We’ve always said that there are two kinds of organizations: those that have been hacked, and those that don’t know they’ve been hacked. Yet security teams still struggle to get resources and attention from business stakeholders, particularly in industrial companies that treat IT and technology as a back-office problem.
Over my career I’ve worked in manufacturing, energy, utilities, oil and gas, and other similar industries. One thing they all have in common is a focus on accident avoidance and safety – that is, on how to fail gracefully. That’s why they have a safety briefing before every meeting on where to evacuate in case of a fire, or a safety minute with a thought for the day, or even those ubiquitous signs reading ‘100 days since our last injury’. The constant focus on safety has had amazing results: business can now do dangerous things with much lower risk. Yet many CISOs in those industries struggle to make cyber security a high priority.
Often the OT folks won’t let IT touch the environment, which is unfortunate because it’s often riddled with insecure IoT devices, outdated and unpatched machines, and even modems still hanging off industrial equipment running pcAnywhere for dial-up maintenance by third-party providers. Discussions of hacking and cyber risk just don’t resonate much with someone running an offshore platform or a manufacturing line. So how do we get their attention? Change our vocabulary.
We need to talk not about cyber security but about cyber safety: to speak the industrial language and describe risk not as ransomware or data exfiltration, but as plant downtime, risk to life and safety, generator outages, line stoppages, and so forth. It’s getting traction, and in the process we’re learning from our peers. For example, we were talking with a line operator about the risk of someone hacking in and changing the computer to speed up the line (a theoretical risk) in an attempt to crash it. He shared that there are multiple control points (aka defense in depth) against it, including a purely mechanical control that rate-governs the equipment to give an operator time to intervene manually.
Then he turned and asked me why we didn’t have a rate governor around our critical data (e.g. on the database itself), so that if someone does hack in, they can’t get the information out all at once, giving the SOC time to intervene.
Hmmmm. He’s on the cutting edge with that – there’s some early stage architecture work being done but it’s hardly widespread. Yet to him, it’s pretty obvious.
Because a system isn’t safe unless it can fail gracefully. That’s just one example of where the safety mindset can help our security programs, as much as we can help theirs. We just need to start speaking the same language. Cyber Safety has a nice ring to it.
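To make the operator’s idea concrete, here is an added illustration (my own example code, not anything from the post or from a product): a rate governor in front of a sensitive table, implemented as a per-principal sliding-window budget on rows returned. Normal paging stays inside the budget; a bulk pull first trips an alert to the SOC at half the budget and is then cut off, so the data can only leave at the governed rate while people respond. The class name, the thresholds and the simulated access pattern are all assumptions chosen for the demonstration.

```python
"""A 'rate governor' for sensitive data access.

Added example, modelled on the mechanical rate governor described by the
line operator: it limits how many rows a principal can pull from a
sensitive dataset per time window, alerts the SOC once a fraction of the
budget is consumed, and stops granting rows when the budget is exhausted.
Thresholds and the simulated traffic below are constructed values.
"""
import time
from collections import defaultdict, deque


class DataRateGovernor:
    """Sliding-window limit on rows of sensitive data per principal."""

    def __init__(self, max_rows, window_seconds=60, alert_fraction=0.5,
                 clock=time.monotonic):
        self.max_rows = max_rows                    # hard budget per window
        self.window = window_seconds
        self.alert_at = int(max_rows * alert_fraction)  # soft threshold
        self.clock = clock                          # injectable for testing
        self._log = defaultdict(deque)              # principal -> (ts, rows)
        self.alerts = []                            # (ts, principal, rows) for the SOC

    def _rows_in_window(self, principal, now):
        """Drop entries older than the window and sum what remains."""
        q = self._log[principal]
        while q and q[0][0] <= now - self.window:
            q.popleft()
        return sum(rows for _, rows in q)

    def request(self, principal, rows_wanted):
        """Decide a read request.

        Returns (decision, rows_granted). Only the rows that still fit in the
        budget are granted, so a bulk dump is slowed to the governed rate
        rather than served in one go. decision is 'allow', 'alert' (granted,
        but the SOC is notified) or 'block' (partially or wholly refused).
        """
        now = self.clock()
        used = self._rows_in_window(principal, now)
        remaining = max(self.max_rows - used, 0)
        granted = min(rows_wanted, remaining)
        if granted:
            self._log[principal].append((now, granted))
        total = used + granted
        if granted < rows_wanted:
            decision = "block"
        elif total >= self.alert_at:
            decision = "alert"
        else:
            decision = "allow"
        if decision != "allow":
            # In production this would page the SOC; here we just record it.
            self.alerts.append((now, principal, total))
        return decision, granted


class FakeClock:
    """Deterministic clock so the simulation is reproducible offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_bulk_dump():
    """Constructed traffic: normal 50-row pages, then a 400-row-at-a-time dump."""
    clock = FakeClock()
    gov = DataRateGovernor(max_rows=1000, window_seconds=60,
                           alert_fraction=0.5, clock=clock)
    decisions, granted = [], []

    # Six normal pages, one every 10 s: 300 rows in the window, under budget.
    for _ in range(6):
        d, g = gov.request("app-svc", 50)
        decisions.append(d)
        granted.append(g)
        clock.advance(10)

    # The same principal suddenly asks for 400 rows three times in a row.
    for _ in range(3):
        d, g = gov.request("app-svc", 400)
        decisions.append(d)
        granted.append(g)

    # After the window has rolled over, normal paging resumes.
    clock.advance(61)
    d, g = gov.request("app-svc", 50)
    decisions.append(d)
    granted.append(g)

    return {"decisions": decisions, "granted": granted,
            "alerts": len(gov.alerts)}


if __name__ == "__main__":
    print(simulate_bulk_dump())
```

The governor never denies the first bulk request outright; it grants it, notifies the SOC, and only refuses rows once the budget is gone. That mirrors the mechanical control on the line: the equipment keeps running, just not fast enough to cause damage before someone can step in. In a real deployment the budget would be enforced in the data-access layer or a database proxy where every read for the sensitive table passes through it.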