Hello all.
Quick pot-stirring question for you today. I was on a call the other day with a whole pile of IT/security types as well as a bunch of government and physical security types, and one of the comments made me pause. The person speaking is a known critic of government insofar as its ability (or inability) to communicate in a timely and effective manner. Or, more succinctly, whether it is even doing the right thing. His point was simply that the current effort to monitor real-time threats as a means of preventing them seems to be misguided and to have little chance of success. He suggested that perhaps the true efforts of the countless organizations, agencies, etc. should be focused on containment and recovery of incidents when they do happen.
Now I know this, in and of itself, is not at all a surprise to 'proper' security-minded people. After all, we all *should* know that security is not about making your systems bulletproof, because there is no such thing. In fact, an effective security program is intended to detect, react, stop, recover, learn from and move on from incidents. Because they will happen. But what if you took this suggestion to the extreme? I mean, what if we truly took to heart the mentality that we are going to have problems/hackers/viruses, etc.? I mean truly turn on your inner pessimist/fatalist? I know of one company that *sort of* did this when they tried treating all portable electronic equipment (laptops and handhelds) as compromised and untrusted. It made for much less ownership and management of the end systems, and added overhead/obstacles for those who travelled and were trying to get to corporate resources.
Well, how about if we instead looked at what exactly we could lose and portioned it up? It is the same concept as squirrelling away portions of my life savings in a dozen or more safe hiding places such as the mattress, the attic, behind pictures, etc. Basically, accept that something is going to happen, but I am only going to let you have a small portion of my goods. Can we take cyber security of critical infrastructure into this sort of concept? How would you start? Logically and physically segment your specific units from a network perspective? Is a unit too big and complex? Perhaps individual DCS lines or sub-networks? How about user access? Multiple admins for multiple domains, and never shall they cross over? How do you conceivably segment or minimize damage to a percentage of your assets in order to follow this principle?
I can see the concept working if you could actually separate out risk. Like sending multiple 'important people' (government, business, whatever) on separate travel routes and mechanisms to ensure a single accident doesn't decimate the organization or leadership. However, we can't really split up the risk/value of a catalytic cracker now, can we? How about a nuclear reactor?
In my opinion, we need to view the subject of industrial cyber security as similar to that of a boat trying to navigate an icy ocean. We can't avoid at all costs any and all floating debris or ice, so we need to work on building an ice-breaking, double (triple?) hull boat AND keep an eye on the icebergs, but let the flotsam and jetsam bounce away.
In other words, neither extreme is plausible. We can't be bulletproof, and we certainly can't parcel everything into tiny, inconsequential portions. In the end, we need the government (or whomever) to keep watch in the tower and alert us to the icebergs, AND we need to build our own detect, recover, repair and move on approaches for the ones that get through. But that is just my opinion. What do you think?
