“In order to know what’s going on in an enterprise you need to do a study that takes 6 months and costs $250,000,” said Fred Cohen (@FearlessSecurity) of Fearless Security in conversation with Chris Blask (@ICSISAC), Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), at the 2014 RSA Conference in San Francisco.
That kind of time and money is simply not feasible for the hundreds of thousands of critical infrastructure elements in the United States and the millions across the world, said Cohen.
Cohen’s answer is to develop an assessment methodology or tool that takes ten days and only $25,000. His group has already created sector-specific models that ask questions and force participants to make decisions specific to their sector. He’s hoping that by studying certain verticals, such as water, his group can learn enough to get the cost and complexity down to just half a day and $5,000.
He’s just trying to change the equation so the millions of people who need to be served can be served.
The entire open source project is available for download. Their first success is building a standard of practice for archives and records management so that public records can be more trustworthy.
By creating more and more of these verticals they feel they can drop the cost and the complexity down to the point where it’s more or less prescriptive, said Cohen.
How far they can go, and how soon the critical infrastructure problem can be solved, is another issue. You can’t just go around replacing infrastructure, Cohen acknowledges: most infrastructure rolls over every 20 to 40 years, so you can expect it to take that long to get there.
But that doesn’t mean we have to wait that long. Many of the biggest problems can be solved with architecture, said Cohen, who points out that small changes to architecture can change the equation, making the infrastructure harder to attack and easier to defend.
“Reduce the aggregation of risk so massive failures don’t happen,” said Cohen. “Make it so that when there are failures they don’t last as long and that the people running those systems know how to deal with them.”