In this episode we discuss:
To learn more, read Max Wandera's article, "Cybersecurity: The importance of validating connected products with a global standard".
Get notified when new episodes of "The Making of What Matters" are released by signing up for our mailing list.
ZARI VENHAUS: We're hearing a lot in the news today about cybersecurity, data breaches from companies like Google, and Uber, and Facebook. So we want to talk a little bit more about why cybersecurity matters.
We're here with Max Wandera, the director of our Cybersecurity Center of Excellence. Hi, Max. How are you doing?
MAX WANDERA: Very good.
ZARI VENHAUS: Great.
MAX WANDERA: Thank you for having me here.
ZARI VENHAUS: We're loving you here. It's great to have a subject matter expert here to talk a little bit more about why cybersecurity is so important and what are the things that we're doing.
So you heard me mention a little bit, we've got Facebook, Google, Uber. We're seeing a lot out in the news about cybersecurity and data breaches. Why is it so important for companies to be thinking about cybersecurity?
MAX WANDERA: I think if we look at it from an Eaton perspective, the products that we build and where they end up in our customer environment, they manage critical infrastructure. We have our products in the data center, we have products in the utilities. And it's very important that Eaton makes sure that these products are secure, because our customers are looking at Eaton to make sure that we are selling products that are not hackable, products that they can trust that when they install them and they go back to their homes, that their systems are operating the way they're supposed to operate and they're given the value that we promised them that perhaps we'll give them.
ZARI VENHAUS: Our world is so much more connected than it's ever been before. So I can imagine when you start having systems talk to each other, you've got smart homes, that that makes it even more important to make sure that everything in the home or everything in an industrial facility is secure.
MAX WANDERA: Cybersecurity and quality is one thing. You're expecting that when you're buying a product, it should have the same quality, including cybersecurity quality, that's required, and you should never think about cybersecurity when you buy a product. Same thing when you buy a product-- when you have an iPhone and you log into your bank, you'd never think about, is this website secure? You assume that the iPhone itself it came up with the security to protect you when you're browsing--
ZARI VENHAUS: Right.
MAX WANDERA: --at the websites.
ZARI VENHAUS: So just that peace of mind.
MAX WANDERA: Yeah.
ZARI VENHAUS: Right?
MAX WANDERA: That's a good name.
ZARI VENHAUS: That inherent trust in the websites you go to, in the products you access, however you're accessing them, through your phone or through a network connection, that that information is secure.
MAX WANDERA: Exactly.
ZARI VENHAUS: So how are we thinking about cybersecurity at Eaton? How are we thinking about it differently than other people are?
MAX WANDERA: We are ensuring that we've studied embedding cybersecurity into our product development. When you say secure by design, what you mean is that we have added cybersecurity in all the phases of development. And then once we build our products with security, we are also now moving to secure by default. And that concept is where we release our product, and then if a customer installs our products into the environment, using the default settings, the product is still secure. So cybersecurity is embedded, you know, a process of how you build your products.
ZARI VENHAUS: From the very beginning.
MAX WANDERA: From the very beginning.
ZARI VENHAUS: So you start thinking about a new product, what are the requirements for determining whether or not something we should be thinking about cybersecurity? Is it going to have a network connection? Is it going to be on the internet?
MAX WANDERA: So in Eaton, any product that has an embedded logic, whether it's going to be connected to a network or not--
ZARI VENHAUS: Or not.
MAX WANDERA: --has to go through cybersecurity. And the reason behind that is you might not be connected to the network, but that device or that product might be protecting an asset, any product asset, and that asset, you have to-- you have to service that product. You have to configure that product. You have to use tools to do that. You have to have a-- you might have a USB port that you want to plug in a USB to update the firmware. So it's important that we ensure that all those connections we put some level of requirements to protect that product.
ZARI VENHAUS: When we think about our Center of Excellence, so what do we do in our Center of Excellence? How does that really set the foundation for cybersecurity at Eaton?
MAX WANDERA: It's a very good question. So Cybersecurity Center of Excellence is challenged with driving cybersecurity requirements, best practices, and technology across all the products that we build, and we do that through a secure development lifecycle. We do that through ensuring that we are providing customers with communications and white papers that can help them deploy our products securely when they buy them from us. And we also provide them avenues to communicate with us. When there's an issue with our product, in terms of cybersecurity, they can communicate to us securely, and we can work with them to resolve those issues very quickly.
ZARI VENHAUS: How do we make sure that there are standards for what secure by design mean? What does cybersecurity actually mean in industry? Because it could mean different things to different companies, so how do we make sure we have a level playing field?
MAX WANDERA: One of the things that we're doing at Eaton, we have partnered with UL. UL came up with UL2900 certification standard, and we are the first company to be accepted by UL in that acceptance program.
So what does that mean to us in Eaton? What it means is that now we are taking the leadership to drive common criteria hard-to-assess connected products. And we are going to see this trend moving along, because as a customer, when you buy a product, you want it to be secure, but how do you validate that? What's the independent body that can validate that for you? And I think the partnership we have with UL is going to set us to that direction of creating a standard, a common standard across.
ZARI VENHAUS: And do you see that happening in other regions potentially too, there becoming some kind of IEC standard certification that acts the same way?
MAX WANDERA: Yeah. Yeah, we're seeing that in Europe. IEC also is coming up with-- is pushing that to come up with their own certification criteria. And we are hoping that all the standard bodies are going to come together and talk and come up with common criteria for assessing our products.
ZARI VENHAUS: Do we think that there is not only a lack of standardization, but also just a lack in knowledge or expertise about what cybersecurity really is and the best ways to protect against cyber threats?
MAX WANDERA: People need a framework to understand guidelines of, if this product is sold in this market, what's the framework that governs around cybersecurity, driving same standards of requirement as a company and will do the same thing, the requirements that we have that we're putting to our products, which are stringent requirements for cybersecurity. At Eaton, you cannot release a product without meeting our cybersecurity requirements.
ZARI VENHAUS: OK. So that's really critical. We're actually saying, hey, we're not going to release a product unless it goes through a cybersecurity assessment?
MAX WANDERA: Yeah, and that's the stand we have taken the last three years.
The same stance, we are putting them to the supplier. Any product that comes to us through a supplier, once it comes, it goes through a cybersecurity assessment. If it doesn't meet those requirements, we do not let it go.
I think we've worked with so many suppliers now, and the feedback we're getting is that we are actually making their products more secure and also we're making their products more marketable, because we are pushing the bar. And our customers also now having partnered with and collaborated with UL now, they're now excited, because now they don't need to validate our work. We can rest assured that our work has been validated by an independent company.
ZARI VENHAUS: Max, thanks so much for coming and talking cybersecurity. There's some really cool things we're doing here at Eaton to help make our customers more secure, so thank you.
MAX WANDERA: Thank you very much for having me. I think this was great. I think definitely we need to-- our customers need to know what Eaton is doing in the cybersecurity world, and this is great.
ZARI VENHAUS: Absolutely, because we make what matters work.