- Companies need to create alignment, from the board level down, to assess the risk of a cyberattack on operational technology, according to Robert Lee, founder and CEO of industrial cybersecurity firm Dragos, speaking on a Dragos-Rockwell Automation webinar last week.
- OT drives revenue for industrial companies and top executives, board members and CISOs must properly allocate resources to make sure those operations are protected and can continue to function in the wake of an attack, Lee said.
- CISOs need to decide what are the relevant threats for their particular company and focus on informing senior leadership about those threats, Dawn Cappelli, VP of global security and CISO at Rockwell Automation.
Companies have historically focused on the impact of ransomware and supply chain attacks on information technology but have often failed to account for the potential impact on operational technology, according to the panel.
"A lot of these companies have a ton of intellectual property," Lee said, "and it's not maintained on an email server. It's in your manufacturing lines, it's in your production environment."
The SolarWinds supply chain attack from 2020 and the historic surge in ransomware attacks forced a renewed dialogue about how cyberattacks can essentially halt production at major industrial firms.
Some of the most critical ransomware attacks in the U.S. in 2021 involved attacks on IT that forced the temporary shutdown of OT, creating real impacts on production capabilities and having tremendous impact on customers. During May 2021 ransomware attack on Colonial Pipeline, the largest U.S. fuel supplier, the company shut down supply lines for about six days.
Corporate boards should be informed about potential risk scenarios that may impact certain industries, Lee said. For example, electric utilities should be aware of the 2015-2016 power grid attacks in the Ukraine, while oil and gas companies should have knowledge about the 2017 attacks that hit Saudi Arabia.
Some CISOs make the mistake of not sharing certain information with board members because it's considered too technical, Lee said. But corporate boards are often very capable of understanding important threat information without getting into the minute detail of everything that happens at the security operations level.