By Filipe Beato, Cyber Resilience Lead at the World Economic Forum's Centre for Cybersecurity, and Natasa Perucica, Research and Analysis Specialist at the World Economic Forum's Centre for Cybersecurity
Industries are in the midst of a digital transformation where infrastructure and systems are being connected to the internet and emerging technologies, such as artificial intelligence and internet of things (IoT), are being embraced to optimize performance and improve day-to-day industrial operations. The number of technologies finding their way into industrial operational environments and the new categories of connected objects is both impressive and bewildering. To illustrate, forecasts suggest that the number of industrial internet of things (IIoT) connections will reach 36.8 billion in 2025, an increase of 107% from 2020.
While digital technologies and connectivity unlock new business growth and efficiency opportunities in industrial environments, they also contribute to the expansion of the cybersecurity threat landscape, presenting risks that can lead to financial, reputational, legal and even physical and environmental damage.
In the face of proliferating cyber threats, it is no surprise that the value of the global industrial cybersecurity market is expected to grow to $29.41 billion in 2027, at an 8.2% compound annual growth rate over the period 2019-2027.
Cyber threats to critical infrastructure are increasing and challenging public safety, society and economic stability.
While no industry is spared cybersecurity threats, some are more susceptible than others to risks with far-reaching consequences. Critical infrastructure organizations, including those in energy, healthcare and manufacturing, have become a key target for malicious actors, with more than 60% of attacks in 2021 targeting operational technology. Gartner, the technological research and consulting firm, even predicts that cybercriminals are likely to weaponize operational technology and cause “harm or kill humans” by 2025.
The energy sector, which is crucial for the running and development of every other industry, has suffered a number of cyber incidents in recent years which have not only disrupted operations and the supply chain but also contributed, at times, to panicked consumer behaviour and higher energy prices. Such effects were, for instance, felt in May 2020 when a ransomware attack shut down the Colonial Pipeline, a major gasoline and jet fuel pipeline spanning 5,500 miles.
The healthcare sector has also suffered. A report by Check Point says that cyberattacks rose by 86% in 2022 compared to 2021. On average, the industry experienced roughly 1,410 security breaches every week. Such attacks often result in disruption of access to critical health data, such as prescriptions, laboratory results, as well as patient admission and discharge functions.
While such attacks expose patients to both cyber and physical risks, they also bear a significant cost for healthcare institutions. For the past 12 consecutive years, the health industry, more than any other industry, endured the highest data breach costs reaching a record $10.1 million in 2022.
With the proliferation and rapid adoption of innovation and digitalization resulting in connected factories and products, the manufacturing industry became the most targeted sector in 2021, with 65% of the incidents leading to disruption of operations and supplies and tampering with the quality of end products. At a time when supply chains are under stress, a cyber event could be hugely damaging for the global economic outlook.
Managing cyber risks is not an easy task, especially when industries are facing three main challenges:
- Divergent culture and priorities: Historically, a culture gap prevailed between the approach taken towards enterprise and industrial operational technologies, particularly regarding security. With both environments converging, an integrated approach to security is required.
- Diversity of technologies: Organizations rely on modern, proprietary and legacy technologies, some of which were built to last a lifetime but without necessarily having cybersecurity in mind. In addition, innovation and adoption of emerging technologies expand the complexity of managing cyber threats.
- Multifaceted and complex ecosystem: Hyperconnectivity and complex supply chain networks and dependencies, where trust is extended to third-party providers with different cybersecurity practices and levels of maturity, are a further challenge to security.
Moreover, these three challenges coexist with external factors that shape the cybersecurity space.
Geopolitical instability as a trigger for leadership action
As conflicts take on a digital dimension, there is growing concern among cyber and business leaders that “global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years”. This is particularly worrisome for organizations operating critical infrastructure, such as energy, healthcare and manufacturing – which are increasingly becoming a target for nation-state actors, hacktivists and other attackers motivated by political, economic, or strategic gains. Multiple sources indicate that at least 150 cyber incidents have taken place since geopolitical tensions have intensified. Such developments are influencing leadership action on cybersecurity with recent findings suggesting that global geopolitical instability has had a moderate or substantial impact on cyber strategy for 74% of business and cyber leaders.
Regulation as a driver of cyber resilience
In addition to the business sector, governments and regulators are also driving efforts to ensure that cybersecurity is strengthened in nations and regions by updating regulations and proposing new standards, in particular for critical infrastructure. Recently, the European Commission proposed a Cyber Resilience Act to address the inadequate level of cybersecurity inherent in many products, or inadequate security updates to such products and software. The act complements existing legislation such as the NIS2.0 Framework which was recently approved by the European Parliament and European Council and aims to bolster the EU’s cybersecurity capabilities and resilience by expanding its coverage to include more sectors.
In light of growing cyber risks, the US government has also sought to improve the cybersecurity of key industries. In May 2021, following the Colonial Pipeline attack, President Biden signed an executive order outlining a number of measures to modernize cybersecurity. Among other things, it led to the signing into law of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, whereby critical infrastructure organizations need to report cyber incidents and ransomware payments to the Cybersecurity Infrastructure Security Agency (CISA).
In response, CISA published a set of technical rules to protect critical infrastructure information and launched a strategic plan for 2023-2025 to collectively reduce risk and build resilience to cyber and physical threats to the nation’s infrastructure.
Nations in the Asia-Pacific region have also been active in updating cybersecurity strategic plans to address threats to the industrial environment and operational technologies. Singapore, for example, updated its Cybersecurity Strategy in 2021 to feature resilient infrastructure as a key pillar; Japan in 2021 included new approaches to advance digital transformation and cybersecurity; and Australia launched the Security Legislation Amendment (Critical Infrastructure Protection) Act in 2022 providing additional obligations and guidance for critical entities.
All these activities demonstrate how nations are taking concerted measures to address growing cyber threats to critical infrastructure industries. Some governments are also engaging and seeking international partners to develop mechanisms to share learnings and improve collaborative action.
How to transform cyber resilience into a global team sport?
The dependency on the digitalization and connectivity of critical infrastructures is growing exponentially, and so are the risks. At the World Economic Forum, multistakeholder communities have been collaborating to take global action at both an industry and cross-industry level to strengthen cyber resilience.
Independent of the industry, there are three key actions that would help organizations and ecosystems strengthen cyber resilience.
- Make cyber a business imperative while capitalizing on digitalization.
Businesses are moving towards more digitalization, connectivity and emerging technologies for strategic and competitive value. These drivers, along with the growing sophistication of cybercriminal operations, increase the risks and the potential impact of a cyberattack. It is important, therefore, to ensure that cyber resilience is part of the business strategy from the outset. To that end, business executives need to recognize and understand the associated challenges in order to apply correct prioritization and mitigation actions and capitalize on the business benefits. Organizations should establish a comprehensive cybersecurity governance model while leveraging existing global frameworks and standards, build a holistic view of the ecosystem and its broader impact, and ensure that resilience and security by design are embedded in operations and business decisions.
- Embed cybersecurity in the organization’s DNA
To achieve this, organizations need to cultivate a cybersecurity culture in the workplace at all levels – from operations to leadership. At the leadership level, cyber leaders should proactively communicate with executives and the board to convey cybersecurity as a business imperative and strategic priority. Cyber practitioners should communicate in business terms rather than confusing executives with technical jargon. The leadership should also understand that organizational cybersecurity is a shared responsibility guided and coordinated by the chief information security officer and, as such, is not the responsibility of any single individual. At the employee level, a cyber-aware culture can be promoted through periodic training and cybersecurity campaigns to increase education and highlight secure procedures.
- Ensure collaboration across the ecosystem
With the increasing complexity of industry and cross-industry supply chains and ecosystems, it is key that critical infrastructure organizations have a holistic view of their ecosystem and work closely to build resilience. Cyber incidents are a question of when, not if, and to mitigate vulnerabilities early and respond to threats more rapidly in real time, businesses should collaborate with government officials and regulators before security breaches occur to ensure incident reporting and information sharing systems are well understood. Cooperation should also extend to third parties that provide goods and services to critical infrastructure organizations. Organizations are as strong as their weakest link and attackers will target these weak links in supply chains to compromise the other entities in the network. To that end, ecosystem players should share cyber-threat information, and develop and test incident scenarios to better react in case of attacks.
Cyber resilience is not a destination but a continuous journey. As such, it cannot be regarded as a one-time, or a one-actor effort. At a time when the cyber threat landscape is in constant flux, it requires cross-organization and cross-industry collaboration to ensure business continuity and security.
About the Authors
Filipe Beato is a Lead at the World Economic Forum's Centre for Cybersecurity, where he is responsible for Cyber Resilience initiatives driving collaborative action to strengthen cyber resilience across industry ecosystems, such as Energy and Manufacturing. Filipe is a cyber resilience and digital professional with a focus on strategy, transformation and innovation across the public and private sectors, with 10+ years of experience in helping organizations shape and deliver their global cyber and digital strategies and transformations by bridging a strong technical background with business strategy. Filipe holds a PhD in Applied Cryptography from the University of Leuven, an MSc in Computer Science from the University of Bristol, and a BSc in Computer Engineering from the New University of Lisbon.
Natasa Perucica is a Research and Analysis Specialist at the World Economic Forum's Centre for Cybersecurity, where she co-leads activities of the Centre's Cyber Resilience in Oil and Gas initiative. She is also involved in the Centre's efforts on cyber capacity building and skills development. She received her bachelor's and master's degrees in Political Science from Université Catholique de Louvain in Belgium and is currently pursuing a PhD in Social Theory, Digital Innovation and Public Policies at Università degli Studi di Salerno.
Filipe Beato and Natasa Perucica can be reached through Mr. Sahil Raina ([email protected]), Media Relations Lead at the World Economic Forum.