Things change when you stop seeing the world simply in black and white. “It’s not just good guys and bad guys, but nature, accidents—all manner of threats. The goal is to keep the system alive,” said Ian Schmertzler, president and CFO of Dispel, in introducing his VTScadaFest presentation “A Crash Course in Cyber Resilience.”
A first shift in perspective needed to become more cyber resilient against today’s cybersecurity threats is from static to moving defenses. Instead of stationary castle walls, think of submarines that roam the ocean. And stop focusing quite so much on message encryption, Schmertzler said. “Most cyber attackers don’t care what’s in the messages you send to and receive from a mission-critical system,” he said. Rather, 90% of their effort is spent on reconnaissance: finding out “where,” in cyber terms, you or the system are located. And if they find that location, the odds of a successful breach of a cyber-stationary target greatly favor a persistent attacker.
In theory, a jump server should work. But more than once, the need for human administrative interventions has proven so time-consuming, and has resulted in such a series of highly publicized workaround failures, that a much more efficient user experience was needed, Schmertzler said.
Instead, organizations with mission-critical systems are increasingly moving to automated, zero-trust systems that leverage “disposable” intermediate connections, which are automatically created when a communications session is initiated and then dissolved when the session concludes. “Access should just be access because people want one experience,” Schmertzler added. And, to make tracing even more difficult, those intermediate connections materialize and vaporize in public cloud environments, “making the battlefield even bigger.”
Perhaps most importantly, this sort of moving cyber defense is consistent with the U.S. Dept. of Defense DFARS 252.204-7008 and 7012 requirements for critical infrastructure providers. “You should already have been following these,” Schmertzler told a room populated with more than a few water utility representatives.
And while adopting new cybersecurity technologies and work practices represents a significant undertaking, it’s relatively straightforward, and in the case of infrastructure providers like U.S. water utilities the cost, an estimated $25,000 to $30,000 for a typical water treatment plant, is covered by federal funding, Schmertzler said. But the hardest first step toward implementing this sort of solution is building group consensus among the organization’s key stakeholders.
“Find champions—those most likely to succeed, to get the ball over the line,” Schmertzler said. “To gain consensus, start with a fact: The way we are looking at the world has changed—it did in 2011.”