Cybersecurity and the threat of malicious actors make headlines every day. Boards of directors are recognizing cyber threats as one of the most significant risks. To date, this cybersecurity discussion has centered largely on IT systems; however, the industrial control system (ICS) that operates a facility is often as critical as or more critical than the IT system to an industrial company’s financial results.
The FBI issued a warning in 2016 to the nation’s power companies that the sophisticated cyberattack techniques used to bring down portions of Ukraine’s power grid in 2015 could easily be used against U.S. firms. In fact, the most recent report of Russian hacking was identified last week by the U.S. Computer Emergency Readiness Team (U.S. CERT).
According to an alert released by U.S. CERT, a seven-year-old group known as Dragonfly orchestrated the hacking campaign, which hit U.S. government entities and domestic companies in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors. “In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities,” states the report.
The results of such an attack could be catastrophic: Pew Research Center reports that 61% of experts agree a major cyberattack would occur by 2025, causing far-flung harm to the nation’s security and capacity to defend itself. The cost of such attacks will be tremendous. Lloyd’s estimates a blackout across 15 U.S. states would affect 93 million people and cost the economy between $234 billion and $1 trillion.
Despite the need for ICS cybersecurity, three key challenges impede many operations executives from pulling the trigger on that investment. John Livingston, CEO of Verve Industrial Protection, identifies three reasons for that hesitancy:
1. Risk/fear by leadership of operational disruption from deploying cybersecurity measures. Most operational leaders do not believe their systems are under significant threat. The lack of publicized successful attacks and the general architecture of these networks lead to the belief that these systems are immune to the threats seen on the IT side.
“As a result, the risk of doing something is greater than the risk of doing nothing,” says Livingston. “Potential operational risks include putting security software on control systems equipment that may disrupt normal operations; changing passwords that may create delays in response to a critical operational issue; and adjusting network architectures that may limit access to critical employees or vendors. All of these risks are very real, so I do not intend to downplay them. They must be addressed in any solution.”
2. Lack of tools and approaches that are tuned to the unique challenges of securing industrial control systems. The IT cybersecurity market has grown with a focus on protecting traditional IT devices, explains Livingston. The tools often don’t work in the operations-technology (OT) environment without significant adjustment and tuning. In fact, if improperly installed, they can cause more risk than protection.
3. Talent shortage of people with both operational expertise and cybersecurity knowledge that can be applied to these unique circumstances. A report from Frost & Sullivan and the International Information System Security Certification Consortium, or (ISC)², found that the global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020. At the same time, the number of experienced ICS engineers is declining rapidly as fewer young people go into this career. When you combine the need for ICS and cybersecurity expertise, the talent shortage is extreme.
What can be done?
While the challenges are very real, Livingston recommends four key measures companies can take. Each step is aimed specifically at a company’s CFO, because CFOs are a natural bridge between the chief information officer (CIO) or chief information security officer (CISO), with their IT backgrounds, and the operations executives.
1. Know what you can do, not just what you cannot do, in ICS. There is a lot you can do, but OEMs and people who have been burned by poorly implemented solutions have convinced owners and operators that these systems are too sensitive to protect, or, at a minimum, that they can only be protected by the OEMs themselves. “I encourage the CFO to bring an independent view and assess what can be done, if done appropriately and safely,” says Livingston. “As we like to say, ‘Take back control of your network,’ from the OEMs holding it hostage.”
2. Pick a standard for security and build a maturity plan. There are many standards that can be applied to ICS security, from NIST and NERC CIP to CSC20 and IEC/ISA. All have their pros and cons, and an organization could debate them for a long time. Livingston’s advice is to select something and begin the journey. Each stage of security maturity improves on the previous one, and the benefits grow as new layers are added over time. A standard allows a CFO to measure centrally against a metric that is common across all industrial control systems.
3. Build security into your capital planning, as well as your operations and maintenance planning. By doing this you avoid separate budgets for security and operations. Security is a fundamental feature of operations, just as maintenance and safety are. Like safety and maintenance, security is a part of ensuring consistent, reliable operations and should be a part of all capital and operational planning discussions.
4. Consider a holistic approach. Take a holistic approach to managing the security risk that not only includes tools and processes for protection, but also purchasing targeted insurance for those risks that do not warrant the expense necessary to protect. “You won't be able to secure everything, or every possible attack,” explains Livingston, “but you should build foundational elements and then insure what you can.”
The role of the CFO in ICS security is absolutely critical. For non-services companies, the protection of these systems is fundamental to sustaining financial results. The CFO is uniquely positioned to bridge the space between the CISO and the operational leadership, using the four steps outlined above to begin a cybersecurity maturity journey and to make security a part of every planning discussion.