Our attitude towards national cybersecurity has been broken, and not just by what happened recently: cybersecurity has been undermined for decades.
Nearly 17 years after I testified to the Senate Subcommittee on Terrorism, Technology, and Homeland Security about the cyber risks faced by critical infrastructure, especially the Industrial Control Systems (ICS) used to manage that infrastructure, a ransomware attack on the Colonial Pipeline system occurred. Although other events before this should have triggered a fundamental change in our cybersecurity approach, I, like many other long-term observers, believe (perhaps naively) that this will be the wake-up call our business leaders need.
Whether we press the permanent snooze button again remains to be seen. But there is a way to repair our broken system: adopt a risk-oriented cybersecurity approach that bridges the gap between cybersecurity and the business once and for all, and align the entire enterprise around a single North Star, focusing on which risks matter most to the organization.
The significance of the Colonial Pipeline attack
Everyone knew that an incident like the one against Colonial Pipeline was coming. The warning light has been flashing red for 20 years. Just four years ago, a Russian threat group called "Sandworm" took down part of the Ukrainian power grid. A year later, the NotPetya ransomware attack cost the shipping company Maersk and FedEx roughly US$300 million each. There will be more Colonial Pipeline-style attacks against other critical infrastructure and enterprises.
But what this incident really shows is that business leaders and boards of directors urgently need to have a dialogue with their chief information security officer about cyber risk, in terms they can understand. The damage caused by the Colonial Pipeline attack is huge, but it is also measurable. Although the incident is regrettable, it may actually help some non-IT leaders understand cyber risk. After all, what can be quantified can be managed.
Cyber risk should be treated like any other operational risk. Cyber threats are not hypothetical: they are imminent and very real risks for companies. However, without understanding that risk is a business issue, not a technical issue, critical infrastructure owners and operators may not focus their resources on the right things.
The Obama, Trump, and Biden administrations have all launched strategies to shift to a risk-oriented approach to cybersecurity. However, board of directors' decisions have not reflected this nationally recognized and growing priority on automated cyber risk quantification. By increasing the use of risk-oriented security procedures, it is possible to better manage everything from resource allocation to operations and processes. This approach provides greater flexibility and better strategies for prioritization, and it is usually more cost-effective in the long run.
Solving the prioritization challenge
My review of the publicly reported details of the Colonial Pipeline attack, coupled with a personal conversation with an outstanding ICS expert in the United States, led me to believe that there are two main factors that may have contributed to the temporary loss of this very critical energy infrastructure:
- Business and cybersecurity leaders did not engage in detailed conversations about cyber risks and their potential financial and operational impacts.
  - We have known for decades that ICS systems operate in dangerous interconnection with business networks. A risk dialogue grounded in real-world threat intelligence would have made the ransomware scenario a top priority.
- Like those at all other companies, Colonial Pipeline's cyber defenders (threat analysts and incident responders) are drowning in alert data, unable to prioritize their workflows or respond automatically.
  - Just two months before the Colonial Pipeline attack, the Department of Homeland Security issued a ransomware alert to the energy sector. That threat intelligence should have informed risk quantification and driven a coordinated, automated response throughout the security technology stack.
A risk-oriented approach to cybersecurity takes the adversary into consideration. Thinking like a threat actor forces you to analyze and evaluate the scenarios you need to prepare for, and the risks that need to be considered, which may require new investment. Not only are the threat landscape and the parts of it relevant to your business changing, but the controls, applications, endpoints, and data types in your environment are changing too. The risk-oriented approach moves your cyber risk quantification work beyond point-in-time assessment and makes it an ongoing process.
The Colonial Pipeline attack froze the business decision systems rather than the control systems, which leads me to believe that we still have not succeeded in explaining the importance of cyber risk to business leaders. The cyber risk community needs to find a way to let business leaders and government agencies understand the consequences and potential long-term effects of cyber threats. We need to prove, from an investment perspective, that all leaders should accept the importance of risk management. Reactive measures are not enough, and outdated manual risk management plans cannot stand the test of time.
Dan Verton is a former intelligence officer in the US Marine Corps and has written many books on cybersecurity. He is currently a director at ThreatConnect.