By Brian Contos, VP & Chief Strategy Officer, Securonix
In a vote of 34 to 2, European Union rules regarding cyber security for critical services such as energy, finance, healthcare and even online services have been informally agreed on and are ready for endorsement by the Council and the full Parliament. The EU has the opportunity to learn from cyber security mistakes of the past and put in place controls that are capable of mitigating modern threats with solutions that integrate network, data, endpoint and user context for more rapid threat identification and mitigation.
Motivation for the vote
There is currently heavy fragmentation across the various national cyber security controls. The rules are an effort to (1) define which organizations are to be considered critical and thus require enhanced security controls and (2) define a set of criteria ensuring that these critical organizations can operate securely, with adequate controls for incident prevention, detection and response. Mandatory reporting of serious breaches to national authorities is also listed as a requirement. The stated aims are to:
- Improve the security posture across essential EU services
- Increase cyber security awareness
- Better define which organizations need improved cyber security controls
- Outline various controls that can be leveraged to achieve enhanced security
- Introduce accountability and reporting which will in turn increase awareness, thus bringing the process full circle
Many of the organizations, especially in industries such as power, energy, transportation and sanitation, have a bifurcated approach to security in which one group is focused on cyber security as it relates to general IT operations and the other on industrial control systems, where cyber security is often a secondary concern after physical security. While security across IT generally looks at CIA, or confidentiality, integrity and availability, security across industrial control systems tends to focus primarily on availability, i.e. literally keeping the lights on. Bridging the cyber security gap between these very disparate yet often connected organizational segments can be technically and politically challenging.
Years ago there was an airgap separating industrial control system networks operating SCADA systems, programmable logic controllers, and the like, from more traditional IT systems and external networks like the Internet. Process optimization, measurement, real-time trading and a number of other requirements have been integrating these environments more and more. Today, we find that industrial control systems are often highly connected with a mix of legacy and modern technologies. Consider a facility responsible for supplying electricity to millions of customers operating with the following:
- Multiple protocols like TCP/IP, Serial over Ethernet, DNP3 and Modbus
- Operating systems ranging from end-of-life builds like Windows NT 4.0 and proprietary, black-box solutions to cutting-edge commercially available installations
- Communication through wired Ethernet, wireless Ethernet, Bluetooth, modem dial-ups, and physical serial connections
- Many organizations delay updates to their cyber security solutions until their older technology’s end of life. Within the industrial control system environment, this means that a computer workstation that is tasked with managing a turbine, for example, may stay in operational use throughout the life of that turbine (which could be decades). This leaves the workstation out-of-date and vulnerable to the most rudimentary attacks.
- Proprietary systems with warranties that prevent operators from patching, upgrading or even installing basic security controls that mitigate malware, privilege abuse, rootkits and the like.
The net: these are highly connected, highly complex environments that are often more vulnerable to attack than your grandmother’s laptop.
The EU rules are a great step in the right direction. Operationalizing the rules to the point where cyber security controls are effective across all EU critical infrastructure will be challenging, but it’s a challenge that must be confronted for the safety and security of citizens, businesses and governments.
While preventative security controls will likely be a large part of the proposed cyber security posture, the EU must learn from mistakes of the past. While prevention is necessary, it simply doesn’t scale. Where you can’t prevent, you must be able to detect and respond. As such, an inclusive approach that stops known attacks while being able to identify and rapidly mitigate the unknowns is absolutely essential if we are to address the real risks inherent to today’s modern threat landscape.
The once myopic approach to cyber security that was predicated almost entirely on network security is simply outdated. Cyber security must be all-encompassing, integrating network controls with data, endpoint, physical and, perhaps most critically, user context. Understanding the “who” as it relates to threats, lateral movement, suspicious and malicious user behavior, data exfiltration conduits, application abuse, fraud, patterns and anomalies related to roles, and other human-centric variables is the new ground zero for effective cyber security solutions. Without user context, cyber security teams will be fighting with their arms tied behind their backs, and the EU rules will be nothing more than a good start.