With the frequency of cyberattacks only increasing, strong cybersecurity practices are more important than ever. However, there still seems to be a lack of understanding as to the importance of cybersecurity, as well as the role that cybersecurity insurance should be playing in the landscape.
CFE Media and Technology brought several industry experts together to discuss IT/OT convergence and why it is such an important part of cybersecurity. Joining Gary Cohen are David Masson, Sam May and Bryan Bennett. Bennett is the vice president and practice leader of cybersecurity at ESD, Masson is the director of enterprise security at Darktrace and May is the senior compliance advisor at Steel Root.
This discussion has been edited for clarity.
ICS Pulse: Many cyberattacks enter through information technology (IT) systems, but when attacks start hitting operational technology (OT), we’re talking about human safety and even national security. You’ve all mentioned that the world needs to notice this stuff. It needs to make headlines for people like when Colonial Pipeline or Oldsmar happened. The scary thing to me is what might make the headlines is a massive OT breach on critical national infrastructure that does have ramifications for human safety.
Bryan Bennett: It’s not going to be a big deal for most of the public until it affects them. When you have a lot of near misses, or things like the Colonial Pipeline that don’t affect individuals but more companies and larger enterprises, everyone’s like “Oh, that sucks for them.” Then they just let it go. But when it’s you, and it hurts you or impacts you, now it becomes important. And most of the people will say, “I don’t want the government involved in my life.”
If there was something that could have been blamed on the government for lack of something they should have done, all the fingers are pointing at them. There’s a lot of factors to this, and it’s not one entity. Everybody must look out for themselves. The water treatment plant should have looked out for itself. It might be a municipal or a local government facility, but it’s not a federal facility.
It’s not the federal government’s organization. It’s that municipality’s responsibility to make sure that they are safe. But, again, the reason we’re even talking is that a lot of OT and industrial control system (ICS) cybersecurity hasn’t been put in place.
Sam May: Hedge rows to precipices: the federal government should be providing a hedge row to the precipice of us all just drinking sewage out of the tap. There should be some requirement from the federal government that says if you’re going to operate a water treatment plant, you must follow these rules.
That’s where I think if you look at the FAR clause, it just says, “If you want to play in this space, then these are the rules that you’ll have to follow,” and then things get more specific. When you look at the specific government customers, what this regulation allows for is your contracting officer to say, “You’re going to follow these rules to play on this contract.” Some of them are easy, like you just must do a NIST 800-171, but I’ve seen Navy contracts where they’re going to blue team your systems because it’s not good enough for them that you simply have a certification.
They must prove that we’re not going to do the F-35 again and have that nightmare situation where you have teenagers hacking the planes from their cars in the parking lot. We’re going to provide an actual secure infrastructure, so we’re going to go about this in a much more heavy-handed way. But the federal government’s job is to say that there are data security rules around operating OT and critical infrastructure in these environments. The state has to say, “If we’re going to allow the town of ABC to operate its own water treatment plant, it’s incumbent upon us to make sure they’re doing it in such a way that provides availability but security, as well.”
You look at any regulatory compliance that corporations have put upon themselves, and you see that these things function. They function because the credit card industry has a vested interest in having certain guidelines around using its systems and providing these services. [Are we] to say that critical infrastructure must be red teamed once a year, and that there is some benchmark that you have to meet, there is some minimum line that you have to meet?
I shouldn’t be able to just walk into a transfer station off the street because I have a hard hat and a white van and do whatever I want in there for an hour and then leave without having anybody question it. The locks should be of a certain grade. The physical security should be a certain grade. There should be certain access controls. The networking should be of a certain grade. It’s going to be hard for legislation to get this granular because of what the rulemaking process is.
All it takes is one change, and the technology and the entire rulemaking process must start again. It’s too cumbersome. The industry has to say, “Federal government, this is the standard by which we want to be held. We’re going to update this standard with the best practices every year, every quarter, or every month or every week. You’re going to say, follow this standard, or don’t play in this space.”
If you’re going to offer it, then you have to follow this industry standard, and the industry has been much more dynamic and agile. We can then create these efficiencies that the federal customer or even the state customer can’t.
David Masson: I used to work for two national governments, and it’s been known for a long time that if you want to cause some real damage, you attack critical national infrastructure and attack the OT. It’s always been known about that. It only really comes to the public floor once the public starts to experience one of those attacks. With Colonial Pipeline, it was an IT attack, and they never actually got anywhere near the OT, but there was a fright, and they actually switched the whole thing off.
That’s not a long-term solution to attacks. Too often, you’ll see businesses in the national infrastructure sphere — especially when there’s relapse of OT and ICS — they’ll realize they’ve got a problem, get a group together and they’ll think about it. They’ll discuss that the actual mitigations are too expensive or their technology is too old. What they’ll opt to do is just shut it down when things go wrong.
Sure enough, if something goes wrong, usually in their IT, then their option is to shut it down and perhaps rely on their cyber insurance as part of their risk mitigation plan. Cyber insurance is going to be a scarce beast. In Canada, they’re handing out three to five bucks for every buck they bring in. That’s not going to be around for too much longer.
ICSP: What should the role of cybersecurity insurance be?
Bryan Bennett: When you talk about cybersecurity insurance, I don’t know what’s going to happen because with the mandates going out that you can’t pay somebody any ransom, then what’s the point of having the insurance? They can’t pay either, and then you’re in trouble. If you don’t have insurance while it’s still allowed, I think people or organizations are more comfortable saying, “Well, we can look at that later. If anything happens, we still have insurance.”
That’s never a good answer. That’s like saying, “I’m going to go wreck my car because it’s insured, and I’m going to go get another one.” That’s not how things go. I don’t know how this is going to go with the new discussions around how entities in America cannot pay ransom if they get attacked and hacked.
Sam May: That’s not how things go for normal, well-adjusted adults. I think in some cases, that’s going to be some portion of industry no matter what. There are going to be people out there who think that if they go get a cybersecurity insurance policy, they’re covered.
What I think cybersecurity insurance in the United States is going to be if you can’t pay ransom is that your environment gets encrypted. Your employee clicks on the link even though you’ve told them a thousand times, “Don’t click on the link!” but they’re going to click on the link. The PEBCAC (problem exists between chair and computer) is going to kill you, and then your entire infrastructure is bricked. So you call up your insurance agent, and you’re like, “Hey, it happened finally, and everything is shut down, and we’re not allowed to pay the ransom, so we’re going to throw all this infrastructure away, and you’re going to come in and you’re going to give us $35 million to replace it all.”
Insurance companies are going to think that’s asinine, and what they’re trying to do is say there are certain requirements we want your company to be able to demonstrate before we insure your company. And if they’re leaning toward yes, then we’re probably not going to do it. Can you evidence to us that you can provide fundamental cybersecurity so that we’re not just going to be hemorrhaging out $35 million every time one of your employees clicks on the link?
What bothers me is when I talk to clients and they say, “We don’t have to worry about this because we have insurance.” Instead of paying for resources to secure their infrastructure, they are paying insurance premiums and not caring. They have their IT staff who’s doing their best to try to keep these systems running and to keep uptime up, and they have basically forgotten about security because they pay to provide insurance in case something bad happens.
This is where you start getting into dangerous realms, because maybe what your insurance company can provide you as far as their insurance product can help you or maybe it can’t. Maybe this is something you can buy your way out of, but maybe it isn’t. Insurance isn’t going to be able to get your data back. They’re going to write a check. You may not even be able to do that. Even if you’re going to break all the laws and write a check to the person who put the ransomware on your system to begin with, there’s no guarantee the key works for anything and unlocks anything, or you get your data back in a useful way.
You might unlock it, and the encryption could have screwed the data up. There’s a place for cyber insurance, but it’s not cybersecurity. If I was running a cyber division or department or even a one-man shop, and I heard, “Well, we’re going to get cyber insurance,” I’d be like, “This company is not going to take it seriously, and we don’t understand it.” To say that we have all these protections in place, we have cybersecurity insurance in case the worst happens, that doesn’t do anything for you or your business.