During a recent ThreatConnect Podcast, Tim Grieveson, Chief Information Security Officer (CISO) at AVEVA, gave his insights and thoughts on cyber risk management issues facing our nation’s critical infrastructures.
The recent surge in cyberattacks targeting critical infrastructure companies demonstrates the urgent need for critical infrastructure owners and operators to adopt a risk-led cybersecurity program. It is becoming clearer by the day that these major firms are not having the proper risk conversations between their cybersecurity experts and the business executives.
ThreatConnect: What is your view of what’s happening in critical infrastructure sectors today? Do you think that they are adequately quantifying their risk and focusing their resources, being able to prioritize what risks matter most to those infrastructures?
Tim Grieveson: No, and I don’t think that it is just critical national infrastructure. I think it’s IT in general. So one of the things that I’m really keen to do is think about our posture, and think of it very much like our credit score. You’d be very disappointed if your credit score was affected; think of your cyber hygiene in the same way, and use the data that you have to quantify the risk burn-down. What are the things that I can put in place to materially change my risk posture over time? You clearly can’t do everything, because you do have a tsunami of vulnerabilities coming at you. But are there things that you can do in the short, medium, and long term? Can you move your people around to work and think differently? So IT is very, very good at availability, very good at capacity.
It’s often not as good at how to do things in a secure and controlled manner. But I also think that it’s really important to focus not just on the policies and the processes, but actually on the people element: making sure that the people have the appropriate skills. It’s about learning from those mistakes. It’s about using the data that you have to then reprioritize, but delivering business outcomes rather than delivering for IT’s sake. I often see security people talking about speeds and feeds and widgets, but actually, the business doesn’t necessarily understand that. They want to know about EBIT, about the brand, and about risk.
So using your external posture, the feedback that you have from your telemetry, and the information that you have on your cloud, on your digital solutions, and on your applications to converge a view of your organization, and then using that to prioritize the things that you can materially change and impact quicker, is where you should be focusing. So vulnerability management is absolutely key. Understand the vulnerabilities that you have, but don’t chase all of them. Chase the ones that are actually exploitable today, because otherwise we’re often going to be chasing shadows. If it’s not being exploited today, that doesn’t mean it won’t be, but focus on the things that are actively being exploited now. And then move your way through the others to eventually get to a posture that is an acceptable risk to your business.
Security shouldn’t be an afterthought. It should be an expectation. It should be baked into what we do, and citizens expect it. They’re becoming much more highly aware. The media has done a really good job of talking about the bad actors and the bad stuff. We as a security practice should do a much better job of sharing our knowledge like the bad actors do.
And from a security standpoint, I’m seeing the wrong training occurring. We’re seeing people being trained in reactiveness. And if you remember earlier when I talked about being more proactive, we should make the assumption that the compromise has already occurred, and actually start threat hunting, looking for those threats. So it’s about training the IT and the business colleagues.
ThreatConnect: So from your perspective, what have been some of the pitfalls or challenges that critical infrastructures have failed to address in the past decade or so?
Tim Grieveson: I think one of the challenges is that in order for security to be effective, it really needs to encompass the entire company. So security policies must be proactive and holistic across the entire organization. But at the same time, I think there needs to be a balance between identification and mitigation of risk and enabling new business.
We tend to go very strongly into building new business faster, smarter, cheaper, but often we forget about building and baking that security in. So I think one of the key areas that has been missed is the engineering function. It’s vital that an organization’s security approach be a cultural and organizational shift.
There’s a tsunami of bad actors out there who are commoditizing and trying to attack our organizations and our infrastructure for political gain, for monetary gain, and if we don’t look at IT and OT holistically, we’re really missing the gap. So for me, it’s making sure that we change the ecosystem and the culture, but also making sure that we get the right best of breed partners involved.
ThreatConnect: What is different about critical infrastructure companies as opposed to your typical technology enterprise today? Do they have any challenges in terms of modernizing and ensuring that state-of-the-art security is built into their processes?
Tim Grieveson: For an enterprise that’s moving at a vast pace, it’s much easier to build and bake security in, but if we look at it differently and actually go back to the basics: what about training? Have we got the right people thinking in a secure manner? Have we got the right technology streams? Are we baking security into the design? IoT systems in critical national infrastructure always require maintenance. Why don’t we build maintenance and security into the same pot? So that when you’re replacing a piece of equipment, you actually put in a new piece of equipment that is secure by design, rather than trying to bolt it on afterwards.
Unless we really think about building security into the way that we operate and really challenging the vendors, nothing will change. They will continue to provide things faster, smarter, cheaper, always connected. And critical national infrastructure can’t afford to have a failure.
ThreatConnect: What advice would you have for critical infrastructure owner-operators as these industries look to upgrade and modernize their facilities from a security perspective? What should they be looking out for when adding automation and other digital modernization initiatives?
Tim Grieveson: I think the thing they should look out for is security by design; security by itself should be an expectation. But also look at what things we actually need to connect. There’s a drive to make everything connected and everything monitored and everything viewed, but is that actually appropriate?
As they modernize, I think it should be behavioral. So instead of it being “something has broken,” it should actually be: have we seen an increase in the data? Is it showing some peaks and some spikes that we haven’t seen before? Have we seen a different destination point? Have we seen information being collected that wasn’t normally collected? So it’s being proactive rather than reactive. I think it’s making sure that the devices are appropriate to connect. And I think the big thing is that cultural perspective. The organizations you do business with have to be organizations that really take security into account.
Hear more from Tim Grieveson and two other world-class experts who spoke with us about cyber risk management and critical infrastructure in our most recent ThreatConnect Podcast episode, “Mitigating Cyber Risk In Critical Infrastructure”.