The Emerging Business Risk Management Strategy for OT Cybersecurity

The Emerging Business Risk Management Strategy for OT Cybersecurity

As the number of cyberattacks on industrial control systems increases—as does their visibility to the public—many businesses in the automated manufacturing space are shifting cybersecurity strategies to protect their industrial networks. Many companies have determined that the old “security by obscurity” strategy is not feasible and are searching for new methodologies.

Many of Yokogawa’s clients have found that new approaches often transcend budgeting cycles for cybersecurity projects due to their coincidence with industrial asset insurance, HSE, and disaster recovery strategies. The cybersecurity strategy has transitioned from a problem to fix to a risk to manage. When businesses look at cybersecurity in this manner, it removes the mystery and becomes an issue upon which management can act.

At Yokogawa’s 2021 virtual conference, a panel of experts from various security-related fields gathered to discuss the paradigm shift for industrial cybersecurity as it relates to business risk management. While all the panelists possess significant technical expertise, as would be expected from cybersecurity experts, they were asked to participate in this discussion due to their risk management know-how. All have a great deal of experience in OT and, in particular, the process industries.

Today’s Unique Cybersecurity Challenge

Moderator Matt Malone, a cybersecurity consultant, asked the panelists about the unique challenges their clients are facing today. Jerry Caponera, Vice President of Cyber Risk Strategy for ThreatConnect works with a wide variety of companies. He says, “People don’t think it is going to happen to them. There’s a comfort in inaction, in the status quo.” The companies he works with know that the threat is real—but not to them. “Since they haven’t had to deal with it so far, why should they deal with it, now?”

Resource limitations typically lead to inaction. Despite that, Caponera advises that companies must still avoid the situation in which they deal with only when it is too late. Unsure of the next step, clients often ask how they prioritize. He recommends, “Don’t wait for regulations. Compliance does not equal security. Also, do it now—while it is easy. Don’t wait until it becomes difficult.”

David Llorens, Director of Risk Consulting for RSM US, adds, “In their corporate governance, most companies do comply with industry regulations but, when they look at their OT architecture in detail, they find cybersecurity implementations to be simplistic, for example, limited to firewalls. They want to make a one-time investment and move on. However, threats keep changing; the target keeps moving. Executives need to understand why they must continue to invest in cybersecurity.”

According to Cyber Growth Leader Tom Finan with Willis Tower Watson, “Executives want to think in terms of business impact and are quickly lost when confronted with technical terminology. They need to determine what is really mission-critical. With boards and executive management, it is easier to understand risk and allocate resources to manage it.”

“Underwriters, today, are looking more into a company’s maturity level, how well they understand their IT and OT vulnerabilities, and whether they are deploying their resources where they could do the best. That’s becoming a dividing line between organizations that can obtain cybersecurity insurance and those that are not.”

Caponera added, “There are options. Companies can look at Option A, Option B, etc., assess the relative risks, and make an informed decision. Cybersecurity has to make sense to the business. In cybersecurity, we cannot be “Dr. No,” that is, an inhibitor to the business. We must be enablers.”

Facing the Consequences

According to LLorens, organizations must consider five key consequences if they are unable or unwilling to manage cybersecurity risks.

Given recent news coverage, the most prominent is a ransomware attack that could shut down a significant portion if not all of a company’s operations.

The second consequence, which, could be worse than the first, is a potential safety breach that results from a cybersecurity incident. Companies must consider the network’s physical connections to the plant, which could lead to consequences in process safety and risks to personnel safety.

Then, there are financial impacts such as paying a ransom or containing it in some manner. The fourth consequence is that the company’s reputation is tarnished. Finally, the company will have to allocate time and resources to entertain vastly increased attention from regulators. As Caponera added, they are always looking to make an example of someone. Companies must be careful to avoid being the first to experience a new type of attack. “Your company name will be in the news for years to come,” Finan added that several recent OT cybersecurity breaches have resulted in public policy changes. 

OT Cybersecurity Underwriting is Evolving

The experts went on to broach the subject of cybersecurity insurance. Caponera likened it to life insurance, something you don’t want to use but need as a last resort. Finan’s view is that cybersecurity insurance is one part of a comprehensive cyber risk management program.

The insurance industry has become far more sophisticated, and a company may not secure a policy. For example, the insurance industry is well aware that the “bad guys” have discovered such OT entities as SCADA systems and explored vulnerabilities. In the past, SCADA served as an excuse for security by obscurity. Today, it is not just a matter of securing information. The recent ransomware incidents have held operations, not just information, hostage.

Meanwhile, the insurance industry and manufacturing industry continue to learn and adapt. In the case of insurance companies, they are learning more about OT. On the manufacturing side, as Finan stated, “if company managers can explain to an underwriter why they are safe, why they are investing against risks the way they are, and what they have learned from past mistakes, that ability is a differentiator that will allow the company is secure a policy.”

Caponera added that collaboration and communication are critical in light of the evolving relationship between the insurance and manufacturing industries. Suppliers of OT such as control systems must be involved. “We have to start treating cyber as something normal and common to all companies. If you think you are unique in the risks you are facing or the way you are facing them—or even if you must admit that you are still running Windows 95 on some of your control systems, it’s okay. We know you are, so does everybody else, and so do your competitors. We can handle it. If we don’t collaborate and communicate, nobody is going to win.”