Ransomware is an Operational Problem

This past week provided another reminder that cybersecurity is not just the problem of the CIO. The ransomware attack on the U.S.-based Colonial Pipeline, which delivers roughly 45% of the fuel used on the East Coast of the country, highlights that this is a concern for the entire C-level. Cyberattacks are not isolated to accessing credit card numbers, bank accounts and other sensitive data — they target the physical operations.

Earlier this week, Barika Pace, a Gartner senior director analyst specializing in securing emerging technologies, published a blog highlighting that responsibility for security goes beyond IT and risk leaders. If that doesn’t change, she points out, we may be stuck in a cycle of never-ending ransomware attacks followed by extortion. Below is a contextualization of her recommendations.

Broad Problem Needs a Broad Solution

Take a cue from how you are reacting to this latest threat. If the discussion is exclusively with the CISO and the CIO working with risk and security operations, Barika suggests that you should double down on your cryptocurrency holdings because the “bad actors” may find an opportunity in your organization. There exists a growing security puzzle consisting of aging infrastructure, bad cyber hygiene, poor end-of-life equipment management, employee reluctance to work with cybersecurity staff, and increased use of original equipment manufacturer (OEM) devices and software providers. The proliferation of the Industrial Internet of Things (IIoT) and operational technology (OT) has expanded the use of OEM devices and the role third parties play in your security.

Causes of product security failures for industrial and critical infrastructure environments are known (see Figure 1).

Why Do So Many Get Security Wrong?

As operations digitalized, many failed to do one thing: productize security. This failure often results in policies appropriate for analog operations, not those needed by digitalized organizations. This means organizationally, they make the following mistakes:

1. The wrong people are doing product security. When CISO and CIOs act as sole security officers, core competencies that need to be effective, such as operational roadmap, planning and lifecycle management, are not properly cultivated. Too many security decisions are left to engineering, meaning proactive thoughtful productization of security features get watered down to secure by design elements that hackers have already figured out.
2. Failing to see convergence. As ransomware on OT and IIoT environments increases security convergence of IT, operational technology and physical security must be addressed.
3. Supplier risk is going unchecked against new digital offerings. Traditionally, supplier risk has focused only on the data and IT infrastructure security of the supply chain and has missed crucial elements, such as product security, which needs to be factored in for a holistic view. More importantly, supply chain leaders are using old vendor risk policies with OEMs that have drastically changed their products and services to become digital.
4. A static approach to security. As bad actors find new ways to attack these environments, too many take a static approach to security. Companies are too slow to embrace and prioritize emerging security solutions.

This past weekend was another reminder that the issue of cybersecurity has moved well beyond the office of the CISO and CIO and into the rest of the C-suite, particularly into that of the chief supply chain officer. The supply chain has a gap to close by focusing on an integrated digital security approach which looks holistically across IT and data, product, and operations-related technology.

Thank you Barika for your contribution to this week’s blog.

Michael Uskert
Chief of Research
Gartner Supply Chain
Michael.Uskert@gartner.com