Security Technology Executive

SEP-OCT 2018

Issue link:

Contents of this Issue


Page 17 of 59

18 SECURIT Y TECHNOLOGY E XECUTIVE • September/October 2018 • www. COVER STORY violence, active shooter, data breach, and so on. To illustrate the very real nature of this risk, in 2013 Tar- get – a highly-rated Fortune 500 company – was the victim of a cyber-attack in which the hackers entered the network through a vulnerability in the HVAC sys- tem and stole data from 40 million credit and debit cards of shoppers. The breach cost Target $202 mil- lion, along with damage to the company 's public image and trust. Ultimately, the CEO was fired. Security Assessments – The Other Puzzle Piece for Risk and Liability Whereas traditional risk assessments have been managed by professional services companies, security assessments have been handled by security-specific consulting companies. These con- sultancies typically do not look at the business risks discussed above but limit their oversight to IT, OT and physical security practices. Exacerbating this disconnect, completely differ- ent providers with differing specialties generally assess the three disciplines (IT, OT and physical security) separately. See figure 2. Management in each of the three disciplines develops their own strategies to protect the enter- prise by preventing incidents that relate to their systems. For example, IT management will run penetration testing exercises to find and eliminate vulnerabilities in their networks. Physical security management will deploy surveillance cameras with advanced video analytics to detect potential problems such as a backpack left in a hallway, or to help identify criminals after an incident. OT sys- tems, originally designed to be standalone but now usually connected to the network in order to ensure their continued stability, are typically exceptionally robust and can last for well over 25 years with little more than routine maintenance. Double Trouble and Catastrophic Consequences As described above, the model for identifying risk and potential liability is doubly broken. The first gap is within the security piece, as there is nor- mally little-to-no connection between the silos of IT, OT and physical security; the second is beyond security, as there is typically no correlation with the risk profiles presented by business operations and governance. With multiple areas of business functions each being evaluated by different entities, the organiza- tion cannot be fully and properly assessed with regard to risk. Putting together the two halves of the funnel illustrates the way in which liability blooms at the junction between security and business. To visualize this in the context of an actual inci- dent, imagine this potential " kill chain". A large office building is connected to a manufacturing plant where electronic products are assembled. With a single day, there are three separate events: OT sees an unexplained rise in temperature in one section of the manufacturing facility, physi- cal security is alerted that a terminated employee has attempted to use expired credentials to enter the office, and a data storage server is compro- mised. Each of these incidents triggers some sort of response; however, the responders do not commu- nicate with one another and there is no recognition or understanding that these events are all related. FIGURE 2: In this image, we see the Security Risk funnel, with IT, OT, IoT and Physical Security silos, is separate from the Enterprise Risk funnel. The security silos install and maintain a physical infrastructure (security entrances, locks, cameras, access control systems, life safety, etc.) As the infrastructure reduces risk, the funnel narrows at the top. However, a concerted "kill chain" attack that impacts different silos can be perceived as "separate" incidents and can permeate the infrastructure and exact real and devastating liability to the enterprise.

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - SEP-OCT 2018