Boards of Directors need to understand the risks from Industrial Control Systems (ICS) cyber security

Sept. 29, 2015

The PG&E San Bruno natural gas pipeline rupture and the Volkswagen emissions scandal were ICS cyber incidents that put the respective corporations at risk and led to the resignation of the respective CEOs.

The Board of Directors' function is to identify and judge risk to the organization. As one member of a utility board stated, “A Board needs to know what the company is exposed to in terms of risk and what the consequences are of that exposure. Given a specific security deployment protecting an asset – what possibilities exist for breach? There should be an explicit list that the Board sees so they know the company is not 100% protected, nor will it be. For each item on the breach list – what is the maximum damage that might be done if the breach occurs? The Board needs to understand these questions if it is to fulfill its fiduciary responsibility and understand how management has determined to allocate resources.” Yet very few Boards understand the potential implications of ICS cyber incidents. For an industrial organization, the largest risk to the well-being of the organization comes from compromise of its ICSs, not from a data breach.

There have been almost 750 ICS cyber incidents, with impacts ranging from trivial to significant equipment damage, significant environmental damage, regulatory consequences, and deaths. An ICS cyber incident does not need to be malicious to create a risk to the organization that the Board needs to address.

I want to focus on two ICS cyber incidents that demonstrate the potential ICS cyber risk to the financial well-being of the organization - the PG&E San Bruno natural gas pipeline rupture and the Volkswagen emissions scandal. Both were ICS cyber incidents that directly led to the resignation of the respective CEOs, and both had multi-billion-dollar impacts on the organization. Because they were ICS cyber incidents, IT had no knowledge of the relevant issues in either case. Both cases were caused by intentional activities, though neither was malicious in the traditional sense and neither was caused by a traditional insider. The long-term impacts of both cases put the respective corporations at risk. In PG&E’s case, the California PUC is now investigating whether PG&E should be split up because of systemic safety issues stemming from the San Bruno natural gas pipeline rupture. In Volkswagen’s case, Volkswagen may have lost an entire market - diesel cars - as well as its reputation as a maker of well-designed vehicles.

To meet their fiduciary responsibility, Boards need to address ICS cyber security as well as data breaches.

Joe Weiss