Cyber risk is business risk. Global companies have accepted this fact and are learning to deal with it (although some are quicker studies than others).
In critical infrastructure, cyber risk is not just business risk, but it is also a systemic risk that can threaten lives and the stability of nations. The dependence of households, businesses, and vital institutions on certain infrastructure has always made reliability of those components paramount. In critical infrastructure systems, dealing with physical risks such as natural disasters or component failure has always required robust mitigation and recovery plans. Today, however, ensuring this reliability requires a cybersecurity and resilience strategy that is just as carefully planned.
Furthermore, it is no longer enough for any one company to secure its own networks. Instead, combating cybersecurity risks in critical infrastructure requires signification cooperation between layers within companies, between companies across an ecosystem, and between companies and governments.
The idea that a computer vulnerability could cross the cyber-physical divide and impact the real world was once only theoretical. However, at least since 2007, when the “Aurora” experiment proved that cybersecurity risks in the utility industry are not constrained to the network domain, and certainly since 2010 when the Stuxnet virus was able to generate actual failure of physical systems, we have seen that this threat demands attention. Moreover, usage of new digital technologies to impart efficiencies into power grids and other infrastructure, enabling decentralized control has accelerated the pace at which our virtual and physical worlds are merging, thereby expanding the surface for malicious actors to exploit.
The only way to deal with this rapid expansion of the attack surface is to establish mechanisms to work together to solve critical cybersecurity issues. In order to successfully ensure cyber resilience in critical infrastructure, individuals, companies, and governments will need to cooperate more effectively.
Understanding and mitigating risk is a leadership responsibility. In most companies, it’s a responsibility that ultimately sits with the board of directors. However, thanks to the relatively novelty of cyber risk, most board members are woefully underprepared to set corporate strategy in the face of cybersecurity challenges, let alone foster the development of a security culture. That needs to change quickly.
Many corporate boards do not feel equipped to manage cyber risks with the same level of confidence that they manage other risks. Leading practices have not yet become part of the standard set of board competencies. This knowledge does, however, reside with technical managers.
This is why cooperation is the key to success. Manager of technical (IT and OT) functions must be much more prevalent in boardroom discussions. At the same time, boards, senior executives and technical managers have to come together to develop a common language (ideally a language that uses risk and business-focused rather than technology-focused terms) in order to understand each other and understand the risks they need to mitigate in order to achieve the benefits that technology can bring to the company.
"It is no longer enough for any one company to secure its own networks"
But even if an infrastructure company has the perfect security culture and has made security and resilience a component of its overall strategy, that company is still working in an ecosystem where cyber risk travels fast and spreads wide.US Secretary of Homeland Security, Kirstjen Nielsen, put it best at the RSA Conference in San Francisco in April of 2018, when she said, “Hyperconnectivity means that your risk is now my risk and that an attack on the ‘weakest link’ can have consequences affecting us all.”
Infrastructure systems are so complex that the organizations involved rely on countless partners to provide business critical components and services (everything from core operational assets and smart devices to legal and consulting services). Each of these partnerships require some level of systems interaction and may even involve the exchange of highly sensitive information. This only adds to a firm’s exposure as these partnerships create a broad, complex, and multidimensional ecosystem. Malicious actors can then exploit this multiplicity of new connections, vastly expanding vulnerabilities.
Therefore, leaders in these critical areas need to take an ecosystem-wide view and evaluate the role and impact that connected enterprises (producers, distributors, vendors, users, regulators, etc.) have on their cyber resilience strategy (and vice versa).
Whether the attacker is a terrorist, a criminal gang, or even another nation, states have historically born the sole responsibility for security within their borders. Thanks to digital networks and the internet, however, borders are now fluid, easily permeable, and the entirety of an attack surface may be in private hands. For this reason, especially where critical infrastructure is concerned, we need to develop a new logic of cooperation between public and private.
Effective cooperation requires a renegotiation and redefinition of roles and responsibilities. For the most part, cybersecurity obligations have been left to the private sector, implicitly in exchange for more limited regulation regarding how a firm goes about securing its networks (although it may not always seem more limited). Governments will need to step up their efforts to ensure more system-wide security while, at the same time, foregoing the creation of cyber weapons that can be turned against their own infrastructure. In order to better ensure overall security, companies must take a more constructive approach to working with regulators to foster greater security. If done thoughtfully and with input from all stakeholders, governments can incentivize security-by-default through smart and agile regulation working with the companies putting these technologies into place.
We need to all work together to proactively define and understand our shared responsibilities to protect the networks that underpin critical infrastructure. Otherwise, we may be left in a future state where no one understands their responsibilities, and no one takes responsibility, until it's too late.