Companies need to reassess their cyber-physical security risk
Chief financial officers (CFOs) and audit committees need to radically reimagine what cyber physical security risk means for their organizations.
Innovative business models behind ransomware-as-a-service, a fundamental increase in the reliance of physical process controls on vulnerable information technology (IT) systems, and the evolving cyber insurance market mean that every industrial organization needs to reassess its risk matrix to account for these cyber physical security “black swan” events, which may be much more gray than truly black.
About 18 months ago, Gartner analysts began to refer to operational technology (OT) or industrial control systems (ICS) cybersecurity as “cyber physical” security. For many people who work on OT and ICS systems, however, cyber physical sounds like some buzzword created by marketing people to make them sound cool. No one who runs a plant or a transportation system or a transmission grid ever referred to what they do as “cyber physical engineering.” But the reality of Colonial Pipeline, Molson Coors, Westrock, Honda, and another 30 or 40 industrial ransomware incidents in the past year makes it clear that the term describes the risks appropriately.
Whether or not the attackers breached the OT systems, the effect was to shut down manufacturing processes. In some cases the shutdown was self-imposed, out of an abundance of caution that the malware might spread and do more damage. In others, it happened because operations rely on many systems traditionally defined as IT in order to produce effectively – supply chain connections, pricing and revenue collection, payroll, etc. Even without IT-OT convergence in the technical sense, convergence already exists in a business sense: IT threats in industrial businesses can have operational impacts. Hence the term cyber physical, rather than OT, is appropriate.
Cyber physical security risks are accelerating much faster than boards or chief financial officers (CFOs) realize and have likely already reset the risk matrix for most industrial organizations, perhaps without them noticing. Audit and risk committees and CFOs regularly review current risks and emerging threats to the company, and emerging risks from climate change, evolving terrorist threats around the world and core cybersecurity have become more prevalent on those agendas in the past decade. However, the shifting tectonic plates of cyberthreat business model innovation, cyber insurance maturity and IT-OT convergence have changed the risk profiles of most industrial organizations radically in the past 12 months, and will continue to do so over the next two to three years.
Cyber-physical threat business model innovation
One of the findings from the 9/11 commission was that one contributing factor to the U.S.’s lack of preparedness was a failure of imagination in how innovative attackers can be. This is absolutely true in the world of cyber physical systems. Unlike most other threats to industrial organizations, the cyber physical security threat innovates to try to find new ways of hurting people. Climate change doesn’t innovate to make things worse. Hurricanes don’t invent new “business models” to make the wind blow stronger. Threat actors, however, innovate specifically to cause harm.
This innovation is accelerating at a rapid pace. Before the Colonial Pipeline attack in May 2021, most industrial CFOs and audit committee chairs may not have heard of Darkside or the term “ransomware-as-a-service.” Now it is on every board agenda. But this is just one of the new business models. The cyber criminal industry is forming and re-forming continually, looking for new ways to make money and, when paid by the right group, perhaps to cause societal impact.
As the price of stolen personal information has declined with the supply that now exists, new forms of value creation have emerged: ransomware, data-leak extortion, IP theft, etc. These are all ways of monetizing the attack tools. Platforms such as Darkside, REvil and others arise to let third parties with access or an angle into a target organization share in the profits.
For the past 10 years or so, industrial organizations (other than power companies and some critical facilities) have been under the radar, because the profit focus was on personal information theft. The landscape has shifted as ransom, extortion and other revenue models have emerged, and industrial organizations are now prime targets. Companies that make something, or that must deliver a service using production systems, have a much greater urgency to recover their data. Because they were not on the front lines historically, their defenses are weaker than those of similarly sized and situated financial or retail firms, so cyber physical security has to become a greater focus of the risk committees of industrial organizations.
The rapid acceleration of IT-OT convergence means that industrial organizations are potentially adding to their risks at the same time as new business models are targeting them more heavily. IT-OT convergence is not a choice still to be made; it already exists in almost every industrial organization. As mentioned above, cyber physical systems are intertwined with IT systems from billing to supply chain to human resources. Industry 4.0 and similar initiatives are multiplying these connections, in the productive pursuit of efficiency and innovation, and with them the exposure of the cyber physical systems themselves.
The notion of the air gap was never real in practice in most organizations. But in many industrial processes the critical processes were self-contained at a plant or within a line. Advanced manufacturing, cloud analytics and similar initiatives increase the number of connections and, with them, the opportunities for intrusion.
Several recent client examples highlight this growing trend:
- Wind farms connected to vendors’ cloud infrastructures for advanced analytics on turbine performance, followed by an inbound connection so the vendor can push tuning changes to the turbines for optimum performance. The outbound telemetry feed becomes a bidirectional control path.
- Original equipment manufacturer (OEM) vendors embedding LTE or 5G modems in the backplane of controllers, or supplying them as stand-alone units, so that process data streams directly to the cloud, with no restriction on inbound paths from the cloud back to the controller and no visibility at the plant perimeter.
- Network connectivity for remote devices and lines that were formerly serially connected, to improve uptime and process visibility and to feed predictive maintenance that reduces outages.
All of these, and thousands of other use cases, can have a great return on investment (ROI), but at the same time they are creating, or expanding, exposure to cyber physical system threats.
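The pattern in the three examples above is the same each time: a connection justified by outbound telemetry becomes a path that an outside party can initiate into the control zone, sometimes on a protocol that can write to the controller. As an added illustration (example code written for this page, not Verve’s tooling or any client’s configuration), the following Python script audits a constructed set of zone-to-zone conduit rules for exactly that pattern. The zone names, the trust ranking (loosely modelled on the IEC 62443 zone and conduit idea), the “cellular” zone standing in for an OEM modem path, and the sample rules are all assumptions made for the example; the protocol port numbers are the well-known ones.

```python
"""Audit zone-to-zone conduit rules for inbound paths into control systems.

Added illustration, not Verve's tooling or any real site's ruleset. Zone names,
trust levels and the sample rules below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed trust ranking, loosely following the IEC 62443 zone/conduit model.
# Lower number = less trusted. "cellular" models an OEM LTE/5G modem whose
# traffic never passes the plant perimeter firewall.
ZONE_LEVEL = {
    "internet": 0,
    "vendor_cloud": 0,
    "cellular": 0,
    "enterprise_it": 1,
    "plant_dmz": 2,
    "control": 3,
    "safety": 4,
}
CONTROL_LEVEL = ZONE_LEVEL["control"]   # at or above this is a process zone
DMZ_LEVEL = ZONE_LEVEL["plant_dmz"]

# Well-known ports of industrial protocols that can write to a controller.
WRITE_CAPABLE_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    20000: "DNP3",
    44818: "EtherNet/IP explicit messaging",
    4840: "OPC UA",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # zone that may open the connection
    dst: str
    port: int
    initiates: bool = True   # False = reply traffic only, no new sessions from src


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    reason: str


def audit_rule(rule):
    """Return the findings for one conduit rule (empty list if it is acceptable)."""
    findings = []
    src_lvl, dst_lvl = ZONE_LEVEL[rule.src], ZONE_LEVEL[rule.dst]
    # Reply-only traffic, conduits that do not enter a process zone, and sessions
    # opened from a more trusted zone are the benign cases.
    if not rule.initiates or dst_lvl < CONTROL_LEVEL or src_lvl >= dst_lvl:
        return findings
    brokered = src_lvl >= DMZ_LEVEL   # session starts in the DMZ, not outside the plant
    # 1. A less trusted zone may open sessions into a process zone.
    findings.append(Finding(
        rule.name,
        "medium" if brokered else "high",
        f"{rule.src} may initiate connections into {rule.dst}"
        + ("" if brokered else ", skipping the plant DMZ"),
    ))
    # 2. The port belongs to a protocol that can change process state.
    if rule.port in WRITE_CAPABLE_PORTS:
        findings.append(Finding(
            rule.name,
            "medium" if brokered else "critical",
            f"{WRITE_CAPABLE_PORTS[rule.port]} (port {rule.port}) reachable "
            f"from {rule.src}: remote write path",
        ))
    # 3. The path bypasses the perimeter firewall altogether.
    if rule.src == "cellular":
        findings.append(Finding(
            rule.name, "high", "cellular modem path bypasses the plant perimeter firewall"))
    return findings


def audit(rules):
    """Map rule name -> findings, for the rules that have any."""
    report = {}
    for rule in rules:
        found = audit_rule(rule)
        if found:
            report[rule.name] = found
    return report


def severity_counts(report):
    return dict(Counter(f.severity for fs in report.values() for f in fs))


# Constructed ruleset mirroring the three client examples above.
EXAMPLE_RULES = [
    Rule("turbine-telemetry-out", "control", "vendor_cloud", 443),   # outbound analytics feed
    Rule("turbine-tuning-in", "vendor_cloud", "control", 4840),      # vendor pushes tuning changes
    Rule("oem-modem-in", "cellular", "control", 502),                # LTE modem in the backplane
    Rule("dmz-jump-to-plc", "plant_dmz", "control", 102),            # engineering via DMZ jump host
    Rule("historian-push", "control", "plant_dmz", 5450),            # controllers push to historian
]

if __name__ == "__main__":
    report = audit(EXAMPLE_RULES)
    for name, findings in report.items():
        for f in findings:
            print(f"[{f.severity:8}] {name}: {f.reason}")
    print("totals:", severity_counts(report))
```

The outbound-only telemetry rule and the historian push produce no findings; the vendor’s tuning path and the OEM modem path are flagged as unbrokered inbound write paths, and the jump host in the DMZ is rated medium because the session at least originates inside the plant, where its access controls can be reviewed. The same logic can be pointed at an exported firewall or cell-router ruleset once the zones are mapped to address ranges.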
Cyber insurance reset
Three years ago, Verve team members met with a senior insurance executive who bemoaned the market inefficiency as new entrants were pricing cyber risk at what he believed was below the real risk rate, because of a lack of robust historical claims data. Three years later, the market has hardened dramatically as claims data has started to come back. This has led to premium increases of 50% for some customers, with potentially more to come in the next two to three years.
The practical reality for industrial CFOs and audit and risk committees is that insurers are now going to ask more questions about the cyber physical system risks they are covering. Colonial Pipeline is only one (albeit very famous) incident; cyber insurers know of hundreds more from claims databases, both in ransoms paid and in recovery and incident response costs incurred. They will start to expect the same level of security management in OT systems as in IT systems. They will also expect to understand how those systems interact, so that they can judge the operational impact of an IT system attack even when the threat never crosses the IT-OT boundary.
Further, AXA in France has already announced that it will no longer cover ransomware payments, in an effort to reduce the attractiveness of ransomware to attackers. The result may be a dearth of ransom coverage. This shift will likely require industrial organizations to assess their own risks much more deeply in order to know how much, and what, to insure.
These three elements are radically shifting industrial organizations’ risk matrix. This is not an evolving threat like climate change or the aging of the workforce; it is a revolution in risk that can have massive consequences for financial performance as well as for trust from supply chain partners. Imagine a just-in-time plant hit with ransomware, down for six weeks, and the impact on that company’s reputation. Cyber physical systems resilience may even become a strategic advantage.
Industrial company boards and CFOs need to make it a priority to reassess their current cyber physical security risk and refine their strategies to reduce it.