Cybersecurity issues: risks and liabilities
In many ways, cybersecurity is like the weather: everyone talks about it, but no one is doing anything about it. That has to change, suggested Chad Pinson of insurance giant Aon’s cyber solutions practice. In a recent report, Aon officials suggested that as cyberattacks increase, there will be increased attention—and increased liabilities. Pinson discusses some of those issues with Plant Engineering.
Plant Engineering (PE): What do you see as the cybersecurity vulnerabilities in the manufacturing sector? Are there any particular segments in that sector that might be more vulnerable?
Pinson: Many manufacturing companies still view the impact of cyber risk as a concern mainly for consumer-oriented companies in sectors that traditionally handle large volumes of sensitive data. However, the cyber risks to manufacturing organizations extend far beyond the risks of a data breach—to operational and business disruption, negative impact on goodwill, public, and employee safety, theft of trade secrets, exposure of embarrassing, confidential, or material non-public information, and financial theft.
Manufacturing organizations often use and rely on industrial control systems (ICS). These ICS systems are often located in remote, unmanned locations, or in manufacturing facilities removed from corporate headquarters or IT support. As a result, many ICS systems (and their attendant SCADA or PLC devices) are increasingly connected to corporate networks or the Internet. In our experience testing these networks, many companies mistakenly believe that these firewalled systems do not pose a risk to their wider business because of intended network segmentation between the ICS and corporate environments.
However, during penetration testing, we are often able to move with relative ease from a corporate environment to a firewalled ICS and vice versa—meaning a sophisticated attacker could do the same. These connected systems open up manufacturing companies to the potential for attackers to target them for the purpose of causing mass destruction, industrial accidents, or chaos, for example, by exploiting vulnerabilities to affect the accuracy of sensors and gauges, the function of valves and motors, or the control and oversight of critical physical assets and property.
In addition to these significant cyber risks surrounding ICS, manufacturing companies are also at risk of falling victim to attackers seeking to access their networks in search of commercially valuable information, such as trade secrets, intellectual property (IP), and research and development plans. They are also likely to be targeted for financial theft and wire fraud, for example, through phishing or social engineering attacks. Given their reliance on operations and access to information, manufacturing companies are also at risk from ransomware attacks, which may hold high-value targets as encrypted hostages while demanding large sums of money in proportion to the value of the asset.
PE: What are the key elements to a proactive cybersecurity plan? How can you balance the costs and benefits of implementing such a plan?
Pinson: Given the volume and range of cyber risks manufacturing companies face, implementing a proactive cybersecurity plan is critical. In terms of the costs and benefits, significant data and information that can help quantify the impact of disruption and losses on manufacturing companies now exists.
Performing quantification and technical assessments by working closely with the security and risk teams can help manufacturers identify how much risk a company faces, how much risk a company can or should take on, how much they should remediate, and how much they should transfer through insurance products.
Many companies begin their cybersecurity program with an incident response tabletop or simulation exercises, skipping the crucial steps of assessment and improvement. This can speed up the process initially and may save the upfront costs of conducting an assessment and any remediation, but ultimately means the incident response plan will need to be enacted far more often, and their overall cybersecurity program will be undermined by a lack of basic data and security hygiene and processes.
The first phases of assessment, testing, and improvements across a manufacturer’s people, process, and technology, help companies to establish what and where the company’s critical assets are, including sensitive data or connected systems, and how protections should be prioritized based on critical functions. Companies do not have infinite budgets for cybersecurity programs, so this is a critical step in terms of a good cost-benefit analysis.
After identifying critical assets, an assessment allows manufacturers to determine how well those assets are currently secured. Findings and recommendations arising from the assessment provide manufacturers with an actionable plan to remediate issues, improve risk mitigation, and lower their overall risk profile. After an assessment and remediation, manufacturers are in a much better position to test their newly improved cybersecurity posture via penetration testing and tabletop exercises.
The incident response planning process itself should involve experts who have experience handling meaningful cyber incidents, so they have first-hand knowledge of the issues that can arise in an incident, as well as experience that provides insight into what steps in response to those issues are appropriate, and what steps are ineffective or even potentially harmful. This prevents the plan from being purely theoretical, and helps tailor it to the organization’s risk profile, culture, and processes.
The incident response plan should define concrete roles and responsibilities—from the technical teams, to legal, HR, communications, operations, the board, and any external experts—and should be practiced with all the stakeholders involved. At the same time, the plan should not be totally prescriptive. Certain areas of it should be malleable, allowing for specific decisions and actions to be left to the discretion of experts at the time of the incident.
For example, laws and regulations around cyber incidents continuously change and are updated, so in many cases it is more effective for the incident response plan to mandate that the general counsel’s office or outside counsel be brought in to advise and provide guidance regarding the appropriate response at the time of an incident.
Similarly, the communications team needs to know who the audiences are that should be communicated with and how—from supply chain partners, to customers, to government authorities. But the precise details, such as the specific content of communication as well as its timing, should generally be flexible and not specifically described in the incident response plan.
The best incident response plans also include a clear process for scoring, classifying, and prioritizing incidents, and explain how they should be escalated and at what point. For example, a lost USB with no confidential information on it does not merit the same response as a network intrusion by a nation state affecting the manufacturing facility.
As part of a proactive cybersecurity plan, having outside counsel and a team of incident responders on retainer (even a $0 retainer) is another step that can minimize the damage done at the time of a cyber attack by minimizing or eliminating the time required to negotiate and execute engagement letters during an incident. Incident responders who arrive on the scene with prior knowledge of the company’s environment, operations, and processes are better equipped than those first called at the time of the attack.
PE: You mention biometrics and multi-factor authentication as two ways to address cybersecurity threats. Are there other things a small to mid-sized manufacturer can and should do to address their network security issues?
Pinson: Small to mid-sized manufacturers can address their network security issues by taking steps such as a customized cybersecurity assessment as a starting point, and implementing some of the steps outlined above such as prioritizing their critical assets for protection. Some other fundamentals they can consider include monitoring access controls, implementing a proper password management system, and creating better configuration around firewalls.
Many operational tools and applications already in use in a company’s environment have security features. But those features must be understood, configured, and then used. For example, at least one commonly used enterprise email application has optional access control monitoring features that can help minimize phishing attacks and unauthorized access to email accounts.
It is also advisable to make sure that the right investments are being made in the people in the organization, for example, so that the IT team does not have to function as the security team at the same time.
Smaller companies can also implement organizational changes such as creating a cross-sectional security committee that includes data owners and users, systems owners and users, as well as business managers, operations specialists, and others who can drive security and cyber risk management into business processes.
PE: Talk about the issue of insider risks; it seems that many networks are vulnerable more from inadvertent security breaches than from deliberate attacks.
Pinson: The weakest link in an organization’s cyber defense system is often its people, who may act negligently, carelessly, or even maliciously against the organization. The threats posed by employees can be as simple as unwittingly clicking on a phishing email link, or losing a laptop containing sensitive information.
But insider risks can also extend to deliberate theft of commercial or sensitive information for personal gain or vendetta. Companies consistently underestimate their critical vulnerability in this area and many companies still allow excessive access among their workforce to sensitive data, processes, and information, with little monitoring or control around user access or activity.
To manage the human element of cybersecurity, companies need to implement training and awareness programs, and create a culture in which employees become a valuable ally in identifying suspicious activities and feel comfortable in reporting incidents or mistakes without fear of negative professional consequences. Manufacturers can also install data-loss-prevention tools and configure existing applications to better protect against insider risks.
For example, companies can configure internet access to limit the use of certain websites that are often the source of malware introduced into the environment, or webmail websites or cloud storage services that are often used to transfer data out of the corporate environment carelessly or maliciously.
Effective third-party risk management programs are also crucial in mitigating insider risks, as it is not just employees who pose a risk, but also contractors, supply chain partners, business associates, and anyone with access to the networks.
Chad Pinson is Executive Managing Director at Aon.