This special report aims to provide a few keys to enhancing corporate cybersecurity, particularly in the transportation industry.
Building Organizational Cyberresilience
Resilience refers to the ability of a person, ecosystem, or economy to resume optimal operation after trauma, disruption, or crisis.
The process is similar when it comes to cybersecurity. Zero (cyber)risk does not exist. But cyberresilient businesses can recognize and accept their vulnerability to cyberthreats and take measures to guard themselves, lowering the impact on their organizations, employees, customers, and reputations. What sets them apart is their ability to remain operational after a cyberattack and manage the resulting disturbances.
The effects of cyberattacks are many, and damages can be severe. No matter their nature, target, or scope, cyberattacks can tarnish the reputation of organizations and rattle the trust of stakeholders, i.e. customers, employees, shareholders/investors, the general public, etc.
In a core sector like transportation, organizational resilience is a must, both to ensure the economic survival of organizations and to secure their vehicles, equipment, and data networks. Integrating cybersecurity rapidly into organizational and operational processes is crucial.
At the Heart of IT-OT Convergence
Until a decade ago, information technology (IT) and operational technology (OT) were two fairly distinct areas. In the early 2000s, cybersecurity efforts were mainly focused on IT infrastructure, and cyberthreats, which were few and far between, almost never targeted operational systems. The systems did not communicate, and the teams responsible for them had no need to collaborate.
Things have evolved, and the emergence of cloud-based solutions has connected most operational systems to the Internet – for better and for worse. While the advantages are undeniable, the situation also creates new vulnerabilities that businesses must analyze closely.
The strategies implemented by IT teams still often reflect a misreading or poor understanding of operational systems, which hinders the comprehensiveness, effectiveness, and synergy of their approach.
Promoting convergence between IT and OT helps coordinate the work of the teams that oversee information systems and engineering departments. A cross-functional approach makes it easier to secure operational systems and their connected equipment and to make them an integral part of a shared, cohesive cybersecurity program.
Fully integrating networks (cloud, Internet of Things, etc.) into the implementation of a unified governance, process, and policy framework for IT and OT heightens businesses’ security for both their information and operational systems.
Businesses generally have an organizational cybersecurity program that defines activity in terms of information security – for which the international standard ISO/IEC 27000 is used as a benchmark – but such programs are nonetheless ill-suited to the reality of operational systems. As IT and OT face distinct, and sometimes divergent, issues, it is possible, and even beneficial, to include elements of organizational cybersecurity in order to promote the secure development and maintenance of operational systems.
If an organizational cybersecurity program has yet to be implemented, it is important to analyze operational processes and standards before moving on to any other cybersecurity-related activity. Determining gaps between current development processes and cybersecurity measures is an essential step in identifying vulnerabilities and potential security breaches.
This process is set to become an industry standard and compares to implementing a quality management program (ISO 9000). It involves implementing security controls from the very beginning of operational system design work. Doing so requires time, effort, and specific skills that can be provided by resources from outside the organization to support the process.
Over time, having a proactive approach to cybersecurity has a positive impact on company engineering decisions by fostering the secure development of new operational systems from the early design phase.
It’s Not Only About Technology
While a single vulnerable system can be enough to open a security breach into a digital environment, the ways to avoid such situations and the solutions to be implemented are not all technological in nature.
Organizational and human factors also play a crucial role in businesses’ ability to manage cyberrisks. Organizations have everything to gain by laying the foundations of a cyberculture that influences their actions, investments, technological innovation, strategic planning, and the evolution of their processes and policies to secure systems. The effects will be all the more beneficial for businesses’ long-term health and success when decisions are supported by top management and communicated well to all teams.
One first step involves training all employees on the basics of cybersecurity to raise their awareness of the importance of practising good digital hygiene and the potential impact of their actions on company systems security. Promoting a solid understanding of these issues and business needs helps keep employees accountable.
Add to these awareness efforts more specialized training from IT teams as part of the business’s organizational cybersecurity program, to promote conducting risk analyses on systems and subsystems and clarify stakeholders’ roles and responsibilities. By developing a shared cybersecurity framework, the engineers responsible for individual subsystems will be able to respond to risk analyses and IT teams’ attack scenarios. Product managers will be kept informed of risks that may affect specific products.
Enhancing company cybersecurity requires specific skills and an effective strategy in the hands of a dedicated, duly coordinated team that is well represented at the upper management level.
Defining and implementing a cybersecurity program that is adapted to operational systems requires advanced expertise that current IT teams in the industry may not have. Businesses may need to recruit specialized resources or call on external expert cybersecurity services to support their efforts. Such dedicated resources capable of understanding and dealing with cybersecurity issues ensure that company stakeholders are kept informed and engaged throughout the organization.
In an ideal organizational structure, these efforts are coordinated by an executive-level specialist whose mission it is to uphold information and data security. This person, the Chief Information Safety Officer (CISO), plays a different role than the Chief Information Officer (CIO), whose tasks mainly focus on the strategic planning of organizational information technology initiatives. By working closely with the executive team, the CISO is aware of the company’s evolution, its development opportunities, and strategic direction when it comes to innovation. They can then see to it that operational cybersecurity concerns are integrated from the outset.
Transitioning to making cybersecurity central to business operations and strategic planning is crucial. The process may be long and complex, and it must take into account company constraints and avoid trying to change everything all at once. A gradual, properly explained implementation will encourage employees to adopt these important changes. A balance must be struck between the need to strengthen security activity and to ensure continued daily operations.
Just as businesses began undergoing a digital transformation a few years ago, a transition to cybersecurity is unavoidable. Businesses must adapt quickly to these new constantly shifting constraints. While most increasingly understand the related risks, many are still struggling to collect data and mobilize the resources they need to act.
One thing is certain: the days of handling cyberthreats in a vacuum are long gone, as every economic sector and organizational activity is affected. The time has come to secure current operational systems and make cybersecurity a design criterion for future systems. Today, clients are increasingly demanding confirmation that cybersecurity analyses are included in system development cycles, before even purchasing or implementing these systems.
As organizations grow cyberresilient, the ideal process will involve eliminating potential security breaches from systems right from the design stage. Until then, how can you ensure systems meet market requirements and expectations?