Digital Learning for Operational Resilience

The war being raged in the Ukraine by Russia has thrown into sharp focus a number of weaknesses that, although well-known, were ignored for a variety of reasons. Allied to this has been the explicit confirmation and attribution of responsibility to long-suspected perpetrators of nefarious activities.

Whilst issues with global impact arising from the war, both geopolitical and economic, will resonate for decades to come, lessons from the past have been ignored. The age-old saying in business that no single client should account for more than 60% of total revenue holds true today and applicable not just to business, but to areas such as energy and food security.

Political vested interests facilitate the creation of endemic and protracted supplier lock-in just at a time, due to Covid, of corporations on a global scale undertaking third party risk assessments in order to avoid the very thing that politicians have allowed to happen to the countries they supposedly are meant to protect in the manner of a Board of Directors.

Hacks of Ukrainian critical services by Russia highlights nation state capabilities within the digital space to target and successfully execute attacks, rendering infrastructure, operations and communications unable to function. North Korea’s hack of Sony Pictures, Israel’s SCADA attack against Iran with Stuxnet, various Chinese alleged breaches of US networks, extends back for over a decade and commercial enterprises are seeking to strengthen both security and continuity at an accelerated pace post-Covid. Yet the lessons from this war suggest that if a nation state decides to target a specific firm or entity, it will successfully breach defences.

Europe’s dependence upon Russian oil, built up over a sustained period, with collaborative building and funding of the associated infrastructure, such as the Yamal-Europe, Nordstream, Friendship and Baltic pipelines. Co-creation of dependence upon a single supplier, with doubtful governance and leadership, of a critical resource may seem madness in light of the current scenario, yet it has happened. Companies migrating ever more rapidly to the cloud, using a single supplier may be doing precisely the same thing.

Vendor lock-in is a widely accepted risk that needs managing as part of overall enterprise risk management. The components of Governance, Risk and Compliance, Stewardship, Business Continuity Management, IT Risk Management all need revisiting on a frequent basis – perhaps with a greater degree of granularity and increased scope, to include strategic analysis of supplier risk with longer time horizons than previously undertaken i.e., accounting for not only technology evolution by one particular company giving competitive advantage, but also mergers, failures (e.g. Sunguard in 2019 and again April 2022) and takeovers within a 10 year timeline.

Within the risk transfer domain, the Ukraine war has also impacted the ability of risk carriers to price and accept cyber risks within their portfolio given the capabilities of individuals and groups within protected territories to attack corporate entities for personal gain. The ability to gain via crypto markets and disappear creates too high a risk with too great a downside versus profit opportunity to make cyber cover a viable proposition without a government backstop.

In a post-Covid world, where national debt has ballooned through the need to protect populations and businesses, capacity and willingness to add an additional burden, with low public support, is highly unlikely. The alternative means of transferring risk may still be viable in the form of securitization. However, the prospect of carrying corporate risk of high value from a global player that may have upset Russia during the war and thus be a potential target for individual attack makes this look a weak proposition in the short-term at least. An absence of risk transfer through a third party is therefore a tool within the enterprise risk management that has been rendered limited in its ability to achieve digital risk reduction.

A crucial lesson to be learned from the war is one that has been known by those within the relevant sectors and by national cyber security agencies, but ignored to a greater extent by those in power if the inherent weakness within operational technology (OT) and information technology (IT). As with Stuxnet, risks of internet enabled programmable logic controllers (PLC’s) is extremely high due to their prevalence within key infrastructure, utilities, marine and other core sectors for everyday existence.

As cost pressures drive automation to eliminate headcount and manual tasks, so the risks increase. OT development has not developed in security in lock-step with IT, with cyber exposure a consequence. IT facilitates remote management of OT, frequently through the utilisation of third parties. Ukraine’s vulnerability to cyber attacks on infrastructure may have increased awareness of OT/IT risks, but events such as oil drilling platforms being taken offline by a teenager without malicious intent, a vessel hacked whilst in a US port and numerous other events have not resulted in enhanced scrutiny of OT/IT security to any great extent.

Quantar Solutions developed its enterprise software to facilitate the assessment, quantification, valuation of cyber risks to provide capability to its clients to assist them in addressing the above issues.

Leave a Reply

how can we help you?

Contact us at the Consulting WP office nearest to you or submit a business inquiry online.

Looking for a First-Class Business Plan Consultant?

This website uses cookies and asks your personal data to enhance your browsing experience.