So what’s the path forward? As a former CISO in a critical infrastructure sector, I can offer a few things that help:
1. Lead by example. Whether a culture changes depends on the choices your organization's leadership makes, and the analogy to personal health holds. You can eat right, exercise and do the hard work in the right areas, and you will change your outcome by living a low-risk life. Or you can keep doing what you are doing, ignore the warning signs and roll the dice. The choice is yours: be a change agent or don't. IT and OT groups need to have a professional and frank conversation about doing what needs to be done to lower their shared risk.
2. Use an intelligence-driven defense. Intelligence helps you make decisions and take action; you cannot defend yourself properly unless you know what your risks are and which adversaries are actually targeting your sector. An intelligence-driven defense must be part of your enterprise risk program. It takes effort, but it is possible to stand up a capability in months, not years. The goal is to make yourself and your organization defensible against malicious actors, defensible in court, defensible under regulatory scrutiny and defensible for your brand, both personal and organizational.
3. Manage your vendors. IT, OT and organizational counsel need to have this conversation together. Vendors react to the marketplace, and if more ICS sectors begin placing sound cybersecurity contractual language in their solicitations, vendors will move in the right direction. Be prepared for the reality that your costs may go up, because you are asking them to do more. Either the vendor does the security work as a contract line item, or you do it yourself after delivery. The bottom line is that we are vulnerable, in part, because we deploy vulnerable systems. It’s time to start changing that outcome.
4. Compartmentalize. This takes a significant amount of effort, but it must be done. Any breach will be far less damaging if you separate your vital infrastructure from your non-vital infrastructure and remove the avenues of approach that attackers are actually using. In ICS, one option is the use of data diodes, hardware one-way links that let monitoring data flow out of the control network while leaving no path back in.
Intelligence lets ICS and critical infrastructure operators make decisions and take action, and it is the foundation of information that changes outcomes. In the case of the Ukrainian power grid attack, it could have spared a great many people the loss of something essential.