Boards seek greater confidence as industrial cyber attacks rise

• More company boards are asking for cyber security that goes beyond compliance with regulations, as directors’ understanding of cyber risk matures
• Information security officers are consequently facing the challenge of optimizing cyber security for today’s threat landscape
• In industry, this can involve developing, recruiting, or contracting in specialist knowledge of sector-specific industrial systems
• A tailored approach is needed for complex and large industrial cyber security challenges, says Georgios Mortakis, VP, Enterprise Technology Operations and CISO, Norwegian Cruise Lines Holdings

Cyber security is rising rapidly up the boardroom agenda in the industrial sector as hackers become faster and more creative. Attacks on operational technology (OT) – systems that monitor and control critical industrial assets – increased more than 2000% between 2018 and 2019, according to the 2021 IBM X-Force Threat Intelligence Index. This is happening as OT becomes increasingly connected with IT systems and the Industrial Internet of Things.

Even if boards and C-suites once thought they could opt for implementing enough cyber security measures just to comply with regulation, recent high-profile ransomware attacks are catalysing changes in mindset [Table 1].

“I have been in the cyber security industry for 20 years and have seen an exponential rise in awareness in the last five,” said Georgios Mortakis, VP, Enterprise Technology Operations and Chief Information Security Officer (CISO) at Norwegian Cruise Lines Holdings (NCL). “Incidents in 2020/2021 have erased any doubts, if they remained, that ransomware and other threats are very serious. Even the most defiant board members in many companies realize that cyber attacks could have multimillion or billion-dollar consequences and potentially paralyse infrastructure. Without the basic foundations of cyber security in place, you can become a victim overnight.”

Many directors now ask about their organization’s actual security state instead of whether the board’s legal duties are just fulfilled in terms of complying with statutory regulations.

Mortakis observed: “The default position across industries tended to be ensuring that everyone is happy in a compliance sense, then moving on to another year. However, companies may be compliant just because the cyber security audit samples left something out. Top-level managers who are more risk averse are beginning to ask, ‘What does compliance mean, does it give me a get-out-of-jail card if something has happened?’, and the answer is ‘no’.”

This mindset shift is much needed judging by Gartner research suggesting that 60% of companies operating critical infrastructure are only in the earliest stages of maturity when it comes to having integrated and optimized cyber security for OT and cyber-physical systems.¹

Cyber attacks on OT in the maritime industry alone increased by more than 900% between 2017 and 2020.² Gartner warns that by 2025, cyber attackers will have ‘weaponized OT environments to successfully harm or kill humans’.³ Attacks on OT can already have far-reaching consequences, said Trond Solberg, DNV: “The average cost of recovery from a cyber attack in general is currently around USD 4.2 million.⁴ OT attacks are known to be less frequent but far more severe, and recent major security breaches such as the Colonial Pipeline attack in the US in May 2021 are causing company leaders in the industrial sector to stop and question how well-equipped they are to protect, defend, and recover from attacks.”

“In the Colonial Pipeline case, the ransomware was confined to the company’s IT systems, but they still shut down the pipeline for six days in case the attack could reach the OT and give criminals access to pipeline controls. With more industrial operations today being based on cyber-physical systems, and threats and vulnerabilities being bidirectional, it is not hard to see how a cyber attack affecting critical infrastructure such as a cruise liner, pipeline or wind farm, could lead to a disaster,” Solberg added.

With boardroom awareness rising, CISOs and/or other employees responsible for OT/IT are under increasing pressure to establish, prioritize, and deliver on cyber security goals, with limitations of time and budget always involved. Hiring external domain specialists with deep understanding and experience of a particular industry and its cyber security challenges can be challenging given the limited availability of such experts in some sectors. For a business like cruise lines, pressure can also come from having limited ship time in port to conduct any cyber security audits and OT/IT/communications changes that need to be performed on the vessel itself.

The pressure on in-house teams hinges on the messages that the CISO or equivalent give to top management and the board about the company’s cyber security status, according to Mortakis: “It all depends on how you provide the message, how you pose the risk, the effects, ramifications, and whether you can indicate that it will not happen to your company. I always try to supply the secured risks, and a remediation plan that is realistic and does justice to the environment and scope.”

While every company is different, many take an “unfortunate” approach to cyber security in Mortakis’s view: “They ask, ‘What is my neighbour or peer doing?’ then try to do the same thing. To me, using a template approach for cyber security does not work. You need a tailored approach suitable for the company, environment, and organization you work with. I have always seen that tailored solution resonate positively with decision makers.”

Combining in-house and external cyber security expertise

Companies facing these challenges often engage with external advisers to establish the required cyber security more rapidly, or to leverage the know-how of a bigger security community that is more able to stay updated and gain experience across companies and sectors. Typically, it is not an either/or decision, says Mortakis: “I’ve worked both in-house and as an external consultant and would say that a combination of both is needed.”

For example, a company CISO needs internal know-how such as how the OT/IT network is mapped out – for ships, for instance, how does this vary between vessel classes? Other issues to handle internally include vulnerability assessment, remediation programmes, and how the company’s operational and cyber security teams collaborate, Mortakis suggested.

“But it’s always good to have an external expert to supplement and complement the internal activities,” he added. “They can bring in checks and balances, which are very important, and a fresh perspective into the overall risk classification – how is the risk assessment being done internally compared with what external auditors are seeing and doing? The key to making this work is leadership to ensure that combined security efforts are aligned towards agreed goals. You can’t do everything in-house, but make sure everyone is pulling in the same direction.”

Deciding what cyber security solutions to use

Some CISOs have another potential choice, between customized and off-the-shelf (OTS) cyber security solutions.

OTS may work for smaller environments or OT/IT networks with simple architecture and operation, according to Mortakis: “It’s like insurance. You need a basic level of coverage, and single or combined OTS solutions can sometimes provide fundamental cyber security controls that everybody should have. But the more complex, customized, and large the OT/IT environment becomes, the more limitation OTS solutions have. Needing to comply with regulation adds to complexity, and if there is a corporate acquisition, the acquired company will have its own environment.”

The point about customization is apt as power and utilities lead the way on cyber security for OT, DNV’s Solberg said: “They are among the most mature in Gartner’s analysis, and that matches our experience with customers. Some even conduct their own research into OT cyber security and are what I would describe as ‘best in class’, which includes tailoring solutions to their own environments and needs.”

Taking a holistic approach to OT-IT cyber security

In this fast-moving cybersecurity environment, DNV is fielding more enquiries from customers asking for support from the company’s holistic OT-IT cyber security expertise and specific domain knowledge in power and utilities, shipyards, oil and gas, telecoms infrastructure, and maritime. Solberg said: “Our twin focus on both OT and IT means we can help customers to see the whole picture. Clearly, this is also useful if they suffer a cyber attack in either OT or IT and are concerned that it may extend to both.”

Mortakis concluded: “There’s a lot of theory out there, but I look for vendors with proven and specialist experience and who can walk the talk. One reason I selected DNV to work with around my needs on the operational side is that they are very specialized for OT cyber security assessment.”

Read more about DNV cyber security services

REFERENCES

1. ‘Market guide for operational technology security’, K Thielemann, W Voster, B Pace, R Contu, Gartner, 13 January 2021, report ID: G00737759
2. ‘Cybersecurity: Attacks on OT systems are on the increase’, N Blenkey, marinelog.com, 20 July 2020 [online]
3. ‘Gartner predicts by 2025 cyber attackers will have weaponized operational technology environments to successfully harm or kill humans’, Gartner Inc., news release, 21 July 2021 [online], www.gartner.com
4. ‘Cost of a Data Breach Report 2021’, study conducted by the Ponemon Institute and sponsored, analysed, reported and published by IBM Security