A quick look at the headlines, and it’s clear there have been a significant number of cyberattacks crippling today’s enterprises, including a growing number of manufacturers. However, the reality is that the number of attacks that surface pales in comparison to the actual number of cybersecurity incidents.
In some instances, companies have no clue their operations have been breached. After all, it’s not uncommon for weeks, months or even a year to pass with the hacker completely under the radar. Unfortunately, this is not always the case after all no business wants to admit that their systems have fallen victim to an incredulous attack. The brand damage alone can seem impossible to reverse.
The anticipated cybersecurity executive order has hopes of adding a new level of transparency while also creating a governmental entity resembling the National Transportation Safety Board. The new agency, coined as the Cyber NTSB, would investigate incidents much on the same level as the NTSB investigates major crashes.
What does all this mean to the security industry and manufacturers?
With the SolarWinds cyber assault estimated to have started in October 2019 and impacting several global companies like Microsoft and FireEye, there must be a reckoning in the cybersecurity industry – and the sooner, the better, Ralph Pisani, president of Exabeam tells IndustryWeek, “If we have plenty of security solutions, innovations and tools available, why are we allowing breaches of this scope and magnitude to continue? To me, the answer is simple: the problem is not only the lack of knowledge about technology, it’s also about the lack of refined processes needed to find a breach. Rather than focusing on a product, teams must shift the fundamental, organizational priorities for securing the enterprise to be more process-focused.”
“As an industry, we must help organizations evolve with the changing threat landscape and adapt to create greater operational efficiency. For instance, most available detection solutions are focused on known threat response, when they should really be focused on identifying behavioral signs of network infiltration. We must also embrace the idea that identity is the new perimeter. Of course, having visibility into the credential usage at The Department of Treasury would not have prevented the SolarWinds attack, but it would have identified and contained it more rapidly,” says Pisani. “Last but not least, we’ve seen the enemy run the same game over and over, so the defense starts with: detection, triage, investigation, and response. While there’s increasing focus on addressing the two ends of detection and response, most companies struggle or overlook the middle pieces without realizing the smokescreen this provides for attackers.”
Pisani continues, “That tells me that there is a psychological metamorphosis needed in security. This executive order could serve as a positive push in that direction. With this extra layer of accountability for vendors with government customers, SOC teams will be motivated to shift their focus away from the idea that machines will draw conclusions for them and take those extra process steps to protect their own enterprise and their customers.”
According to Neil Jones, cybersecurity evangelist with Egnyte, cybersecurity supply chain attacks, like the SolarWinds hack, are stark reminders for the need to modernize the collective approach to cybersecurity. “The attacks are now designed to target specific, higher-profile organizations in the public and private sectors. Whether driven by nation-states or cybercriminals, the primary objective of the attacks remains the same: to obtain users’ sensitive data,” says Jones. “With data in hand, attackers can exploit it for espionage purposes, competitive advantage, and/or for monetary gain, as we have experienced with many recent hacks.”
Jones adds, “If we hope to protect our critical infrastructure and government entities, requirements need to be stronger, with more stringent certifications required to work on federal contracts. In addition, there should be a stronger emphasis on adopting a data-centric security strategy that properly secures and governs sensitive information (especially for supply chain relationships), which currently represents the soft underbelly for cyberthreats. Finally, we can anticipate that successful techniques attackers employ on larger organizations will be adapted for use on smaller organizations, which generally have smaller security teams and less advanced security protocols.”
Alex Pezold, CEO of TokenEx, tells IndustryWeek, “Today, many organizations use a combination of vendors and technologies to assist with their digital operations, causing a need for transparency and responsible information-sharing to ensure that intrusions and other malicious activities are promptly identified and addressed. Regardless of whether such transparency is required by law, we believe it is a best practice for privacy and security.”
According to Stel Valavanis, CEO of onShore Security, the security sector has been unanimously begging for increased regulation, particularly in breach disclosure. Some states have acted, and the Cybersecurity Tech Accord, has come forward as well. “As for the preventative measures there is less agreement because they are more complex, but we all know that the federal government has been unresolved on this for much too long. This needed government agencies to be threatened for action to be taken, and the security sector is immediately able to oblige,” says Valavanis.
A software bill of materials (anticipated in the Executive Order) will provide support and ideally enforcement, of much needed visibility into critical use software and establishes a higher level of vendor accountability, explains Edgard Capdevielle, CEO of Nozomi Networks. “It should make it easier for agencies who are purchasing software to see the difference between well-built products, designed with security in mind, and those that aren’t,” he says. “This new level of accountability should benefit manufacturers as well. At the same time, the devil is in the details. The concept of BOM has worked fairly well for hardware, but software and software abstractions are very different, and many software vulnerabilities may only occur in specific scenarios. An effective software BOM model must take that into consideration.“
Of course, manufacturers will have to change their ways and increase their budgets, explains Valavanis. “None of the work to be done is unreasonable and, in fact, will also improve their business processes in general,” he says. “They’re used to operational standards and really should applaud these requirements if only just to create an even playing field. This is where regulation is good.” Such executive actions are often precursors to a future permanent set of regulations. “But that doesn’t only come from government. If the impact was redirected to the source, it could very well be industry if not market forces that provide accountability,” says Valavanis. “Let’s not ignore that these are crimes we are talking about so, ultimately, we want to move the impact all the way to them, and that’s where the Cyber NTSB could provide the needed attribution and maybe more law enforcement involvement.”
Capdevielle adds that addressing these issues across government agencies is just the start, and will naturally lead to higher levels of security standards and visibility in the private sector as well. “Manufacturers should look to learn from and adopt any new guidelines which will give them better defense against supply chain and nation state cyberattacks,” he says. “New legislation like the National Risk Management Act would help establish a more permanent process for continually assessing and addressing risk to the resilience of critical infrastructure and manufacturing. And other public-private efforts, like today’s IST-led push for an aggressive and comprehensive whole-of-government assault on ransomware, are all examples of action in process that will make manufacturing and other industrial infrastructure safe.“
This story will be updated when the executive order becomes official.