Cyber risk management is increasingly becoming a focal point for large industrial facilities, where operational technology (OT) plays a vital role in controlling equipment and automation. As cyber threats evolve, the financial implications of attacks can wreak havoc on even the most prepared organisations. This shift is prompting an urgent reevaluation of responsibilities concerning OT security and the role of Chief Operating Officers (COOs) within businesses.
The complexities of cybersecurity in this context are outlined in a recent report by Cybersecurity Insiders, which highlights a noticeable gap between Chief Information Security Officers (CISOs) and OT managers regarding who is responsible for overseeing the security of specific systems and devices. Vulnerabilities in equipment could potentially allow for malware installations that compromise not just OT systems but adjacent network communications and safety mechanisms.
The potential for sabotage is also present. Threats can manipulate controls to damage hardware, mislead operators by interfering with data, or even shut down machinery, leading to significant business interruptions. With such an intricate web of risks, the expectation is that risk-based OT security will become mainstream in the coming year, particularly among COOs who are tasked with maximising operational production.
As the principal decision-maker on spending related to operations, maintenance, and reliability, the COO must assume a greater role in cybersecurity discussions. The COO's pivotal position in the organisational hierarchy suggests that complacency regarding OT cyber risk could lead to increased vulnerabilities, especially if they choose to defer necessary upgrades to legacy systems, mistakenly believing that such risks are manageable.
In mature organisations, there may be a clearer delineation of responsibilities, with cyber concerns falling under the purview of the CISO or Chief Information Officer (CIO). However, in many cases, Engineering, Controls, and other OT teams remain isolated from IT departments, further complicating the cybersecurity landscape. The ascending importance of the COO in these discussions signals a need for cohesive management over cybersecurity risks.
The publication also emphasises the often-overlooked relationship between physical and cybersecurity. Traditionally considered separate disciplines, experts increasingly recognise that improved physical security can mitigate many cyber risks and vice versa. As the methodology for assessing risks evolves, the categorisation of physical access as a potential cyber-attack vector is anticipated to become standard practice.
Another element influencing COO decision-making is the pressure from cyber insurance providers who are mandating better cyber risk management practices among enterprises. Over the past five years, basic cybersecurity measures such as network backups, multi-factor authentication, and comprehensive employee training have become prerequisites for cyber insurance coverage. This trend is expected to intensify as industrial sectors, including manufacturing and energy, continue to experience cyberattacks.
Approaches to impact-based risk assessments are becoming essential in this landscape. These assessments estimate potential financial losses due to cyber events, providing a clearer understanding of the operational disruptions and associated costs that threats pose. Communicating cybersecurity in financial terms offers COOs a more tangible rationale for justifying investments in mitigating measures, aligning them with their profit-and-loss responsibilities.
Looking ahead, the integration of digital twins and artificial intelligence (AI) is expected to transform how organisations address cyber risks. By creating digital representations of their operational ecosystems, businesses can simulate various scenarios, improving their readiness and resilience against cyber threats.
Despite these advancements, challenges remain. Companies continue to grapple with human factors such as training staff to recognise AI-enabled phishing attempts and ensuring that partners uphold adequate cybersecurity standards. Problems can also arise from ineffective onboarding processes for contractors and acquiring companies that lack basic cyber hygiene.
To navigate these multifaceted risks, it is imperative that cyber risk management for OT facilities is informed by a thorough evaluation of the potential severity of incidents, ensuring that financial priorities are set accordingly. In doing so, organisations can model damages from cyberattacks and engage in proactive cyber risk management, ultimately bolstering their cybersecurity investment decisions in a rapidly evolving landscape.
Source: Noah Wire Services