Navigating strategic risk management, decision-making at board level across OT environments for cyber resilience

As industries increasingly adopt and rely on digital infrastructure, the potential for catastrophic cyberattacks and system failures in critical infrastructure and operational technology (OT) environments has also grown significantly. This has made it crucial to ensure appropriate strategic risk management and decision-making across OT environments at the board level.

Boards are increasingly urged to understand the risks specific to OT environments, including cyberattacks, equipment failures, and supply chain disruptions. Doing so means engaging OT experts, drawing on threat intelligence, and conducting regular security audits to stay informed and proactive. Robust strategic risk management and decision-making in OT environments are vital for safeguarding critical infrastructure and ensuring business continuity in an increasingly digital world; boards should treat OT security as a strategic imperative that demands continuous attention and investment.

Professional services firm EY reported in June that geopolitical events, supply chain disruption, people and culture issues, and climate change have risen on the risk agenda for boards. It also said that boards need to do more to oversee their organization's most material risks, modernize their governance structures, and adapt to emerging technology, and that boards should challenge management to proactively identify, react to, and capitalize on changes in the business environment before they become risks.

Industrial Cyber reached out to industrial cybersecurity experts to identify the primary obstacles boards face when evaluating strategic risks in OT environments, and to ask how addressing those obstacles supports effective board-level decision-making for OT.

Joe Doetzl, head of cybersecurity at Hitachi Energy

“Fundamentally, I believe Boards are challenged to understand OT cybersecurity risks as an enterprise-level risk, not just as an IT-related risk,” Joe Doetzl, head of cybersecurity at Hitachi Energy, told Industrial Cyber. “We need to do more to educate all levels of the organization, including the Board about these risks. It is challenging for security executives to translate the technical risks into enterprise-level risk that resonates with the Board.” 

Doetzl added that OT systems are often more critical to operations than IT systems as they control the physical processes that keep the business running, such as power grids. “The Board must understand that OT risks go beyond the IT department and impact the entire business value chain.”

Rich Springer, marketing director of OT solutions at Fortinet

OT organizations face challenges from an ever-expanding threat landscape, new government regulations worldwide, increasing compliance complexity, and the cybersecurity skills gap that makes it difficult to fulfill OT and IT staffing needs, Rich Springer, marketing director of OT solutions at Fortinet, told Industrial Cyber. 

“Due to recent production and safety-related events, the risk associated with OT cybersecurity and production loss have risen to the executive level,” according to Springer. “In the past, when discussions took place among an organization’s leadership, CISOs spoke from a risk perspective, while CIOs were more in tune with the business view. But because of the convergence of IT and OT and the impact on production, these conversations need to change to include operational roles such as the COO.” 

Springer added that to protect the entire organization, getting the perspective of all stakeholders is necessary and OT and production leaders need to be included in these conversations more than ever.

John Cusimano, vice president for OT cybersecurity at Armexa

“In our experience, the biggest obstacle for Boards (and Executives) for understanding Operations (e.g., production, manufacturing) cyber risk is that the people who truly understand OT and OT security risks are buried too far down in the organization to have any real hope of reaching and influencing the board,” John Cusimano, vice president for OT cybersecurity at Armexa, told Industrial Cyber. “And the CISO, who is an IT professional, does not understand, nor can he/she hope to manage, (and often does not want to manage) Operations-level risks. Consequently, operations cybersecurity is typically understaffed and underfunded relative to the potential magnitude and impact of an OT cyber incident. In other words, the CISO gets all the attention, and the budget and staff, even though the greater consequences are in the operations. It’s backward.”

Cusimano added that if boards want to understand and evaluate operations/OT risks, then they must require that the executive team appoint a dedicated operations cybersecurity director, and this person must be a peer and collaborator with the CISO. 

“Ideally, they would co-present to the board. Without such a dedicated person who has executive-level visibility and sponsorship, they will never get a true picture of Operations cyber risk. If you want to understand information security risk, you can ask the CISO – but if you want to understand operations cyber risk, you can’t ask the CISO, he/she is NOT the expert. You need to ask the operations cybersecurity director.”

He also pointed out that more and more companies are recognizing this and creating dedicated roles for OT cybersecurity directors or even OT-CISOs.

Cusimano also highlighted another challenge, largely due to the lack of a dedicated operations cybersecurity director, “is that it is very difficult for boards to get a meaningful picture of the actual cybersecurity risks to their OT environments. The data they get is typically compiled by big external consultants brought in by CISOs to conduct assessments like they do for IT.” 

“Effective decision-making starts with understanding how OT risk is different from information security risk. In OT, we are concerned with managing cyber threats to health, safety, environmental and operations integrity,” according to Cusimano. “The best way to address these challenges is to take a different approach to assessing OT cybersecurity risk than most organizations are doing today. Fortunately, guidance on the proper way to conduct OT risk assessments is available in industry standards, such as ISA/IEC 62443-3-2, NIST 800-82, and ISA TR84.00.09.” 

Gustav Sandberg, vice president and head of business area cyber security at AFRY, told Industrial Cyber that when evaluating risk in OT environments, boards and executive leaders are often confronted with a complex system landscape with many unknown dependencies, both internally and in the supply chain. 

Gustav Sandberg, vice president and head of business area cyber security at AFRY

“Understanding both vulnerabilities and consequences is difficult, one is often forced to look at dimensioning worst cases and dimensioning high probability cases while not fully understanding the underlying mechanics that could cause them. By nature, it then becomes very difficult to take action to mitigate these risks as they are not well defined,” according to Sandberg. “Assessing cyber risk in OT environments also needs to take into account a threat actor whose intentions and capabilities to attack one’s own business is often unknown, adding even more uncertainty.”

Sandberg added that many different categories of risks are presented to boards, not only relating to OT security. “This makes it very important, as well as challenging, to have some way of comparing these risks and understanding any potential inter-dependencies. Boards need to make sure that resources spent on risk remediation provide maximum value. Addressing these challenges means investing in understanding your OT environment, its vulnerabilities, and associated risks to your business.”

The executives next assess how senior management and the board are involved in identifying and prioritizing strategic risks in OT environments, and how the board ensures it has the expertise and knowledge needed to make well-informed decisions on strategic risk management in OT environments.

Doetzl said that the level of cybersecurity expertise and the involvement of senior management in risk management decisions is continuously growing. “This is driven by the severity of the impact of cyber events in OT environments and regulatory drivers, like what we are seeing in the US requiring a certain level of cybersecurity expertise at the Board level. Boards have a tremendous amount of responsibility and work to do to ensure that they have access to a high level of cybersecurity expertise and to ensure that cybersecurity risks are thoroughly understood and discussed. We are seeing many Boards form specific cybersecurity committees.”

“Adequate security measures, system controls, and resources should already be in place to ensure the organization is well prepared,” according to Doetzl. “After identifying the possible risks and opportunities, the Board is responsible for developing and implementing appropriate risk responses and processes. Internal communication between the Board, senior management, and other stakeholders plays an important role in ensuring that risk management actions are done effectively and on a timely basis.”

Springer said that across the organization, leaders must foster a balance between compliance, security, and production risk mitigation to ensure that all three areas are a priority. “Broadly, it will require educating others on the importance of all three areas of concern.”

“Tactically, skilled cybersecurity resources are difficult to find. In OT, professionals often follow one of two paths. They are either in cybersecurity with an OT mindset, or they are automation engineers who are given security requirements,” according to Springer. “It’s very difficult to find someone with real-world experience in both security and OT. Thus it’s important to include IT expertise and knowledge share for common security solutions and to fill the gaps. Although many organizations don’t have the resources to do cross-training, management needs to get on board to provide appropriate cybersecurity training and experience in both IT and OT.”

Cusimano pointed out that executive management and boards don’t currently have a very good understanding of real OT risks. “As stated above, they tend to rely on their CISOs to evaluate this risk and many CISOs don’t have a good understanding of operational environments and OT systems. Furthermore, when CISOs attempt to assess and rank OT risk they often reach out to big external cybersecurity consultants who themselves don’t really understand operational environments and OT systems.”

“Additionally, senior management and the board need to understand the financial and business risks of OT cyber incidents that could cause health, safety, environmental, and operations disruptions,” according to Cusimano. “These risk scenarios must be presented to them in a manner where they can make informed judgements about the necessary investments in risk management. Usually, these risks are quantified and communicated as a combination of potential revenue impacts, and safety and environmental impacts.” 

He added that the cyber PHA methodology, based on the ISA/IEC 62443-3-2 standard, is perfect for this kind of quantification. “Appoint a dedicated Operations Cybersecurity role and conduct consequence-based risk assessments, such as Cyber PHA, per the guidance provided in ISA/IEC 62443-3-2.”

Cusimano recommended appointing “a dedicated operations cybersecurity role and hiring consultants with actual OT experience and the skills to conduct OT cybersecurity assessments per the requirements in ISA/IEC 62443-3-2. Require participation by a well-rounded group of stakeholders (e.g. Operations, IT, OT, EH&S).”

Sandberg mentioned that although OT security is becoming a more frequent topic in boardrooms, there is still quite a lot of confusion on what cyber security is to an industry company. “A lot of companies consider cyber security a confidentiality problem only when often much larger consequences could arise from a loss of availability of IT or OT systems. This old way of looking at cyber security, with a too large focus on information and too little on process and production is deeply embedded in decision-makers and cyber security professionals.”

“The board needs to consider the fact that cyber security has an impact not only on the company’s information but also on its production,” Sandberg highlighted. “To illustrate one could think of a worst-case scenario for a cyber-attack being the same as a catastrophic fire in the factory. The board must make sure that it is absolutely clear who is responsible for what in regard to Information, IT, and OT security – securing information and securing continuous production.”

The executives then outline proactive measures senior management and boards can take to identify emerging risks in OT environments and align their decision-making processes accordingly, and consider how to ensure a strategic approach to cyber risk management is adopted across the entire organization.

At the board level, directors should ensure that management has implemented an appropriate risk management framework that adequately considers OT cybersecurity risks, Doetzl said. “There are multiple frameworks to consider, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the ISO 27000 family of standards. These standards help organizations identify and mitigate risks by implementing more efficient and effective security controls.” 

Doetzl also pointed to the traditional three lines of defense model, which organizations increasingly adopt to structure their risk management capabilities so that internal audit can provide a high level of assurance that risk management practices are operating effectively. “While the three lines of defense model has its critics, it is a flexible framework that can be adapted to meet specific needs.”

Springer said that cyber risk identification starts with engaging security professionals such as the CIO or CISO. Since implementing security in OT is often new territory for an organization, the NIST CSF or the CIS Critical Security Controls (formerly the CIS Top 20) can provide a high-level framework for deploying and measuring OT security. 

“As the OT security policy broadens and matures, convergence of IT and OT security operations can enable a consistent and efficient mitigation of cyber risk,” according to Springer. “In parallel, the inclusion of the COO or operational leader will ensure that safety and production priorities are interwoven in the cybersecurity policy.” 

Lastly, Springer said that companies should assess their vendors and their ability to meet strategic goals. “Most vendors offer single solutions. A strategic vendor will provide a platform that will enable your growing security strategy long term. With this approach, companies can mitigate their security and production risk while evolving towards IT and OT convergence of security operations while reducing vendor management by partnering with a platform vendor.”

“The most and best proactive thing the board could do would be to require regular Cyber PHA style OT risk assessments and to translate these assessments into quantified risk scenarios,” Cusimano said. “Once the board has the scenarios in hand, they can ask the Security Director to develop and implement an Operations-specific cybersecurity risk management strategic plan to address the highest risk scenarios. They must then provide support and funding for implementation of the plan and monitoring its effectiveness.”

He said that the Board should appoint an executive Cybersecurity Governance Board (CGB) who will direct and oversee the execution of the Program Plan. “The CGB ideally would include the Operations Executive, the Engineering Executive, the CIO, and the CFO. In turn, the CISO and the Operations Cybersecurity Director (OCD) or OT-CISO would be peers, and both report on their respective Program progress to the CGB. It is imperative that the board recognizes that there must be TWO Programs, one for Corporate IT headed by the CISO and one for operations headed by the OCD or OT-CISO.” 

Cusimano added that this ‘two programs’ idea is probably an initial stumbling block for the Board to understand, but it will become clear to them if they can see the quantified risks to the operations, and understand that the risk management plan must be tailored to the environment (IT or OT).

“Make sure that responsibilities and accountability are clear and that sufficient support is given. Thereafter, adopt a proactive and risk-based approach to addressing cyber challenges in OT environments. Early on, address the need for educating staff,” Sandberg said. “It makes a lot of sense for senior managers and board members to seek outside advice. Almost like a personal coach on these complex matters that can support a more forward-leaning approach to cyber risk management.”

The executives evaluate decision-making frameworks or methodologies that boards can employ to evaluate and mitigate strategic risks unique to OT environments. They also address the crucial factors that boards must consider when assessing the influence of cyber risks on the overall business strategy. 

The NIST Cybersecurity Framework is widely used for evaluating and managing cybersecurity risk as it is comprehensive, inclusive, and flexible enough to accommodate cybersecurity risks across both IT and OT, Doetzl said. “It is also complementary to other frameworks, such as ISO 27001. The crucial success factor is for the board and senior management to recognize that these risks must be treated and managed at the enterprise level as part of its license to operate.”

“On the influence of cyber risks on the overall business strategy, there should be a comprehensive inventory of all IT assets that the company or the organization possesses, including its internal systems, devices, data, applications, and processes, and even ensuring that all personnel have been provided proper training to use them,” according to Doetzl. “A thorough and complete understanding of the likelihood of a breach as well as the impact it can create is essential.”

Springer said that discussions of risk need to be a business conversation that looks at the risk versus the amount of time and resources it takes to address the issue. “For example, let’s consider patching vulnerable devices. Patching is a big challenge in OT due to the lack or delay of patches, production needs, or fear of device failure and lack of a replacement. An organization may want to assume the risk of a given vulnerability due to presumed low probability of a cyber event. For those production-sensitive devices or where the probability is high, patching still may not be possible.” 

In this scenario, Springer added that mitigating efforts such as segmentation, micro-segmentation, virtual patching or shielding and deception can offer greater levels of defense for high-risk and vulnerable devices. “Organizations should not waste time, resources, and money on fixing a vulnerability that’s not a high priority. Thus, vulnerabilities need to be prioritized by cyber and production risk factors, when and if the device can be patched, and if not, what mitigative security solutions can be readily deployed to safeguard high-risk and vulnerable OT devices.”
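The patch-or-mitigate decision Springer describes is easier to reason about when the two risk dimensions are scored separately and combined. The following is an added example, not code from the article, from Fortinet or from any of the quoted organizations: a toy triage model that scores each finding on cyber risk (severity times network exposure) and on production/safety consequence, then decides between patching now, patching at the next maintenance window with an interim control, shielding the device with compensating controls, or accepting the risk. Every weight, threshold, asset name, finding label and sample finding is a constructed assumption for illustration, and the finding labels are placeholders rather than real vulnerability identifiers.

```python
"""Triage of OT vulnerabilities by combined cyber and production risk.

Added illustration, not code from the article or from any vendor. All
weights, thresholds, assets and findings below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Exposure(Enum):
    """Reachability of the vulnerable service; the multipliers are assumed."""
    INTERNET = 1.0       # remote access / Internet reachable
    IT_REACHABLE = 0.6   # reachable from the enterprise (IT) network
    OT_ONLY = 0.3        # reachable only inside the control network zone


@dataclass
class Finding:
    asset: str
    finding_id: str                  # placeholder label, not a real vulnerability ID
    cvss: float                      # technical severity, 0-10
    exposure: Exposure
    consequence: int                 # 1-5: production/safety impact if compromised
    patch_available: bool
    patch_in_production: bool        # can be applied without a planned outage
    next_window_days: Optional[int]  # days until the next planned maintenance window


def risk_score(f: Finding) -> float:
    """Cyber risk (severity x exposure) times production risk (consequence), 0-100.

    Multiplying rather than adding means an isolated, low-consequence device
    scores low even with a critical CVSS, while a reachable device behind a
    safety function scores high even with a moderate CVSS.
    """
    cyber = (f.cvss / 10.0) * f.exposure.value
    production = f.consequence / 5.0
    return round(cyber * production * 100.0, 1)


def plan(f: Finding, high: float = 30.0, low: float = 8.0) -> tuple[str, list[str]]:
    """Return (decision, compensating controls) for one finding.

    Decisions: 'accept', 'patch now', 'patch at next window', 'mitigate'.
    The thresholds are assumed values, not from the article.
    """
    score = risk_score(f)
    controls: list[str] = []
    if score < low:
        return "accept", controls  # record the acceptance with a review date

    if f.exposure is not Exposure.OT_ONLY:
        controls.append("segmentation: deny enterprise/remote access at the zone conduit")
    if f.patch_available and f.patch_in_production:
        return "patch now", controls

    if f.patch_available and f.next_window_days is not None:
        if score >= high:
            controls.append(f"virtual patching: IPS signature in front of {f.asset} until the window")
        return "patch at next window", controls

    # No patch, or no planned outage in which to apply one: shield the device.
    controls.append(f"virtual patching: protocol-aware IPS shielding in front of {f.asset}")
    controls.append("monitoring: passive detection of exploitation attempts in the zone")
    if score >= high:
        controls.append("deception: decoy asset in the same zone to expose lateral movement")
    return "mitigate", controls


# Constructed sample findings; labels and values are illustrative only.
SAMPLE_FINDINGS = [
    Finding("historian-01", "F-001", 9.8, Exposure.IT_REACHABLE, 2, True, True, 30),
    Finding("safety-plc-03", "F-002", 7.5, Exposure.OT_ONLY, 5, False, False, None),
    Finding("eng-workstation-07", "F-003", 8.8, Exposure.INTERNET, 4, True, False, 45),
    Finding("hmi-12", "F-004", 5.3, Exposure.OT_ONLY, 2, True, False, 60),
]


def triage(findings: list[Finding]) -> list[tuple[str, float, str, list[str]]]:
    """Rank findings by score, highest first, with the decision for each."""
    rows = []
    for f in findings:
        decision, controls = plan(f)
        rows.append((f.asset, risk_score(f), decision, controls))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for asset, score, decision, controls in triage(SAMPLE_FINDINGS):
        print(f"{asset:<20} {score:5.1f}  {decision}")
        for c in controls:
            print(f"{'':<27} - {c}")
```

Run as a script, the ranking puts the Internet-reachable engineering workstation in front of the safety PLC, even though the PLC has the higher consequence rating, because the PLC is only reachable inside its zone; the PLC still gets shielding and monitoring because no patch exists. The historian with a critical CVSS but low production impact is simply patched, and the low-scoring HMI is accepted. The point of the multiplicative score is that a board-level conversation about "fix everything critical" becomes a conversation about where reachability and production consequence coincide.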

On the decision-making frameworks or methodologies that boards can employ to evaluate and mitigate strategic risks unique to OT environments, Cusimano pointed to the ISA/IEC 62443-3-2 standard and the Cyber PHA technique. On the crucial factors boards must consider when assessing the influence of cyber risks on the overall business strategy, he listed health, safety, environmental, and availability consequences.

Risk in OT environments should be dealt with in the same manner as all other risks handled by the board, Sandberg said. “The board must realize that as we head into accelerating digitalization, connected digital systems are controlling everything from our cars to our food production and electricity supply.” 

Sandberg added that cyber security is becoming a matter of life and death and of a functioning society. “Cyber security is becoming as central to businesses, society, and people as safety and security in general. The budget for cyber security will have to be increased accordingly until it is no longer considered a separate budget but incorporated in building our systems, much as one expects a CE marking or a fire suppression system to be,” he concluded.
