Much has been written and debated regarding communicating cyber risk to boards and other key corporate decision makers. Conveying to a non-technical audience the criticality of cyber vulnerabilities in IT systems that support business functions can be a daunting task; but what if the systems don’t just support the business, what if they are the business?
For businesses who supply critical services and infrastructure to their customers, risk to the control systems from a cyber source is a relatively new concept, and industrial cyber risk dramatically increases the severity of worst-case scenarios. Information technology that supports business functions and protects confidential enterprise data is increasingly integrated into the very control systems upon which essential services rely.
So for operators of power generation plants, rail signaling networks, offshore E&P, petrochemical refineries, and airport operations systems, what should be the difference in approach and substance when communicating cyber risk to industrial operations versus communicating traditional IT cyber risk?
Above all, it is counterproductive to see cyber risk to industrial systems as solely an IT issue for two reasons:
- The consequences of cyber breach do not stop at compromised data, but can extend into the physical world: equipment damage, explosions, service downtime, casualties at the site and environmental incidents.
- The business functions impacted in an industrial cyber breach include not only information technology but all the functions of the enterprise: operations, human resources, compliance, legal, and continuity of services.
To be more effective at communicating the scale of disruptive effects of industrial cyber risk, it is important to focus on physical consequences and wider business impacts of a potential cyber breach of industrial control systems.
NOT A MATTER OF INTERPRETATION
An effective way to illustrate industrial cyber risk is to use examples of real cyber attack incidents as well as international regulations and guidance for your specific industry. When citing example industrial cyber incidents keep this perspective as global as possible, as geographic boundaries are no hindrance for malicious cyber actors.
In a safety-conscious organization, everyone understands the impact of compromised control systems – what is important to communicate is that it is immaterial whether compromise comes from negligence, human error, poor processes or cyber. Compromised control systems mean that an adversary has directly or indirectly taken control of operational equipment – and that it is imperative to control for the risk between network attack channels.
When we reach the point where everyone in the room understands this risk and the conversation evolves to risk mitigation, the focus from an industrial risk perspective must be on prevention. The discussion around cyber attacks should focus less on the mutable list of vulnerabilities we can detect within the ICS network, and more on preventing attackers from using widely-available attack capabilities to reach into our networks to exploit those vulnerabilities.
ATTACK EXPOSURE: CAPABILITY OVER MOTIVATION
When considering attacks and consequences, expect objections from stakeholders such as, “who would want to attack us?”, or “why would anyone want to attack us?”, or even “we haven’t seen that type of threat in our country.” There is a flaw in this line of thinking: motivations can change overnight. We can’t control the what, why or where of cyber attacks, but we can control which capabilities we defend against. The first step towards a robust security posture is understanding the depth and breadth of cyber risk to industrial systems; if we set the security bar high enough and even sophisticated attacks can be reliably defeated. Nothing happens until we set the bar for our enterprise though – it all starts with communicating risk.
In summary, to effectively communicate industrial cyber risk and its impact on a company, remember the following:
- Industrial cyber risk is not about protecting against disruptions to data – but protecting against disruptions to physical operations – which have far-reaching impacts on the business as a whole;
- Treat cyber risk as any other physical risk to the correct functioning of control systems: cyber defense is another mandatory measure that must be in place just as are physical measures such as ”guards, gates and guns,” and
- When dealing with push-back from decision-makers, remember that cyber risk is not about why an attack would happen, but about what damage and disruption is possible when, not if, widely-available attack capabilities are used against us.
Safe and reliable physical operations are the priority at all industrial sites. Cybersecurity is essential to safety and to reliability.