With all the emphasis on cybersecurity frameworks over the last couple years, it probably shouldn’t surprise anyone that a lot of organizations find themselves working off checklists of cybersecurity controls that they assume will give them better security. What is often missed is that these controls need to work together as an integrated system. For thousands of years, we’ve understood this in the realm of physical security. From the most ancient castles, security was built to initially keep intruders from entering using some sort of barrier like a lock or a moat. However, castles were also built with high towers with sentries posted around the clock to see the enemy coming because we knew that simple barriers would never be enough for a determined adversary. Finally, armies were at the ready to repel invaders if the sentries determined that the barriers would not be sufficient. Even today for most basic security for our homes, we understand the difference between a basic control and a security system. If we asked a builder for a security system and his response was that there were locks on the doors, we wouldn’t be satisfied. Most of us know that when we say security system, it means a combination of controls working together. At minimum, we would expect locks, sensors on all exterior doors and first floor windows connected to a central panel with an audio alarm, and the ability to automatically notify a watch center operating at all times that could notify us and/or the police to respond.
So, why don’t we expect that for cybersecurity within large companies with a lot more assets at stake? Well, the simple answer is that there is a lot more to protect. However, nearly every computer has tons of preventive controls built in and the ability to log hundreds of security events and even forward those events to a centralized source with little effort. Moreover, nearly every corporate desktop and laptop computer has some anti-virus protection that can also alert a centralized source. Yet many never use those features. It’s the equivalent of saying that if someone is breaking in through the front door, it’s the front door’s problem. Neither the homeowner nor the police need to know about it. And while a human being may be sitting in front of most computers, end users are often in no better position to diagnose and report security problems than front doors.
In the area of critical infrastructure the problem is often worse, as everything seems as though it’s a one-off. There is often little centralized oversight, either because control networks are isolated or the organization is isolated. While air gaps and firewalls can be good, their value diminishes significantly if no one is watching. Moreover, control systems often are the province of control system vendors who often don’t know or don’t care what the rest of the network looks like. That ends up being a recipe for finger pointing and weaker security. That’s why a holistic view is needed. While control system vendors can support their piece, more effort needs to be made to aggregate the data across both the control networks and the enterprise. Control networks are predictable and usually lower volume, making detection of anomalies and potential security risks an easier job. Enterprise networks are noisy, unpredictable and often overwhelming, but we often have more mature tools to work with. Together we can reduce those risks.
So the next time you deploy a new server, security device, process controller, or even desktop, ask whether the security on the device can work with your existing security ecosystem to forward security events to a central source that is capable of effectively analyzing that event and triggering the appropriate response. It may not be as simple as adding a sensor to the front door, but it will get your organization thinking in the right direction.