Since the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018, organizations and even private citizens have globally begun to re-assess what it means to ‘take security seriously’ and to better understand the massive difference between security and privacy. What you may not be familiar with is the Network and Information Systems Directive (NIS Directive), which is a part of the EU standard for some Critical National Infrastructure (CNI). Whilst not all CNI are required to be compliant with this directive, (These industries include financial firms due to their existing compliance regulations being judged as sufficient.) the NIS Directive is a great starting point for organizations to review their security measures. Even if you are not required to align with NIS Directive, this directive covers the foundations of security that can be applicable to a variety of situations. Best of all, it consists of publicly available information, including the UK National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF).
How many terms and conditions or privacy policies have you read and truly felt like you understood each element afterward? I often consider frameworks in a similar mindset. Referencing security principles, that might be even further unfamiliar territory. On more than one occasion, my role as the security specialist was to go through a framework with teams and put the different requirements into plain language by offering almost a translation. The benefit? Following our collaboration, not only did each team/department feel empowered to make the required alterations, but also the negative connotations had been removed, thus allowing each of them to take action. Simply put, we created a secure culture that allowed members to build better solutions.
Leveraging existing knowledge effectively
Let’s look at the Centre for Internet Security, or CIS controls, for example. Not only has it designed toolkits that help organizations to effectively prioritize the top 20 controls, but they have also developed an Implementation Guide for ICS which defines the applicability of each control to ICS and provides useful considerations. There are many other frameworks focused on ICS, including the NIST Framework and NIST Special Publication Guide to ICS Security, among many more. Touching again on the United Kingdom’s NCSC’s CAF guide, let’s discuss a few examples of the knowledge shared. https://twitter.com/hacks4pancakes/status/1202247166804340737 https://twitter.com/hacks4pancakes/status/1202243966323843072 Consider the point that Lesley (@Hacks4Pancakes) makes regarding the redundancy of networks and controls; it can include not just redundant hardware but also processes. CAF B.5 Redundant Networks and Systems talks to this point, stating how “...preventing the use of these [devices and interfaces that are used for administration, with privileged access] accounts for routine activities such as email and web browsing significantly limit[ing] the ability for a hacker to compromise them” due to the high level of threat against these, constitutes a form of redundancy control you might not initially consider. Another point here that’s worth highlighting is how a “definition of your most critical resources and an understanding of the order of actions needed to restore service” can save valuable time during your response to an incident. Once you know what systems and/or services are vital to your operations, you can design appropriate segregation measures to protect and limit disruption in the event of other incidents. https://twitter.com/_ta0/status/1201887085612937216 Whilst funny, this statement by March (@_ta0) is fair, oftentimes systems that are purpose-built and/or not expected to be connected online are vulnerable to being overwhelmed. Careful management of resources, segregation and additional limitations will assist in achieving a more stable environment for these systems.
“Limitations of networks and information systems, or external services or resources, such as network bandwidth, processing capability, or data storage capacity, should be understood and managed with suitable mitigations to avoid disruption through resource overload.” CAF B.5
Diversity can do many things. Not only will it benefit your organization’s human structure, as it’s proven to grow net profits by 6% at firms with more women above the C-suite level. A diversity of controls and systems will also enhance your security structure. Consider the NotPetya ransomware infection at Maersk and how the shipping giant was saved due to an unrelated power outage at a data center in Ghana. In my experience, a diversity of people, process, and systems has made the difference between something that just works and something that flourishes. Often times, when working with a variety of persons, you can feel an overwhelming sense of opinions and priorities, and without a decision-making party, it can be difficult to actually make decisions through this noise. It is therefore vital that you have an expert within the team who has the authority to make the final decision and even guide the discussions. https://twitter.com/dicty_dave/status/1201493404808560641 In the end, no matter what frameworks, technology, and persons you have in place to protect your systems, a vital piece of any security program is understanding what you are protecting. Know your assets, what they are, what they do, why they’re needed, their priority, and what the likely threats are against them. Asset management might not sound like the sexiest part of a security program, but without knowledge of your existing system, you have little for which you can build effective protections. If you’re interested in learning more regarding additional frameworks, check out Tripwire’s Navigating Industrial Cybersecurity a Field Guide here.
Further reading in this series by Zoë Rose: Navigating ICS Security: The Threat Landscape Navigating ICS Security: Best Practices for ICS Decision-Makers Navigating ICS Security: Having your Action Plan Ready Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.