The chairman and CEO of a small-cap publicly traded group had recently attended a week-long Executive Program for Presidents at Harvard. Using Target's cyber-breach case as an example, they discussed how cybersecurity has become one of the most concerning risks for corporations. He was surprised to learn how hackers were able to break in by exploiting the HVAC system's connectivity. He came back determined to make cybersecurity a top priority for his company.
The group serves many Fortune Global 500 companies across industries such as industrial equipment, defense, aerospace, medical, and transportation via its Electronics Manufacturing Services (EMS) business unit. The CEO understood that operational disruptions could have ripple effects on its highly valued customers. He tasked the company's CFO and CIO with performing a cybersecurity audit and reporting the outcome to the board.
The audit uncovered a few areas to strengthen, such as endpoint security, intrusion detection, and advanced threat protection from phishing. The review, however, completely missed the fact that plant equipment and HVAC systems are also connected to the network. The CEO quickly inquired whether the facility systems or any of the plant equipment were connected to the network, and whether perimeter controls were sufficient. The team needed to get those answers quickly.
ResiliAnt was engaged to inventory and profile all connected industrial systems and to identify the associated vulnerabilities. The engagement revealed that 84% of equipment had three or more vulnerabilities, needing operating system, software, and firmware-level patches.
The company decided to incorporate a vulnerability management program into its operating mechanism to proactively manage cybersecurity risks. The CFO was chosen to be the executive sponsor for this new program.