Risk-Driven Security in ManufacturingTata Motor's Deshpande Shares Unique Challenges, Recommendations
Unlike the relatively uniform and mature perspective that financial services and some other sectors have on information security, manufacturing challenges organizations to operate across a diverse spectrum of businesses and technology applications. Without the benefit of regulatory guidance, most organizations in these sectors have to naturally bank on a business risk driven security program that meets their unique needs.
See Also: Threat Intelligence - Hype or Hope?
Uday Deshpande, CISO at Tata Motor, says that the core InfoSec challenges remain the same, but diversity of the infrastructure and need for prioritization are a big challenge.
"The 10 key domains of information security are going to be there because the business processes are automated through information technology," he says. "In a very diverse environment, the key question is how a security practitioner prioritizes InfoSec efforts."
Security has to be risk-focused, he believes, as this is the only way to get the executive buy-in and put a sustainable program in place.
This exclusive interview with Deshpande explores:
- Security issues unique to the manufacturing sector;
- Getting management buy-In;
- Recommendations for improving security in manufacturing.
Deshpande is a leader with 20-plus years of experience leading global information security programs, enterprise risk management and compliance projects. He is adept at information security strategy, has designed & implemented security architecture and secured information assets through innovative technologies. He is an astute business manager with a keen understanding of tomorrow's cyber security threats and possesses the skills to align them with organization's strategic business goals.
Edited excerpts follow.
On Manufacturing's Unique Challenges
Varun Haran: To begin with, share with me some of your main pain points as a CISO in manufacturing. What is unique for security practitioners in manufacturing?
Uday Deshpande: Typically, automotive manufacturing companies are not highly regulated like banking and FSI, so lot of things have to be done on a reactive basis. As and when you come across situations, you have to take measures around it. And the manufacturing sector is pretty diverse in terms of infrastructure. On the one hand you have the corporate network, with the data-related infrastructure, and then you have the plant network where you have the devices connected on the shop floor and are also processing a lot of data.
Both networks need to be secured. From a threats perspective, looking at the current scenario, a typical IT lifecycle in any automotive company can be divided into design, manufacturing and selling. There are different platforms in IT that enable these key business processes. For instance, it can be a PLM in design, and it can be SAP or other for supply chain financials management, and then typical products like CRM for customer and channel handling. Apart from that, there will be plant-related networks.
So it is a very diverse environment for a security practitioner, and the key question is how is this going to be prioritized and what is the key data? For instance in the design phase the protection of design systems and IPR is essential to avert reputation and financial damages, and in the SAP phase I basically get involved in the fraud risk management piece. So, prioritization is a big challenge.
Haran: Seeing how diverse the security challenge in manufacturing can be, as a CISO, given the lack of any regulatory guidance, how do you go about discharging your mandate and address your challenges?
Deshpande: Whether the industry is regulated or unregulated, the information security risks are going to be there. Wherever the business processes are enabled by IT, the traditional challenges are going to remain. For instance when we have to manage networks, either from SCADA perspective, or the shop floor networks and others, network related issues will come into the picture. When designs are going to be created on CAD/CAM obviously the protection of those systems from an IPR angle will come into the picture.
When financials are being managed through SAP, again access management and the fraud risk management around SAP comes into the picture. All customer-facing portals and access also need to be managed, as also for channel partners and various brand initiatives in the organization. Some part of cryptography and digital certificate use also comes into the picture in this role.
So, the traditional information security measures that are there for other verticals are going to be applicable to manufacturing, because the 10 key domains of information security are going to be there because the business processes are automated through information technology.
Haran: What strikes me here is that you have a diverse bucket of risks and environment that you need to protect - from taking care of fraud right up to pure information security. Having outlined the context, when you compare this to a regulated industry, it is evident that you are approaching this from a business risk perspective. How receptive do you feel the management is to information security risks in the manufacturing sector?
Deshpande: First of all, management is not going to be adequately aware of information security challenges, and that is the first job of the CISO to apprise them of the various information security challenges that the organization has. He needs to communicate to the management the implications of not taking proper measures to safeguard information. The model we have at Tata Motors is that we have a forum called the Management Information Security Forum, or MISF, where we meet once every quarter and engage all the heads of business and make them aware of the threat landscape contextual to the company's business. (Also See: Articulating Security's Business Value)
If any incidents have occurred, we inform them of what reactive measures were taken and, thereafter, what proactive measures have been taken as a future safeguard. We communicate to them the implications of such incidents and what kind of organization-wide initiatives need to be taken to avoid business losses.
The other aspect is the threat from emerging technologies. For instance, the management is very keen on leveraging SMAC (Social Media, Mobility, Analytics & Cloud) platforms for business. The presence of Tata Motors on these platforms is high and, in most cases, the awareness of how to approach these platforms in a secure manner may be lacking. Ensuring that the company's sensitive information does not leak out via these platforms advertently or inadvertently is something that management needs to be made aware of.
Employee awareness initiatives, mobility challenges, cloud security and other issues can be correctly presented in forums like this to enable the management to make informed decisions to tackle information security risks. The key is to meet them periodically and keep them informed of the company's threat exposure. (Also See: Security & Privacy: Making the Case)
Haran: If you look at the current threat landscape, where you have threats like APT and targeted attacks, how concerned is the manufacturing sector about this and how do you communicate this to your management?
Deshpande: As I said before, the core information security threats are same in manufacturing as they are in other verticals. APTs primarily seek to steal data. If you add PLMs and SCADA technology to this picture, they may even have physical or disruptive effects. But as far as the core systems are concerned, these cannot be exposed to the world and access should only be given on a need basis, and that too in a protected manner.
For instance, for all design-related data at our organization, access can only be over VPN enabled through two-factor authentication. To explain the implications of APT, the effects need to be demonstrated to the management that in spite of the traditional firewall, IPS, monitoring etc, some amount of exfiltration may be happening across the network, which may or may not lead to an APT kind of attack. Management is cognizant of business risks such as this. (Also see: Security: How to Get Management Buy-In)
Risk Driven Security
Haran:Given that you do not have any regulatory or compliance push available to you to justify security spends with your management, it must become all the more important for you to speak the language of business and communicate the business risk. Would I be right in saying that practitioners in manufacturing may be needing to work extra hard to make a business case for security investments? What are some recommendations for your peers to do this?
Deshpande: I would agree and the first and the most important thing to remember is to leave the technology issues aside. In manufacturing, when a practitioner joins the organization, he needs to understand the core business processes. Go to the ground level and understand the key processes that will require your involvement. You need to understand the business first and then start from the ground up. Once you understand the risk, take the aid of any standard or industry reputed framework to map those information security risks and then start remediating them. At the end of the day, a practitioner in this space needs to remember that addressing people, process & technology issues is key to securing the organization.
For the people piece, strong management buy-in is needed to adopt strong policies. For the process piece, one could adopt robust frameworks like ITIL, which will put in structured, disciplined processes to streamline the IT-related operations in a secure manner. The last part is the technology piece, which can be looked upon as 80 percent technology and 20 percent training people to correctly use the technology in a way that abides by the policies.
If this flow is adopted properly, I believe that 80-90 percent of the goal of protecting information can be served. Again 10 percent is something that constitutes the unkown unkowns that you will have to deal with as they come.
There is no such thing as 100 percent security - there will be zero-days, there will be APTs. The key is how strong you incident response framework is, so that you can reduce the magnitude and impact of such attacks when they do happen.