4 Steps to Create a Strategic Investment in Industrial Cybersecurity

Gary Kong
5 min read · Oct 6, 2021
Photo by Karen Laårk Boshoff from Pexels

Cybersecurity is a Business (and Safety) Issue

I believe most cybersecurity professionals, myself included, find it challenging to lead business owners to recognise the value of cybersecurity.

I had a discussion with the CEO of a water treatment plant during a recent risk management training. He was already aware that a cybersecurity incident could take the process control system down and disrupt plant operation. However, he thought that cybersecurity had nothing to do with the water treatment process itself.

I shared with him the breach at a Florida water treatment plant in early 2021. After gaining access to the control system through remote access software, the attacker raised the sodium hydroxide (NaOH) setpoint to a dangerous level; an operator noticed the change and reverted it before it reached the water. Towards the end of our conversation, the CEO began to see that a cyberattack can reach the treatment process itself, with consequences for public safety as well as loss of productivity and profit.

In this article, we will discuss four steps to create a strategic investment in industrial cybersecurity that brings value to the business with a better Return on Investment (ROI).

Step 1: Prepare for the Worst

The first step in deciding whether you need cybersecurity is to think through the worst-case scenarios: the consequences for your industrial processes and Industrial Control System (ICS) if they are disrupted (availability), modified (integrity) or disclosed (confidentiality). For a water utility, for example, the consequences include tank overflow, water pump burnout and raw sewage released into the river.

You can then estimate how much you would need to spend when these hidden costs, unplanned downtime and quality losses hit your production environment. Would you sacrifice your employees' annual bonus to recover from the incident? According to the IBM Cost of a Data Breach Report 2021, the average total cost of a data breach is $4.24 million. That figure covers data breaches across all industries; for an ICS incident the cost is driven by the physical consequences above, so estimate it from your own scenarios rather than from the industry average.

Step 2: Gain Situational Awareness

There are numerous cybersecurity products on the market, covering different scopes of cybersecurity, and all of them sound very important for protecting our businesses. But before you purchase any of them, have you first found out what you really need?

Let us articulate a risk scenario based on the Florida incident mentioned earlier:

“A malicious hacker on the Internet gained remote access to an operator workstation through remote access software and a shared password, and raised the amount of sodium hydroxide in the water to a potentially fatal level.”

Looking at this scenario, if we enforce a password policy (no shared accounts, unique credentials per user and multi-factor authentication for remote sessions) and allow only authorized and approved users to reach the operator workstation remotely, we reduce the risk significantly without introducing a new cybersecurity product. Reviewing and securing the configuration we already have can still reach our target cybersecurity level.

If you don’t know your problems, you can’t address them with relevant measures. The risk scenarios constructed during a detailed risk assessment give you a better understanding of the cybersecurity shortcomings in your existing production environment that would otherwise stay outside your view. With visibility into these blind spots, you can develop an action plan that addresses the cybersecurity risks more effectively.

Photo by Mikhail Nilov from Pexels

Step 3: Begin with the End in Mind

Before buying the next cybersecurity product for your production environment, first review your existing cybersecurity risks to establish cost-effective security controls and to avoid overspending on redundant or unnecessary features from multiple products.

These security controls can also be consolidated into a list of cybersecurity requirements and used as your benchmark for system design and validation in industrial project implementation. A benchmark customized this way is more relevant and applicable to your environment and projects than any generic checklist from the Internet. It also gives you the opportunity to improve your cybersecurity operational efficiency, and your technical team will understand the reason behind every cybersecurity action they carry out.

You can also use it to hold your vendors to a quality bar and prevent them from introducing new entry points for attack into your production environment. Only when requirements are clearly defined for vendors will you avoid being surprised by bad configurations, such as firewalls installed with default passwords, security features left turned off, or other cybersecurity “holes”, during an audit or after an incident.
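As an added example (not code from the article), the Python script below shows how such a requirements benchmark can be made machine-checkable and run against a vendor's delivered configuration before acceptance at commissioning. The requirement IDs, the inventory schema and the three device entries are constructed for illustration; in practice the inventory would be exported from the real devices.

```python
"""Check a vendor-delivered device inventory against a site requirements benchmark.

Added example, not the article's code. Requirement IDs, the inventory schema and
the device entries are constructed for illustration.
"""

# Each requirement: (id, device types it applies to, description, check).
# Checks use dict.get with fail-closed defaults: a field the vendor did not
# report is treated as non-compliant rather than silently passing.
REQUIREMENTS = [
    ("REQ-01", {"firewall", "workstation", "hmi"},
     "Vendor default credentials replaced",
     lambda d: d.get("default_credentials", True) is False),
    ("REQ-02", {"firewall"},
     "Security logging enabled and forwarded to a syslog collector",
     lambda d: d.get("logging_enabled", False) and bool(d.get("syslog_target"))),
    ("REQ-03", {"workstation", "hmi"},
     "No shared accounts usable for remote access",
     lambda d: not d.get("remote_access_enabled", True)
               or not d.get("shared_accounts", ["unknown"])),
    ("REQ-04", {"workstation", "hmi"},
     "Remote access requires multi-factor authentication",
     lambda d: not d.get("remote_access_enabled", True)
               or d.get("mfa_required", False) is True),
    ("REQ-05", {"firewall"},
     "Management interface not reachable from the process network",
     lambda d: d.get("mgmt_from_process_network", True) is False),
]

# Constructed inventory, as a vendor might hand it over at commissioning.
INVENTORY = [
    {"name": "fw-01", "type": "firewall", "default_credentials": True,
     "logging_enabled": False, "syslog_target": None,
     "mgmt_from_process_network": True},
    {"name": "ows-01", "type": "workstation", "default_credentials": False,
     "remote_access_enabled": True, "shared_accounts": ["operator"],
     "mfa_required": False},
    {"name": "hmi-01", "type": "hmi", "default_credentials": False,
     "remote_access_enabled": False, "shared_accounts": [], "mfa_required": False},
]


def evaluate(inventory):
    """Return a list of (device, requirement id, description) for every failed check."""
    findings = []
    for device in inventory:
        for req_id, applies_to, description, check in REQUIREMENTS:
            if device.get("type") in applies_to and not check(device):
                findings.append((device["name"], req_id, description))
    return findings


def accept(inventory):
    """Acceptance gate: True only when no requirement fails on any device."""
    return not evaluate(inventory)


if __name__ == "__main__":
    for device, req_id, description in evaluate(INVENTORY):
        print(f"FAIL {device:8} {req_id}: {description}")
    print("accepted" if accept(INVENTORY) else "rejected: fix findings before commissioning")
```

Run on the constructed inventory, the firewall fails three requirements (default credentials, no logging, management reachable from the process network) and the operator workstation fails two (shared remote account, no MFA), so the delivery is rejected before it is commissioned rather than discovered during an audit. The fail-closed defaults matter: a vendor who omits a field from the handover gets a finding, not a pass.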

“If you think good architecture is expensive, try bad architecture.”
— Big Ball of Mud, Brian Foote and Joseph Yoder

Step 4: Investing, not Gambling

Cybersecurity risks can be costly to mitigate after project implementation. Considering cybersecurity only at the commissioning stage often results in an ineffective industrial project. A change to the production environment at that point, such as installing an endpoint or network security solution, can affect productivity, operational efficiency and even cybersecurity itself, especially when the change is not properly tested and managed.

Return on Investment (ROI) is calculated by comparing the cost of the cybersecurity incidents we avoid with the cost we spend on the cybersecurity implementation that protects against them. To invest wisely, make sure the coverage of your cybersecurity implementation can both protect the business from cyberattacks and resume operations after one, at a lower and more reasonable cost.
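As an added example (not code from the article), the Python below carries the ROI comparison through for the water treatment scenarios from Step 1 and Step 2 and ranks candidate controls. It uses annualised loss expectancy (ALE = single loss expectancy x annual rate of occurrence) and return on security investment (ROSI = (loss avoided - control cost) / control cost), standard quantitative risk terms the article does not name; every cost, frequency and risk-reduction figure is constructed for illustration and would come from your own risk assessment.

```python
"""Rank candidate ICS security controls by return on security investment (ROSI).

Added example, not the article's code. Uses ALE = single loss x annual rate and
ROSI = (loss avoided - control cost) / control cost; all figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    single_loss: float   # cost of one occurrence, from the Step 1 consequence analysis
    annual_rate: float   # expected occurrences per year with today's configuration


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # licences, maintenance and staff time per year
    reductions: dict     # scenario name -> fraction of that scenario's ALE removed (0..1)


# Constructed scenarios for a water treatment plant.
SCENARIOS = [
    RiskScenario("remote access abused to change the NaOH setpoint", 2_000_000, 0.10),
    RiskScenario("ransomware on the HMI causes unplanned downtime", 500_000, 0.30),
    RiskScenario("modified setpoints burn out a water pump", 150_000, 0.20),
]

# Constructed candidate investments; the first is configuration work, not a product.
CONTROLS = [
    Control("remove shared accounts, unique credentials + MFA for remote access", 20_000,
            {"remote access abused to change the NaOH setpoint": 0.8,
             "modified setpoints burn out a water pump": 0.3}),
    Control("network monitoring appliance", 150_000,
            {"remote access abused to change the NaOH setpoint": 0.4,
             "ransomware on the HMI causes unplanned downtime": 0.5,
             "modified setpoints burn out a water pump": 0.4}),
    Control("endpoint protection on HMIs", 40_000,
            {"ransomware on the HMI causes unplanned downtime": 0.6,
             "modified setpoints burn out a water pump": 0.1}),
]


def ale(scenarios, control=None):
    """Annualised loss expectancy, optionally after applying one control."""
    total = 0.0
    for s in scenarios:
        reduction = control.reductions.get(s.name, 0.0) if control else 0.0
        total += s.single_loss * s.annual_rate * (1.0 - reduction)
    return total


def rosi(scenarios, control):
    """Return on security investment; negative means the control costs more than it saves."""
    avoided = ale(scenarios) - ale(scenarios, control)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(scenarios, controls):
    """Controls sorted best first as (rosi, name); a negative ROSI is a gamble, not an investment."""
    return sorted(((rosi(scenarios, c), c.name) for c in controls), reverse=True)


if __name__ == "__main__":
    print(f"ALE before controls: ${ale(SCENARIOS):,.0f}")
    for score, name in rank_controls(SCENARIOS, CONTROLS):
        print(f"ROSI {score:6.2f}  {name}")
```

With these constructed figures the configuration work from Step 2 ranks first: it removes most of the highest-consequence scenario for a fraction of the price of a product. The monitoring appliance covers every scenario but ranks last, because its annual cost almost equals the loss it avoids. Replace the numbers with the ones from your own risk assessment before drawing conclusions; the ranking, not the absolute figures, is what guides the investment decision.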

Key Takeaways

  1. Prepare for the worst-case scenarios: find out the consequences for your industrial processes and Industrial Control System (ICS) if they are disrupted, modified, or disclosed, and the cost of recovering from them
  2. Gain situational awareness from a detailed risk assessment so that you address cybersecurity risks effectively with cost-effective security controls
  3. Start with a benchmark for system design and validation to improve your cybersecurity, operational efficiency and vendor quality
  4. Understand the coverage of your cybersecurity implementation and mitigate cybersecurity risks before project implementation for a better Return on Investment (ROI)


Gary Kong

Helping #IndustrialAutomation Leaders gain more VISIBILITY to #cybersecurity BLIND SPOTS | Linkedin: http://www.linkedin.com/in/gary-kong-cybersecurity