“What are we doing to protect ourselves from cyberattacks?”
It’s a question every CFO eventually asks their team.
Although the question suggests IT-specific concerns like malware, firewalls, and virus scans, CFOs need to pause and broaden their perspective, examine cyber-related business risk in the areas of physical security and in industrial controls as well.
If, for example, a cybercriminal walks into your headquarters and steals a laptop, or a worm enables hackers to take over the controls of your factory, your problems just got a lot bigger. Attackers could destroy costly equipment and put you out of business for months, ruining your relationships, reputation, brand, marketshare, and shareholder value.
News headlines might lead you to believe that the biggest cyber risk is the theft of financial, medical, password, or other personal information, which exposes consumers to fraudulent charges, embarrassments, and all manner of personal headaches.
Breaches like these can certainly be catastrophic to your business. But like physical property, business data is also an operational asset. It has a distinct value in terms of keeping the business running and, in this analytics age, providing insight. Destruction, corruption, or alteration of, say, logistical data, orders, or GPS information can cripple your business for months.
Worst case? Arguably, it’s when hackers go beyond credit card numbers and data damage and take hold of your industrial controls, potentially bringing power stations down, permanently freezing multimillion-dollar turbines in mid-cycle, blowing chemical vessels up, or causing molten metal to harden midway through fabrication.
When I step back, this multifaceted cyber security challenge looks to me a lot like the commercial property vulnerabilities engineers address every day in their loss-prevention duties as they gird against fire and natural catastrophe. Their first step? Understanding the risk, which goes far beyond ones and zeroes.
Risk on the Premises
It’s often overlooked, but your company’s physical premises can expose it to cyber attack. During working hours, or after hours for that matter, without proper security measures in place, a hacker could conceivably walk right into your building, office, or cubicle and plug an infected thumb drive into the first computer he or she sees. Therefore, you need to make sure your properties, key partners and, ideally, your entire supply chain are physically secure.
Besides keycard building entry, improving physical security requires you to manage visitor, contractor, and employee access throughout your facility and sensitive areas, and what they have access to. It may involve controlling physical access to network rooms and equipment, security tokens for computer access, and implementing both timed lockout and password protection of network devices. And it certainly entails employee security awareness training.
The bottom line is that it’s easy, from a risk management perspective, to get distracted by the complexity of digital network security – firewalls and such – when some of the most gaping security holes can be in your physical premises. As a CFO, you need to make sure professionals are on the ground exploring the premises with those concerns in mind.
In the past two years, cyber attacks have hit energy and utilities companies and defense and aerospace contractors. Two years ago, hackers reportedly were able to bring down a power grid in the Ukraine. In 2014, the German Federal Office for Information Security reported that a German steel mill suffered significant damage when hackers disrupted the control systems so that a blast furnace couldn’t properly shut down.
Also that year, a former Georgia-Pacific paper company employee accessed computers at the company’s Port Hudson, Louisiana, mill from home, affecting the distributed control and quality control systems for machinery used to produce paper towels.
Industrial control system risks like these have become increasingly prominent on risk managers’ radar screen. As we hear all the time from our clients, “I wasn’t even thinking about this a year ago.” The CFO needs to understand the emerging risk as well.
These connected plants and power grids are parts of the Internet of Things (IoT) – commonly thought of as interconnected smartphones, cars, fitness trackers, thermostats, and refrigerators. There are more than 6 billion things in the IoT, with more than 5 million things getting connected every day, according to Gartner.
The IoT, however, also connects operators to industrial controls, sometimes enabling a plant manager to go online from home and tweak plant operations miles away. These systems were designed first to enable access, not to restrict it, and they contain some harrowing vulnerabilities.
Imagine a man-in-the-middle attack that takes control of a plant’s operating console to signal that operations are okay while sabotaging the production line. This industrial control risk is compounded by businesses’ well-intended efforts to run lean, automate, and standardize processes and to simplify complexity for operators.
So what can CFOs do? They can ensure the company is considering measures like vulnerability audits, backup power systems, overrides of electronic controls, and even redundant IT systems that could take over in the event of a cyber attack.
A few things you can do:
Get your IT, finance, and risk management teams together. Your IT group knows all about the technology side of security, but they have little expertise in translating it into business risk. The parties need to understand one another.
Determine what information security standard applies to your industry, and base your cybersecurity framework on its practices. One source of standards is the National Institute of Standards and Technology (NIST)’s Framework for Improving Critical Infrastructure Cybersecurity.
Review your insurance coverage to ensure that at least one policy (cyber, crime, property, or liability,) will respond fully to any successful cyber attack.
Identify and classify data based on business criticality, as well as on sensitivity/confidentiality of data.
Identify critical assets and network access points at your facilities (both physical and technological), and determine how access is controlled. Prioritize actions to improve access control where needed.
Create a documented incident-response plan to prepare employees to respond accordingly during cyber events. The plan needs to be part of a complete risk management program, not just a document.
Test the plan. Tabletop simulation exercises can be a very effective means of testing the adequacy of a plan and restoration time windows.
CFOs don’t need to be involved in all the details. But they do need to champion a comprehensive view of cybersecurity. This leadership will help make your company more resilient when the time comes.
Kevin Ingram is senior vice president of finance and CFO of FM Global, a large commercial and industrial property insurer.