A couple weeks back, our colleague Rick Kaun wrote a blog on why he believes (counter to Dale Peterson's perspective) that achieving NIST CSF maturity begins with a robust asset inventory.
This debate took on new meaning last week as one of our clients debated how to prioritize their OT cyber security spend given the COVID-19-driven economic downturn. No longer was the debate theoretical. It had real dollars, cents and impact behind it.
Many companies are currently struggling with how to reassess and reprioritize their planned budgets for 2020 and 2021. The government shutdowns created a dramatic decline in demand for most industrial goods – from power to chemicals to automotive. The entire oil and gas industry is experiencing a lull, worse than what we saw during the financial crisis of 2008.
Certainly, there are some industries doing well – some food companies, some pharmaceutical/biotech/medical equipment companies, etc. But, in general, the crisis forces difficult choices to prioritize an amount that was already likely too low for the threat posed.
This cost pressure comes at an awkward time, when the risks are likely increased. The rise in work-from-home mandates creates more risk to IT systems, which are responsible for 90% of ICS attacks.
Further, reduced staffing at plants creates an additional need for remote access to critical systems, adding risk to what were often seen as “air-gapped” systems (although few were actually air-gapped).
So, how should leadership teams prioritize protection options against all of the possible threats they might encounter? What initiatives should rise to the top as cuts happen? What should security teams focus on protecting to ensure the most return on their investment?
It is important to note upfront that there is no single answer to these questions for prioritizing this year’s spending. Organizations have different starting points, different tool kits, and different risk factors. However, when trying to answer this question, we have found it helpful to refer to the following framework to guide the prioritization effort.
Ensure funding to support personnel to maintain and operate security already deployed.
Over the past several years, many organizations began investing in OT cyber areas such as segmentation, application whitelisting, and potentially perimeter network monitoring.
We often find that when cyber budgets are threatened, the human resources necessary to maintain the security enabled by these prior investments are the first to be cut. For instance, network segmentation is only as good as the rules in the firewalls that enforce it.
In times of stress, and especially where there is greater need for remote connectivity, these rules somehow get adjusted for a temporary need and are never reset to their original secure state. The cheapest form of security is the one you’ve already invested in.
The bottom line: Ensuring the prior investments and successes remain successes is the best starting point for any budget discussion.
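The firewall-rule drift described above is easy to catch if someone is funded to look. The following Python script is an added example (not code from the original post or its authors) that compares the live rule set of a plant boundary firewall against the approved baseline, separates rule changes into unapproved additions, approved temporary exceptions that have passed their expiry date, and baseline rules that have gone missing. The rule sets, the temporary remote-access exception and its expiry date are all constructed sample data; a real deployment would load them from the firewall's exported configuration and the change-ticket system.

```python
"""Detect drift between an approved OT firewall baseline and the live rule set.

Added example with constructed data; not a vendor tool or the post's own code.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    """One firewall rule, normalized so identical rules compare equal."""
    src: str      # source address or CIDR ("any" for unrestricted)
    dst: str      # destination address or CIDR
    port: int     # destination port, 0 for "any"
    proto: str    # tcp / udp / any
    action: str   # allow / deny


# Constructed sample: the approved baseline for the IT/OT boundary firewall.
BASELINE = {
    Rule("10.1.0.0/16", "10.50.0.10", 443, "tcp", "allow"),   # historian in the DMZ
    Rule("10.1.0.5", "10.50.0.0/24", 3389, "tcp", "allow"),   # jump host into the OT network
    Rule("any", "10.50.0.0/24", 0, "any", "deny"),            # default deny into OT
}

# Constructed sample: what is actually running today. One rule was added
# during the lockdown to let a vendor in from anywhere.
CURRENT = {
    Rule("10.1.0.0/16", "10.50.0.10", 443, "tcp", "allow"),
    Rule("10.1.0.5", "10.50.0.0/24", 3389, "tcp", "allow"),
    Rule("0.0.0.0/0", "10.50.0.0/24", 3389, "tcp", "allow"),  # vendor remote access
    Rule("any", "10.50.0.0/24", 0, "any", "deny"),
}

# Constructed sample: temporary exceptions that were approved with an expiry date.
EXCEPTIONS = {
    Rule("0.0.0.0/0", "10.50.0.0/24", 3389, "tcp", "allow"): date(2020, 4, 30),
}

UNRESTRICTED_SOURCES = {"any", "0.0.0.0/0", "::/0"}


def drift(baseline, current):
    """Return rules present in the live set but not the baseline, and vice versa."""
    return {"added": current - baseline, "removed": baseline - current}


def is_overly_broad(rule):
    """An allow rule reachable from any source is worth a second look regardless of approval."""
    return rule.action == "allow" and rule.src in UNRESTRICTED_SOURCES


def findings(baseline, current, exceptions, today):
    """Classify drift into the categories an operator should act on."""
    d = drift(baseline, current)
    unapproved = {r for r in d["added"] if r not in exceptions}
    expired = {r for r in d["added"] if r in exceptions and exceptions[r] < today}
    broad = {r for r in d["added"] if is_overly_broad(r)}
    return {
        "unapproved": unapproved,   # nobody signed off on these
        "expired": expired,         # approved, but the exception window has closed
        "broad": broad,             # allow-from-anywhere rules, approved or not
        "removed": d["removed"],    # baseline protections that have disappeared
    }


def report(result):
    """Render findings as lines suitable for a ticket or a daily e-mail."""
    lines = []
    for category, rules in result.items():
        for r in sorted(rules, key=repr):
            lines.append(f"{category}: {r.action} {r.proto} {r.src} -> {r.dst}:{r.port}")
    return lines


if __name__ == "__main__":
    for line in report(findings(BASELINE, CURRENT, EXCEPTIONS, date(2020, 6, 1))):
        print(line)
```

Run against a nightly export of the live rule set, the check turns "someone should reset that rule eventually" into a concrete, dated finding; the expiry date in the exception list is what makes the temporary rule temporary.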
Continue (or begin) to think programmatically about your OT cyber program instead of one-off “magic bullets”.
The most successful organizations approach cyber security (whether IT or OT) as a programmatic effort with a sequence of initiatives that build on one another to add greater levels of security over time. As budgets narrow, the tendency is to search for a silver bullet: if we just had segmentation, we’d be so much more secure. Or, if we can only do one thing, better to have an IDS... at least we have something.
We caution against this urge. A one-time shock such as COVID-19, if not managed carefully, can derail successful programs long after the crisis abates. As organizations abandon (or never pursue) a program, the next year then becomes a search for the next magic bullet. Getting the program back on track is very difficult once it has fallen off.
Instead, if budgets are severely cut, maintain a programmatic approach by adjusting the cyber security program. For instance, go deeper on the most critical plants, factories, and sites rather than spreading thinner across all sites just for consistency.
In almost every industrial organization, certain facilities (or perhaps processes) are more critical than others. Maintain the program, but just on the most critical sites/plants. Or if the intent was to provide a comprehensive endpoint management program across all devices, narrow the program to focus on those that are most critical and/or those that you might actually be able to update/upgrade in a timely fashion.
The bottom line: Avoid the magic bullet syndrome and keep your eye on the ultimate prize.
Err on the side of the parts of the security program with simpler deployment, rather than prioritizing solely on budgeted amounts.
Customers often reach out to us after they have started down the path of a particular security component and the deployment has become unwieldy. This is typically due to organizational challenges, the need to make hardware work effectively in different plant environments, or the complexity of tuning the system. The reality is that, more often than not, these elements exceed their budgets or the project is narrowed and down-scoped to fit within what was originally budgeted.
As you prioritize spend, consider not just the budget but also the possible variances from unforeseen challenges. The top “at-risk” elements include: hardware-based solutions, or even software-based ones, that require onsite or specialized resources to deploy and configure (not to mention the supply chain challenges of buying hardware during the current crisis); monitoring solutions that require significant tuning before they are effective at identifying threats; and manual efforts such as manual inventory or patch management, since that labor may never become available. Focus instead on elements that drive a level of automation.
The bottom line: Prioritize simpler deployment options with automation that helps streamline processes to build on.
Take full advantage of solution offerings beyond their initially intended purpose to reap more benefits.
Security is often thought of as a cost center. The only benefit is seen as the potential to reduce the attack surface or the impact from an attack. But many elements of a comprehensive security program have operational benefits that go beyond security and may even offset some of the costs.
In normal times, these other benefits are often ignored in the business cases of cyber security solutions as the risk reduction is critical. But in times of crisis, it is important to ensure a comprehensive view.
Several types of alternative benefits exist. For instance, a robust asset inventory saves significant cost in providing regulatory information in many industries. In power generation, for instance, many plants operate behind data diodes. The cost in manpower (not to mention the health risks) of sending people to those plants to gather required data is significant.
Elements that aggregate asset data through diodes into a centralized database for reporting may pay for themselves, at least in part, in reduced labor cost. Some elements also provide an integrated ability to alert on operational issues within plant systems, such as devices that are performing improperly. This data, if aggregated centrally and analyzed, can provide operational ROI in avoided downtime as well as reduced labor cost for maintenance and troubleshooting.
The bottom line: Kill two birds with one stone and adopt tools that provide additional advantages.
The list can be extensive, but it is important that, as OT cyber security priorities are established, a 360-degree view of each project is taken, not just the cost of the security it provides.
This framework helps industrial organizations find an appropriate, effective, and efficient path to improved security with even tighter budgets. Read more about how to establish a robust cyber security program.