Is the current attention to cybersecurity justified?
By Steve Mustard
Although I agree with some of the points that Dean Ford made in the Final Say column “Beware of the hype” in the May/June 2019 issue, I must disagree with the key message: “The cyberthreat is merely one of many threat factors to overall risk management, and it gets far too much attention.”
I agree that cybersecurity, like many new things, is something that gets pushed by sales teams eager for opportunities to sell their products and services. But is all that attention to cybersecurity justified? In the article, Ford states that if cybersecurity truly was a top-five biggest perceived threat to operations, “every utility would be budgeting lots of money to address it. That is not happening, and the more advanced utilities and companies are not wasting resources on it for very good reasons.”
In fact, advanced utilities and companies do invest heavily in cybersecurity. According to consulting and services firm Leidos, cybersecurity spending in 2018 by the oil and gas industry was $1.87 billion. Cybersecurity is a top-five risk for oil and gas supermajors, which take this risk so seriously that they fund a consortium called LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) to share best practices and research new solutions. LOGIIC is managed by the Automation Federation on behalf of the Department of Homeland Security. A typical oil and gas supermajor will fend off 50,000 cyberattacks every day, so it is no surprise that they invest so heavily in managing this risk.
It is true that some organizations do not take the cybersecurity threat seriously and do not invest in managing this risk. ISA’s training relating to the ISA/IEC 62443 standard goes to great lengths to dispel the common myths that result in a failure to address the cybersecurity risk. Still, the perception that the risk is overblown persists, not helped by articles like Ford’s.
One of the most common misunderstandings is that an organization needs to be a target to be affected by a cybersecurity incident. The WannaCry and NotPetya incidents of 2017 should dispel this myth once and for all. Both incidents swept up many organizations that were not specific targets. In the case of WannaCry, this included the U.K.’s National Health Service, Nissan, and Renault, all of which were forced to stop operations until the issue was resolved. In the case of NotPetya a few months later, it was Maersk and Merck & Co., amongst others. Recovery from the incident cost Maersk an estimated $300 million.
All the organizations affected were ill-prepared for a cyberattack. Most were running old Windows machines without critical patches, and none had incident response plans to cover such an attack.
I agree with Ford that “with a sound risk management and disaster recovery plan, you not only address cybersecurity incidents, but you also mitigate fires, theft, weather events, rogue employees, etc.” However, if such a plan is done properly, I doubt that cybersecurity will fail to be among the top risks it addresses.
According to Cisco, one in three organizations has experienced cyberattacks on operational infrastructure, but, according to IBM, only 38 percent of global organizations claim that they are equipped and able to handle a complex cyberattack. Although these figures are bad, many cyberincidents go unnoticed or unreported, so the situation is likely much worse.
It is true that a lot of risk reduction can be achieved with relatively low-cost activities. It is not necessary to invest in expensive tools and services to achieve a good risk posture. ISA’s whitepaper “Industrial Cybersecurity for Small- and Medium-sized Businesses” is a great place for any size organization to start its journey.
As ISA members, we need to do a better job of quantifying the cybersecurity risk to industry so that it is properly managed. There is no need for hype, but, at the same time, we should not underestimate it. For organizations, it is not a matter of if they will be impacted by a cyberattack, but when.