A January 22nd Lawfare piece points out that most of the coverage of SolarWinds has focused on the impact on IT systems while equally damaging, but as yet not visible impacts on operational technology (OT) have not received adequate attention.
Microsoft President Brad Smith highlighted that the full impact of the breach as it is currently understood is only in an early phase. The article points out that since OT systems control the physical world, potential impacts stemming from the breach could be far more damaging.
We have addressed the heightened risks of the merging of IT and OT across a number of sectors over the past year. The combination of a vastly expanded threat surface, increased reliance on digital technology to function and a huge spike in ransomware attacks on companies in 2020 has resulted in a significant increase in the downside financial risk associated with poor cyber governance. This applies not only to industrial and energy companies most often associated with OT, but also to companies across all sectors that utilize OT to fulfil essential functions.
SolarWinds may yet bring these risks into focus in 2021 across any number of companies that 1. Were impacted by the breach and 2. Are heavily reliant upon OT.
FireEye explained why OT disruptions are so financially costly: “...ransomware infections—either affecting critical assets in corporate networks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of end products or services.”
C-suites should be focusing on ensuring the necessary controls and processes are in place to lower the downside financial risks of a disruption. Investors should be asking C-suites:
- What is the potential cost of an operational disruption in $ terms if OT is disabled?
- What $ resources are being invested in controls and processes to limit risk of disruption?
In the case of SolarWinds and future large-scale breach events, investor and C-suite complacency will also come with an ever-larger price tag.