Only three days into our shiny new decade and we saw the takedown of a political strongman in Iran, an uptick in nation-state cyber (and other political) activity, and then a brief stand down from heightened alert warnings. And now Iranian leadership is blaming the US for Iran’s launch of a surface-to-air missile that downed a Ukrainian Air Lines jet with 176 non-combat people on board on January 12. It feels to me as though we are stuck in a tragic time loop, a non-comedic parallel to the 1993 movie, Groundhog Day, in which the main character relives events until he slowly grasps the inevitability of consequences and takes remediatory (redemptive?) action.
We often fall into a similar, circular behavior pattern with cybersecurity program implementation, taking a wait-and-see approach, looking for shadows and signs to determine whether we really, really need to adopt basic recommended security controls. Will the groundhog see its shadow and go back in the hole for another six weeks? Will DFARS 7012 compliance be based largely on the 110 NIST SP 800-171 security requirements, even when the final version of DoD’s Cybersecurity Maturity Model Certification details are published? All signs point to yes. And the recent DHS cyber warnings, triggered by concerns about Iranian retaliation and cyber saber-rattling, also point to a “yes” for implementing a solid system security plan (SSP), corrective plan of action and milestones (POAM), and incident response and recovery plan (IRP).
Iran has a highly sophisticated cadre of cyber professionals, some of whom have reverse-engineered the Stuxnet malware that compromised some 1,000 centrifuges in Iran’s Natanz nuclear enrichment facility in 2010. The original malware gave the world a disturbing look into the power of digital tools to disrupt critical infrastructure managed by industrial control systems. Learning from the Stuxnet malware contributed to the development of Triton malware (used against a Saudi Arabian target in December 2017), which targets industrial control systems (ICS) in production equipment and, more specifically, the automated safety mechanisms that protect human machine operators against physical injury and even death.[i] Concern that Iran could deploy some form of cyber retaliation against US manufacturing assets follows logically.
Manufacturers have to balance investment in cybersecurity controls against investment in plant equipment and personnel. More information about how to protect ICS devices is available in NIST SP 800-82 Rev. 2.[ii] NISTIR 8228, published by NIST in June 2019, is a higher-level look at managing the Internet of Things (IoT) and is the first of a planned series of documents that focus on how to manage internet-enabled devices across a range of environments.[iii] The key objectives cited in the latter document are the following:
- Protect device security (so it cannot be misused to launch DDoS or other attacks, nor sabotaged to endanger human physical safety).
- Protect data security (so that confidentiality, integrity, and availability are supported).
- Protect an individual’s privacy (as is more relevant in home and office environments).
Key control measures for protecting IoT and IIoT (industrial internet of things) devices include familiar next steps:
- Define perimeter security. Establish protected boundaries around the organization through the use of well-tuned firewalls, hardened wireless access points (e.g., a corporate wireless network for pre-registered devices), and physical access controls.
- Build a layered network architecture. Segment organizational networks so that functionally distinct components (e.g., operational technology devices versus information technology devices) cannot interconnect.
- Implement multifactor authentication. Identify and authorize individual persons, devices, and systems that have a valid need to access a protected device and the data it contains by using a robust combination of at least two of the following three access control mechanisms: something you know (e.g., a strong password of 12-plus characters), something you have (e.g., a security token), or something you are (e.g., biometrics).
- Perform—and validate—regular data backups. Scheduling regular data backups is imperative as a counter to potential ransomware threats, extended power disruption, equipment failure, and so forth. And remember to validate that backups were successful and usable! During a recent panel discussion hosted by a Colorado ISSA chapter, CISOs warned that attackers are looking to compromise backup files. Make sure what you keep is what you want!
- Check environmental controls. The possibility of a cyberattack against critical infrastructure suggests that the security of physical environments should be validated. Protect high-impact business assets against power surges. (Alas, I failed to follow this one for my MacBook Pro and a power surge fried its circuit board; not good).
- Work through the NIST SP 800-171 security requirements. A solid system security plan (SSP), plan of action and milestones (POAM) to address control gaps, and incident response and recovery plan (IRP) show evidence of organizational due diligence with respect to practicing reasonable cybersecurity.
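The "validate your backups" step above, as an added example in Python that is not code from the original post: it archives a directory, records a SHA-256 manifest, then proves the archive restores intact and catches an archive whose contents were altered after the manifest was taken. The directory and file names (plant-data, recipes/line1.cfg, hmi.log) are constructed sample input.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src as .tar.gz; return {relative_path: sha256}. Keep the manifest
    off-host in production so whoever alters the archive cannot also rewrite it."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    return manifest


def validate_backup(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and re-hash every file in the trusted
    manifest. Returns the problems found; an empty list means a usable backup."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # The "data" extraction filter (where available) blocks path traversal.
            kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kw)
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"altered: {rel}")
    return problems


def demo() -> tuple:
    """Validate a clean backup, then one whose hmi.log changed, against the trusted manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "plant-data"  # constructed sample input, not real data
        (src / "recipes").mkdir(parents=True)
        (src / "recipes" / "line1.cfg").write_text("setpoint=72\n")
        (src / "hmi.log").write_text("boot ok\n")
        manifest = make_backup(src, Path(work) / "backup.tgz")
        clean = validate_backup(Path(work) / "backup.tgz", manifest)
        (src / "hmi.log").write_text("boot ok\nunexpected edit\n")  # simulate tampering
        make_backup(src, Path(work) / "tampered.tgz")
        return clean, validate_backup(Path(work) / "tampered.tgz", manifest)
```

A restore test like validate_backup is what turns "the backup job ran" into "the backup is usable"; the manifest it compares against must live somewhere the backup host itself cannot overwrite.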
Does this look and sound familiar? There is a sense of déjà vu—been there, done that; ring in the old and ring in the [not so] new. It’s time to shield ourselves from anxiety caused by cyber saber-rattling. My personal resolution is to work through the above in time for this year’s numerically palindromic Groundhog Day: 02.02.2020.
What’s your 2020 cybersecurity resolution?