In late July, the U.S. Department of Homeland Security announced the establishment of a new National Risk Management Center to “provide a centralized home for collaborative, sector-specific and cross-sector risk management efforts to better protect critical infrastructure.” The announcement underscores the need for greater focus and attention on disciplined risk management in defending critical infrastructure against an increasingly adaptive set of security threats.
Coincidentally, this year marks the twentieth anniversary of Presidential Decision Directive 63 (PDD-63), the foundational executive branch guidance document on securing critical infrastructure. In a hopeful spirit, PDD-63 provided in part that “no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation's critical infrastructures from intentional acts that would significantly diminish the abilities of … the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.”
And significant thought and investment has taken place since 1998 on how to secure critical infrastructure. As early as 1999, the Gramm–Leach–Bliley Act defined security expectations for protecting consumer banking information, and afforded banking regulators enforcement options if financial institutions do not establish and maintain adequate information security programs. That same year, the Financial Services Information Sharing and Analysis Center was founded. By 2009, the SANS Institute, working with the National Security Agency and NIST, identified an offense-informed-defense list of 20 Critical Security Controls for Effective Cyber Defense based on insights from actual attacks. In 2014, NIST released its Framework for Improving Critical Infrastructure Cybersecurity.
And yet, two decades later, despite significant policy attention, critical infrastructure risk has only grown. Last year, a number of major global companies were impacted by notPetya, a ransomware campaign that originated in Ukraine in June 2017 and has since been attributed to Russia. Companies impacted by notPetya included pharmaceutical giant Merck, FedEx and Danish shipping giant Maersk – each to the tune of hundreds of millions of dollars.
Today, senior executives across all industries are asking questions along the lines of: “I see peer organizations with seemingly well-resourced and audited programs experiencing significant security incidents. What’s going wrong there, and what should I do to stop the same thing from happening to me? How do I know if I have an effective security program?”
Understanding effectiveness can be elusive, but it starts with a continuous cycle of enterprise-level security assessment, mitigation and monitoring of security risks. Put another way, an effective security risk management strategy should, at a high level, (a) identify key risks (particularly to high-value assets) based on threat, vulnerability and potential consequence, (b) ensure that risk-based countermeasures – including people, process and technology – are designed and implemented to address those risks, and (c) measure and report on the effectiveness of these countermeasures. These basic principles are embodied in successive versions of the National Infrastructure Protection Plan, the National Preparedness Goal, NIST Risk Management Framework and the NIST Cybersecurity Framework.
Put another way, there is no shortage of guidance on how best to manage cyber risk, and yet many organizations struggle with both how to prioritize in the context of limited resources and changing risks, and how to measure progress. As clients build security risk management programs, we have found they trip up in six key areas:
- Limitations in understanding inherent risk (and its adaptive nature)
- Challenges in planning and preparedness
- Operational overwhelm (i.e. large numbers of false positives)
- Unaccounted-for IT dependencies in the program
- Lack of business stakeholder alignment in program execution
- Lack of transparency on whether controls are working effectively
Addressing these pitfalls early helps build an effective security program.
- Understanding Inherent Risk
A starting point for managing security risk is understanding business complexity, and how an organization’s business model aligns to threat actor capabilities and intent. In other words, security programs must factor the changing nature of inherent risk – i.e. adaptations in business strategy, technology architecture, threat, customer expectations and regulatory mandates – into their planning on a recurrent basis.
- Business & Technology Complexity. New product offerings, entry into new markets as well as merger and acquisition activity all entail risk implications for security programs, as do changes in foundational mechanisms for conducting business (e.g., evolving payments mechanisms). It is vital that businesses have a process in place to assess risks associated with any major technology adaptation or change – such as cloud adoption. In fact, the Uber breach disclosed last year highlights this risk. In 2016, external intruders obtained unauthorized access to personal information for 57 million Uber customers around the world, but they did so without ever breaching Uber’s corporate systems or infrastructure. Rather, they found a credential “contained within code on a private repository for Uber engineers on GitHub” (a cloud-site that allows people to collaborate on code) and used that credential to “obtain access to certain archived copies of Uber databases and files located on Uber’s private cloud data storage environment on Amazon Web Services” (another cloud site).
- Threat. Likewise, threat assessment is a foundational aspect of risk management – i.e. how to categorize business assets from the perspective of target attractiveness to an adversary. As part of this analysis, organizations must increasingly consider not just their own critical data and processes, but also related technologies (e.g., websites, email, software code) that an adversary could use as a stepping stone to the organization’s customers. Indeed, a key focus area for the Department of Homeland Security’s new National Risk Management Center will be to focus attention on underlying systems on which many sectors rely.
For example, U.S. government reporting has highlighted how state actors are targeting “multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” by first compromising staging targets (i.e. peripheral organizations such as trusted third-party suppliers with less secure networks). The threat actors used the staging targets’ networks “as pivot points and malware repositories when targeting their final intended victims.”
As seen during the 2017 notPetya attacks, adversaries are using third-party software as a viable entry vector to deploy malware on targeted systems because security controls can be bypassed through the subversion of trusted third-party software. Malicious actors were able to infiltrate at the source of a supply chain, compromise the third-party software in question, and then leverage this compromise to inject malware into victim computer systems (via a built-in auto-update process), which then spread laterally through those systems. It is thus critical that organizations achieve strong visibility and management over software being developed, used and shared inside their IT environments and with customers. Changing customer and regulatory drivers (e.g., European Union General Data Protection Regulation breach reporting timelines) also merit careful and continuous consideration.
- Planning Process
Even where inherent risk is identified, programs may not succeed in prioritizing risk reduction capabilities appropriately. Ineffective implementation sequencing can result in missed opportunities and meager security returns.
- Threat Pathways Analysis. Best practice for security planning depends in part on the implementation of a “threat pathways” planning approach. Using this approach, organizations can map out the lifecycle of an attack and align countermeasures to detect and block as early on in the lifecycle as possible. This approach was embodied in a “kill chain” approach articulated by Lockheed Martin a decade ago. More recently, the MITRE Corporation has significantly built out this approach through the MITRE ATT&CK model.
- Insider Risk. Ideally, security planning should not just reflect threats from external actors but also address insider threats. Failure to identify and mitigate insider risk can have significant consequences for an organization’s customers, employees, business operations, legal exposure, reputation and bottom line. Moreover, security programs in many organizations are often bifurcated between physical and information assets rather than organized around the threat. These stovepipes can obscure the detection of potentially important insider risk indicators. Likewise, insider threats by definition involve some level of authorized access. Detecting the misuse of authorized access involves a more nuanced capability set than detecting bright-line cases of unauthorized access, and thus requires focused planning.
- Resiliency. Since there is no such thing as risk elimination, resiliency (the ability to withstand and recover from an attack) becomes critical. Therefore, it is imperative for management to have a firm view and understanding of the effectiveness of its preparedness, response and recovery capabilities, for two reasons. First, being prepared helps limit the extent of actual harm to the company – consider how ransomware can cause massive damage if not rapidly contained.
Second, management’s ability to effectively manage a crisis – cyber or otherwise – serves as a proxy for its broader management capabilities and thus can influence a brand’s reputation. Years ago, in its 2012 Reputation Review Report, Oxford Metrica analyzed long-term market value impacts of major corporate crises (cyber and non-cyber) and found that “[a]t times of crisis, substantially more information is forthcoming on a company and, in particular, on its management, than is usually available. This new information is used by investors and other stakeholders to re-assess their expectations of future behavior and performance.” The report went on to conclude: “It is in the first few days following an event that the market makes its judgement on whether a company is going to emerge as a Winner or a Loser.”
In addition to the above factors, four other issues often trip up organizations:
- Operational Overwhelm
As operational capabilities to defend the organization are implemented, these capabilities can quickly become overwhelmed by the sheer volume of data on potential threats and vulnerabilities. Effective use of these tools is heavily dependent on risk-based prioritization – e.g., based both on the inherent risk of the asset in question and severity of threat.
- Technology Dependencies
Cutting-edge security tools are of limited use without increasing maturity in management of the underlying technology environment. Conversely, effective technology management can meaningfully reduce operational alerting through (1) security-conscious development processes, (2) strong visibility into devices, code and accounts active inside the organization’s technology environment, as well as (3) compliance with secure baseline standards.
- Stakeholder Alignment
Business leaders play a key role in advancing a security program. IT organizations often depend on line-of-business leaders to provide necessary funding and to address customer-related impacts associated with new security controls. It is thus critical that line-of-business leaders understand security risks and build both those risks and the resources needed to address them into their business plans. Business leaders also need to be prepared for their crucial role when addressing customers and the general public during a crisis situation.
Indeed, major 2017 cyber incidents not only caused operational disruption, but also led to customer flight. Equifax’s 2017 earnings report noted that: “Certain of our customers have determined to defer or cancel new contracts or projects and others could consider such actions unless and until we can provide assurances regarding our ability to prevent unauthorized access to our systems and the data we maintain.”
Thus, to be successful, a security program should – as a foundational matter – articulate how it protects the customer against adaptive threats. This articulation represents a key opportunity for senior management and the board to align business, security and technology executives on the vision for the enterprise-wide security program.
- Monitoring for Effectiveness
Controls without meaningful evaluation can decay over time, all the while affording a false sense of security. Likewise, a program must ultimately be measurable in some form to be managed. And yet such metrics can be confusing to management (e.g., what are the latest vulnerability management statistics telling us about our residual risk?). In our experience, it can be helpful to view programs through several lenses, including basic levels of visibility, risk-based hardening and vulnerability management trends, effectiveness against defined threat tactics, techniques and procedures, and business-centric security maturity.
Engagement with the U.S. Government
These factors all suggest the need for more active private sector engagement in defining how the U.S. government will support and defend the private sector. Of the above-cited private sector examples, all but one (Uber) have been either explicitly (Merck, FedEx) or implicitly (Equifax) tied to a hostile state actor. The U.S. Director of National Intelligence’s 2018 Annual Worldwide Threat Assessment recently warned that “[t]he risk is growing that some adversaries will conduct cyber-attacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war.” Moreover, the notPetya attack reportedly leveraged exploits used for offensive purposes by the U.S. National Security Agency that subsequently leaked.
It’s tempting to say that defenses against state actors should simply be left to the U.S. government, but this ignores the very real operational business disruption that can occur in these attacks. We have seen a similar dynamic in the context of terrorism, whereby airlines, entertainment companies and other private-sector firms are basically pawns targeted by terrorist groups to achieve geopolitical objectives.
There are several steps the U.S. government can take, perhaps in part through the auspices of the Department of Homeland Security’s Risk Management Center, including timely sharing of actionable threat information, more actively disclosing vulnerabilities, advancing research and development efforts and imposing meaningful consequences on those actors to whom it can attribute malicious cyber activity.
Moreover, while there is no such thing as risk elimination, the federal government can provide incentives to bolster defenses. One such incentive is the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, which was passed by Congress to encourage the development of anti-terrorism “technologies” — this term has been interpreted to include products, services and programs — by limiting liability related to the deployment of capabilities that could pass a meaningful government vetting process. The SAFETY Act vetting process at the Department of Homeland Security is real: applicants must prove to the SAFETY Act office that the security capability in question offers substantial utility and effectiveness and is immediately available for use, among other factors.
Over the years, proposals have been made to extend the SAFETY Act beyond terrorism to cyber incidents, most recently by Sen. Steve Daines (R-Mont.). We need investment from private-sector organizations in defending their own systems against these sorts of attacks. Amending the SAFETY Act to cover state actor-initiated cyber attacks would be a key mechanism for incentivizing that investment.
Notwithstanding a rapidly increasing level of business, technology, threat and regulatory complexity, building an effective security program is both possible and necessary. Doing so requires continuous, disciplined private sector planning, enterprise-level alignment and focused effectiveness monitoring. Given the nature of the threat facing critical infrastructure, it is also imperative that the U.S. government provide meaningful capabilities and incentives to support private sector security risk management.
Notes
- Likewise, in the physical security domain, the benefits of globalization of travel, finance and communications also armed terrorist organizations with a more global reach for recruitment, financing and the operationalization of actual attacks.
- See Testimony of John Flynn, Chief Information Security Officer, Uber Technologies, Inc., Senate Commerce Committee, Feb. 8, 2018, available at https://www.commerce.senate.gov/public/_cache/files/7d70e53e-73e9-4336-a100-67b233084f12/75728554E990488D71625DFA69B05494.uber---john-flynn---testimony.pdf
- See US-CERT Alert TA18-074A, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” March 15, 2018, available at https://www.us-cert.gov/ncas/alerts/TA18-074A
- Four key factors inform security planning priorities: (1) actual risk reduction value, (2) ease of implementation, (3) efficiency gains, and (4) regulatory/legal drivers.
About the author: Adam Isles is a Principal with The Chertoff Group, a Washington D.C.-based risk consulting firm. Isles leads and manages security risk management engagements and oversees development of the firm's security risk management methodology.