The severe shortage of appropriately skilled practitioners is presenting extraordinary risk as well as having debilitating effects on critical infrastructure organizations. Organizations continue to find that they cannot hire people to fill the roles they need to achieve the objectives they’ve set or that external agencies are asking them to implement. According to Cybersecurity Ventures, the single biggest barrier to OT cybersecurity is a lack of resources and talent. It is estimated that the talent gap stands at a 3.5-million-person shortage in 2021.
All the while, the consequences attributable to evolving threats continue to escalate to an all-time high. Attacks against FireEye, SolarWinds, the Oldsmar, Florida water facility, Colonial Pipeline, and JBS Foods, just to name a few, have had a devastating impact on both private companies and the broader U.S. economy.
The impacts of the Colonial Pipeline attack were felt across 17 states and Washington, D.C., all of which declared a state of emergency due to massive supply chain impacts. JBS Foods and Colonial Pipeline paid ransoms of $10 million USD and more than $4 million USD, respectively. There were long lines at the fuel pumps and closed service stations, and fuel costs soared for consumers all the way up the eastern seaboard. Particularly in the case of Colonial Pipeline, the ransom adversaries sought could have been significantly higher. At a typical daily throughput of 2.3 million barrels and an average price of roughly $70/barrel, the actual consequences of the Colonial Pipeline attack were far greater, likely approaching $1 billion after the pipeline was shut down for six days.
After witnessing a steady escalation of attacks by, among others, nation states over the last 12 months, it’s time that critical infrastructure companies realize:
A company’s defense is only as strong as its weakest link.
Critical infrastructure organizations must prioritize cybersecurity as a core business principle to protect their most critical assets and quickly fend off attacks that could cause devastating physical and financial losses. Organizations with heavily defended perimeters but porous insider protections are just as weak as an organization with some level of mitigations and controls. Minimal security awareness training for their workforce could easily lead to an entry point for would-be attackers. The bottom line is that an organization’s cybersecurity capabilities must grow and evolve at roughly the same rate as, if not a slightly higher rate than, those of the adversaries. At the moment, that is demonstrably not happening.
As a result of rapid and expansive digitalization, companies’ blind spots are increasing.
Company networks are more distributed and interconnected than ever before, leaving organizations to defend their assets in the dark. The reality is that adversaries are infinitely better resourced, both in numbers (human resources) and in capital ($), and there is a constant array of vulnerabilities for them to exploit.
Given this grim new reality, a decision point has arrived for critical infrastructure organizations.
How can we protect our most mission-critical assets?
For years, organizations have been told to implement safeguard after safeguard (all 20 of the SANS/CIS Top 20 Controls) at each factory, plant, or substation. Implement your patching regimes, and perform these tasks over and over and over, as close to flawlessly as possible. CISOs, CEOs, and boards are left questioning — how could it be that we implement all these safeguards, yet a skilled, determined, and resourceful adversary can still effectively bring the company to its knees? Several years ago, the Idaho National Labs (INL) began a mission to come up with an engineering discipline that is truly a novel approach, using engineering safeguards to compensate for potential cyber sabotage.
That approach is known as consequence-driven, cyber-informed engineering or CCE, and INL has been implementing this approach with strong results over the last few years, mostly across the public sector (US government). 1898 & Co. Security, a part of Burns & McDonnell, has licensed and been certified in the CCE approach. 1898 & Co. Security is now engaging both public and private sector clients, leveraging the 8,000-engineer Burns & McDonnell workforce at our back. Having spent the last 26 years in cybersecurity, the CCE approach is likely the most impactful approach I’ve seen to mitigate risk, and I highly recommend it for any critical infrastructure organization.
Is there a way we can access resources and expertise to further defend our systems?
For the reasons cited earlier, organizations are finding it increasingly difficult to retain their own cyber defense team, so many are looking to leverage trusted third-party firms for additional depth and breadth of coverage. For others, this even includes managed security services, such as 1898 & Co.’s Managed Threat Detection & Response, purpose-built by practitioners for critical infrastructure companies.
As organizations grapple with these decisions on where to place their bets to maximize risk reduction while optimizing capital spend, organizations like 1898 & Co. Security continue to grow exponentially to help critical infrastructure organizations mitigate risk and achieve their mission. We offer experienced practitioners, providing a range of services to meet clients where they are on their customer journey, and we uniquely offer the ability to leverage the novel approach developed by Idaho National Labs (INL) known as Consequence-driven, Cyber-informed Engineering or CCE, to counter cyber-sabotage and help companies protect what matters most.