In 2013, the United States’ National Institute of Standards and Technology (NIST, Gaithersburg, MD, nist.gov) was tasked with developing a framework that would become an authoritative source for cybersecurity best practices. Other countries have similar standards or are actively working on versions. In some places, such as France, these standards carry the weight of law.
According to Andrew Kling, director of Cybersecurity and Software Practices for Schneider Electric (schneider-electric.com, Andover, MA), the standards that emerged from the NIST framework established an ordered, structured approach to addressing cybersecurity challenges and helped translate vague, fear-based concerns into commonsense risk analysis, risk-tolerance assessment, and risk avoidance.
“Confronting the cybersecurity challenge as part of a focused risk-management program,” Kling noted, “allows an organization to take on one of the biggest threats to its ability to deliver shareholder value. For plants to operate profitably, they must protect the reliability of their assets and operations. Cybersecurity attacks threaten their reliability, which in turn jeopardizes their ability to turn a profit.”
He explained that, while the set of core cybersecurity practices necessary to manage cyberthreats is well known, there are still barriers to adoption. For the most part, these obstacles stem from an improper understanding of the risks at hand, and of an organization’s ability to resist them.
Consequently, despite regulatory and risk-management incentives, Kling said finding companies that effectively address cybersecurity is rare. To his way of thinking, it’s time to change the conversation away from the fear of a cyber attack to something understood in all boardrooms: How do cyber attacks threaten the reliability of plant assets and operations, and their ability to contribute to the bottom line?
This requires managers to know and understand their plants’ cybersecurity positions and appetites for risk. This information helps them recognize where they currently stand in managing cyber risks and how large a gap remains to close. Here’s where a strategy to improve an operation’s cybersecurity readiness through comprehensive security-risk management pays off.
What’s an operation to do? Andrew Kling points to these specifics:
• Discuss and understand your risk-management plan and objectives (which usually means protecting your ability to produce).
• Locate responsibility for risk management in your organization so that decision making, execution, and incident response are efficient and successful. Assess your risk-management workflows.
• Ascertain the value of your manufacturing processes and assets to your organization and potential attackers. Basically, you need to calculate your security risk. For example: If the plant were to go down for a day due to a cyber attack, loss of production would equal $X.
• Model the cyber-threat landscape. Analyze threats specific to your industry and your plant. Remember that threats are constantly evolving as new skills, techniques, and tools emerge. You might need expert help.
• Determine where security-risk-management functions should integrate into your organization’s infrastructure. These functions can take many forms, i.e., risk avoidance, mitigation, acceptance, and/or transference.
• Construct a cybersecurity plan that lets the organization respond to an evolving threat landscape. Analyze alternatives to the plan and rank its elements by their effectiveness in reducing risk.
• Prioritize and execute the plan to manage your organization’s cyber risks.
• Keep in mind that program elements, such as bug patching and threat monitoring, are continuous. A cybersecurity risk-management plan isn’t a single event, but a continuous operation.
In short, have a plan, execute it, measure its effectiveness, and, if necessary, adjust it. Taking these simple steps to manage your cybersecurity risks can have a significant impact (in a good way) on your bottom line. MT
—Jane Alexander, Managing Editor