To anyone working in cybersecurity, it is not news that just about every critical infrastructure industry is significantly behind on their path toward cybersecurity maturity. There continues to be a fundamental friction between the estimation of cyber risk and the short-term thinking of today’s quarterly budgetary decisions. Security professionals have continuously anticipated that each new cyber incident, from Stuxnet to SolarWinds, would serve as the wake-up call to boards and decision-makers that finally produces the appropriate cyber budget commensurate to the current risk profile.
While industry is slowly and reluctantly beginning to pay attention to what seems like a near-daily barrage of new cyberattacks, for too long these events have been treated as mere background noise rather than a systemic threat to the infrastructure that makes society run. Cost savings from under-investing in cybersecurity deliver instant gratification that has been more attractive than the investment required for proper cyber monitoring and protection, and organizations are increasingly paying the price for this short-term thinking.
When considering information technology (IT) cybersecurity, the financial and societal consequences of a data breach of sensitive information can be difficult to quantify and therefore difficult to justify robust investment to a board of directors. However, in operational technology (OT) the financial costs of an attack are far easier to quantify in terms of production downtime, incident response services, and asset replacement. As attacks on OT infrastructure have become frequent in the last decade, this relaxed attitude toward cyber risk by executives and boards of directors have become both socially irresponsible with critical services such as electricity, food, and water at risk and a clear violation of fiduciary responsibility to protect the organization’s bottom line.
How many executives currently think about cyber risk and why it fails
Whether you’re selling electricity, cars, or coffee, every business decision an executive undertakes should ultimately accomplish one of three things:
- Increase margin/revenue
- Decrease costs
- Reduce risk.
While this is an over simplified view of business objectives, it is a useful construct that lays out the three primary objectives that create or deliver stakeholder value. If you can increase revenue or decrease costs you increase the business’ cash flows, enabling you to invest in growth, your employees or community, or generate a return for your investors. If you can reduce risk, you can improve the stability of future cash flows, which brings clear value in terms of business planning and continuity.
When determining and committing to the investments required in implementing a robust cybersecurity program, executives often default to the second in the list – decreasing costs. This short-term pressure to reduce costs (especially in publicly traded companies) leads organizations to balk at the capital and cultural outlay to combat a threat that may not seem “clear and present” enough to them yet, kicking the can down the road and adopting a compliance-driven security posture until it is too late.
Each time a new OT cyber incident occurs, the mental gymnastics that organizations exhibit to explain away the risk to their operations is truly impressive. When Industroyer shut off the lights to over 200,000 people in Kiev, organizations claimed it was not applicable because “that wasn’t the United States” when our grid infrastructure is similarly vulnerable. When an unsophisticated actor attempted to poison the drinking water in Oldsmar, Fla., with dangerously elevated levels of Sodium Hydroxide, organizations claimed it was not applicable because “we’re more secure than Oldsmar”—as if upgrading past Microsoft Windows 7 and avoiding shared TeamViewer credentials was the gold standard for cybersecurity.
There can always be another excuse, and behind every newly tailored excuse there will be yet another successful compromise and attack until we reach a collective understanding “just enough to comply” isn’t nearly enough.
The digital transformation and the bad trade executives are making
Whether digital transformation, Industry 4.0, or Industrial Internet of Things (IIoT) is your buzzword of choice, the process to make industrial infrastructure “smart” in the quest for operational efficiencies has been in the works for decades. This has been substantially accelerated during COVID-19, as organizations require greater digital access and visibility of their infrastructure due to the demands of remote work wherever possible. While these changes have potentially enabled greater operational efficiency by empowering organizations to make data-driven improvements to processes such as production and maintenance, it has remarkably expanded the cyberattack surface and the risk that comes with it.
While the Digital Transformation can over time help decrease costs through operational efficiency, executives overlook their third decision-making objective: decreasing business and operational risk. Commoditized and under-secured IIoT devices that enable Industry 4.0 are a double-edged sword for infrastructure operators and can often provide a trivial gateway into an organization’s networks. These and other IIoT devices cause the further convergence of IT and OT systems, which makes critical infrastructure increasingly cyber-porous.
In short, executives are making the tacit trade of short-term cost savings for longer-term cyber risks because operational efficiencies can be easier to quantify and trace directly to the bottom line. Additionally, boards of directors are failing in their functions of controlling business risk and reining in erring executives. However, in this age of ever-increasing critical infrastructure incidents and nation-state attacks this is an irresponsible trade that will always catch up, harming both society and the bottom line in the process.
How inadequate cyber risk management tracks to the bottom line
There is an abundance of ways that cyber incidents track to the bottom line – a combination of “hard” costs that are easily quantifiable and “soft” costs that are more difficult to nail down. In the realm of high-profile IT cyber attacks, the costs of incident response teams and public relations consultants are rather clear, but it proves difficult to determine exactly how much compromising a customer’s sensitive information “costs” in terms of lost future revenue and degradation of brand goodwill. However, cyber incidents on the OT side consist of additional hard costs that any operations manager could tell you such as the cost of asset replacement, legal liability for compromises of employee or public safety, or the minutes to hours to days of production downtime.
To be fully clear:
- OT cyber incidents are common – 9 out of 10 Organizations in Utilities, Manufacturing, Energy, and Healthcare experienced an OT Intrusion last year – up 19% from 2019 (Fortinet, 2020)
- OT cyber incidents are costly – the average annual cumulative loss attributed to an OT Cyber Incident was $347,603 across manufacturing, oil & gas, utilities, and government (Kaspersky, 2017)
Critical infrastructure industries need to come to terms with the clear reality of the situation – the OT threat is real, it is rapidly growing, and it has significant costs to the business operations and bottom line.
The most overlooked area – Purdue model level 0/1
In the growing awareness of ICS cybersecurity, the majority of the focus is placed on the layers closest to the control system entry point – the business IT network. As network segmentation is perpetually imperfect, there is a tendency to focus on the highest layers of the control system and detecting an adversary as they make the jump from IT to OT and soon after.
However, nation-state actors have proven through scenarios from Stuxnet, Industroyer, Triton/Trisis, and countless others that they are able to traverse control system networks undetected and reach the lower layers to enact their will. These layers directly control the cyber-physical processes that create and deliver energy, manufacture products, and transport drinking water. The risk to these deepest layers is real – 25% of reported ICS vulnerabilities in the second half of 2020 affected Level 0 or 1 (Claroty, 2020).
A continued cause for concern is Levels 0 and 1 are significantly composed of legacy equipment that communicates via serial communications – unauthenticated and unencrypted communication that are currently rarely monitored. Additionally, the term “legacy” equipment is substantially a misnomer as a large number of serial-connected systems are installed in the present day (ex. The Westinghouse AP1000 Nuclear Reactor, Baeckel, 2021).
While this abundant and insecure technology is here to stay, the outlook isn’t futile. Monitoring serial communications allows infrastructure operators to have confidence in the integrity of their operational health data as well as detect cyber intrusions when adversaries are testing their cyber-physical capabilities at Level 0/1 rather than once it’s too late.
Bringing critical infrastructure to a modern cybersecurity posture
While the operators of the critical infrastructure that powers our homes and delivers our drinking water increasingly know they must fully wake up to the threats around them, what will convince them to? We can only hope that it doesn’t take the proverbial “Cyber Pearl Harbor” scenarios such as the electric grid being taken down in a major American city before all critical infrastructure stakeholders begin to act like our lives depend on it – because for some of us it might.
Executives and boards of directors need to understand and actively combat their tendency to trade cost-savings for cyber risk, as it is irresponsible business management and presents a systemic risk to their bottom line, their organizations, and to our society. If we can build cyber resilience into our nation’s critical infrastructure in advance rather than cleaning up the mess once it’s made, we can preserve our bottom lines and the critical services that keep society functioning.