Oh look! Squirrel!
I am not much of a blogger. I should be but I’m not. This is strange, because I always have plenty to say.
This subject just gets me going so I am writing about it. I welcome feedback and opinions.
I have been in cybersecurity in one form or another for over 30 years, whether as the target of attacks while working as an IT Manager, or as a consultant trying to educate client companies and help them with products and services. In all that time I have seen the same trend over and over again.
When a company has had a realized or suspected cyber event, they go into proactive response mode and begin investigating. At that point my phone generally rings off the hook and my email fills up:
“Can you help us?”
“We need to understand what has happened.”
The urgent requests come in all forms.
I call back and, whether it’s an hour or a day later, it seems the goldfish has swum around the bowl and everything is new again. Or a squirrel ran across the yard, a complete distraction, and everyone has forgotten about cybersecurity. Or it’s lunchtime. Everyone has a lot on their plate, that is understood, but cybersecurity cannot be addressed only when an event happens and then forgotten. The cybersecurity effort has to be kept at the forefront of everybody’s thoughts. How do we accomplish this? It’s not easy. Training is great; role-based training is excellent. Reminders such as emails at regular intervals help; posters and signs are a great step.
What also really helps, alongside that continual reinforcement, is actively accounting for the human factor: reviewing your current situation and implementing preventative countermeasures. Keeping senior management apprised of recent events, both internal and external to the organization, what the result was, and what steps are being taken to prevent a similar event from becoming an incident for you helps to keep them engaged. And their engagement and support means a budget and resources.
Some of the steps that need to be taken include:
- Adequate, ICS-specific policies in place and trained upon
- Confirming patch and anti-virus updates are being accomplished as designed and planned
- Any changes to infrastructure are controlled through change management processes
- Training and knowledge refreshes are done on a regular basis
- Have an assessment performed by an objective third party
- Follow up on the recommendations in a timely manner
- Have a follow-up assessment performed once mitigations are implemented
- Generally one of the most common recommendations is to segment the network. Make sure the devices are industrial, that you have control over them, and that only necessary protocols are permitted
- Assign a group or committee to promote and promulgate cybersecurity throughout the organization. It should be dedicated to the industrial control system, but one for the enterprise side should be in place as well. Both groups have a common goal, so use the resources the other group may already have in place
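The segmentation recommendation above is easy to state and hard to keep true over time: the point is not only to draw the zones but to verify, on an ongoing basis, that only the necessary protocols actually cross them. The following script is an added illustration and not code from the original post. It assumes a constructed zone layout (enterprise, DMZ, control), a constructed allowlist of permitted protocol/port pairs between zones, and a handful of constructed flow records in a simple `key=value` format; it flags every observed flow that the policy does not explicitly permit.

```python
"""Check observed ICS network flows against a zone-to-zone protocol allowlist.

Added illustration for the segmentation recommendation; not from the
original post. Zone subnets, port numbers and flow records are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed zone layout: which subnet belongs to which zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Allowlist: (source_zone, destination_zone) -> permitted (proto, port) pairs.
# Anything not listed is a violation. Constructed policy for illustration.
ALLOWED_FLOWS = {
    ("control", "control"): {("tcp", 502)},                # Modbus/TCP HMI <-> PLC
    ("dmz", "control"): {("tcp", 502), ("tcp", 44818)},    # jump host -> PLC (Modbus, EtherNet/IP)
    ("control", "dmz"): {("tcp", 4840)},                   # PLC -> historian (OPC UA)
    ("enterprise", "dmz"): {("tcp", 443)},                 # enterprise -> historian web UI
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src=IP dst=IP proto=tcp dport=502'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def check_flow(flow: Flow) -> Optional[str]:
    """Return None if the flow is permitted, otherwise a reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return f"address outside any defined zone ({flow.src} -> {flow.dst})"
    allowed = ALLOWED_FLOWS.get((src_zone, dst_zone))
    if allowed is None:
        return f"no path permitted from {src_zone} to {dst_zone}"
    if (flow.proto, flow.dport) not in allowed:
        return f"{flow.proto}/{flow.dport} not permitted from {src_zone} to {dst_zone}"
    return None


def find_violations(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Return every flow that the allowlist does not explicitly permit."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed sample flows, e.g. exported from a firewall or span-port capture.
SAMPLE_FLOWS = [
    "src=192.168.100.10 dst=192.168.100.20 proto=tcp dport=502",   # HMI -> PLC Modbus: ok
    "src=10.20.0.5 dst=192.168.100.20 proto=tcp dport=44818",      # jump host -> PLC EtherNet/IP: ok
    "src=10.10.4.7 dst=192.168.100.20 proto=tcp dport=502",        # enterprise laptop -> PLC: no path
    "src=192.168.100.20 dst=10.20.0.9 proto=tcp dport=4840",       # PLC -> historian OPC UA: ok
    "src=10.20.0.5 dst=192.168.100.20 proto=tcp dport=3389",       # RDP into control zone: not permitted
    "src=172.16.0.3 dst=192.168.100.20 proto=udp dport=161",       # unzoned network polling SNMP
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against the constructed records, the script reports three violations: the enterprise laptop reaching a PLC directly, RDP crossing into the control zone, and traffic from an address that belongs to no defined zone. The same structure works with real flow exports: the allowlist becomes the documented policy from the change-management process, and a non-empty violation list is the evidence to bring to the committee.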
The bottom line is that I don’t have the magic answer for how to keep the cybersecurity focus alive. I wish I did. I am still looking for that magic bullet that makes control systems secure before that “something” happens.
How do you keep the effort moving forward? How much success have you had? Did an incident have to occur to you before the effort was taken seriously?