At the Aspen Security Forum, Intel Security released the report entitled Holding the Line: Critical Infrastructure Readiness. The report was based on a survey of information technology and security professionals with an average of 12 years of security experience, representing 625 critical infrastructure organizations across the United States, the UK, Germany and France.
One thing that was not immediately distinguished was the respondents' particular role, and whether they worked within the IT environment or that of Operational Technology (OT). This becomes relevant because the loss of availability of a system within an IT environment, whilst important, is not really critical. However, the emphasis on this distinction begins to become irrelevant when we consider the types of attacks we have seen recently, and moreover with the reluctant acceptance that our once segmented environments have forever been inadvertently connected.
In the last 12 months we have seen confidentiality-based attacks (Dragonfly) against the OT environment, as well as confidentiality-based attacks on the IT infrastructure that could have a detrimental impact on OT. In other words, the connectivity of these environments has increased at such an exponential rate that attacks today are able to move laterally between previously isolated environments with relative ease.
The survey therefore identifies some rather worrying findings:
Finding 1: Overconfidence. Those surveyed were asked about their own organization's defenses; only 27 percent of respondents reported feeling very or extremely vulnerable today, compared with 50 percent three years ago.
Finding 2: Respondents reported close to 20 attacks per year. Of these attacks, more than 33 percent resulted in service disruption, and more than 25 percent resulted in data compromise.
There were of course more than two key findings. However, the above two certainly beg the question: if these organizations are identifying 20 attacks per year, of which one in three results in the loss of availability and a quarter in a confidentiality breach, then why is the perception that their own defenses are better?
The headline for this finding was put under the title of overconfidence, and whilst it may be appropriate for an organization not to consider the threat of data compromise a significant issue (certainly in comparison to availability), we have to consider the long-term ramifications of these losses. For example, Dragonfly showed that confidentiality attacks do occur, but to what end? Once the data is delivered to the party potentially paying the attackers, what will they do with it?
Reducing critical infrastructure risk is a global strategic challenge, but as with almost any risk management framework, identifying the risk is the first step. If we have an organization that incorrectly calculates its own risk, what is the impact not only on it but on the rest of society dependent on the services it provides?
What questions do you have?