Cyberattacks on ICS/OT systems more likely to have credit, ESG impact than a corresponding IT attack, Fitch Ratings says

Credit rating agency Fitch Ratings views cyber risk as a growing threat for rated entities and considers an operational technology (OT) system attack to be more likely to affect credit than a corresponding attack on IT, due to the potential time to remediate and its impact on cash flow.

In the report titled ‘U.S. Cyber Risks in Operational Technology (How Operational Technology Influences Cyber Risk for Critical Infrastructure),’ Fitch Ratings explores the IT/OT challenges in the power and utilities sector and the water and sewer sector, both of which have been recent targets of cyberattacks. Authored by Gerald Glombicki, Omid Rahmani, Michael Ruggirello, Meg Tubridy, Carla Norfleet Taylor, and Rebecca Meyer, the report also covers regulatory support, credit impact, and ESG considerations for these sectors.

“An attack on operational technology is more likely to have a credit and an ESG impact than a corresponding attack on information technology,” Glombicki, a senior director at Fitch Ratings, wrote in the report.

Attacks on OT are increasing in both frequency and severity, Fitch Ratings said in its report. “A report from Claroty found industrial control systems’ vulnerability disclosures grew 110% over the last four years and saw a 25% increase in 2H21 compared with 1H21. A report from Ponemon calculated the average cost of a cybersecurity incident to be $3 million and take an average of 316 days to detect, investigate and remediate,” it added.

Historically, IT and OT systems were physically segregated and attacks on OT systems were rare; however, IT and OT systems are converging to leverage bigger data sets in real-time to optimize performance, costs, safety, uptime, and system efficiencies. “These convergences, if done correctly, can greatly enhance operations and resiliency, but when done incorrectly, can weaken both operations and resiliency. An attacker that moves laterally and elevates privileges on an OT system can create much more harm compared with an intrusion into an IT system,” according to Fitch Ratings.

The report also said that there are many reasons why OT security remains a challenge, including lack of funding and limited understanding of the cyber risk environment of an OT network by senior management. “A unique challenge to the OT environment also is the potential cultural divide between IT and OT teams regarding importance,” it added.

To date, Fitch has not downgraded a rated entity due solely to a cyber event, though in some cases cyber breaches have resulted in specific rating sensitivities after the incident, the report said. Fitch will not take a positive rating action based solely on good cyber security hygiene and strong controls, but poor cyber security could result in negative rating actions, it added.

Analyzing the water and sewer sector, Fitch Ratings said OT systems there are more legacy-based and were generally not designed with cybersecurity in mind. “Cyber events that compromise a water utility’s IT or OT infrastructure can trigger significant operational and financial risks. OT breaches are particularly impactful for public water systems, which provide life-sustaining services to customers through the provision of safe drinking water and treatment of wastewater. While these systems typically exhibit a strong resiliency to manage unexpected events, the effects of a damaging attack could affect overall credit quality,” it added.

Limiting the impact of IT breaches on OT infrastructure is important for water system managers, the Fitch Ratings report said. While IT breaches at the public utility level are a broad concern and can disrupt operations, OT breaches are the ones likely to affect credit quality significantly.

The report also said that cyber-driven OT risks for the water sector include remote access to the ICS, which may have kinetic implications for the physical infrastructure controlled by OT. As a result, OT breaches are an immediate public safety concern for residential and commercial customers and add to the utility’s overall operational and financial risk.

The public water sector has not historically benefited from a broad and coordinated federal cyber defense strategy in the same manner as the public power sector. However, recent legislative and executive action suggests cyber preparedness and resiliency for water systems are becoming a policy priority at the federal level. 

In January, the White House and the Environmental Protection Agency (EPA) announced a new ‘action plan’ that aims to encourage water utilities to adopt technology that detects cyber threats to OT. Technology updates can be costly for water utilities. However, federal funds available to public water utilities under ‘The Infrastructure and Jobs Act’ are expected to offset some of the costs associated with these updates, which, in turn, should help utilities prevent, respond to, and absorb the cost of cyber incidents.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 recently created enforceable standards for data breach reporting. The Act’s provisions will require critical infrastructure entities to report covered cyber incidents, as well as any ransom payments made in response to ransomware intrusions, to the Department of Homeland Security (DHS).

Fitch believes that this level of transparency will help establish a baseline for the frequency of attacks on the water and sewer sector. The increased transparency efforts should also focus management attention on prevention efforts to help reduce potential reputational damage, as being a frequent reporter of cyber incidents could indicate weak governance.

Fitch views the inability to adequately protect cyber and other infrastructure from attacks as an asymmetric risk related to management and governance. “To the extent Fitch determines that a utility lacks the capacity to adequately manage cyber risk, or if there are concerns related to transparency, communication, or reputational damage following a cyber incident, a weaker management and governance assessment may constrain, or otherwise pressure, a public water utility’s rating,” the report added.

The report also includes cybersecurity in its analysis of the water sector and as part of its ESG framework. Cyber risk is treated as a social risk in terms of safety and security, and as a governance risk in terms of management effectiveness. “A utility’s ESG Relevance Score would be elevated if cyber risk were deemed to be material to the rating,” it added.

The Fitch Ratings report said that OT systems in the power and utility sector were largely not designed with cybersecurity in mind, leaving them vulnerable both to direct attack and to an IT breach that spreads into an OT system. “A cyberintruder could disrupt daily lives and local economies and inflict physical harm through the manipulation of OT systems. Power production and delivery OT are exposed to IT risks with IT/OT convergence, for example, with certain power company installations of work management, supply chain, and billing and settlement systems. These increase the risk of unauthorized access, potentially allowing a cyberattacker to gain access to mission-critical power production and delivery systems,” it added.

Companies in the sector differ significantly in size, service territory, and ownership while also being subjected to varying amounts and severity of cyber incidents. Entities in the sector are deemed essential to the operation of the bulk power system. Accordingly, they are subject to heightened scrutiny by regulators, including monitoring and enforcement, relating to minimum cybersecurity requirements and the implementation of industry-wide best practices.

Entities in the power and utility sector that are considered essential to the electricity grid in the U.S. and Canada (and a small part of Mexico) are required to follow the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards on cybersecurity. NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission. “The existence of and required adherence to NERC CIP standards, which are monitored and enforced (versus recommended), sets entities in the power and utilities sector apart from other critical assets in different, unregulated sectors,” the report added.

Fitch said in its report that it views this sector as relatively well prepared to monitor and manage cyber risk due largely to regulatory requirements. However, to the extent a cyber event causes disruption to operations and reduces earnings and/or increases costs, such an event could adversely affect the issuer’s credit profile. “Competing operational and capex investments may impede timely and significant IT and OT investments, including ability to access industry talent. Fitch believes a major cyber incident at a public utility would be allowed an avenue for timely cost recovery to the extent that cyber investment needs fall outside of the normal budget and rate cycles regardless of ownership,” the report added.

Fitch considers cybersecurity in assessing its ESG Relevance Scores for issuers in the power and utility sector. “Cyber risk is viewed from both a social and governance risk perspective. It could be a social risk in terms of safety and security, and it could be a governance risk in terms of how effectively management addresses cyber as a risk in the business,” it added.

Fitch is expected to discuss IT/OT in other industry verticals in future research.
