When it comes to cybersecurity, 2021 was a wake-up call for most industrial sectors. Cyber vulnerabilities in operational technology (OT) were exposed and we learned that critical American infrastructure can be crippled with the click of a button. Attacks were present in the news monthly, with the most highly publicized including the shutdown of one of the nation’s largest pipelines, Colonial Pipeline. The recent surge of cyber incidents and the correlating effect on operations highlights the fact that threat actors have moved beyond traditional information technology (IT) targets, where their main goal is to obtain important information and data, to OT, where their primary mission is to cause physical disruptions or harm.
By Ryan Moody, President and CEO at ABS Group
As the end of the year approaches and we begin making organizational plans for 2022, CISOs within industrial sectors must take time to reflect on this year’s unprecedented events and how they should shape their priorities.
First, CISOs need to reassess their cybersecurity programs to properly address the current threat landscape. We now know that cybercriminals have set their sights on making an impact in OT environments; therefore, CISOs must completely shift their focus. The traditional solutions implemented in an IT environment do not address the unique needs and circumstances of OT.
To build out an entirely new cybersecurity program that addresses IT and OT cyber environments independently, CISOs must educate and garner buy-in from their board of directors. This crucial task will not be quick or easy to accomplish, but if done correctly, it can result in greater resources that will enable organizations to keep their digital and physical assets secure and preserve their reputation.
Educating the Board: Dispel Myths and Misconceptions
Although many boards know their organizations need to act on cybersecurity following the barrage of incidents in 2021, the biggest obstacle standing in the way is education. Most of the public – including board members – do not understand the differences between IT and OT networks or the challenges of protecting the less mature OT networks from threat actors. The media coverage and conversations on the topic are filled with myths and misinformation. There is also no clear understanding of the distinction between IT and OT cybersecurity, which presents a significant risk to organizations.
CISOs should begin their discussions with their boards by educating the members on common myths about cybersecurity versus the realities. They should be prepared to explain:
- IT Cybersecurity Solutions Do Not Work in OT Environments: It’s a common misconception that IT and OT are the same. CISOs need to debunk this myth by clearly communicating the differences between IT and OT with tangible examples. In an IT environment, a click on a computer screen sends an email. That same click in an OT network could open a valve or stop an engine, leading to a catastrophic event. The primary goal in an IT attack is data; an OT attack targets the lifeblood of a business: your operations. Technologies used to monitor IT networks for cyber-attacks, such as agents and active scanning, are mostly incompatible with OT systems and can disrupt them. OT security requires highly specialized domain expertise along with cyber expertise. A cyber-attack in an OT environment might look like a simple maintenance failure – you need expertise that can tell the difference.
- Compliant Does Not Equal Secure: Government regulations can only go so far; cybercriminals are constantly adapting, and compliance-driven rules can’t keep up with their pace. Most organizations do not realize that even if you are complying with all the latest regulations, you still won’t be secure. While government regulations have their place and provide frameworks for action, they will never be the sole answer to the problem. There is much more work to be done outside of regulatory requirements.
- Stopping One Attack Does Not Prevent the Next: Attackers can adapt far more quickly than cybersecurity can evolve. CISOs need to address the myth that solving the last attack will make their organizations safe. Because attackers are constantly evolving and learning, implementing a solution that would have prevented the last attack does not prevent the next one or the one after that. Organizations must be proactive with training, policies and monitoring to plan for, defend against and respond to future attacks.
Generating Buy-In from the Board: Focus on Business Risk and Impact
Companies won’t spontaneously invest in cybersecurity. CISOs are often challenged by the board to explain what the real impact will be should a cybersecurity event occur. And since many board members don’t fully understand cybersecurity, let alone the key differences between IT and OT, CISOs must focus on what will resonate most. They need to emphasize the impact of cyber-attacks on market valuations, competitive advantages, ability to bid, and key financial performance indicators.
CISOs should also explain why managing cyber risk for both IT and OT environments is a business imperative. Their discussions should offer examples of how previous cyber-attacks in IT and OT have affected the business performance and operations of organizations that have been victims of these types of attacks. For example, the Colonial Pipeline cyber incident caused an entire shutdown of the pipeline operations that supplied 45% of fuel to the East Coast, cost the company millions in ransom, and had a substantial impact on the supply chain.
Rising to the Challenge of Communicating with Boards
Communicating cybersecurity, and more specifically the different approaches to managing IT and OT cyber risks, to the board will not be an easy task for CISOs as they map out their needs and priorities for 2022. However, they must remember that education is key and that an attack on OT systems can significantly impact people, property, and the environment. Cyber attackers will not stop; they will only increase their activity and become more sophisticated as they leverage the weaknesses of organizations. Boards of directors must grasp this concept, and act now (not later) if they wish to keep their organizations truly secure. 2021 opened Pandora’s box, and it will take focused effort and investment to close it.
About the Author
Ryan Moody is President and CEO of ABS Group of Companies, Inc. (ABS Group). He previously served as Vice President of Strategic Development for the American Bureau of Shipping (ABS), where he was responsible for guiding and supporting ABS’ and ABS Group’s strategic activities and corporate growth globally. He brings 18 years of experience primarily in the oil and gas sector. Prior to ABS, he held leadership positions at Siemens Government Technologies, Siemens Energy, and FMC Technologies. His experience includes engineering, business segment management, product management, cybersecurity strategy, and corporate strategy. Moody holds a B.S. in Mechanical Engineering from Texas A&M University and an MBA from the University of Houston.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.