Cyber Security Awareness Month Series Part 1: The Basics of Cyber Risk Management for Critical Infrastructure Executives and Board Directors
In appreciation for Cyber Security Awareness Month during October, we are excited to provide a three-part article series on Cyber Security Risk Management for Critical Infrastructure Executives and Board Directors. This series will cover the following topics:
- The Increasingly Threatening Cyber Threat Landscape for Critical Infrastructure Operators
- Guidelines on How to Build an Effective Cyber Security Risk Management Program
- Proven Techniques on How to Implement Effective Cyber Security Governance Practices for Your Program
Cyber Security is not an IT issue – it is a risk management and governance concern that executives and Boards must tightly oversee, manage, and support. This includes physical security, because physical breaches of key facilities and assets are closely associated with cyber incidents. Cyber security management should not be a standalone initiative; rather, it must be integrated into your overall enterprise risk management program.
This first part of the series provides a high level of context on the Cyber Security Threat Landscape and Key Risks for Critical Infrastructure Operators.
Enjoy the series, and we hope this will assist you in your cyber security risk management initiatives!
The Increasingly Threatening Cyber Threat Landscape for Critical Infrastructure Operators
Critical Infrastructure operators are now facing an increasingly threatening and complex cyber threat landscape. All operators – small, medium, and large, in any geographic location – are at risk.
In a recent report, the Connecticut Utilities Regulatory Authority stated that electric, gas and water companies are increasingly vulnerable to cyberattacks, and that the array and sophistication of cybersecurity threats is increasing every year [1].
U.S. federal and international authorities have issued urgent warnings to critical infrastructure providers to take precautions against potential retaliatory cyberattacks from alleged Russian state actors and criminal cyber groups [2].
Ransomware also continues to be prevalent, with local governments and overwhelmed utilities the most likely to pay ransoms [3].
The recent IBM/Ponemon Institute Cost of a Data Breach Report stated: “The average cost of a data breach for critical infrastructure organizations studied was USD 4.82 million – USD 1 million more than the average cost for organizations in other industries. Twenty-eight percent experienced a destructive or ransomware attack, while seventeen percent experienced a breach because of a business partner being compromised [4].”
As a result of the increasingly threatening cyber threat landscape, critical infrastructure executive teams and Boards of Directors are increasing the priority of cyber security, often placing it within the top 5 overall risks for their enterprise, with many assessing cyber security to be one of the top 3 overall risks posed to their business. The trend is clear: cyber risks are increasing.
Ransomware – A Prevalent Threat
Due to lucrative payouts, ransomware continues to increase in frequency and costs to all sectors worldwide. Threat actors have identified critical infrastructure, and specifically the Operational Technology (OT) environments of critical infrastructure, as attractive targets. OT environments are the computing devices, systems and networks that control and support operational functionality such as energy delivery, water supply, and gas transmission and distribution.
Case in point, two state-owned utility companies in Brazil suffered separate ransomware attacks, forcing them to temporarily shut down certain operations and services. Sensitive data was stolen and dumped online, including network access logins and engineering plans [5].
The much-publicized ransomware attack on Colonial Pipeline resulted in the closure of the 5,500-mile pipeline system, which left thousands of gas stations in the Southeastern US without fuel [6].
And most recently, the ransomware group behind the Colonial Pipeline attack struck again, this time hitting a Luxembourg-based critical infrastructure company’s pipeline operator (Creos) and electricity operator (Enovos) [7].
Threat actors, including organized crime and nation states, have developed extremely advanced and effective ransomware techniques that require a proactive approach and effective implementation of a Cyber Security Program for optimal protection.
Supply Chain/Third Parties
Supply chain/key third-party vendors represent a significant cyber security risk to critical infrastructure entities, because they carry a level of risk comparable to that of insider staff, who have historically been the #1 Cyber Risk factor.
Threat actors use key third–parties as ‘pivot points’ into the intended targets, which are the customers of the third party. By breaching a third party, threat actors can gain ‘trusted access’ into a multitude of companies. This was the case when approximately 18,000 companies were impacted by the SolarWinds Orion Update function breach [8].
Third parties should be viewed as ‘untrusted entities’ and ‘stack ranked’ in terms of risk presented to your organization. A formal risk management program should then be applied to the highest priority vendors. This program should include defining access control, information exchange, monitoring and maintenance of those vendors, culminating in signed contractual obligations for their protection.
Operational Technology
As stated earlier, OT environments are an attractive target for threat actors. Securing OT systems is more difficult than securing IT systems for three reasons. Firstly, operators typically rely very heavily on their OT vendors for support and maintenance, while these vendors vary greatly in their cyber capabilities. Secondly, OT systems are often comprised of legacy elements where cyber security was not considered in their design. Lastly, OT cyber protection mechanisms are less mature than those for IT.
A critical infrastructure entity not only carries all of the IT security risks of other sectors, but it also has additional challenging risks associated with its OT environments.
Best practices dictate that there be one overall cyber risk management program for the entity, with differing treatment of IT and OT assets and resources as applicable at the procedural level.
Summary
The cyber risks associated with a critical infrastructure entity are significant. Without proper implementation and governance of a cyber security program, the financial stability, operations, and reputation of your entity can be greatly impacted.
The second article in this series, to be released in September, will provide guidelines on how to build an effective cyber security risk management program. The last article of this series, to be released in October (in time for Cyber Security Awareness Month), will describe proven techniques on how to implement effective cyber security governance practices.
Acumen’s Cyber & Physical Security Risk Management Services
Acumen offers a full spectrum of Cyber and Physical Security Risk Management Services, including risk identification and prioritization, risk management program development, governance alignment, resourcing, budgeting, and training. We assist our clients in managing cyber and physical security risk via a cost-effective and pragmatic approach. We work as an extension of your team as a trusted advisor, providing industry and threat landscape updates and advice on how to increase your cyber security maturity.
As an Industry Trusted Advisor, Acumen can assist you. For more information: