Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
Original Source: https://www.tripwire.com/state-of-security/risk-based-security-for-executives/ceo-personally-liable-cyber-physical-security-incidents/
By TRIPWIRE GUEST AUTHORS 11/17/20
Digital attack attempts in industrial environments are on the rise. In February 2020, IBM X-Force reported that it had observed a 2,000% increase in the attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) assets between 2018 and 2020. This surge eclipsed the total number of attacks against organizations’ industrial environments that had occurred over the previous three years combined.
Converging Worlds
The growth in the number of attacks discussed above is at least partially tied to OT’s ongoing convergence with Information Technology (IT). Previously, IT and OT were worlds unto themselves. IT personnel mainly helped to maintain the PCs, servers, and other technology assets that interacted with or, in some way, handled enterprise-related information. In contrast, OT staff members primarily managed controllers and segmented the industrial network. There was some collaboration, but this was limited to specific purposes like submitting work orders and billing.
These worlds converged when many organizations began undergoing a digital transformation. Through this transformation process, organizations arrived at the belief that they could optimize their OT assets’ performance by connecting them to the Internet and IT systems. This convergence has introduced an abundance of network and computing devices into industrial environments that weren’t previously accessible via the web, thus expanding the IT systems attack surface in OT environments.
Malicious actors didn’t waste any time in modifying their attacks. Indeed, TRITON (also known as TRISIS), WannaCry, and other malware made headlines for successfully targeting organizations’ industrial environments. Each of these attacker groups shaped their malicious activity to accord with their motivations. Some infiltrated organizations surreptitiously to conduct espionage and leverage whatever knowledge they gained about their targets to give a leg up to a competing country or organization. Others were a bit “louder” in their approach by seeking to disrupt their victims’ industrial systems in the hopes of undermining the economy, national security, and/or public safety of the country in which the targeted organization resided.
With these threats in mind, it’s sobering for IBM X-Force to report that over 200 new ICS-related CVEs were released in 2019. This discovery led researchers to predict that attacks against OT and ICS targets will continue to increase in 2020 and beyond.
Limiting Factors
Organizations with industrial environments aren’t blind to these threats. Even so, some feel that they aren’t in a position to do anything about those dangers because of the costs associated with purchasing an industrial security solution. MarketsandMarkets found that organizations specifically need security measures that cover their entire industrial environments. This requirement causes OT security solutions to be expensive and organizations to opt for multi-threat solutions that don’t require high upfront costs like licenses or maintenance activities.
But if you think industrial cybersecurity is expensive, try an accident. An unintended or malicious cyber incident can cause catastrophic failures similar to the Buncefield oil storage facility explosion, Taum Sauk dam failure, and Texas City refinery explosion.
The issue here is what’s at stake. Organizations with industrial environments tend to operate Cyber-Physical Systems (CPS) that are responsible for ensuring smooth operations in plant environments such as critical infrastructure. If they are disabled or compromised, CPS can cause malfunctions in the plant environment that endanger public safety, threaten property destruction, and/or cause natural disasters. Hence, Gartner predicts that the financial impact of attacks against CPS will continue to rise, with the total cost reaching $50 billion by 2023 in compensation, regulatory fines, and reputation loss. (Those costs don’t even account for the value of human life.)
The Issue of Accountability
There’s an important development in the works, however. Indeed, Gartner also sees liability for CPS attacks ultimately extending to 75% of CEOs by 2024. This personal liability for CEOs reflects the fact that many enterprises are not aware of their organizations’ CPS and their vulnerabilities. This situation could result from rising shadow IT as personnel from outside IT install hardware and software to drive automation and modernization efforts at work.
But even when they’re aware of which CPS the organization is responsible for managing, CEOs and the Board might not be pursuing a sound security strategy for these assets. The reality is that CEOs and the Board are unaware that typical CPS risk assessment reports shared with them have an underrepresented view of the real operational, public health, and safety and environmental risks.
These assessment reports are developed through a ‘coordinated view’ approach. Assessors and plant operations and engineering stakeholders exchange information as part of this approach, but with a limited common understanding of the cyber-physical systems’ nature and complexity. This approach leads to an unbalanced focus on prioritizing IT network and system risks, which are generally more well understood than the more significant CPS risks in OT that require further assessment of their physics and engineering. While the coordinated view approach to risk assessment is in some ways better than isolated cyber risk assessments conducted by IT, operations, and engineering in their respective domains, it does not offer a ‘converged view’ of the CPS risk problem.
Hardening Their Industrial Assets
Organizations need a way to harden their industrial assets to avoid the costs of an industrial cybersecurity incident both in terms of corporate fees and personal liability to CEO and board members. Organizations must leverage frameworks like ISA/IEC62443, NERC CIP, and MITRE to strengthen their OT assets’ security and select industrial cybersecurity solutions that help create a reliable cyber operational resilience program. To develop a better understanding of industrial frameworks, to align IT/OT, and to use the right tools for the job while obtaining executive buy-in, take a read of the eBook by Tripwire, “Navigating Industrial Cybersecurity: A Field Guide.”