August 10, 2021
By Nir Sasson, Network Security Consultant, Avnet, a Rockwell Automation company
In cyber risk management, there are two important corner stones:
- 1. To conceive the scenarios.
- 2. To find a way to minimize the damage in each scenario.
When no one thinks to plan for what to do in the worst-case scenario, trouble strikes. What if you only think of avoiding the “unthinkable” and not what to do if it does happen?
I like to consider what happened to the Titanic.
Risk management is more than avoiding the worst
At the time of the Titanic, one would assume that avoiding a collision with an iceberg was the standard procedure. Therefore, the crew created scenarios and defensive measures were planned and implemented.
The ship’s captain followed the procedure: placed two skilled lookouts at the horizon to provide the expected 20 minutes warning. But, because of low visibility, they were only able to give a minute of warning. With so little time, the collision was unavoidable.
No one had prepared for this scenario. There was no “collision with an iceberg procedure,” only “avoid collision with iceberg procedure”. And so, the story goes; we all know what happened to the Titanic.
The power of risk mitigation
In cybersecurity risk management, the goal is to be prepared for the unthinkable scenario and find the optimal defense measure to minimize the damage. Essentially, to know what to do when you can’t avoid the iceberg.
Let’s look at an example. A cyberattack approaches the organizational IT/OT systems. The CISO faces a choice: repel the cyberattack or adopt a more elaborate way of managing the risk.
Step one is figuring out what we call the “starting conditions”. Can the attack be avoided? Or does it have to be mitigated?
Prevailing over cyberattacks requires intelligence methodologies of deception (heard of honeypots?) and many more. But maybe it is better to lure the cyberattack to “penetrate” the cyber perimeter defenses and let the attacker be deceived and think his attack commences as he planned. Then defend from inside the organization. In that case, it would be best to assume that the “starting condition” is that the attack is inevitable – the attacker is getting through the firewall.
In this case, it would be best to perform the procedure planned for mitigation, not avoidance. Let the cyberattack commence and try to minimize the impact.
It is not a trivial way of thinking. The initial instinct is to make it stop, especially if your whole business is on the line. That is why it is so important to have a risk management expert or team experienced in mapping out scenarios and next steps. This requires people who can think on the fly, ask the right questions and problem solve.
Given the vastness of today’s threat landscape, no single security product, technology or methodology will suffice at blocking the unthinkable from happening.
A security assessment should be the starting point for any security policy implementation. It will help you understand your current security posture regarding your software, networks, control system, policies, procedures and employee behaviors. It also will identify the mitigation techniques needed to bring your operation to an acceptable risk state.
Rockwell Automation works with companies to provide the expertise and skills needed to identify cybersecurity risks.