One other area where critical infrastructure companies can gather information they can use to convince senior executives to authorize the implementation of cybersecurity defenses is to examine real-world industrial incidents/accidents, and see if they can extrapolate a purely cyber scenario that results in the same consequences. For instance, most industrial accidents involve three legs, including a physical issue/problem, some form of human error, and a cyber issue, such as a cyber system not running, a cyber system running but on incorrect data, or a malicious cyber attack, which are currently rare.
For some industrial accidents, it is quite simple to extrapolate to a purely cyber vector to cause the same consequences as the original accident. However, this is normally done by considering two main assumptions. The first is that an electronic pathway exists from the targeted control system to the outside world. A disgruntled insider needs to be considered as well. The second assumption is that this electronic pathway is exploitable, and the likelihood of this is very high. You could simply assume a supply chain issue that allowed the adversary to implant his malicious access at an earlier stage.
I believe that by undertaking the above three efforts, any critical infrastructure company will have developed/acquired enough information to convince its senior executives that cybersecurity defenses must be implemented to ensure that the company can continue to carry out its mission safely, reliably and securely without needing tactical cyber threat information from the government before they are persuaded to act to adequately secure their control systems.
There is one arena where tactical actionable cyber threat information of a potential attack is needed prior to making decisions to implement basic cyber defense mechanisms. Mechanisms must be developed and deployed that allow information to be shared when an attack is occurring, which will allow companies not under attack to ramp up their defenses to prevent the current attack from succeeding. This assumes, however, that the companies have already implemented cybersecurity defense measures and have developed the plans and procedures to rapidly increase their cybersecurity defense posture.
Critical infrastructure companies should not depend on tactical cyber-threat information to deploy cybersecurity defense. Instead, they should consider that the cyber threat is "1," and focus on understanding their vulnerabilities and the consequences of a successful exploitation of them. Waiting for tactical cyber-threat information could delay them from examining their systems from a mission perspective and implementing appropriate defenses. The discussions concerning tactical cyber threats and the resulting expectations (and need for clearances for industry personnel) are primarily a distraction, and are being used to justify a lack of action for implementing cyber defenses. The government and the critical infrastructures need to get past this self-imposed roadblock.
Michael Peters is an energy infrastructure and cybersecurity advisor for the Federal Energy Regulatory Commission's Office of Electric Reliability. He specializes in analyzing cybersecurity issues, including those affecting control systems. This article is personal opinion and does not represent the opinion or position of the Federal Energy Regulatory Commission or the federal government.