CEOs Could Be Held Personally Liable for Cyberattacks that Kill

As IT systems, IoT and operational technology converge, attacks on cyber-physical systems in industrial, healthcare and other scenarios will come with dire consequences, Gartner predicts.

Gartner predicts that 75 percent of CEOs will be personally liable for cyber-physical system (CPS) security incidents by 2024 – especially those that involve fatalities.

That’s according to the Gartner research firm, which predicted this week that CEOs soon will no longer be able to hide behind their corporate legal teams if things go wrong.

Gartner defines CPSs as “systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans).” The security implications for such systems have been heightened as IT systems, IoT and the operational technology (OT) that controls physical systems continue to converge. Physical systems that were previously separated or siloed can now be reached through a compromised IT network or IoT endpoint. At the same time, many companies are unaware that they have OT systems connected to enterprise networks; or, they may not be following proper network segmentation or other precautions.


These convergences are mainly found in critical infrastructure and clinical healthcare environments for now, but will become more widely deployed with the expansion of 5G, and as innovations in the world of smart buildings, smart cities, connected cars and autonomous vehicles, and telehealth/remote surgery continue to roll out, the firm noted.

In these environments, “incidents can quickly lead to physical harm to people, destruction of property or environmental disasters,” according to the firm. “Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security focus and spending currently aligning to these assets.”

Gartner also predicted that the financial impact of CPS attacks resulting in fatal casualties will reach more than $50 billion by 2023. This encompasses the costs for organizations in terms of compensation for loss-of-life, litigation, insurance, regulatory fines and reputation loss.

“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner, in a media statement. “In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”

In July, for instance, ICS-CERT issued an advisory on a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module. These safety instrumented system (SIS) controllers are responsible for shutting down plant operations in the event of a problem and act as an automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. They’ve been targeted in the past, in the TRITON attack of 2017.

Thus, a focus on cybersecurity for CPSs is critical going forward, the firm noted. The prohibitive cost, in dollars and reputation, of cyber-physical casualties will push organizations to pay more attention to OT and CPS security. Senior executives and board members will demand better visibility into, and control of, the security posture of the organization’s CPSs, and Gartner told Threatpost that it expects the relatively young market for OT-specific security capabilities to grow from $250 million in 2018 to $1.115 billion next year, a CAGR of 45.7 percent.

“A focus on ORM – or operational resilience management – beyond information-centric cybersecurity is sorely needed,” Thielemann said.

In terms of best practices, Gartner recommended that organizations first identify all connected assets in the organization, regardless of whether these are considered IT equipment, OT equipment, building management systems, smart appliances or any other type of (wireless) connected device. Then, they should adjust risk-assessment methods currently in use to determine the likelihood and impact of events affecting human and environmental safety. After that, they can develop a classification method that takes physical aspects of data and systems into consideration rather than just a data-classification scheme; and then deploy an awareness campaign to ensure that all stakeholders both inside and outside the organization are aware of the cyber-physical risks that emanate from connected systems in the organization.

“Keep an eye out for any regulation that might come into force as a result of the first cyber-physical casualty,” Thielemann added.
