Customer objective: 
To assess cybersecurity and business risks in eight facilities representing different business types, across a very large geographic region.

Interviews with stakeholders, plant walkthroughs, and detailed network analysis using proprietary tools and artificial intelligence.

Personnel and schedule: 
Four consultants plus support personnel; four months from project start to completion.

Challenges and results: 
This well-known organization supplies services to a global footprint of business and government customers, and many of its operations are deemed to be critical infrastructure. We determined that the overall business-risk profile was dominated by cost control and continuity/robustness of operations, with a small national-security component owing to the social importance of their services. Their service delivery is highly distributed geographically. As a result, they face an urgent “skills gap” problem: it is impossible to hire enough trained cybersecurity professionals to cover such a large footprint.

This company is in an industry where rapid technological innovation is a competitive necessity, which means their industrial controls and automation change quite often. They are also leading a number of digitization and IoT initiatives to cut costs and remain competitive. The resulting high rate of change in cyber-physical systems means that new cybersecurity risks are continually appearing and are very difficult to manage. Their goal in performing a cyber assessment was not only to identify areas of concern, but also to develop more efficient processes for managing cyber risk.

We performed a plant cybersecurity and risk-management assessment based on the NIST Cybersecurity Framework (CSF). We closely examined nine representative facilities. In addition to ICS and automation cybersecurity, we examined physical plant security; personnel and management processes; fire safety and access-control systems; and connections with civil infrastructure such as power, water and natural gas feeds.

We determined that this company relied primarily on network isolation for plant security. In a number of cases, especially for high-value processes, systems were well isolated and self-contained. Other systems depended on connections to corporate networks.

We found a variety of procedural errors and cybersecurity-policy violations, mostly the result of ordinary mistakes made as systems and equipment evolved. We detected a large amount of unusual network activity, most of which turned out to be benign but which was still surprising in its extent. We recommended process improvements for efficiently monitoring cyber-physical systems using artificial intelligence, to overcome both the skills gap and the cost-effectiveness problems.

We presented our findings to senior leadership and subsequently engaged with the customer to develop more scalable and cost-effective cyber-risk management processes.