When one hears the word “program”, it is often in the context of computer programs: a collection of coded instructions that a computer executes to perform specific tasks or actions.
From the earliest examples of coded instructions used to program looms with punch cards, through the Turing machines developed to decipher cryptographic code, to modern-day cloud computing, the computer program has enabled society to progress and prosper.
In the modern world, computers and programs are everywhere; in our homes and offices as PCs and servers (IT), in our power stations and water treatment plants as PLCs and HMIs (ICS), and increasingly in our vehicles, on our wrists and in our household appliances as the Internet of Things (IoT). The importance of the “program” and how it enables the modern world is taken for granted.
In the cybersecurity world, the importance of a different type of “programme” cannot be taken for granted. A security programme can be defined as an organized collection of people, activities and outcomes that aims to systematically defend an organization against cyber threats. A successful programme should allow businesses, as a minimum, to clearly understand:
- Roles and responsibilities: Internally and externally, who has responsibilities for cybersecurity, and are they suitably trained and briefed to perform them?
- Digital assets identification: What are they, what functions do they perform, and what is their configuration?
- Risks: What security risks are you exposed to, and what can you do to reduce them?
- Context: What is your business doing now, what is it trying to achieve, and what is the roadmap for doing so?
For organizations with ICS and IoT – often referred to as Operational Technology (OT) – developing and establishing an effective cybersecurity programme may be more challenging, particularly as roles and responsibilities for OT have not traditionally included security.
The NIST Cybersecurity Framework provides some widely accepted and useful advice on how to defend against cyber threats, built around the five functions of identify, protect, detect, respond and recover. The “protect” function is usually the easiest to understand. Firewalls, passwords and locked cabinets have been used as cyber protection for decades and, even in most legacy OT environments that didn’t originally consider cybersecurity, there are usually some protective functions already present, or some easily achievable protection solutions. However, the threats evolving against OT today require much more than protection alone: a combination of protection, detection and response functions.
There are now many ICS-specific detection products available, such as Nozomi’s SCADAGuardian and Claroty’s Continuous Threat Detection. These tools enable asset owners to detect potentially malicious activity on their OT networks, as well as assisting in identifying digital assets. Once anomalous behavior is detected, action can be taken to respond to, and recover from, the events on their OT networks. However, this is only possible if the right response plans are in place, with the right people ready to take action.
Respond and recover
Cyber defense exercises range from tabletop, paper-based scenarios lasting a couple of hours through to multinational, multimillion scenarios held in dedicated facilities and lasting weeks. At the Cyber UK conference in Glasgow back in April, the UK’s National Cyber Security Centre launched an online tool called “exercise in a box”, allowing organizations “to find out how resilient they are to cyber attacks and practice their response in a safe environment”. This is a great example of enabling a key element of a comprehensive cybersecurity programme, so that organizations of all sizes can practice their response to incidents, and learn and improve from them as a team.
Programmes for all
An effective security programme cannot be lifted off a shelf. It has to be crafted and developed to ensure it is fit for purpose for the organization, in the context of what that organization is trying to achieve. Developing one is like any other project: it needs stakeholder buy-in, planning, identification of objectives and appropriately skilled resources. NTT Security’s OT team can assist organizations in developing these programmes, particularly where there is a shortage of staff skilled in OT security.
Putting all the right elements of a programme together will take time and effort. But by doing so, an organization will be able to test and measure the effectiveness of its capability, and be best placed to enable the business to achieve success using all of the digital technology available today. As a digital society, we must work hard to ensure that comprehensive and effective security programmes become as common as the computer programs continually running around us.