Mark Stevens, Digital Guardian
Title: Vice president of global services and support
Location: Waltham, Mass.
Experience: 20 years in enterprise software and systems
Primary Focus: Digital Guardian is a security firm that specializes in data loss protection.
Modern: We hear a lot today about credit cards, retail point-of-sale (POS) systems and even the military’s Twitter account being breached by hackers. How vulnerable are manufacturing and warehousing systems?
Stevens: There’s a saying that there are two kinds of companies: those that have been hacked and those that don’t know they’ve been hacked. So, the short answer is that manufacturing and warehousing systems are very vulnerable.
Modern: Why is that?
Stevens: It’s two-fold. First, it’s the interconnectedness on the factory and warehouse floor. Every machine today has an IP address and is online. Now, a hacker doesn’t really want to get into your plant. What they want is your data, and a manufacturing plant has data. For instance, you may protect your intellectual property at the corporate level, but when you manufacture something, you have to send that information to the factory floor, where it’s now vulnerable. One of our clients was a manufacturer that made a chip that was important to the entertainment industry. The hackers waited and didn’t try to get into the corporate system. Instead, they waited until the design was downloaded to a test plant. That was where the company was vulnerable. For the hacker who wants data, it may be easier to attack a retail POS system—or a machine on the floor—that is less secure than to go after the corporate network.
Modern: Are industrial clients aware of this vulnerability?
Stevens: The conversation is different today than it was six months ago, as a result of some of these high-profile breaches. You’ve been hacked. I’ve been hacked. The factory manager has been hacked. You can’t turn on the TV without hearing about Sony. It’s heightening awareness, which is helping. Your reader should ask themselves whether they have sensitive information that could hurt them if it got out. If the answer is yes, they have to assume someone is going to try to get it.
Modern: I read about one company that was hacked through its programmable thermostat. Given that they’re coming in through the heating system, what can be done?
Stevens: The industry term is “defense in depth.” What that means is that we know they’re going to get through your perimeter because no one is going to stop these guys. So, you don’t worry about the programmable thermostat on the wall. Instead, you determine what’s really sensitive and protect that. The new chip diagram I referred to is on a protected server that will shut down if the system is hacked. It’s not keeping them out anymore; it’s about making sure they don’t get to your most sensitive assets.
Modern: What should a manufacturer or distributor do to protect themselves?
Stevens: First and foremost, understand what data is important to you and your business. Next, you need to figure out how to keep an efficient business process while securing the data at the point of risk.
Modern: Is this problem only going to get worse?
Stevens: Unfortunately, the answer is yes. And while you may think your business is immune because you’re not as high profile as a Sony, think of it this way: What if you’ve got a good job working at a plant in Ohio that is at risk because the Chinese can steal your company’s IP and make the part for 20% less? That’s a real concern. That’s a real issue. What makes it a hard problem to solve is that these systems weren’t thought about from security first. They were designed for interconnectedness and now that’s going to be exploited.