How One Industry Exemplifies the Importance Of Cybersecurity In Critical Infrastructure Assurance

And What We Can Learn From It

By Brian Hesse, Co-Owner, President, and Chief Executive Officer of PerenniAL

Summary

Cybersecurity professionals, as with virtually every other organizational function, are always challenged to respond to competing and conflicting imperatives. Based on the author’s more than 25 years of experience of management in the aluminum industry, this article sets out replicable ways of dealing with and harmonizing competing priorities. Starting from a top-down view, and then identifying specific threats and challenges, the conclusions reflect the general application of actionable information for managing risk and achieving cybersecurity compliance and efficiency.

Critical Infrastructure and the Role of Aluminum

Currently within the purview of the Department of Homeland Security (DHS) and its subsidiary the Critical Infrastructure Security and Resilience Agency (CISA), the designation of 16 sectors of critical infrastructure and the responsibility for assuring their security and resilience encompass nearly every vital economic activity.

It is highly likely that the employers of every CISO in some fashion operate in one or more of these sectors. Similar requirements for these organizations are in large part applicable to those levied upon my industry. For your convenience, the list of the 16 sectors is posted online at https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors

Drilling down, Aluminum is listed in the Critical Manufacturing Sector, and specifically designated as a “core” of the sector in the Sector Overview.

The Critical Manufacturing Sector identified several industries to serve as the core of the sector:

• Primary Metals Manufacturing
• Iron and Steel Mills and Ferro Alloy Manufacturing
• Alumina and Aluminum Production and Processing
• Nonferrous Metal Production and Processing

Conflicting and Competing Priorities in Aluminum

While specifically only applicable to the aluminum market, the current situation illustrates how an industry can face forces which can fundamentally impair its ability to support a vigorous sector of our critical infrastructure. Your industry will probably face different challenges, but the principles of responding to such threats are likely to be very similar.

Without needlessly reciting history or straying far from the thrust of this article, the nub of the matter is that the American aluminum industry is currently about 1 million metric tons of processed aluminum (“billets”) short of the annual needs of the critical manufacturing sector.

We rely to a large extent on the importation of processed aluminum billets, from numerous other countries. Among them is Russia, which is currently subject to sanctions in the form of a 200% [not a typo] tariff on this product.

The tariff is an application of our foreign policy with respect to Russia, and is accompanied by claims of national security being threatened by reliance on this particular international source for the needed billets.

But tariffs are a blunt instrument. Tariffs were originally intended to accomplish one or more of several principal purposes: protection of domestic industry, raise revenue, and modify the behavior of market participants. Unfortunately, they can also stifle the legitimate needs of American industry.

That is the case here. We are all familiar with the so-called Law of Unintended Consequences, which usually comes into play in government functions. By essentially making one source of the needed aluminum billets unaffordable, we are starving the manufacturing sector of essential materials. The unintended consequence is the loss of manufacturing capacity, the loss of jobs, an unnecessary threat to the supply chains of our critical infrastructure, and our national security.

That is where things stand in my industry – we are hobbled by the conflict of several governmental imperatives.

Information Technology and Operational Technology

Of course, there are the obvious applications of IT and OT in the aluminum industry, just as there are in the endeavors of readers of Cyber Defense Magazine.

Participants in the aluminum industry rely on Supervisory Control and Data Acquisition (SCADA), IT, OT, and other computer-based systems. We are subject to many of the same requirements as other organizations using these systems. In collecting, transmitting, sharing, and storing data, we must maintain its confidentiality, integrity, and accessibility.

We, too, face conflicting priorities, and must find ways to comply and harmonize our responsibilities. Let me mention a few of them.

• Privacy concerns and rights of consumers, vendors, customers, and regulators often conflict with duties to comply with legal process for discovery under criminal investigations.
• Artificial Intelligence applications are growing in the impenetrable thicket of patents, copyrights, and other protected intellectual property.
• We all operate on the Security-Convenience spectrum, choosing how to balance the two priorities
• Risk Management is another overlap in our activities, especially choosing which risks to retain and resolve and which ones to lay off on a third party (cyber liability insurance, for example)
• We also must recognize that compliance with Legal and Regulatory requirements may not always be sufficient to avoid liability for our organization’s acts or omissions

How we are addressing these challenges

Based on my belief that in the marketplace, as in life, we are more alike than we are different, we are taking several parallel steps in our future strategy and operations. We have established ourselves in the industry as both a niche player and a vertical expansion vehicle. There are four principal initiatives we are pursuing to implement our program, and I believe that in your capacity with your own organization, you will find them instructive.

Internal

We have created an organization culture to encourage our employees to be dedicated to the mission of our company. They understand and value the work we do, and are committed to our success. Training and education are an integral part of our advancement program. In cybersecurity terms, we assure that everyone is aware of the latest developments and prepared to avoid cyber attacks.

Marketplace

As we source products to deliver and support the critical infrastructure sector of manufacturing, and aluminum in particular, we conduct very detailed information and analysis of supply and demand data, our competitors, and relevant trends affecting our business.

That includes both upstream and downstream verticals, as our vendors, customers, and related providers are constantly engaged in mergers and acquisitions.

Government

Any organization operating in an industry subject to State and federal laws and regulations, or doing business directly with any level of government, or receiving any funding from government sources, inevitably faces requirements to comply with some form of statute or regulation.

We conduct an ongoing review of the places where our operations intersect with these types of requirements.

Of the three branches of government, our general approach is to work directly with the agencies of the executive branch first, since that is where laws are applied and enforced and where regulations are promulgated.

In the event of conflicts in public policy priorities, or inconsistencies in legislation, we occasionally provide information to legislators where that may assist them in making needed changes to statutory law.

In general, we prefer to avoid the costly and lengthy judicial process, but we do follow legal actions taken by others in our industry, including the trade associations of which we are members or supporters.

Community

Last, but never least, we work to support and coordinate our activities with the communities where we have operations or where others in our industry can do so. We encourage our company leaders and all employees to be active in their own communities. It’s just good business.

Conclusions

Cybersecurity is a growing and well-recognized element of every successful business. Its importance is demonstrated by the awareness of top management and directors of organizations, and further reflected in the budget and staffing provisions in this area.

The CISO does not exist in a vacuum, and the successful integration of cybersecurity into the organization’s overall activities depends on navigating a broad two-way street: the CISO must keep current on the mission and values of the organization, and the leaders of the organization must assure that all employees, from top to bottom, are cognizant and duly respect the role of cybersecurity.

About the Author

Brian Hesse is Co-Owner, President, and Chief Executive Officer of PerenniAL. He has 26 years of experience in the aluminum industry in a variety of executive leadership, sales and marketing positions, including President/Chief Executive Officer for the Americas at Rusal America Corporation; Vice President/Sales and Marketing for the Americas at Vedanta Resources Limited; Global Defense Sales Director and Americas Sales Director – Industrial at Aleris International, Inc.; and Director of Global Accounts at Ryerson Corporation, where he began his career in the industry.

Brian serves as Chairman of the Board for Big Brothers Big Sisters in Westchester County, NY, and is a frequent volunteer at the organization’s events. He also is a Board Member of the Northwest Missouri State University Foundation, where he is a graduate. In his free time, Brian enjoys tennis and other outdoor activities with his family. Brian is an avid Kansas City Chiefs fan.

The PerenniAL website is at https://www.theperennial-group.com/ and Brian can be reached online at https://www.linkedin.com/in/aluminumexpert/