Justifying Industrial Site Cybersecurity Investments to your CEO
Strategies for Funding Cybersecurity Initiatives
Plant managers often struggle to convince their CEOs to fund ongoing cybersecurity investments. Their requests for funding face low odds of success for two main reasons. First, cybersecurity requirements are often defined as short-term finite projects to be funded during the current budget cycle as opposed to being positioned as long-term investments necessary for conducting business. Such an approach makes it difficult to come back the second year to request additional funding (“I thought we funded this project last year!”) Cybersecurity is an evolution and protection has to be kept up to date on an ongoing basis or else the initial investment is wasted. Investments in cybersecurity need to become a regular line budget item. Then cybersecurity should imbed itself in business process, much in the same way total quality management (TQM) projects did 20 to 30 years ago.
Second, plant managers fail to link their proposal to business benefit. C-suite executives express frustration that such proposals from plant personnel lose them in detailed technology discussions surrounding firewalls, complex authentication practices, DMZs and perimeters. Instead, CEOs look for how suggested cybersecurity investments can provide savings, competitive advantage, or faster time to market.
Address executive fears and review what is at stake
As a first step, executives need to be presented with a succinct description of the cybersecurity situation. From fiscal year 2011 to fiscal year 2014, the number of cyber incidents involving industrial control systems, including building and access control systems, rose from 140 incidents to 243 incidents, a 74% jump. It is projected that such threats will continue to grow in scope and frequency.
The sources of threats include not only invisible hackers that are patrolling the internet in search of soft targets, but also internal employees and outside suppliers that come into the industrial sites. Theweakest links are the people who administer and use the systems. Their actions, either intentional or unintentional, can increase the security risk to systems.
made it easy to penetrate the control environment. As a result,
the concept of ‘inherent’ security doesn’t exist anymore
Dr. Peter Martin, Vice President and Fellow, Schneider Electric
Cyber-attacks already are costing companies worldwide an estimated $300-400 Billion each year and that number is projected to increase sharply. Plant managers would greatly help executives by quantifying the business’s financial exposure should a cyber-attack result in unanticipated downtime. Some large industrial companies estimate their cost of downtime at $360 Million a day. In addition, when a plant shuts down unexpectedly it takes 3 to 4 days to get everything started up again. These are sobering lost revenue numbers.
Another potential concern among executives is the amount of money it will cost to upgrade existing systems in order to render them cyber secure. Most industrial sites rely on a control system architecture that dates back 30-40 years. Executives foresee that it will cost them millions of dollars to rip out these productive, yet aging systems.
However, this costly and abrupt scenario of “rip and replace” is avoidable, if a proper cybersecurity strategy is implemented. The immediate point is that inaction is not an option. Cybersecurity in now a cost of doing business. The question is, what is the optimal approach?
Older systems may not need advanced protection
As of 25 years ago, industrial sites did not need cybersecurity. Although computers and connectivity were prevalent, no mature internet existed. Industrial systems were inherently cyber secure because there was no way for outsiders to get into them.
The advent of the Internet and devices like thumb drives created the need for development of more robust security policies. The added connectivity made it easy for outsiders to penetrate the control environment. Therefore, over time, the inherent security of control systems became more and more exposed. However, an assessment or audit of the installed base of equipment can determine which systems are still both highly productive and inherently secure. Such system can be left alone until the day it is determined that those particular systems will be more productive as connected systems.
their job easier has increased. It now doesn’t take a lot of
knowledge to take advantage of a situation and deploy a
- Michael Pyle, Vice President, CSO Product Cybersecurity Center,
Architecture & Innovation, Schneider Electric
The double-edged sword of connectivity
Executives should be made aware that cybersecurity threats grow in proportion to the expansion of connectivity. A lack of digitization and the related connectivity can cut into production efficiency gains. For example, it is projected that the flood of Industrial Internet of Things (IIoT)-enabled smart devices will facilitate information exchanges among control systems resulting in efficiency gains of up to 26 per cent. On the other hand, failure to enforce cybersecurity best practices, that are made necessary because of the efficiency fueled connectivity, will result in increased downtime, and increased threats to human and process safety.
The happy medium is increased digitization and connectivity (in order to stay competitive and grow revenues) with a sufficient degree of cybersecurity (and this sufficient degree differs within each company and within each industry).
An initial strategy is to build firewalls to keep outsiders from coming into the corporate network and getting into the control system. This will work in environments where entry points into the system are somewhat limited. However, in an IIoT world, cybersecurity will need to be built into every control system hardware and software component, protecting every node that has computing capability.
Gradual approach to strengthening cybersecurity infrastructure
Responsible control systems manufacturers and now designing cybersecurity into every module they build and deliver so that clients don’t have to concern themselves with building in cybersecurity after they purchase a new product.
Manufacturers like Schneider Electric, for example, apply a Secure Development Life Cycle (SDL) approach to products such as their new Achilles Level 2 Certified M580 PLCs. Within the context of SDL, secure architecture reviews are performed, threat modeling of the conceptual security design takes place, secure coding rules are followed, specialized tools are utilized to analyze code, and security testing of the product is performed. These actions help to ‘harden’ products, making them more resilient against cyber-attacks. In this way, as new products replace old, entire systems evolve to become more cyber secure.
compliance, are big drivers for having companies expand their
levels of cybersecurity"
- Gary Williams MSc ITSEC, Senior Director Technology,
Cybersecurity & Communications, ISO27001 Lead Auditor, Schneider Electric
Suggested initial investment
A prudent first step is to present the CEO with a plan for evaluating the cybersecurity state of affairs within the organization. By enlisting a reputable, experienced control system cybersecurity expert, cybersecurity architecture, design, and implementation plans can be formulated based on existing assets. By identifying the various assets and the criticality of those assets, issues such as standards and compliance can be addressed and an architecture can be designed that protects both new and older assets.
For related information, click on any of the links below:
• [White paper series] Preparing for the IIoT, exploring the impact
• Optimizing profitability in the connected enterprise