If you weren’t one of the 3,000 security leaders from across the United States who gathered at the Gartner Security & Risk Management Summit 2019 in National Harbor, you missed an important talk.
Suzanne Spaulding, former Under Secretary for the National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS), and Nozomi Networks Advisor, hosted a session called Accelerating Industrial Cyber Security; Protecting Production & Profits.
Suzanne began by sharing her take on the changing threat landscape, and went on to discuss effective ways to build cyber resiliency in industrial and critical infrastructure. Read on to find out what she recommends.
The Changing Cyber Threat Landscape
“The World Economic Forum indicated recently that cyberattacks are one of the top five global risks for critical infrastructure. Effectively managing this risk is critical for business and for the nation. But what I’ve quickly noticed when engaging in cyber security conversations is that we spend a lot of time talking about threat and vulnerability, and not enough time assessing and addressing impact.
I think a shift needs to occur to make cyber security more tangible to business leaders. Rather than talking just about threats and vulnerabilities, we need to focus more on impact and consequences. The executives I’ve met in government and business are deeply concerned about continuity of operations and the impact of business interruptions. Moreover, this is something they understand. So, I think that shifting the discussion beyond IT/OT network issues to the business consequences of a cyberattack will go a long way towards securing the investment needed to protect the IT/OT network.
We’re facing a new and frightening threat landscape. Geopolitical tensions around the world are increasing, and threat actors are expanding their capabilities and destructive intent. Russia and China are the most capable of damaging attacks and, depending upon what else is happening in the world, may at any time have reasons to deploy that capability. Other countries are assessed to have less capability but also lower thresholds for use. For example, a few years ago, Sony Pictures suffered a destructive attack from North Korea and a casino in Las Vegas was hit by a destructive attack (attributed to Iran) after the owner made public comments about bombing Iran. We now live in a world where governments with malicious intent and the funds to create a cyber army can create havoc well beyond their own country’s borders.”
Two Key Factors for Building Cyber Resiliency
“The new threat landscape is creating unique needs across all industries, but especially for critical and industrial infrastructure organizations that are undergoing digital transformation. Based on my experience at DHS, I think there are two key things they, and all businesses, need to do to build operational resiliency against exploding cyber risks.”
1. Identify and Track All Your Assets
“It all starts with knowing what you have on your network, regardless of where assets are actually located. When I was at DHS, we asked each department and agency to tell us how many devices they had connected to the internet. They came back to us with numbers that we used to build the budget for technology that would support continuous diagnostics mitigation. When we deployed the tool, the actual number of devices was unbelievably higher than what we were expecting. Not only did this blow our budget, it made us realize how hard it was to create an accurate, up-to-date asset inventory. Yet this is so critical to gaining operational visibility. As they saying goes, you can’t protect what you can’t see.”
2. Detect Threats Quickly and Early
“It’s also critical to identify risks as they come into your system. Thinking again about my time at DHS, this equates to starting with a terrorist watch list of known and suspected threat actors. In cyber security, we start with known threat signatures, with threat indicators that we’ve already identified. But that isn’t enough.
At DHS, we then built a profile of terrorist attributes – did they buy a one-way ticket, did they apply through a country of concern, and so on. In cyber security, we need to build a profile of anomalous device and process behavior – is a device communicating in a new way, is network traffic much higher than normal, etc. You need to know what’s normal in your unique OT environment, and continuously monitor communications to spot anomalies that could indicate an attack or other problem.
This not only eliminates the need for staff to go around to a facility and check on assets, it reduces the time it takes to understand what’s going on, and begin remediation. Fortunately, advanced technology like that offered by Nozomi Networks does all of this in an automated way. This is a huge step forward, one we recognized as revolutionary at DHS.
Our old answer to the challenges created by IoT and expanding cyber threats was to simply unplug. An air gap environment would protect you. But we want all businesses and all citizens to be able to take advantage of the wonderful benefits of living in a connected world. In order to do that, you need to have appropriate levels of security.
In today’s world, a more advanced approach to security is needed – one that centers around the ability to monitor assets and connectivity in real time so that we can all be connected and safe.”
The Cost of OT Cyber Security Incidents
As Suzanne noted in her talk, a shift in thinking needs to happen to make cyber security more relevant to business leaders. To help move the discussion towards impacts and consequences, we’ve compiled an analysis of the most prominent cyberattacks that occurred in the past five years across a variety of industries. I think you’ll find our Executive Brief “The Cost of OT Cyber Security Incidents and How to Reduce Risk”, available below, very interesting.
