ComSpark Podcast - Steve Kesler, Senior Director Cyber Security for GE Aviation

comSpark Thought Leader

Steve Kesler, Senior Director Cyber Security

GE Aviation

Moderator

Hannah Tucker

LEAD Tribune Media Group

Hello and welcome to the comSpark podcast where you will get to meet today's technology thought leaders. To learn more visit comSpark.tech

Hannah Tucker: We're here today with Steve Kessler, who is the senior director of cybersecurity for GE Aviation, which has about 30,000 employees with locations globally. My name is Hannah Tucker. I am the editorial coordinator for LEAD Tribune Media Group and I will be your guest moderator today. So let's get started. Mr. Kessler, thank you for coming in. We appreciate having you here.

Steve Kessler: Thank you.

HT: So, let's jump right into some of these questions that we have for you. The first one that we have is about development in your company. Today everyone has a smartphone. We use them to do everything. They're a part of our daily life, tablets, computers, everything. And we have an app for literally everything that we do. You know, the flashlight, the clock, everything has an app. So, what are the challenges for you in designing an application?

SK: Look at applications today on all the different platforms you were mentioning. The software development or the way these applications are developed has really changed over the years. It used to be just one big application with a database behind. It had its own login or authentication components to it. Now it's moved into much more of a distributed type architecture, so things like security that I work with quite a bit is now broken up into components and so the whole model of having an account on every system is no longer part of that. So, if you look at Facebook, you look at Instagram and others; I think everyone is seeing the log in with your Facebook credentials or log in with your Instagram credentials. Mobile devices also, as you mentioned, they're broken down into micro applications. This whole idea, and I mentioned the Facebook and Instagram because the idea of sharing your identity across applications becomes a big piece of that and that's how you get -- if you want to share your friends list with another application to enrich or give that metadata to be able to do something with.

You see it a lot in things like your location, and you don't want to give all your information, but you want to share pieces of that. As you develop these applications, security becomes a very key piece of this because now you don't control all the other applications that it interacts with, so things like secure coding, design principles, they all play into how you develop this application. As well as privacy because now you're sharing metadata or other pieces of information about people or process that has to be taken into consideration.

HT: Moving into a less serious question, we all want to know, tell us about your home network. What does your home look like in terms of what you have set up?

SK: So, at GE I really sort of wear two hats. I’m focused on the cyber security engineering piece, so application secure applications is a big piece of that; cloud technologies. The other piece of it is securing our manufacturing assets. So, how do we, all the things we make, how do we make sure cybersecurity's built into that? The term operational technology or Internet of things gets used a lot. In my home environment I actually stepped back from that and took a look and I found out that I didn't know it, but I had over 30 operational technology, or OT, devices on my home network. Roku, TVs, Fitbit, mobile phones and I can keep going down the list. Alarm systems, everything was there. So, I actually broke up my home network and because of security concerns, I could actually see those devices phoning to China, to Russia. They were connecting everywhere without me doing anything. So, people need to pay attention to that as part of it. So, I segregated my home network where those things don't touch, sort of, my other private stuff.

I also have a 17-year-old son who has a mobile phone and he connects to everything. So, he's now on the OT network and we let him connect that way as part of it to protect the rest of it.

HT: Moving into that sort of security realm that you talked about, you mentioned your son's phone specifically. Do we need to be concerned about our personal devices?

SK: Personal device security is definitely one that I think people need to pay attention to. The mobile one's an easy one to understand because nobody wants you to really touch your phone. You've got your entire life on that phone with it. So, you can also start to look at that as these additional, as I mentioned, IoT or OT devices you bring into your house or in your, into your life. They all are collecting data in one way or another about you. There's usage, there's personal information that they can do the new data science or analytics with. So smart browsing and smart protection; I think I'm not allowing certain devices, be careful how you connect some of these devices and home automation type things. They're all great. I use them. It's just being smart in the way you use them. [HT: So being aware] Being aware is probably the big piece.

HT: As far as companies go, as opposed to our personal level of devices, should companies harden all of their devices?

SK: So, that's quite a broad area with it. So if you look at the way companies have handled security in the past, it's been really focused around enterprise applications or, everybody's familiar with servers and workstations, how do I protect those with it? The attackers and the activists with it have gotten much broader so you can think about attacks being either criminal, people wanting to do cyber-crime type things. You can think of it as people wanting to steal intellectual property or activists or hacktivists that have an agenda that they want to push as part of it. I think all those together really have to be taken into consideration around how you protect and harden systems. You need to have a strategy in place to cover comprehensively how you protect your assets and your business.

HT: Lastly, for a company that doesn't have a security or a governance plan, what would you recommend to them, and also where would you say that they should even start?

SK: If a company doesn't have any type of governance or processed cyber plan in place, they need to at least start by understanding the regulatory requirements. So is there anything government or policy that affects my business as part of it? If there is, you need to start looking at how you structure a program and policy around those. If you're in an ungoverned business, then you still have commitments to shareholders and employees and business partners in general with it. So things like basic cyber hygiene, as we refer to it. So do you have good protection on your login accounts? Do people have process in place to make sure they only get access to things they should as part of it? Do I have controls in place to protect personal information, any ERP or financial systems? They all come into play with this and you need to have a plan around that.

HT: Well, Mr. Kessler, thank you so much for your time and thank you for sharing your thoughts with us. Again, this is Hannah Tucker with LEAD Tribune Media Group and Steve Kessler with GE Aviation. To learn more about us, visit comSpark.tech.
