The Business Times
COMMENTARY

A pertinent need for firms to keep focus on cyber risk management

Those involved in providing a reliable and resilient critical infrastructure must not be distracted by just having a long list of good practice cybersecurity controls

Published Mon, Sep 20, 2021 · 05:50 AM

OVER the last 20 years, there have only been a small number of cyber attacks that have caused outages of industrial control systems (ICS) in operations technology (OT).

Among the high-profile attacks are Stuxnet in Iran, Triton in Saudi Arabia, and the attacks on the Ukraine power system. This limited number led to an "it has never happened before to organisations like us" attitude, and a hesitancy to spend resources on addressing OT cyber risk.

In 2021, this changed with ransomware hitting Colonial Pipeline in the United States and causing it to shut down a key petrochemical pipeline in the eastern part of the country. A seven-day shutdown caused major panic among consumers and businesses trying to get petrol and other products. It was beginning to affect producers as well, as they had nowhere to put their product.

Shortly after the Colonial Pipeline incident, JBS, the world's largest producer of beef and pork, had to shut down operations and delivery of products, also due to ransomware.

These two incidents, on top of some less consequential attacks on small water utilities, have raised the attention of government legislators and regulators, industry organisations, asset owners that provide products and services, as well as the general public.

With this attention, it is critical that all involved in providing a reliable and resilient critical infrastructure not get distracted by a long list of good practice cybersecurity controls, but instead focus on the real issue of managing OT cyber risk.

Colonial Pipeline and JBS are great opportunities for learning. It is true that some basic good practice cybersecurity controls were missing on certain systems in both companies, and this allowed the attackers to access the IT systems and install ransomware.

However, the main lesson to be learned is not that good security practices need to be deployed and maintained. The main takeaway is that companies need to ensure that a compromise of their IT, or enterprise, network will not cause the operations required to provide the product or service to be unavailable for an unacceptable period of time.

In both the Colonial Pipeline and JBS ransomware incidents, the ICS and OT systems were unaffected.

The companies chose to shut down operations - initially to prevent the potential spread of ransomware, and continuing because they learned they could not provide the product or service without some of the systems on the IT network.

In a perfect world, neither IT nor OT will ever be compromised. We have decades of data showing that the likelihood of compromise of an IT system is not small, even in a company with a mature information security programme.

There are too many people doing too many things on too many networks, including general Web access and e-mail, to expect perfection.

Therefore, responding to the recent incidents with yet more good practice security controls is misplaced. Instead, the response should be based on cyber risk management.

What is the risk? A cyber attack that compromises and makes unavailable systems on the IT network will prevent the company from providing the product or service to their customers until these systems are available.

Some of the risk reduction options include:

  • Deploying additional security controls and doing a better job of maintaining existing security controls to reduce the likelihood of IT network compromise.

  • Eliminating OT's reliance on systems on the IT network to produce and deliver products and services. This is getting more difficult with increased digitisation of all aspects of the business.

  • Creating and testing a plan to operate without the IT network within a certain time period. This caps the maximum outage, and therefore the consequence to customers and to the operations portion of the business risk.

This could be moving to manual operations, moving to alternate processes, deploying substitute systems, perhaps limited, in OT, or implementing an emergency operations status with customers that changes the normal business operational requirements.

  • Create and test a plan to recover the required systems in IT to support operations within an acceptable time period.

The common factor in the second and fourth options is that they set a cap on the consequence to customers of an IT cyber incident.

Consequence reduction can be presented to management with a high degree of confidence, whereas for likelihood reduction security controls only rough and directional estimates can be viewed as credible.

While this is just an example, it represents an approach of managing OT cyber risk rather than getting into a contest to see who can deploy and maintain the most good practice security controls.

Risk is what the directors and executives in a business or organisation are required to manage. OT security professionals need to present recommendations and solutions in terms of business risk.

  • The writer is a member of the Cyber Security Agency of Singapore's Operational Technology Cybersecurity Expert Panel. The panel's inaugural meeting on Sept 29-30 will initiate a conversation about OT cybersecurity, with the panel presenting recommendations on strategies to enhance the cyber resilience of Singapore's OT sector.
