The classic 5 x 5 risk matrix with consequence broken out by category: financial, health & safety, customer impact, and reputation. Create scenarios and see where they fall on the matrix, with the ever-present challenge of determining likelihood.
The first surprise: many of the scenarios are acceptable risks in the matrix for the financial, health & safety, and customer impact consequences. We often wrongly believe any outage or OT cyber incident is unacceptable. It's not desired, and it is a failure of security, but there are likely other events during the average year that cause a greater consequence and have become accepted risks.
The second surprise is that the perceived impact to the company’s reputation of these scenarios, as viewed by executive management and often the operations and cybersecurity teams, falls in the red. It’s unacceptable risk that must be reduced.
The kneejerk reaction is to reduce the likelihood of the scenario: what new security controls can we, or should we, deploy? The best answer in this situation is more likely consequence reduction. How do we reduce the reputational impact of the incident occurring?
If the scenario has a medium to low consequence in the other consequence categories, then there is a mismatch between perception and reality that should be addressed. This perception needs to be addressed in two areas:
- Customers, shareholders and media – having the communications and media strategy ready prior to the incident is key, as it is in all areas of incident response. Oldsmar is a great example where the communications and media strategy, with the right verification and preparation, could have convincingly stated that the community was never at risk. They had unhackable safety measures in place. Even if the adversary had complete control of the network, they could not deliver dangerous water to customers. They had known a cyber incident was likely to happen at some point in time, as it will for most utilities, and planned for it. While they will learn from this incident and improve cybersecurity, their cyber incident response plan worked exactly as designed. The public was never at risk.

  The reputational consequence shouldn't be higher than the highest consequence level in another category. This is reality. If perception is expected to be higher than reality, it means there is work to do on the communications and media strategy. If you want to hedge this, perhaps allow reputation to be at most one level higher than the highest consequence in another category.

- Executives and Managers – this is where I often see unrealistic views of consequence. Executives saying we can never have a cyber incident. "Even a small incident with minimal impact will have a high consequence impact to our reputation." I sympathize with this, as Oldsmar, Colonial Pipeline, Norsk Hydro and even the ancient Maroochy Shire incident get slides in a high percentage of OT security presentations. The certainty achieved through consequence reduction, and some real-world numbers on all-cause outages and incidents, can remedy this overstated view of impact to reputation.
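As an added illustration that is not part of the original post, the scoring below places constructed scenarios on a 5 x 5 matrix per consequence category and applies the reputation rule above with the one-level hedge. The zone thresholds on the likelihood-times-consequence product and the sample scenario values are assumptions, not any real assessment.

```python
from dataclasses import dataclass, field

CATEGORIES = ("financial", "health_safety", "customer", "reputation")

def matrix_zone(likelihood: int, consequence: int) -> str:
    """Map a 1-5 likelihood and 1-5 consequence to a zone of the 5 x 5 matrix.
    The thresholds on the product are an assumption; real matrices differ."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be integers 1-5")
    score = likelihood * consequence
    if score >= 15:
        return "unacceptable"  # red
    if score >= 8:
        return "tolerable"     # amber
    return "acceptable"        # green

@dataclass
class Scenario:
    name: str
    likelihood: int                                  # 1-5, the hard part to estimate
    consequence: dict = field(default_factory=dict)  # category -> 1-5

def rate(scenario: Scenario) -> dict:
    """Zone of the scenario in each consequence category."""
    return {c: matrix_zone(scenario.likelihood, scenario.consequence[c]) for c in CATEGORIES}

def reputation_gap(scenario: Scenario, hedge: int = 0) -> int:
    """Levels by which the reputation consequence exceeds the highest other
    category beyond the allowed hedge; 0 means perception matches reality."""
    highest_other = max(scenario.consequence[c] for c in CATEGORIES if c != "reputation")
    return max(0, scenario.consequence["reputation"] - highest_other - hedge)

# Constructed sample scenarios (illustrative values only).
SCENARIOS = [
    Scenario("HMI ransomware, 4h outage, safety layer untouched", 3,
             {"financial": 2, "health_safety": 1, "customer": 2, "reputation": 5}),
    Scenario("Safety instrumented system bypassed", 2,
             {"financial": 4, "health_safety": 5, "customer": 3, "reputation": 5}),
]

def assess(scenario: Scenario, hedge: int = 1) -> dict:
    """Per-category zones plus the reputation mismatch that the communications
    strategy, rather than new controls, should close."""
    return {"zones": rate(scenario), "reputation_gap": reputation_gap(scenario, hedge)}

if __name__ == "__main__":
    for s in SCENARIOS:
        print(s.name, assess(s))
```

The first scenario is green in every category except reputation, which lands red two levels beyond the hedge; the second has a reputation rating no higher than its safety consequence, so no mismatch is flagged.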
This is partially a maturity issue and partially a culture issue. Maturity will come as OT cyber incidents become less rare and if they remain a small consequence compared to other factors such as weather, pandemic, workforce and supply chain. Culture is tougher because the security industry is largely responsible for hysteria. We will need to rein ourselves in.