Suits The C-Suite

When we talk about cybersecurity, we usually think of information technology systems that manage and access data. But there’s another side of technology that is often overlooked by enterprise security processes — the industrial control systems that handle physical processes through monitoring or direct control, such as valves, pumps and similar systems that have a physical “switching” function. The reason for this is that most of these systems have traditionally been isolated from corporate information networks, operated separately as they have functions outside of processing data — such as regulating power or water flow for utilities companies, the control network of a train system, or medical scanning equipment in a health care entity.

However, as business operations and processes become more complex and data-driven, there has been an increasing need to connect industrial control systems to corporate information networks in order to provide access to vital or relevant information. One example is how power companies are transitioning to digital metering to promote more accurate power quality monitoring and reporting. These systems will need to be connected to the power company’s data systems to link to customer data and information.

Because of this growing interdependency between IT systems and industrial control systems, businesses will need to revisit how they understand cybersecurity within these types of operational technologies. The government has recognized this growing problem and in 2017, through a Department of Information and Communications Technology memo, introduced guidance on how to secure “critical infrastructure” i.e. banking and finance, power and utilities, transportation, health care, telecommunications, and similar industries that are vital to public health, safety or well-being.

Considering that these systems are linked to real physical systems, organizations will need to find ways to seamlessly integrate these systems while ensuring physical and logical security.

The rapid deployment of digital technologies and web-enabled devices brings many advantages, but also increases cybersecurity risks. Because industrial control systems are increasingly being linked to broader IT systems, cyber attacks have more potential to breach customer and employee privacy and incur regulatory action. This can even disrupt critical infrastructure operations and put lives at risk. Every new device connected is one more device that can be compromised by a potential attacker.

In 2017, WannaCry ransomware became a wakeup call when it hit critical infrastructure, impacting over 10,000 organizations in over 150 countries, including those in the health care industry like the UK’s National Health Service. Although there is no evidence that any patients died directly from the attack, thousands of hospital computers were made unavailable, forcing doctors to physically transport lab results by hand and cancel at least 20,000 patient appointments.

In the same year, the NotPetya ransomware attack struck at numerous companies including Maersk and Mondelez, which cost them an estimated $300 million and $100 million, respectively. Overall, the attack did an estimated $10 billion in total damage. Attacks can also come from unexpected directions, such as the instance when US retailer chain Target was hacked through its heating, ventilation, and air-conditioning (HVAC) systems.

Companies that are interconnecting industrial control systems need to understand and manage these threats as not just a significant risk, but potentially a public safety concern. Industrial control systems will now need to be integrated into overall corporate IT and risk management, instead of being managed in silos.

In this broader risk landscape, companies need to consider that:

• A successful attack is inevitable — it is just a matter of when and how much. Organizations get lulled into thinking that they can deploy enough solutions or spend enough money to protect themselves. Organizations will have to live with managing the risk, and not trying to fully eliminate it. Knowing how to react and having the resilience to withstand a cyber attack is the best strategy.

• Interconnection will happen whether organizations like it or not. Vendors recognize that interconnectivity for industrial systems is a wave they have to ride and features for such are already being embedded in the systems that organizations are purchasing. It must be recognized that these features are present and have to be addressed from a policy level.

There are some actions that companies can take to help manage their risks in the face of today’s emerging cybersecurity threats. In the short term, companies should ensure that their security monitoring programs cover everything that it needs to cover. Most security monitoring purchases are limited to corporate information systems. Boards should ask their security departments whether their companies’ current attack detection capabilities extend to industrial control systems.

Since interconnectivity is inevitable, organizations have to extend cybersecurity practices and adopt them more diligently when it comes to industrial control systems. Such practices include implementing standard security baselines, supported by effective incident response plans.

Enterprises identified as part of the country’s critical infrastructure need to take steps to “future-proof” their business. This includes developing more agile and resilient responses to the disruptions being brought about by technology, evolving regulations and compliance challenges across their industry. Organizations within the scope of critical infrastructure need to accept that regulation over cybersecurity controls and breach reporting will become part of their businesses. Investing in cybersecurity systems needs to be considered as part of the cost of doing business.

On the other side of the coin, investment in cybersecurity is an expense that most organizations will not be able to recover directly through traditional return-on-investment models. This is why governments should consider awarding tangible incentives to encourage cybersecurity spending and not just award beyond mere seal of approval from government agencies. However, given the significant risks and threats posed by cyber attacks, can any company actually afford not to invest in cybersecurity?

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of EY or SGV & Co.


Carlo Kristle G. Dimarucut is an Advisory Senior Director of SGV & Co.