Many organizations are struggling with how to assess the broad set of risks stemming from cyber-attacks against the nation’s critical infrastructure. Roughly 85% of the critical infrastructure in the US is managed and operated by private organizations, and if ours is one of these firms you have the primary responsibility for assessing specific vulnerabilities and managing cybersecurity risk to your own networks.
However, public officials have a deep interest not only in the specific vulnerabilities and risk of particular entities, but also in how specific attacks on those organizations affect the movement of containers moving from railyards to ports, the movement of crude oil from field to refinery, or even how caustic chemicals are transported to manufacturers.
The US Department of Homeland Security (DHS) is tasked with assessing overall strategic risk. Each of the 16 critical infrastructures laid out in the related DHS directive presents a challenge to policymakers. They have to understand both the unique interdependencies of the infrastructures they are analyzing and the specific vulnerabilities and hacker-induced effects to the devices and networks in each organization in that system.
For example, the ground movement of containers from one part of the nation to another is a highly choreographed operation involving trucking companies, rail lines, and ocean-going vessels. The firms involved in these operations use their own networks and often interact with public networks to communicate and access shipping manifests at port terminals.
An analyst who wants to understand the inherent risk to container shipping would need to assess risk by accounting for the specific interdependencies of firms and their critical operations with one another. So, for example, if the control and management systems at a specific rail ramp were disrupted to the point where containers were unable to move, that would affect the logistic supply chain.
Typically, the risk assessment process is left to local operators, since they are the ones who deeply understand their networks and associated vulnerabilities. Yet while the direct effect of the hack is tied to that specific rail ramp operation, there exists a larger strategic effect on society—one that governments need to assess and manage.
The interdependencies of firms, with all their networks, processes, and vulnerabilities, mix together into a large, complex system. So how do you begin to think about creating an approach for assessing the strategic effect, and the likelihood of risk?
Here are three things your team needs to consider.
[ Understand what’s driving the next-generation SOC with TechBeacon’s guide. Plus: Download ESG’s report on the state of cloud-based security analytics and operations ]
1. Concern yourself with the most important hacks
While the media often highlight examples of cyber-attacks on a range of targets as growing evidence of the inherent strategic vulnerability hackers can create for countries, most attacks are more of a nuisance than a public concern.
For example, an SQL injection attack against a poorly defended customer database, while problematic, is not as criticl as an event that shuts down rail operations. If you are interested in assessing strategic cyber effects and risk of specific cyber-attacks against a critical sector, you should start with a more precise set of definitions of what the intended end effect will be on the target.
At the University of Maryland, my team has developed a taxonomy of end effects that facilitates risk assessment. It allows us to be more precise in our discussions surrounding the primary, secondary, and societal (second-order) impacts of cyber-attacks.
2. Understand the critical pieces of your infrastructure
You must understand both the specific cyber effects that are truly of strategic concern to the operation of critical infrastructure, and which devices and portions of networks support the firm’s operational functions.
Not all devices in a marine terminal’s operations are directly tied to the port’s operations. There might be human resources computers used to process payroll that, if impacted, would not directly stop the processing of containers into the yard.
For example, perhaps only 20 devices in a specific VLAN are directly tied to the ability of the fictional port terminal to ingest, process, and move containers from railcars to ocean-going vessels. If one of those devices is disrupted through, say, a ransomware attack, there might be an effect on the operations in the terminal.
3. Know your interdependencies
Finally, you need to understand in detail the interdependencies between firms that must work together. These dependencies need to be specific in regards both to the firms’ functions (e.g., rail ramp) and to its geography (e.g., Chambersburg, Virginia).
Draw and associate those interconnections with volumes; this allows you to understand both the importance of each organization in the system and the volume or product/service involving each entity in the sector.
You’ll then be able to answer important questions, including:
- If an attack takes down the operations of the rail ramp in Chambersburg, does that disrupt the flow other containers?
- If so, what percentage of all flows in the geography are affected?
Assess integrated risk intelligently
By associating the direct effects of a cyber-attack with your firm’s ability to conduct its essential operations, and how that effect cascades in you integrated system, you can begin to tie attacks on specific devices to their potentially larger effects.
I will be sharing more insights on this topic during my session, “Assessing Integrated Risk Intelligently,” at the Infosecurity ISACA North America Expo and Conference, to take place November 20-21, 2019, in New York.
[ Effective SecOps requires staying one step ahead. Get up to speed with this Webinar covering UEBA and MITRE ATT&CK ]