09/24/2024 | News release | Distributed by Public on 09/24/2024 12:32
This client is a global manufacturer of diverse industrial and automotive parts.
A holistic security governance and compliance program, inclusive of data privacy, was needed to define and advance the client's cybersecurity posture. Uncertainty as to which threats posed the most risk and which assets to prioritize made this a challenge, which was even more pronounced in the Operational Technology (OT) space.
To begin prioritizing cybersecurity gaps in the OT environment, Protiviti conducted more than 30 triage risk assessments and 20 quantitative assessments on business-critical assets, using insights from on-the-ground manufacturing site visits. Protiviti established risk scenarios, led a quantitative risk assessment pilot, and performed five future state control implementation analyses to prioritize the allocation of limited cybersecurity funding.
With a FAIR program in place, the client now has a comprehensive understanding of its risk landscape, including critical assets and dependencies, a thorough list of potential cyber threats, and an improved understanding of its risk tolerance, which together support directing the cybersecurity budget to the most critical risk areas first. We also helped prioritize which product lines and components at each location should be addressed to reduce risk today, and which could be deferred, so that upfront investment is distributed effectively.
With the evolution of publicly reported ransomware events and the significant losses incurred by manufacturing organizations that are unable to operate for days, or even weeks, at a time, many manufacturing organizations have renewed interest in how resilient their operations are in the face of cybersecurity threats. In the last year, single ransomware events have produced reported losses of several hundred million dollars, and the resulting supply chain disruptions have received growing publicity. This provides a clear business case for investing in cybersecurity controls, but in operational technology (OT) environments it can be difficult to understand where funding would be most impactful.
This global organization, which manufactures highly specialized technologies for the automotive industry, recognized that it lacked a clear understanding of its most critical enterprise-level risks across multiple areas, including which threats posed the most risk to the company's OT environments. This lack of visibility, combined with disparate OT security practices, made decision-making and funding decisions difficult. A Factor Analysis of Information Risk (FAIR) quantification program was the best solution for prioritizing potential cybersecurity investments, but the company had limited risk quantification expertise. Protiviti brought a holistic approach to the organization's cybersecurity compliance challenges and developed a FAIR program to complement a broader approach addressing product security, data privacy, and manufacturing technology risk across a single cybersecurity roadmap.
The client initially selected Protiviti to perform a FAIR analysis at two of its international manufacturing locations. This involved:
Ten cyber risk scenarios were quantified using the FAIR methodology to model the potential annualized loss exposure (ALE) should a scenario materialize. Additionally, the team identified 18 actionable observations, each prioritized quantitatively, to strengthen OT security controls, including:
These observations were analyzed in aggregate but were also examined for individual product lines or locations. Rather than targeting a single risk with an organization-wide program, this allowed the client to invest cybersecurity resources in the areas where they would make the most difference.
Combining site-level data gathered through onsite visits with the quantitative analysis using the FAIR methodology, the team identified and scoped risk scenarios that reflected the client's risk landscape and controls. The most likely risk scenarios for this client included:
For each set of risk scenarios, site-level threat and asset data were analyzed to quantify and prioritize risks and to direct cyber controls investment to the most critical risk areas.
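The quantification described above (ten scenarios modelled for annualized loss exposure, then ranked so that controls funding goes to the largest exposures first) follows the basic FAIR decomposition: loss event frequency multiplied by loss magnitude, each estimated as a three-point (minimum, most likely, maximum) range and combined by Monte Carlo simulation. The following is an added illustration of that calculation, not Protiviti's tooling or any figure from the engagement. The scenario names, the three-point estimates, and the choice to draw the number of yearly loss events from a Poisson distribution around the sampled frequency are all assumptions made for the example.

```python
"""Monte Carlo FAIR-style risk quantification: rank cyber risk scenarios
by annualized loss exposure (ALE). Added example, not the client's or
Protiviti's model; all inputs below are constructed."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point (min, most likely, max) estimate, the usual FAIR input form."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Closed-form mean of a PERT distribution with the standard lambda = 4.
        return (self.low + 4 * self.mode + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:          # degenerate estimate: a constant
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Pert   # loss event frequency, events per year
    lm: Pert    # loss magnitude, dollars per event

    def expected_ale(self) -> float:
        # Point estimate E[LEF] * E[LM]; frequency and magnitude assumed independent.
        return self.lef.mean() * self.lm.mean()


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm; fine for the small per-year event rates used here."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(s: Scenario, years: int, rng: random.Random) -> list[float]:
    """Annual loss for each simulated year: draw the event rate, draw how many
    events occur that year, then draw and sum a magnitude for each event."""
    losses = []
    for _ in range(years):
        rate = s.lef.sample(rng)
        n_events = poisson(rate, rng)
        losses.append(sum(s.lm.sample(rng) for _ in range(n_events)))
    return losses


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def sample_many(p: Pert, n: int, seed: int = 0) -> list[float]:
    rng = random.Random(seed)
    return [p.sample(rng) for _ in range(n)]


def rank_scenarios(scenarios, years: int = 10_000, seed: int = 1) -> list[dict]:
    """Simulate every scenario and sort by mean ALE, largest exposure first."""
    rng = random.Random(seed)
    rows = []
    for s in scenarios:
        losses = simulate_ale(s, years, rng)
        rows.append({"name": s.name,
                     "mean_ale": sum(losses) / years,
                     "p90": percentile(losses, 0.90),
                     "expected_ale": s.expected_ale()})
    rows.sort(key=lambda r: r["mean_ale"], reverse=True)
    return rows


# Constructed sample scenarios for a manufacturing OT estate (illustrative
# three-point estimates only; not figures from the engagement).
SCENARIOS = [
    Scenario("Ransomware halts plant A production line",
             Pert(0.05, 0.2, 0.5), Pert(500_000, 4_000_000, 20_000_000)),
    Scenario("Malware on engineering workstation alters PLC logic",
             Pert(0.1, 0.3, 1.0), Pert(50_000, 400_000, 3_000_000)),
    Scenario("Insider exfiltrates product designs",
             Pert(0.02, 0.1, 0.3), Pert(100_000, 1_000_000, 10_000_000)),
]

if __name__ == "__main__":
    for r in rank_scenarios(SCENARIOS):
        print(f"{r['name']:<55} mean ALE ${r['mean_ale']:>12,.0f}  "
              f"90th pct ${r['p90']:>12,.0f}")
```

The 90th percentile column is what makes the ranking useful for budgeting: a scenario with a modest mean ALE but a heavy tail (a plant outage lasting weeks) can justify controls spending that the mean alone would not, and comparing the simulated mean against `expected_ale()` is a quick sanity check that the estimates were entered correctly.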
As a result of our comprehensive risk analysis, the client repositioned its risk management strategy globally. Over the course of this three-month project, we completed:
30+ triage risk assessments
20 quantitative risk assessments
5 future state control implementation analyses