Organizations Must Establish a Culture of Resilience With Strategies That Are Independent, Measurable and Usable
Today, the digital world is propelling connectivity and data growth to new heights. While their associated capabilities and information can give organizations a competitive advantage, these ever-evolving technologies can also expose critical infrastructure sectors to new threats that require cybersecurity mitigation measures.
For more than a decade, regulatory requirements — such as North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP) for the power industry — have established basic guidelines for criteria such as cybersecurity, reliability of operations and the like. However, the basic guidelines established through regulatory standards are just that: base guidelines, neither prescriptive nor comprehensive. For example, industrywide challenges resulting from the coronavirus pandemic were not taken into account when these baseline standards were originally developed years ago.
Base guidelines are a mere subset of what skilled risk managers consider adequate cyber resiliency and risk management. Undoubtedly, there is a gap between what is mandated from a regulatory perspective and what is required to meet minimal viable risk mitigation needs for an organization.
Although perhaps too shallow, regulatory guidelines at least ensure that some level of risk mitigation is implemented. By comparison, nonregulated industries are frequently assessed to be in even worse shape. Over the same time frame of roughly a decade, we’ve observed that, in the absence of an established regulatory baseline, organizations in nonregulated sectors frequently see cybersecurity purely as a cost or perhaps even a surcharge. Consequently, they often choose to forgo investment in cybersecurity mitigations. This means these organizations have little to no cyber risk management in place to fend off cyber-related incidents or instill a level of resiliency. In an age when the threat landscape continues to rapidly expand, cyber resiliency represents a fundamental building block for businesses. A lack of cyber resiliency puts these businesses at risk like never before.
Companies must instill a culture of resilience in which security improvements are emphasized as a fundamental component of an organization’s individual corporate culture, and risk-based approaches become the norm. A culture of resilience can establish a set of values and a sense of responsibilities that contribute to protecting company assets and operations from security threats.
Perhaps more importantly, these values and responsibilities go above and beyond regulatory requirements, seeing that reasonable cyber resiliency is achieved. With a culture of resilience, cybersecurity becomes everyone’s responsibility.
Meeting Baseline Regulatory Requirements Is No Longer Enough
Given the ever-expanding and intensifying threat landscape, organizations are confronted with an onslaught of threats to their success. Unlike in information technology environments, where the focus remains on data security, cyber incidents within operational technology environments tend to come at a significantly higher impact, cost and consequence — usually involving direct impacts to organizational operations or worker safety.
Even before the coronavirus pandemic, the current threat level to the North American energy sector was assessed as “high,” and it is expected to remain at that level as the number of detected intrusions continues to rise. Successful intrusions can lead to integrated-system disruptions, such as to operational systems used for situational awareness and energy trading, or can have a more localized impact, such as loss of visibility, control, measurement, safety and mechanical or electrical systems. Organizations with zero security or minimal security are easy targets for would-be attackers.
Given the fiduciary requirements bestowed upon CEOs, CFOs and boards of directors for organizations, it is critical that regulated organizations recognize the importance of cyber resilience, and that they avoid settling with a compliance culture. In this context, a compliance culture is characterized by a workforce focused solely on meeting baseline regulatory requirements, nothing more. Organizations must do more than simply conduct compliance checks and file their safety and regulatory documents properly. It is the security professional’s responsibility to level with executive leadership and convey what is at stake, as well as what must be done to mitigate anticipated risks while simultaneously improving organizational resiliency.
Establishing a Culture of Resilience
A culture of resilience is attainable through the deployment of proactive strategies, including:
• Defining and implementing a minimum viable security standard.
• Investing in training and awareness programs.
• Establishing and tracking incentives for attainment.
• Implementing proper change management programs.
By establishing a culture of resilience, best practices become independent, measurable and usable. Cyber and organizational resiliency both become a top priority for the organization. Stakeholders can sleep better at night knowing the organization remains vigilant in its focus on eliminating risks to its success.
Regulatory standards and compliance cultures may improve non-incident performance for companies, and that is not a bad thing. But in today’s environment, the only way to implement cyber resiliency is to improve incident preparedness and performance, whether the incident represents a cyber-related incident or otherwise. That is how we mind the gap, and it is the difference between performing well in good times and performing well regardless of external circumstances.
Minding the Gap
There are recent market developments that may positively impact the gap between regulatory requirements and adequate risk management. On June 18, 2020, we learned the Federal Energy Regulatory Commission (FERC) is considering a shift in its strategy to incentivize utilities that are striving to close the proverbial gap. One of the top approaches FERC has noted would align with National Institute of Standards and Technology (NIST) standards as opposed to NERC standards.
This would be a significantly positive development, giving utilities a much better understanding of security mitigation measures that matter most. Historically, these types of changes have not been taken lightly and typically take quite a long time to be ratified and implemented. As a result, asset owners, whether in regulated or non-regulated industries, should not wait for action to be taken by FERC. Instead, by taking risk management into their own hands, organizations can take the steps needed to protect the health and vitality of the business.
Learn More About ICS Security and Resilience at SecurityWeek’s 2020 ICS Cyber Security Conference: October 19-22, 2020