Moody’s gave a presentation entitled “The Financial and Credit Implications of Cyber Risk” October 23rd at the EnergyTech 2019 Conference in Cleveland. It is evident that control system cyber security has been a stepchild to IT security. Consequently, each time there is another significant IT cyber attack, control system cyber security falls “further off the table”. Because of Moody’s ability to reach the Boardroom, their interest in control system cyber security and its associated risk can be a game changer. According to the Moody’s presentation:
- Cyber event risk is a rising tide
- The financial impact of an attack can lead to weakened credit
- Sectors assessed as high or medium-high risk that use control systems include hospitals, utilities, medical devices, pharmaceuticals, and water/wastewater
- Cyber attacks are under reported
- The Moody’s cyber risk assessment approach includes vulnerability and operational impact
- Highest risk sectors rely on technology, are highly interconnected, and have limited ability to revert to manual operation
The implications are:
- Cyber attacks are under-reported for several reasons. One is lack of control system cyber forensics and training which leads to an inability to identify incidents as being cyber-related. A more disconcerting issue is intentionally not disclosing incidents as cyber which has happened far too often. In fact, there is an open issue with the Federal Energy Regulatory Commission (FERC) AD-19-18 on transparency of cyber incident reporting (formal comments were due this week).
- Organizations using control systems are dependent on technology, much of which has no cyber security or ability to be secured. On October 29, 2019 a joint cyber security (ISA99)/process safety (ISA84) working group identified there are currently no process sensors that are cyber secure (I will have more to say about this in a future blog). If you can’t trust what you measure, cyber security, safety, reliability, and resilience are all in question. That is, process measurements are critical for determining enterprise risk as they are the basic input.
- There is minimal training for control systems/Operations personnel to recognize upset conditions as potentially being cyber-related. This is part of the culture gap and broken governance model.
- It is the control systems that cause significant operational impact. Moreover, it is the control system devices with no cyber security that can cause catastrophic failures that could be existential to any manufacturing, industrial, or medical facility.
- Cyber security requirements for the electric industry are not comprehensive enough to address the control system issues that can be catastrophic. If the NERC CIPS were more than a compliance exercise, the electric industry would not be viewed as high-to-medium risk.
- Organizations, particularly utilities, would have difficulty reverting to manual operation for any significant period of time
It is critically important for the safety and reliability of our infrastructures that credit rating agencies such as Moody’s consider control system cyber security in their risk ratings assessments. For that, there needs to be control system metrics for evaluating technology and people. Based on history, Moody’s (and other credit rating agencies) participation may be the only way to get senior management to take appropriate actions to address control system cyber security, and thus, reduce enterprise risk.
Joe Weiss