“A focus on ORM – or operational resilience management - beyond information-centric cybersecurity is sorely needed.”
While 2020 may be most notable for the COVID-19 pandemic, the year also saw massive shifts in technology and connectivity. First, both technology and connectivity were put to the test in a way unseen previously as nearly the entire business world moved from offices to working from home. And with it came the onslaught of cyber-attacks.
From cyber threats to the U.S. power grid and attacks targeting Australia to Garmin’s five-day outage and the SolarWinds supply chain attack, 2020 revealed the stark truth that technology adoption seems to far outpace security — especially when it comes to operational technology (OT).
Organizations can waste no time in protecting their critical operations. To help, Mission Secure collaborated with guest authors from various perspectives to share their insights on what’s next for OT cybersecurity and what organizations need to consider as they plan their 2021 cyber-protection strategies and beyond. This series covers three key topics: the threat landscape (Part I), risk management (Part II), and protection.
In Part II, Sid Snitkin of ARC Advisory Group, the leading technology research and advisory firm for industry and infrastructure; Steve Mustard of the International Society of Automation, a non-profit professional association and standards organization; Julian Clark of Ince, an international legal and professional services firm; and Mission Secure’s Bob McAleer, discuss the evolution of OT cyber risk impacts, management, and operational resilience. Check out their responses organized by topic and see how 2021 may reframe cyber risk management for defense, critical infrastructure, and process industries.
Question: How will cyber risks impact organizations in 2021 (e.g., cyber insurance, mergers, acquisitions, regulatory penalties, etc.)?
Risk Trend #1: Just seeing the tip of the iceberg
Julian Clark, Global Senior Partner at Ince: While I hold the position of Senior Partner of a full-service commercial law firm, my personal legal background is in shipping; this is why I consider cyber risk impact a “Titanic Scenario.” Corporates are aware of the risk and do so much to “keep an adequate lookout,” but what we have seen up to the end of 2020 in cyber risk is very much the tip of the iceberg.
Bob McAleer, President of Mission Secure Defense: 2021 Prediction — The cybersecurity landscape will change and change fast. The U.S. will begin to mount a serious national defense against nation-states and criminal organizations that have enjoyed porous and uncoordinated defenses and tepid reprisals. And, somewhat unseen, U.S. national cyber assets will get the teeth they need to defend forward. To counter U.S. cyber adversaries, the government has rightly recognized that it needs to re-organize, re-distribute decision and funding authorities, and re-think how it partners with industry.
Sid Snitkin, Vice President of Cybersecurity Services at ARC Advisory Group: The COVID-19 pandemic wreaked havoc on industrial companies around the world. Quarantines and job losses created major disruptions in the production and delivery of products and services. Companies were forced to slash operating budgets and delay capital projects. These developments directly impacted the 2020 industrial cybersecurity market and will continue to impact spending throughout 2021. But the impact will vary across industries, regions, and products:
Reduced sales of new control systems and upgrades will constrain demand for conventional security solutions, like firewalls and endpoint protection.
The growing role of CISOs in OT cybersecurity will drive demand for products that enable better visibility of OT assets, security hygiene, and threats.
Shortages and high costs of cybersecurity resources will continue to drive high demand for cybersecurity services.
Ransomware and sophisticated supply chain attacks will continue and fuel demand for more advanced cybersecurity products and services that enable rapid detection and response.
More remote workers and acceleration of digital transformation efforts will fuel demand for cybersecurity products that provide end-to-end security across IT, OT, Cloud, Mobile, and Edge applications.
Risk Trend #2: Quantifying OT cyber risk
Bob McAleer, President of Mission Secure Defense: For two consecutive years, the U.S. Director of National Intelligence (DNI) has said that cyber threats pose the number one threat to national security. The U.S. government has come to the decisive realization that a decentralized approach to cybersecurity is wholly insufficient — and puts national security and institutions at considerable risk. The 2019 John McCain National Defense Authorization Act (NDAA) commissioned the Cyberspace Solarium Commission (CSC), a bipartisan effort of policy experts, legislators, and practitioners who made eighty action-oriented recommendations — including draft language for Congressional committees. Twenty-nine of those recommendations were enacted in 2020’s landmark 2021 NDAA. As CSC co-chair Senator Angus King said, “…it’s safe to say that this is the most important piece of cybersecurity legislation ever passed.”
The NDAA’s reach and the CSC’s recommendations went far beyond the U.S. Defense Department. They will affect every branch of the Federal Government, every state, and every industry sector. In effect, there is a bipartisan shift to a more whole-of-nation approach to protect our economy and instruments of national power against cyber-attacks. In my opinion, this is our government at its best. Corporate cybersecurity, too, will change from a long-term risk versus near-term profit calculation to a recognized pillar of responsible management.
Julian Clark, Global Senior Partner at Ince: We are heading on a collision course with a cyber risk target that will cause huge commercial disruption, significant potential financial exposure, and possibly irreparable reputational damage. Failure to adequately protect data (which can so easily be accessed via an OT breach) will expose corporates to the risk of severe regulatory penalties. We have seen numerous examples of damage to M&A projects as a result of a cyber-attack, and at present, insurance coverage does not adequately address the risk.
Steve Mustard, 2021 President of the International Society of Automation (ISA): Insurers have invested considerably in understanding IT cybersecurity risk and are now routinely offering cyber-breach policies based on objective measures of preparedness. In the OT space, insurers are now grappling with what a cyber incident means to an organization with health and safety, environmental, or production consequences. What is certain is that insurers want to be able to quantify what preparedness looks like in this space, and once they are able to do that, businesses will see that demonstrating good cybersecurity posture will result in better premiums, making a clear financial case for investing in this area. The ISA Global Cybersecurity Alliance (ISAGCA) is already focused on this area, and we can expect to hear more in 2021.
Risk Trend #3: A focus on resilience - unprepared is unacceptable
Bob McAleer, President of Mission Secure Defense: Much of the U.S. fighting force is vulnerable today to asymmetric cyber threats that emanate from control systems designed without consideration of cyber-attacks. Is OT cybersecurity a single-layer firewall and monitoring? Or multi-layer monitoring and defense? At Mission Secure, we believe in the latter — and it provides organizations with operational resilience.
“Resilience encompasses the ability to anticipate, withstand, rapidly restore core functions and services, and evolve as an organization in the wake of a disruptive event. A resilience-based approach assumes that some compromises and disruptions are impossible to deter or prevent and, therefore, organizations should invest in being better prepared when these instances occur.”
Dr. Erica Borghard
Senior Fellow, Atlantic Council; previously Assistant Professor, Army Cyber Institute, USMA
Steve Mustard, 2021 President of the International Society of Automation (ISA): The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory in October this year to warn that any company affected by ransomware that pays a ransom may be in violation of OFAC regulations and be subject to fines. In 2019 Duke Energy was fined $10M by the North American Electric Reliability Corporation (NERC) for 127 violations of the NERC Critical Infrastructure Protection (CIP) regulations between 2015 and 2018. While this was an unusually large fine (consistent with a major violation of regulation), NERC continues to fine companies that are failing to follow their cybersecurity regulations.
In both cases, it appears that regulatory bodies are now clamping down on businesses that should, by now, know better. It seems that the message is that it is no longer acceptable to be unaware of or unprepared for the risk of cyber-attack.
Over 30 years ago, organizations first embraced IT and quickly realized that a host of cybersecurity concerns needed to be understood and addressed. It’s an undesirable pattern repeated in 2020 as individuals, businesses, and government leveraged technology to new extents only to find themselves unprepared to manage cyber risks and combat cyber adversaries.
And while the business case for continuing to modernize OT today is the same as it has been for decades — increased safety, efficiency, and production at a lower cost — it is clear the OT landscape has also changed and continues to do so rapidly. The threat of a cyber-attack on OT networks is a critical consideration, reframing the conversation and strategies around operational resilience management.