Enhancing Cyber Resilience Strategies in Global Manufacturing with the FAIR Methodology

Client Snapshot

Profile

This client is a global manufacturer of diverse industrial and automotive parts.


Client Situation

A holistic security governance and compliance programme, inclusive of data privacy, was needed to define and advance the client’s cybersecurity posture. Uncertainty as to which threats posed the most risk and which assets to prioritise made this a challenge, which was even more pronounced in the Operational Technology (OT) space.


Work Performed

To begin prioritising cybersecurity gaps in the OT environment, Protiviti conducted more than 30 triage risk assessments and 20 quantitative assessments on business-critical assets, drawing on insights from on-the-ground manufacturing site visits. Protiviti established risk scenarios, led a quantitative risk assessment pilot, and performed five future-state control implementation analyses to prioritise the allocation of limited cybersecurity funding.


Outcome/Benefits

With a FAIR programme in place, the client now has a comprehensive understanding of its risk landscape, including critical assets and dependencies, a thorough list of potential cyber threats, and an improved understanding of risk tolerance, which together support directing the cybersecurity budget to the most critical risk areas first. We also helped prioritise which product lines and components at each location would reduce risk today if addressed, and which could be deferred, so that upfront investment is distributed effectively.


With the evolution of publicly reported ransomware events and the significant losses incurred by manufacturing organisations that are unable to operate for days, or even weeks, at a time, many manufacturing organisations have renewed interest in how resilient their continuing operations are in the face of cybersecurity threats. In the last year, single ransomware events have produced reported losses of several hundred million dollars, and the resulting supply chain issues have received growing publicity. This provides a clear business case for investing in cybersecurity controls, but in operational technology (OT) environments it can be difficult to understand where funding would be most impactful.

This global organisation, which manufactures highly specialised technologies for the automotive industry, recognised that it lacked a clear understanding of its most critical enterprise-level risks across multiple areas, including which threats posed the most risk to the company’s OT environments. This lack of visibility, combined with disparate OT security practices, made the organisation’s decision-making and funding decisions harder. A Factor Analysis of Information Risk (FAIR) quantification programme was the best solution to effectively prioritise potential cybersecurity investments, but the company had limited risk quantification expertise. Protiviti brought a holistic approach to the organisation’s cybersecurity compliance challenges and developed a FAIR programme to complement a broader approach addressing product security, data privacy, and manufacturing technology risk across a single cybersecurity roadmap.

Starting with a FAIR analysis

The client initially selected Protiviti to perform a FAIR analysis at two of its international manufacturing locations. This involved:

  • Establishing a high-level risk register to quickly assess risks across these locations, establishing a common language and process for OT risk management.
  • Developing a comparative analysis to effectively triage risk scenarios based on level of criticality to identify top risk scenarios for additional analysis.
  • Identifying and assessing the most critical organisational risks and identifying the business impact in financial terms.
  • Developing risk clarity reporting to identify and optimise risk treatment opportunities.

Ten cyber risk scenarios were quantified using the FAIR methodology to model the potential annualised loss exposure (ALE) should a scenario materialise. Additionally, the team identified 18 actionable observations, each prioritised quantitatively, to strengthen OT security controls, including:

  • Site governance: Core IT support processes and activities were handled in an ad-hoc and unstructured manner resulting in a lack of clearly defined roles and responsibilities for core security and privacy functions including asset and configuration management, patch and vulnerability management, and disaster recovery.
  • Production device inventories: Asset and component inventories were not consistently maintained and were updated on an inconsistent or ad hoc basis.
  • Production device configuration management: Production devices were not always consistently configured and maintained using industry-leading practices. For example, the team could externally access the Internet via production line devices.
  • Production device patch management and hardening: There was no formalised, comprehensive patch and vulnerability management programme supporting manufacturing site technology. Devices were patched manually and often fell out of security compliance.
  • Access to production systems: A lack of secure user accounts and access management within both manufacturing sites, including a lack of user access reviews, consistent provisioning and deprovisioning processes, and the sharing of accounts between users.

These observations were analysed in aggregate but were also examined for individual product lines and locations. This allowed the client to invest cybersecurity resources in the areas where they would make the most difference, rather than targeting a single risk with an organisation-wide programme.


Analysing risk scenarios

Combining site-level data gathered through onsite visits with the quantitative analysis using the FAIR methodology, the team identified and scoped risk scenarios that reflected the client’s risk landscape and controls. The most likely risk scenarios for this client included:

  • Ransomware: Ransomware accounted for four of the top five overall scenarios. Factors impacting the overall ranking of these scenarios include the historical frequency of similar events within the client’s environment, the vulnerability of the systems supporting each product line (e.g., OS or software version), revenue derived from each product line, headcount supporting each product line and the average wage of those supporting the line, response efforts required to remediate the incident, and potential chargebacks or cancelled purchase orders arising from the lack of availability.
  • Denial-of-service: Factors impacting the overall ranking of these scenarios included the historical frequency of similar events within the company’s environment, production line network dependency, and the current network architecture of each manufacturing site in scope.
  • Environmental outage: Environmental scenarios are often “long tail” risks, as they are extremely unlikely to materialise, but the potential magnitude could be substantial.
  • Forms of loss considered across these scenarios: primary productivity loss, secondary fines and judgments, primary response costs, and primary replacement costs.

For each set of risk scenarios, site level threat and asset data were analysed to quantify and prioritise risks and direct cyber controls investments to the most critical risk areas.
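As an added illustration (not Protiviti's model and not the client's data), the following Python sketch quantifies one constructed ransomware scenario the way FAIR does: loss event frequency (threat event frequency times vulnerability) multiplied by a loss magnitude built from the loss forms listed above, run as a Monte Carlo simulation to produce an ALE distribution, plus a future-state comparison that ranks a candidate control by the mean ALE it removes. Every figure and parameter name is a constructed assumption.

```python
import random
from statistics import mean

def pert(rng, lo, mode, hi, lam=4.0):
    """Modified-PERT sample from a FAIR-style min / most-likely / max estimate."""
    if hi == lo:
        return lo
    a = 1 + lam * (mode - lo) / (hi - lo)
    b = 1 + lam * (hi - mode) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(a, b)

BASELINE = {  # constructed ransomware scenario for one product line (hypothetical figures)
    "tef": (0.2, 0.5, 2.0),                    # threat events per year
    "vuln": (0.3, 0.6, 0.9),                   # P(threat event becomes a loss event)
    "downtime_days": (2, 5, 21),               # driver of primary productivity loss
    "revenue_per_day": (150_000, 200_000, 250_000),
    "headcount": 120, "daily_wage": 320,       # idle labour while the line is down
    "response": (50_000, 120_000, 400_000),    # primary response (IR, recovery effort)
    "replacement": (10_000, 40_000, 150_000),  # primary replacement of devices/media
    "fines": (0, 0, 500_000),                  # secondary fines/judgments: long tail
}

def simulate_ale(sc, trials=10_000, seed=1):
    """Monte Carlo ALE; simplification: ALE = LEF x LM per trial (no Poisson event count)."""
    rng = random.Random(seed)
    ale = []
    for _ in range(trials):
        lef = pert(rng, *sc["tef"]) * pert(rng, *sc["vuln"])
        days = pert(rng, *sc["downtime_days"])
        productivity = days * (pert(rng, *sc["revenue_per_day"])
                               + sc["headcount"] * sc["daily_wage"])
        magnitude = (productivity + pert(rng, *sc["response"])
                     + pert(rng, *sc["replacement"]) + pert(rng, *sc["fines"]))
        ale.append(lef * magnitude)
    ale.sort()
    return {"mean": mean(ale), "p50": ale[len(ale) // 2], "p90": ale[int(0.9 * len(ale))]}

def future_state(sc, **overrides):
    """Model a control by overriding the factors it changes (e.g. patching lowers vulnerability)."""
    return {**sc, **overrides}

def risk_reduction(sc, control, trials=10_000, seed=1):
    """Mean ALE removed by a control: the figure used to rank candidate investments."""
    return simulate_ale(sc, trials, seed)["mean"] - simulate_ale(control, trials, seed)["mean"]

if __name__ == "__main__":
    patched = future_state(BASELINE, vuln=(0.1, 0.2, 0.4))  # assumed effect of a patch programme
    print("baseline ALE:", simulate_ale(BASELINE))
    print("patch programme reduces mean ALE by about", round(risk_reduction(BASELINE, patched)))
```

Running several scenarios (one per product line or site) through the same function and sorting by mean ALE reproduces the kind of triage ranking described above; comparing `risk_reduction` across candidate controls is the future-state analysis.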

Ready to tackle risks head-on

Due to our comprehensive risk analysis, the client repositioned its risk management strategy globally. Throughout the scope of this three-month project, we:

  • Established comprehensive risk landscape clarity for the client, including a detailed asset library, thorough list of potential threats, and related outcomes.
  • Effectively used the results of risk assessments to support the client’s drive to establish an overall risk management programme.
  • Evaluated recommendations for operational technology security improvements and prioritised each based on the expected future state risk reduction.
  • Operationalised the FAIR programme for the client so that the programme is now self-sufficient and repeatable.
