Here’s an interesting snippet for you, purely anecdotal. As we do our groundwork about future product developments, especially where cloud or anything-as-a-service is concerned, the top of mind issues for our customers are privacy and (cyber) security. OK, no surprise there. We’d somewhat taken the view that perhaps the market lay in sectors which were less risk averse than, e.g., government or finance. But no, in fact it’s exactly those sorts of organisations which want to engage in dialog because they are the ones most likely to know where the risks lie – they are expert in managing risk.
Without wanting to labour the point, there’s a lot of risk out there. The Symantec 2016 Internet Security Threat Report (ITSR – be prepared to give up your email address to download the 81-page PDF document) discovered more than 430 million unique pieces of malware during 2015, an increase of 36 percent on the year before. Amongst their findings was a doubling of zero-day vulnerabilities, the loss of half a billion personal records, and over a million web attacks against people every day last year. They also identified an increase in spear phishing attacks and Ransomware.
From our customer’s perspective, they want to know more about how we connect them to us when exchanging data and information – what protection we’re extending via firewalls, encryption etc., as we transmit, process, and analyse data and share results (that’s where cyber security comes in). Sometimes they do not distinguish between these activities and privacy measures – how we store and protect their data, and controlling access to what can be seen by whom. Often, they simply want to make a protect decision based upon some sort of certification against processes.
But this sort of assurance is really a vanity metric because it’s only going to be valid the day they’re signed. The game changer, as mentioned above, is the trending issue of zero-day threats. To quote Wikipedia; “A zero-day vulnerability is a disclosed computer-software vulnerability that hackers can exploit to adversely affect computer programs, data, additional computers or a network. It is known as a “zero-day” because once the flaw becomes known, the software’s author has zero days in which to plan and advise any mitigation against its exploitation.”
What counts in this case is the observed capability of the vendor to be able to react and close down unhelpful software susceptibilities. And to do so in conjunction with other cyber security disciplines, because the customer really needs to approach this whole subject from a holistic point of view. We need to be confident that those responsible for the security of data are just that – responsible.
Which brings me back to the companies which have been speaking to us; they are sensitive to managing risk. Sectors like the insurance industry share data about a wide and increasing number of factors so that they can model risk and set premiums accordingly. In our business, another thing which needs to be considered is that as undesirable as a security breach may be, the non-descript M2M data is of little value should it fall into the wrong hands. It tells nothing about the companies from which it originated.
Somewhat counter-intuitively, companies that connect into the Schneider Electric cloud could be increasing their measure of cyber security – taking that word in its widest measure. For a start, by building and securing a gateway inside the firewall it reduces the necessity to have the firmware on every single monitored device fully patched (even though that is recommended best practice). Secondly, we’re proactively interrogating the devices and can tell where security is not up to scratch and needs attention.
The plain fact is that unlike IT which has always been highly security conscious, facilities have been somewhat lagging behind. There are a whole bunch of reasons for this which I’m not going to discuss here (for more information, please read our blog Top Five Recommendations for Securing the Data Center Against Cyber Attacks). There is also a major difference in attitude to cyber security concerns between IT and OT professionals, and that’s a gap which properly architected cloud services can bridge.