Enterprise Risk Management (ERM) used to be straightforward. However, with the constantly changing cyber risks every organization faces, the framework needs to expand to encompass enterprise cybersecurity risk management (ECRM). All organizations and enterprises, regardless of size or type, should ensure that cybersecurity risks receive appropriate attention as they conduct their ERM program.
When looking at ERM and factors commonly considered, nothing has changed significantly in the past 15-20 years. However, the need for and evolution of ECRM has added a few new twists to the traditional ERM governance process. For example, there are unique risks that need to be considered when looking at cyber-risk for manufacturers, manufacturing, and critical infrastructure organizations.
What’s new or unique about ECRM?
Cybersecurity risk management needs to take into account the typical ERM risks like natural disasters including weather and unexpected physical events that impact production and business in general. In addition to these factors, ECRM must also consider the risk of cyber physical outcomes. The domino effect of an unexpected cyber breach on cyber physical systems that impact food production, water safety, or healthcare equipment for example, can have life or death consequences.
Because ECRM can be new to the thinking of many organizations, assumptions are commonly made that can lead to exposures that cost organizations millions, impact their brand reputation, and have negative consequences for their end consumers.
Traditionally when considering cyber in ERM, organizations can tend to look only through the lens of digital outcomes, not considering the inherent risks of all the potential devices driving their operation. With automated machinery, IIoT and remote access so prevalent, more thought needs to be given to the potential exposures created in the industrial production network around digital safety and operational integrity.
Four common myths and missteps
1. IT has it covered
Many organizations will assume the CIO or CISO has the manufacturing plant floor or critical infrastructure equipment covered through IT enterprise security. This couldn’t be farther from the truth. IT isn’t regularly equipped or trained to understand or protect Operational Technology (OT) Industrial Control Systems (ICS) equipment. IT security tools and their approach is actually incompatible with OT Industrial Control Systems (ICS) plant floor equipment.
2. My IT budget can cover my OT security needs
Many times organizations don’t adequately fund their OT security or don’t even realize it needs to be a line item in the budget separate from IT security. The life cycle for operational technology (OT) equipment is typically much longer than IT enterprise equipment. The risks with this equipment and systems grow over time as it goes predominantly unmanaged until something breaks, or a breach occurs.
You will find a significant amount of legacy OT equipment with unpatched Windows updates and default passwords across just about every production, manufacturing and critical infrastructure environment. Once a breach occurs it can be too late. Going through the process of identifying connected devices and other CVE vulnerabilities is a key step to digital safety for manufacturing and critical infrastructure organizations.
3. Our cyber insurance will cover us
Another common myth is that cyber insurance will cover you. Transferring responsibility for cyber or digital safety for OT related adverse events to cyber insurance is a huge risk. The shifting insurance landscape, especially in relation to cyber related and internal error triggered adverse events, is exposing less coverage and less covered events. The point being, don’t count on cyber insurance to save you, the stakes are getting higher.
4. We can use internal resources
Internal IT teams are not usually trained or equipped to manage both Enterprise security and Operational security. In addition, the workplace is experiencing a shortage of industrial security talent in the marketplace. The smart way forward for most organizations is a partnership between operational owners, IT owners and external cyber-industrial experts. Experts that specialize in digital safety and can operationalize cybersecurity solutions are an astute way to protect your organization without the cost of hiring a dedicated internal industrial cybersecurity team.
ERM vs ECRM what’s the difference?
ERM is about risk reduction and reducing company exposure due to adverse events, while ECRM is about damage reduction after an event and proactively reducing risk by identifying and addressing exposures. With the escalation of cyber events, ECRM needs to play a larger role in Enterprise Risk Management. Both can protect an organization from adverse and negative consequences in different ways.
Ensure Your ERM includes ECRM
No organization can afford to go blindly forward without a well thought out ECRM plan as a core component of their ERM plan. Determining risks and vulnerabilities across the entire organization from the enterprise to the plant floor is a mandatory step in the process. For most organizations, a partnership between manufacturing and infrastructure experts that specialize in digital safety and operationalizing cyber safety solutions is the intelligent way to discover and counter real risks.
Many organizations realize they don’t have the expertise or experience in-house to be able to effectively protect themselves from the changing climate of cyber risks to plant equipment and critical infrastructure. Equipment and technology-neutral partners offer deep expertise about plant floor vulnerabilities, equipment visibility, continuous monitoring, and operationalizing equipment and digital safety. Develop your ECRM plan leveraging experts like Velta Technology to move quickly. You can start with an internal tabletop exercise where they can facilitate the key stakeholders together to address ownership and accountability for the ECRM plan development and execution.
An ounce of prevention and proactivity is worth a pound of cure and defense. Be proactive rather than reactive. Take steps now to Get Safer Sooner.