Guest author Michael Assante is President and CEO of NBISE, an organization focused on improving the cybersecurity workforce. Michael’s career has included ICS security roles with an asset owner, national lab and as the CSO for NERC.
I enjoyed reading your post and offer my thoughts on the topic of technology vs. people (it is a worthwhile discussion/debate):
I agree that one of the largest problems we face is the lack of security in the design and development of Industrial Control System technology. Project Basecamp and national testing efforts has confirmed that security was not a basic requirement for legacy systems and progress has not matched the pace nor breadth at which the world is deploying automation.
People are currently at a distinct disadvantage when trying to protect and defend these systems. I would agree with you that when comparing the security challenge of ICS to other types of technology applications the norm of insecure found in the design is “the immediate problem”. I also see people as the answer in trying to compensate for this difficult circumstance in both the short-term and to prioritize security in the long-term.
It is becoming clearer that necessary security technologies have enabled adequate performance against less directed horizontal threats. Technology will continue to be an important tool for defenders, but it will not dominate our efforts, in the struggle to counter emerging cyber attacks that are highly directed or targeted. Our focus needs to include enhancing the competencies of defenders and changing the behaviors of how people interact with and through technology.
It is as you stated, progress is required on all three fronts (technology, process, and people), but realize that humans will fail to implement technology properly, execute practices reliably, and can always find ways around even the best technology. The amount and extent of which they fail is something that we should be able to influence in the positive direction. As for the attacker’s role I offer that people have a propensity for creativity and a knack for filing in the holes of another person’s imagination.
While I agree on the importance of practices/procedures, I would argue that they are situational in their relevance and will need to be adjusted and changed often. The nature of the cybersecurity problem is a dynamic one. How a system is compromised and attacked has evolved and optimized for success with the least expenditure of effort and energy.
I would also contend that if we were able to change the security nature of ICS technology (an important step to strive for and achieve) that it is but a single dimension measurement. One can assess technology, it has its place and importance, but it cannot be the only assessment. I would argue we are inclined to reduce the challenge of cybersecurity to an assessment of technology. These assessments do not provide the entire picture as the role of people can be undervalued or abstracted. Attackers are people after all (although we might not like them much), and they are co-adaptive in nature, that is to say, they will compensate and adapt to the technology and practices they are facing.
While I can’t and won’t argue with the critical role technology plays in the current problem facing ICS security. I will suggest people do matter and ask that we collectively consider how to optimize this important leg of the cyber stool. For all technology begins as an idea in the minds of innovators and the building of it passes through the minds of developers. I want to echo your notion that executives need to understand cyber and go further to suggest people are important in the following ways:
- Users and administrators introduce vulnerabilities and are capable of circumventing the best security technology implemented. People’s understanding of “why” they are doing something always matters.
- Managers are instrumental in understanding the need to invest in security technologies, practices, and people (we both agree here)
- If you study attacks you realize the important role played by the attacker and the defender’s ability to tune and apply technology to detect and respond to attacks
- People design technology from a system designer, programmer to architect. The more they understand security the better they can define the requirements, follow practices, implement security, and test for it.
- There is too great of a difference between outcomes involving similar technology and involving people with different levels of competency. How a cyber attack effects an organization’s mission, over time, has a lot to do with the level of understanding and skill possessed by the defenders.
- System and process owners need to understand cyber enough to apply it to their work. In the ICS world it means asking ourselves what an operate needs to be aware of and determine how they should react to an event involving a cyber threat? Or what a system engineer should know to make better engineering decisions that account for the new found reality of cyber threats.
Divorcing humans from their role as a viable attack surface and as system defenders is a mistake. Calling for a better understanding of security and greater influence on ICS design and development is a must (again, we are in violent agreement). We should seek every opportunity to push on both the people and technology front as one shapes the other.
Image by USACE Europe District