In the beginning of March on Linkedin there was some discussion of FUD and some advice for vendors and consultants.
I quote:
„FUD is not helpful.
1) Avoid words & phrases like “Sophisticated Attack”
or “Nation-State” if you are a vendor / consultant trying to build a business case with asset owners.
2) Please double check the security knowledge level of the audience/attendees before spouting any jargon – XDR, SIEM/SOAR, SOC, ZT etc.“ – unquote.
The first time I read the advice I started to nod my head, but soon said to myself, „wait a minute“. Ok, I can agree with checking the knowledge of the audience in advance before explaining something. I have been making presentations on Industrial Cybersecurity for the last 13 years and always make a point of asking the organisers for a list of attendees and where they come from to help me tailor the presentation for that particular audience.
However, in speaking to asset owners about cyber threats I would not avoid the words „sophisticated attack“ and most of all I would not shy away from mentioning the threats that come from nation states, especially those that target critical infrastructure. The word „sophisticated“ is a bit vague, a more appropriate term is Advanced Persitent Threat. The APT is another way of describing a nation-state supported threat actor. One that has the skillsets needed to attack the target, the resources of finance and intel to prepare and carry out an attack and patience. Most telling characteristic is the ability to deny it all and go on uninhibited to improve on the next strike. If one follows the events of the past 13 years 3 APT‘s of nation states first come to mind (there are many others): one took away from the operator the view and control of a nuclear enrichment facility causing physical damage to centrifuges[1], another took away the view and control of a power grid from the operator putting a ¼ million customers in blackout[2], and the 3rd is notorious for cyber espionage and famous for breaking into networks and stealing military industrial secrets and intellectual property[3].
Why should these terms APT and nation-state be used by the vendor or consultant? Very simple for by considering the APT threat, it will inform the work required to improve safety and reliability of the technologies used to monitor and control processes governed by the laws of physics and chemistry. Those that result in vital services to the economy, national security and well being of society. I have in mind those that come from power grids, fuel pipelines, heating, water supply and transportation systems. If we do not know the skill sets that are out there we can make serious mistakes if we only think ransomware and poisoned email attachments are what to defend against. We must not limit ourselves to defending against cybercrime and ransomware in the office IT and network environment. Nor, should we only be developing, unless one is selling or consulting to a school or office, products and giving advice applicable to only that environment. If we do then we will be leaving some industiral clients to experience big surprises. There was no cybercrime or ransomware involved when the safety systems of a petrochemical plant in the Middle East tripped twice causing expensive emergency plant shutdowns. Neither the manufacturer of the safety system nor the asset owner‘s IT department had any clue that their plant was compromised months earlier by a cyber intruder[4]. I often refer to this problem of evaluating threats and mitigating measures by referring to the children‘s story of the „3 Little Pigs“ who were faced with the same questions. Pig 1 and 2 decided that the threats came from the wind and the rain respectively and built their homes accordingly. However it was only the 3rd pig that correctly evalauted the possbile threats and included the possibility of the wolf which was mitigated by a house built with brick.
Vendors, consultants and asset owners should understand that a vendor’s solution is no substitute for an asset owners cybersecurity program. One that includes an understanding of what needs to be protected and an estimation of the kinds of threats (not just cybercrime and ransomware) that need to be evaluated. Once the asset owner has done this homework they are ready to implement the “how” solution with an informed decision on what vendor product or service is required for the program. It also helps if both the vendor, consultant and asset owner share the awareness of all relevant threats in their cyberspace environment. Team building leading to productive and effective collaboration becomes possible.
Yes, FUD is a real problem that can divert attention from where it is needed and like the story of „Chicken Little“[5] result in a potentially fatal dropping of ones gaurd to what can hurt us. It should not be used by a vendor or consultant as a quick and easy way to make money. In the end this behavior will hurt the industry and community by diverting work from where it is needed and in adding another dissilusioned customer who may not take cyber concerns seriously again.
The biggest problem we face however, in my opinion, is avoiding what is called a Cyberg. There is a web site which provides several definitions of the term which is derived from the words „cyber“ and „iceberg“[6]. I like the 4th definition: „A cyber-related condition whereby a threat, or warning of a possible threat, results in either the misinterpretation or misunderstanding of a given situation, resulting in a decision in which no corrective action is taken.”[7] This comes from the example of the crew of the Titanic who on that ill fated night in April 111 years ago chose to ignore reports from other ships that there were icebergs in the area[8]. Since 2010 we have been warned several times of these APT threats that are targetting physical processes found in critical infrastructure. Unfortunately these reports do not get the attention that a ransomeware attack on the IT department of an asset owner will get. Let us learn from earlier mistakes, become aware of what is going on in cyberspace and take the right action. In the end we will have the best chance to improve the safety, reliability and resilence of those technologies our societies and each of us depends on everyday.
Thanks.
[1] https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
[2] https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01
[3] https://www.mandiant.com/resources/reports/apt1-exposing-one-chinas-cyber-espionage-units
[4] See Julian Gutmanis, Triton – A Report From The Trenches https://www.youtube.com/watch?v=XwSJ8hloGvY
[5] https://interestingliterature.com/2022/02/chicken-little-folk-tale-summary-analysis/
[6] http://cyberg.us/
[7] Ibid.
[8] https://www.nationalgeographic.co.uk/history-and-civilisation/2022/04/despite-the-warning-iceberg-right-ahead-the-titanic-was-doomed
Source of the discussion. Thanks to Vivek Ponnada for starting an intriguing discussion. https://www.linkedin.com/posts/1ot_fud-is-not-helpful-1-avoid-words-phrases-activity-7036774393796067328-HJsc?utm_source=share&utm_medium=member_desktop
