Here’s a pop quiz: When you hear the term “cyber security,” what comes to mind?
1. Crime
2. Disease
If you picked the first choice, I’m not surprised. Most people think of cyber security in terms of criminal activity (cyber theft), civil unrest (hacktivism), and spying or espionage (state-sponsored activities). But I would argue that while associating cyber security with crime seems quite natural, comparing it instead to public health and the fight against disease is a more useful paradigm.
If we approach cyber security as an issue of digital disease, with the antidote as healthy networks, we might actually gain ground in protecting ourselves from the effects of malicious cyber activity.
In other words, cyber security is a public digital health issue.
Consider personal health: We all know that exercising, eating healthy foods and taking care of our social needs contributes to well-being and enables us to live longer. Maintaining excellent health requires unwavering focus and dedication for all aspects of our well-being. Similarly, cyber security is an ongoing part of a company’s culture that demands constant vigilance and maintenance.
Organizations must emphasize situational awareness and ask themselves, “Do we know what the risks are, and do we have a strategy in place to respond to the wide variety of risks in existence today?” Only when we treat cyber security as a state of being—as our system’s health—are we cyber-ready and resilient in the face of increasingly sophisticated attacks.
According to the SANS Institute’s SANS 2016 State of ICS Security Survey, organizations are increasingly taking a reactive approach to cyber security, such as by waiting for vendors to provide patches once a bug is detected. In 2015, 37 percent of respondents took that approach, but that has now grown to 47 percent.
Organizations should not sit and wait for vendors and suppliers to alert them to a potential incident. This is particularly true for industrial organizations with vulnerable operational technology (OT) environments. OT-driven companies should work with vendors to recognize and respond to threats, but not rely on them alone. Instead, they must actively monitor internal traffic and industry alerts, as well as implement threat-detection and -protection tools.
To maintain good cyber hygiene, organizations with connected OT environments and connected devices must educate employees on how and why cyber security is a fundamental part of their company’s culture, conduct asset inventories and regular security assessments, and roll out a robust incident response (IR) plan to mitigate the impact of a cyber-attack. These steps may include:
Training: People are the most critical element in cyber security. Raising awareness among non-technical staff about risky behaviors, and aligning technical staff on procedures for safe digital operations and on their roles in the event of an incident, will help to ensure that an organization improves its resiliency against cyber threats. As threats become more persistent and advanced, training tailored to the industrial cyber landscape will help businesses meet the growing need for new skills, and drive better awareness around OT-specific security requirements for both operators of assets and IT security professionals.
Asset inventory and assessment: According to the SANS Institute, only 26 percent of organizations have performed a security assessment within the past quarter. Considering that the average length of time between a breach and the discovery of an infiltration (dwell time) is between four and six months, the data suggests that assessments should be conducted more frequently. Further, NIST Guidelines mandate asset inventory and management as the first critical step to improving an organization’s security posture. In IT environments, computers interact with the network every time someone logs in, making it easier to keep track of access and network traffic. In OT environments, however, assets may be connected, but not actively communicating with other machines. This doesn’t mean they aren’t vulnerable. Operators must keep tabs on their equipment to recognize risks and appropriately scale resources for a response effort.
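The point above about OT assets that are connected but rarely communicate is easy to miss when an inventory is built only from what the network shows you. The following is an added illustration (not code from the article or from Wurldtech/GE Digital) of reconciling a declared asset list against passively observed activity: it separates assets seen recently, assets that have gone silent, assets never observed at all (which in an OT zone need active verification rather than being assumed absent), and observed hosts missing from the inventory. The inventory, the observation records and the timestamps are constructed sample data; the zone labels and the 30-day silence threshold are assumptions.

```python
"""Reconcile a declared IT/OT asset inventory against passively observed
network activity. Added example; all records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    zone: str  # assumed labels: "IT" or "OT"


# Constructed inventory, as an operator might declare it.
INVENTORY = [
    Asset("10.1.0.10", "hr-laptop-01", "IT"),
    Asset("10.1.0.11", "fileserver", "IT"),
    Asset("10.2.0.20", "plc-line1", "OT"),
    Asset("10.2.0.21", "hmi-line1", "OT"),
    Asset("10.2.0.22", "plc-line2", "OT"),  # connected, but never talks
]

# Constructed observations: (source IP, last-seen ISO timestamp). In practice
# these would come from auth logs, DHCP leases, switch tables or a passive sensor.
OBSERVED = [
    ("10.1.0.10", "2016-11-01T08:02:00"),
    ("10.1.0.11", "2016-11-01T08:05:00"),
    ("10.2.0.21", "2016-11-01T07:55:00"),
    ("10.2.0.20", "2016-09-10T12:00:00"),  # stale: last seen weeks ago
    ("10.2.0.99", "2016-11-01T08:10:00"),  # not in the declared inventory
]

# Assumed "current time" for the report, so the example is deterministic.
NOW = datetime.fromisoformat("2016-11-01T09:00:00")


def reconcile(inventory, observed, now, silent_after=timedelta(days=30)):
    """Return which declared assets are active, silent or never seen,
    plus observed addresses that are unknown to the inventory."""
    # Keep only the most recent sighting per address.
    last_seen = {}
    for ip, ts in observed:
        t = datetime.fromisoformat(ts)
        if ip not in last_seen or t > last_seen[ip]:
            last_seen[ip] = t

    known = {a.ip for a in inventory}
    report = {"active": [], "silent": [], "never_seen": [], "unknown": []}
    for asset in inventory:
        seen = last_seen.get(asset.ip)
        if seen is None:
            # Absence of traffic is not evidence of absence, especially in OT.
            report["never_seen"].append(asset.ip)
        elif now - seen > silent_after:
            report["silent"].append(asset.ip)
        else:
            report["active"].append(asset.ip)
    report["unknown"] = sorted(ip for ip in last_seen if ip not in known)
    return report


def needs_active_verification(inventory, report):
    """OT assets that passive observation cannot vouch for: these are the
    ones an operator must check by other means (site walk, vendor tooling)."""
    unverified = set(report["never_seen"]) | set(report["silent"])
    return sorted(a.ip for a in inventory if a.zone == "OT" and a.ip in unverified)


def run_report():
    report = reconcile(INVENTORY, OBSERVED, NOW)
    report["verify_ot"] = needs_active_verification(INVENTORY, report)
    return report


if __name__ == "__main__":
    for category, ips in run_report().items():
        print(f"{category:>11}: {', '.join(ips) or '-'}")
```

The useful output is the last two categories: an OT controller that has never appeared in any log is not the same as one that was decommissioned, and an address talking on the network that no one declared is exactly the gap an assessment is meant to find.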
Incident Response: Organizations can increase awareness and implement great tools, but without planning and preparing for real scenarios and incidents, they won’t increase their readiness for an attack. According to FireEye’s 2016 Industrial Control System (ICS) Vulnerability Trend Report, approximately 33 percent of the vulnerabilities examined did not have a fix available at the time of public disclosure. This means that more than one-third were zero-day vulnerabilities. When vulnerabilities and attackers are unknown, organizations must quickly and efficiently execute incident response programs. Organizations with large OT environments must have incident response preparations for OT vulnerabilities and should be regularly exercising the plan to identify and remediate any incorrect assumptions or miscommunications. There should be an incident captain, defined roles and responsibilities, clear lines of communication with detailed contact information and continuous updates for key stakeholders, suppliers and customers that may be impacted.
While organizations need to shift the association around cyber security away from “crime,” this process doesn’t diminish the severity of the threats—the majority of which are, in fact, crimes. According to the SANS Institute’s 2016 assessment of ICS security, 17 percent more organizations placed blame on hackers this year than they had in 2015, and attributions to organized crime were up 11 percent in 2016. (Employees, activists and suppliers were among the other sources respondents indicated.)
Attacks on industrial organizations and connected devices are more likely associated with planned attacks and skilled attackers. These organizations must embrace cyber security as a standard business practice and remain constantly vigilant concerning the health of assets and the networks on which they communicate. OT cyber security begins with awareness and grows into a robust practice through increased training and cultural transformation across the organization.
Rebecca Lawson is the executive director of cyber for Wurldtech, GE Digital. Lawson has a long-standing background of 25 years in product management, strategy, marketing communications and business development. She is also a frequent public speaker and the published author of several technology-related publications.