Presenting OT Security Risk to the Board

By Phil Neray, VP of Industrial Cybersecurity at CyberX

Operational Technology (OT) networks were traditionally kept separate, or “air-gapped,” from IT networks. However, new business requirements associated with the efficiency benefits of digitalization, such as smart environmental control systems, just-in-time manufacturing, and interactive systems tied to Big Data, are forcing increased connectivity between IT and OT networks. This has led to an increase in attack surface and cyber risk.

Protecting OT networks is a challenge. While some OT networks may have similarities to IT networks – and lend themselves to the traditional types of security measures used to protect them, such as SIEMs and firewalls – there are many characteristics of OT networks that differ from traditional IT systems. These differences include: specialized protocols such as Modbus for PLCs; difficulties with patching systems that run 24/7; legacy embedded devices with proprietary architectures; differences in network behavior; and long equipment replacement cycles.

This means that simply transferring security processes and technology from IT to OT will not succeed in protecting OT networks. It’s important that your board of directors understand these key differences, as well as risks associated specifically with OT networks.

 

Framing a Board Discussion Around OT Security

A key goal of the boards of most enterprises is to maintain an appropriate balance between protecting the security of the enterprise and its ability to function, as well as controlling financial outlays from losses.

Boards care about “strategy – not operations,” “risk oversight – not risk management,” and “business outcomes – not technology details.”1


A recommended approach of engagement with your board involves six questions outlined by the US Department of Homeland Security (DHS).

Question #1: What’s at risk – are assets prioritized and potential consequences identified if our ICS is compromised? Can we sustain operations of critical processes following a cyber incident?

Question #2: Who is ultimately responsible for cybersecurity?

Question #3: Is there Internet connectivity to our ICS environment? If no, how did we validate that fact?

Question #4: Is there remote access to our ICS network? If so, why, and how is it protected and monitored?

Question #5: Do we have a DHS HSIN account to receive alerts and advisories?

Question #6: Are best practices being applied?10

Ideally, in any discussions with your board regarding OT security risk you will be able to describe your OT cybersecurity efforts in the context of a cybersecurity framework based on OT industry best practices.

Identifying Key Metrics to Present to Your Board

Time, safety and continuation of services are of great importance, since many ICSs are in a position where failure can result in a threat to human lives, environmental safety, or production output.2

A critical element in eliciting a meaningful metric is to gather the relevant information about one’s system and to align that metric with measurable goals and strategic objectives which lie within the scope of a given project or the domain of an enterprise structure. Categories may include enterprise, operational, and technical metrics.3

Simple metrics might include checks to ensure that employees received appropriate background checks, activation of locked gates, or data being encrypted at appropriate levels.

Cyber Insurance for ICS/OT

One of the responsibilities of a board is to transfer risk inherent in operating an enterprise. That is often done through the purchase of insurance policies from third-party enterprises.

ICS-specific cyber insurance is also available. However, unlike the predictable costs associated with the loss of personal data, or the relative ease of projecting the amount of revenue lost from an e-commerce site not being available during a specific period, the costs associated with attacks against an ICS and related infrastructure tend to be unique and are harder to model.

As such, the insurance premiums charged to protect against ICS/OT-type losses tend to be very customized – and much higher than IT-related cyber insurance, as it is near impossible in many cases for an insurance underwriter to spread your distinct ICS/OT risks across multiple policy holders.

It is imperative to provide the BoD with a financial model that enables them to engage in an informed discussion with insurance providers. This will enable your Board to decide whether to utilize third-party insurance to transfer risk or self-insure.

Presenting OT Security Risk to Your Board

While it may seem obvious, preparing to present to your board should include knowing your audience: Who are they? What is their background? What role do they serve on the board? What are their biases and passions?


Keep the presentation short and to the point (Gartner’s Rob McMillan suggests a 7-slide approach), and focus on facts, risks, the future and actionable plans. Topics to be discussed may include4:

 

  • Disclosure of any known threats, including insider, supply-chain/third-party risks, nation-state, etc. and potential business impact for each risk
  • The maturity of your cybersecurity efforts that includes a mapping of your cybersecurity framework to an accepted capability maturity model. This should include enterprise readiness, areas of most concern, ability to transfer (outsource) risk, etc.
  • Updates on key security metrics that you are tracking
  • Anecdotes about other enterprises within your industry that have experienced – and addressed – ICS cyberattacks

 

Summary

There are increasing security risks associated with OT networks. According to the most recent SANS Survey, the current lack of visibility into the security and resiliency of OT networks is far-reaching – with the majority of respondents (59%) stating they are only “somewhat confident” in their organization’s ability to secure their ICS/SCADA infrastructure.

In addition, the increasingly blurred lines between traditional IT networks and OT networks have introduced additional challenges.

Given the potential implications to the health and safety of human lives, environmental damage, financial issues such as production losses, negative impact to a nation’s economy, and in a worst-case scenario the very ability of a society to function, it’s important that OT network security be addressed in a manner like IT network security – including having board-level visibility.

Centralized leadership for both IT and OT security, combined with a security program that incorporates a cybersecurity framework designed specifically for OT networks, along with the appropriate ongoing monitoring and measurement of that program, will help enterprises manage and minimize their OT security risks.

 

 

 

 

Endnotes

 

1 Gartner – Security & Risk Management Summit 2018 – ‘What Your Board Wants to Know’

2 NIST Guide to Industrial Control Systems – SP 800-82

3 Sandia National Laboratories – Security Metrics for Process Control Systems

4 Gartner – Security & Risk Management Summit 2018 – ‘What Your Board Wants to Know’

 

About the Author: Phil Neray is the VP of Industrial Cybersecurity for CyberX. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a 1st Degree Black Belt in American Jiu Jitsu.

(Twitter: @redecker99)
