A Key to critical infrastructure cybersecurity: Build customer trust in third-party relationships

This audio was created using Microsoft Azure Speech Services

Countries across the globe are increasingly aware of the vulnerability of their critical infrastructures, as there has been an exponential growth of ransomware attacks from well-funded and highly sophisticated threat groups. Moving beyond attacks on digital networks, these groups are gaining expertise in attacking the networks that are connected to the operational assets in critical infrastructures.  

While it varies by country, critical infrastructures typically include government, energy, water supplies, healthcare, agriculture, transportation, and finance sectors, to name a few. Attacks on the operational systems in these sectors can have even more severe consequences than an attack on a digital network. In fact, in reference to its critical infrastructure sectors, the U.S. Cybersecurity & Infrastructure Security Agency stated that the “incapacitation or destruction [of a critical infrastructure] would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof”.  

Sovereignty, resilience, and people’s safety are at risk  

The energy sector is, by design, one of the most vital sectors. It is a systemically critical infrastructure, as an electric grid is at the center of almost every sector — and without a grid, these infrastructures would shut down. There has been an increased number of reported attacks on electric grids all across the globe, including ones in Estonia, Canada, Italy, and Luxembourg. While most of these only had a minor impact, a ransomware attack in Ghana in late 2022 left people without power for more than five days. 

With increased focus on the cybersecurity of critical infrastructures, nation-state sovereignty and resilience are also of concern around the globe, especially as countries often rely on external organizations to keep their critical infrastructure running smoothly. There is also unease regarding loss of control of essential services when a foreign company oversees a sensitive infrastructure, as it might be perceived as a loss of sovereignty. External organizations could also be a vector of vulnerabilities and at the root of potential disruptions, leading to resilience issues as well.  

Suppliers play a major role in operational cybersecurity  

Previously isolated operational networks are now converging with digital ones, which increases the attack surface for critical infrastructure organizations. Cybersecurity teams must make sure to adapt their processes, skills, and tools to properly mitigate the risks that arise from this greater exposure. In addition, the challenge of securing the assets connected to operational networks is complicated by the fact these assets are aging and more difficult to protect.  

As a company serving critical infrastructure customers, Schneider Electric understands the risks our customers face. We understand that the offers we build and deliver must be secure to be trusted. Therefore, we build resiliency into our offerings to prove to our customers that we are a trustworthy partner and protective of their sovereignty.  

Evidence-based trust is embodied in our entire supply chain  

Schneider Electric has measures in place to secure our entire supply chain, from design, manufacturing, staging, and shipping through to maintenance. We have markers of trust that are built upon tangible, data-driven practices with industry standards and regulatory compliance that protect our customers from potential threats and vulnerabilities. Here is a quick overview of a few of these practices.  

• Secure behaviors and accountability. Our digital and operational environments adhere to industry-leading cybersecurity standards, such as the NIST Cybersecurity Framework, ISA/IEC 62443, and ISO/IEC 27000. We have a strong cybersecurity culture, where everyone understands the role they play in helping to secure our organization, no matter what their function is. Employees are trained in cybersecurity annually and our high-risk populations must take additional dedicated training. 
• Strong supplier interactions. We source goods and services from five continents and closely examine the security postures of our suppliers, recognizing that they may represent an attack vector. We therefore have policies and processes in place to assess the level of risk they may represent and proactively plan for any mitigation of vulnerabilities that might be necessary.  
• Resilient and secure offers. We deliver reliable offers, with secure-by-design products, software, and solutions that meet industry standards and regulatory requirements. We are certified to the ISA/IEC 62443-4-1 secure development lifecycle (SDL) standards and have certified lines of production as well. We have measures in place to secure our source code and intellectual property. In addition, penetration tests, scoring, and external audits are conducted by reliable institutions to continuously improve our cybersecurity maturity. 
• Comprehensive site-level security. Our development, manufacturing, and staging sites are physically and digitally monitored for disruptions. This level of security extends to customer environments as well, where any customer-facing employees must achieve a proprietary Cyber Badge certification to identify that they are trained properly, and their devices and software are secure and up to date.  
• Transparent customer communication. We continually engage with customers through questionnaires which help in sharing information on our cybersecurity posture. This allows customers to assess firsthand our ability to provide secure offers and mitigate attack vectors. Responses to these questionnaires are timely and share consistent information on our cyber posture.  
• Rapid cyber defense and incident response. We hold ourselves accountable for responding in a timely manner when vulnerabilities are detected and reported. They are addressed through an ISO/IEC 30111-certified process for vulnerability handling and ISO/IEC 29147-certified process for vulnerability disclosure. 
• Extensive threat intelligence. We share real-time operational threat intelligence with our customers, which helps them address exposures and vulnerabilities in their own digital and operational landscape.  
• Continuous learning and growing expertise. At the end of the day, cybersecurity is not competitive — it is a global, collective effort, and we exchange information and insights through international partnerships and alliances, such as the Paris Call or the Cybersecurity Coalition. We are also key contributors to cybersecurity platforms such as those with the World Economic Forum, as well as national authorities and regulatory organizations. 

Trust is an on-going process and exchange, but it is never a given 

Trust with our customers starts on day one of a relationship, but it has no end. It must be proven and continuously renewed to remain valid. We strive for the highest standards, but this only works if everyone plays their role.   

• It is necessary to develop cooperation with other companies that provide products and services to our customers, as cybersecurity is not a competition but a collective effort.   
• To get stronger together at an ecosystem and industry level requires collaboration, personal dialogue, and a shared understanding within the entire ecosystem. 

Schneider Electric is committed to doing business responsibly, and to earning and sustaining trust by relying on mechanisms, not just on intentions, to fit with national security agendas. In the end, improving our relationship with our customers and maintaining our position as a trusted partner benefits the industry and, more importantly, people all around the globe.