The newly released Securities and Exchange Commission (SEC) cyber incident disclosure rules have been met with mixed reviews. Of particular concern is whether public companies that own and operate industrial control systems and connected IoT infrastructure are prepared to fully define operational risk, and are therefore equipped to fully disclose material business risk from cyber incidents. This concern also provides a fresh opportunity for preparedness.
The rules require registrants to disclose material cybersecurity incidents (via an 8-K filing) no later than four business days after determining that the incident is material. Additionally, the rules require public companies to annually disclose information regarding their cybersecurity risk management and governance strategy for assessing, identifying and managing material cybersecurity risks as part of their 10-K filing.
Cybersecurity incidents continue to disrupt production, with companies like Clorox reporting product shortages a month after disclosure. At least one major U.S. public company has already disclosed a cybersecurity issue in an 8-K filing with the SEC: in September, MGM Resorts in Las Vegas reported an incident which took its systems offline. The casino payment infrastructure was unavailable, slot machines were inoperable, and guests were unable to access rooms.
Let’s take a look at what operational risk looks like for OT and IoT, and why organizations preparing for the new SEC rule need to understand how it applies to their operations.
Operational Risk in OT & IoT
Operations with components that were originally not accessible via the internet have increasingly become digitized and connected as networked technology links systems to systems, sites to sites, and people to everything. Operational risk refers to any situation that causes a loss of view or loss of control over your connected processes and functions, where view and/or control cannot be recovered automatically or remotely after manipulation. Response and recovery often lead to unplanned downtime, extended manual operations, and significant financial costs.
Identifying which processes and functions are most important for business continuity involves a process referred to as “crown jewel analysis,” which identifies the critical assets that contribute to operations uptime and revenue. Identifying these assets allows security teams and their executive leaders to prioritize which systems, including OT and IoT, require unique security protections and detections.
Once critical assets are identified, they need to be categorized and inventoried. It may be true that you cannot protect what you can’t see, but your team will also be incapable of performing root cause analysis on any asset that is not accounted for, monitored, baselined, hardened, or queryable. Security teams at public companies that have identified and outlined their operational risk and critical assets have three key objectives before December 15:
- to understand operational risk and map it to their company’s definitions of materiality
- to evaluate and take stock of OT/IoT assets not covered by existing IT security controls or capabilities
- to incorporate both assessments into reporting requirements outlined in the SEC rule for describing how the organization assesses, identifies, and manages material risks
Avoiding vs. Mitigating Operational Risk
The reactive nature of cybersecurity has led to a reality in which boards and executive leaders attempt to mitigate risk by tasking security teams with avoiding risk. The two are not the same: risk avoidance eliminates the hazards, activities, and exposures that can negatively affect an organization and its assets, whereas risk mitigation accepts that events and impacts are inevitable for situations that cannot be entirely avoided, and plans to limit them.
The SEC rule requires organizations to report on how they enable (or don’t enable) security teams and managers to understand, evaluate, and mitigate material risk. Teams and managers tasked with securing OT and IoT assets and networks often lack visibility into these systems, their connections, and their network traffic. This lack of situational awareness allows accidents and misconfigurations to go unlogged, and gives threat actors seeking to manipulate or destroy portions of your business a longer dwell time.
Companies with complex interdependent processes depend on equipment, communications, and business operations to supply goods, services, and resources nearly 24/7/365. These operations and just-in-time processes can be significantly impacted by incidents originating in either IT or OT networks. Incidents that directly or indirectly impact OT, meaning the process machines and engineering equipment, can result in high-consequence events that are devastating both initially and as cascading impacts continue.
Preparation for high-consequence events should follow a model similar to the Department of Homeland Security’s National Incident Management System. The DHS NIMS includes five components: plan, organize and equip, train, exercise, and evaluate and improve. These five components are vital for cybersecurity. If health and human safety, avoiding unplanned downtime, and improving mean time to recover are important for avoiding material impacts, operational risk cannot be ignored.
For companies beginning or maturing their due diligence journey with operational risk, there are four questions to answer:
- What systems, assets, devices, and components does our business rely on most?
- What is the current landscape of threats and vulnerabilities affecting OT and IoT control systems?
- What vulnerabilities exist and are exploitable in our business, operations, and networks?
- What existing security controls and policies are applied to OT and IoT devices and networks, if any?
Answering these questions, as well as leveraging existing (and sometimes sector-specific) standards, frameworks, and best practices for OT and IoT security, can assist with SEC reporting requirements. If cybersecurity is a marathon and not a sprint, preparing for SEC Rule 17 is the warmup, but due diligence for operational risk will build the muscle and resilience required for the long run.