For years, security leaders have struggled against the perception by executive leadership that security is a cost center. Given the rash of breaches, frequency of government advisories, and stepped-up regulatory environment, that perception has been slowly changing. But now there is new urgency to remove this barrier.
Successful industrial, healthcare, and commercial organizations have begun to unlock the value of digital transformation and cyber-physical systems (CPS) convergence. Connecting operational technology (OT) environments to IT networks, out to the Internet, and to a range of Extended Internet of Things (XIoT) devices leads to greater automation, control, efficiency, and convenience. For those who are able to truly excel at it, digital transformation can be a differentiating advantage. But that advantage can quickly evaporate, and organizations can find themselves on shaky ground when threat actors take advantage of new attack vectors that emerge because of increased cyber-physical systems connectivity.
The unavoidable truth is that the more important cyber-physical interconnectivity is to your business, the more essential cyber-physical systems security is as a business enabler. So, cyber-physical systems security must move forward in lockstep with digital transformation initiatives as the costs of not doing so are far too high.
According to the Cost of a Data Breach Report 2022, the average cost of a data breach for critical infrastructure organizations was $4.82 million—$1 million more than for organizations in other industries—with healthcare incurring the highest average cost at $10.10 million. Where remote work was a factor, average costs increased by nearly $1 million. Lengthy dwell time also contributes to rising costs. For the past seven years the average time to identify and contain a breach has been 277 days. That’s plenty of time for a minor incident to escalate into a major breach.
Depending on the amount of downtime incurred, the costs of a breach can soar even higher. For example, the average automotive manufacturer loses $22,000 per minute when the production line stops. And 45% of respondents to Claroty’s Global State of Industrial Cybersecurity report say the operational impact of a downtime event would cost their organization $500,000 or more in revenue per hour, with 23% saying $1 million or more. There are plenty of real-world examples that support these types of numbers. Looking at the healthcare sector alone, a massive cyberattack that disrupted patient care for weeks cost Scripps Health $133 million, and Tenet Healthcare lost $100 million after a month-long outage.
However, the costs of attacks against critical infrastructure such as hospitals, oil pipelines, water utilities, and food and beverage companies are not only financial. Attacks that take advantage of cyber-physical systems and underlying connected assets can have much more dire consequences because they threaten the physical world we live in and the systems we depend on, putting lives and livelihoods at risk.
The bottom line: The cost for critical infrastructure organizations of doing nothing is not tolerable. The longer an organization goes without the right cyber-physical systems security capabilities in place, the more likely it is to experience a major breach.
Reducing the annual loss expected from a cyberattack is the primary way investments in cybersecurity will pay back a business. The following risk-reduction ROI formula, a variation on CISSP®-ISSMP®’s ROI formula that divides annual loss expectancy by the cost of countermeasures, is useful to measure the return on investment (ROI) from one or more cybersecurity controls.
If you assume one occurrence per year and use data from the Cost of a Data Breach report, it is a straightforward exercise to justify investments that reduce risk. If your organization’s risk threshold is high and you decide to spread the risk of such an attack out over two to three years, recognizing that costs continue to rise, you can still build a compelling case for investments in cyber-physical systems security tools, training, outsourced services, and hiring additional security talent.
Alternatively, you can extrapolate from your organization’s historical data on incidents to determine the occurrences and costs. The danger there is that past performance does not guarantee future results, particularly given how the world has changed fundamentally during the pandemic. The explosive growth in the interconnectivity of cyber-physical systems, coupled with the rapidly evolving geopolitical landscape and opportunistic criminals, makes for a dangerous situation. For this reason, widely recognized, current, third-party surveys can provide a more reliable and accurate picture of risk.
In addition to a reduction in business risk, there are other benefits to factor in when going to executive leadership and the board for additional security budget.
Compliance: Investments in certain tools can help organizations comply with regulations and avoid fines, loss of clients, lawsuits, and other legal actions.
Operational Resilience: In industrial and healthcare environments, operational resilience is crucial because revenue is generated and customers’ lives are improved when OT networks are up and running. Even a partial disruption due to lack of visibility into what is happening on the network can reduce productivity and revenue.
Digital Transformation: As organizations continue to look to digital transformation initiatives to drive business value, the right proactive security measures can ensure those initiatives are backed by a strong security posture so organizations can reap their full value.
At Claroty, we understand the complex and evolving threat landscape that critical infrastructure organizations operate in. Organizations struggle to detect, manage, and secure assets in OT environments, particularly in our expanding universe of cyber-physical systems and connected equipment and devices. At the same time, sophisticated attacks on cyber-physical systems require extensive preparation by adversaries and usually take a significant amount of time to carry out, with lots of lateral movement. We believe the biggest advantage defenders can have is to know their networks better than the adversary, so we have designed our suite of products to deliver that advantage and maximize ROI.
Comprehensive Visibility: The Claroty Platform is an agentless solution that provides asset visibility to identify vulnerabilities and suspicious behavior across cyber-physical systems and underlying, connected devices. Understanding your risk posture is an excellent first step to prepare proactively and focus on addressing likely paths of attack.
Curated Alerts: Visibility provides the foundation for continuous threat detection and curated, context-rich alerts to get to the bottom of anomalous activity quickly. With granular details of all assets, processes, and connectivity paths in your network, as well as definitive insight into what normal looks like, you can respond rapidly and confidently when alerts are triggered. Early intervention can eliminate or minimize the impact of an attack.
Proactive Security Controls: Attack vector mapping identifies the most at-risk assets and zones in your network and simulates the various means through which an attacker could penetrate that network, with a focus on lateral-movement scenarios so you can proactively remediate risk. Additionally, virtual segmentation controls communication using policy-defined groups of assets that communicate with one another under normal circumstances, and alerts you right away to lateral movement if an attacker establishes a presence so you can reduce dwell time. You can also track variables like firmware and software versions of assets to inform and accelerate risk and vulnerability management for cyber-physical systems and underlying assets.
Secure Remote Access: Remote work is here to stay, so the need to safeguard OT networks from threats introduced via unmanaged and unmonitored access by remote users is a “must have.” Claroty Secure Remote Access (SRA) empowers administrators to control access based on roles and policies, centrally manage user credentials, gain visibility into all remote connections and activities, and terminate sessions or view recordings in retrospect for forensic purposes if needed.
A Unified Front Against Cyber Threats: We believe the best cyber-defense strategy is a unified front against threats by consolidating cyber-physical systems security with existing IT security capabilities for a holistic approach to risk mitigation. A unified approach to governance offers significant performance advantages and maximizes ROI by allowing organizations to leverage their existing resources and personnel wherever applicable.