Three Ways to Boost Business Resilience and Maintain Critical Infrastructure


The past few weeks have been eye-opening for anyone concerned with emergency management. Events in Florida and Texas have highlighted the importance—and vulnerability—of water systems and other critical infrastructure to business continuity. In short, we’ve been reminded that anything that affects your facilities, operations or people can put your business at risk.

Water systems, natural gas systems, electrical grids and other infrastructure components are integral to business operations—and increasingly vulnerable. If you are responsible for keeping a business, facility or utility running, your business continuity plan must take these systems into consideration. No operation is too small to be a potential target of nefarious action from internal or external actors, unintentional human error or natural disaster. 

Most organizations establish general emergency guidelines to deal with events such as workplace violence, fire, civil unrest and weather emergencies. But as part of Kroll’s work performing risk analyses and developing and testing collaborative crisis management plans, we’ve identified several threats that businesses often overlook or underestimate. Awareness of these potential threats is the first step toward plugging the gaps in your plan and protecting your business.

Think Like a Hacker

Oldsmar, Florida, a small city of 15,000 in the Tampa Bay area, doesn’t seem like a prime target for hackers. But on February 5 of this year, an employee of Oldsmar’s water treatment plant foiled a potentially deadly attack when they noticed that their system was being controlled remotely. The employee quickly discovered that the attacker had increased lye in the water supply to more than 100 times the normal level. However, reports of the incident note that the employee almost dismissed the fact that their system was being controlled externally because supervisors often accessed computers remotely. The reason? The increase of remote work in response to COVID-19. 

Security experts have estimated that the Oldsmar cyberattack took all of 3 to 5 minutes. The New York Times reports that Russian hackers have been probing U.S. energy and electrical utilities for nearly a decade. And the rate of cyberattacks has only increased over the past year. No system is too small or too mundane to avoid the attention of hackers.

In fact, it’s the little things that often offer cyber attackers a way into your business’s network. Supervisory control and data acquisition (SCADA) systems—the programmable logic controllers (PLCs) and remote terminal units (RTUs) that enable today’s smart devices and automation—are a primary point of vulnerability. And SCADA is at the root of another unexpected entry point: physical security systems. Yes, hackers have been known to gain entry through popular brands of security cameras.

What You Can Do

Automation, the internet of things and smart factories are here to stay. An increase in remote work is likely for the foreseeable future. Businesses must find ways to strengthen cyber security and hunt down every potential entry point. A thorough cyber security assessment by trained experts is your best option for finding easy-to-miss second- and third-tier backdoor vulnerabilities and determining mitigation factors. 

Prepare for Extremes

Recent winter storms have caused widespread devastation to businesses and homes throughout Texas. Even organizations with extensive business continuity and emergency management plans have been broadsided by the near-complete breakdown of the state’s critical infrastructure. Atypical freezing temperatures caused a chain reaction of infrastructure emergencies: As natural gas pipelines froze, power generation stations shut down. As electricity failed, water lines froze and burst. The result? The “costliest disaster in state history,” according to The Texas Tribune.

With bigger and deadlier natural disasters apparently on the rise, businesses need to reconsider the way in which they formulate emergency response. Most resilience plans take a “middle-of-the-road” approach, balancing potential problems and expected costs. Few account for extremes—a problem now illustrated in graphic detail in Texas.  

What You Can Do

Consider extremes in your emergency management plans. Yes, implementing backup plans for extreme events that threaten your physical infrastructure can be costly. But identifying and understanding the potential vulnerabilities that such events present are not. Your crisis management plan should at least acknowledge every possible hazard—which leads us to the next gap.   

Plan Beyond Your Property Line

The Texas disaster and the global pandemic have both highlighted the importance of considering external factors, such as critical infrastructure and supply chains, in your business continuity plans. These factors might be outside of your control. But identifying them provides the opportunity to, at a minimum, open conversations that could lead to change. 

For example, do you know which substation provides power to your facilities? Have you spoken to a power company representative to determine what that substation will do if it loses power, heat or water? What about water and wastewater? Your business might not technically utilize them, but your facilities likely can’t operate without them. How much do you know about your local water infrastructure and its cyber security and crisis management planning?

What You Can Do

Conduct a risk assessment to identify the infrastructure resources you need to maintain full or limited continuity of operations in the event of an incident. Determine who provides critical infrastructure to your facilities. Form a relationship with those organizations. Ask about their emergency planning. If the answer is concerning, decide how you can mitigate a loss of power, heat, water or wastewater if necessary—or even whether a change in location is warranted. 

Help Is Available

The best way to identify opportunities to enhance and strengthen your business continuity plan is to run a business risk analysis, especially if you haven’t done so recently; the threat landscape has changed significantly within just a few years. Risk management experts can conduct a thorough assessment, collaborate with you to create a plan that works for your unique needs and even provide training to help you respond with confidence to events like the ones in Florida and Texas. Be sure to look for the depth of experience necessary to recognize hidden hazards and extreme use cases and to help you develop a plan that meets international standards if necessary. Investing in a thorough assessment, planning and training process now can save you untold dollars in the future.

Three Ways to Boost Business Resilience and Maintain Critical Infrastructure, 2021-03-10
