Cyber Security for the Proactive Board
December 20, 2021 | Robert Bergman
As industrial cyber security and critical infrastructure breaches mount, chief information security officers (CISOs), IT directors, heads of engineering and others who lead cyber security initiatives are being called on to present their situation and solutions to their boards. A recent study conducted by the Ponemon Institute suggests that this may still be the exception rather than the rule.
The Ponemon Institute surveyed 603 IT security and OT security practitioners at the C-level, managerial and director level in the United States, all of whom were familiar with cybersecurity initiatives and ICS and OT security practices within their organizations. Only 35 percent of respondents reported directly to the Board of Directors. Of them, 41 percent say they report only when a security incident occurs while 59 percent report annually, bi-annually or quarterly. OT risk assessments and changes to the ICS and OT threat landscape were the topics of more than half the reports, with vulnerabilities and protection practices covered by just under half of the respondents.
“If management executives, the Board and the IT teams aren’t sharing the same information, it will be nearly impossible for companies to stay ahead of fast-evolving cyber threats,” writes Matthew Scott, commenting on the study in Chief Executive magazine. Scott recommends that boards “conduct a comprehensive review of the cyber security measures currently being implemented by all IT teams” and create a cybersecurity or IT committee that reports to the Board or appoint a cybersecurity expert to the Board.
In its recent report, The Changing Role of the Board in Cybersecurity, Deloitte suggests the following additional steps the Board might take:
Adopt a cybersecurity framework
Deloitte recommends that boards consider adopting the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST).
“Most cybersecurity strategies have moved from the flawed Castle-and-Moat security model to a Zero-trust model, as the world perimeter becomes non-existent in this cloud dominated, mobile-driven, and work from anywhere world. The Board should be up to date on these changing cybersecurity models and strategies so that they can make more informed decisions when a cyberattack takes place,” they write.
Take a holistic enterprise-level security approach
The Deloitte authors call for proactive enterprise-wide security solutions, focusing on the overall cyber resiliency of the organization. This includes ensuring that third parties such as business partners, contractors and other vendors who interact with the organization also maintain an acceptable level of cybersecurity. Also, as industrial systems become more digital as part of Industry 4.0, they call for attention to IT/OT integration.
Protect the crown jewels
“With the advent of advanced adversaries, there will always be gaps in cybersecurity controls, which makes it impossible to protect everything. The best practice is to look at key assets or crown jewels (which may differ from one organization to another according to industry-based regulations) and have risk or value-based governance mechanisms around it,” write the authors of the Deloitte report cited above.
Certainly, for oil & gas, energy, water and other key infrastructure components, those crown jewels are the automation systems that impact production, safety and sustainable operations.
Create cyber talent
The Board can also help ensure that the management has the requisite skills, resources, and approaches in place to reduce the likelihood of a cyberattack and mitigate any damages that may occur. Per Chief Executive magazine’s Matthew Scott, this might include separating IT and information security teams and having cyber experts on the Board.
“A cyber expert will also be able to understand the overall cyber landscape and probe the organization’s cyber compliance posture. While talking to the management about talent, it is also imperative for the Board to ask about Human Layer Security (HLS), which is often overlooked.”
Robust reporting mechanisms
Deloitte further recommends quarterly or bi-annual reporting, as well as cyber gaming exercises that can help the Board to identify possible vulnerabilities and measure the overall resilience of the system.
Turning the tables
How cyber security is presented to the Board is also critical in eliciting support for cyber security initiatives. Here are some tips for anyone who must present cyber security to the Board.