Subject: File Number S7-09-22 - SEC Proposed Reporting Changes for investors and Cyber Security Incidents - Feedback
From: JOHN SMITH
Affiliation:

Apr. 19, 2022

Dear Sir/Madam, Having worked within the Operational Technology industry for over 30 years, I found your proposal to modify SEC reporting requirements very interesting. I work as a freelance OT security consultant for many major clients and have added the comments below for consideration. One of the most common traits I come across is that businesses do not necessarily have the in-house expertise to understand their business well enough to convey the types of information being proposed. Indeed, CISOs (with an IT background) typically do not have the necessary understanding of automated production/manufacturing environments. This compounds the issue in that most boards of Directors may not adequately understand cyber risks to their CPS (Cyber Physical Systems). From an institutional investor's perspective, this will increasingly carry greater risk. 


The comments below are only a small sample of points you may find pertinent and I would be more than happy to continue the conversation as a ‘contributing member’ to the draft SEC requirement. I have included a LinkedIn profile link to highlight my background within this area as a point of reference. 


LinkedIn Link:- https://www.linkedin.com/in/john-smith-2b8b1741 


I hope you find the comments below of use. These are all my own personal comments on how I would like to see risk conveyed, specifically those which relate to Operational Technology:- 


All entities should provide a report on their OT real estate in the form of a risk-based score following a cyber security risk assessment which relates to the environment, e.g. NIST 800-82, IEC 62443 or NERC CIP. The nature of the business and the operator's environment should be a consideration when disclosing cyber posture, i.e. OT cyber security should be measured in the context of the operations and environment. This will convey a 'true' understanding of the current cyber posture and indicate to the investor where a particular business is weak or strong against the threats posed by, for example, an institutional or nation-state threat actor. 


The SEC should mandate the use of a particular security framework according to the industry, e.g. NERC-CIP, or develop a high-level framework - see comments below at point 8. 


The SEC should mandate a periodic OT cyber audit against the original cyber assessment. This is to provide a report that the business is meeting its current cyber posture, leveraging new technologies and mitigating current and future cyber risks. 


Form 8-K should stipulate the type of cyber-posture-related information a business should monitor and provide, and where; i.e. the business entity should be capable of conveying cyber status across its entire business. In the case of Operational Technology, this should be the full OT environment, including Industrial Control Systems down to sensor level, not just connectivity into the OT domain. This is of particular importance given that most organisations are protecting entry into their systems, but are not adequately realising the full 'attack' vectors which can be exploited, e.g. third-party supply chains or insider threats (there are many attack scenarios possible). In order to provide a report within 4 days, the business needs to display evidence that it understands its business from an attack perspective, i.e. businesses should not only be made to have a security assessment, but should also be asked to assess and understand their respective environments. Different businesses, geolocations and installations have different attack vectors/motives and, as such, ICS and Enterprise IT attack scenarios should be part of the investigation. 


All security requirements should mandate that an external entity conduct the assessment from an impartial, independent position. There needs to be independent consistency for the SEC, and industry self-governance will not provide this. 


The assessment should not only consider cyber security from an information security perspective but, in relation to OT, should consider security from several lenses, such as Engineering, personnel and process safety, asset hardening etc. OT has significant security requirements which revolve around 'cyber physical systems', not information security. 


It may be the case that the SEC should define and adopt a high-level CAF (Cyber Assessment Framework). This should include indicators of good practice, such as being good at detecting an incident but poor at protecting against it. 


If using a mature security framework, forms 10-Q and 10-K should be modified to show what the risk score was at the time of the incident and what it is after additional security mitigations have been made. This is to show the potential investor how much progress has been made in the form of a metric, e.g. 'We have introduced technology and/or procedure 'X' to mitigate against the previous incident. This has increased our PROTECT rating from 24% to 72%' or 'We have moved from NIST 2 to NIST 4 (on a scale of 1-5)'. 


Form 107 should be amended to show not only that the board holds a member who has cyber security expertise, but that the member has expertise relevant to the particular industry. E.g. if it is a chemical plant, the cyber board member may be a CISO from an IT background who has no experience or expertise in relation to the cyber security of safety instrumented systems. This is extremely important given that process expertise is essential in understanding cyber risks. The manufacturing process may contain valuable IP, but may also be explosive, hazardous or radioactive, for example. Most boards utilise a CISO for all cyber security. In relation to any business which holds a process plant or manufacturing division, there is a strong argument to suggest the CISO is not best placed and that the board cyber representative for Operational Technology should be from an Engineering background with security expertise. I have seen numerous occasions where the CISO is relied upon and utilises 'high-level' cyber assessment frameworks. This not only leads to a false sense of security from the business perspective, but also could convey the wrong security posture to the institutional investor. In addition, the use of an IT security driven approach within OT environments leads to a business utilising COTS (Common Off The Shelf) IT-biased products to secure OT: something they were not designed for or robust enough for, and ultimately they may only provide limited protection to the 'Crown Jewels' of the business. 


In terms of section B and form 8-K, because most OT security assessments have not fully considered the domain right down to ICS (Industrial Control System) level, there is growing concern that OT-related incidents are not discovered and subsequently reported. This can then lead (from the investor's perspective) to a scenario whereby the investor has committed significant capital and, in turn, could lose the advantage offered by product superiority through loss of IP confidentiality. This then begs the question: is the business capable of detecting 'all' forms of incident, based on varying attack vectors, in all parts of the business? 


All the above, and much more, will help to form the basis for determining how/if an organisation is capable of detecting and reporting the required information in an XBRL standardised format. 



Kind regards, 

John Smith.