5 Questions on Critical Infrastructure with Lei Fan
Lei Fan, Information Security Manager at Takeda Pharmaceuticals, tells Qatalyst Global about his thoughts on the state of Cyber Security in Critical Infrastructure
What three Cyber Security trends do you see happening within the Critical Infrastructure Industry?
The first trend I see is IoT increasing in the industry. Not only does it impact how manufacturing is done, i.e. controlling systems and them being IP enabled, but the actual product that’s facing the consumer, i.e. smart packaging which collects end user information, is increasing. From production cycle to end user, IoT helps both parties keep track of each other, but it also increases the overall threat level. Information sharing is also another trend. Everybody shares today: hospitals, power grids… these impact human lives and can easily become targets. My third trend would be security investment: highly regulated and threatening environments, such as power grids, need to put investments in their security. New start-ups pop up every day; we need to understand how best they can prioritise their investments in security.
Is the Industry prepared to handle these trends? Or is this a serious issue that needs to be addressed?
It depends on the business; food and pharmaceuticals, for example, are more regulated because of their industry requirements. They’re more likely to save more and invest more in security. Other critical manufacturing industries may not be as up to date because of the different requirements and have less investment in their security to start with. Therefore they might be a little behind. Overall I feel the whole industry is gaining more awareness and moving towards the right direction; some are better than others and some are lagging behind.
From your experience at Takeda Pharmaceuticals, do you think it has become accepted that Cyber Security is no longer just an IT issue, but an issue for a company as a whole?
Oh yes, definitely, definitely. Security in our organisation is called ‘Cyber Security and Risk Management’. Cyber Security is definitely not just a technology thing; it has to be aligned with all the other units in the organisation: Risk Management, Corporate Management, IT Management, Privacy, Regulatory and Legal – all those different units have to be aligned, and at the end of the day I feel we’re solving that business problem, not that technology problem. It’s like auditors: the auditors used to be hated by everybody, they became the cops of a company. But nowadays the trend is that auditing needs to be the enabler of a business, because they really identify the issue and help an organisation to grow. I think the same thing in security is happening right now. Security needs to become an enabler instead of a show stopper.
You are moderating the opening panel at the MANUSEC USA Summit in October, on: ‘An Overview of the Cyber Security Climate for the Manufacturing Industries’. If there is only one key point that you would like the audience to take away from your presentation, what would that be and why?
Right now security is a problem that everybody has. The Critical Manufacturing Industry really is not like the Finance or Insurance industry, we’re dealing with a lot of air and car transactions and things within that nature. The Manufacturing Industry is always manufacturing things; production always comes first. Pharmaceuticals is a little bit different because we also have R&D – we have IT to protect, but I will say that in most manufacturing industries, production is the highest priority. I think the approach or mindset towards cybersecurity needs to be changed to face the very dynamic risk and threat landscape. That would be my vote right now.
Finally, what are you most looking forward to at the event?
I would love to see what our peers are doing at the moment and the information being shared. I’m looking forward to the interaction between the security vendor exhibits, as well as interacting with the security leaders within the industry.