A true cybersecurity assessment will let you know where your gaps are and prioritize how to remedy them with clear action points. Anything short of these three takeaways means you wasted your money. Don’t waste your money. Allow me to share insights I’ve gained from cyber assessments I’ve conducted over the past 30 years and especially more recently.
What are signs of good cyber posture and maturity level in utility companies?
When a CISO or CTO tells me they’re conducting frequent cyber assessments to maintain strong cyber sturdiness, invariably I ask, “How frequently?” If their answer is anything but “Every day,” then there is room for improvement.
Companies, especially in critical infrastructure, must have a tool in place to conduct continuous cyber assessments. A once-a-month assessment seems like a good frequency level. But a monthly report will only provide a snapshot risk assessment, and by the time the data is presented, it’s already history.
You need to be able to continuously follow internal and external changes to determine threats quickly and respond quickly. Do you have a tool in place to provide this?
What are the most common and consistent cyber security vulnerabilities?
From company to company, I consistently hear several cyber security vulnerabilities, and I’ll share one: unfamiliarity with all the data streams.
Data streams use communication paths using wireless, copper, and fiber to move information. Manual devices can also be part of the path. As data streams travel to their destination, they can pass various intermediate “stations.”
OT and IT systems are becoming increasingly complicated, heterogenous, and interconnected. This leads to endless variations and combinations of possible communication paths, or "stations," used by the data streams. In my experience, most companies are unaware of all the data streams running in their systems.
So what?
So approximately 97% of cyber attacks use data streams as the vehicle to penetrate and move laterally towards the desired attack target once inside the system. Hackers bank on using these uncontrolled, unprotected pathways to fulfill their mission. So it’s very important for critical infrastructure companies to plan, map, and continually monitor and control their company’s data streams. (We can help with all of this.)
Even siloed, isolated departments are not secure.
From time to time, a vendor of one of the components of the OT system needs to update its software or firmware. Even though the component is not connected to a communication network, the update is sent on a physical memory device and installed directly on the target component using a direct connection system. If any element or process in this data stream is not protected, it’s prone to be used by a hacker.
Here is another example. Let’s look at systems that run a power plant. Until recently, they were isolated from the outside world. Now there are procumers. These are people who produce and consume energy. If you install solar panels on your home, you are a procumer.
Procumers break the wall of isolation and add complexity to the once-controlled data streams hackers now use to complete their attacks.
By the time a monthly cyber assessment recognizes an intruder, it could be too late.
What are some often-overlooked penetration vectors?
External workers, cleaning crews and food suppliers (as well as general suppliers) often fly under the radar. While these helpful folks are welcome visitors inside an organization, this is what makes them dangerous. Hackers who do a bit of homework can use the cleaning person or a technician to penetrate systems from the inside. Like you’d expect to see in a movie!
Here is a true story. The air conditioning stopped working in a critical section of a power station (ironic enough). The employees were very happy when the HVAC technician arrived to fix the problem. The technician had a side job as a hacker, but nobody realized this. An employee escorted the technician/hacker to the air conditioning unit and let him go to work. Part of his “work” was transmitting data outside the power station.
Everybody needs to be aware because hackers will find ways to penetrate, sometimes through people we trust.
Will a monthly cyber assessment pick up this criminal activity? No.
Weed out Infighting
Some companies want to manage cybersecurity globally, but their IT and OT network teams at home might not be functioning as a single unit. Sometimes, these two teams may even work against each other!
More and more CISOs are heading both IT and OT teams, but even so, 80% of organizations are still siloed, and I think we need to foster IT-OT cooperation.
Cyber does not differentiate between your organizational structure. A hacker looks at your organization as a whole and will find any way to penetrate, whether it be through some farmer’s solar panel, the delivery person bringing lunch, or an HMI—they will exploit any opportunity to get what they want.
It seems a new best practice will be for one person to manage the OT-IT cyber defense, serving as head to both departments. In the meantime, this has to be monitored.
Customized Cyber Assessment
CybergymIEC’s Rapid Cyber Maturity Assessment (RCMA) enables you to do all of the above.
- RCMA is customized to your specific environment
- It helps you balance operational needs, risk, and cyber investments
- It analyzes select data according to hundreds of control indicators
- It alerts you to cyber gaps and how to remedy them with a prioritized remediation plan, recommending clear action points for you to implement
- Provides measurable KPIs and a tool for continuous monitoring
You might think to carry out a full, initial cyber assessment like this would take six months. We conduct the RCMA in 7-12 weeks. Your KPIs are based on industry best practices – including NIST, NERC, ISO, ANSI.
Learn more about our Rapid Cyber Maturity Assessment.