Taking a Holistic Approach to Reducing Risk

Like many things in life, a holistic approach usually delivers the best results, and cyber security is no exception: risk is reduced most effectively when it is tackled from several directions at once. But what does a holistic approach to cyber security actually involve? This week’s insight explores.

Cyber security is a collective term for the measures put in place to reduce the risk associated with cyber-attacks. It dates back roughly half a century, to the early days of networked computing. Initially focused on protecting Information Technology (IT), cyber security has evolved to embrace Operational Technology (OT) as digitalised industrial automation and control systems have become prevalent.

Over the years considerable effort has gone into managing cyber threats through key design measures such as air gaps and firewalls. But the threat landscape keeps changing, and attackers have repeatedly shown that both IT and OT environments can be infiltrated, so the focus must be widened if the risk is to be managed effectively.

The holistic approach combines the three complementary cyber security risk reduction enablers illustrated below, namely design, management systems and culture. They are applied throughout the IT or OT lifecycle and integrated with the physical aspects of security.

SECURITY BY DESIGN

Design is arguably the most effective of the three enablers. It is best considered alongside a cyber security hierarchy of controls, which ranks possible measures from the most to the least effective and so helps prioritise them.

The preferred option during design is to eliminate the potential for a cyber-attack altogether (e.g. by specifying analogue or passive OT systems) or to eliminate the paths a cyber-attack could take (e.g. a system that is not connected to the internet or to other IT systems). Where elimination is not possible, the next step is to reduce the attack paths in the design of the system (e.g. by minimising the number of logical entry points such as network services, remote access connections and physical ports).

Design robustness is crucial. It covers both a defensive system architecture and the software engineering measures needed to preserve the confidentiality, integrity and availability of the system. A cyber security risk assessment (CSRA) of the system design against a broad range of threat actors and threat sources, including blended cyber and physical attacks, will identify where additional requirements are needed.

These may lead to active systems (e.g. system monitoring), control measures (e.g. procedural security measures or applying the principle of least privilege) and/or physical security measures (e.g. a hardened cabinet for digital equipment or physical port blockers for connection points).

STRENGTH VIA MANAGEMENT SYSTEMS

Effective cyber security requires cyber security processes and procedures that complement the design measures. These need to be in place and followed not only while the OT/IT system is in use but throughout its entire lifecycle, from initial concept, design and manufacture, right through to operation, upgrade and eventual decommissioning.

Effective management system procedures need to be embedded not just within the organisation operating the system but throughout the associated supply chain.

Why? Well, during system design or build, a latent weakness introduced by a supplier, whether a deliberate backdoor or a flaw shipped in a compromised build, may remain undetected and be exploited years later as the basis for a cyber-attack during operations. During maintenance or upgrade, the portable devices and removable media used to load software can also provide a convenient path for a cyber-attack on systems that have been air-gapped from the internet: the air gap is only as good as the controls over what crosses it. It is therefore important to have a full 360-degree view of operations.
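One practical control for the removable-media path described above is to refuse any update that does not match a manifest produced on the trusted side before the media left it. The script below is an added example and is not code from the original article or from Juberi: the engineering side builds a manifest of SHA-256 hashes and authenticates it with an HMAC key that is never stored on the media, and the OT side checks the manifest MAC, every listed hash, and the absence of unlisted or executable files (autorun.inf, .exe and similar) before anything is installed. The key, file names and contents are all constructed for the example; in a real deployment the MAC would typically be replaced by a digital signature with the private key held in an HSM.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Constructed for this example: a secret shared between the engineering side and
# the OT verification host. It must never travel on the update media itself.
MANIFEST_KEY = b"example-manifest-key-do-not-use"

# Artefacts that have no business on transfer media for an OT update.
SUSPICIOUS_NAMES = {"autorun.inf", "desktop.ini"}
SUSPICIOUS_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".lnk", ".scr"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict[str, str]) -> bytes:
    # Stable serialisation so the MAC is computed over exactly the same bytes on both sides.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(update_dir: Path, key: bytes) -> dict:
    """Run on the trusted engineering side before the media leaves the network."""
    files = {
        p.relative_to(update_dir).as_posix(): sha256_file(p)
        for p in sorted(update_dir.rglob("*"))
        if p.is_file()
    }
    return {"files": files, "hmac": hmac.new(key, _canonical(files), "sha256").hexdigest()}


def verify_media(media_dir: Path, manifest: dict, key: bytes) -> tuple[bool, list[str]]:
    """Run on the OT side. Returns (ok, findings); ok is True only if findings is empty."""
    findings: list[str] = []
    expected = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        # A tampered or re-generated manifest fails here regardless of file contents.
        findings.append("manifest MAC mismatch: manifest altered or wrong key")
        return False, findings
    present = {
        p.relative_to(media_dir).as_posix(): p
        for p in sorted(media_dir.rglob("*"))
        if p.is_file()
    }
    for name in present:
        if name not in manifest["files"]:
            findings.append(f"unexpected file on media: {name}")
        base = Path(name).name.lower()
        if base in SUSPICIOUS_NAMES or Path(base).suffix in SUSPICIOUS_SUFFIXES:
            findings.append(f"executable/autorun artefact on media: {name}")
    for name, digest in manifest["files"].items():
        p = present.get(name)
        if p is None:
            findings.append(f"listed file missing from media: {name}")
        elif not hmac.compare_digest(sha256_file(p), digest):
            findings.append(f"hash mismatch: {name}")
    return (not findings), findings


def demo() -> dict:
    """Walk through a clean transfer, a tampered stick, and a forged manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        update = root / "update"
        (update / "firmware").mkdir(parents=True)
        # Constructed sample payload, not a real firmware image.
        (update / "firmware" / "plc_v2.bin").write_bytes(b"\x7fELF" + b"\x00" * 64)
        (update / "README.txt").write_text("Release 2.0 (constructed for example)\n")
        manifest = build_manifest(update, MANIFEST_KEY)

        media = root / "media"
        shutil.copytree(update, media)
        ok_clean, f_clean = verify_media(media, manifest, MANIFEST_KEY)

        # Someone modifies the firmware and drops an autorun payload on the stick.
        (media / "firmware" / "plc_v2.bin").write_bytes(b"\x7fELF" + b"\x01" * 64)
        (media / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
        (media / "setup.exe").write_bytes(b"MZ")
        ok_tampered, f_tampered = verify_media(media, manifest, MANIFEST_KEY)

        # The attacker rebuilds a matching manifest but does not hold the real key.
        forged = build_manifest(media, b"wrong-key")
        ok_forged, f_forged = verify_media(media, forged, MANIFEST_KEY)

    return {
        "clean": (ok_clean, f_clean),
        "tampered": (ok_tampered, f_tampered),
        "forged": (ok_forged, f_forged),
    }


if __name__ == "__main__":
    for case, (ok, findings) in demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'REJECT'} {findings}")
```

The check is deliberately all-or-nothing: a single unlisted file or hash mismatch rejects the whole update, because a partially verified stick gives no assurance about what else it carries. The same manifest can be reused at each hand-over point in the supply chain, so the OT operator can verify what the supplier built rather than what happened to arrive.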

CHAMPIONING A PROACTIVE CULTURE

Last but certainly not least is the nurturing of a proactive security culture. Ultimately, the effectiveness of a robust system design and management system in reducing the risk of cyber-attack can be undermined by the actions of the people who interact with the system, whether intentional or not. This could include inadvertently opening a phishing email, connecting an infected USB stick to an IT or OT system, or simply not adhering to logical access control procedures.

A proactive security culture will drive the desired behaviours within the operating organisation and associated supply chain.

Effective security requires motivating people to comply with well-defined procedures. Crucial to success here is the visible commitment of leaders to security, as well as providing cyber security awareness and regular refresher training for all individuals involved with the organisation from employees to stakeholders and supply chain.

Developing a mature security culture does not happen overnight, and it can be painstaking in parts. It takes time and continual dedication, but it is as important as the other elements of the holistic approach. This is something we at Juberi are well versed in helping your company with.

To effectively reduce the risks of today, a holistic approach to cyber security must consider the three risk reduction enablers of design, management systems and culture throughout the different stages of the system lifecycle and its reach must go far beyond the organisation itself.

If you’d like to find out more about how we can assist you in the design and development of a robust cyber security strategy then please contact us.
