[BreachExchange] Cyber Risks Threaten Physical Security, Industrial Controls

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 9 19:58:23 EST 2017


http://ww2.cfo.com/risk-management/2017/02/cyber-risks-threaten-physical-security-industrial-controls/

“What are we doing to protect ourselves from cyberattacks?”

It’s a question every CFO eventually asks their team.

Although the question suggests IT-specific concerns like malware,
firewalls, and virus scans, CFOs need to pause and broaden their
perspective to examine cyber-related business risk in the areas of
physical security and industrial controls as well.

If, for example, a cybercriminal walks into your headquarters and steals a
laptop, or a worm lets attackers take over the controls of your factory,
your problems just got a lot bigger. Attackers could destroy costly
equipment and put you out of business for months, ruining your
relationships, reputation, brand, market share, and shareholder value.

News headlines might lead you to believe that the biggest cyber risk is the
theft of financial, medical, password, or other personal information, which
exposes consumers to fraudulent charges, embarrassments, and all manner of
personal headaches.

Breaches like these can certainly be catastrophic to your business. But
like physical property, business data is also an operational asset. It has
a distinct value in terms of keeping the business running and, in this
analytics age, providing insight. Destruction, corruption, or alteration
of, say, logistical data, orders, or GPS information can cripple your
business for months.

Worst case? Arguably, it’s when hackers go beyond credit card numbers and
data damage and take hold of your industrial controls, potentially bringing
power stations down, permanently freezing multimillion-dollar turbines in
mid-cycle, blowing chemical vessels up, or causing molten metal to harden
midway through fabrication.

When I step back, this multifaceted cyber security challenge looks to me a
lot like the commercial property vulnerabilities engineers address every
day in their loss-prevention duties as they gird against fire and natural
catastrophe. Their first step? Understanding the risk, which goes far
beyond ones and zeroes.

Risk on the Premises

It’s often overlooked, but your company’s physical premises can expose it
to cyber attack. During working hours, or after hours for that matter,
without proper security measures in place, a hacker could conceivably walk
right into your building, office, or cubicle and plug an infected thumb
drive into the first computer he or she sees. Therefore, you need to make
sure your properties, key partners and, ideally, your entire supply chain
are physically secure.

Besides keycard building entry, improving physical security requires you to
manage which visitors, contractors, and employees can enter your facility
and its sensitive areas, and what they can reach once inside. It may
involve controlling physical access to network rooms and equipment,
requiring security tokens for computer access, and implementing both timed
lockout and password protection on network devices. And it certainly
entails employee security awareness training.

The bottom line is that it’s easy, from a risk management perspective, to
get distracted by the complexity of digital network security – firewalls
and such – when some of the most gaping security holes can be in your
physical premises. As a CFO, you need to make sure professionals are on the
ground exploring the premises with those concerns in mind.

Industrial Risks

In the past two years, cyber attacks have hit energy and utilities
companies and defense and aerospace contractors. In December 2015, hackers
reportedly were able to bring down part of a power grid in Ukraine. In 2014,
the German Federal Office for Information Security (BSI) reported that a
German steel mill suffered massive damage when attackers, having gained a
foothold in the office network, reached the plant network and disrupted the
control systems so that a blast furnace couldn't be shut down in a
controlled manner.

Also that year, a former Georgia-Pacific paper company employee accessed
computers at the company’s Port Hudson, Louisiana, mill from home,
affecting the distributed control and quality control systems for machinery
used to produce paper towels.

Industrial control system risks like these have become increasingly
prominent on risk managers' radar. As we hear all the time from our
clients, "I wasn't even thinking about this a year ago." The CFO needs to
understand the emerging risk as well.

These connected plants and power grids are part of the Internet of Things
(IoT), which is commonly thought of as interconnected smartphones, cars,
fitness trackers, thermostats, and refrigerators. There are more than 6
billion things in the IoT, with more than 5 million things getting
connected every day, according to Gartner.

The IoT, however, also connects operators to industrial controls, sometimes
enabling a plant manager to go online from home and tweak plant operations
miles away. Many of these systems were designed first to be reachable and
easy to operate, not to authenticate and restrict who reaches them, and
they contain some harrowing vulnerabilities.

Imagine a man-in-the-middle attack in which the attacker sits between the
plant's controllers and its operating console, feeding the console readings
that say operations are normal while the production line is being
sabotaged. This industrial control risk is compounded by businesses'
well-intended efforts to run lean, automate, and standardize processes and
to simplify complexity for operators: fewer people watch the process, and
those who do see only what the console shows them.

So what can CFOs do? They can ensure the company is considering measures
like vulnerability audits, backup power systems, manual overrides of
electronic controls, and even redundant IT systems that could take over in
the event of a cyber attack.

A few things you can do:

Get your IT, finance, and risk management teams together. Your IT group
knows all about the technology side of security, but it often has little
expertise in translating that into business risk. The parties need to
understand one another.

Determine what information security standard applies to your industry, and
base your cybersecurity framework on its practices. One source of standards
is the National Institute of Standards and Technology (NIST)'s Framework
for Improving Critical Infrastructure Cybersecurity; for industrial control
systems specifically, the ISA/IEC 62443 series addresses plant networks and
their components.

Review your insurance coverage to ensure that at least one policy (cyber,
crime, property, or liability) will respond fully to any successful cyber
attack. Pay particular attention to exclusions: a property policy may
exclude damage caused by a cyber event, and a cyber policy may exclude
physical damage, leaving a gap exactly where industrial incidents fall.

Identify and classify data based on business criticality, as well as on
sensitivity/confidentiality of data.

Identify critical assets and network access points at your facilities (both
physical and technological), and determine how access is controlled.
Prioritize actions to improve access control where needed.

Create a documented incident-response plan to prepare employees to respond
accordingly during cyber events. The plan needs to be part of a complete
risk management program, not just a document.

Test the plan. Tabletop simulation exercises can be a very effective means
of testing the adequacy of a plan and restoration time windows.

CFOs don’t need to be involved in all the details. But they do need to
champion a comprehensive view of cybersecurity. This leadership will help
make your company more resilient when the time comes.