- When calculating risk, companies should factor "likelihood" out of the equation, according to Andy Bochman, senior cyber & energy security strategist at Idaho National Laboratory, during an Accenture virtual conference in March. "The reasons are because it takes too long. And we know that even while we're doing it, we're probably wrong," he said.
- Companies in critical infrastructure and operational technology (OT) avoid risks based on likelihood, said Bochman. Because these systems are often rich targets for adversaries, he recommends companies focus on removing or reducing risk by prioritizing consequences.
- In the nuclear business, "we needed likelihood to make initial prioritizations," Agustin Valencia, head of OT Global Cybersecurity at Iberdrola, said during the conference. Likelihood cannot become the focus, because risk calculation needs to go beyond the technology. If the same technology exists in a rural area and an urban one, they will face disproportionate risks despite being the same.
Digital transformation shrinks the gap between IT and OT, calling organizations to factor diverse systems into risk calculations. Risk is "not a matter only for cybersecurity, but their whole digital transformation," said Valencia. The cloud is going to place a larger role in IT and OT, which is in part increasing risks.
The NSA is asking agencies to determine what the value of IT/OT connection is to the enterprise. Value is derived from convenience, using the same workforce between IT/OT, or leveraging IT tools for monitoring OT environments.
That convenience is a direct threat to OT security.
"IT exploitation increasingly can serve as a pivot to OT destructive effects," the National Security Agency (NSA) said in an advisory issued last week. The agency said recent exploitation of IT management software and its supply chain, affected the government and Defense Industrial Base (DIB).
The NSA is recommending network-owners in the National Security System (NSS), Department of Defense and DIB "perform a detailed risk analysis prior to creating cross-domain connections (e.g., IT-to-OT, internet-to-OT) and for all currently connected OT."
When diving into where IT and OT risks overlap, it begins with the end user. In both environments, companies have to be able to "put the end user and the process in the center of the things that we have to analyze," said Valencia.
Because cyber risks are grouped with overall business risks now, Valencia doesn't focus on categorizing risk. Instead, he wants to know the details that could interfere with how frequently risks are updated.
The private sector owns the majority of critical infrastructure, leaving a small role for the federal government in determining operations and security mandates. That is slowly changing. The Biden administration stood up a 100-day plan for addressing security issues within OT and industry control systems (ICS).
"We've never seen anything quite like this before. We've just seen the government really going back and forth about what they should do and seemingly not doing much," said Curtis Simpson, CISO of Armis. "This wasn't just an advisory coming from intelligence agencies; the federal government has now taken that advisory and they're applying it themselves," he said referring to the 100-day plan.
As part of the plan, the Department of Energy issued a request for information regarding a secure energy system supply chain, based on a coordinated effort.
"If you look at businesses reliant on operational technology, the most critical elements of their business are driven by that technology. Nothing else in the business matters as much," said Simpson. Between the Cybersecurity and Infrastructure Security Agency (CISA), intelligence agencies and the White House issuing advisories with detailed threat analysis, "everyone wants more information," said Simpson. "They're trying to understand the risk and trying to understand how they should tackle it.