Pressure On CISOs Coming From The Top
In response to growing threats and the recent large-scale breaches, company boards are going to drive the need to elevate the CISO role. Over the last few years, there has been an elevated awareness among the media and executives about malware and ransomware incidents that have brought companies to their knees. Boards at critical infrastructure industry providers see the brand and cost impacts of these events and are pushing forward the need for an information security leader with strong decision-making authority. It pushes CISOs to stay on top of the latest threats while maintaining an agile and robust security strategy that aligns with the business’ revenue and growth targets.
There’s also a shift in reporting structures, with the CISO moving out from under the CIO or the COO. In the future, they’ll report to the CEO, CFO or the board of directors. CISOs need fluency in the current threats. If they have board reporting responsibilities, they need a security strategy that demonstrates how the cybersecurity program is both critical-function aware and threat aware. CISOs need to shift the typical model from focusing only on risks and vulnerabilities to a broader track in which they understand which business functions are critical. A 2021 Gartner report supports the high-level attention on cybersecurity, stating, “By 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today.”
Increase In Skilled Adversary Attacks And Nation-State Involvement
Over the past decade, there’s been an increase in cyber-sabotage against critical infrastructure and companies’ critical functions. These attacks come from both nation-state actors and nonstate actors. Nation-state actors seek to advance geopolitical aims and cause disruption, and they avoid attribution whenever possible to disguise their efforts. Nonstate actors often seek notoriety for their exploits as well as monetary gain. Together, these two groups form an ecosystem of brokers that provide information, access and financial channels to those who are willing to pay.
These cyberthreats will continue into 2022. Another factor driving such attacks on critical infrastructure is that many more nation-states are poised to ramp up their activities. Adversarial nations see that Russia is a “safe harbor” for ransomware attacks, and countries like North Korea, China and Iran, observing this dynamic, will expand their ransomware and malware efforts in the coming years.
For a real-world example, the last few years have seen malware like Petya and NotPetya, which had catastrophic consequences for critical infrastructure companies like Maersk. These types of malware and ransomware have also been linked to infamous attacks.
A significant portion of these attacks come from Russia, whether they are considered direct acts of the state or whether they are state-sponsored through various affiliates.
This presents a considerable challenge for cybersecurity service providers, especially as other nation-states like China, Iran and North Korea emulate Russia’s approach. On the protection side, we’ll have to perform attribution wherever there are enough signatures and signals to allow cybersecurity teams to pinpoint where the attacks come from.
An Evolution Toward Mitigation
The global cybersecurity talent shortage reached an estimated 3.5 million workers in 2021, and the shortage of skilled practitioners presents an extraordinary risk for critical infrastructure organizations. It coincides with evolving threats that damage private industries and the U.S. economy. To combat these threats, organizations in 2022 and beyond will prioritize cybersecurity as a core principle. Firms need robust awareness training to close off human-based entry points, along with a broader evolution of cybersecurity capabilities that outpaces that of the threat actors. This isn’t happening yet, and the gap is often widening because accelerating digitization increases the number of attack points and vulnerabilities. Meanwhile, the bad actors have ready access to qualified people and capital, as well as a steady supply of exploitable vulnerabilities.
It’s time for critical infrastructure providers and cybersecurity pros to recognize that the current methods aren’t working. They implement safeguards at every substation and plant, patch systems and perform other tasks continually. Despite these efforts, boards, CEOs and CISOs still see that a determined adversary can break a company’s defenses and hold it for ransom.
Consequence-driven, cyber-informed engineering, or CCE, developed by Idaho National Laboratory as a new approach, presents a different way to mitigate risk. It’s the approach taken by third-party firms, like 1898 & Co., that use strategies purpose-built for critical infrastructure. CCE requires accepting that attackers will succeed, especially when they’re determined and well-funded. It’s a philosophy that treats risk as inherent in human-developed systems, which always contain imperfections.
CCE builds roadblocks, so that if there are undetected vulnerabilities in a power company’s infrastructure, an attack won’t cause grid failure. CCE practitioners get organizations to think like their foes, to rank the most vital systems, and then to consider how those systems are best shielded from a hacker’s attack. While digitization offers value for customers and shareholders, it’s often carried out without cybersecurity considerations. CCE enables OT cybersecurity teams to prioritize consequences, collect data about system interdependencies, find the attack pathways that would achieve the highest impacts and then disrupt those paths where possible.
These trends all point to a broader need for an OT-centered approach, more resources directed toward cybersecurity, OT-focused managed services offerings and the usage of CCE to reshape threat recognition and mitigation.