Better Reasoning For High-Consequence Cyber Attacks

Cyber attacks with the potential to kill dozens of workers demand very different defenses and analyses than do attacks that encrypt only a laptop or three each. Why? Low-impact, high-frequency (LIHF) attacks are mostly random, because human error - clicking on a bad link or opening a bad attachment - is very often part of the attack, and human error is reasonably random. Sophisticated attacks most often eliminate randomness through persistence: hit enough people with a phishing attack and sooner or later one of them will click on the link or attachment. Describing sophisticated attacks in LIHF "likelihood" language can lead to errors in judgement. Such errors are serious problems when we are talking about attacks with the potential for worker casualties, threats to public safety, or other unacceptable consequences.

"Likelihood" in IEC 62443

In an upcoming webinar I argue that the use of the word "likelihood" in the current IEC 62443-3-2 risk assessment standard is suitable for LIHF threats but very confusing for high-impact, low-frequency (HILF) attacks. For sophisticated HILF attacks we generally have no frequency or likelihood data. Despite this, cyber defenders have a legal obligation of "due care" - an obligation to make reasonable decisions about threats and defenses when serious consequences are at stake. To make reasonable decisions, we must exercise judgement. The language of the current standard does little to explain the role of judgement in our decisions.

Register for my webinar on Wed. Feb 26th

Defining a Credible Threat

In the webinar, I argue that when consequences are unacceptable, security program designers generally must deploy defenses that defeat all credible threats with a high degree of confidence. If there are credible threats we do not defeat this way, then we should probably document the situation and why it is reasonable not to deploy such defenses, in case the consequence is ever realized despite our analyses and we must defend our decisions in court. I propose to define a credible threat as one that it is reasonable to believe may impact the affected site at some point in the next several years. I propose to replace almost all instances of the word "likelihood" with "credibility," and the remainder with "frequency."

'Credibility' vs 'Likelihood'

We need the language of our guidance and standards to reflect our legal obligations to society. The current near-universal use of the word "likelihood" clouds high-impact decision making in favor of low-impact decisions. We need the language of our guidance and standards to focus on our most difficult decisions, not our simplest.

I invite you to join me on the call to explore this topic in depth, at 12 noon New York Time, Wednesday February 26.


Andrew Ginter

The #1 most widely-read author in the industrial security space | VP Industrial Security | Podcast Host | Author | MS, CISSP, ISP, ITCP

1 week

Thanks for the insights Neil - I suggest that the question of "likelihood" only applies when consequences are the result of random events. Human error is arguably random and so high-frequency low-impact events that are primarily the result of human error (clicking on a bad link, etc.) can be modelled as random. Deliberate attacks eliminate that random factor with repetition. Sophisticated threat actors do not choose their targets randomly, but repeatedly hit the same target until they achieve their objective - again not random. The outcome of these sophisticated attacks tends not to be random either - an attack that breaches a site once, if repeated against the same, unchanged site, will almost certainly breach it again. The question for high end attacks is not likelihood but credibility. Is it reasonable to believe that we, or a site very similar to us, will suffer a serious consequence due to this or that kind of attack in the next several years? If so, we have a legal obligation to deploy reasonable measures to protect worker safety, public safety, the environment and national infrastructure. And sometimes shareholder value as well.

Michael Issan

Account Manager @ Waterfall Security Solutions || OT/IT Cybersecurity Specialist

1 week

OT attacks go beyond data—they have the potential to endanger lives and critical infrastructure.

Neil Wakeling

CEng FIET, CISSP, ISA/IEC62443 CS Expert, CFSE; Industrial Control and Safety System / OT Cyber Security leader with strong process safety background

2 weeks

One final thought - as critical infrastructure becomes more regulated, national regulators are also setting minimum requirements. I believe that in the UK attack vectors with a major consequence must be considered as credible, but I think with SL2 maximum.

Neil Wakeling

CEng FIET, CISSP, ISA/IEC62443 CS Expert, CFSE; Industrial Control and Safety System / OT Cyber Security leader with strong process safety background

2 weeks

So how do we deal with such unacceptable consequences? I don’t favour the approach of saying “what could happen will happen” as deploying huge resources for what remains a low risk (due to very low likelihood) doesn’t make sense. Many companies hold risk registers for such major attacks which of themselves require additional attention to the scenarios. Assigning SL4 to these events is in my view too much. I personally favour setting higher Security Levels for these low frequency/high consequence events. Where we might have put SL1 in the box, put SL2 for example. Of course continuous reassessment of risk is important, and sadly the geopolitical situation is heading in a bad direction, so this is important. Looking forward to Andrew’s webinar.