In the nuclear power industry, a cybersecurity incident or error could be a life or death issue on a mass scale. Because of this reality, cyber risk in nuclear power plants is governed more rigorously than it is in sectors free of industrial control systems (ICS) and other types of high-risk operational technology (OT). It’s time for this to change.
Even without radioactive metals and remote-controlled industrial machines, the ramifications of a cyber-attack are increasing for most other industries. Today, enterprises are a standard target of crippling nation-state attacks, including those resulting in tens of billions of dollars in theft and the disruption of hospitals and global business. As a former nuclear power plant cybersecurity manager and now a cybersecurity consultant advising a variety of industries, I see first-hand the need for all companies to implement more stringent OT cybersecurity governance protocols.
Below are four important governance lessons companies can take from the world of high-stakes OT security:
1. Seek out the opinions of others and share the cyber risk.
Prior to working in nuclear, I worked in businesses where speed was a priority and personal responsibility for decisions was a central part of company culture. There often wasn’t time for “peer review” as a formal step in decision-making processes. It wasn’t until I worked in OT security that I more deeply understood the value of deliberately approaching risk management decisions as a team.
Risk management and reduction should be a team sport. Best practice is this: When you are making a decision that involves security or compliance risk, obtain input from other knowledgeable stakeholders, including colleagues in different but related departments. Someone with a different point of view may see critical variables or outcomes that you have not considered, and knowing these factors could help you make a better business decision. Expediency and taking ownership of choices are not on their own bad for security or risk; however, neither should come at the expense of identifying and sharing associated risk.
2. Aggressively manage change as part of everyday cyber risk management.
While I was working at the nuclear power plant, there was a project to implement a Security Information and Event Management (SIEM) solution on a network dedicated to the security and monitoring of an ICS. During the move to production, the project team had to install a newly released software version to overcome a technical issue. What wasn’t known at the time was that the new version would cause a conflict with an existing, critical file integrity monitoring system. If the monitoring system went down, attackers might have gotten into the ICS unnoticed. In hindsight, the team didn’t do enough vetting on the change. Companies should always manage change methodically.
In cyber risk management, slowing down to prioritize change management is a challenge: It goes against the ethos of the popular Agile development process; keeping up with constant changes in an organization’s risk posture is already hard; and the drive to innovate faster than the competition is hard to repress. However, to effectively and responsibly manage risk, you should know exactly how any change you make is going to ripple throughout the systems. This is especially important before pushing new code. In the case of nuclear energy, a mistake like this could accidentally bring down the systems controlling the temperature of the uranium, or in the case of a hospital, it could cause doctors to lose access to patient records. There are many best practices around change management, and I would suggest following those aggressively.
3. Confidentiality may not be your greatest cyber risk. Consider all of the possibilities.
Security professionals tend to think that data protection and privacy are the top priority. A security team must consider all of the tenets of the CIA triad (Confidentiality, Integrity, and Availability).
In an OT setting, safety system availability is more important than confidentiality—human life is on the line. Alternatively, if someone sees a chemical safety data sheet (a document that describes the makeup of a chemical), that is far less of a concern than someone changing the information on it. As such, Confidentiality is less critical than Integrity for chemical data sheets. In a research setting, someone seeing data is not ideal, but losing that data could be catastrophic, causing years or decades of progress to be lost. Imagine if these losses hit a lab researching remedies for cancer or Alzheimer’s. In other cases, availability may be the greatest priority, especially for streaming businesses or SaaS providers that face great liability for downtime. When prioritizing risk reduction efforts, be sure to consider all types of possible losses to ensure you’re directing your resources to the greatest risks.
4. After a cyber-incident, find out how it happened. Perform root cause analysis.
When I worked at the nuclear power plant, I went to a three-day training class dedicated to root cause analysis—an investigation where you find out how and why the incident happened. In nuclear, root cause analysis is a serious, high-priority process that takes weeks and ends with review by the chief nuclear officer. Since leaving the energy industry in 2014, I’ve never done a single root cause analysis. In other industries, not every attack warrants analysis as intensive as one in an OT environment, but these investigations simply aren’t done enough.
Whether it is a data breach, insider threat, or system outage, once you know what happened, find out how it happened. A business process may need to be changed; the identity and access management program may need to be fixed; or perhaps change management was not methodical enough. Whatever it may be, after you have contained and remediated, take the time to figure out the cause so the error isn’t repeated.
By adopting these more stringent governance protocols from the world of OT, your cyber risk story changes. It requires effort and transformed thinking in many cases, but having a broader view of the consequences of your organization’s actions, aggressively managing change, considering risks beyond information leaks, and learning what happened to prevent reoccurrence increases the visibility of cybersecurity risk beyond the security team. It also results in a cybersecurity story that champions CISO leadership, multi-department cooperation, and high-level, enterprise-wide risk reduction.