Boards of directors: The final cybersecurity defense for industrials

There is no doubt that the number of cyberattacks will continue to grow and escalate in the coming months and years because of the steady adoption of new technologies and digitization. What remains to be seen, however, is how cyber defenders will ward off these newfangled, sophisticated assaults coming from all directions.

Cyber defenders could simply focus on managing the day-to-day task of putting out cyber fires, but what true cutting-edge organizations really need is a strategic security plan outlining their approach and direction, and that is exactly where an organization’s board of directors can shine.

Yes, a board of directors deals with issues relating to the company, its shareholders, its employees, and the public, but it also helps define objectives, establish major goals, and stay focused on the company’s direction over time.

But as cyberthreats continue to grow as a result of increased digitization, cloud adoption, advanced connectivity, and AI—including generative AI (gen AI)—boards of directors across all business sectors can provide direction on where and how an organization can remain cybersecure.

To that end, board members need to understand the organization’s landscape.

One case in point is the industrial operational technology (OT) space. As this sector embraces digitization, its “attack surface” is skyrocketing. In a space that boasted about being air-gapped, or unplugged from the internet environment in years past, these new capabilities have made it vulnerable to attack—and threat actors are champing at the bit.

To get an understanding of the impact on the OT sector alone, consider the numbers, which show that the threat of cyberattacks continues to grow because of increased digitization, computing scale, and advanced connectivity.

Of 64 OT cyberattacks publicly reported in 2021 (an increase of 140 percent over the number reported in 2020), approximately 35 percent had physical consequences, and the estimated damages were $140 million per incident.¹Andrew Ginter and Greg Hale, “OT security incidents: 2021 trends and analysis,” Waterfall Security Solutions, May 11, 2022. Geopolitical risks in 2022 resulted in an 87 percent increase in ransomware incidents, with 72 percent of the overall rate increase over the 2021 figures coming from Europe and North America (40 percent more in North America, 32 percent more in Europe, and 28 percent more in other continents, compared with 2021 data).²“The cost of OT cyber security incidents and how to reduce risk,” Nozomi Networks, 2020.

Each organization can look at multiple landscapes when considering cybersecurity:

• Digital OT. This is where physical systems (such as plants and facilities) become enabled via IT (or computer) networks that are used to control and monitor the operations from centralized or distributed centers. Digital OT allows for monitoring critical field operations from a central or local control center and remotely sending commands to a physical system operating in a remote area. While digital access to physical systems is incredibly important for operational efficiency and safety, it is also challenging because it introduces new potential cyberattack pathways. Furthermore, legacy OT equipment came online decades before digital became viable, so most systems are difficult to secure.
• Cloud and edge computing. This is highly important for streaming video that can monitor a physical security perimeter and cost-effective intensive computing. However, these types of systems also introduce security challenges because of the level of integration with IT systems and the potential of providing closed-loop feedback to the plant control systems.
• Internet of Things (IoT) and Industrial IoT. Devices allow for remote monitoring for such things as pressure, internal pump viscosity, and temperature levels. They enable a high degree of real-time and precise information to be accessible from far away. Because these devices are deployed widely and are inexpensive, security is not often built in, leaving them highly vulnerable to even basic attacks. IoT connections grew to 16.7 billion in 2023, a 16 percent increase from 2022.³Fernando Brügge et al., State of IoT: Spring 2023, IoT Analytics, May 2023. In the first six months of 2023, IoT malware globally was up by 37 percent, resulting in a total of 77.9 million attacks, compared with 57 million attacks in the first six months of 2022.⁴2023 SonicWall cyber threat report: Charting cybercrime’s shifting frontlines, SonicWall, 2023.
• AI. AI-enabled systems can provide cognitive insights for business leaders from seemingly unconnected data sources, utilize machine learning to automatically improve AI-driven systems and capabilities, and automate near-human decision making in complex operational and business processes. While these capabilities help business leaders keep pace with the speed of global operations, they also offer the potential for an attacker to take over or negatively affect a targeted organization.

The attack surface is expanding

No matter the industry, an evolving digital environment creates an expanding attack surface, where threat actors are becoming more innovative and sophisticated, which means they are modernizing their capabilities to take advantage of vulnerabilities.

One area where threat actors find vulnerabilities is public clouds, where there is often security misconfiguration of cloud instances, sometimes also called “buckets.” Security configuration of cloud instances is most often an accountability that sits with the company using the cloud, but security engineers are still learning how to secure the cloud. In quite a few companies, there is also a lack of strong central oversight and governance of cloud use. A company’s ability to maintain a competitive digital edge depends heavily on the cloud, and if not well used, it can expose a company to huge risk.

Another evolving area is that crime groups are now technologically on par with nation states. For years, nation states have held the upper hand. With nearly unlimited funding and the ability to execute real-world attack campaigns against live targets, nation state hackers were in an elite class. But now cyber operatives are putting their skills to use for personal financial gain. Because of the popularity of ransomware, attackers can now pool their skills and resources to create for-profit cyber armies. In 2023, ransomware payments hit a record $1.1 billion.⁵The 2024 crypto crime report: The latest trends in ransomware, scams, hacking, and more, Chainalysis, February 2024. This significant increase has boosted the financial resources of cybercrime groups to billions of dollars. This combination of talent and financial aggregation has created hacker organizations that effectively rival nation states. They now have their own R&D functions, specialized training academies, and networks of vendors for specialized skills.

Attackers are pooling skills

By pooling their skills to create groups, attackers are becoming more specialized. The increasing demand for specific skill sets or types of capabilities has grown a thriving cyberattacker economy. This, in turn, has enabled attackers to break off and effectively become individual contract “hackers for hire,” selling their skills for personal profit. Investigations into the hacker-for-hire markets have found that these freelancers charge between hundreds of dollars and thousands of dollars per job for tailored attacks, with the upper end targeting large and important multinational corporations.⁶The cost of hiring a hacker on the dark web: Report, Comparitech, August 2023.

Another more contemporary trend among threat actors is using gen AI to develop novel attack techniques. There are excellent and important uses for gen AI, but not all of its capabilities are used for good. Since the introduction of ChatGPT, there have been cases where threat actors have used it to explore existing code libraries for vulnerabilities, improve existing hacking tools, and even create never-before-seen tools to steal PDFs, images, and Microsoft Office files from target systems. Then there are the unknown attacks on the horizon as threat actors invest in their own R&D.

Meanwhile, “time to exploit” (TTE) continues to drop year over year for crime groups, now taking only seven days compared with several months in years past.⁷According to Rapid7's 2022 Vulnerability Intelligence Report. Sensitive information from highly capable and effective next-generation technologies is of interest to cyberattackers. Beyond just stealing capabilities to try to keep pace, attackers are anticipating achieving or leveraging full operational capability of next-generation technologies such as quantum. The best recent example of this is active data “harvesting” campaigns by government attackers in anticipation of quantum decryption.

Defenders are soaking up knowledge

While the offensive capabilities of threat actors may seem overwhelming, they serve as good intelligence because defenders are learning rather than sitting still.

Over the past four to five years, organizations have been strengthening their cyber defense capabilities. Although the number of cyberattacks continues to grow at incredible year-over-year volumes, the number of significant attacks (those associated with more than $1 million in impact or more than one million files leaked) has remained relatively static (exhibit). This goes to show that defenders continue to improve their capabilities, which have increased for a myriad of reasons, such as executive focus and investment, regulatory and legal pressure, and customer and shareholder expectations. Some organizations, however, have brought in military-grade cyber talent and defensive tools, increased defense capabilities (such as security automation and self-healing networks), and improved collaboration and information sharing among different defensive groups.

While attackers continue to invest, innovate, and grow, defenders must remain vigilant and understand that security is an ongoing endeavor. They must focus on building resilience, which means building as many capabilities as possible to enable a fast response and complete recovery in the case of a cyberincident.

To achieve best-in-class resilience, defenders can follow these six key actions:

• Human capital, training, and certification. Organizations should ensure sufficient capacity, capability, quality, and outcomes for their cyber teams. This means hiring enough qualified professionals and ensuring they receive the support and training needed to be effective. Moreover, there needs to be a standard by which they are measured that demonstrates real improvement. But with a shortage of up to 3.5 million qualified security professionals, according to one survey, other technology professionals need to step up and do their part. Cybersecurity is the application of technology tools and techniques to solve a particular problem. Engineers who build and maintain technologies in those domains already have much of the knowledge and skill necessary to build and maintain effective security. That means upskilling cyber professionals via training, certifications, and on-the-job learning is an effective way to gain additional skills, knowledge, and experience.
• Integrate cyber governance and risk management. Embedding security into technology cannot happen piecemeal. If implemented that way, attackers can exploit gaps between protected parts of an environment. Instead, a top-level strategy reinforced with strong and cohesive governance will ensure the necessary level of alignment.
• Secure third-party and supply chain. This is becoming a huge area to keep an eye on. Companies employ vendors, contractors, and consultants, as well as purchase hardware and software from a vast array of providers across a wide-ranging supply chain. While companies focus on their own security, they also have to work to hold third parties to the same high standard, which is easier said than done. Companies need to understand the level of business criticality for third-party suppliers and the corresponding level of business risk.
• Plan and practice response and recovery. Companies need to plan and prepare for the possibility of an incident. Before an incident occurs, organizations must create a plan and regularly rehearse it. They need to pre-establish relationships with cyber specialists, and key technology providers need to be on call. Immediately upon learning of an incident, there must be a “break glass” capability to quickly bring to bear threat and defense stabilization. This means launching at-scale forensics immediately, organizing the technology team for rapid patching and configuration changes, and fast-tracking decision making on necessary response and recovery actions. In parallel, to calm the threat and defense situation, a company simultaneously needs to launch into stakeholder stabilization. This means leaders need to act decisively when considering what to share with which stakeholders, key customers, and vendors. They must also determine which important third-party relationships get proactive outreach. Priorities for internal and external stakeholder management need to be clear and strategic. As soon as the threat, defensive situation, and stakeholders are stabilized, the organization needs to implement recovery operations.
• Embed security architecture and engineering by design in digital transformations. Security professionals know that having secure digital products, systems, and environments is not just valuable but an essential part of building digital trust with customers and other important stakeholders. That same thought process should be followed by technology teams. They need to understand that security is more than a value add; it is as essential to their development road maps as it is to the customers who will use their products. Since the best security becomes embedded by design rather than bolted on, organizations need to push digital leaders to ensure that security is a key part of every digital product.
• Leverage AI for security operations and intelligence. AI is here to stay. There is an attacker right now using AI to build or improve an attack tool. Is there a defender leveraging AI right now to ensure a secure environment?

Boards can play a role

Against this backdrop, and as mentioned earlier, boards of directors can play an important role in protecting organizations from the increased risk of cyberattack.

First and foremost, board members provide oversight and guidance. They should ensure that executives and their teams set a high standard for cybersecurity. They should then follow through on achieving them by ensuring that security is embedded by design in digital products and that technology teams share responsibility for cybersecurity. The board is the last line of defense in ensuring such initiatives get planned and funded.

Boards also look at risk prioritization and trade-offs. They are often intimidated when it comes to determining risk levels and giving fact-based inputs into risk trade-offs. In addition, the vocabulary and reporting capabilities used by security teams with their boards are often inconsistent and technical. As a result, it can be overwhelming for board members who want to contribute meaningfully to reducing cybersecurity risk but are not quite sure how. A board member does not need to have specific knowledge about cybersecurity to add value. Instead, they need to test and ask the cyber team about potential business impacts. This means the cyber team should equate cyber issues and controls with business risks.

Board members can oversee budget and resources. Again, a member does not need to know much about cyber to add value to conversations about budget and resources. The most important questions to ask are not about levels of spend, but rather allocation and inclusion: asking the cyber team to define how much security budget goes toward addressing top-tier risks, for instance, or what portion of a new product budget is inclusive of the necessary security spend.

Another key component is to ensure accountability and reporting. Cyber teams, and the executives they report to, spend a huge amount of time and effort preparing reports for the board. Boards should make sure the security team feels the mantle of accountability to deliver on what they promised. There needs to be clear risk appetite and thresholds, and executives must remain accountable for achieving them.

Boards can provide insight

Board members provide experience, insights, and connections. Each member carries a wealth of experience, an impressive resume, and a lifetime of valuable relationships. Although it may not be immediately apparent, board members may be valuable sources of cyber information and insight without even realizing it.

In a digital environment where technology continues to advance and threat actors may seem to hold the upper hand, there needs to be an all-hands-on-deck mentality to ensure a secure environment. When it comes to cybersecurity, the ultimate compliment for an organization is that nothing happens—the enterprise keeps running uninterrupted.

A board of directors can lead that charge.