Deteriorating cybersecurity landscape brings increased participation by board of directors in ICS decision-making

The acceleration of digitization, the spike in cyber breaches, and tightening regulatory requirements have pushed boards of directors across operational environments to ensure that the ‘tone at the top’ supports robust cyber risk management programs that protect key assets, while building mechanisms for critical ICS decision-making. Cyber incidents and breaches cannot be eliminated, but their impact on the organization and its surrounding ecosystem can be limited by applying a ‘secure by design’ approach to every decision management takes.

McKinsey identifies several factors driving the shift in board involvement: the growing number of cybersecurity attacks and incidents making headlines, regulators increasingly holding companies accountable for gaps in their cyber resilience, and rising cybersecurity and technology investment.

These pressures have left many boards looking for direction, taking cues from organizations that have already begun pursuing a cybersecurity and technology risk-management strategy integrated with business operations. Such strategies typically integrate cybersecurity and technology risk with operational risk and resilience, give the board the right tools to assess cybersecurity and technology risk, and ensure that board members have the necessary knowledge and skills.

For a board of directors, exercising oversight of cybersecurity risk management is also critical to avoid liability and litigation with severe consequences. Cyber breaches have prompted boards and senior leadership to emphasize cyber risk, primarily because of the organization-wide implications these incidents carry. Beyond the direct cost of a breach, which can itself be staggering, there is the added burden of reputational and litigation losses and the effect on the overall functioning of the organization.

As cybercrime becomes increasingly industrialized, vulnerabilities are identified by one set of groups and the information is then shared or sold to other criminal groups. Those groups can, in effect, lease ransomware in exchange for a percentage of the profits and deploy it against victims, enabling a massive increase in both the volume and the sophistication of attacks.

It would also be prudent for the board to pay attention to the tenets of the SRP (Safety-Reliability-Productivity) triad. Safety is addressed by ensuring that the ICS (industrial control system) architecture is correctly designed, so that software bugs, hardware failures, sensor problems, or incorrect actions by an authorized person cannot push the process into unstable, risky, or unsafe conditions. Reliability requires an ICS architecture that keeps the entire plant running without failure and without uncontrolled outages, whatever the cause. Finally, the productivity factor covers the operating cost of the plant and its ability to deliver the required level of profit.

Industrial Cyber discusses with industry experts the biggest challenges boards face in ICS decision-making, and how organizations can best overcome them in a threat landscape marred by cybersecurity attacks and vulnerabilities.

Sharon Chand, a principal at Deloitte & Touche LLP and the secure supply chain leader for the cyber practice of Deloitte Risk & Financial Advisory

As a board of directors tackles ICS decision-making, it has two big challenges to wrestle with – governance and visibility, Sharon Chand, a principal at Deloitte & Touche LLP and the secure supply chain leader for the cyber practice of Deloitte Risk & Financial Advisory, told Industrial Cyber.

“Often, the governance responsibilities for ICS security are not clear – is the IT team responsible? The CISO? The operations and business leaders that run the Industrial Control Systems? Boards should begin by asking management to provide a clear operational model governing the cybersecurity of these critical ICS assets,” she added.

Addressing cyber risk must begin with understanding what ICS assets the company has, where they are, and what business value they provide to the enterprise, Chand said. “By their very nature, ICS assets are distributed and embedded across a company’s landscape. Management should leverage emerging technology solutions to discover and provide visibility into what ICS/operational technology means to the company,” she added.

Marty Edwards, deputy CTO for OT/IoT at Tenable

Rapid digital transformation within organizations has expanded the attack surface and increased susceptibility to threats, Marty Edwards, deputy CTO for OT/IoT at Tenable, told Industrial Cyber. “In OT, connectivity to IT systems and networks is a comparatively new phenomenon and often involves updating legacy industrial systems with modern connectivity solutions in order to improve efficiency. This convergence of IT and OT infrastructure is transforming how critical infrastructure organizations operate, and it’s also increasing risk in the process – making full visibility of all assets absolutely paramount.”

“While this may sound easy and logical, it’s harder to do in practice. The weakest link is often a 20-year-old system that’s tucked away in a closet or hidden under a desk, and that was once installed as a stopgap and promptly forgotten, so it’s underprotected,” Edwards said. “Without complete visibility of all systems, it will be difficult for the board to allocate resources to keep the crown jewels of the organization secured.”

Paul Smith, CTO at SCADAfence

“One of the biggest challenges I find when conversing with various boards and board members in regards to ICS decision-making is the quantifying of ROI (return on investment) with present solutions,” Paul Smith, CTO at SCADAfence, told Industrial Cyber. “When weighing the cost-benefit analysis, it was inferred that the sum of the costs typically outweighed the sum of the benefits as most often organizations had no record of market disruption from cyber attacks or they simply indicated that their cyber insurance coverage would take care and cover their risk and exposure.”  

Smith added that lately, with the threat landscape changing and more industry-similar attacks happening, board members are starting to understand better the cost behind business interruption and what incident response and remediation can cost an organization.

Asked how the factors shaping the board’s ICS decision-making have evolved as cybersecurity incidents have increased, Chand said that ICS expands the lens the board must use when working with management on decisions during cybersecurity incidents. “The impacts of an ICS cybersecurity incident are likely to be broader than ‘just’ the IT ransomware decision making they’ve prepared for – now they must consider impact to life/safety, the ability to continue safe business operations, additional downstream impacts to their third parties and customers, and more,” she added.

“Not too long ago, the board really wasn’t aware of issues facing control systems and operational technology,” Edwards said. “In recent years, devastating attacks such as ransomware have crippled many businesses’ ability to manufacture or deliver their product or services. This increased attention to detail by those with fiduciary responsibility is causing them to ask questions such as ‘are our OT systems exposed to threats from the internet?’” he added.

Edwards said, “My advice is to be ready to provide details when that question is asked, as replying ‘I don’t know’ is not going to be very well received.”

“Qualitatively, the factors have changed that directly affect the ICS decision-making of the board,” Smith said. In the past, it came down to strict ROI and capital expenditure preventing or inhibiting budgeted projects, he added. 

Smith also pointed out that boards now factor in several items, such as the cost of business interruption, in terms of total loss of revenue combined with downtime for IR (incident response) and remediation. He also included insurance exposure and coverage, and whether insurers require specific equipment, detection tools, processes, and procedures to validate insurance policies. Further, he added, boards now ask about insurance carrier denials for similarly operating businesses, that is, whether any competitors have been denied cyber risk insurance because of their threat landscape exposure.

As boards look at their next moves, McKinsey also said they could take cues from more advanced firms starting to adopt a cybersecurity and technology risk-management strategy informed by business operations. These firms are integrating their efforts to control cybersecurity and technology risks with operational risks and resilience. They are giving their boards new views of information to help them assess cyber risks against the enterprise’s risk tolerance and ensure that board members have the knowledge to oversee these activities.

The prevailing threat landscape has made it essential to assess how board members weigh cyber risk in the industrial enterprise and how much the process has changed over the last 24 months considering recent attacks and legislative focus on the space.

“It is critical to understand where ICS assets sit across the enterprise and what business value those assets provide,” Deloitte’s Chand said. “Quantification of risk should combine the business context along with the cyber threat landscape, regulatory and legislative requirements, and mitigating controls that the business may have in place,” she added. 

“Additionally, consider the criticality of securing ICS systems and how that supports the mission of the company. For example, as a producer of alternative energy equipment, would an ICS cyber attack cause irreparable damage to my brand reputation?” Chand asked.

Edwards said cybersecurity needs to be intrinsically linked to business goals to weigh cyber risk effectively. “To do this, security leaders must work with their business partners and the board to understand exactly what it is the business unit does and identify what services, applications, and OT/ICS systems are critical to accomplishing core business tasks. This allows the security team to determine where to focus protection efforts.” 

Perhaps even more importantly, this helps clarify who the asset owners are in the organization should an incident arise, enabling information security teams to respond more quickly to limit the damage, according to Edwards. “Few security organizations use metrics that speak to business risk. By cultivating and consuming cybersecurity metrics for both return on investment (ROI) and the impact on business performance, security leaders will be able to show added value such as risk reduction over time,” he added.

“I would say that the primary metric has been the idea of how many like-design industry players have been breached and what was their direct business interruption cost. This would help them weigh their cyber risk exposure,” SCADAfence’s Smith said. “Now, in the last 24 months, that has drastically changed as we have seen pipeline companies, cogeneration, water treatment, healthcare, building management, and others all get hit in some form or another. It is no longer a case of being industry obscure as every organization has direct attack exposure.”

Asked how the board’s ICS decision-making has been affected by the growing number and sophistication of cyber adversaries targeting the ICS environment, Chand said, “we have seen the rapid emergence of new threats and creative attack vectors targeting the ICS environment, while the existing (traditional) IT cyber threats continue to grow. It’s important to remember that ICS security isn’t ‘instead of’ the existing focus, but rather it’s ‘in addition to.’”

“With cybercriminals becoming more sophisticated and more aggressive in their attacks, there’s a growing concern among cybersecurity practitioners that businesses are not investing in OT security as much as they should,” Tenable’s Edwards said. “OT security must be prioritized, but often it is not. Companies’ percentage of investment in OT security is relatively a small fraction of their overall IT security investments.” 

However, according to Edwards, OT environments are as critical, if not more, to businesses’ operations and warrant a lot more investments. “Decision-making is a matter of prioritizing and committing to investing in the right people, processes, and technology to get the job done,” he added.

“There has definitely been a perceived mood change in the way board members are addressing ICS decision-making in the sense that the traditional business interruption models of cyber risk insurance as a safety net no longer provide complete coverage for the ever-increasing sophistication of attacks being launched by threat actors,” Smith said. 

“A specific case would be Elon Musk and the board encouraging attacks against Starlink in the early days of the launch, as they provided Ukraine with terminals; their attitude and demeanor have now changed after it became public knowledge that a $25 COTS (Commercial Off The Shelf) device, when connected, would allow the attacker to gain access to the entire network, including the administrative backbone,” he concluded.
