A decade ago, executives at energy, utility and manufacturing businesses did not worry about potential cyberattacks the same way they might have cared about major safety or environmental risks. Operators believed that air gaps between networks and proprietary technology were adequate defenses against malware, and that attacks on cyber-physical processes were simply very unlikely.
In recent years – especially the past year alone – that has all changed. Today, the C-suite is quickly realizing that the critical infrastructure that supports the global economy is now directly in the line of fire from hackers, malicious insiders, and nation-state threat actors alike.
To protect critical infrastructure and manage cyber risk associated with industrial operations, executives need to execute well across three dimensions: improve visibility, incorporate modern cyber defenses, and ensure preparedness in case an incident does occur.
Elevated State of Awareness
The C-suite is responsible for overall corporate risk, and the awareness of the need for IT security has never been higher, unfortunately, due to various breaches that have made headlines. Industrial cybersecurity has now become an important aspect of the threat surface to monitor and manage as Operational Technology (OT) and IT systems converge. To keep critical systems running and protect the financial results and reputation of your organization, it is essential to also improve industrial cybersecurity and operational visibility.
Here’s why this has become an especially timely conversation: The U.S. government has released unprecedented alerts about Russian government cyberattacks targeting energy and other critical infrastructure sectors. In addition, the World Economic Forum reports “[A] growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in systems that keep societies functioning.”
Most recently, the Department of Energy announced in May 2018 Executive Order 13800 that focuses on strengthening the cybersecurity of Federal network and critical infrastructure. The imperative sets forth to fortify and ensure our energy and critical infrastructure is resilient in the face of increasing threats, stemming from an August 2017 report that shares the assessment of the energy infrastructure as a significant target within the nation’s critical infrastructure.
“It all starts with acknowledging the problem is real – and that the threat is increasing.”
The DOE’s decision to now make public their August 2017 Assessment of Electricity Disruption Incident Response Capabilities report reinforces the importance that these threats of cyberattacks continue to have on our critical infrastructure. Declaring the real potential of a cyber warfare attack on US soil is the first step to admitting there is a problem, next is taking the necessary security precautions to protect our most critical infrastructures, so something catastrophic doesn’t happen.
Businesses need to follow suit and those that are part of the nation’s critical infrastructure must prepare for the likely inevitable attack. The importance of our energy and critical infrastructure on America’s (and the world’s) economy puts a clear target on those organizations from nefarious threat actors, often exacerbated at times of geopolitical unrest or friction like current global events.
Three Keys to an Improved Security Posture
As an executive, how do you prepare for the operational, business and reputations risks posed by cyberattacks on OT infrastructure? How do you manage industrial cybersecurity risk and protect your organization’s reputation? Following are the three keys to improving the security posture of your critical infrastructure organization:
Improve Visibility: You can’t protect what you can’t see
Visibility is key to being responsive to a threat or crisis as it happens. This requires having the right tools that provide visibility into industrial networks and their risk exposure, thereby improving critical infrastructure cyber resiliency and operational reliability. OT has traditionally lagged behind IT in terms of visibility, however in today’s world, companies need to have as much visibility into OT as they expect in IT.
Improving visibility requires real-time network monitoring and an accurate, continuously updated network asset inventory – this is vital to detecting cyber threats and process anomalies and improving cyber resiliency and reliability.
In addition, centralized management must deliver consolidated OT cybersecurity and visibility across regional or multinational facilities to reduce support costs for remote sites, speed up troubleshooting and improve staff efficiencies. Every facility should be aligned and provide visibility across the organization so decisions can be made in context with the most accurate, current information.
Incorporate Modern Cyber Defenses: AI and machine learning take center stage
Advances in artificial intelligence now allow process-oriented anomaly detection to deliver the same levels of cyber protection in OT as in IT. With distributed facilities and thousands of devices in complex installations, artificial intelligence is a must to effectively manage volumes of data to extract actionable insights. Without it, the firehose of data and alerts creates fatigue while consuming countless human hours to work through support tickets, alert files and other reports. Machine learning can alleviate a tremendous amount of that work, ensuring staff spend their energies and intelligence on the pressing matters most suitable for the human brain in terms of analysis and decision-making.
Solutions that use machine learning to understand the OT environment and adapt should be a key consideration in any solution you deploy to fortify your organization’s security posture. By learning autonomously and adapting, as well as tapping into artificial intelligence, the right technologies can ensure your staff is focused on the jobs they need to do to mitigate and respond to threats – not on chasing alerts, responding to false positives or miss threats hidden in the flood of data.
It all starts with acknowledging the problem is real – and that the threat is increasing. From there, a Crisis Preparedness Plan can be developed, refined and implemented. What you communicate, how you communicate, and through which channels you choose to communicate, all impact the outcome: whether a company’s reputation and trustworthiness is bolstered or diminished. In talking through best practices for crisis preparedness plans with Standing Partnership’s Mihaela Grad as it applies to managing OT risk, here are the four keys to establishing the right plan:
Align all your crisis response plans: Assemble all existing policies, business continuity, operational and communications plans, plus reports that outline the risks your organization faces. Determine how current they are and list the gaps. When something goes awry, having minimized the gaps ahead of time will save valuable amounts of time when minutes matter most.
Build or update a cross-functional crisis team: Your crisis response team should include representatives from across the organization – safety operations, legal, IT/OT, customer service, communications, HR, etc. – spanning head office and remote operational units. Most issues don’t conveniently happen during business hours, so be prepared for potential disruption by having a clear, designated team ready to respond at a moment’s notice.
Develop a written plan: It’s best to have a written crisis response plan that contains response team members and responsibilities, assessment criteria, decision protocols and responses to scenarios most likely to impact your organization. A plan eliminates second-guessing and speeds up response time during a crisis. Ideally, it is reviewed and updated every six to twelve months. While it may be impossible to predict every scenario, by documenting as many real or material scenarios, it puts your organization in the best position to respond swiftly, take corrective action and protect the brand in the eyes of customers and stakeholders.
Train your team: A plan without training isn’t worth much. Gather the cross-functional crisis response team at least once a year to run through the communications plan, and make sure members can execute seamlessly during high stress situations. Practice 1,000 times for the moment you hope never comes. Training helps the team be ready, and more comfortable, when something unusual and urgent happens.
Having a plan ready in the face of adversity when threats target critical infrastructure organizations—or any organization—is vital to effectively managing risk and protecting the brand’s reputation. Using the latest in technologies such as AI and machine learning are key to shoring up cyber defenses ahead of time to avoid an incident in the first place. Lastly, and most importantly, is to have real-time visibility into the OT environment as systems become more and more connected. Understanding what’s happening with context when something occurs enables staff to respond appropriately—this is ultimately the integral piece to improving industrial resilience and operational visibility.
Today’s business leaders are expected to protect the entire organization beyond IT systems, including OT environments that run critical infrastructure. Realize the threat of cyberattacks is on the rise in this industry. Use the right technologies to give you real-time visibility, practice regularly and be prepared knowing that it can happen to your organization. That could be the difference between your brand being chastised after a breach – or celebrated for how you quickly responded and thwarted the threat.