The newly released Securities and Exchange Commission (SEC) cyber incident disclosure rules have been met with mixed reviews. Of particular concern is whether public companies that own and operate industrial control systems and connected IoT infrastructure are prepared to fully define operational risk, and are therefore equipped to fully disclose material business risk from cyber incidents. This concern also presents a fresh opportunity for preparedness.
The rules require registrants to disclose material cybersecurity incidents (via an 8-K filing) no later than four business days after determining that the incident is material. Additionally, the rules require public companies to annually disclose information regarding their cybersecurity risk management and governance strategy for assessing, identifying and managing material cybersecurity risks as part of their 10-K filing.
Operational risk in OT and IoT
Cybersecurity incidents continue to disrupt production, with companies like Clorox reporting product shortages a month after disclosure. At least one other major US public company has already disclosed a cybersecurity issue in an 8-K filing with the SEC: in September, MGM Resorts in Las Vegas reported an incident that took its systems offline. The casino payment infrastructure was unavailable, slot machines were inoperable, and guests could not access their rooms.
Operations with components that were originally not accessible via the internet have increasingly become digitized and connected, as networked technology links systems to systems, sites to sites, and people to everything. Operational risk refers to any situation that causes a loss of view or loss of control over your connected processes and functions, where that view and/or control cannot be recovered automatically or remotely once it has been manipulated.
Response and recovery often lead to unplanned downtime, extended manual operations, and significant financial costs. Identifying which processes and functions matter most for business continuity is a process referred to as “crown jewel analysis”: identifying the critical assets that contribute to operations uptime and revenue. Identifying these assets allows security teams and executive leaders to prioritize which systems, including OT and IoT, require unique security protections and detections.
Once critical assets are identified, they need to be categorized and inventoried, because your team will be incapable of performing root cause analysis on any asset that is not accounted for, monitored, baselined, hardened, or queried. Security teams at public companies that have identified and outlined their operational risk and critical assets have three key objectives before December 15:
- to understand operational risk and map it to their company’s definitions of materiality
- to evaluate and take stock of OT/IoT assets not covered by existing IT security controls or capabilities
- to incorporate both assessments into reporting requirements outlined in the SEC rule for describing how the organization assesses, identifies, and manages material risks
Avoiding vs. mitigating operational risk
The reactive nature of cybersecurity has led to a reality in which boards and executive leaders attempt to mitigate risk by tasking security teams with avoiding risk. Risk avoidance, however, means eliminating the hazards, activities, and exposures that can negatively affect an organization and its assets. Risk mitigation, by contrast, accepts the inevitability of events and the impacts of situations that cannot be entirely avoided.
The SEC rule requires organizations to report how they do (or don’t) enable security teams and managers to understand, evaluate, and mitigate material risk. Teams and managers tasked with securing OT and IoT assets and networks often lack visibility into these systems, their connections, and their network traffic. This lack of situational awareness allows accidents and misconfigurations to go unlogged, and gives threat actors seeking to manipulate or destroy portions of your business a longer dwell time.
Companies with complex interdependent processes depend on equipment, communications, and business operations to supply goods, services, and resources nearly 24/7, 365 days a year. These operations and just-in-time processes can be significantly impacted by incidents originating in either IT or OT networks. Incidents that directly or indirectly impact OT (the process machines and engineering equipment) can result in high-consequence events that are devastating initially and remain so as cascading impacts continue.
Preparation for high-consequence events can follow the model of the Department of Homeland Security’s National Incident Management System. The DHS NIMS preparedness cycle includes five components: plan, organize and equip, train, exercise, and evaluate and improve. These five components are vital for cybersecurity. If health and human safety, avoiding unplanned downtime, and reducing mean time to recover are important for avoiding material impacts, operational risk cannot be ignored.
For companies beginning or maturing their due diligence journey with operational risk, there are four questions to answer:
1. What systems, assets, devices, and components does our business rely on most?
2. What is the current threat landscape for threats and vulnerabilities in OT and IoT control systems?
3. What vulnerabilities exist and are exploitable in my business, operations, and networks?
4. What existing security controls and policies are applied to OT and IoT devices and networks, if any?
Answering these questions and leveraging existing (and sometimes sector-specific) standards, frameworks, and best practices for OT and IoT security can assist in meeting the SEC reporting requirements.
If cybersecurity is a marathon and not a sprint, preparing for SEC Rule 17 is the warmup. Due diligence for operational risk will build the muscle and resilience required for the long run.