Cyber security for senior managers
01 December 2021
Cyber security attacks continue to be widely reported in the media. Among the latest high-profile cases is the Colonial Pipeline attack. However, any business, regardless of size, is susceptible to cyber security breaches. It is the responsibility of business leaders to ensure that appropriate measures are in place to reduce the threat.
Cyber attacks can result in industrial liabilities due to loss of life, damage to the environment and loss of production, as well as direct costs such as those arising from technical fixes, loss of customers and dealing with media and press enquiries. In some cases, criminal proceedings can be brought against businesses or individuals. In one example, quoted in the Chemical and Downstream Oil Industries Forum (CDOIF) guidance for senior managers on cyber security, one business subject to a cyber event reported that:
“The initial months of response were all consuming for many employees but what cannot be underestimated is the slow burn over the next two years and the years to come. Articles are written, presentations are made by people without the full knowledge, that must be replied to, to maintain product and company integrity.”
Regardless of local, national and international regulations, managing cyber security risks is good business. It is also important to point out that size and nature of the business are no barrier to attack. And with threats coming from many different sources, including nation states, criminals or even a company’s own employees, it is critical that organisations understand how they may be at risk and from whom.
Understanding your computer systems and networks
Computer systems form an integral part of any organisation, providing essential business functions ranging from email and accounting to control and automation systems which manage plant and process. Understanding the nature of these systems and their inter-connectivity is key. They may reside on servers within the organisation, with third party providers, or may even be cloud based. And it is for business leaders to ensure that these systems are protected.
Before implementing any security measures, it must be first determined what is to be protected (or defended), the connectivity between each system as well as system access rights, both physical and digital. For control and automation systems, the Health and Safety Executive’s Operational Guidance (OG86) ‘Cyber Security for Industrial Automation and Control Systems’ (https://www.hse.gov.uk/foi/internalops/og/og-0086.pdf) provides an excellent reference point to help organisations answer these crucial questions.
Managing the risks
Senior leaders are responsible for the people, processes and technology necessary to protect against cyber threats:
Figure 1 – Sources of cyber attacks - Image: TSA
- People – ensuring that there is sufficient resource, competency and communication with their staff
- Process – ensuring corporate risk registers are maintained with cyber threats and management systems are in place to manage those threats
- Technology – ensuring that appropriate technology is deployed and regularly updated
Business leaders should also ensure that appropriate key performance indicators (KPIs) are established and reported. These should include both lagging indicators, such as the number of unauthorised access attempts, and leading indicators, such as intrusion detection system effectiveness. However, KPIs only measure predetermined parameters, the things we already know about. With cyber threats continually evolving, it is also key to have access to external threat information, such as media reports of incidents affecting similar businesses.
In addition to ensuring sufficient resources and measuring the performance of the business, focus should be placed on fostering a healthy vision and business culture. A strong organisational culture would include ensuring that there are no barriers to reporting concerns, that incidents and near misses are logged and reviewed in a timely manner, and that the teams responsible for Information Technology (IT) (such as email servers) and Operational Technology (OT) (such as control systems) communicate effectively to share knowledge and best practice. Most crucially, existing business practices may need to change to accommodate fast-changing cyber security arrangements and threats. Decision makers will need to be able to react quickly and ensure that communication between management teams and technical specialists is clear, concise and fast.
Competency and vetting
As with all critical operations, it is important to ensure that people are competent to carry out the tasks that are assigned to them. Most businesses will already have a comprehensive Competency Management System (CMS) in place. However, the existing CMS is unlikely to cover all the aspects required for cyber security and will need to be updated to include:
- The IT and OT tasks that may cause a cyber security risk
- The IT and OT tasks that are required to implement the Cyber security measures
- Competencies required to carry out these tasks
- How cyber security threats are reviewed in order to update competencies (Cyber security is rapidly evolving so the CMS should be updated accordingly)
- Where cyber security roles are external to the business, how to maintain intelligent customer capability
General awareness of cyber risks should also be provided to all employees and contractors with access to systems.
Figure 2 – Image: TSA
To provide protection against internally initiated attacks, organisations should ensure that they carry out appropriate levels of vetting. Vetting should be proportionate to the role that the individual is being tasked to do and should cover new staff, staff moving to new roles within the business, and contractors (or, for contractors, evidence from their employer that vetting has been done). It should also be carried out on an ad-hoc basis when triggered, for example, by a change in behaviour. However, vetting alone may not provide protection for highly sensitive areas. For this reason, consideration should be given to sharing critical roles, so that key tasks require both a requester and a separate approver.
Policies and procedures
As with all aspects of a business, the management team should ensure that there is an appropriate cyber security management system in place covering:
- Management of security risks
- Protection against cyber attack
- Detection of cyber security events
- Minimisation of the impacts of cyber security incidents
Interfaces to existing management systems, such as those for competency and process safety, should also be considered.
As part of the cyber security management system, consideration should be given to how auditing against policies and procedures is undertaken. The audit will need to ensure that the cyber security management system is used as intended and is appropriate for use. In addition, it should consider providing evidence of the existence of vulnerabilities and verification that any countermeasures actually work.
The UK National Cyber Security Centre provides a Cyber Assessment Framework (CAF) (https://www.ncsc.gov.uk/collection/caf) that allows organisations to assess the extent to which cyber risks to essential functions are being managed.
Vulnerabilities to IT and OT systems may originate from on-site or off-site access. On-site controls are often easier to implement but businesses should also consider how they can manage potential threats from third parties visiting the site to carry out work (for example an automation contractor visiting site to carry out upgrade work). These additional measures could include:
- Defining and managing access control (e.g. passes/fobs)
- Implementing systems to ensure malware is not introduced
- Restrictions on the use of contractor’s own equipment
- Control of the integrity of software update mechanisms – software patches/virus definitions
- How communication with vendors and third parties should take place, for example to avoid phishing emails
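The item above on controlling the integrity of software update mechanisms is the one measure in this list that can be enforced technically rather than procedurally. The following is an added example, not code from the article or from TSA/CDOIF, showing the simplest form of that control: a patch or firmware file is only approved for transfer onto the control network if it appears in an approved manifest and its SHA-256 matches the published value. The file names, image contents and manifest are constructed for the demonstration and are not real vendor artefacts.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB chunks so large bundles need not fit in memory

# Constructed stand-in for a vendor firmware image. In practice the expected
# hash comes from the vendor's signed release notes or your change board, not
# from the file that arrived on the contractor's laptop or USB stick.
VENDOR_IMAGE = b"constructed vendor firmware image v2.4.1"
APPROVED_MANIFEST = {
    "plc_fw_2_4_1.bin": hashlib.sha256(VENDOR_IMAGE).hexdigest(),
}


def sha256_file(path):
    """Return the hex SHA-256 of a file, streaming it rather than reading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def check_update(path, manifest):
    """Decide whether a staged update may be moved onto the control network.

    Returns (approved, reason). A file is rejected if it is not listed in the
    manifest at all (nobody approved it) or if its hash differs from the
    approved value (it was modified or is not the release it claims to be).
    """
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not in approved manifest"
    actual = sha256_file(path)
    # compare_digest avoids short-circuit string comparison; harmless habit here
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: verified"


def demo():
    """Stage three constructed cases and return which were approved."""
    staging = tempfile.mkdtemp()
    results = {}

    # 1. the genuine image, byte-for-byte what the vendor published
    good = os.path.join(staging, "plc_fw_2_4_1.bin")
    with open(good, "wb") as f:
        f.write(VENDOR_IMAGE)
    results["good"] = check_update(good, APPROVED_MANIFEST)

    # 2. same file name, but the image has been altered (two bytes appended)
    with open(good, "ab") as f:
        f.write(b"\x90\x90")
    results["tampered"] = check_update(good, APPROVED_MANIFEST)

    # 3. an installer that was never approved at all
    stray = os.path.join(staging, "tools_setup.exe")
    with open(stray, "wb") as f:
        f.write(b"constructed unknown installer")
    results["unlisted"] = check_update(stray, APPROVED_MANIFEST)

    return {case: approved for case, (approved, _reason) in results.items()}


if __name__ == "__main__":
    for case, approved in demo().items():
        print(f"{case}: {'APPROVED' if approved else 'REJECTED'}")
```

A hash manifest only helps if the manifest itself reaches the site over a channel the contractor cannot alter; where the vendor signs its releases, verifying that signature is the stronger form of the same control, and the check should run on a dedicated transfer station rather than on the engineering workstation that will apply the patch.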
Many businesses also rely on third party services hosted in the cloud, such as email, document management and accounting services. While these services offer extensive benefits, they need to be balanced against the risks that may be introduced. Businesses should therefore ensure the robustness of the security measures put in place by the provider (e.g. to prevent unauthorised remote access) and that only those systems that need remote access have remote access. With cloud-based systems a high value target for attackers, appropriate provision should also be made for the event that the services are lost to the business.
Managing cyber security can be complex. It is therefore essential to understand what equipment you have, and how it can be accessed. Only then can the appropriate controls be put in place.
When planning these controls, it is important to remember that regardless of local, national and international regulations, managing cyber risks is good business. With all businesses at risk from a number of sources, and against ever-evolving cyber threats, failure to act could result in significant industrial liabilities and costs.
In this context, the Chemical and Downstream Oil Industries Forum (CDOIF) has recently published guidance on cyber security for senior managers which emphasises why cyber security is a risk to safety for the chemical and downstream oil industry and provides practical advice targeted at senior managers to ensure that risks are being managed and minimised.
Peter Davidson gave a presentation on this topic at the 2021 Hazardex Conference & Exhibition. Visit www.hazardex-event.co.uk for more information on our upcoming events.
About the author:
Peter Davidson is Executive Director of the Tank Storage Association (TSA) which represents the interests of over 45 companies who operate around 300 terminals in the UK or provide equipment and services to the sector. Peter joined TSA following 10 years as the director of Safety, Commercial & Projects at the UK Petroleum Industry Association. Previous to this, Peter managed the Safety Automation Group for ABB in the UK. Peter has responsibility for the day-to-day management of the association, leading on lobbying & advocacy activities and working with the Federation of European Tank Storage Associations (FETSA).