Mitigating cyber risk is a crucial part of maintaining operations on a plant floor. By limiting your attack surface and any potential entry points, there is a higher chance of thwarting a cyberattack.
Recently, The Wall Street Journal held a webinar, “Mitigating Cyber Risk,” to discuss best practices. Ari Schwartz, managing director of cybersecurity services at Venable and former senior director of cybersecurity on the White House National Security Council, kicked things off by walking attendees through some principles of cybersecurity.
Foundational elements of mitigating cyber risk
According to Schwartz, it’s important to know how to measure and manage a company’s present security measures. Because every sector of the cybersecurity industry is different, measurements for progress will vary from business to business. Once the current securities are benchmarked, the company can then take further steps to improve cyber cleanliness and habits.
Schwartz also highlighted the importance of getting C-suite buy-in for cybersecurity efforts. A company can use their established baselines and measurements to help the C-suite understand where the vulnerabilities lie in their industrial space. The top executives are usually worried about dollars and cents, potentially viewing any investment in something preventive like a sunk cost. Showing the value of cybersecurity to them is much better than being hit by a cyberattack and learning the hard way.
According to Schwartz, the C-suite uses the same risk-management philosophies for financial decisions and issues. Because of that, the cybersecurity team — hopefully composed of information technology (IT) and operational technology (OT) people — needs to speak in their language and use the same philosophy. What is good for security is also good for business.
The most vulnerable sectors
Schwartz said that hospitals are some of the most at-risk areas. Hospitals are more connected than ever, with so many networked devices. This, combined with hospitals being a big piece of critical infrastructure, makes them a target of cyberattacks. All the new entry points widen the attack surface, making hospitals more susceptible to suffering an attack from a threat actor.
An example of this happened in 2020 at Parkview Medical Center in Colorado. Their IT systems were hit, and patient data was encrypted in a ransomware attack. To make matters worse, this occurred during the height of the COVID-19 pandemic. OT systems remained unaffected, but patient data and documents were (and continue to be) an integral piece of information. The hospital needed to resort to pen-and-paper methods of tracking patient information while the attack was being investigated by a third party.
Threat actors usually fall into two categories: cyber criminals and nation-state actors. Schwartz says criminals are typically looking to make a quick buck. They will hit multiple companies, hoping that one sticks. If they are met with cyber resistance, they tend to move on. The other type of threat actor — typically a state actor — is one that works around the clock, trying to dismantle cybersecurity protocols to get in. These are targeted attacks. State actors are more determined to exploit the vulnerabilities of a system, making a strong cybersecurity presence a necessity.
Schwartz also mentioned the role that the government plays in setting a standard for the cybersecurity industry. However, federal regulations are less about setting high standards and more about “raising all boats,” which is part of establishing a baseline.
Establishing cybersecurity best practices
At the end of the keynote, Thor Wallace, CIO of Netscout, discussed several best practices for businesses to follow to ensure cyber success. Wallace said that cyber risk is both internal AND external, and hardening at the edge is an important part of mitigating external threats. He suggested reducing your public IP, implementing monitoring packages and services, using a key that blocks traffic and denial-of-service (DoS) attacks, and being more proactive than reactive.
Incorporating proper cybersecurity measures doesn’t happen all at once — it’s a process that takes time and hopefully snowballs. Further, there isn’t a finish line where you get to sit back and say, “That’s enough cybersecurity. We’re done.” It’s a continuous journey of improvement to ensure that your business and industrial space is safe from threat actors and cyberattacks.