Key SCADA Security Questions for CEOs

Editor’s Note: This is an excerpt from ISSSource.

It wasn’t that long ago when cyber security seemed like a foreign language to those folks entrusted with running companies. It was not like they didn’t know about it, but it just was not top of mind.

Not anymore.

With cyber threats evolving to the point where they are affecting their companies and their customers’ companies, chief executives are taking a new look and approach to how they attack cyber security.

They know meeting objectives and delivering on business initiatives means they need to rely on information systems and the Internet. That means a cyberattack could cause severe disruption to a company’s business functions or operational supply chain, impact reputation, or compromise sensitive customer data and intellectual property.

Companies face a series of cyber threats, some of which pack such a powerful punch that they need to enact a security program that goes way beyond just compliance. One Ponemon Institute study in 2011* found the average cost of a compromised record in the U.S. was $194 per record and the loss of customer business due to a cyber breach was around $3 million.

With that in mind, the US-CERT created a document that provides key questions to help guide cyber security risk management for a company, along with key cyber risk management concepts.

The Top 5 Cyber Security Questions for CEOs

Here are five questions chief executives should ask about cyber risks:

  1. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
  2. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
  3. How does our cyber security program apply industry standards and best practices?
  4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
  5. How comprehensive is our cyber incident response plan? How often is it tested?

Important Cyber Risk Management Concepts

In addition, US-CERT listed key cyber risk management concepts:

Incorporate cyber risks into existing risk management and governance processes.

Cyber security is not implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the enterprise.

Elevate cyber risk management discussions to the chief executive.

Chief executive engagement in defining the risk strategy and levels of acceptable risk enables more cost-effective management of cyber risks aligned with the business needs of the organization. Regular communication between the chief executive and those held accountable for managing cyber risks provides awareness of current risks affecting their organization and associated business impact.

Implement industry standards and best practices, don’t rely on compliance.

A comprehensive cyber security program leverages industry standards and best practices to protect systems and detect potential problems, along with processes to understand current threats and enable timely response and recovery. Compliance requirements help to establish a good cyber security baseline to address known vulnerabilities, but do not adequately address new and dynamic threats, or counter sophisticated adversaries. Using a risk-based approach to apply cyber security standards and practices allows for more comprehensive and cost-effective management of cyber risks than compliance activities alone.

Evaluate and manage your organization’s specific cyber risks.

Identifying critical assets and associated impacts from cyber threats is critical to understanding a company’s specific risk exposure, whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cyber risks to an acceptable level.

Provide oversight and review.

Executives are responsible for managing and overseeing enterprise risk management. Cyber oversight activities include the regular evaluation of cyber security budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top-level policies.

Develop and test incident response plans and procedures.

Even a well-defended organization will experience a cyber incident at some point. When network defenses end up penetrated, a chief executive should be ready to answer, “What is our Plan B?” Documented cyber incident response plans exercised regularly help to enable timely response and minimize impacts.

Coordinate cyber incident response planning across the enterprise.

Early response actions can limit or even prevent possible damage. A key component of cyber incident response preparation is planning in conjunction with the Chief Information Officer/Chief Information Security Officer, business leaders, continuity planners, system operators, general counsel, and public affairs. This includes integrating cyber incident response policies and procedures with existing disaster recovery and business continuity plans.

Maintain situational awareness of cyber threats.

Situational awareness of an organization’s cyber risk environment involves timely detection of cyber incidents, along with the awareness of current threats and vulnerabilities specific to that organization and associated business impacts. Analyzing, aggregating, and integrating risk data from various sources and participating in threat information sharing with partners helps organizations identify and respond to incidents quickly and ensure protective efforts are commensurate with risk.

A network operations center can provide real-time and trend data on cyber events. Business-line managers can help identify strategic risks, such as risks to the supply chain created through third-party vendors or cyber interdependencies. Sector information-sharing and analysis centers, government and intelligence agencies, academic institutions, and research firms also serve as valuable sources of threat and vulnerability information that can enhance situational awareness.

What key SCADA Security questions and concepts would you like to ask the head of your organization? Do you agree with the ones described in this article? Why or why not?

*The Ponemon Institute 2012 version of their “Cost of Cyber Crime Study” is now available and is a great document to share with your senior leaders.

Greg Hale
Editor and Founder
ISS Source

Practical SCADA Security thanks Greg Hale and ISS Source for this article.
