Every connection represents a potential attack vector or threat source
The flipside of connectivity is the vulnerabilities that come along. How serious is the threat?
Every connection to a system represents a potential attack vector or threat source. Minimising this type of threat is referred to as ‘reducing the attack surface’. All connections must be reviewed and approved only after completion of a detailed risk assessment that considers not only the nature and probability of the threat, but the potential severity of the consequence.
How can organisations address the issues of cyber attacks and IT Security in the age of connected plants?
See the previous comment. The key here is to conduct assessments and make decisions based on a solid understanding and confirmation of the business value associated with any configuration decision, which then must be balanced with potential risk (i.e., threat, vulnerability and consequence). Although addition of connections is often sold based on an argument of lower cost or increased productivity, each also comes with an ongoing cost of monitoring and maintenance. The benefits must exceed the costs.
One major threat comes from growing proliferation of IIoT devices and storage (cloud). How can users deal with such threats?
The best response here is a well-formulated technical architecture that provides principles, models and standards that are used to make decisions about if and where to connect such devices. Available standards and practices provide considerable guidance in this area, representing ‘proven and effective engineering practice’.
A leading cybersecurity player recently demonstrated internal vulnerabilities like USB devices. Are employees adequately trained?
The short answer is No. Although the risks associated with such devices are well known in the security and systems community, there is still much to be done to sensitise users and provide them with adequate training, awareness and guidance on safer alternatives. Many companies have placed severe restrictions on the use of such devices with critical operational systems.
Do companies compromise security by their unwillingness to spend, attributing it to risk appetite?
Of course. This is the essence of risk management. If a company has the necessary (accurate) information about threats, vulnerabilities and potential consequences they are free to make a determination about the level of risk that they choose to accept. Since there is no such thing as “zero risk” it follows that such acceptance will decrease security beyond a certain baseline. When there is a conscious decision to accept a level of potential risk it is essential for the asset owner to have appropriate contingencies and responses in place to increase the resilience of the system in case of a successful compromise.
Is there an ideal solution that reaches a fine balance?
Perhaps for certain very narrowly defined use cases, but not in a broad or general sense. Every situation is different, which is why it is so critical to conduct thorough risk assessment, document the results and commit to follow-up actions.
Eric Cosman provides advisory and consulting services to ARC analysts and clients in all aspects of operations and project management.