Critical infrastructure systems are the backbone that have kept civilization functioning during the global lockdown. The incapacitation of these systems would have had a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. With ever-increasing pressures from external and internal threats, organizations responsible for running critical infrastructure need to have a consistent and iterative approach to identifying, assessing and managing cybersecurity risk. This approach is necessary regardless of the infrastructure organization’s size, threat exposure or cybersecurity sophistication today.
At the recent virtual GRC Summit 2020, MetricStream spoke to four cybersecurity leaders in critical infrastructure organizations, across verticals such as telecom, energy, healthcare and government services.
The global disruption to businesses has put the spotlight on organizations’ security and business continuity practices. Malicious actors are already exploiting the gaps opened by reduced IT staffing and the use of personal devices and insecure public and home networks.
Organizations likewise are encountering an uptick in social engineering schemes aimed at instigating workers to open coronavirus-related messages infected with malware. Meanwhile, many businesses are facing data privacy questions regarding the collection and disclosure of personal information as they monitor the virus’s impact on their organizations.
“We witnessed almost a 60 to 65 percent increase in cyber threats during the first few weeks – between the second and third week of March,” said Manish Tiwari, Chief Information Security Officer, Airtel.
“This includes phishing attacks, and also attempts to do distributed denial of service attacks, and many more. And you know, a lot of automation that we actually put in place allowed us to cater to the increased workload,” he added.
Many organizations that have been overwhelmed by the gravity of what just happened panic (understandably so) and either lose focus or fail to gain it entirely. Their actions are erratic and disjointed instead of being coordinated and tactical. Senior management wants to fix every possible vulnerability and attack vector under the assumption that doing so will help them save face with the Board, the customers and the court of public opinion (movement for the sake of moving). In reality, by not taking the time to formulate a logical response strategy based on the nature of the vulnerabilities that were present during the attack, they become the primary obstacle to achieving the very thing they are trying to accomplish.
“Don’t skip steps, and don’t skip things you would normally do and require in core project management approaches. Because if you were to skip steps you could reap the whirlwind of hurt.” – Garrett Smiley, CISO and VP of Information Security, Serco Inc.
Prior to the pandemic, automation adoption within the workplace was experiencing a steady upward trajectory as companies – from call centers to warehouses to fulfilment centers and more – sought to improve efficiencies and profits. Yet, since the onset of coronavirus, social distancing directives have accelerated the use of automation in a majority of industries, helping to keep both workers and consumers safe while enabling companies to continue manufacturing, processing, and delivering. Automation forces a re-examination of long-held firm principles or beliefs about where to conduct work and the ecosystems that support those activities. Automation can help spot attacks before they begin and save IT staff members’ time, enabling them to focus on other tasks. However, the potential downside of automation is that a one-size-fits-all approach to cyber security crowds out human judgment and control.
“We are using artificial intelligence, machine learning, RPA and IoT to automate processes to gain insights and deliver new products and services. Yet for us, cyber risk management professionals, these emerging technologies pose multiple challenges by increasing our attack surfaces and forcing us to need new compliance and requirements.” – Elizabeth Sampson, SVP and Chief Information Officer, TerraForm Power.
For hospitals, changing and evolving the delivery of care is under the spotlight. The caregivers are changing and striving to use alternative tools that had not previously been allowed per security policies, forcing cybersecurity teams to quickly review their controls and their regulatory capabilities to detect, protect, and respond. One of the lessons learned was that many of these processes and technologies that were changing needed to be documented. CISOs in healthcare recognize that at the end of the COVID-19 pandemic, they will need to return to more standard care processes. To maintain this transition in their risk governance and compliance area, healthcare CISOs can begin a “COVID-19 risk register” section to track all of the changed processes, tools, and technologies where they can document what was changed and why, and what controls were put in place as a response. This special risk register can serve as a timeline for teams to go back and figure out the deltas, and bring back the infrastructure to what can become more appropriate compliant tools and processes.
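One way to keep the “COVID-19 risk register” section described above, as an added example that is neither MetricStream’s product code nor anything from the organizations quoted on this page. The `CovidRiskRegister` and `ChangeEntry` names, the field layout and every sample entry are constructed for illustration. Each entry records the compliant baseline, the temporary state, the rationale and the compensating controls, and the register reports the open deltas (what still has to be brought back to baseline) in timeline order, flagging deviations that were never given a compensating control.

```python
"""Minimal risk-register section for pandemic-era deviations.

Added example, not MetricStream's or any quoted organization's code.
All names, fields and sample entries below are constructed for illustration.
Dates are ISO-8601 strings so that sorting by date is plain string sorting.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


def _check_iso_date(value: str) -> None:
    """Reject malformed dates at the point of entry rather than at reporting time."""
    date.fromisoformat(value)  # raises ValueError on bad input


@dataclass
class ChangeEntry:
    """One temporarily changed process, tool or technology (hypothetical schema)."""
    entry_id: str
    changed_on: str          # ISO date the deviation was introduced
    category: str            # "process" | "tool" | "technology"
    baseline: str            # the pre-pandemic, policy-compliant state
    temporary_state: str     # what was put in place instead
    rationale: str           # why the deviation was accepted
    compensating_controls: List[str] = field(default_factory=list)
    reverted_on: Optional[str] = None  # ISO date the baseline was restored

    @property
    def is_open(self) -> bool:
        return self.reverted_on is None


class CovidRiskRegister:
    """Tracks deviations so a team can later compute the delta back to baseline."""

    def __init__(self) -> None:
        self._entries: List[ChangeEntry] = []

    def record(self, entry: ChangeEntry) -> None:
        _check_iso_date(entry.changed_on)
        if any(e.entry_id == entry.entry_id for e in self._entries):
            raise ValueError(f"duplicate entry id {entry.entry_id}")
        self._entries.append(entry)

    def mark_reverted(self, entry_id: str, when: str) -> None:
        """Close an entry once the compliant baseline has been restored."""
        _check_iso_date(when)
        for e in self._entries:
            if e.entry_id == entry_id:
                if not e.is_open:
                    raise ValueError(f"{entry_id} already reverted")
                e.reverted_on = when
                return
        raise KeyError(entry_id)

    def timeline(self) -> List[ChangeEntry]:
        """All entries in the order the changes were made."""
        return sorted(self._entries, key=lambda e: e.changed_on)

    def open_deltas(self, category: Optional[str] = None) -> List[ChangeEntry]:
        """Entries still deviating from baseline: the work left to return."""
        return [e for e in self.timeline()
                if e.is_open and (category is None or e.category == category)]

    def uncontrolled(self) -> List[ChangeEntry]:
        """Open deviations with no compensating control documented; review these first."""
        return [e for e in self.open_deltas() if not e.compensating_controls]


def build_sample_register() -> CovidRiskRegister:
    """Constructed sample data; none of it describes a real organization."""
    reg = CovidRiskRegister()
    reg.record(ChangeEntry(
        "CR-001", "2020-03-16", "tool",
        baseline="Clinician messaging only via the approved secure-messaging tool",
        temporary_state="Consumer video-conferencing app allowed for tele-visits",
        rationale="Enable remote care delivery during lockdown",
        compensating_controls=["No patient data stored in the app", "MFA on accounts"]))
    reg.record(ChangeEntry(
        "CR-002", "2020-03-20", "technology",
        baseline="VPN access from managed devices only",
        temporary_state="VPN access from personal devices permitted",
        rationale="Not enough managed laptops for remote staff",
        compensating_controls=["Endpoint posture check", "Split tunnelling disabled"]))
    reg.record(ChangeEntry(
        "CR-003", "2020-04-02", "process",
        baseline="Change advisory board review before firewall rule changes",
        temporary_state="Emergency rule changes approved by the on-call lead only",
        rationale="Daily capacity expansion of the remote-access perimeter"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for entry in register.open_deltas():
        flag = "" if entry.compensating_controls else "  [NO COMPENSATING CONTROL]"
        print(f"{entry.changed_on} {entry.entry_id} {entry.category}: "
              f"{entry.temporary_state} -> back to: {entry.baseline}{flag}")
```

The `open_deltas` report is what a team would walk through when standard care processes resume; `uncontrolled` gives the subset to review first, since those deviations were accepted without any documented control offsetting the added risk.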
“We began the processes to transform care several years ago so 70 percent of our clinicians have the ability to deliver care from home. But to deliver at 100 percent of the time stretched the perimeters of firewalls.” – Karl West, Chief Information Security Officer, Intermountain Healthcare.
With an understanding of their individual risk tolerance, organizations can prioritize cyber security activities, enabling them to make informed decisions about cyber security expenditures. Implementing a risk management program gives organizations the ability to quantify and communicate adjustments to their cyber security programs. Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services. Cyber security frameworks like the NIST Cybersecurity Framework use risk management processes to enable organizations to inform and prioritize decisions regarding cyber security. Cyber risk teams can manage their cyber risk and compliance with the MetricStream Cybersecurity Management Solution, and build a cadence of recurring risk assessments and validation of business drivers to help organizations select target states for cyber security activities that reflect desired outcomes.
Effective cyber security is about constantly assessing risks and taking appropriate steps to mitigate those threats. It’s about working with the right people, using the right products, taking advantage of the appropriate technology and implementing (and adhering to) the correct policies. By keeping these in mind, and cyber security in focus, you can be in a better position to protect your critical site and its assets. To achieve cyber resilience today, enterprises need a proactive and continuous approach to cyber risk management. It means embedding risk management across business processes and across external organizations to make customers, partners and third-party vendors full-time stakeholders in cyber resilience.
Hrishikesh Choudhari (Rishi) is an Architect at MetricStream's Solution Engineering group.