Hall of Fame – Industrial Cybersecurity Beacon Megan Samford

In this segment of the Hall of Fame series, which features in-depth discussions with professionals from the industrial cybersecurity sector, Industrial Cyber is honored to spotlight the contributions of Megan Samford. A notable figure in ICS (industrial control systems) cybersecurity, she has built a career focused on protecting critical infrastructure and maintaining the resilience of essential services. Her knowledge and efforts have established her as a respected authority in the domain.

Samford’s path into ICS cybersecurity began with a strong educational foundation. She holds a bachelor’s degree in homeland security and emergency preparedness and a master’s in public administration, both from Virginia Commonwealth University. That academic grounding laid the groundwork for her career.

Samford found her calling when she recognized that ICS play a vital role in managing essential infrastructure such as power grids, water treatment plants, and manufacturing facilities, and that protecting these systems is paramount to national security and public safety. Her perspective on the security community draws on a diverse background and an interest in applying proven concepts from critical infrastructure protection and emergency management.

Samford is currently vice president and chief product security officer for energy management at Schneider Electric. She advocates a comprehensive approach to ICS cybersecurity that combines technical controls, employee training, and a robust incident response plan to fortify critical infrastructure against cyber threats. This holistic perspective has improved the security posture of the organizations she has worked in and serves as a model for the wider industry.

Samford’s impact extends beyond her day-to-day work. She is a passionate advocate for increased awareness of ICS cybersecurity issues. Samford often speaks at industry conferences, contributes articles to cybersecurity publications, and participates in government and industry working groups dedicated to addressing the unique challenges of securing critical infrastructure.

With a strong belief in the power of collaboration, Samford actively works together with government agencies, private sector organizations, and academia to foster a collective approach to ICS cybersecurity. Her dedication to information sharing and best practices has played a pivotal role in strengthening the national and global cybersecurity landscape.

In a world where the threat to critical infrastructure is ever-present, Samford stands as a beacon of knowledge, leadership, and advocacy. Her educational background, hands-on experience, and commitment to the field make her a formidable force in safeguarding the systems that underpin modern life. As organizations navigate the complex challenges of the digital age, her expertise and dedication continue to be invaluable in protecting the critical infrastructure relied on daily.

Q&A

From your beginnings in the public sector as the Critical Infrastructure Protection Coordinator for the Commonwealth of Virginia to your present role as VP and Chief Product Security Officer at Schneider Electric’s Energy Management business, could you walk us through your professional evolution? Were there specific challenges you encountered transitioning from public service to the corporate world?

I was recruited into cybersecurity based on my experience in critical infrastructure protection and emergency management while working for the Governor’s Office of Virginia. I had connected with General Electric, which ultimately recruited me to lead its fairly new Product Security Incident Response Team (PSIRT). The decision allowed me to continue doing policy work while working in the private sector.

At the time, there was a lot of debate as to whether you could take someone who had done emergency response-related work for the government, which is about protecting life and property, and transition to the private sector, which of course is about protecting life but is also in the business to make money.

The transition took me about a year and was really about learning business drivers as well as public safety drivers. My career has allowed me to work for GE, Rockwell, and Schneider Electric, which are industrial companies that have their foundations in safety. In that sense, the work still felt grounded to me because the mission was the same. While the objective is to ensure security and safety, the approach to achieve this objective varies between government and business. In a business, achieving the objective requires a lot of stakeholder engagement, socialization, and alignment across not only public safety drivers but also business drivers.

How have your public sector experiences influenced your perspective on industrial cybersecurity?

My time in the public sector provided me with a core foundation in security assessments, risk analysis, and risk modeling as well as practical experience in strategy, deployment, and budgeting. In government, we calculate the likelihood of bridges falling over a certain span of life. We do engineering risk analysis for public safety. In the private sector, we are doing the exact same thing: the identification of risks and then the application of control points against those risks. We’ve been doing security the same but with different tools and different drivers.

As the first female CPSO for a leading industrial firm, you’ve set a precedent in the cybersecurity realm. What guidance can you offer to other women aiming for leadership positions in this predominantly male sector?

Take up space. Speak out. Don’t take to heart a lot of the initial criticism you’ll get early in your career for showing passion. It can be jarring for some people to see a female have a loud voice on topics but don’t be scared to contribute, to be present in the moment, and to let your voice be heard. Don’t take criticism about the fact that you are participating in meetings, speaking up, and doing the work.

In your role at Schneider Electric, what are the key challenges and priorities in driving the security strategy for ICS? How do you balance security with the need for operational efficiency in these environments?

Like every other security professional, we prioritize risks. One of the key challenges is addressing both legacy product fleets and new products: figuring out how to secure customers that have legacy environments while, at the same time, looking three or four years ahead and designing the security features and capabilities that the products of the future will need. There is a significant disparity between the security capabilities of legacy products, developed a decade or a decade and a half ago without inherent security features, and those being manufactured today, which boast far more robust security capabilities.

The key is to appropriately size security features. They need to be appropriate for the product, which relates to the environment that the product will be operating within and the functions that it performs. The ability of the end user to be able to operate that product properly over time also needs to be taken into account. The right sizing of the security features is where operational efficiency can be found: you don’t want to overshoot risk, and you certainly never want to undershoot risk. That’s really where the magic of cybersecurity product management as a profession lies.

Throughout your pioneering journey in cybersecurity, have gender-related challenges or experiences stood out? Has your gender ever swayed the perception of your contributions, or has it been largely inconsequential in your career trajectory?

The fact that I am a woman has definitely been a part of my career trajectory. Fewer than 20% of cybersecurity executives are female. Attributes of being a female have helped me: being able to take lots of data points and make pretty quick judgment calls, as well as being able to animate a community and keep people engaged. But there are challenges; it’s much harder when you’re a female in this industry without a name to command presence, to be taken seriously.

With your many roles, including being on the current ISA Executive board, an RSA Conference Program Committee Member, and the founder of ICS4ICS, how do you navigate the complexities of these responsibilities?

It is like being a mother with many children. You love all of your children, and you want to spend as much time as you can with each of them, but at the end of the day, you need to make some judgment calls. I put guardrails in place, so I don’t get stretched too thin. Reading a new white paper and studying something new helps refocus my mind and keep me engaged in the community.

You’ve been instrumental in creating a unified language for addressing cyber incidents in the ICS domain through the ICS4ICS initiative. Could you shed light on the objectives and repercussions of this initiative? How can entities gain from integrating standardized ICS incident response protocols?

Incident Command System for Industrial Control Systems (ICS4ICS) is designed to improve global Industrial Control System cybersecurity incident management capabilities by leveraging the Incident Command System used by first responders worldwide in the context of cyber. The objective is to improve the response structure, define roles, and bolster interoperability.

The incident command system (ICS) improves emergency response efforts in several ways:

a. Standardization: ICS provides a standardized, structured approach to emergency response.

b. Coordination: ICS facilitates coordination and collaboration between multiple agencies and organizations by establishing clear roles, responsibilities, and communication protocols.

c. Flexibility: ICS is a flexible system that can be adapted to respond to different types of incidents, from natural disasters to hazardous materials incidents, to any cyber-related incident.

d. Clear Command Structure: ICS establishes a clear command structure, with a single Incident Commander who is responsible for managing the response effort.

e. Effective Resource Management: ICS facilitates effective resource management by providing a framework for identifying and prioritizing resource needs, and for deploying resources in the most effective manner.

Overall, the incident command system enables organizations to manage emergency response efforts effectively and efficiently.

Given your involvement in various boards and committees, such as the ISA Executive Board and the RSA Conference Program Committee, could you highlight some of the most pressing cybersecurity challenges and trends you see in critical infrastructure protection today?

The biggest trend is modernization: digital transformation and with it, the hyperconnectivity of systems which allows us to create data used for better decision-making. In order to reliably get that data, we have to work towards making these hyperconnected environments secure.

To do so, manufacturers need to ensure that the right level of security is designed into the product from inception. We have to operate both at the product as well as the systems and solution level.

And then finally, perhaps the problem that is holding us back the most is the problem of scale with the workforce. We need more people trained in industrial cybersecurity to help us build the product securely, to help us securely deploy those systems and for the customers to be able to safely own and operate this equipment.

Can you share a particularly memorable or impactful experience from your ICS cybersecurity career?

The standup of ICS4ICS. To now see thousands of people across the world adopting a framework that you created, is an edifying moment, the work of my life. This has changed the way that we run cybersecurity responses globally, improving the outcome of responses and diminishing the suffering that people go through during cyber-attacks. Seeing this idea come to life is something memorable, though we are at the point where I no longer want the program to be identified with me. I no longer want to be a brand for the program because I think that the program has grown so far beyond me as an individual.

The intersection of cybersecurity and critical infrastructure protection is a complex area. Can you share a notable success story or lesson learned from your career that underscores the importance of collaboration between the public and private sectors in securing critical infrastructure?

There are many stories when one works in this field, most that we cannot talk about, but one such story is when I helped get a wind farm back online in India, which was supplying power to a small village. They had already run out of 8 hours of their 12-hour supply of backup fuel for their generator, and these wind farms were helping to power hospitals. This was definitely a success story.

At the end of the day, securing infrastructure is a matter of national security, therefore collaboration between the public and the private sectors is an evident necessity. I have worked for rapid restoration of critical infrastructures, where getting assets back online could possibly have had a life and safety impact both immediately and later on. When considering that 85% of critical infrastructures are owned and operated by the private sector, the fact that the government and the private sector have to collaborate is a no-brainer.

In a rapidly evolving cybersecurity landscape, what are some strategies and best practices that organizations can implement to stay ahead of emerging threats and vulnerabilities, particularly in the industrial sector?

If starting from zero, I always tell organizations that have no programs in place to choose a control framework and apply it. At Schneider Electric we use IEC 62443; NIST could be another one, and there are plenty more. There’s a methodology within these standards that has taken 20 years to write; those standards will provide much more guidance than other solutions. With IEC 62443, different security levels allow us to tailor controls to the changing landscape. We’re constantly reevaluating the right sizing of security capabilities through these security levels based on emerging threats.

Another best practice is to focus on the development community, the people making the products. Baking security into products should not be compliance-driven, but rather it becomes part of how we operate and what our core values are. To do so, we automate security testing, we try to push decision-making down closest to the offer, and we provide the tools and the direction that the development community needs, in order to take action on their piece of the pie.

As someone deeply engaged in the industrial cybersecurity community, what do you believe are the key skills and qualities that aspiring professionals should cultivate to excel in the field of industrial control systems security?

Internal processing capability: your ability to take in large amounts of data and learn new things. One aspect to highlight also is that to have friends, you must be a good friend. You need to connect with different people because we are such a small community; we trip over each other all the time. We also benefit from this, however: when we want to push hard in a certain area, the community can really get behind something. That is what we saw with ICS4ICS, where something went from being a fledgling idea to a program that has scaled globally in a matter of two years.

Could you share your insights on how organizations can foster a culture of cybersecurity awareness and resilience among their employees, from the shop floor to the boardroom?

Culture is both about the behaviors that an organization wants to promote, as well as the really bad behaviors that organizations tolerate. To change a culture, it takes a very long time. This is especially true for cybersecurity because it’s a complex field. It is what one could call a scary field, and quite frankly, cybersecurity as an industry likes to perpetuate this mysticism and exclusivity. The right thing to do is to democratize cybersecurity in the same way that we democratized safety in the 60s and 70s. No one questions the need to have things in place for safety and cybersecurity is on that same journey. Cybersecurity is a disaster science, though it doesn’t know it yet.

Peering into the future, how do you perceive the trajectory of ICS security? What role do you foresee for nascent technologies like AI and blockchain in bolstering critical infrastructure protection?

We are going to see more hyperconnectivity, and see more interesting IT capabilities come into the OT environment. Customers are going to want transparency in the design of their product, and their security capabilities, and they’re going to ask for more turnkey solutions.

In terms of nascent technologies such as AI, industrial environments are the perfect environments for AI because they’re static environments. Data models can easily be studied over thousands of hours of field and device data. Models can be generated so that when we see anomalous behavior in an environment, the AI will be able to pick that up. We know what the baseline is, and the AI can detect anomalous behavior that it believes could likely be a cyberattack, enabling quicker response, isolation, and mitigation. Interesting times ahead!
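The baseline-then-deviation idea in the answer above, shown as an added example that is not part of the interview and not Schneider Electric code. It stands in a simple statistical model for the learned "AI" model: a per-tag baseline (mean and spread) is learned from a window of readings taken during known-normal operation, and live readings are then scored against it. The tag names (PUMP1_RPM, TANK1_LEVEL_PCT, CHLORINE_SP_PPM, PUMP9_RPM) and all readings are constructed for the illustration. It also handles two cases a practitioner hits immediately in OT data: a tag that never moved during the baseline window (a setpoint), where a z-score would divide by zero and where any change at all is the signal, and a tag that was never seen during the baseline period.

```python
"""Baseline-and-deviation anomaly detection over constructed OT telemetry.

Added illustration only; per-tag mean/stdev stands in for a trained model.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline window: (tag, value) pairs from a "normal" period.
# Tag names are hypothetical: a pump speed, a tank level and a fixed setpoint.
BASELINE_READINGS = [
    ("PUMP1_RPM", 1480.0), ("PUMP1_RPM", 1495.0), ("PUMP1_RPM", 1510.0),
    ("PUMP1_RPM", 1502.0), ("PUMP1_RPM", 1488.0), ("PUMP1_RPM", 1499.0),
    ("TANK1_LEVEL_PCT", 62.0), ("TANK1_LEVEL_PCT", 63.5), ("TANK1_LEVEL_PCT", 61.0),
    ("TANK1_LEVEL_PCT", 64.0), ("TANK1_LEVEL_PCT", 62.5), ("TANK1_LEVEL_PCT", 63.0),
    ("CHLORINE_SP_PPM", 1.5), ("CHLORINE_SP_PPM", 1.5), ("CHLORINE_SP_PPM", 1.5),
    ("CHLORINE_SP_PPM", 1.5), ("CHLORINE_SP_PPM", 1.5), ("CHLORINE_SP_PPM", 1.5),
]


@dataclass(frozen=True)
class TagBaseline:
    mean: float
    stdev: float   # 0.0 for a tag that never moved during the baseline window
    samples: int


def learn_baseline(readings, min_samples=5):
    """Per-tag mean and population stdev; tags with too few samples are skipped."""
    by_tag = {}
    for tag, value in readings:
        by_tag.setdefault(tag, []).append(float(value))
    return {
        tag: TagBaseline(mean(vals), pstdev(vals), len(vals))
        for tag, vals in by_tag.items()
        if len(vals) >= min_samples
    }


def score_reading(baseline, tag, value, z_threshold=3.0):
    """Return (is_anomalous, reason) for one live reading."""
    tb = baseline.get(tag)
    if tb is None:
        # Never seen during the baseline period: new device, renamed tag,
        # or injected traffic. Flag it rather than silently ignore it.
        return True, "unknown tag"
    if tb.stdev == 0.0:
        # Static tag (e.g. a setpoint): a z-score would divide by zero here,
        # and any change at all is the deviation worth reporting.
        changed = value != tb.mean
        return changed, "static tag changed" if changed else "ok"
    z = abs(value - tb.mean) / tb.stdev
    hit = z > z_threshold
    return hit, f"z={z:.1f}" if hit else "ok"


def detect(baseline, live_readings, z_threshold=3.0):
    """Return the list of (tag, value, reason) flagged as anomalous, in input order."""
    flagged = []
    for tag, value in live_readings:
        hit, reason = score_reading(baseline, tag, value, z_threshold)
        if hit:
            flagged.append((tag, value, reason))
    return flagged


# Constructed live readings: a normal pump reading, a normal tank level,
# a chlorine setpoint silently raised, a pump far outside its band, and
# a tag that was never part of the baseline.
LIVE_READINGS = [
    ("PUMP1_RPM", 1505.0),
    ("TANK1_LEVEL_PCT", 62.8),
    ("CHLORINE_SP_PPM", 11.5),
    ("PUMP1_RPM", 3200.0),
    ("PUMP9_RPM", 1500.0),
]

if __name__ == "__main__":
    bl = learn_baseline(BASELINE_READINGS)
    for tag, value, reason in detect(bl, LIVE_READINGS):
        print(f"ANOMALY {tag}={value} ({reason})")
```

The threshold and the minimum sample count are the two knobs that decide how much of the "thousands of hours" of field data is needed before alerts are trustworthy; in practice the baseline is relearned per operating mode (startup, steady state, maintenance), since a single mean and spread across modes produces either constant false positives or a band wide enough to hide a real manipulation.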
