February 08, 2022
Cyber Risk

How to protect your crown jewels: Quantifying risk within Critical Infrastructure

We haven’t seen the equivalent of a nuclear disaster in cybersecurity… yet. When it happens, bet your money that it’ll hit critical infrastructure. It’s the jackpot hack for any APT group: arguably the equivalent to a successful heist on the crown jewels. Why? Attacks on our industrial control systems, healthcare centers, telecommunication providers, global financial markets, power plants have the potential to cripple national security and international trade. So why are we holding back on cybersecurity and mitigating such catastrophic risk?

Technological advancement and the rapid rate of digitalization outpaces the ability to counteract risk across critical infrastructure providers, yet security teams are not always heard when they take this risk to the table. The result? Unmitigated and often undiscovered vulnerabilities that expose systems to exploitation. Is there a solution?

A lack of visibility is clouding cybersecurity.

Increasing complexity in systems inevitably leads to the greater complexity of risk, making it harder to visualize, understand, and mitigate. A poignant event was the attack on SWIFT messaging infrastructure back in 2015 when Banco Del Austro (BDA) lost $12.2m. BDA filed a lawsuit against Wells Fargo for failing to flag fraudulent transactions as suspicious, whereas Wells Fargo blamed the security policies of BDA. All of this whilst a senior spokesperson for SWIFT announced to the press that SWIFT wasn’t actually made aware of the attack.

A more recent example in another sector is the Colonial Pipeline ransomware attack. Catastrophic in its repercussions, it extended beyond a couple of hours because there was limited understanding of how extensive the breach was, forcing them to shut down their operations to assess more thoroughly. Cybersecurity experts note that Colonial Pipeline would never have had to shut down if it had more confidence in the separation between its business network and pipeline operations.

APTs seek to take advantage of flaws and vulnerabilities across the enterprise and attempt to maximize impact with relatively little effort through ‘one-to-many’ database compromises. Cloud computing has opened up a new realm of possibilities for exploitation as companies are moving away from the use of physically isolated servers secured with lock and key, to being hosted virtually and accessible via cloud access. The Internet of Everything has had a direct impact across all enterprises replacing physical doors with virtual ones - increasing the complexity of visualizing security risk.

An article by BBC reports, "Today we want to do analytics and predictive maintenance in our power plants, but the proliferation of smart devices and sensors and IoT is increasing our cyber-exposure to attack. In many cases, organizations don't even know what is connected to the internet and what hackers can access."

Threat actors are taking full advantage of this with vast and devious TTPs:

  1. Employee social media reconnaissance
  2. Purchasing ransomware toolkits from the deep and dark web
  3. Leveraging cloud misconfigurations to move laterally within connected systems and networks
  4. Targeting efforts towards the most vulnerable vendors

… nothing is off the table.

This is why visibility is key to keeping attackers at bay. Without it, it’s only a matter of time before an incident is the next big headline breach.

What visibility looks like

To gain true visibility of risk across an enterprise, Critical Infrastructure companies need to look beyond physical and on-premise risk. Key vectors to monitor and manage include:

  1. Employee workforce risk
  2. Third, fourth, and nth parties (not just your vendors, but their vendors, too)
  3. The native technology stack
  4. Any compliance or regulatory frameworks
  5. Internal policies and processes

Modern cyber risk management is point-in-time, siloed, and creates more noise than provides solutions. Douglas Hubbard, inventor of the Applied Information Economics method and Safe Security’s advisory board member, comments, “While there is a slew of new products emerging to help security and risk management leaders better understand their organization’s cyber risk, many are still based on disproven methods.”

This begs the question every CISO needs to answer: Which cybersecurity risk is the most threatening, be mitigated using the most suitable resources, and how urgently?

The light at the end of the tunnel: Move beyond a mindset of detection to a mindset of prediction

Detection and response only kick in once an incident is well underway. This has seen the advent of threat prevention and threat hunting, which only moves us so close to the solution. What organizations can take solace in is that they’re already collecting the data they need to help build their best defense.

Moving to a mindset of prediction means moving from collecting and analyzing risk, to quantifying risk. In practice, this means being able to visualize and understand the level of risk associated with five key vectors across the enterprise - people, process, technology, third (nth) party, and cybersecurity products. Once you have identified the risk, you can prioritize the risk. The result? You’re removing guesswork and allocating your time, talent, technology - your budget - to the risks that could result in the most damage to your organization.

Cyber risk quantification is perfectly positioned to provide both public and private entities with the proactive knowledge to make the right move. It is also unique amongst other cyber risk management practices as it defines cyber risk in financial terms by providing the dollar value impact of a potential breach. It helps leaders determine the level of risk they are able to absorb/accept, reduce, or transfer. When a business is aware of the risk, it can make more intelligent choices on security.

Adopt Cyber Risk Quantification for a safer digital future

    There has never been a better time to adopt cyber risk quantification. We have a wealth of key resources to help you learn how to measure, manage, and mitigate cyber risk in real-time.

    1. Find out how we helped Molina Healthcare, a Fortune 500 healthcare provider, to protect their digital assets and patients’ personal health information.
    2. Get your 25-point checklist for effective third party risk management and find out exactly how your vendors affect your cybersecurity posture.
    3. Get your copy of our report on how cyber risk quantification can help your financial services organization avoid data breaches.