A recent cyberattack targeting the world’s largest meat processor, JBS, points to a disturbing new reality: our nation’s critical infrastructures and supply chains are being targeted because they are not identifying the cyber risks that matter most to their operations.
Coming so soon after the ransomware attack on Colonial Pipeline, whose perpetrators got away with $4 million in ransom money, the JBS incident makes it clearer by the day that critical infrastructure owners urgently need to adopt a risk-led cybersecurity programme. Despite the increase in these high-profile attacks, major firms are still not having the proper risk conversations between their cybersecurity experts and their business executives.
Identify, Understand, Prioritise and Remediate
It is vital that the businesses that own and operate our nation’s critical supply chains start quantifying and prioritising their risks, leveraging threat intelligence, and automating and orchestrating their responses. And they must shift to this approach immediately.
One of the primary reasons critical infrastructure enterprises remain vulnerable is the lack of structure around enterprise cyber risk quantification. Last year’s release of an interagency report by the National Institute of Standards and Technology (NIST), titled “Integrating Cybersecurity and Enterprise Risk Management”, identified significant shortfalls in enterprise cyber risk quantification efforts. “Most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways,” the report states. “Methods such as quantifying cybersecurity risk in monetary terms and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigour as methods for quantifying other types of risk within the enterprise.”
The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritise cyber risks within the context of our individual businesses an urgent priority. When business networks and systems can be compromised in a way that disrupts or halts industrial operations, that points to a clear failure to identify, understand, prioritise and remediate the most critical cyber risks facing one’s organisation.
The Risk – Threat – Response Paradigm
The Risk – Threat – Response paradigm equips business leaders to understand and prioritise resource allocation. Keeping up with the threats and challenges that matter most to organisations requires a focus on cyber threat intelligence. By developing a cyber threat intelligence (CTI) programme, organisations will be able to constantly reassess and process knowledge about cyber threat actors, and will discover and understand the who, where, how and when of the challenges they face now and in the future.
Organisations today tend to be in a constant state of reacting to threats, vulnerabilities and incidents. Now is the time to become proactive, through a cyber threat intelligence programme that informs an organisation of its risk and aligns the business as a whole on the threats that matter most, judged by the primary response cost and the secondary loss – the damage that comes to the business as a result of the breach.
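The NIST report quoted above calls for quantifying and aggregating cyber risk in monetary terms, and the paragraph above ranks threats by primary and secondary loss. The following Python is an added example, not from the article or NIST, showing one way to do both: each scenario’s expected annual loss is its event frequency times (primary loss + secondary loss), and a seeded Monte Carlo run aggregates the register into a distribution of annual losses. Every scenario, frequency and cost figure below is constructed for a hypothetical plant.

```python
"""Added example: rank cyber risk scenarios by expected annual loss and aggregate
them with a seeded Monte Carlo simulation. All figures below are constructed."""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    freq_per_year: float   # expected loss events per year
    primary_loss: float    # direct cost per event: response, recovery, downtime
    secondary_loss: float  # knock-on cost per event: fines, lost contracts, reputation

    def loss_per_event(self) -> float:
        return self.primary_loss + self.secondary_loss

    def expected_annual_loss(self) -> float:
        return self.freq_per_year * self.loss_per_event()


# Constructed register for a hypothetical processing plant (not real data).
REGISTER = [
    Scenario("Phishing-led payroll fraud", 1.5, 50_000, 20_000),
    Scenario("Ransomware halts plant OT", 0.2, 3_000_000, 5_000_000),
    Scenario("Supplier portal data breach", 0.5, 400_000, 900_000),
]


def rank_by_expected_loss(register):
    """Most costly scenario first; frequency alone would put phishing on top."""
    return sorted(register, key=lambda s: s.expected_annual_loss(), reverse=True)


def _poisson(rng, lam):
    """Knuth's inversion sampler for event counts at small rates (lam < ~30)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(register, years=20_000, seed=1):
    """Aggregate: for each simulated year, count events per scenario and sum losses."""
    rng = random.Random(seed)
    return [sum(_poisson(rng, s.freq_per_year) * s.loss_per_event() for s in register)
            for _ in range(years)]


def summarise(samples):
    """Mean annual loss plus the 95th-percentile 'bad year' figure for the board."""
    ordered = sorted(samples)
    return {"mean": sum(ordered) / len(ordered),
            "p95": ordered[int(0.95 * (len(ordered) - 1))]}
```

The ranking shows why frequency alone misleads: the phishing scenario happens most often yet carries the smallest expected loss, while the rare ransomware scenario dominates both the expected figure and the bad-year tail.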
Bridging the gap between cybersecurity and business remains an aspirational goal for many who struggle to understand where to begin. We cannot allow this situation to continue in the critical infrastructure space. In a world of highly sophisticated cyber criminals, our critical infrastructures need to adopt a risk-led cybersecurity programme that not only helps organisations prioritise and focus on the risks that matter most, but also enables them to leverage threat intelligence to drive orchestrated response.