mhill
UK Editor

4 reasons why CISOs can’t ignore climate change

Feature
Jun 02, 2022 | 8 mins
CSO and CISO | Risk Management

Climate change is causing disruptions to the supply chain and critical services, and attackers are keen to take advantage of it.

Climate change may not be an issue synonymous with cybersecurity, but there is a growing need for the security sector to recognize and address the impact a changing climate is having. A new report from the World Meteorological Organization (WMO) stated that there is a 50% chance that, during the next five years, the global average surface temperature will exceed 1.5°C above the preindustrial average for the first time in an individual year.

Climate-related factors such as shifting weather patterns, resource availability, and mass migration could alter the cyberthreats organizations and governments face, introducing new or heightened risks in an already complex landscape.

Despite this, climate change remains a little-discussed topic of risk in boardrooms and teams within most enterprises, according to cybersecurity advisor, researcher, and change maker Chloé Messdaghi. “I’ve met with various executives in cybersecurity who have yet to discuss the potential impact of climate change to their business,” she wrote in a recent blog post. “When climate change is mentioned, it’s usually dismissed. Dismissed due to deniers of the existence of climate change or simply because they haven’t found the time to understand the potential risks.”

Climate change is one of the biggest challenges facing the future of the cybersecurity sector, Messdaghi tells CSO, and the topic must move higher up the agenda across businesses to address its implications. Here are four reasons why the cybersecurity sector cannot ignore – and must take steps to address – climate change.

1. Critical resources become key attack targets

One of the most significant aspects of climate change is its effect on the accessibility of key resources. For example, periods of drought can limit access to clean water while heavy storms can knock out electricity and gas pipelines, potentially leaving people without power, heating and food. When such critical resources are threatened, they and the systems that supply them become highly attractive attack targets for malicious cyber actors seeking to cause maximum havoc at times of crisis.

Messdaghi cites droughts in California as a prime example. “Water resource becomes very limited, and it becomes something very sacred, that we want to protect. If you think about nation state actors and how they may want to attack California in the future, the best way may be to go after its clean water. With climate change, the weather is going to get ever more severe and unpredictable, and that means changes and challenges towards our businesses.”

A recent joint cybersecurity advisory has already warned of advanced persistent threat (APT) adversaries using custom-made tools to attack industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices. In the event of key resources becoming limited, the likelihood of nation state actors or criminals taking advantage with attacks such as ransomware or DDoS increases. The advisory advocated for organizations in the space to implement enhanced security approaches to address growing threats posed to ICS/SCADA systems.

2. Power outages, energy shortages threaten cybersecurity protection

Heightened attacks targeting critical resources and systems are not the only security concern associated with climate change. Violent storms and drought-induced forest fires can lead to power outages and take systems offline, with renewable energy shortages adding to challenges. Security providers that rely on data centers to deliver their services could find themselves unable to do so, leaving organizations vulnerable, KnowBe4 CEO Stu Sjouwerman tells CSO. Vendors that are tied to one location could struggle, and so it’s important for businesses to invest in providers that take an agile approach to operations that can be moved at short notice, he adds.

“It is also possible that crisis response to a major weather event – as part of a business continuity response – could lead to security corners being cut to restore services more quickly,” says Andrew Barratt, vice president of cybersecurity consultancy Coalfire.

3. Mass migration increases remote working risks

Climate-associated factors such as rising temperatures are beginning to make some global locations less habitable, with more extreme conditions threatening to trigger mass migration across towns, cities, states and even national borders. This poses another potential security headache, and one that has already come to fruition throughout the COVID-19 pandemic. As the last two years have shown, when large numbers of people are forced to suddenly relocate, it can disrupt established working patterns and force individuals to adopt remote, riskier habits such as using less secure internet connections, devices, and network access points for work purposes.

Organizations have had a “good run” at tackling this during the pandemic where remote/hybrid working has become a trend, says Messdaghi, but it’s still an issue to acknowledge in the future as more established working patterns return. “It’s about having an agile and trusted identity and authentication process where you’re able to view and see where people are connecting from and making sure that you have all the precautions possible to eliminate potential risks,” she adds.

4. Climate-related financial and logistical challenges emerge

Climate change is also creating new financial and logistical challenges for organizations as security endeavors to keep up with threat demands, Peter Lowe, principal security researcher at DNSFilter, says. “As threat actors worldwide become more professional and organized, our preparations, defenses and responses need to keep up, and all that means increased dedicated cybersecurity resources. With climate change pushing up energy prices and imposing geographic restrictions, our choices of how to deploy resources are being limited, so as well as keeping up on a technical level, new logistical and financial challenges are starting to appear. New cybersecurity technologies and defenses must be carefully weighed as to how they’re decided on.”

This means greater care and attention is needed regarding where money is spent and in selecting the choices with the lowest environmental impact, which can make the vendor research process longer and more costly, Lowe adds. “Data center selection and workforce deployments need to consider where renewable energy is being produced, and what the impact is on the local environment. City centers or other areas with high pollution levels need to be avoided, and remote workers from regions with a lower environmental footprint must be considered even if they cost more or are less convenient.”

Supply chains are also an integral factor to consider, both from a resilience perspective with potential disruptions more likely from climate change events, but also from the standpoint of environmental impact, Lowe says.

Cybersecurity’s role in addressing climate change

Cybersecurity vendor Rapid7 established its own Environment Sustainability Committee in 2020. Raj Samani, Rapid7 senior vice president, chief scientist, tells CSO that the cybersecurity sector, as part of the wider technology industry, must address climate change. “Climate change is no longer an issue which the technology and cybersecurity industries can turn a blind eye to. The industry has already had an impact on climate change, with the ICT industry being responsible for between 2% to 4% of global carbon emissions. Additionally, it is not just carbon emissions that the industry is pumping out, but also high energy usage. For example, the sector’s electricity usage is estimated at 7%, and cryptocurrency has a 0.55% demand for electricity production.”

Demands for technology are increasing, and it becomes the industry’s responsibility to do something, Samani adds. “The technology sector has the opportunity to lead change; a report by the International Telecommunications Union showed technology can help monitor the climate, support food security, and stop deforestation.”

The cybersecurity sector must not underestimate its power to drive change, and there are measures it can put in place to address climate-related problems, Samani says. “Organizations need to be measuring major greenhouse gas (GHG) emissions, so business leaders can identify which departments have the greatest impact on climate change. A regular review of GHG emissions will allow the cybersecurity industry to reduce carbon-intensive activities and improve energy efficiencies and the procurement of renewable energies.”

Offices should have goals, practices, and metrics in place to create more sustainable workspaces, such as waste audits in headquarters and large offices to measure waste reduction along with banning single-use items to help reduce landfills, Samani says.

Changes already appear to be happening in the sector, with UK cybersecurity services company Bridewell recently announcing it has become carbon negative, making it the first UK cybersecurity organization to achieve carbon net zero in accordance with recognized standards. The firm said it reached net zero through a combination of initiatives, including a switch to renewable energy, offsetting, and climate projects, stating that it wants its journey to act as a blueprint for those looking to drive sustainability improvements and that it is sharing its experiences with other like-minded businesses and customers to help embed sustainability into their cybersecurity strategies.

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
