Cybersecurity Leaders – Paolo Fanuli
Paolo Fanuli has more than 30 years of experience in the IT industry, more than 20 of them in cybersecurity. Since 2018, Paolo has been making sure that cybersecurity is designed into the products of Knorr-Bremse.
The Rail Vehicle Systems Division of this long-established company equips mass transit vehicles and mainline trains with highly advanced products.
The Competence Center Product Security, located at the group company Selectron Systems in Lyss, Switzerland, enables rapid digital business transformation by keeping products secure for the digital value chain and for daily operation.
How do you articulate the three-pronged approach of “people, processes and technology”?
In a global company, which designs and manufactures complex process control systems for railway, this approach comes with its own challenges. In our environment, structured processes have been relevant from the very beginning due to the high awareness for safety. Solutions for rolling stock must always comply with stringent certification and homologation requirements to guarantee safety. Cybersecurity can benefit from this culture because everybody understands the importance of processes and the need for a skilled workforce to achieve safety, hence it can easily relate to the same need for security.
The challenge consists of understanding and accepting the differences in the technology domain. Risk assessment for safety is based on a deterministic cause/effect relationship. Cybersecurity risks, on the other hand, are highly random and can change on a daily basis with the evolving threat landscape. In our environment, regular patching is not a straightforward option, because it must be done without affecting safety homologations. Considering that our products must be fully functional and maintained for 20 or more years, security must be built-in from the very start of design, cover the whole lifecycle of the product, be resilient and follow defense-in-depth concepts.
How can security executives get that “buy-in” from the top?
Top management is responsible for business results and for corporate risk, among other things. We need to show how security affects primarily corporate risk, protects the business and how important business initiatives of the market are transforming that risk. Fleet operators want to adopt digital business transformation to improve their positioning with attractive, smart transportation solutions. They also want to adopt new operational concepts like predictive maintenance or assistance systems that could soon allow for automated train operation (ATO). All this to increase safety and value and decrease cost.
These business objectives mandate ubiquitous networking and on-line connection of fleets, which in the past operated off-line. Standard, commercially available off-the-shelf technology is also key to reducing cost. Cybersecurity is an important enabler to mitigate the new risks introduced by on-line operation and standard solutions, which are prone to “standard” attack methods.
Customers will look for cybersecurity to enable their business initiatives. A certain standard of cybersecurity is essential for new products. Otherwise they will not be accepted by the market. On top of that, consider that regulations like the EU Commission's NIS Directive create new auditable compliance requirements. This can already provide for a good set of business arguments to conduct productive conversations about the topic of cybersecurity with top management.
How can a Product Security Officer better understand a business’ needs?
If you want to understand the business, the best way is to talk to your customers. Working for many years as a sales executive, developing cybersecurity business with many different types of clients globally has helped me a lot. Of course, before talking you need to listen. You need to understand how your customers create value for their customers, then identify your potential role in their value chain. It is always about creating value – and it’s about doing it in the most efficient way. It’s about striking a balance between relying on a generic approach and still flexibly accommodating varying requirements. In the main hall of my alma mater, the ETH Zurich, you will find a memorial plaque to one of their first professors, Francesco de Sanctis, in his time professor for Italian Literature. The plaque bears his quote, “Before you are engineers, you are above all people”. I would say this is the short answer to this question.
What unique security challenges does your industry face?
While security for process control systems follows similar rules as for IT systems, addressing people, process and technology, the priorities are different. Confidentiality is less important than availability. Controllers must operate in real-time, which constrains your computing power, hence your controls must have small footprints. Patching is not easy to do without affecting safety controls, which would require re-certification. Trains are usually on the move; therefore, physical controls are much less effective. Intrusion detection is also more difficult. Consider that trains can be reconfigured during the day. This changes the whole network, the list of assets, the network traffic, and more. You can only protect what you know, therefore asset management is important. But if your assets can change constantly even this task gets more difficult. Finally, there are many fewer solutions available to protect devices on a train. The difference in architecture often eliminates many readily available IT security solutions. Some protection you might even have to build on your own.
How can the Product Security Officer balance security and innovation?
Innovation is key in a group like Knorr-Bremse. Every year there is an event called Digital Days, where innovative solutions developed in the group are being presented. As we design and manufacture complex components and systems, Knorr-Bremse is leading digital transformation with artificial intelligence applications, smart manufacturing concepts, digital twins, virtual design and testing and much more. In our environment, security by design concepts are essential. It is basically impossible to retrofit a train with some security device after it is built, certified and homologated. You need to include security considerations in the very early stage of every product design, even more so for innovative concepts. The main work of the Product Security Officer must be done already during the design and development phase, as opposed to the CISO, who acts typically on existing IT systems, which cannot be redesigned anymore. Therefore, there is not really a “balancing act” needed in our environment. What we need instead is to be very close to our R&D colleagues and to coach them during the whole lifecycle of their products. In fact, our cybersecurity specialists will typically sit in the various R&D organizations, not in the central IT. The real balance we need is to reconcile generic governance, risk management and security controls with each product platform’s unique needs. Even our organization is adapted to this, with a small central competence center plus specialists in each major product platform, managed in a matrix structure.
What is the best way to foster an image of product cybersecurity being there to support the business rather than just being about the raw technology?
We are having regular information exchanges with our customers, operators and other stakeholders. Sometimes this takes the form of collaborating in standardization bodies like CENELEC or associations like UNIFE to exchange views and optimize our approaches. We have even introduced regular workshops with train builders and operators to create common views and approaches to the required solutions. Again, the Product Security Officer, by the nature of his mission, must be very close to the business, the market, and the sales organization, because we want to primarily sell trust in our solutions. Trust comes from working together and sharing successes.
Following a strictly risk-based approach in developing concepts is also key. An attack on the hand dryer in the train toilet will usually be less risky than one on the main control system – unless the attacker can then move horizontally to the control system. What also helps is the fact that we provide components which are then integrated by train builders into their trains. The trains are operated by fleet operators, which means they become essentially endpoints in their Operational Technology (OT) network. We need to have conversations with all these other stakeholders to understand the real risks at the level of the system and the fleets.
My vision as Product Security Officer is to identify and mitigate security risks at the earliest stage of product design and development. We need to coach the entire lifecycle of our products from cradle to grave. Finally, we need to build trust among our stakeholders – which can be achieved best by remembering that before being engineers we are above all people.