What does Industrial Cybersecurity Risk Management look like from the Moon?
When Buzz Aldrin, the second man on the moon, was asked why space tourism was taking so long to get off the ground, he said: “One impediment is the fear of catastrophe. And I’m not sure how you deal with that. Does it mean we don’t fly civilians in space? Do we only do it from our couches? Is the destiny of the human species to sit back and play with our mouse and computer and imagine, fantasize? We are scared out of our wits. We are a risk-averse society now.”1
We can think of this statement using terms from the world of Industrial Control System (ICS) cybersecurity. Aldrin is someone who was willing to stand on the “magnificent desolation” of the lunar surface not knowing if the Ascent Propulsion System would work to return the crew to Earth. He is expressing that he doesn’t see a similar willingness to take risks in society now. He seems to have a higher-than-average Risk Appetite.
Risk Appetite is a major concern for the industrial enterprise, too. Of course, we would like to have zero risk, but this is impossible in any endeavor. We must find a balance between risk and reward. Enterprises can point to benefits for shareholders, employees and the public to balance against the risk of things going wrong. Typically, employees who receive greater benefits from operations than the public will accept a higher risk. The risk that an enterprise finds acceptable to achieve its aims is called the Risk Appetite. An enterprise may get away with having a higher-than-average Risk Appetite, but this may be difficult to justify in the event of a safety incident.
We don’t have to accept every risk. Four ways to manage risk are Avoid, Transfer, Mitigate or Accept. Risk can be defined as likelihood multiplied by consequences and it is common to express consequences of whatever type (safety, environmental, lost production, reputation, regulatory, etc.) in financial terms. Otherwise, it is difficult to make comparisons and prioritize. So, if there is a 10% chance of a $1 million loss in the next 10 years, expenditure of $100,000 to avoid it is worth considering.
For industrial enterprises, the biggest consequences of cybersecurity incidents usually come from physical hazards associated with the plant. In practice, though, enterprises struggle to get a handle on cybersecurity risk as they don’t have a useful record of their assets. Hexagon’s cybersecurity solution, PAS Cyber Integrity® solves this using the multi-vendor backup and configuration files to build an evergreen deep inventory from the control system down to the level of valves, pumps and instruments. Users then run a vulnerability assessment of their inventory using a daily updated feed of vulnerabilities from the National Institute of Standards and Technology (NIST) and including user-graded Impact Factors which describe how this asset could affect other assets or physical processes. PAS Cyber Integrity will also provide a network topology of IT and OT networks to show how risks can propagate and to highlight at-risk and high-impact assets. With this approach, users can finally get control of Cybersecurity Risk Management, bringing it into the overall Risk Framework of the Enterprise alongside financial and physical safety risks.
We can never avoid risk completely. But with proper Risk Management, we can shoot for the stars while keeping appropriate control of risks. Or as Aldrin would say:
“History will remember the inhabitants of this century as the people who went from Kitty Hawk to the moon in 66 years, only to languish for the next 30 in low Earth orbit. At the core of the risk-free society is a self-indulgent failure of nerve.”2