Enterprise risk management (ERM) used to be straightforward. However, with the constantly changing cyber risks every organization faces, the framework needs to expand to encompass cybersecurity risk management (CSRM). All organizations and enterprises, regardless of size or type, should ensure that cybersecurity risks receive appropriate attention as they conduct their ERM program.
When looking at ERM and factors commonly considered, nothing has changed significantly in the past 15-20 years. However, the need for and evolution of CSRM has added a few new twists to the traditional ERM governance process. For example, there are unique risks that need to be considered when looking at cyber risk for manufacturers, manufacturing and critical infrastructure organizations.
What’s new or unique about CSRM?
Cybersecurity risk management needs to take into account the typical ERM risks like natural disasters, including weather and unexpected physical events that impact production and business in general. In addition to these factors, CSRM must also consider the risk of cyber physical outcomes. The domino effect of an unexpected cyber breach on cyber physical systems that impacts food production, water safety or health care equipment, for example, can have life or death consequences.
Because CSRM can be new to the thinking of many organizations, assumptions are commonly made that can lead to exposures that cost organizations millions, impact their brand reputation and have negative consequences for their end consumers.
Traditionally, when considering cyber in ERM, organizations tend to look only through the lens of digital outcomes, not considering the inherent risks of all the potential devices driving their operation. With automated machinery, Industrial Internet of Things (IIoT) and remote access so prevalent, more thought needs to be given to the potential exposures created in the industrial production network around digital safety and operational integrity.
Four common CSRM myths and missteps
1. IT has it covered
Many organizations will assume the CIO or CISO has the manufacturing plant floor or critical infrastructure equipment covered through information technology (IT) enterprise security. This couldn’t be farther from the truth. IT isn’t regularly equipped or trained to understand or protect operational technology (OT) industrial control systems (ICS) equipment. IT security tools and their approach are actually incompatible with OT ICS plant floor equipment.
2. My IT budget can cover my OT security needs
Many times, organizations don’t adequately fund their OT security or don’t even realize it needs to be a line item in the budget separate from IT security. The lifecycle for OT equipment is typically much longer than IT enterprise equipment. The risks with this equipment and these systems grow over time, as they go predominantly unmanaged until something breaks or a breach occurs.
You will find a significant amount of legacy OT equipment with unpatched Windows updates and default passwords across just about every production, manufacturing and critical infrastructure environment. Once a breach occurs, it can be too late. Going through the process of identifying connected devices and other common vulnerabilities and exposures (CVEs) is a key step to digital safety for manufacturing and critical infrastructure organizations.
3. Our cyber insurance will cover us
Another common myth is that cyber insurance will cover you. Transferring responsibility for cyber or digital safety for OT-related adverse events to cyber insurance is a huge risk. The shifting insurance landscape, especially in relation to cyber-related and internal error-triggered adverse events, is exposing less coverage and covering fewer events. The point being, don’t count on cyber insurance to save you; the stakes are getting higher.
4. We can use internal resources
Internal IT teams are not usually trained or equipped to manage both enterprise security and operational security. In addition, the workplace is experiencing a shortage of industrial security talent in the marketplace. The smart way forward for most organizations is a partnership between operational owners, IT owners and external cyber-industrial experts. Leveraging experts that specialize in digital safety and can operationalize cybersecurity solutions are an astute way to protect your organization without the cost of hiring a dedicated internal industrial cybersecurity team.
ERM vs CSRM: what’s the difference?
ERM is about risk reduction and reducing company exposure due to adverse events, while CSRM is about damage reduction after an event and proactively reducing risk by identifying and addressing exposures. With the escalation of cyber events, CSRM needs to play a larger role in enterprise risk management. Both can protect an organization from adverse and negative consequences in different ways.
Ensure your ERM includes CSRM
No organization can afford to go blindly forward without a well thought out CSRM plan as a core component of their ERM plan. Determining risks and vulnerabilities across the entire organization, from the enterprise to the plant floor, is a mandatory step in the process. For most organizations, a partnership between manufacturing and infrastructure experts that specialize in digital safety and operationalizing cyber safety solutions is the intelligent way to discover and counter real risks.
Many organizations realize they don’t have the expertise or experience in-house to be able to effectively protect themselves from the changing climate of cyber risks to plant equipment and critical infrastructure. Equipment and technology-neutral partners offer deep expertise about plant floor vulnerabilities, equipment visibility, continuous monitoring, and operationalizing equipment and digital safety. You can start with an internal tabletop exercise where they can facilitate the key stakeholders together to address ownership and accountability for the CSRM plan development and execution.
An ounce of prevention and proactivity is worth a pound of cure and defense. Be proactive rather than reactive. Take steps now to get safer sooner.