Dan Burton on Unsplash
Carrot 1 611c36bc95682

Carrots – Not Sticks – Should Motivate Tech Investments

Aug. 23, 2021
The ongoing cybersecurity crisis demonstrates that putting off tech investments can be unnecessarily painful.

Investing in technology requires resources. And if it’s an emerging technology, devoting precious resources can ultimately prove unwise. After all, some technologies are little more than smoke and mirrors. Fortunately, totally regrettable investments have steadily become the outliers today rather than the norm.

Far too often, encouraging manufacturers to make technology investments requires some sort of motivation (carrot) or outside demand (stick). The scenario, regrettably, repeats itself time and again. 

One prime example – the pandemic – was the stick that forced companies to finally embark on the digital transformations they previously avoided or deferred to a later date. The need for cybersecurity, especially within an increasingly digital environment, is another unfortunate example. 

The need for better cyber protection is universal. However, some operational environments, like our nation’s water infrastructure, are in especially precarious situations. U.S. critical infrastructure is subject to a variety of cybersecurity regulations, but they lack uniformity. U.S. water systems are a mishmash of 50,000 smaller entities, often with small budgets. However, they still need things like remote Internet access to operate substations where budgets do not provide for a person to physically sit there and manage day-to-day operations. 

History has shown repeatedly that intrinsic motivation rarely wins out in these situations. The question is: What will encourage the needed investment? 

The carrot. Lack of resources often surfaces as the No. 1 reason inhibiting technology investments. However, current infrastructure legislation provides funding to support water and wastewater infrastructure projects, including cyber, with a goal of ensuring clean-water infrastructure resiliency and sustainability. "This funding is something that will be helpful to some of these smaller entities with nominal cybersecurity budgets," says Eric Chien, lead technical director at cyber-security firm Symantec, a division of Broadcom. 

The stick. The threat landscape continues to heat up with a broad scope of attack tools within today’s hacking arsenal, including ransomware. In the last few years, ransomware has held a steady 3% to 4% rate of all detected malware, according to NTT’s Global Threat Intelligence Report. In 2020, the number of malware attacks including ransomware increased roughly 50%.  Ransomware activity is again increasing exponentially in 2021. The expectation is that ransomware will be at 12% of all detected malware before the end of 2021, which represents millions of detections and could indicate a total increase of about 300% in the past two years or one attack every 11 seconds

Let that sink in. 

From the Oldsmar, Florida, water treatment incident to the Colonial Pipeline, critical infrastructure and operational technology are clearly under attack. No one is safe with targets going well beyond the big attacks that make the headlines. 

“We hear a lot about the bigger attacks because of the disruption and the potential payoff if attackers put in the work. But these smaller entities are now becoming the prime target for ransomware because attackers realize they have no recourse if they hit them,” says Chien. “They know they will pay because they don't have a playbook and often lack the ability to restore from backups.” 

When it comes to cybersecurity, there is no silver bullet or magic black box to protect your operating environment. In many of these incidents, a lack of attention to fundamentals is the one commonality. Having security frameworks and guidelines for people to follow would be a great step forward. 

"Things like rotating passwords, monitoring credentials, using multifactor authentication and, in the water infrastructure example, only allowing remote control from one particular location rather than directly from the internet," he says. "Also, having playbooks in place so that people know how to react when an incident happens." 

Bottom line: Resources are always limited, but it is unfortunate so many organizations wait for the stick before making needed investments. Hopefully, it won’t take someone assuming control of a key piece of machinery before your organization makes the needed investments. 

About the Author

Peter Fretty | Technology Editor

As a highly experienced journalist, Peter Fretty regularly covers advances in manufacturing, information technology, and software. He has written thousands of feature articles, cover stories, and white papers for an assortment of trade journals, business publications, and consumer magazines.

Sponsored Recommendations

Voice your opinion!

To join the conversation, and become an exclusive member of IndustryWeek, create an account today!