Introducing Industrial Security Insights - OT Security Incidents, Persuading the Board, Cyber Risk & more


Hello and welcome to the first edition of Industrial Security Insights. At Waterfall Security Solutions we serve the world's most (cyber) secure industrial sites. These sites ask different questions and so of course they get different answers. They look at security in a different way. In this newsletter we work to bring you the perspectives of these and other industrial sites.

For example, our Industrial Security Podcast releases a new episode about every two weeks with a different expert guest who takes us on a deep dive into a topic in their field of expertise - showing us a "view of the elephant" if you like. Waterfall's original research reports identify trends in threats and attacks. We explain what these trends mean for defenders, and we predict the future of the threat landscape. Waterfall's guidance documents look at technologies and industries and explain how to apply these insights to the problems that industrial sites face every day.

What follows here is an example of what you can expect in the future. If you like what you see, please press subscribe. And please comment what you think of the content - good, bad or ugly, we can only get better with your feedback. Thank you!

Until next time,

Andrew Ginter / VP Industrial Security / Waterfall Security Solutions

In this issue:

Persuading the Board

By Andrew Ginter, VP Industrial Security

I recently led a round table on “Influencing the board” at the Smart Grid Forums' IEC 62443 Week in Edinburgh – discussing how to get board-level buy-in for spending on industrial cybersecurity. Here are some insights I took away.

A word of background before I start: boards of directors generally do not authorize funding for cybersecurity programs - that's the CEO's job. Boards do get directly involved in very high-level decisions like acquisitions, divestitures and mergers. Boards also decide on who is the right CEO for the business and what that executive's compensation should be. And boards care about “oversight,” which has a lot to do with risk. For example, boards hire financial auditors to address the risk that a CEO or executive team might be deceiving both the board and the shareholders about the performance of the business. Boards also care more generally about other material risks and might hire external auditors to verify cyber risk and other company risk information the executive team presents.

Many boards are not convinced that their businesses have a problem with industrial cybersecurity

Back to our problem - many boards are not convinced that their businesses have a problem with industrial cybersecurity. Many boards care much more about regulatory risk than cyber risk. Many boards are backwards-looking - they are not security experts and so look at statistics about past attacks rather than looking at the current threat environment and projecting future risk. And yes, there is a war in Europe that led to a bump in awareness and willingness to support cybersecurity spending back in the February/March timeframe, but the conflict is dragging on. Today, the average board is slipping back into their traditional stance on industrial cybersecurity, whatever that stance was.

There was one surprising insight about an organization’s reputation. I knew that boards tend to be very aware of risks to their brand - most big businesses have spent billions of dollars on their reputation over previous decades. A major cyber incident like the Colonial Pipeline outage can have a big impact on the reputation of the business - a concrete example of this impact is the new cyber regulations that the US TSA issued 30 days after the Colonial incident. Before Colonial, the TSA was willing to let the industry largely look after itself, believing that OT security was more or less handled. Not anymore.

It seems that if “everyone” gets hit, then no single organization is necessarily any better or any worse security-wise than anybody else

The surprise: massive incidents like the 2017 NotPetya attack, that took down hundreds of victims, do little to impair the reputations of the affected organizations. It seems that if “everyone” gets hit, then no single organization is necessarily any better or any worse security-wise than anybody else. Insurers worry about massive events like this, which is why many insurers now cap cyber damages claims at $200-$300M - it has become very hard to buy more coverage than that, even for the biggest businesses. But it seems boards are less concerned about these “cyber catastrophes.”

Solutions: the clearest advice from the CSOs and other leaders at the table was to work to understand the board's risk appetite. Understand what risks the board cares about and be aware that risks outside of that envelope are likely to be downplayed. Then, embed security spending into projects that support the board's business strategy – i.e., upgrade security postures generally as part of support for strategic business initiatives. Other advice focused on comparison with peers - board members tend to be deep experts on core elements of the business, and less expert on everything else. In these “other” arenas, many board members rely on comparison with peers. These members want the business to be in the “middle of the pack,” or “just above average” risk-wise for everything outside of strategic business risks. So if we can use our auditors or industry reports or other data sources to show that we are falling behind our peers, that tends to get the attention of executives and board members.

Anything that makes individual board members personally liable gets their attention

Finally, anything that makes individual board members personally liable gets their attention. For example, in some industries and some jurisdictions, board members can be held personally liable for injuries or deaths due to inadequate safety measures. Today, board-level liability for deaths or damages due to cyber attacks is pretty much non-existent, but the Gartner Group has predicted that such liability may be only a few years away for a great many boards.

3 key takeaways...

The bottom line - boards generally don't authorize industrial security spend but getting budget for such projects is going to be much easier if (1) the improved security is important to a strategic business expansion or comparable initiative, (2) the project is part of a regulatory compliance initiative, or (3) you can show that without the investment, the business is falling behind its peers security-wise.

I hope that was useful. If you'd like to dig deeper into strong security that won't break the bank, feel free to request a (free) copy of my latest book Secure Operations Technology.

OT Security Incidents in 2021: Trends & Analyses Report



Cyber attacks with physical consequences - mostly plant shutdowns - are more than doubling annually. All these attacks defeated conventional IT security programs, and modern ransomware tools and techniques are running only 3-4 years behind the powerful techniques nation-states are using today.

Read more...


Missing Links for Managing OT Cyber Risk

Watch the recording of our latest webinar on Security Week to dig into how IT-SEC, SEC-OT, SPR, CCE and other engineering approaches all fit into the big picture of managing OT cyber risk.

OT Cyber Insurance is Changing Fast | Podcast Eps. 85


Georgina Williams, Senior Cyber Underwriter at Munich Re, joins us to look at how insurers are digging deep into both the engineering and security aspects of industrial #cyberrisk.

Listen now


Deterministic Network Security for Nuclear Generators | eBook


The sophistication of attacks on industrial sites continues to increase rapidly. In this report, we look at #cybersecurity for nuclear generators with concrete examples from specific generators.


Download now

New Blog: Protecting pipeline security systems


The Colonial Pipeline outage was a shock to senior decision-makers – the pipeline was pre-emptively shut down “out of an abundance of caution” in the face of a compromised IT network. This cautionary shut-down proved there is work to be done to increase the strength of OT security programs.

Read the full blog post

To discuss your specific OT security needs with a Waterfall expert, click here

Tjeerd Zwijnenberg

OT Cyber Security Evangelist | Member EE-ISAC | Director Europe | Proven Engineering Grade solutions for Industrial (OT) Cyber Security | 100% physical protection against outside attacks

2 years

Great blog about “Persuading the Board” and cannot agree more that we need to better translate the impact to the different levels within organizations. A project manager, COO, CISO or board member all have different (personal) objectives and KPIs.
