
2022 Securing OT

The document discusses securing operational technology and addressing digital risks in business-critical infrastructures. It covers how digital transformation is affecting industries and the importance of cybersecurity as industries become more connected. The final sections provide quotes about how connectivity enables remote control of devices but also increases vulnerabilities, and the need to stress test energy systems against potential cyberattacks.

Uploaded by

wahyu

Securing Operational Technology (OT)

Addressing digital risks in business-critical infrastructures


March 2022

Confidential Property of Schneider Electric


Presenter

Hedi Santoso
Prescription and Government Relations Director
Indonesia and Timor-Leste Cluster
Schneider Electric

@linkedin.com/in/hedi-santoso-07691731



Internal
Our purpose is to empower all to make the most of our energy and resources, bridging progress and sustainability for all

At Schneider, we call this

©2020 Schneider Electric. All Rights Reserved

Our mission is to be your digital partner for Sustainability and Efficiency

Schneider Electric in Indonesia

Leading the digital transformation of energy management and automation in homes, buildings, data centers, infrastructure, and industries.

Schneider Electric Indonesia
CIBIS 9 Building, Lt. 16, JL. TB Simatupang No.2
Cilandak, Jakarta - 12560
www.se.com/id

• Established 1973
• ~4500 employees
• Smart factories + Logistic serving global / regional / local markets: Batam (4), Cikarang
• 2019 Indonesia 4.0 readiness trophy winner from R.I. President
• Major sites: Jakarta, Batam, Cikarang, Cibitung
• Education / Vocational school (SKM) National Partner: delivering state of the art training to Indonesian youths

Map legend: Main office, Distribution center, Field / sales offices, Manufacturing facilities


Schneider Electric Commitment in Indonesia
New Energy Resources Development

Our smart factory in Schneider Electric Cikarang started operating its solar panel rooftop in 2020, which has produced 224 MWh, equal to 21.6% of the factory’s total consumption.

Schneider Electric Energy Asia Investment in Xurya Daya to expand solar rooftop power usage in plants

Xurya Daya is a renewable energy (cleantech) startup that pioneered the method to switch to solar panels for commercial and industrial buildings in Indonesia.

©2021 Schneider Electric. All Rights Reserved

Schneider Electric Commitment in Indonesia
Industry 4.0 Vocational Development

• The Center of Excellence for Electricity, Automation, and Renewable Energy
  • 240 Trained teachers
  • 10,800 Students to be trained by teachers
  • 184 School's laboratory upgrade
• Industry 4.0 National Lighthouse
  • First-hand implementation of factory automation at Smart Factory Batam
• Digital Capabilities Center Development & Vocational Program Development
  • 5 years Strategic partnership
  • Develop “Basic industry 4.0” curriculum training
  • Providing trainer & product showcase

Digitization + Cybersecurity

Digital disrupts Efficiency & Sustainability

• 3x IoT: IoT connections 2018-2025 (*GSMA)
• >5x Big Data: generated data from 33 ZBs today to 175 ZBs by 2025 (*IDC, 2018)
• 6x AI: worldwide spending on cognitive and AI systems between 2017 & 2022 (International Data Corporation)

Digital transformation for industry is wide reaching
Market environment

• Increasing competition and economic uncertainty
• Changes in demand and commodity costs
• Changing regulations
• Geopolitical uncertainties
• Rapid advances in technology
• Generational shift

Sources
• https://www.accenture.com/us-en/service-industry-x0
• Report by TechSci Research, entitled “Global Internet of Things (IoT) Services Market By Type, By Application, By Region, Competition Forecast & Opportunities”, https://www.i-scoop.eu/internet-of-things-guide/internet-things-services-market-outlook-growth-disruption

Industry 4.0

• Data analytics
• Sensors/Internet of Things
• Augmented/virtual reality
• Cloud computing
• Artificial intelligence
• Wireless
• Automation
• 3D printing

Thriving in a digital economy

“Any skilled engineer can take control remotely of any connected ‘thing’. Society has not yet realized the incredible scenarios this capability creates.” (1)
André Kudelski, Chairman and CEO of Kudelski Group

“Popular movies have frequently exploited the idea that the infrastructure of modern life is vulnerable to well-staged cyberattacks. But the real-world Stuxnet virus succeeded better than anything out of Hollywood in proving that power plants and other nuclear assets can indeed be sabotaged.” (2)

(1) Hutt, R. (January 23, 2016). 9 quotes that sum up the Fourth Industrial Revolution, World Economic Forum Agenda. Retrieved from https://www.weforum.org/agenda/2016/01/9-quotes-that-sum-up-the-fourth-industrial-revolution/
(2) Heiligtag, S., Maurenbrecher, S., and Niemann, N. McKinsey. (February 2017). From scenario planning to stress testing: the next step for energy companies. Retrieved from https://www.mckinsey.com/business-functions/risk/our-insights/from-scenarioplanning-to-stress-testing-the-next-step-for-energy-companies

Thriving in a digital economy
Industry trends

Market globalization
• 18: Top emerging economies have lifted >1B people from poverty since 1965 (1)
• 45X: More data flows across countries than 10 years ago, with more economic impact than manufactured goods (2)

Changing digital needs
• 10X: More digital (3)
• 2X: More personal (4)

Operational efficiency
• 80%: Of manufacturers to put data at the center of their processes by 2020 (5)
• 77%: Of industrials to focus on smart connected operations (6)
• 52%: IX leaders focus digitization on fixing the greatest operational inefficiencies (6)

Cyber threats
• 60%: Of heavy industrials experienced a breach in ICS or SCADA systems* (7)
• 80%: Of organizations push digital innovation faster than they can secure against hackers (8)
• 16%: Of organizations hold employees accountable for cybersecurity (8)

Sources:
(1) McKinsey & Company, Insights “High-growth emerging economies and the companies that propel them”, Sept-2018
(2) Deloitte, “Beyond the Noise: The Megatrends of Tomorrow’s World”, 2017
(3) HIS, March 2016, UN population stats
(4) Strategy Business, “Smart Customization: Profitable Growth Through Tailored Business Streams”, 2004
(5) IDC, Perspective “Staying ahead of Manufacturing Disruption”, July 2019
(6) LNS Research, “Understanding Digital Transformation today”, 2019
(7) McKinsey & Company, Article “Critical infrastructure companies and the global cybersecurity threat”, Apr-2019
(8) Ponemon Institute, Accenture Study “The Cost of Cybercrime”, 2019
*ICS = Industrial Control System; SCADA = Supervisory Control And Data Acquisition

The rising cost of cybercrime
Risks must be addressed to safely and profitably embrace digital age technologies

Implications for Industry

Cyber threats are rising - 200% Increase in Malware Activity in the last 5 years

Industrial cyber attacks are on the rise - it’s not just about information theft anymore

Average annual loss from cybercrime per company was $9.5M worldwide in 2016. The average cost of a data breach will exceed $150M by 2020.

Industrial Cybersecurity in the headlines
It’s not just about information theft anymore

Offshore hackers remotely access utility control rooms (1)
• Access level gained could have allowed network shutdown and blackouts
• Attacker strategy was to target smaller firms who are suppliers to the utility
• Used ‘phishing’ e-mails which drove staff to visit fake ‘spoofed’ websites
• Similar attacks have already affected power to 225,000 in Ukraine

1000 Machines destroyed at nuclear fuel plant (2)
• Worm entered network via an infected USB memory stick
• Malware spread on network - highly targeted to re-program machine controls
• Hacked control code caused repeated machine overspeed cycles for a few months
• 20% of plant machinery destroyed by overspeed stress

Source BBC.Com: 1) Russian hackers penetrate US power stations 2) How Stuxnet attacked a nuclear plant

The rising cost of loss
Risks must be addressed to safely and profitably embrace digital age technologies

The rising cost of cybercrime:

• Global Average Total Cost of a data breach is $4.24M in 2021 (1)
• The global average cost of cybercrime is expected to peak at US $6 trillion annually by the end of 2021, driven by the proliferation of ransomware attacks. (2)

1: IBM Security, “Cost of a Data Breach in 2021”
2: https://cybersecurityventures.com/annual-cybercrime-report-2020/

Mitigation

What are common OT risks?

• A wide attack surface
• Legacy infrastructure with aging assets
• Targeted attacks on unique weaknesses
• Regular exposure to third-party access

Addressing OT risk

Network Segmentation

People and Operational Model

Avoiding The Cascading Effects

Securing Legacy Infrastructure

Adopting Shared Responsibility

Cybersecurity
From basic awareness to active plant and supply chain security for the entire lifecycle

The need for secure business integrity

Cross & multi-layer integration + Cross-functional collaboration

✓ Superior operational risk reduction
✓ Protect and optimize profitability safely and securely
✓ Reduce overall lifecycle cost

Harness the value of your data

Cybersecurity
Awareness

Help protect against casual or coincidental cybersecurity violations often caused by mistakes

Diagram: People (Structure, Accountability, Training); Process (Policy, Metrics, Lifecycle); Technology (Ad-hoc, Manual, Automatic)
Diagram labels: Management, IT, Operations, Maintenance, Engineer, Human Resources, Continuous improvement, Raw material, Parts, Energy, Customers, Suppliers/Partners

The benefit of getting the basics in place

According to the Ponemon Institute, data breaches caused by human error cost $126 per record lost (1). On average each data breach results in the loss of 24,000 (1) records. Putting the basics in place and avoiding issues due to human factors could save an average of $3M.

• Many cybersecurity incidents are caused by simple lack of awareness and poor security practices
• Measures such as:
  • Putting basic policy and governance in place
  • Defining a formal leadership structure
  • Putting basic cybersecurity protection in place at all nodes
  • Training to build staff security competencies and awareness
  may help avoid some of these costly mistakes.

1) Ponemon Institute 2017 Cost of Data Breach Study benchmark research sponsored by IBM Security p5, p11.

Cybersecurity
Active Management

Cybersecurity is an inherent part of business culture, processes and innovation

Formalized governance and review of security performance and metrics

Diagram: People (Structure, Accountability, Training); Process (Policy, Metrics, Lifecycle); Technology (Ad-hoc, Manual, Automatic)
Diagram labels: Management, IT, Operations, Maintenance, Engineer, Human Resources, Continuous improvement, Raw material, Parts, Energy, Customers, Suppliers/Partners

Active Management saves money

• Higher Security Effectiveness Scores (SES) could decrease the annualized cost of cyber crime by $6M

High Security Effectiveness is defined as:

People
• fully dedicated Chief Information Security Officer (CISO)
• adequate budget for staffing
• training and awareness programs designed to reduce employee negligence

Process
• regular audits and assessments of security vulnerabilities
• participation in threat sharing programs
• comprehensive program of policies & assessments to manage 3rd party risk

Technology
• adequate budget for enabling security technologies
• strategic investment in appropriate security enabling technologies, especially enterprise-wide encryption

1) Ponemon Institute 2017 Cost of Cybercrime study – Key finding 18, P40

Cybersecurity
Security Excellence

End-to-end lifecycle cybersecurity approach across the entire value chain

Partnerships with relevant experts to ensure security in the digital economy

Diagram: People (Structure, Accountability, Training); Process (Policy, Metrics, Lifecycle); Technology (Ad-hoc, Manual, Automatic)
Diagram labels: Management, IT, Operations, Maintenance, Engineer, Human Resources, Continuous improvement, Raw material, Parts, Energy, Customers, Suppliers/Partners
Diagram legend: Data flow

The benefits of automatic technologies

• Security intelligence systems and advanced identity and access governance are the top two most widely deployed security technologies across the enterprise (1).
• They offer the highest potential organizational benefits with cost savings of US$2.8 million and US$2.4 million respectively (1).

1) Cost of cybercrime study 2017. Ponemon Institute with Accenture Page 6

What is Schneider Electric doing to secure its supply chain?

Diagram labels (levels: BASIC, INTERMEDIATE, ADVANCED):

• Cyber Leaders @every plant & distribution center
• Awareness Training, assets
• Production Line PCs Compliant and Protected
• Industrial Endpoint security Inventory & Protection
• Sites: > 200 sites
• OT Network Topography
• Cyber Solutions OT monitoring
• Isolate shop floor production line from Office PCs
• Segment the production lines to guarantee product security level
• Industrial Cybersecurity OT Monitoring, Continuous Threat Detection & Incident Response

Scalability of the deployment strategy for cybersecurity on industrial sites

Improving the security of industry with cybersecurity training and services

Initial 1.0
• People: No dedicated staff for security activities but risks broadly accepted.
• Process: No governance or management system in place.
• Technology: No emphasis on formalized security control.

Developing 2.0
• People: Leadership structure formalized & management roles assigned.
• Process: Basic governance framework and policy created.
• Technology: Some technology implemented in an ad-hoc fashion.

Defining 3.0
• People: Roles & Responsibilities established and formalized.
• Process: Comprehensive Cyber management system established.
• Technology: Formalized technical control.

Managing 4.0
• People: All RACI roles filled with dedicated resources and/or responsibilities assigned.
• Process: Formalized governance group, reviewing performance & metrics.
• Technology: Control measures in place & monitored for compliance.

Optimizing 5.0
• People: Ongoing development & training, continuous improvement.
• Process: Cybersecurity management system fully implemented.
• Technology: High level of automation for monitoring, compliance & performance.

Improving the security of industry with cybersecurity training and services

Schneider Electric solutions revolve around four essential factors:

• Permit: The access to the network is subject to safety measures such as authentication, authorization, and physical identification.
• Protect: The network is protected from malware and viruses and can have some advanced protection tools installed.
• Detect: Issues in performance, anomalies, and intrusions should be detected as soon as possible to allow an adequate response.
• Respond: Once a cyberattack is found, incident response is activated, and forensic investigations conducted. If needed, recovery can be made from a backup.