Coronavirus is creating additional challenges for the CISOs of industrial companies. The rush to give stay-at-home workers access to critical corporate apps is increasing the risk of serious cyber incidents. Opportunistic cybercriminals are stepping up efforts to compromise corporate websites and supply chain communications, inject ransomware, and expand spear-phishing attacks. Managing these threats is at the top of every CISO's agenda. But once these tactical challenges subside, CISOs need to consider how this experience can inform cybersecurity strategy decisions. That review should cover both the problems encountered in meeting the new security demands and the lessons that can be gleaned from how countries managed the coronavirus epidemic itself.
As we noted in a previous blog, there are many parallels between managing epidemics and cybersecurity. Differences in the way countries have responded to and been affected by COVID-19 demonstrate the importance of being prepared with certain critical capabilities. Relating these to cybersecurity can help identify and justify needed improvements to cybersecurity programs.
No one could have anticipated the COVID-19 epidemic and its devastating impact on countries around the world. In just a couple of months, it has viciously propagated into over 150 countries, infecting over 1.6 million people, and causing over 96,000 deaths. The lethality and rapid spread of a seemingly isolated problem surprised governments on every continent and created enormous economic losses.
COVID-19 is a “black swan”, something with extremely low probability but devastating impact. We haven’t seen this black swan before, but we have seen others. Health organizations have also warned us to be prepared for a global epidemic, but most countries were still unprepared for COVID-19. Countries need to experience their own black swan event before they are willing to invest in the necessary defenses. Apparently, experience with the 2015 MERS outbreak was a key reason why South Korea was better prepared than others to manage COVID-19.
Efforts to fund cybersecurity face similar black swan challenges. Companies with sophisticated cyber risk analysis still discount the need to address black swan cyber events. It's hard for them to imagine how rapidly a cyber-attack can propagate and wreak havoc in operations around the world. But the impact of COVID-19 on company operations could be a good surrogate for the costs of a major cyber incident. COVID-19 also highlights the critical cyber capabilities that companies need to manage a cyber black swan event: early detection, rapid isolation, and quick remediation.
Testing has proven to be an essential tool in fighting the COVID-19 epidemic. Infection proliferation through pre-symptomatic and asymptomatic people has caused geometric growth of cases and overwhelmed health care systems around the world. Early testing could have slowed the case growth rate and enabled earlier use of therapeutics to reduce the severity of individual cases. Lower case levels and death rate percentages in countries that used early detection demonstrate its effectiveness in managing major outbreaks.
Rapid identification of compromised assets offers analogous benefits in managing major cyber-attacks. It gives defenders time to block lateral spread and constrain the damage an attacker can cause. Like COVID-19 testing, the effectiveness of early detection is directly related to how quickly problems are uncovered. In the best case, attacks can be stopped before malware has a chance to communicate with command and control sites. Cost-effective technology is readily available for companies to detect malware and suspicious system behavior before it results in major damage, so there is no reason for companies to accept the risks of a cyber black swan propagating through their IT and OT systems.
Lacking a cure, healthcare professionals have resorted to isolation as the only way to deal with confirmed COVID-19 cases. Lack of testing has forced countries to extend quarantines and social distancing to entire populations. These efforts have saved lives, but they have also created enormous financial losses for countries. Efforts to manage these impacts are now creating moral dilemmas for leaders.
Isolation has analogies in the management of major cyber-attacks. Defenders need a means to rapidly block lateral movement while they identify and deal with compromised assets. As with COVID-19, isolation that impacts large groups of assets can significantly disrupt operations. Companies need network technology that enables granular isolation to minimize these problems. Security zone segmentation helps in protecting critical equipment, but it is too coarse to avoid significant operational disruptions. Upgrading to SDN technology with micro-segmentation provides a more resilient environment that can avoid trade-offs between good security and a company's ability to operate.
COVID-19 demonstrates the importance of having adequate resources and equipment in place before an outbreak occurs. Overwhelmed medical staff extend the time patients need to wait for treatment. Lack of ventilators and other vital equipment leads to more serious cases and higher death rates. Shortages of personal protective equipment (PPE) increase risks to medical staff and patients. Exhausted doctors and nurses make errors that further increase their chances of infection.
Cybersecurity isn’t a life-threatening profession, but most companies operate with a serious shortage of cybersecurity expertise. Staff size and training decisions are based on security hygiene requirements, not active threat management. Companies justify this with risk analysis showing the “expected” costs of a cyber compromise are less than the costs of more resources. While this is rational when one considers untargeted attacks floating around the internet, it underestimates the enormous costs of a sophisticated attack or ransomware that locks up every device on a corporate network. Where more resources cannot be funded, companies can still consider how they can improve the efficiency and effectiveness of their cyber resources through investments in modern cybersecurity management technology.
No group can be fully prepared for an event as devastating as COVID-19. The costs of so many resources are simply too high. But the dire situation in New York shows how resources can be shared and marshaled towards the most critical areas. Unfortunately, time was wasted in getting agencies and states to embrace this idea and actively share their resources.
Collaboration and resource sharing are also essential in managing major cyber-attacks. The global shortage and high costs of skilled cybersecurity professionals prevent companies from maintaining the level of resources needed to deal with such an event. CISOs need to anticipate the need for external resources and take actions to ensure timely support from third parties, like suppliers, MSSPs, and government agencies. These actions should also include a review of security processes and technology platforms to ensure that remote support can be effectively delivered.
Isolation efforts have reduced the growth rate of COVID-19 cases around the world and many countries are taking actions to minimize the economic impact. But life won’t return to normal until a cure is found. Hopefully, governments and companies are extracting lessons from this devastating epidemic to be prepared for the next black swan.
Cybersecurity professionals need to do the same thing once the urgency of tactical issues subsides. As the following quotes illustrate, crises can provide valuable opportunities to drive needed improvements:
"Close scrutiny will show that most 'crisis situations' are opportunities to either advance or stay where you are." Maxwell Maltz
"Crises and deadlocks when they occur have at least this advantage, that they force us to think." Jawaharlal Nehru
"Don't wait until you're in a crisis to come up with a crisis plan." Phil McGraw