Modeling cyber-probes, -intrusions and -attacks can help users develop more effective defenses. However, they must include input from players, disciplines and departments on all sides to make them authentic enough to be useful.
“There’s lots of chatter about holistic cybersecurity, but the reality is most of these remain individual point solutions sold as a panacea. Firewalls, network segmentation, intrusion detection and certification, security information and event management (SIEM) and other components are continually rebranded (AI, anyone?). However, without context of the environment, they often fail to deliver on promised results” says Bryan Singer, principal director of Accenture’s cybersecurity resilience practice and leader of global operations technology (OT) incident response services on its Cyber Investigations and Forensic Response (CIFR) team. “The question ‘are we secure?’ comes up, usually in response to incidents in the news, and the answer nearly always is evaluated against benchmarks such as industry standards or ‘best’ practices. However, they usually can’t keep up with changes in the cybersecurity landscape, especially when they’re accelerated by geopolitical turmoil such as the wars in Ukraine or most recently in Israel and the Gaza Strip.”
To better cope with these and other shifts impacting cybersecurity, Singer reports that users need to model advanced persistent threats (APT) and tailor their responses. “This comes from testing and retesting to develop a dynamic risk posture, and then testing against an evolved threat-scape,” explains Singer. “There’s a fog of war around cybersecurity that doesn’t need to be there. It can be dispelled with the right people, processes and technologies, such as benchmarking people’s skills, and training them how to deal with recurrent threats. They should also be drilled using tabletop exercises, so they can practice their responses. In the same way, incident-response plans and procedures need to become part of each company’s business plan.”
Even more proactive than testing against possible cyber-threats, Singer adds that users can develop adversary simulations and participate in threat hunts. This involves examining known cyber-threats and actors, and devising responses to those specific profiles. “This is more than penetration testing,” says Singer. “A threat hunt uses the tactics, techniques and procedures (TRP) of known threat-actors to test cybersecurity controls and evaluate current architectures for indicators of compromise (IoC).”
OT and IT together—or else
Many updated tools can help with cybersecurity, such as Nozomi Networks’ modules and firmware and Claroty’s network detection software. However, Singer cautions they must be applied correctly and consistently, or users will be flying blind. Perhaps most importantly, Singer reports that effective cybersecurity depends on operations technology (OT) and information technology (IT) personnel working together to implement their security operations center (SoC).
“The number of cybersecurity issues in OT might not seem like a lot to IT, which is used to a higher rate of incidents with lower consequences for each,” explains Singer. “However, because risk still equals the likely rate of incidents occurring times their consequences and severity, IT must reimagine and rebalance this equation for OT, where the rate of incidents may be lower, but the consequences are far higher. This is difficult because the human brain is trained to ignore incidents that don’t happen as often, even if the results are more severe. This is why training and awareness are crucial, and it’s why companies and their managers must take them seriously before they experience an incident.”
Singer adds that one way to instill cybersecurity policies and procedures proactively is to move them into an organization’s dynamic test control process. For example, this would let users perform cyber-threat modeling and hunts using the same procedure for checking that sensors and other devices are installed and running properly. “This would allow users to take a closer look at their cybersecurity tools, avoid using buzzwords, and let OT and IT staffers in the SoC talk to each other,” adds Singer. “It would also let them train, drill and modernize their skills. Accenture can help users evaluate their skill levels, determine if they have enough people with the right capabilities, and get them to the next level.”