Though device manufacturers have worked to improve the cybersecurity of their medical devices, there is still a long way to go. Improvements aside, there are distinct steps the IT information security department can take to reduce risk and improve cybersecurity for medical devices.
Some notable improvements in cybersecurity for medical devices in recent years include:
1. US Food & Drug Administration (FDA) guidance to manufacturers that operating system updates, especially to patch vulnerabilities, do not require the manufacturer to go back through the entire FDA approval process.
In the past, medical device manufacturers often claimed that they could not update or patch the operating system due to FDA requirements. Some vendors legitimately believed this, while others may have used it as a convenient excuse to avoid the hard work of updating and testing medical device operating systems.
2. Medical device manufacturers have become better able to allow anti-virus (AV) software to run on medical devices or systems.
Many medical device systems previously could not run anti-virus software for a variety of reasons. Often, the AV software misinterpreted the actions of the medical device software and would sometimes interrupt the operation of the device. In some cases, this could cause serious patient harm. Device manufacturers have been working to ensure their systems could run with anti-virus software without impacting the functionality of the device.
3. Newer medical devices use modern operating systems and some support virtualization of certain functions.
Using modern operating systems (i.e., still supported by manufacturers such as Microsoft) ensures these systems can be updated and patched, especially for updates that address new and emerging operating system vulnerabilities. In addition, being able to transition to virtual the server functions for many medical devices allows the systems to be managed using modern tools and techniques. These reduce cybersecurity risks.
While these developments are excellent, they do not address the millions of existing devices in healthcare environments today that were deployed prior to these changes being made. In every hospital and clinic today, there are thousands of devices running older operating systems that cannot be patched and that cannot be run with an anti-virus or anti-malware solution. Information security professionals need to address these devices using tried-and-true methods.
1. Segment medical devices on VLANs.
By putting all medical devices on restricted VLANs, you can ensure that only devices you specifically provide access are able to communicate across the network. While this does not protect the network from malicious control of those medical devices, it restricts the exposure of those devices.
2. Implement firewalls to secure systems that cannot be protected with other methods.
Firewalling off those devices is another important aspect of securing medical devices. When operating systems cannot be updated or patched, putting them behind firewalls with very restricted and defined access can reduce risk significantly.
3. Educate your IT staff about the importance of managing these devices (network and server) securely.
Often IT staff are responsible for managing and maintaining all servers, including those for medical devices and systems such as patient monitoring, OR systems, or Cath Lab systems. Modern systems often support virtualization so updating and maintaining these systems often falls to the IT staff. It’s critical that these staff understand the unique cybersecurity risks of these systems and are able to identify potential malicious activity quickly. Additionally, these staff need to clearly understand the operational impact of server maintenance on clinical operations to prevent potential patient harm (i.e., don’t take the OR server down while cases are underway).
4. Educate your biomedical and diagnostic imaging staff about cybersecurity, especially as it pertains to medical devices.
Your biomedical equipment technician (BMET) and diagnostic imaging staff need to be educated both on basic cybersecurity and the specific vulnerabilities of the systems they support. They don’t need to become cybersecurity experts, but they need to understand the work they do and how it impacts (and is impacted by) cybersecurity. For example, they need to understand how to securely connect devices to the network or update anti-virus software (if permissible), or to restrict access to administrator accounts on these systems. Working with your IT cybersecurity staff is a great way to cross-train both teams on this critical knowledge.
5. Educate your end users on the basics of cybersecurity and teach them potential warning signs to look for on their medical devices.
Your end users of medical devices are typically nurses and patient care techs and specialty techs (such as radiology technicians). These are the people who work with these medical devices daily, and they should be aware of basic cybersecurity risks of the equipment as well as best practices in handling these devices. Perhaps most importantly, they should understand what potential malicious behavior would look like on those devices and have a fast, easy method for reporting potential issues so that cybersecurity experts can examine and contain any potential malicious activity.
Malware on medical devices can create patient harm, including death. It can also infect the wider network and potentially take down critical systems like the Electronic Medical Record (EMR) software or business systems such as payroll or HR. Working to expand your cybersecurity team to include BMET, DI and end user staff will help reduce medical device cyber risk.
Traditionally, an organization’s Chief Information Security Officer (CISO) and Chief Marketing Officer (CMO) haven’t had significant overlap when it comes to day-to-day roles and responsibilities. The CMO focuses efforts on brand growth and marketing strategy. The CISO, on the other hand, has been more focused on architectural efficiency, reliability and security.
Today, data is the lifeblood of business. Businesses have access to copious amounts of consumer data that can be leveraged to gain a better understanding of their market and customer base. To the CMO, this is a gold mine – more detailed insight into the wants, needs, habits and activities of their target demographics. These can result in initiatives with large scopes and larger budgets. On the flip side, the CISO sees the red flags and vulnerabilities that come along with this information. Privacy and security threats, technological limitations, and reputational risk are all on the radar. Commonly their response is to reel the scope back in to reduce risk and budget. As you may expect, this can result in internal friction as to who is truly responsible for the management of this data, making it more important than ever for the CISO and CMO to establish an effective working relationship.
In order for your organization to best capitalize on the benefits of big data, the CISO and CMO must work together cohesively. This can be a challenge initially, as the two not only have different objectives when it comes to the use of data, but also in their ability to effectively communicate and understand the other’s perspective. In an effort to establish this relationship effectively, there are critical steps that should be taken to avoid setbacks or breakdowns in communication:
Establish Common Short- and Long-Term Goals
This one may seem obvious, but it’s likely the most critical aspect of the relationship’s foundation. Each side will have objectives they are looking to meet, and those objectives likely steer in opposite directions (especially when it comes to the budget). Where the CMO will be looking for more data points and more access, the CISO will be looking for stronger protections and stricter access control. Rarely, if ever, are the two sides going to have aligned perspectives on what should be prioritized. To avoid issues and breakdowns in the relationship, establish long-term business goals and intermediary milestones to ensure that both sides are working toward a common goal.
Break Down the Communication Barrier
Anyone working within the IT realm has seen it. You start explaining the details of an issue or a project. You try to keep it simple, avoiding technical terms and acronyms as much as possible, but then you notice glazed-over eyes and nodding responses. You could be using completely made-up terminology for all they know. If others are going to be expected to understand your perspective on things, they will need to understand the language, especially when it comes to security. The same goes for those within IT trying to understand marketing jargon and methodologies. Breaking down these barriers by educating the other team(s) on the basic terminology and approaches can go a long way to increasing the effectiveness of the relationship.
In addition to simply breaking down the language barrier, having a better understanding of mindsets and concerns will result in bringing better proposals to the table. Identifying beforehand the information and reasoning that will be valuable to the discussion for outside groups will result in conversations that are more open and productive. What is a security framework? Why does working in a cloud environment present different risks and challenges? Why are these data points relevant to marketing? Things that may seem simple and obvious to you may not be so clear-cut to others.
This may mean that an intermediary party with a better understanding of both sides is needed to facilitate the conversations. Establishing common ground and ensuring that there is nothing lost in translation is an important part of creating a functional and effective relationship.
Establish a Communication Plan
As with any relationship, communication is key. Establishing a recurring sit-down or planning session together will help to ensure that any new ideas or needs are on the radar and the appropriate considerations can be given from both sides. The frequency should be determined based on the volume of work being performed together or upcoming goals and milestones that are expected to be met. If an intermediary is brought into the fold, they should be part of these sessions as well. These sessions should serve as a chance for each side to better understand the wants, needs and challenges the other is facing.
As the business world continues to shift, the lines within the traditional organizational charts will continue to blur. Establishing effective relationships between all departments and layers of an organization is critical. Taking steps to ensure that those relationships are open and reciprocal will help to generate success not only for those parties, but for the organization as a whole.
A series of cyber-attacks involving the SWIFT banking network have come to light in recent years. The first public report of these attacks came from the Bangladesh Central Bank, and we have also seen attacks at State Bank of Mauritius, Cosmos Bank (India) and City Union Bank (India).
To strengthen security, Indian regulator Reserve Bank of India (RBI) issued several communications in this regard, and even imposed penalties on 36 banks in March for non-compliance on SWIFT operations. SWIFT also came forward with a revised Customer Security Programme (CSP), wherein it has released a security baseline for the entire community that must be implemented by all users on its local SWIFT infrastructure.
The controls in the CSP revolves around three objectives:
- Secure your environment
- Know and limit access
- Detect and respond
There are several actions that banks should take to Strengthen the SWIFT infrastructure and operations, including:
- Isolate the general IT environment from SWIFT Infrastructure.
- Disable USB, email and internet from SWIFT workstations.
- Restrict the gateway timings as per their business requirement and integrate the same with SIEM for proper monitoring and reporting anomaly detection.
- Patch the servers and endpoints regularly.
- Monitor the user logon activity through SIEM and report any anomaly detection.
- Regularly review the existing RMA (Relationship Management Application) and remove the obsolete RMAs.
- RBI has asked all banks to integrate the SWIFT with CBS (Core Banking Solution) for both financial and non-financial messages. However, many banks have not implemented STP (Straight Through Processing) for non-financial messages. So, banks should integrate SWIFT with SIEM, and any direct message created in SWIFT should be reported immediately.
- Regularly reconcile the NOSTRO account.
- If any Bank is using middleware applications between SWIFT and CBS, they should do online reconciliation using any recon tool for messages generated in middleware and SWIFT.
- Ensure SoD (Segregation of Duties) in letter and spirit.
- Monitor the activities of privileged users in the SWIFT system using any Privileged Identity Management tool.
- Carry out vulnerability assessments periodically.
- Implement multi-factor authentication in both CBS and SWIFT.
- Logs of SWIFT infrastructure should be sent to SIEM, and the SOC should monitor integrity for both software and database.
- Create, publish and test an incident response procedure and conduct a tabletop exercise frequently.
- Lastly, security awareness should be mandatorily imparted to all users, as security is a shared responsibility.
Chatting with a colleague recently about local economic issues, she made a remark which I found profoundly interesting at the time.
She said that the reason why economic policies are sometimes ineffective is because policymakers are failing to identify their root causes. “We cannot get the right answers if we are not asking the right questions,” she summarized.
I recalled that remark as I reflected on the widely reported shortage across multiple industries of people with the needed information security skills, a recurring challenge showing no signs of abating.
The Scale of the Problem
Security risks continue to gain board-level attention in many industries. After all, high-profile and publicly acknowledged breaches have a strange way of focusing the minds of senior executives on addressing security gaps.
However, the perennial skills shortage of technically proficient professionals means that organizations are finding it difficult to address security threats to their organizations at the same pace at which they occur.
A recent EY survey predicts a global shortfall of about 1.8 million security professionals within five years. That same study notes that 56 percent of respondents acknowledge currently having skills shortages. A separate study suggests that on average, it is taking enterprises longer to find and hire qualified professionals – sometimes taking up to six months before open cybersecurity positions are filled.
With digital transformation firmly on the agenda for many organizations and cyber-attacks on the rise, business leaders appear set to continue to struggle to resource strategic business initiatives with the appropriate security skills.
Asking the Right Questions
With reports that the global skills shortage appears to be getting worse, existing approaches to finding and hiring are worth challenging. Below, I list five questions that attempt to look at this problem from different perspectives.
#1: Are Hiring Managers Getting the Right Support?
I recall being presented with many dysfunctional job descriptions over the years when I have been a candidate for various positions. I have, for example, seen security analyst roles being erroneously presented as governance and compliance roles and SOC job descriptions requesting qualifications that appear unrealistic for the level of experience demanded. While it is true that every organization has different requirements, I can’t help but think that hiring managers are being let down by their recruitment service providers.
Job analysis – reviewing the qualifications and requirements of a particular position – prior to engaging in recruitment and selection is such an important first step for tackling false assumptions about a role.
The more accurate the job description, the more effective the interview questions and screening tools could be. The job analysis should cover everything from technical to soft skills and other details such as work location, remuneration and key performance indicators.
By challenging the way they develop job requirements, organizations could increase their chances of attracting and retaining the right talent.
#2: Are Security Roles Attractive to More Women?
The tech workforce gender disparity and discrimination against minorities in the industry remain hot topics of discussion at many industry conferences. Specifically, women remain globally underrepresented in the security industry.
It would be premature for an organization to conclude that merely having a diversity program is sufficient for addressing gender imbalance and the marginalization of minorities in the workplace.
Rather than using them merely to satisfy corporate KPIs, organizations need to challenge their goals and objectives for such programs in the first place. Are existing initiatives designed to create a more inclusive workplace, provide mentorship opportunities and address inequalities in pay and career progression for women? Problem areas such as hiring to fill technology and information security roles deserve special attention.
#3: Are Recruiters Trying Non-Traditional Approaches?
Specialist information security degrees and partnerships between higher education institutions and professional certification organizations such as ISACA and (ISC)2 have offered paths into the industry for individuals coming from academia. However, those individuals typically come from science, technology, engineering and math (STEM) backgrounds, where the body of knowledge tends to align closely with the capabilities required to operate in technical security roles.
Challenging the way recruiters traditionally search for security talent could open up vacant roles to a wider pool of candidates. Mentoring, capture-the-flag competitions, hackathons, and bug bounty programs are some examples of alternative ways to find security talent.
These non-traditional methods could improve the way hiring organizations spot traits such as natural curiosity, risk aptitude, analytical thinking and detailed reporting, all of which are foundational attributes required to operate in many domains within information security.
#4: Are Organizations Sufficiently Incentivizing Existing Talent?
With some exceptions, most professionals are already thinking about their next career move. Finding security talent is one thing. Retaining existing talent is quite another.
Why do good people leave? Career stagnation is often cited by security professionals as one reason for changing jobs. Therefore, it is worth paying attention to the root causes of staff attrition.
Prioritizing funding for security program areas is a constant challenge for many CISOs. This unfortunately often results in security education, training and personal development falling lower in the pecking order when faced with competing priorities. Ring-fencing budget allocation for research, training and development demonstrates leadership’s commitment to attracting and retaining the best talent.
Additionally, infosec leaders and human resources could come up with innovative ways to identify existing talent within their organizations that might sit outside the core security function.
Existing employees who demonstrate sufficient interest and technical ability could become internal hires, saving the business time and money spent on external recruitment while preserving much-needed institutional knowledge.
#5: Could Increased Automation Help?
Perhaps the answer to offsetting skills shortages is to reduce the dependency on humans altogether.
Indeed, many organizations already are exploring robotic process automation to streamline and standardize repetitive processes. This trend is set to continue, especially in the area of DevSecOps.
The desired state for many CISOs would be to free up skilled professionals to be more creative and innovative, and to focus on the optimization of the security function.
Getting the Right Answers
In May 2019, the UK government put out a call for views on a National Cyber Security Strategy.
The call for views recognized that “cybersecurity is central not only to our national security but also fundamental to becoming the world’s best digital economy.” Consultations are ongoing and a final strategy document is expected to be published by the end of 2019.
Some of the questions I put forward in this article have been included in an Initial National Cyber Security Skills Strategy. Asking the right questions should hopefully lead to getting the right answers for remediating the infosec skills gap problem.
Addressing this skills shortage requires fresh thinking and stronger collaboration between government, industry and public/private partnerships.
Editor’s note: For more ISACA insights during Cybersecurity Awareness Month in October, visit ISACA's Cybersecurity Resource Center.
The information security challenges faced by enterprises are dependent on the unique characteristics of the business. This means there is no one “right” answer for where the CISO sits on the org chart. The strategic goals, risk management strategy, and maturity of your organization are all key factors in determining the most effective reporting structure. So, without a defined best practice, how do you evaluate who your CISO reports to?
Know where you’re starting: Understanding your organization’s current culture and information security challenges is key to positioning your CISO for success. Does your organization grasp that security is not just an IT thing? Are your business leaders collaborative and actively working to include the security team in strategic and operational discussions?
It is also important to understand how information security interacts with your strategic objectives. If information security is viewed as a hindrance or obstacle, having your CISO report to a C-Suite executive could result in biased security decisions. However, if information security is perceived as a key piece of meeting strategic objectives, having your CISO report to a C-Suite executive could be an effective structure.
Outline your information security goals: Knowing where your organization wants to be regarding information security in three to five years will help you evaluate the best reporting lines for your CISO. If your organization looks to the CISO for leadership in aligning the information security goals with business objectives, placing your CISO near the CEO will provide him or her with the insights and collaboration to help fulfill expectations.
Perhaps your organization relies on the CISO to help business leaders solve problems in alignment with the information security goals. This would require the CISO to be more hands-on with the details of day-to-day business and aligns more closely with the CISO reporting to the CIO, CRO, or COO.
Define success: What does security success look like for your organization? While all companies would like to remain incident-free, the world we live in asks when, not if, our first/next security incident will take place. When the next incident occurs, how will you evaluate your CISO’s success? If success means the CISO and his or her team efficiently manage the incident from an enterprise-wide standpoint, you need to ensure the CISO is in a seat that provides the needed authority and influence.
Timing matters: If your organization is struggling to make information security a cultural priority, moving the CISO may help provide a kick-start for change. By positioning the CISO higher in the organization you can demonstrate information security is an organizational concern, not just an IT concern, and increase visibility of the connection between the organization’s strategic objectives and information security objectives.
Maybe your organization has successfully made information security an organizational priority but has determined a move would help enable the CISO to better meet your information security goals. Having a clear communication plan that instills confidence in current performance while also describing the expected benefits of moving the function can give your organization a renewed energy.
There is not a “one-size-fits-all” answer for who your CISO should report to. The key to successfully placing your CISO is a detailed analysis of your culture, your information security goals, and the definition of success.
Editor’s note: For more resources on this topic, download ISACA’s State of Cybersecurity 2019 report.
The massive cyber breach of Capital One, reported in late July, quickly brought a chorus of condemnation of the company from a wide circle of pundits, concerned customers, competitors and potential investors. Lost in the media fray was Capital One’s exceptional incident response.
The facts are impressive when compared to other cyber incidents. Capital One’s cybersecurity team detected the incident within days (as opposed to the industry average of over 100 days before detection.) Critically, the company alerted law enforcement, and collected and analyzed the logs and data that led to an unprecedented rapid identification and apprehension of the perpetrator by law enforcement personnel.
Senior leadership messaging to the public regarding the incident was quick, transparent, and sincere. YouTube watchers even got to “ride shotgun” with reporters as they accompanied law enforcement personnel to arrest the alleged hacker and secure the purloined data. Such streaming content of law enforcement arresting suspected cyber criminals in a timely manner bolsters confidence in law enforcement’s capabilities to thwart cyber criminals while providing an unprecedented deterrent in the age of cyber crime.
With nation-state actors, hackers, and other criminal organizations increasing in their boldness and cyber capabilities, corporate entities face significant cyber risk, and the odds of a cyber breach or reputation-damaging cyber incident are high. Boards and business leaders at all levels should recognize that their organization is a target and that they need to be prepared to respond fast and well in times of crisis. They should fine-tune their incident response procedures using lessons learned from the Capital One breach, implement measures to protect the weaknesses exposed in this attack, and practice what they should do if their enterprise encounters their own “really bad day.”
While boards and business leaders rightfully should pay attention to the circumstances leading to the breach itself, there are numerous lessons learned from this breach that organizations of all sizes should pay close attention to – and nearly all are positive.
Given the many instances of email security compromises, it has become vital to provide additional security to emails from the domain administrator level. Security protocols such as Domain-Based Message Authentication, Reporting and Conformance (DMARC), Domain Keys Identified Mail (DKIM), Sender Policy Framework (SPF) and Brand Indicators for Message Identification (BIMI) to prevent address spoofing are considered below.
Before getting into the security protocols, spoofing needs to be understood. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls, websites, IP address, etc. In email spoofing, an email header is forged so that the message appears to have originated from someone or somewhere other than the actual source. The objective is to get recipients to open/respond to the emails. There are many email spoofing portals from which emails can be sent to the recipient as if they originated from the real domain; such spoofing is called direct domain spoofing. DMARC, DKIM, SPF and BIMI can be used as an authentication and validation tool in many of these instances.
DMARC is an email authentication policy and reporting protocol. It determines whether the sender uses DKIM/SPF, handles recipients for authentication failure as per policies, and improves and monitors domain security from fraudulent email. It detects such emails and discards or blocks, depending on the configuration upon receiving. DMARC addresses owners and receivers in the following ways:
- Informs usage of email authentication DKIM, SPF
- Collects feedback about email messages using their domain – authentic or not
- Sets policy to report, quarantine or reject the message
- Ensures the email domain uses email authentication
- Continuously evaluates SPF and DKIM along with what recipients see in their inboxes
- Ascertains domain owners’ preference of report, quarantine or reject the messages that do not pass authentication checks
- Provides email owner feedback about messages using their domain
DKIM validates the identity of the email domain through cryptographic authentication by attaching a new domain identifier. It differentiates domains used by the known organization and domains used by others through Signing Domain Identifier (SDID). Figure 1 shows the DKIM model in which the process of the message validation is depicted. DKIM service provides a responsible identifier to the assessor, which assesses the identifier and assessment database and provides input to handling the filter. This filter uses various factors such as ancillary information from DKIM validation to provide input to the recipient.
SPF is a type of Domain Name Service (DNS) TXT record that identifies which servers are permitted to send email on behalf of your domain. The purpose of SPF record is to detect and prevent spammers from sending messages on behalf of your domain.
BIMI is a centralized method across multiple email providers to display the brand’s logo along with email messages. It helps to identify legitimate senders and reduce the number of fraudulent messages being opened or read. This protocol has been adopted by more than 81 leading email sending domains.
These protocols will be effective only when the email domain administrator enables in DNS using TXT records or enables an email host provider’s admin console. This is done to verify whether a particular email came from the specific domain from which it claims to be sent.
The above options are not perfect solutions for email security due to the fact that compromised email can be sent within the domain, a domain that uses DKIM and SPF can be set, and many commercial email hosts may not consider the senders’ domain settings. These protocols may provide enhanced security but are not 100 percent fool-proof. There are also cloud solutions in the market for preventing email security compromises that provide promising results.
Cybersecurity professionals believe their teams are understaffed, many teams have unfilled positions, open positions often take six months or more to fill, and job candidates often are not qualified for the positions for which they applied, as evidenced in the last several State of Cybersecurity annual surveys conducted by ISACA.
However, it seems progress is being made on the cyber staffing shortfall, at least anecdotally. At the 10th Annual Billington Cybersecurity Summit conducted 4-5 September in Washington DC, the theme of cyber workforce development was discussed in several sessions. Specifically, a number of speakers employed at various US agencies commented on the progress the US government has made in using creative and innovative approaches to hiring individuals for cybersecurity roles.
The Office of Management and Budget (OMB), for example, is piloting a cybersecurity reskilling effort according to Grant Schneider, federal CISO at the OMB. As part of the Federal Cyber Reskilling Academy, US federal employees are offered an opportunity to be trained in cybersecurity.
The Federal Bureau of Investigation (FBI) asks new hires to take an aptitude test to gauge their potential ability to perform cyber tasks. Thus, for example, if an individual is hired to be an analyst (perhaps because of language or data skills) but scores high for cyber on the aptitude test, the FBI will encourage the individual to pursue employment within the Bureau in cybersecurity.
A number of speakers from several US agencies stressed that the government has shifted its hiring practices to focus on aptitude versus requiring specific degrees or skills (and in many instances have eliminated the degree requirement). In one example, government-employed cyber professionals worked very closely with government recruiters to vet candidates and help establish aptitude for cyber roles.
The US government has also had recent successes in hiring industry experts at its agencies. Often these employees started in government, left public service to work in the private sector, and are now returning to the public sector, sometimes via a partnership arrangement with industry. Often individuals want to work for the government, fulfilling a need to give back or serve the public. As Katherine Arrington, chief information security officer, Office Undersecretary of Defense for Acquisition, noted, “We need to reduce the bureaucracy to facilitate that. We’re moving in the right direction.”
As ISACA’s State of Cybersecurity reports note, retention of qualified cyber professionals can be challenging. This is especially true in government, where public sector cybersecurity jobs often don’t pay as well those in the private sector. The government, however, has had recent successes with hiring cyber professionals at a higher pay grade than in the past (particularly for civilian employees) and increasing renumeration via bonuses (for military personnel) according to Jack Wilmer, deputy CIO for cybersecurity and senior information security officer, Department of Defense.
It’s encouraging to see the progress the US government is making in tackling the cybersecurity workforce shortage. The private sector should take note and consider adopting some of these successful tactics.
Cybersecurity resilience of Industrial Control Systems (ICS), Building Management Systems (BMS) and other Operational Technology (OT) systems is falling behind, a critical challenge considering the potential impact of a cyberattack on ICS and OT could result in the loss of lives and/or major environmental damage. These grave threats, of course, are in addition to the financial, reputational and compliance impacts of cyber incidents that affect all industries. Given the high stakes, it is time for the CISO to step up, learn about the unique characteristics of ICS and OT, and collaborate with the industrial control engineers, in order to take proper responsibility over ICS and OT cybersecurity.
I have gained experience in this area through my work on a project I conducted for the Israel National Cyber Directorate (INCD), in which we worked to provide the Israeli ICS sector with a practical tool allowing enterprises to conduct a cyber risk assessment of their ICS network. In working to develop the tool, we met with a range of OT engineers and cybersecurity professionals to draw upon their expertise and insights. Through those interactions, a concerning pain point was identified – ineffective working relations and processes between the two groups, leading to poor cyber resilience for ICS networks.
Clearly, there is a leadership vacuum that needs to be filled. Among many in the industry, there is a debate about who should assume ultimate responsibility over ICS security – the CISO or OT engineers. I believe that the CISO is best-suited to do so, given the CISO’s grounding in risk management practices and controls for cyber risk mitigation. But to properly oversee this area, CISOs must address their blind spot regarding risks in the OT environment. Since CISOs generally do not possess much knowledge of OT processes and systems as well as their sensitivity to change, they tend to overlook potential consequences if something goes wrong. Conversely, business executives might have familiarity with OT processes, but they tend to have less understanding of cyber risk, focusing instead on productivity and process reliability.
ICS and OT systems, such as Building Management Systems (BMS) and surveillance cameras, can be found in most modern organizations. ICS is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. ICS are used in critical infrastructure – areas such as the manufacturing, transportation, energy, and water treatment industries, which are essential to the health, safety, security and economic well-being of governments and society as a whole. OT systems, meanwhile, include the hardware and software systems that monitor and control physical devices in the field, such as devices that monitor temperature in industrial environments.
The convergence of IT and OT provides enterprises greater integration and visibility of the supply chain, including critical assets, logistics, plans, and operation processes. Having a thorough view of the supply chain can help organizations improve strategic planning and remain competitive. On the other hand, however, the convergence of IT and OT expands attack vectors for cybercriminals, allowing them to take advantage of poorly protected OT infrastructure.
This is part of the challenge for CISOs, who have several places to turn for guidance in shoring up this common blind spot. CISOs and others interested to learn more about reducing ICS security risk would be well-served to explore NIST’s Cybersecurity Framework Manufacturing Profile. Additionally, the ISA/IEC 62443 series of standards provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. And on the certification front, ISACA’s CISM credential can help CISOs develop a risk-based approach to managing security challenges that may arise on the ICS and OT landscape.
Editor’s note: Weisberg will present additional insights on “Illuminating the CISO’s ICS Blind Spot” at Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City, USA.
About 10 years ago, when I was deciding on my major in university, I was very anxious about where my decision would lead me. I eventually chose Management of Information Systems, and fast forward 10 years later, I’m working as an information security consultant at a Big 4 firm.
Settling on a career that aligns with your interests, personality and educational background has proven to be quite the challenge for many young professionals of this generation. Apart from aiming to stay relevant and make money – which is usually a hidden aspect of several neatly typed-out CVs – young professionals also seek growth capable of propelling them to extraordinary heights.
Pursuing a career in information security is as extraordinary as the word gets. Reports of data security breaches have become commonplace in our daily lives. Organizations from various industries face myriad threats and require information security professionals to help them address this compounding issue. Despite the vast array of opportunity seemingly laid out on a silver platter for prospective security practitioners, the paradox is there remains a huge skills gap, so there is an ever-increasing demand for information security-related job roles. According to the Global Information Security Workforce Study, there will be 1.8 million unfilled cybersecurity job roles by 2022. This situation presents young professionals with both an opportunity and a challenge.
Here are a few reasons young professionals should consider careers in information security:
The cyber and information security, audit and risk professions are remarkably multifaceted. As a young professional, it is vital that you learn about regulatory and industry changes in your country, and even globally, to better inform your choices for a job role. For example, in my country, Ghana, the Central Bank issued the Cyber and Information Security Directive in October 2018, which requires all financial institutions under its supervision to comply with relevant minimum security standards. This very significant regulatory change has opened up numerous opportunities for information security practitioners in Ghana. There already has been a ripple effect in the financial services industry as banks and other financial institutions require their partners to maintain minimum security standards. It is likely that these partners would also require their affiliates to adhere to security best practices, so the cycle goes on and on. These organizations will need professionals (in-house or outsourced) to help them implement and maintain security standards. The opportunities are endless.
Organizations around the world owe a duty of care to their employees, clients and partners to secure their systems and data. They need the right talent to do this and are actively trying to fill the gap in the educational system by honing skills through mentorship and graduate programs for students and recent graduates. With regulation, advanced persistent threats and industry expectations breathing down the necks of organizations, enterprise leaders are looking for individuals who they can invest in and train to effectively handle the growing volume and sophistication of cyber-attacks. For example, Cisco invested $10 million in a cybersecurity scholarship program that sought to increase the pool of cybersecurity professionals to close the security skills gap and enable individuals (starting from the age of 18) to develop cybersecurity proficiency at the early stages of their careers. There is also the Cyber Security Talent Initiative, which is a partnership of leading companies and universities encouraging students to pursue careers in cybersecurity by offering loans of up to about $75,000.
You Don’t Need to Be a Computer Science Major
Several potential job candidates assume that they require a degree in computer science to pursue a career in information security. This is a myth that needs to be debunked. I have met several computer science majors who ended up practicing accounting, finance, HR and even hospitality. On the other hand, I have met accounting, science, history and literature majors who eventually pursued careers in information security, IT audit and risk. Your degree should not be a limitation, especially in cases where you wish to make a career change. Just like any other professional field, information security requires you to have the tenacity, hard work and the right dose of curiosity to succeed.
Furthermore, acquiring soft skills is equally as important as building technical competencies. Learning how to network with other professionals and write compelling reports is a skill that needs to be developed. Imagine being the senior penetration tester or an SOC analyst in an organization that cannot properly communicate the impact of a vulnerability or make a business case for a solution that is required to management.
There is Room for Growth
From my experience in information security roles so far, I have realized there is always something new to learn. The rate of change in the technology field and the spate of cyber-attacks leaves us all falling in a bottomless pit – in a good way. You can’t afford to be stale, and for me, this has been the exciting yet challenging aspect of my work. News story after news story about seemingly sophisticated and mature organizations left devastated by cyber criminals leaves us wondering if we can ever combat cybercrime. But the nature of data breaches being experienced today is gradually paving the way for tomorrow’s job roles. The reality is that opportunity will come looking for you, hence, you will need to be ready to self-learn and obtain the right certifications to position yourself for the next opportunity that finds its way to you.
To sum this all up, I encourage all young professionals to consider pursuing a career in information security. Also, prior to landing a job role, look for opportunities to volunteer with organizations such as ISACA and (ISC)². Sometimes, you learn the most about networking and soft skills through volunteer roles. Who knows? You might even meet your next employer.
And remember – curiosity and being indomitable will take you to great heights in your professional life.
Editor’s note: For more resources for young professionals, visit www.isaca.org/young-professionals.