Securing C-Level buy-in is becoming increasingly crucial for implementing cybersecurity measures across industrial and operational environments. Support from top management helps to ensure appropriate resource allocation and emphasizes the importance of implementing cybersecurity in the organizational structure. C-level executives play a critical role in integrating cybersecurity practices by setting the tone of seriousness and protocol compliance from top to bottom. Their participation helps develop a plan of action to address emerging security threats and ensure compliance with existing regulatory standards.
Moreover, C-Level executives can foster a culture of continuous learning and improvement by encouraging their teams to stay informed about the latest cybersecurity trends and best practices. By advocating for a holistic approach to cybersecurity, top management enhances security measures while nurturing a sense of responsibility and ownership among employees, motivating them to safeguard the organization’s most critical assets with dedication and vigilance.
Challenges and importance of securing C-Level buy-in
Industrial Cyber consulted with industrial cybersecurity executives to discuss the primary challenges in securing C-Level buy-in for cybersecurity measures. They explored why executive support is crucial for the success of cybersecurity initiatives in industrial and operational environments, and the importance of prioritizing cybersecurity within the overall business strategy.
![Charlie Lewis, partner at McKinsey & Company](https://i0.wp.com/industrialcyber.co/wp-content/uploads/2024/06/Charlie-Lewis-partner-at-McKinsey-Company.jpg?resize=220%2C220&ssl=1)
Charlie Lewis, a partner at McKinsey & Company, told Industrial Cyber that the primary challenge is how to balance the broader risk and business agenda with security needs – specifically as OT budgets and execution typically fall under operations and not always security (although this is changing). “The C-level has to understand tradeoffs between growth, investment, and security tradeoffs and why the specific security investment will demonstrate the most return on your risk investment,” he added.
The first step is making sure C-level execs understand that their enterprise IT cybersecurity does not adequately cover their OT environments, Dawn Cappelli, head of the OT-Cyber Emergency Readiness Team at Dragos, told Industrial Cyber. “This drives the conversation beyond budget to business risk. We’ve seen the light bulb turn on when these executives realize that the revenue-generating side of their business is not as protected as they thought it was from IT-centric tools, resulting in support for OT cybersecurity initiatives.”
![Dawn Cappelli head of OT cyber emergency readiness team at dragos](https://i0.wp.com/industrialcyber.co/wp-content/uploads/2024/06/Dawn-Cappelli-head-of-OT-Cyber-Emergency-Readiness-Team-at-Dragos.jpg?resize=220%2C220&ssl=1)
She added that some CISOs need to get the buy-in and resources from a single C-level executive in charge of all industrial operations. “Others are faced with a federated organization structure, where each plant manager has the autonomy to make decisions regarding cybersecurity in that particular plant. In a centralized model, the CISO has to convince a single person with an enterprise-wide strategy, in which resources can be prioritized and optimized across all industrial facilities. A federated model presents a significant challenge, often requiring multiple corporate strategies, drawn-out decision-making processes, and building and working across diverse teams in each facility.”
Cappelli said she has seen CISOs get creative in these situations, relying on gamification, such as cybersecurity scorecards for each plant made visible at the CEO and Board level to promote competition among the plant managers. “CISOs should keep in mind that C-level executives and plant managers are often not aware of the context surrounding OT cybersecurity risk: actual security incidents in OT, emerging cyber threats, and regulations that are pertinent to their operations,” she added.
John Cusimano, vice president for OT cybersecurity at Armexa, told Industrial Cyber that there are several challenges in obtaining C-Level buy-in for OT cybersecurity.
![John Cusimano, vice president for OT cybersecurity at Armexa](https://i0.wp.com/industrialcyber.co/wp-content/uploads/2023/09/John-Cusimano-vice-president-for-OT-cybersecurity-at-Armexa.jpg?resize=220%2C220&ssl=1)
“The first challenge is the lack of understanding of the true risk associated with an OT cyber security breach. The C-Suite certainly understands and knows how to manage risk, but they may not have a good understanding of how much risk is posed to the organization by the OT systems or lack of OT security,” according to Cusimano. “Most organizations fully understand and appreciate the consequence of an enterprise-wide ransomware attack and are applying resources to reduce that risk. But they may not recognize how other threats and vulnerabilities in OT could lead to significant health, safety, environmental, and financial losses should the OT environment be compromised either by a malicious actor or malicious software.”
Second, Cusimano pointed to the budget and the issue of determining who owns the budget for addressing OT cybersecurity. “Is it the CISO? Is it the VP of operations? Or, is it the individual plant managers?” he added.
The final challenge, Cusimano outlined, is that once the risks are understood and appreciated and the budget has been allocated, decision makers still have to be guided to apply resources appropriately to addressing those risks. “In other words, the funding could be granted but misapplied, resulting in very little gain in terms of risk reduction.”
Ilan Barda, founder and CEO at Radiflow, told Industrial Cyber that the C-Level holds the budgets and steers the strategy of the company. “They must be sold on the necessity of making cybersecurity a priority or it won’t happen.”
![Ilan Barda - Radifflow CEO](https://i0.wp.com/industrialcyber.co/wp-content/uploads/2024/01/Ilan-Barda-Radifflow-CEO.png?resize=502%2C445&ssl=1)
However, he pointed out that there are many challenges to obtaining C-Level buy-in, including the perception of cybersecurity as a cost center, and a lack of understanding, since cybersecurity involves complex technical details that C-Level executives may not fully grasp, leading to undervaluation of its importance. Complacency is another factor Barda mentioned, adding that “If an organization has not experienced a significant breach, executives may underestimate the risk.”
Barda also highlighted competing priorities, a reactive approach, measurement of ROI, and cultural resistance as some of the other challenges faced.
Regarding the importance of C-Level buy-in for cybersecurity in industrial and operational environments and the prioritization of cybersecurity within the overall business strategy, Barda commented on the need to align cybersecurity with business objectives by ensuring that cybersecurity initiatives support and enhance business goals; engage leadership and stakeholders; and develop a comprehensive cybersecurity strategy. He also pointed out that directives and regulations like NIS 2 and IEC 62443 increasingly demand a risk-based approach where the organization identifies and classifies its critical assets to prioritize protection based on their importance to the business.
Focus on resource allocation and decision factors
The executives discussed how to allocate resources toward cybersecurity relative to other operational needs. They examined the factors that influence their decisions to invest in new cybersecurity technologies or programs.
“This is more art than science, but by understanding security leaders need to shift from purchasing technologies and tools to buying down risk,” Lewis said. “Framing investments in terms of risk and how much risk appetite leadership has for certain types of risks, such as loss of sensitive data due to insider or disruption of critical operations due to ransomware, combined with identifying the capabilities that are most impactful in reducing those risks allows for business-backed discussions on where investments should be placed.”
Providing a realistic view, Cappelli said that first of all, an OT cybersecurity strategy won’t be implemented overnight, so it is important to prioritize accordingly. “When we rolled out our manufacturing strategy at Rockwell we started with our highest priority plant, then proceeded with the remaining Tier 1 plants, then Tier 2 plants. We decided we would determine what made sense at the Tier 3 plants when we got to that point. We also prioritized the items on our roadmap, knowing we could only do so much at once, due to financial resources as well as the people to carry out the tasks,” she added.
She added that although the multi-year roadmap was approved, “we continually worked with business leaders to adjust the plan as needed, based on financial fluctuations as well as changes in the cyber threat environment. In other words, we built a trusted relationship with the OT leaders in the company so that we understood when the plan needed to be sped up or slowed down.”
Cusimano pointed to ‘risk.’ “Risk and the amount of risk reduction achieved per dollar spent or ‘level-of-effort’ spent should really drive all decisions regarding the allocation of resources towards cybersecurity. These investments need to be balanced with other operational needs such as safety and maintenance that are also important to reduce the overall operational risk to the facility.”
He outlined that there is a relationship between cybersecurity and safety that is important to understand and appreciate because safety incidents can be initiated by a cyber event or a cyber event could suppress automated safety systems. “This is why risk assessment using a common risk tolerance framework, such as a risk matrix, is very important so that all risks to the organization are being measured using the same scale. This will allow leadership to make informed decisions as to where to apply their resources.”
Cusimano added that guidance for how to do this can be found in the ISA/IEC 62443-3-2 standard and by applying techniques and methodologies such as cyber PHA, Cyber HAZOP, cyber bow tie, and cyber informed engineering.
Barda identified that cybersecurity initiatives should align with business objectives, supporting the overall business strategy, mainly enabling safe business operations and protection of critical assets. “The Risk Management Platform should be able to prioritize the mitigation steps that will make the most impact on risk reductions – with respect to the cybersecurity budget. This creates a sort of cybersecurity program – a quantifiable roadmap – that the organization can adopt,” he added.
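The allocation logic the executives describe in this section (one common risk matrix across safety, environmental and financial consequences, risk reduction per dollar as the ranking metric, and a budget-bounded roadmap that also weighs non-programmable safeguards), worked as an added Python example that is not from the article or from any of the firms quoted; the scenarios, matrix scores, costs and tolerance threshold are constructed.

```python
"""Budget-bounded OT mitigation roadmap on one common 5x5 risk matrix (constructed example)."""
from dataclasses import dataclass
from itertools import combinations

TOLERABLE_RISK = 12  # assumed tolerance line on a likelihood x consequence matrix

@dataclass(frozen=True)
class Scenario:
    """Threat scenario from the OT risk assessment; one scale for all consequence types."""
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    consequence: int  # 1 (negligible) .. 5 (catastrophic), worst of safety/env/financial

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence

@dataclass(frozen=True)
class Mitigation:
    """Safeguard (technical or not) that moves one scenario to a new matrix cell."""
    name: str
    scenario: str
    cost: float       # constructed budget units
    new_likelihood: int
    new_consequence: int

    @property
    def residual(self) -> int:
        return self.new_likelihood * self.new_consequence

def residual_scores(scenarios, chosen):
    """Per-scenario residual: lowest cell reached by any chosen safeguard (no stacking)."""
    return {s.name: min([s.score] + [m.residual for m in chosen if m.scenario == s.name])
            for s in scenarios}

def total_reduction(scenarios, chosen):
    res = residual_scores(scenarios, chosen)
    return sum(s.score - res[s.name] for s in scenarios)

def reduction_per_unit_cost(scenarios, m):
    """'Risk reduction per dollar' for ranking a single safeguard."""
    return total_reduction(scenarios, [m]) / m.cost

def prioritize(scenarios, mitigations, budget):
    """Affordable set with the greatest reduction (ties to lower cost); exhaustive is fine at roadmap size."""
    best, best_key = [], (0, 0.0)
    for k in range(1, len(mitigations) + 1):
        for combo in combinations(mitigations, k):
            cost = sum(m.cost for m in combo)
            if cost <= budget:
                key = (total_reduction(scenarios, combo), -cost)
                if key > best_key:
                    best, best_key = list(combo), key
    return best

def intolerable_after(scenarios, chosen):
    """Scenarios still above the tolerance line after the chosen roadmap."""
    res = residual_scores(scenarios, chosen)
    return sorted(n for n, v in res.items() if v > TOLERABLE_RISK)

# Constructed sample assessment: scores 16, 15 and 6 before any safeguard.
RANSOM, REMOTE, LAPTOP = ("Ransomware halts packaging line",
                          "Remote access abused to change setpoints",
                          "Engineering laptop infects PLC network")
SCENARIOS = [Scenario(RANSOM, 4, 4), Scenario(REMOTE, 3, 5), Scenario(LAPTOP, 2, 3)]
MITIGATIONS = [
    Mitigation("Segmentation plus OT network monitoring", RANSOM, 250, 2, 4),
    Mitigation("Immutable backups and restore drills", RANSOM, 60, 4, 2),
    Mitigation("Hardwired pressure interlock (non-programmable)", REMOTE, 40, 3, 2),
    Mitigation("MFA and jump host for remote access", REMOTE, 90, 1, 5),
    Mitigation("Removable media and laptop procedure", LAPTOP, 10, 1, 3),
]
BUDGET = 150
```

With the constructed inputs, `prioritize(SCENARIOS, MITIGATIONS, BUDGET)` selects the backups, the hardwired interlock and the laptop procedure, reducing total matrix score by 20 for a cost of 110 and leaving no scenario above the tolerance line, while the most expensive technical control is left for a later budget cycle.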
Exploring approaches to cybersecurity risk management, incident response
The executives analyzed how operational managers handle cybersecurity risks within their environments, detailing the protocols typically used for responding to cybersecurity incidents and the frequency with which these protocols are reviewed.
“Operational Managers should understand four key elements to manage security risk – i) train your employees on how to operate securely in the same manner you do with safety, ii) embed resilience and security into new and existing operational processes, iii) assess, measure, and monitor your third-party risks, and iv) rehearse your cyber incident response plan,” Lewis said.
He added that in preparing for a cyber incident, having a playbook with key decisions and escalation criteria developed, who takes what action, and steps to take for safe shutdown and startup is critical – however, REHEARSING and preparing teams and leaders is important to execute well in a response.
Highlighting her Rockwell experience, Cappelli said “Our OT cybersecurity program was a joint program between the CISO and a security leader from operations. We used the NIST Cybersecurity Framework to design our roadmap and decided that we would start by addressing the Detect and Respond functions. We installed an OT cybersecurity platform, and the data went into the SIEM run by the IT security team.
“The CSIRT’s incident response playbooks for any plant event/incident listed specific contacts for every plant that were brought into the incident response process immediately,” according to Cappelli. “In addition, proactively, the operations team and IT security team worked jointly on the rest of the NIST CSF functions – Identify, Protect, and Recover – for example jointly implementing vulnerability management/patching, security awareness communications, supplier cybersecurity risk management, and so on.”
Cusimano noted that operational managers manage cybersecurity risks by first understanding and quantifying those risks using the aforementioned OT risk assessment methodologies. “Once those risks are understood and quantified then they continue to manage the risks by allocating resources to address risks that exceed tolerable limits.”
He added that once these risks are identified and quantified, an important next step is to evaluate various solutions to remediate said risk. “Sometimes, a more effective approach may be an engineering design change or adding additional non-programmable safeguards. In other words, buying more cybersecurity technology is not always the best answer to reducing cybersecurity risk.”
Cusimano also mentioned that there are other tools operational managers have in their arsenal, including policy and procedure, and non-technical safeguards, that can be more effective and cost less. “So, a very important step in risk management in OT is to gather a team of SMEs to study the risks and the risk mitigation solutions to determine the best and lowest cost solution,” he added.
He also listed four basic attributes of a good OT cyber incident response program. These include having good OT incident response plans based on the threat scenarios developed in the aforementioned OT risk assessments; having good incident response playbooks that are again based on the threat scenarios developed in OT risk assessments; conducting incident response training exercises, such as tabletop exercises, to test the effectiveness of plans and the organization’s ability to carry them out; and having incident response resources, both internal and external, at the ready. This often involves having an external organization on an incident response retainer.
Barda recommended that operational managers undertake regular – at least quarterly – risk assessments to identify and evaluate potential cybersecurity threats specific to the operational environment. They should develop and implement risk mitigation strategies, including technical controls. “Managers should establish and enforce security policies and procedures tailored to the operational environment, covering areas like data protection, access control, and incident response while ensuring adherence to relevant regulatory requirements and industry standards. Finally, since more and more employees are handling data, organizations should conduct regular training sessions to educate employees on cybersecurity best practices, emerging threats, and their role in maintaining security,” he added.
Enhancing cybersecurity training and awareness among operational staff
The executives address their strategies for ensuring that their team is well-trained in cybersecurity best practices and highlight the steps they take to enhance awareness of cybersecurity threats among operational staff.
Lewis said that, like any aspect of an operational job such as safety, cybersecurity best practices require annual training that is creative, gamified, and tailored to the operational environment. “Additionally, creating fun logos, mascots, and/or activities allows for the lessons on awareness to last. For example, one client used stickers of a character and donuts to ask company and role-specific security questions. Additionally, it is important that the OT, IT and security staff participate in the security team standups and threat briefings,” he added.
“Industrial operations is one place where role-based security awareness training and communications definitely makes sense,” Cappelli observed. “Training and ongoing communications should be tailored and limited to those issues that are relevant to their job. We also believed at Rockwell that we needed to build and maintain a culture of security, with ongoing security communications to all employees on relevant topics to keep security in their minds at all times. Therefore, we sent out a monthly security awareness newsletter that was relevant both to home and work,” she added.
Cusimano expressed that training and awareness start with having a solid OT cybersecurity management or governance program. “For example, you can’t train your staff on OT cybersecurity best practices without first establishing your organizational policies, standards, and procedures. Once that governance framework is in place, it is critical to roll out a training and awareness program in support of the overall effort. Of course, this doesn’t have to be a serial process. For example, once the basic policies have been developed an organization can start to roll out cyber security awareness training broadly.”
He added that as more detailed governance is developed, such as standards and procedures, role-specific training can be established and deployed to train appropriate individuals on what they need to know for their specific job.
“In the absence of company-specific OT security governance, organizations can get started by leveraging industry standard OT cybersecurity training such as the training offered by ISA,” according to Cusimano. “Such training can be deployed rapidly and will provide excellent training on both fundamentals and advanced cyber security techniques. But, standard training is not enough as it is very general. It is important to also include organization-specific, role-based training on the organization’s policies, standards, and procedures.”
“Organizations should implement regular, mandatory training sessions covering cybersecurity fundamentals, company-specific policies, and emerging threats,” Barda said. “The training should be tailored to different roles within the organization, ensuring that all team members understand the specific cybersecurity risks and responsibilities associated with their position. Employees should be encouraged toward continuous learning through online courses, certifications, and workshops on advanced cybersecurity topics as well as access to a library of up-to-date resources, including e-books, articles, webinars, and videos.”
Ensuring compliance with cybersecurity regulations, role of C-Level management
The executives discussed how they ensure compliance with industry-specific cybersecurity regulations and standards, and examined the role of C-Level management in maintaining and enforcing these standards.
Lewis noted that building a set of minimum-security controls that are tailored to industry and country-specific regulations helps ensure compliance. “However, it is not enough to just assume they are deployed – companies should understand control design, coverage, and effectiveness through monitoring, metrics/reporting, and technical testing. C-level management can expect to receive a standard set of metrics tailored to performance against regulatory standards,” he added.
“At Rockwell, we used the NIST CSF to design our IT and OT security strategic roadmaps and measured and reported our progress against that standard,” Cappelli revealed. “At first this was new for our C-Level executives and most of our Board, but after its initial introduction it provided a clear mechanism for providing status updates.”
Cusimano said that “the first step in ensuring compliance with industry-specific cybersecurity regulations and standards is, of course, identifying and understanding the industry-specific cyber security regulations and standards that apply to your organization in the sectors and countries in which you operate. That alone can be challenging.”
“Once the regulations and standards have been identified, the next step is to reconcile them with your existing OT cybersecurity governance,” Cusimano added. “Typically, the best way to do this is to have your organizational policies and standards and framework and a spreadsheet or database and then map the regulatory and industry-specific standards to your corporate standards to identify alignment and gaps.”
Additionally, he added, “I think it goes without saying that C-level management plays an important role in maintaining and enforcing these standards. But, if organizations haven’t already done so, they need to integrate OT cybersecurity regulatory compliance into their GRC programs.”
Barda said that there must be clear accountability for compliance within the organization, with defined roles and responsibilities for C-Level executives, management, and staff. “C-Level execs should set a positive example by actively promoting a culture of compliance and cybersecurity awareness throughout the organization. They should engage with employees at all levels to reinforce the importance of compliance and adherence to cybersecurity policies. The C-Level provides strategic direction and oversight by demonstrating a strong commitment to cybersecurity and compliance by prioritizing these areas in the organization’s strategic planning,” he added.
Key cybersecurity trends and preparation strategies for industrial environments
The executives identified trends they anticipate will significantly impact cybersecurity in industrial and operational environments in the coming years. They also explained how they are preparing organizations to adapt to these evolving cybersecurity challenges.
“While industrial and operational environments have not received as much focus or attention as others, our data does show a rapid increase in security patents and investment for this space,” Lewis disclosed. “Those investing in OT recognize that the availability of these systems is critical to maintaining our way of life and hackers recognize their importance too and will increase their attacks as well.”
As a result, Lewis expects to see increased regulatory pressure on operational environments to maintain the standard for security, more discussion on broader ecosystem security risk, and advances in the investment in people who secure operational environments.
“Since 2022 the number and sophistication of cyberthreats and adversary groups in OT has increased significantly,” Cappelli identified. “The trend we are seeing with state actors aligning with hacktivist groups is especially alarming, since hacktivists are eager to take action and cause panic, and state actors can provide them with more sophisticated capabilities. Recent attacks on the water sector by the Cyber Av3ngers and Cyber Army of Russia Reborn are prime examples.”
In addition, she pointed out that the PIPEDREAM malware family has taken ICS (industrial control system) malware to the next level, as it could be used for widespread attacks against any sector. “But there is some positive news as well. The US government is succeeding in moving to the ‘left of boom,’ discovering both PIPEDREAM and exploits targeted at two Rockwell Automation product vulnerabilities before they were employed.”
“There are a few trends that I foresee having a significant impact on OT cybersecurity in the coming years,” Cusimano said. First is the rapidly changing and evolving regulatory environment, both in the US and around the world. It is difficult for organizations, particularly those that operate globally, to track, adopt, and enforce evolving regulatory requirements.
The second trend is the large increase in the number of attacks targeted at critical infrastructure and manufacturing. There appear to be at least two main drivers for this. The first is the financial gain that a criminal cyber group can achieve by attacking high-value assets or by attacking organizations with significant downtime costs. The second driver is an increase in the use of cyber as a weapon for nation-states to attack and disrupt their adversaries.
The last trend and a disturbing one that Cusimano outlined is the increase in supply chain attacks that have been seen in recent years. “The implications of a major automation system vendor’s build environment being compromised and the vendor inadvertently sending compromised code to their users is frightening. Users inherently trust the code provided by their vendors and could unwittingly install malicious software into their environment. Should this happen on a large scale to a large vendor the impacts could be felt worldwide,” he added.
Barda identified that the cyber landscape in all industries is evolving rapidly. “I will reel off some key trends to watch – There is no end in sight to connectivity and Industrial IoT. Likewise, the frequency and sophistication of cyber-physical attacks will escalate. Nation-state actors as well as hacker syndicates have sufficient incentives and tactics to go after operators of critical infrastructure. There will be an increased focus on supply chain security as supply chains are getting longer and becoming more embedded in machines, networks, and systems used in critical infrastructure and plants,” he added.
He also pointed to artificial intelligence and machine learning; delivering security solutions from the cloud; adoption of zero trust architecture; and human factors and insider threats continuing to threaten operations in every sector. “Compromised credentials, accidental disclosures, employee mistakes, and bad behavior are plaguing everybody now,” he concluded.