The World Economic Forum (WEF) recently published Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers. This is timely coming weeks after the Colonial Pipeline incident, which was a resilience failure not an OT security failure. Operations, the delivery of liquids through the pipeline, could not continue when systems on the enterprise network related to billing were compromised.
According to public information, there was no way for pipeline to operate safely or as required by Colonial Pipeline without these enterprise systems. This would not be true of a resilient system that would recognize a security incident on the enterprise network is not a very low probability event.
Unfortunately the WEF paper is not about resilience. It appears that it simply replaced the word security with resilience, 197 times. Almost the entire paper is talking about cyber security controls to reduce the likelihood of a compromise of OT cyber assets and systems.
Some cyber security controls can help make a system more resilient, but these are only a subset of possible actions related to an ICS attempting to improve or achieve resilience. Some good questions to ask are:
- Can we continue to meet our mission to deliver products or services if the enterprise network is compromised? (Do we have a work around if these systems aren’t available, even if it is sub-optimal? Even it is not immediately available?)
- Can we continue to meet our mission to deliver products or services if the OT network is compromised? (For those cyber assets or systems whose unavailability would prevent us from meeting our mission, can we reliably restore them in an acceptable time? Can the purpose of these systems be met in another way?)
- If our OT network is compromised will it cause or allow a high consequence event? (A lot of the consequence reduction activities in the CCE or Cypher PHA are unrelated to security controls.)
Almost never will we be able to reduce the likelihood of a compromise to zero. A resilient company and its systems recognize this and is prepared to meet their mission in the event of an enterprise or OT cyber incident.
The WEF’s recognition that a resilient system is a better goal than a secure system shows wisdom. Now the details behind preferring that word and achieving resilience should be recognized in an updated Version 2 of the paper because resilience is not a synonym for security.