Another big problem with OT cyber risk is that while we were automating and increasing the sophistication of our operations, our enemies were automating as well and increasing the sophistication of their attacks and attack tools. A recent report showed that before 2019, it was rare to have more than one or two cyber attacks per year that caused physical consequences in manufacturing or critical industrial infrastructures. Since the turn of the decade however, ransomware attacks with physical consequences have more than doubled every year. It will take only another few doublings for cyber attacks to become a serious, widespread impediment to correct, continuous and efficient industrial operations. Today, no expert believes that we will ever return to a state where we suffer only one or two cyber attacks per year with physical consequences.

A second data point for attack automation – both Microsoft and Sentinel Labs are reporting that the high end of ransomware groups are buying and selling sophisticated attack tools and technologies from and to nation states. The high end of ransomware attacks have become effectively indistinguishable from nation state attacks. In decades past, many of us might have thought “oh, I don’t know – is this facility really important enough to be the target of a nation state to attack?” Today, ransomware attacks everyone with money. Do we have money? Yes? Then we’re likely to be a target of nation-state-style attacks, either from true nation states or from the high end of ransomware.

The same is true in IT networks. In those networks, cybersecurity attacks, monitoring and other defenses are in constant change, as defenders seek to invest optimally and minimally to stay one step ahead of their attackers. This constant change, however, is a poor fit for many industrial environments where engineers must strictly manage change, to control risks to safe and reliable operations. An extreme example – in Germany, it is illegal to apply patches and security updates to automation systems in passenger trains without submitting a safety case for the change to the regulator. Looking even deeper, in the most consequential systems and industries, staying one step ahead of our attackers is a poor fit for our need to assure correct and reliable operations over the entire decades-long expected lifetime of our investments in physical infrastructures.

All this means that today, board members and executives may have a very hard time discharging their obligations to manage exposures to cyber risks. When a CISO reports to the board that they invest steadily in reducing OT cyber risk, how is the board to know if that executive is talking about investments in slow-moving government initiatives, in “constant change” initiatives that may be difficult to apply to the most consequential industrial operations, or in engineering-centric mechanisms that take some, but never all, cyber risk entirely off the table. Board members need to stop asking “have we got this covered?” and start asking more specific questions.

To read further on OT cyber threats, remediations and the tough “how much is enough” question that boards, executives and managers must all answer, click here to request a free copy of the author’s latest book: Engineering-Grade OT Security: A manager’s guide.