Security is not enough. The real goal is resiliency
Digital transformation opens a tangle of security risks. But with careful thought and the right support, the rewards are within your reach.
January 2010
Stuxnet begins to damage centrifuges at a uranium enrichment plant in Iran. The attack lasts for months. Stuxnet is a malicious computer worm which can seek out the logic controllers that are used to automate various electromechanical processes - including those used on ordinary factory assembly lines.
December 2015
An attack on the Ukraine power grid leaves 230,000 people without electricity for hours. The perpetrators use a power station’s own digital supervisory control and data acquisition (SCADA) system and shut down a number of sub-stations. SCADA was originally developed for everyday industrial use.
June 2017
A global pharmaceutical company falls victim to a cyber-attack using the ‘NotPetya’ ransomware. The incident costs the firm $310 million in a single quarter – about average for a successful NotPetya attack.
Today
Viruses, worms and ransomware are easily obtainable from public download sites. So is advice on modifying them for your own purposes.
If this sounds incredible to you, try googling ‘where can I download Stuxnet?’ Click on the links at your own risk.
Are you a target?
We all know the value of data and how we can use it to become better informed and more efficient, and to increase business agility. But there’s a conundrum, which is this:
You can’t capture all the data you need without being connected to its sources. And the more connected you are, the more vulnerable you become to cyber-attacks.
It only takes one successful hack to ruin your reputation and brand.
There is absolutely no doubt that cyber-attacks are growing exponentially. Research from security analyst Online Trust Alliance has revealed that cyber incidents targeting businesses nearly doubled from 82,000 attacks in 2016 to 159,700 in 2017.
The firm also noted that the true number could be more than 350,000, when you allow for the incidents which are carefully hushed up.
Bottom line? Being attacked is not a question of ‘if’, it is a matter of ‘when’.
Defending against the inevitable
Online Trust Alliance calculates that 93% of cyber-attacks can be defeated by adopting best practice – updating security and systems software; better processing of emails; devising, implementing and enforcing enterprise-wide security policies, and so on. That should take care of the indiscriminate attacks.
But even if you do all that, there still remains the 7% of attacks which will get through. That’s more than 1 in 14. And those attacks, by definition, will be very sophisticated indeed.
So how do you go about building robust defences against such powerful, precisely targeted attacks?
The first thing to do is to seek out a security specialist which has first-hand knowledge of your industry. Aerospace manufacturers, for example, will have different systems and security requirements to automotive manufacturers. Both will have completely different requirements to nuclear power stations or rail operators.
Mitigating the risk
There is, of course, a huge difference between Information Technology (IT) and Operational Technology. Although IT is widely understood, your particular Operational Technology is likely to be unknown territory for the majority of IT security firms. That’s an important difference.
It’s important because you are likely to have unique vulnerabilities which could render standard security measures entirely insufficient. You therefore need security specialists with direct personal experience of – and expertise in – your particular industry.
After all, it is unreasonable to expect an advisor to spot what is abnormal if he doesn’t have a good working knowledge of what normal looks like. Without this insight, any decision that is made about advanced security is merely guesswork.
Let’s take one example. With the right industry expertise and specific knowledge of your Operational Technology, your security partner will have a good idea of what the most obvious points of entry to your network are. These can be monitored by machines for suspicious activity. If a potential attack is detected, it is flagged for human interpretation and, if necessary, isolated or blocked out.
In other words, although attacks are inevitable, suffering damage from them is not.
What to consider when selecting a cyber security partner
Engage a firm of security specialists which has a proven track record in your sector and understands your operational technology. This is crucial.
Work with your chosen supplier to identify the risks and opportunities presented by digital transformation, their specific importance to you and what can be done to mitigate or exploit them.
Here are a few of the things you need to think about when choosing a security partner:
- Do they have the skills and experience to anticipate the threats and risks that are particular to your organisation, in your industry?
- Do they have an active threat intelligence operation, or are they mostly reactive?
- Do they have the resources to detect and analyse potential security incidents early in the attack chain?
- Do they have the human (as well as machine) resources to monitor your systems 24 hours a day, 365 days a year?
- What are some of the metrics that they use to detect abnormal behaviour? Have they used these elsewhere in your market sector and how can they be tailored for your organisation?
- Do they keep up to date with the latest developments in security, and do they share that knowledge?
- If an attack does breach your security, or if there is an insider attack, how quickly will they be able to recover and restore your critical data? Are you sure?
Security is a never-ending, always fluid process. Ideally, you should team up with a partner who can provide 24/7 year-round protection, monitored by experienced cyber-security experts who have access to industry-specific threat intelligence and who can identify behaviours and incidents which are outside of the norm for your enterprise.
Let’s be clear about this. With cyber-attacks of increasing sophistication doubling every year, it’s simply not enough to be ‘secure’. Your real goal is resiliency.