Having the conversation with senior management about operational technology cybersecurity and obtaining sufficient budget to mitigate and manage risk continues to be a challenge. Many in management still see cybersecurity as insurance and compliance as a tax. Who wants to spend money on that? Nobody!
IT has been budgeting for many years for firewalls, network equipment, endpoint detection response, managed detection and remediation, security information and event management tools, etc. OT staff always have a project underway upgrading OT systems, building new plants, and so on, and there is a well-oiled process for these kinds of budget requests. So, how do you compete for a new category of investment: OT cybersecurity?
First, think about your senior manager's background. If you are presenting this information to the CFO or the finance team, they will understand a risk-based conversation. Position the spending as risk reduction. If the person came up through sales and marketing, such as the CEO, you may need to be prepared to discuss revenue loss as part of the justification. You can certainly point to the Colonial Pipeline incident, the Merck production outage, or the Maersk shipping attack as concrete examples. If the C-level sponsor came up through operations, presenting your case as comparable to a safety program will resonate, as many of the concerns are the same. You may also need to present a combination of these approaches.
Second, help define the risk. With the increasing number of cyberattacks on OT companies, the costs to clean up after a breach or a ransomware attack on OT systems are no longer theoretical. Incident response costs, legal fees, ransomware payments, overtime for employees working on mitigation, increases in cyber insurance policies (50% to 100% if insurers will even renew), betterment costs to systems, and loss of revenue due to production outages are well-documented costs to remediate a major cybersecurity event.
Third, define what the "betterment" needs to be to prevent an attack. If you're attacked and there is a payout by the insurance company, it will require you to prove that you have beefed up your defenses to keep policies in place. Insurers define these costs as "the betterment." If you're having a risk-based conversation, position your budget request as something that will be required at some point after an attack. So, either invest now and reduce the risk of an attack, or be prepared to spend this money later along with substantial remediation costs.
Fourth, present your budget request as something measurable based on a standard. Senior managers complain that IT is always looking for budget but aren't sure what they're getting for the money. Presenting an outcome-based program that will measure the effectiveness of the spending will assist with the analytical types in the C-suite. Choosing one of the OT cyber standards such as the NIST Cybersecurity Framework, the CIS Controls, IEC 62443, or a subset of these foundational controls will allow you to periodically report (or have an internal or external audit) to the C-suite on the effectiveness of the spending. Presenting the Center for Internet Security's (CIS) top five cybersecurity controls can help keep the conversation focused. CIS has published studies showing that by implementing the top five controls, organizations can reduce cyber-risk by 85%. Having a program discussion vs. a technology discussion will help frame the issue as a business case, not just throwing money at tech.
Given events over the last year alone, it should be apparent to boards and C-suites of all organizations that skimping on the OT security budget is the equivalent of personally inviting a malevolent cyberattacker into the organization. However, given the traditional focus of the cyber stack, OT security engineers and personnel should approach senior management with this emphasis on risk reduction benefits and with a concrete plan to secure budget and funding before it's too late.