By Heather MacKenzie and Mihaela Grad
Over the last ten years there has been a significant shift in the level of concern over industrial cybersecurity risk. Executives at energy, utility and manufacturing businesses didn’t use to lose sleep over potential cyberattacks in the way they might have over major safety or environmental risks. At the plant level, operators believed air gaps and proprietary technology were sufficient defenses against malware, and that attacks on cyber-physical processes were very unlikely.
Fast forward to today, where the industrial sector is digitizing and automating processes at an increasingly rapid rate. While connected systems deliver new value and improve productivity, they also introduce exposure to cyber risk.
The World Economic Forum's The Global Risks Report 2018 captured the accelerating concern about cyber threats among world leaders and the C-suite:
“[A] growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in systems that keep societies functioning.”
No organization is immune to crises.
Data breaches often top the list of potential threats. In a Standing Partnership/Edison Research survey of 1,000+ executives, 34 percent reported IT and security issues had created a reputation problem in the past, with more than half anticipating similar problems in the future.
The energy sector is particularly vulnerable. Recent revelations about cyberattacks orchestrated by Russian hackers against U.S. energy companies emphasize how important crisis readiness is. The number of distributed denial-of-service (DDoS) attacks is projected to grow to 3.1 million by 2021, according to Cisco.
Increasingly, companies are judged not by whether they experienced a crisis, but by how they handled it. Successful crisis management is measured by the ability to navigate the situation with a stable stock price and an untarnished reputation.
Risk, Crisis Differences
Crises can be caused by external or internal factors. A natural disaster is an external threat beyond your control, yet it is still important to respond with speed and transparency. Organizations typically rebound faster from external crises because it is easier for stakeholders to forgive unintentional harm.
On the other hand, incidents resulting from purposeful misdeeds or negligence that could have been prevented (e.g., poor cybersecurity measures or unethical behavior) are more difficult for stakeholders to “get over,” often leading to reputational damage.
Not every risk causes a crisis, but the risks you should have known about and taken steps to address are the ones most likely to cause damage. Periodically review potential threats and develop plans for preventing them from escalating, or for mitigating the impact should they occur.
For example, a company cannot control whether attackers decide to target it. Acknowledging the risk, however, allows the organization to evaluate its IT/OT infrastructure and operational policies, identify and close gaps, and establish procedures for a timely and effective communications response.
A poorly handled crisis has broad implications. Regardless of what caused it, impact on stock price and brand is almost immediate.
Reported losses from cyberattacks run in the hundreds of millions – Merck: $780M, Maersk: $300M, FedEx: $300M. If your efforts around crisis preparedness are met with reluctance, cite Accenture's figure of $11.7M as the average annual cost of cyber crime per organization.
So, how do you prepare for a crisis? What you say, how you say it and the channels you say it through can either bolster or diminish your customers’ and stakeholders’ trust.
There are crisis preparedness best practices organizations can follow, including:
1. Align all your crisis response plans — Assemble all existing policies, business continuity, operational and communications plans, plus reports that outline the risks your organization faces. Determine how current they are, and list the gaps.
2. Build or update a cross-functional crisis team — Your crisis response team should include representatives from across the organization – safety, operations, legal, IT/OT, customer service, communications, HR, etc. – depending on your business and industry. If you have a head office and remote operational units, determine who from each location should be on the team. Make sure contact information is up-to-date, and that each member has a back-up.
3. Develop a written plan — It’s best to have a written crisis response plan that contains responses to the scenarios most likely to impact your organization. A typical plan includes the response team list and responsibilities, criteria for assessing severity, a decision-making protocol, key messages, a list of communications channels, and sample communications such as internal and external announcements, media statements, social posts and press releases. A plan eliminates second-guessing and speeds up response during a crisis. Ideally, it is reviewed and updated every six to twelve months.
4. Train your team — A plan without training isn’t worth much. Gather the cross-functional crisis response team at least once a year to run through the communications plan, and make sure members can execute seamlessly during high-stress situations.
To assess and manage OT risk, and protect your corporate brand, preparedness is key.
Advanced technology and proven reputation management strategies make it a whole lot easier.
Mihaela Grad is vice president at Standing Partnership, a reputation management consultancy. Grad leverages her experience in life sciences, agriculture and pharmaceuticals to build and execute plans to manage corporate reputations. Heather MacKenzie is an ICS Cybersecurity Specialist at Nozomi Networks. She has worked in industrial cybersecurity since 2008. She helps OT/IT teams responsible for industrial control networks understand cyber risks.