Close this search box.
Close this search box.

What CEOs Should Know About Protecting Cyber Infrastructure

CEOs are quickly realizing that the critical cyber infrastructure that supports the global economy is now directly in the line of fire from hackers, malicious insiders, and nation-state threat actors alike.


A decade ago, executives at energy, utility and manufacturing businesses did not worry about potential cyberattacks the same way they might have cared about major safety or environmental risks. Operators believed that air gaps between networks and proprietary technology were adequate defenses against malware, and that attacks on cyber-physical processes were simply very unlikely.

In recent years – especially the past year alone – that has all changed. Today, CEOs are quickly realizing that the critical infrastructure that supports the global economy is now directly in the line of fire from hackers, malicious insiders, and nation-state threat actors alike.

To protect critical infrastructure and manage cyber risk associated with industrial operations, executives need to execute well across three dimensions: improve visibility, incorporate modern cyber defenses, and ensure preparedness in case an incident does occur.

Elevated State of Awareness

The C-suite is responsible for overall corporate risk, and the awareness of the need for IT security has never been higher, unfortunately, due to various breaches that have made headlines. Industrial cybersecurity has now become an important aspect of the threat surface to monitor and manage as Operational Technology (OT) and IT systems converge. To keep critical systems running and protect the financial results and reputation of your organization, it is essential to also improve industrial cybersecurity and operational visibility.

Here’s why this has become an especially timely conversation: The U.S. government has released unprecedented alerts about Russian government cyberattacks targeting energy and other critical infrastructure sectors. In addition, the World Economic Forum reports “[A] growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in systems that keep societies functioning.”

Most recently, the Department of Energy announced in May 2018 Executive Order 13800 that focuses on strengthening the cybersecurity of Federal network and critical infrastructure. The imperative sets forth to fortify and ensure our energy and critical infrastructure is resilient in the face of increasing threats, stemming from an August 2017 report that shares the assessment of the energy infrastructure as a significant target within the nation’s critical infrastructure.

“It all starts with acknowledging the problem is real – and that the threat is increasing.”

The DOE’s decision to now make public their August 2017 Assessment of Electricity Disruption Incident Response Capabilities report reinforces the importance that these threats of cyberattacks continue to have on our critical infrastructure. Declaring the real potential of a cyber warfare attack on US soil is the first step to admitting there is a problem, next is taking the necessary security precautions to protect our most critical infrastructures, so something catastrophic doesn’t happen.

Businesses need to follow suit and those that are part of the nation’s critical infrastructure must prepare for the likely inevitable attack. The importance of our energy and critical infrastructure on America’s (and the world’s) economy puts a clear target on those organizations from nefarious threat actors, often exacerbated at times of geopolitical unrest or friction like current global events.

Three Keys to an Improved Security Posture

As an executive, how do you prepare for the operational, business and reputations risks posed by cyberattacks on OT infrastructure? How do you manage industrial cybersecurity risk and protect your organization’s reputation? Following are the three keys to improving the security posture of your critical infrastructure organization:

Improve Visibility: You can’t protect what you can’t see

Visibility is key to being responsive to a threat or crisis as it happens. This requires having the right tools that provide visibility into industrial networks and their risk exposure, thereby improving critical infrastructure cyber resiliency and operational reliability. OT has traditionally lagged behind IT in terms of visibility, however in today’s world, companies need to have as much visibility into OT as they expect in IT.

Improving visibility requires real-time network monitoring and an accurate, continuously updated network asset inventory – this is vital to detecting cyber threats and process anomalies and improving cyber resiliency and reliability.

In addition, centralized management must deliver consolidated OT cybersecurity and visibility across regional or multinational facilities to reduce support costs for remote sites, speed up troubleshooting and improve staff efficiencies. Every facility should be aligned and provide visibility across the organization so decisions can be made in context with the most accurate, current information.

Incorporate Modern Cyber Defenses: AI and machine learning take center stage

Advances in artificial intelligence now allow process-oriented anomaly detection to deliver the same levels of cyber protection in OT as in IT. With distributed facilities and thousands of devices in complex installations, artificial intelligence is a must to effectively manage volumes of data to extract actionable insights. Without it, the firehose of data and alerts creates fatigue while consuming countless human hours to work through support tickets, alert files and other reports. Machine learning can alleviate a tremendous amount of that work, ensuring staff spend their energies and intelligence on the pressing matters most suitable for the human brain in terms of analysis and decision-making.

Solutions that use machine learning to understand the OT environment and adapt should be a key consideration in any solution you deploy to fortify your organization’s security posture. By learning autonomously and adapting, as well as tapping into artificial intelligence, the right technologies can ensure your staff is focused on the jobs they need to do to mitigate and respond to threats – not on chasing alerts, responding to false positives or miss threats hidden in the flood of data.

Ensure Preparedness

It all starts with acknowledging the problem is real – and that the threat is increasing. From there, a Crisis Preparedness Plan can be developed, refined and implemented. What you communicate, how you communicate, and through which channels you choose to communicate, all impact the outcome: whether a company’s reputation and trustworthiness is bolstered or diminished. In talking through best practices for crisis preparedness plans with Standing Partnership’s Mihaela Grad as it applies to managing OT risk, here are the four keys to establishing the right plan:

Align all your crisis response plans: Assemble all existing policies, business continuity, operational and communications plans, plus reports that outline the risks your organization faces. Determine how current they are and list the gaps. When something goes awry, having minimized the gaps ahead of time will save valuable amounts of time when minutes matter most.

Build or update a cross-functional crisis team: Your crisis response team should include representatives from across the organization – safety operations, legal, IT/OT, customer service, communications, HR, etc. – spanning head office and remote operational units. Most issues don’t conveniently happen during business hours, so be prepared for potential disruption by having a clear, designated team ready to respond at a moment’s notice.

Develop a written plan: It’s best to have a written crisis response plan that contains response team members and responsibilities, assessment criteria, decision protocols and responses to scenarios most likely to impact your organization. A plan eliminates second-guessing and speeds up response time during a crisis. Ideally, it is reviewed and updated every six to twelve months. While it may be impossible to predict every scenario, by documenting as many real or material scenarios, it puts your organization in the best position to respond swiftly, take corrective action and protect the brand in the eyes of customers and stakeholders.

Train your team: A plan without training isn’t worth much. Gather the cross-functional crisis response team at least once a year to run through the communications plan, and make sure members can execute seamlessly during high stress situations. Practice 1,000 times for the moment you hope never comes. Training helps the team be ready, and more comfortable, when something unusual and urgent happens.

Having a plan ready in the face of adversity when threats target critical infrastructure organizations—or any organization—is vital to effectively managing risk and protecting the brand’s reputation. Using the latest in technologies such as AI and machine learning are key to shoring up cyber defenses ahead of time to avoid an incident in the first place. Lastly, and most importantly, is to have real-time visibility into the OT environment as systems become more and more connected. Understanding what’s happening with context when something occurs enables staff to respond appropriately—this is ultimately the integral piece to improving industrial resilience and operational visibility.

Today’s business leaders are expected to protect the entire organization beyond IT systems, including OT environments that run critical infrastructure. Realize the threat of cyberattacks is on the rise in this industry. Use the right technologies to give you real-time visibility, practice regularly and be prepared knowing that it can happen to your organization. That could be the difference between your brand being chastised after a breach – or celebrated for how you quickly responded and thwarted the threat.

Related: The Perils Of The Digital Divide


  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.