What every SAM should know about cybersecurity: An interview with International Society of Automation’s Steve Mustard

Steve Mustard is the president and CEO of National Automation, Inc., a company that supplies automation products and services to customers in water & wastewater, oil & gas, transport, electricity and manufacturing. He is also the president-elect of the International Society of Automation (ISA), a non-profit professional association that provides standards-based technical training, publications, events, and resources for engineers, technicians, and management working in industrial automation.

In December, news broke of a major compromise of U.S. federal government and Fortune 500 companies who used software from a network-management software vendor called SolarWinds. The incident arose from a SolarWinds software update that contained malicious code. Users who applied the update from March 2020 onward would have been exposed to the vulnerability, potentially allowing attackers to gain access inside their networks. It is estimated that 18,000 users applied the update. As of January 2021, the full extent of the breach remains unknown.

This incident should cause genuine concern to all SAMA members. In my earlier conversation with Harvey, we discussed the fact that safe and secure products and services are crucial to strategic account relationships. We also talked about how hackers will target the weakest link in the supply chain. Here is a very real example with very real consequences. SolarWinds is now involved in a massive recovery effort, both technically and with its credibility. However, they are unlikely to be the last major vendor to be the focal point of such an incident.

Vendors will learn from this incident and address any known gaps that they have, but the next incident will be different and will leverage previously unknown gaps. The most serious threat to any SAMA member is complacency. Cybersecurity management is a continuous process requiring constant vigilance and dedication. SAMA members should constantly review their exposure to cybersecurity risks, with a focus on answering these key questions:

• How well do we protect our systems, intellectual property and other sensitive information? How would we have been affected had the latest incident hit us?

• Do we have effective processes for reviewing and updating who has access to our systems and information as well as the methods for doing so?

• How secure is our supply chain? How confident are we that we don’t have weak links in our chain?

• How well prepared are we if a cybersecurity incident were to occur? Do we know what we would do and whom we would contact? Does our incident-response plan cover our entire supply chain?

• How secure are our strategic accounts? Do we provide them with the necessary guidance, and are we helping them manage their cybersecurity risks?

One closing thought: The focus ought not to be on SolarWinds themselves but rather on the fact that attackers will look to exploit the weakest link in the supply chain.

Harvey Dunham: It’s my pleasure to be speaking with an expert from the International Society for Automation, Steve Mustard, who’s an expert in cybersecurity. Steve, welcome. It’s great to be speaking with you, and I look forward to the conversation we’re about to have.

Steve Mustard: Thank you, Harvey. I’m very happy to be here. I’m very happy to discuss cybersecurity with your members.

HD: And Steve, would you just give a brief introduction about yourself so they know a little bit about your background and how you earned your stripes in the cybersecurity world?

SM: Sure. I’ve worked in industrial automation and real-time embedded systems for 30 years, space defense and then energy and utility companies. In the last 12, 15 years, cybersecurity has become a big issue in industrial control systems. And as a result of my background, I’ve gotten heavily involved in that side of life, and I’ve spent a lot of my time these days consulting with asset owners about how to improve their cybersecurity posture in their mission-critical facilities.
