I’m giving a keynote at an upcoming event, Fortinet’s Secure OT 2020 on Nov 24-25, that has as its theme “Innovation Through Disruption.” While I’ll focus mostly on three ICS disrupting innovations in the next 1-3 years, I gave some thought to what is causing the disruption.
The knee-jerk answer is increased threat. The idea that adversaries have learned about ICS, know the potential value or impact of compromise, and now the likelihood of an ICS focused attack has increased substantially. A review of the volume and tenor of conversations and content makes this appear to be fact.
A large part of the over $0.5B of venture funding in ICS detection vendors has bombarded the ICS community with the message that there are nation states / APTs out there constantly trying to attack most ICS sectors to cause high impact events. This is often amplified by consultants and others selling products and services. The media then picks up these messages because it leads to clicks. It’s what their readers want. I asked Kelly Jackson Higgins of Dark Reading and Jim Finkle of Reuters (at the time) at S4x18 whether they were traffickers in FUD. Not a lot has changed in what gets articles written and clicks in the subsequent three years.
Surprisingly, even asset owners are involved in hyping the threat. Southern California Edison’s President and CEO Pedro Pizarro wrote last week that “millions of attacks have been prevented this year in the electric power industry alone”. I’m sure that any company is facing “millions of attacks” in the broadest sense, and most of these are easily and automatically discarded at the Internet perimeter. Even those that are more sophisticated suffer from what Jason Larsen called actor inflation.
While the threat to ICS has increased exponentially in the past decade, it started at such a tiny number that it still remains small. While there are attacks, successful and unsuccessful, that we will never hear about, the actual number, as compared to other IT systems, and the actual impact are still minuscule.
The ICS threat hyperbole has served a helpful function though. It has revealed the hidden ICS cyber risk related to high consequence events, a risk that began in earnest after 9/11. Operations had, in most cases, sincerely believed that there was no cyber risk because they had not had a malicious cyber incident. As Richard Clarke would say, it has never happened before.
The board of directors and executives with risk acceptance and management responsibilities were unaware of the possibility of a cyber or cyber/physical attack causing a high consequence incident. Something with a large financial, safety, environmental or reputation impact. The threat hyperbole served a purpose. It woke up boards and executives to ICS cyber related risk. In many cases they were upset that these risks had been hidden.
So in my view, the cause of the disruption, which is just beginning and likely to grow, is the awareness of ICS cyber related risk at the board/executive level. And more importantly, who the board and executives will look to and hold responsible for managing this risk. It’s not Operations. It may never have been, but because in most cases they downplayed or ignored this risk, they are not trusted on this issue. Instead the CISO or CRO or some other C-level will be held responsible.
The CISO, or whoever is responsible, will want to have visibility into what affects ICS cyber risk and will want as much congruence as possible with the way cyber risk is managed throughout the company. This will cause an increasing amount of disruption over the next five years. The definition of disruption is a rending asunder; a bursting apart; it’s not business as usual or small incremental change.