What are you doing to protect yourself against cyber attacks?

“What are we doing to protect ourselves from cyber attacks?”
It’s a question every CFO eventually asks their team.
Although the question suggests IT-specific concerns like malware, firewalls and virus scans, CFOs need to pause, broaden their perspective and examine cyber-related business risk in the areas of physical security and industrial controls as well.
If, for example, a cyber criminal walks into your headquarters and steals a laptop, or a worm enables hackers to take over the controls of your factory, your problems just got a lot bigger. Attackers could destroy costly equipment and put you out of business for months, ruining your relationships, reputation, brand, market share and shareholder value.
News headlines might lead you to believe that the biggest cyber risk is the theft of financial, medical, password or other personal information, which exposes consumers to fraudulent charges, embarrassments and all manner of personal headaches.
Breaches like these can certainly be catastrophic to your business. But like physical property, business data is also an operational asset. It has a distinct value in terms of keeping the business running and, in this analytics age, providing insight. Destruction, corruption or alteration of, say, logistical data, orders or GPS information can cripple your business for months.
Worst case? Arguably, it’s when hackers go beyond credit card numbers and data damage and take hold of your industrial controls, potentially bringing power stations down, permanently freezing multimillion-dollar turbines in mid-cycle, blowing chemical vessels up, or causing molten metal to harden midway through fabrication.
When I step back, this multifaceted cyber security challenge looks to me a lot like the commercial property vulnerabilities engineers address every day in their loss-prevention duties as they guard against fire and natural catastrophe. Their first step? Understanding the risk, which goes far beyond ones and zeroes.
Risk on the premises
It’s often overlooked, but your company’s physical premises can expose it to cyber attack. During working hours, or after hours for that matter, without proper security measures in place, a hacker could conceivably walk right into your building, office or cubicle and plug an infected thumb drive into the first computer he or she sees. Therefore, you need to make sure your properties, key partners and, ideally, your entire supply chain are physically secure.
Besides keycard building entry, improving physical security requires you to manage visitor, contractor and employee access throughout your facility and sensitive areas, and what they have access to. It may involve controlling physical access to network rooms and equipment, security tokens for computer access, and implementing both timed lockout and password protection of network devices. And it certainly entails employee security awareness training.
The bottom line is that it’s easy, from a risk management perspective, to get distracted by the complexity of digital network security—firewalls and such—when some of the most gaping security holes can be in your physical premises. As a CFO, you need to make sure professionals are on the ground exploring the premises with those concerns in mind.
Industrial risks
In the past two years, cyber attacks have hit energy and utilities companies and defense and aerospace contractors. Two years ago, hackers reportedly were able to bring down a power grid in the Ukraine. In 2014, the German Federal Office for Information Security reported that a German steel mill suffered significant damage when hackers disrupted the control systems so that a blast furnace couldn’t properly shut down.
Also that year, a former Georgia-Pacific paper company employee accessed computers at the company’s Port Hudson, Louisiana, mill from home, affecting the distributed control and quality control systems for machinery used to produce paper towels.
Industrial control system risks like these have become increasingly prominent on risk managers’ radar screens. As we hear all the time from our clients, “I wasn’t even thinking about this a year ago.” The CFO needs to understand the emerging risk as well.
These connected plants and power grids are parts of the Internet of Things (IoT) – commonly thought of as interconnected smartphones, cars, fitness trackers, thermostats and refrigerators. There are more than six billion things in the IoT, with more than five million things getting connected every day, according to Gartner.
The IoT, however, also connects operators to industrial controls, sometimes enabling a plant manager to go online from home and tweak plant operations miles away. These systems were designed first to enable access, not to restrict it, and they contain some harrowing vulnerabilities.
Imagine a man-in-the-middle attack that takes control of a plant’s operating console to signal that operations are okay while sabotaging the production line. This industrial control risk is compounded by businesses’ well-intended efforts to run lean, automate and standardise processes and to simplify complexity for operators.
So what can CFOs do? They can ensure the company is considering measures like vulnerability audits, backup power systems, overrides of electronic controls, and even redundant IT systems that could take over in the event of a cyber attack.
This article originally appeared on cfo.com and can also be found in Reason magazine Issue 1, 2017.