The world seems to be fixated on the cyber threat. There are exceedingly elaborate methods used to capture, characterize, and share the signatures of emerging threats in real-time. In an effort to stay one step ahead of the threat (or at least not too far behind) are public and private efforts that include machine-to-machine exchanges of threat information. We have STIX and TAXII, we have threat analytics, threat collaboration, and even threat managed services. Our ability to identify threat actors has advanced to the point where the federal government has issued arrest warrants for citizens of other countries. Going after the threat actors does seem like a good use of all this threat information. However, the question remains as to just how much this helps the defenders of critical infrastructure.
One of the touted benefits of threat information sharing is that from a defender’s perspective, it allows you to focus your efforts and erect mitigation for those known threats. This sounds like a good thing as long as you are not the first one targeted by the threat. This is a case where being first is decidedly a negative. If you happen to be the first one targeted by the threat, then it could be days-months-years before the threat is identified and mitigations are shared with other likely targets. So, you can hope you are not the first, but hope is not a very effective mitigation strategy. One of the characteristics of large plant ecosystems is that they do not change overnight. In other words, even with advanced notice of a threat, the only immediate solution in many cases would be to shut the plant down, and that is not a likely scenario.
Granted, there are no silver bullets. Whatever an asset owner does will cost something. Even doing nothing has an eventual cost. Perhaps throwing up defenses just-in-time to thwart a threat is one way to minimize the cost of cyber security. Clearly, if you are standing in the batter’s box and a fast ball is barreling toward your head, the best thing to do is duck. But, the analogy breaks down when you imagine that all the players on the other team can also throw a ball at you as well as every one of the 30K spectators. In this extreme example it becomes clear that ducking is not the best strategy. You really need a 360 degree defensive posture. You need more than just awareness of the threat, you need to know about all the possible attack vectors. This level of knowledge is not something that can be gained overnight and takes concerted effort as well as management support (i.e., budget). The first step in this journey to a more secure and robust future for critical infrastructure is to establish a process-based solution that provides continuous improvement over time.
Knowing what the threat is doing, how it is morphing over time, and getting better at attribution is a very good thing for those whose job it is to go after them. However, critical infrastructure asset owners may be better served to establish a sustainable and measureable cyber security program that provides a robust capability with continuous improvement over time. This approach (sometimes referred to as the Quality Movement), while not yet the standard approach for industrial control systems security, is well established in many other sectors such as automobile manufacturing.
If you know your systems intimately, if you have a well-established cyber security capability (with performance metrics in-hand), you are on your way to a less threat-centric existence. The next time you see someone turn pale at the news of yet another more sophisticated threat, you can relax and order another cappuccino with your morning paper. If you would like a blueprint on how to build such a future, I invite you to study the Robust Industrial Control Systems Planning and Evaluation (RIPE) Program.
Perry Pederson