On Friday of this past week, many countries around the world marked the one-year anniversary of the invasion of Ukraine. I certainly have my views on this entire matter, but that is a topic for a different kind of blog setting.
There have been many ramifications from this war, especially on the Cyber front. There were huge fears of Ransomware attacks, Phishing attacks, and even attacks on our own Critical Infrastructure. While there have been some hacks here and there, to the best of my knowledge there has been no large-scale one, at least not yet.
But it is the latter threat, the one to Critical Infrastructure, that scares me the most. Alarm bells have been ringing from all parts of the Cyber front that we need to take this much more seriously than we do now as a society. Heck, even our own Federal Government has been issuing alerts this year.
Unfortunately, as I have written about before, much of our Critical Infrastructure was designed back in the 1960s and 1970s. Back then nobody even thought of Cybersecurity; the main focus was Physical Security. Because of this, many of the technologies are now outdated, and in fact some are no longer produced. So we are stuck with a conundrum: we simply can’t rip out the legacy systems and put new ones in, and at the same time we simply cannot apply new patches and upgrades because the technology is so old. So what is one to do?
Well, it all comes down to basics. I came across an article this morning which offered some tips along these lines. Here is what the author proposed:
1) Employees are the greatest threat: We have heard this who knows how many times. Quite frankly, I don’t agree with all of it. Employees are actually one of your greatest assets. They can literally be the eyes and ears that you need in order to keep up with any threats, especially when it comes to Insider-based attacks. Rather, it is the environment that they are in which leads to their bad Cyber Hygiene habits. What I mean by this is that it all comes from the top. Heck, if the C-Suite doesn’t care, why should the employees? You can rant and rave as much as you want about how important Cyber Hygiene is in your security awareness training programs, but that won’t mean a hill of beans unless upper management leads this effort. So if you are the CISO at an oil supply company, you had better be darned sure that you are practicing good Cyber Hygiene yourself if you expect your employees to do the same.
2) Social Engineering is the next new normal: Now, this is something that I fully agree with. The Cyberattacker of today is ditching the older ways of encroaching upon your digital assets. Now, they will be trying to con your employees (and even other key stakeholders) into giving out information and data. A typical attack here would be a phone call to an administrative assistant working at a nuclear facility, aimed at getting them to give away some secrets. Or it could be a Business Email Compromise (BEC) attack sent to your Accounting department asking them to send millions of dollars to a phony overseas account. This is where I believe a good security awareness training program should focus. As a CISO, you need to be teaching your employees what to look out for if they feel they are close to becoming a victim of one. In fact, just in the last year, Social Engineering attacks cost Critical Infrastructure over $4.8 million per incident (SOURCE: https://securityintelligence.com/posts/whats-new-2022-cost-of-a-data-breach-report/?_ga=2.36984227.2031350507.1674256954-834892342.1674256954). But here is something else you need to keep in mind: just because your employee may have fallen victim to a Social Engineering attack does not mean that they are the weakest link in the proverbial security chain!!!
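The BEC scenario above is a good candidate for a technical backstop to awareness training: a mail-gateway triage hook that scores each inbound message on the indicators employees are taught to look for (a Reply-To that leaves the organization, an executive's display name on an unknown address, a look-alike sender domain, and urgent payment language). The following is an added example written for this post, not code from the article's author; the organization domain, the executive directory and the two sample messages are all constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed values for illustration (assumptions, not from the post):
# the defended organization's mail domain and a tiny executive directory.
INTERNAL_DOMAIN = "example-utility.com"
EXECUTIVE_DIRECTORY = {"jane doe": "jane.doe@example-utility.com"}

URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "account number", "gift card")


@dataclass
class Message:
    """Header fields and body as a mail gateway would hand them to a triage hook."""
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (one character off)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason is one BEC indicator that fired."""
    reasons: list[str] = []
    from_domain = domain_of(msg.from_addr)

    # 1. Reply-To on a different domain than From: replies would leave the organization.
    if msg.reply_to and domain_of(msg.reply_to) != from_domain:
        reasons.append(f"reply-to domain {domain_of(msg.reply_to)} differs from sender domain {from_domain}")

    # 2. Display name of a known executive on an address the directory does not list.
    expected = EXECUTIVE_DIRECTORY.get(msg.display_name.strip().lower())
    if expected and msg.from_addr.lower() != expected:
        reasons.append(f"display name '{msg.display_name}' used from non-directory address {msg.from_addr}")

    # 3. Sender domain one edit away from the internal domain (examp1e vs example).
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 1:
        reasons.append(f"sender domain {from_domain} is a look-alike of {INTERNAL_DOMAIN}")

    # 4. Urgency language combined with a payment request: the classic BEC pretext.
    text = f"{msg.subject} {msg.body}".lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        reasons.append("urgent payment or transfer request in subject/body")

    return len(reasons), reasons


# Constructed sample messages (not real mail): one BEC attempt, one ordinary note.
BEC_SAMPLE = Message(
    display_name="Jane Doe",
    from_addr="jane.doe@examp1e-utility.com",
    reply_to="ceo.office@webmail-example.net",
    subject="Urgent wire transfer",
    body="Please process this wire transfer today and keep it confidential; I am in a meeting.",
)
BENIGN_SAMPLE = Message(
    display_name="Bob Smith",
    from_addr="bob.smith@example-utility.com",
    reply_to="bob.smith@example-utility.com",
    subject="Lunch",
    body="Anyone free for lunch today?",
)

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, BENIGN_SAMPLE):
        score, reasons = triage(sample)
        print(f"{sample.subject!r}: score {score}")
        for r in reasons:
            print("  -", r)
```

A score of two or more is a reasonable threshold for holding the message for a second look by Accounting or the security team; the point is that the same indicators the training teaches people to notice can be checked mechanically before the message ever reaches them, so a single employee's lapse is not the last line of defense.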
3) Beware of the IoT: As you might already know, this acronym stands for the “Internet of Things”. In a very general sense, this is where all of the objects that we interact with on a daily basis, in both the physical and virtual worlds, are interconnected. While this can bring many great benefits, it also has its own set of pitfalls. Many companies in Corporate America have now started to embrace this new kind of technology, and in fact have started to deploy it. But the gravest security risk here is that, as a CISO, if you follow suit you are simply expanding the attack surface for the Cyberattacker. So if you are leading the security initiatives for a Critical Infrastructure, be very careful as to how you deploy any kind of IoT device. Remember, the vendors who make these kinds of products do not factor security into them, or if they do, it is very minimal at best. And always make sure that you change the security default settings to match your own requirements.
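"Set the default settings to your own requirements" only scales if those requirements are written down as a baseline and every device export is checked against it, so that a device left at vendor defaults shows up as a finding rather than being discovered after the fact. The following is an added example written for this post, not code from the article or any vendor: the setting names, the key=value export format and the three device exports are constructed assumptions, and the baseline values are illustrative of the kind of requirement a site would set.

```python
from __future__ import annotations

# Assumed baseline: what our own requirements say each setting must be.
# Setting names and the key=value export format are assumptions for illustration.
BASELINE = {
    "telnet_enabled": "false",
    "upnp_enabled": "false",
    "admin_password_is_default": "false",
    "remote_admin": "lan_only",
    "firmware_auto_update": "true",
    "tls_min_version": "1.2",
}


def parse_config(text: str) -> dict[str, str]:
    """Parse a key=value export, ignoring blanks and '#' comments; keys and values lower-cased."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().lower()
    return settings


def audit(config_text: str) -> list[str]:
    """Compare one device export against BASELINE; return one finding per deviation."""
    settings = parse_config(config_text)
    findings: list[str] = []
    for key, required in BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            # A missing setting is a finding too: the export cannot prove the baseline holds.
            findings.append(f"{key}: absent from export, baseline '{required}' unverified")
        elif key == "tls_min_version":
            # Numeric floor rather than exact match: 1.3 satisfies a 1.2 minimum.
            if float(actual) < float(required):
                findings.append(f"{key}: {actual} is below required minimum {required}")
        elif actual != required:
            findings.append(f"{key}: is '{actual}', baseline requires '{required}'")
    return findings


def rank_devices(exports: dict[str, str]) -> list[tuple[str, int]]:
    """Order devices by number of findings so the worst offenders get fixed first."""
    return sorted(((name, len(audit(text))) for name, text in exports.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed exports (not from any real vendor or site).
FACTORY_DEFAULT_EXPORT = """
# vendor defaults as shipped
telnet_enabled=true
upnp_enabled=true
admin_password_is_default=true
remote_admin=wan
firmware_auto_update=false
tls_min_version=1.0
"""

HARDENED_EXPORT = """
telnet_enabled=false
upnp_enabled=false
admin_password_is_default=false
remote_admin=lan_only
firmware_auto_update=true
tls_min_version=1.3
"""

# Same as hardened but the export omits the TLS setting entirely.
PARTIAL_EXPORT = """
telnet_enabled=false
upnp_enabled=false
admin_password_is_default=false
remote_admin=lan_only
firmware_auto_update=true
"""

DEVICE_EXPORTS = {
    "gateway-01": FACTORY_DEFAULT_EXPORT,
    "camera-02": PARTIAL_EXPORT,
    "meter-03": HARDENED_EXPORT,
}

if __name__ == "__main__":
    for name, count in rank_devices(DEVICE_EXPORTS):
        print(f"{name}: {count} finding(s)")
        for finding in audit(DEVICE_EXPORTS[name]):
            print("  -", finding)
```

Treating an absent setting as a finding is deliberate: an export that says nothing about a control is not evidence that the control is set, and on legacy or minimal devices that silence is common. Run against the exports of every newly deployed device before it is allowed onto the plant network, the same check turns "be very careful how you deploy" into a pass/fail gate.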
My Thoughts On This:
As a CISO, trying to make your Critical Infrastructure as Cyber resilient as possible can be one of the most difficult things that you can ever face, given the obstacles just described. In fact, you may not know where to turn. But the good news here is that there is a starting point. The Cybersecurity & Infrastructure Security Agency (also known as “CISA”) has come out with a new framework, which can be seen at this link:
https://www.cisa.gov/topics/industrial-control-systems
This would be a good place to get started. Another good place would be to stop thinking that your employees are to blame for every Cyber incident that happens. We are all in this together!!! It is very important not to cast blame until a complete forensics examination has been completed.