ICS Cyber Convergence

Arguably one of the most important aspects of cybersecurity is Threat Intelligence. Yet this discipline is often underestimated as part of a solid security posture.

The consulting company Forrester defines threat intelligence as the details of the motivations, intent and capabilities of internal and external threat actors. Forrester extends its definition of Threat Intelligence to include specifics on the tactics, techniques and procedures that hackers and Advanced Persistent Threats employ within their attacks (Threat Intelligence Buyer’s Guide, SANS CTI Summit, 10 February 2014).

At Lockheed Martin, we value Threat Intelligence's primary purpose, which is to help the business better understand the risks and implications associated with threats in order to make better decisions regarding the safety of its customers, employees and intellectual property.

We also believe that by understanding the attributes of an APT, an organization can better build a proactive Security Operations Center (SOC). By proactivity we mean moving a SOC from a “set-it and forget-it mode” governed by reacting to threats to a predictive and agile infrastructure. This migration goes beyond blocking domains to using databases and intelligence gathered over years to understand attackers’ patterns of behavior. How do your attackers grow and change over time? What common tools do they use? What techniques do your attackers always employ after entering a network? An example of understanding the minutiae of APT behavior includes knowing whether they send emails with a zip file on the bottom, or always start emails with “Dear Sir or Madam.” Do they always misspell a certain word or are they always asking for the same specific piece of information? Such intelligence makes future threats easier to identify and quicker to categorize.

According to Forrester and Lockheed Martin’s understanding of Threat Intelligence, another important aspect of this intelligence-driven discipline is the sharing and collaboration of intelligence. Standardization within cybersecurity is a major challenge. The cybersecurity industry has reached a level where the sharing of information is readily available; however, the struggle is now to determine and agree upon a set of standards for how we classify, validate and communicate intelligence.

In an ideal setting, the aggregation of valuable intelligence is filtered into a common set of standards and common nomenclatures, and fed to a group of trusted partners and sources.

With Threat Intelligence and Threat Intelligence sharing as core competencies, your organization can employ a centralized platform with Palisade®, which integrates into your present security infrastructures to deliver enterprise-wide visibility, awareness and alerting capability.

By focusing on Threat Intelligence and the collaboration behind such activities, your organization can go a long way to building a solid security posture where intelligence and actionable data are at the core of a proactive defense.


Recently, cybersecurity firm Darktrace announced an $18 million investment to hire new information security specialists in an effort to expand globally. According to Upstart Business Journal, this investment represents a cash infusion in a woman-led cybersecurity company with a history of hiring female IT specialists. The result of this major infusion, according to the online journal, could “pave the way for a more equally representative industry.”

I have been a vocal advocate of increasing the presence of women and minorities within the cybersecurity industry throughout my career. Resources are scarce within this industry and the opportunity to tap into a market as robust, hard-working and well-educated as women and minorities highlights the potential to solve this huge resource challenge.

More importantly, cybersecurity is in large part about intelligence gathering and ingenuity. These two features blossom from a diverse infrastructure made up of varied backgrounds, educations, and cultures. It is my humble opinion that together as a heterogeneous workforce we are better equipped to solve the future challenges that APTs and hackers present.

In an industry like cybersecurity where only 11 percent of the information security workforce is female, there is plenty of room to grow. According to Virginia-based non-profit Women's Society of Cyberjutsu, 25 percent in the tech sector are women. The fact that only 11 percent are in cybersecurity presents a golden opportunity to grow this industry aggressively to meet the demands of future resources.

Make a Difference in Cybersecurity

One question that I commonly get asked in cybersecurity is, “how can we make a difference in cybersecurity and against cyber threats?” Supporting the education and hiring of women and minorities in cybersecurity is often my answer.

By flooding this sector with these groups of talented individuals, we can take larger strides as a society to bring better awareness of cyber-related issues such as insider threats, phishing campaigns, viruses, malware campaigns and denial of service attacks. All these issues require as much communication, awareness and training as we can provide. The dialog for supporting and advertising the education and hiring of women and minorities brings these cyber threats to the forefront in America, not only at the water coolers and coffee machines at work, but at the dinner tables at home, which is where this awareness of cybersecurity really needs to happen.

A common follow-up question to my answer is often “how can we make a difference in the education and hiring of women and minorities in cybersecurity?” The simplest answer is: get involved.

Attend events like the National Women in Cybersecurity Conference (WiCyS) that took place in Atlanta, GA earlier this year. You can also become a member of their online community Women in Cybersecurity – WiCyS.

Another way to get involved is by working with your local high schools and universities to get cybersecurity further ingrained with women and minorities in a STEM (Science, Technology, Engineering and Math) conversation. By vocally participating within these and other initiatives, you can make a big difference in thwarting the effects of cyber attacks while creating more opportunities for women and minorities within the cybersecurity field.


Ever get the feeling that your business-as-usual (BAU) mentality might get you into trouble? If you do and you’re in cybersecurity, you’re not alone. This feeling is not without good cause; organizations are not prepared to deal with severe and frequent cyber-attacks.

Lockheed Martin recently sponsored a Ponemon Institute survey of 678 US IT and IT security practitioners who are familiar with their organizations’ defense against cybersecurity attacks, and have responsibility in directing cybersecurity activities. When asked about the challenges to achieving a strong cyber defense, 75 percent of respondents say they see an increase in the severity of cyber attacks experienced by their organizations and 68 percent of respondents say they are more frequent. However, a smaller percentage of respondents (53 percent) say launching a strong offensive against hackers and other cyber criminals is very important to their organizations’ security strategy.

These survey results raise a question that has evolved along with the conversation within our organizations: are the investments we’re making in corporate America truly protecting us against today’s sophisticated adversaries? Another way to look at it is to ask “how can we be sure that the measures in place will protect us, rather than only provide a false sense of cybersecurity?”

In order to answer these questions, organizations need to avoid three common BAU-associated pitfalls.

#1: Alerts equal security

“Things that go bing” is another way of phrasing this common pitfall. Security Operation Centers often seem packed with technologies that are meant to alert us when bad things are happening. Traditionally organizations have bought (literally bought) into the idea that there is a mix of technologies that can be plugged into the network to find all the potential issues. So they invest heavily in tools “that go bing” to defend their network. This is what we call a vendor-driven response model.

To avoid this pitfall, understand that there’s no such thing as a silver bullet for cybersecurity, you can’t buy your way out of insecurity, and the traditional set-it-and-forget-it approach doesn’t work.

#2: Nightlight equals security

A short disclaimer: your staffing plan is up to you, and we’re not saying that you need 24x7 staffing. In fact, 24x7 staffing doesn’t always mean you’re covered. Often paying a person to stare at glass overnight can cause an organization to overestimate its security maturity. In avoiding this pitfall, ask yourself:

a) Do we have enough skilled cyber analysts to fill a 24x7 staffing plan?
b) Is the staff manning each shift equipped and qualified to react and mitigate threats, or are they serving as a manual escalation trigger to alert key staff?
c) Can technology be tuned and customized to alert and escalate when key events are detected?

#3: The pre-existing framework equals security

Some organizations believe that the process of reacting to alerts is a framework. Essentially they wait for something bad to happen and then react. So whether this is a planned strategy or just the reality of your current operations – not having an evolved, sustainable and scalable framework is a pitfall that plagues many organizations.

In mitigating this pitfall, make sure you flesh out the processes behind how the technology and people aspects of your security will function. Map your tech environment, document roles and relationships, research and mirror other frameworks, and educate and train your staff to follow and understand your framework.

Most importantly, acknowledge that a framework in and of itself does not equate to security. It should be seen merely as a map that leads to a more secure posture. Your job should be to ensure that your map is as detailed and robust as possible so that your cybersecurity approach doesn’t get lost in the woods.

In many ways we can never fully avoid the feelings associated with a business-as-usual (BAU) mentality. But by following these tips, we can avoid three common pitfalls associated with BAU thinking and remove much of the threat of cyber-insecurity.


Advanced Persistent Threat (APT), as a term, is perhaps over-used in cybersecurity. Like the Boogie-Man that strikes fear into the minds and hearts of children at night, APTs work just as hard to ensure that CISOs and CIOs never rest easily. But just like the Boogie-Man, the trick to not being afraid of APTs is to understand them. Unfortunately, understanding APTs isn’t as simple as a bedtime story.

The first signs of APTs came from targeted, socially-engineered emails dropping Trojans designed for exfiltration of sensitive information. They were identified by UK and US CIRT organizations in 2005. Although the name "APT" was not used, the attackers met the criteria that define an APT. The term "advanced persistent threat" is cited as originating from the Air Force in 2006 with Colonel Greg Rattray.

Another complexity in understanding APTs is their definition and identifiable characteristics. The Internet is filled with different definitions and varying character traits that can often make this step confusing and ambiguous. One popular definition found on the Internet sums up an APT nicely:

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” –National Institute of Standards and Technology

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies and political activists. The use of the term APT seems to be growing with the rising number of APT-related attacks; a PC World story from a couple of years ago noted an 81 percent increase in APT attacks from 2010 to 2011.

In a book released a couple of years ago called Reverse Deception: Organized Cyber Threat Counter-Exploitation, the authors define the following APT criteria:

  • Objectives – The end goal of the threat, your adversary
  • Timeliness – The time spent probing and accessing your system 
  • Resources – The level of knowledge and tools used in the event (skills and methods will weigh on this point) 
  • Risk tolerance – The extent the threat will go to remain undetected 
  • Skills and methods – The tools and techniques used throughout the event 
  • Actions – The precise actions of a threat or numerous threats 
  • Attack origination points – The number of points where the event originated
  • Numbers involved in the attack – How many internal and external systems were involved in the event, and how many people's systems have different influence/importance weights
  • Knowledge source – The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by being a little proactive)

Even though Advanced Persistent Threats play a strong role in cybersecurity planning, especially for large organizations, a lot of the fear and feeling of uncertainty about them can be eliminated by a simple understanding of what they are and what their pattern of attack typically looks like. Although the solution to removing the fear is never as simple as checking your closet, or server, at night before leaving, understanding the threat and partnering with an organization like Lockheed Martin can make your networks more secure.


Cybersecurity is arguably the biggest challenge facing most companies today. We are undergoing a change in IT Security where it seems like every company is subjected to endless cyber-attacks. With the increase in Advanced Persistent Threats to traditionally consumer-oriented organizations, the adoption of cyber regulations within private companies is more prevalent than ever. Although compliance does not in itself guarantee security, it’s a good starting point, especially when combined with best practices and guidelines that regulate the industry.

Seeking to avoid having government regulations imposed on them to force IT security, a number of companies are moving towards adopting and complying with a general IT security regulation like the Federal Information Security Management Act of 2002 (FISMA). Their hope is that self-regulation will prevent government mandates.

According to David Lawson, Director, Risk Management and Compliance at Acumen Solutions, "More and more companies are getting requests for FISMA control assessments." FISMA, a regulation built for federal agencies, holds executives at those agencies responsible for the security of their data and accountable for implementing security controls that meet minimum security requirements.

A discussion on the virtues of FISMA couldn’t be more appropriate. It’s clear that businesses need to do more to fight cyber attacks and to better protect their businesses and customers, preventing huge losses in the process. A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail, for example, more than doubled from 2013 to an annual average of $8.6 million in 2014.

The Top Three Things to learn from FISMA

By following general FISMA guidelines, organizations can help bolster the security of their enterprise within the following areas:

Policies and Procedures:
FISMA can help organizations establish the policies and procedures designed to reduce information security risks in a cost-effective manner. This can often include building routines for assessing cybersecurity that bolster an organization’s information security health throughout the year. Part of this proper regulatory planning includes periodic risk assessments that evaluate the potential damage and disruption caused by unauthorized access, and procedures for detecting, reporting and responding to security incidents.

Training and Awareness:
Security awareness training for employees is a crucial element of proper enterprise security planning. Topics covered should include security risks associated with day-to-day activities, and start with the basics such as the definition of the security roles and responsibilities, and users’ responsibility for complying with policies and procedures.

Testing and Evaluation:
FISMA does a good job of singling out the need for an organization to perform effective analysis on information security policies, procedures, practices and controls. The frequency of these tests depends on the risk level of the organization, but they are most commonly conducted annually.

Another best practice is to use technology for process automation and threat monitoring. Automation and centralized reporting tracking tools can increase the efficiency and quality of an organization's cybersecurity platform, not to mention the compliance efforts. This viewpoint on automation helps eliminate several manual reporting steps and leads to a reduction of redundancy.

Regulations are rapidly becoming an important part of cyber planning for organizations not traditionally impacted by compliancy, but which are very interested in becoming more secure. When used and understood properly, cyber regulations can help an organization new to cybersecurity build the foundation of a sound IT security platform that can help avoid headaches now and in the future.


A necessary but relentless focus on regulatory compliance in the cybersecurity community may be shifting resources away from more complex threats. Although organizations focused on checking the compliance box are more likely to address the foundational solutions necessary in building a cybersecurity framework, this approach can also lead to a false sense of security.

The Ponemon Institute and Lockheed Martin recently surveyed 678 IT security leaders within the United States. The surveyed respondents were security practitioners familiar with their organizations’ defense against cybersecurity attacks and responsible for directing cybersecurity activities.

When asked about cybersecurity business priorities, compliance was rated the number one cybersecurity business priority (above confidentiality, interoperability, integrity and availability). The challenge with this common response is that compliance does not necessarily equal security. 

Achieving compliance provides organizations with a foundation from which to start becoming secure. But there are ways they can be compliant and still remain vulnerable. For example, you can have a solid maintenance log to comply with a regulation or policy. However, how will that log be used to proactively defend infrastructure? Within the Utilities industry it’s one thing to comply with the NERC CIP requirement to map all networkable operational technology. However, what good does that do when protecting IP if you don’t actively monitor those devices for potential breaches?

A focus on compliance as a top priority may cause an unbalanced view of the controls and the vulnerabilities of a cybersecurity model. This, in turn, can prevent organizations from combating the most critical facet in risk management: the threats.

This unbalanced condition often results in a focus on incident response versus threat intelligence within the analyst realm. Threat intelligence is a critical element to an effective cybersecurity platform because attacks are ultimately caused by people, who are often unpredictable, non-constant and creative in their tactics. 

5 Tips on How to Achieve Compliance and Security

Compliance is an important aspect of cybersecurity and it should be a priority. The focus on protection, however, should be to measure compliance’s effectiveness rather than mere achievement of compliance. Below are five tips for achieving compliance and security:

  1. Map your environment. Situational awareness is important, both inside and outside of the network. A common tenet of a majority of regulations is asset mapping. How much Operational Technology do you have? How much IT? Which assets are networked?

  2. Perform due diligence. The comprehensive security analysis of many companies often ends at the door of the vendors and partners they work with. Yet vendors are often softer targets that attackers can exploit to gain access to your intellectual property (IP). Close this gap by working with your vendors to ensure that they remain not only compliant but also secure.

  3. Share, share and share. Vigilance is the key to thwarting the most common threat to your network: the insider threat. A disgruntled employee or unauthorized person with some level of credentials looking to get behind the firewall and access your IP can be devastating. The key to stopping this is sharing information outside the IT department and training employees on how they can help spot and stop cyberattacks.

  4. Eliminate redundancies. Proper cybersecurity involves a lot of analysis. It’s easy to fall victim to analysis paralysis and generate redundant analytic results. Stop this by inventorying your reports, flagging redundancies and removing reports that take up space and add little value.

  5. Use compliance as a guide. Compliance is a way to start building your cybersecurity footprint. It’s also a guide for maintaining a proactive cybersecurity approach. By adding the elements above with Intelligence Driven Defense®, your cybersecurity platform will grow beyond compliant and into the realm of the truly secure.

A functionally integrated cybersecurity platform places threats at the forefront. Architects, engineers and analysts adhere to a common methodology that incorporates threat analysis and threat intelligence across systems and processes. A threat-driven cybersecurity platform, tailored to fit with a compliant infrastructure is the combination that best ensures security in a strategic, tactical and operational manner.



Each year, the Internet of Things (IoT) makes strides towards transforming industries. IoT, sometimes known as the Internet of Everything (IoE), refers to physical devices that are placed on the Internet by installing wireless sensors on them. You see a lot of IoT in the consumer world, most commonly in home devices such as alarm systems, thermostats and electrical sockets to control lights remotely. Most of these devices are accessed by apps on your mobile device.

Within the last couple of years, IoT has slowly started to enter other markets. Sectors like healthcare and manufacturing are quickly learning about its potential value, particularly when combining IoT with business process management (BPM) programs. At face value, the benefits of this integration seem limitless. Real-time data analytics, immediate social and mobile capabilities for otherwise static and often hard-to-reach devices, and the ability to pair business-facing operations like inventory control and automated supply-chain capabilities with real-time consumer demand create a list of desired capabilities that is almost too appealing for any C-level executive to resist.

But how safe are these devices? What can your organization do to protect itself from the danger associated with IoT? In past blogs you’ve heard us talk about the potential challenges of integrating Information Technology and Operational Technology. In many ways, this is very similar. On one hand you have a physical device, like an alarm system, which was built to interface with a live person, and therefore the device was designed from the ground up with accessibility as its core, data integrity as its next most important component, and confidentiality of data as the third priority. By integrating a sensor for wireless access, you’re now effectively opening the door to hackers by providing accessibility to a device that was not built primarily to protect the confidentiality of its data.

According to Earl Perkins, research vice president at Gartner,

“The power of an Internet of Things device to change the state of environments and of itself will cause chief information security officers (CISOs) to redefine the scope of their security efforts beyond present responsibilities. IoT security needs will be driven by specific business use cases that are resistant to categorization, compelling CISOs to prioritize initial implementations of IoT scenarios by tactical risk. The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security.” – Gartner

The Gartner article goes on to predict that by 2020 the installed base of "things" that make up IoT, excluding PCs, tablets and smartphones, will grow to 26 billion. That’s a huge leap from the estimated 0.9 billion units in 2009.

Despite the prospective issues associated with IoT from a security standpoint, there are two major steps that your organization can take to mitigate the cyber threat of the technology.

1. Map and know your environment

One of the dangers with IoT is the idea that they will proliferate on networks to a great degree, which will make it difficult for organizations to keep track of them, even as they take on increasing responsibilities. Once you lose track of how many you have, then you have an issue. This is a similar problem with IT and OT integration, especially within the utilities industry, because organizations lose track of how many IT-OT enabled devices they have and spend a lot of time just mapping their environment and trying to catch up. Industrial Defender not only offers the capability for your organization to better map these technologies, but also provides a snapshot from a centralized dashboard and portal. You can't fix what you don't know about, so this mapping is a vital first step, as well as an ongoing one, before anything else can be accomplished.

2. Assess and plug vulnerabilities

Once your environment is mapped, assessing which set of IoT devices are specifically dangerous and building an approach to plugging their vulnerability can go a long way in defending from potential future attacks.

IoT is here to stay, and its implications for business and CISOs, both good and bad, are still being determined. What is known, however, is that by mapping, assessing and addressing known vulnerabilities, you can go a long way to protecting your network.


A discussion with Mel Greer, Senior Fellow and Chief Strategist at Lockheed Martin

In the last two years, IT security breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers and even the Postal Service. With the New Year upon us it seems fitting to take a moment and assess the state of the cyber challenges ahead and potential strategies to surmount them.

For this post I turned to Lockheed Martin’s Senior Fellow and Chief Strategist, Melvin Greer (M) to discuss the high level statistics every CISO should be considering:


C: Describe the overall state of cyber security in the US.

M: This year has brought big news, significant changes and increased awareness of the evolving cyber-threat landscape. From a threat landscape perspective, we have seen some important developments.

Let’s start with the stark realities:

  • Credit and debit cards are among the most commonly breached credentials, together representing 62% of all information breaches
  • In the healthcare industry, there were almost 2 million people affected by medical identity theft in 2012. They incurred about $12B in out-of-pocket costs due to these thefts.
  • In higher education, 50% of colleges and universities allow for the unencrypted transmission of sensitive information over email. 25% of these institutions actually advise applicants to send personal information via unencrypted email to admissions and financial offices
  • In the communications industry, less than half of all mobile device owners use security software on their devices. There are over 1M malicious and high risk apps on the market today that target the Android platform
  • Retail websites are the #1 target for hackers

C: What are the biggest threats?

M: Multiple new digital battlefields have emerged including critical infrastructures, Cloud Computing, Social Networks, Big Data and the Internet of Things.

9 out of 10 intrusions involve the following patterns:

  • POS Intrusions
  • Web App Attacks
  • Insider misuse
  • Physical Theft/Loss
  • Miscellaneous Errors
  • Crimeware
  • Card Skimmers
  • DoS Attacks
  • Cyber-espionage
(Also see Verizon 2014 Data Breach Investigations Report)

C: How can the enterprise protect themselves?

M: The evolution of cyber threats requires a new leadership approach, given that no matter what the security solution is to an existing problem, the problem itself will evolve and the leadership strategy driving the security solution must evolve with it.

Key first steps include:

C: What should individuals do to protect themselves?

M: Individuals’ actions and their subsequent education are directly tied to the strategy of the enterprise they are aligned with. We know that threat sophistication has significantly changed; attack vectors, propagation methods, and even the ultimate objectives of the attacker have evolved.

It’s imperative that individuals become actively engaged in protecting their data.

  • Use personal anti-virus and firewall security on all personal devices
  • Always use strong passwords (greater than 8 characters, upper & lower case, number & symbol)
  • Do not click on links embedded in emails regarding financial transactions from banks, merchants or other sensitive parties.
  • Always go to the respective party's site by directly entering the URL in the browser in order to avoid phishing scams.
  • Employee awareness and training programs

In our experience most organizations find themselves woefully behind in implementing what they arguably know to be best practices. Perhaps the first step to take is collaboration. Talk with your peers and leading vendors in the space to get a more accurate picture of the threat facing your industry.

For more cyber security insights from Mel Greer register for his upcoming webinar on cloud security:

Understanding the Cloud Computing Threat Landscape


The “consumerization” of business technology is a relatively recent trend that continues to pick up speed. Defined as the introduction of consumer technology within the corporate environment and for the use of work activities, the consumerization of business technology is best reflected in policies such as Bring Your Own Device (BYOD), which have become prevalent in most corporate environments.

As this trend continues to grow, the need to plan and deal with BYOD from the level of Chief Information Security Officer (CISO) and even Chief Information Officer (CIO) has been augmented to include home or personalized applications. Now, Bring Your Own Application (BYOA) is becoming a focal point in the IT security planning of many organizations.

These trends are natural. In many ways, our place of work is much like our home. We personalize our office spaces and socialize with our colleagues, and in recent years the corporate infrastructure has been changing to reflect this consumerization. BYOD and BYOA have become natural parts of the consumerization ecosystem, from the introduction of social media within organizations to improve collaboration to the migration toward cloud for business services—including an emphasis on accessible and consumer-like product and service tracking.

At the end of the day, all of these services and all of this consumer integration are focused around one greater need—the ability to provide end-users with mobility. Tech-agnostic computing, or the ability to work from any device at any time, is here today and not going away any time soon. So how should organizations react?

If your company is going to permit BYOD and BYOA, and allow teams of employees to integrate their own personal applications with corporate data, it becomes important to set expectations, produce procedures and rules, and explain those policies and regulations to your employees. This approach to protecting your enterprise must start with answering some basic questions:

  • How do we detect when people are conducting nefarious activities?
  • Do we have the proper monitoring currently on our network?
  • Do I have the controls in place?
  • Do my employees have proper authentication and application protection around BYOD?

These questions are important to answer before addressing the Mobile Device Management policies of your organization. Whether you have smartphones, tablets, or laptops in the workplace, you have an organized approach toward deploying, securing, monitoring, integrating and managing these mobile devices.

It’s also critical to answer these and other questions when addressing information management policies around the use and protection of intellectual property. This includes examining application security and control.

When these policies and procedures are established, it then becomes important to address user and device authentication. At this point, you begin to ask additional questions: How will a user authenticate on premise versus remotely? Can we track when they’re local versus remote? How will mobility impact the security?

Finally, data loss prevention becomes a crucial element in determining if sensitive data is on a mobile device. Once that capability is determined, you can begin to explore how to continue to protect it.

Mobility and the disruptive technologies fueling this trend, such as BYOD and BYOA, can be daunting from a CISO and CIO level. We know it’s here to stay. We also know that new mobile technologies continue to proliferate at alarming rates. Answering these seemingly basic “block and tackle” questions first can give your company a solid footing that will enable you to weather any BYOD or mobility-related storm.


Last week, we looked at the second of three oil and gas deep dives when we examined the role that operational technology and information technology play within this sector.

Specifically, we addressed the challenges in protecting IP in oil and gas since accessibility of data is such a crucial element within this industry. IP provides the competitive advantage that sets each company apart from others in a highly integrated industry. It also helps oil and gas companies better understand the current environment to deliver better future results.

The challenge with IP in the oil and gas sector is determining how to best keep the IP safe, yet accessible to those that need it. Industrial Defender and Lockheed Martin, its parent company, have approached this challenge by successfully combining the IT and OT landscapes. The result is a robust solution towards IT and OT security that includes people (e.g. training), the processes (e.g. policy and procedures) and the technology to address modern security challenges.

However, there’s more that the oil and gas industry can do to improve its cyber maturity and cyber capabilities. One suggestion is to examine whether oil and gas companies can take an approach towards cyber security that in some ways mirrors their Health, Safety and Environment (HSE) policies. To better explain what I mean, let’s take a brief look at HSE.

The oil and gas industry always carries the dangers associated with dealing with a combustible element in extreme and often remote conditions. Add to those dangers the often unpredictable nature of sociopolitical events with the often inclement weather of drilling locations, and the very nature of finding, transporting and refining oil and natural gas becomes daunting.

Losing money by drilling into a dry well, while damaging to the revenue stream, appears less drastic when compared to the damages incurred in any one of the major disasters that occurred over the last 30 years. If something goes wrong in this industry, it puts lives, local habitats and even global economies at risk.

That’s one of the key reasons why this industry has led the implementation of HSE as an organizational pillar that is universal in this sector. Few industries triage and escalate prospective HSE near misses for the purpose of predicting incidents with the same thoroughness as oil and gas companies. Fewer private sector companies promote the value of such seemingly innocuous acts as holding the handrails when climbing or descending stairs, or making sure to start each presentation with a safety slide describing the precautions or actions attendees must know about in the event of an emergency.

In oil and gas, cyber attacks carry the risk of slowing, if not outright stopping, production. But because they also have the potential to become critical safety issues, cyber security should be addressed within this industry in a similar way to HSE. Cyber incidents and IT near-misses, regardless of how benign or innocuous they sound, should be recorded, monitored, tracked and forecast universally within this industry.

Only then can oil and gas companies begin to forecast their potential security issues and gaps, mitigate the cyber attacks that do occur, and stop others well before they can do any damage.


How can the Oil & Gas industry translate their disciplined approach to health, safety, and the environment (HSE) to cybersecurity?

Find out how an integrated and intelligent approach to energy industry cybersecurity can help your organization move towards a more stringent application of cybersecurity.

Download the whitepaper Cybersecurity in the Oil and Gas Industry
