Consequences Matter | Episode #96


Waterfall team


Worst-case consequences of compromise determine government and societal policies, so consequences matter, especially for critical infrastructure policy. Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks, joins us to look at threats, consequences, and policies for critical infrastructure security.


 


https://youtu.be/DbvVgvlQhmw


THE INDUSTRIAL SECURITY PODCAST HOSTED BY ANDREW GINTER AND NATE NELSON AVAILABLE EVERYWHERE YOU LISTEN TO PODCASTS​


Danielle got started as a policy analyst for the security of nuclear weapons and grew from there into a leading voice in the industrial security community. She argues that worst-case consequences of compromise should drive cybersecurity policy decisions for critical infrastructures, not what we imagine are attack likelihoods, or what we imagine are the motives of our adversaries, whoever they might be. Motives are notoriously unreliable guides for critical infrastructure policy – in this Danielle echoes Mark Fabro’s episode on risk some years ago.

Informing Critical Infrastructure Policy

More specifically, Danielle argues that data should inform policy decisions, both in the public and private sectors. Information on consequences, attacks and threats needs to be standardized, so that it can be consolidated and compared across industries, businesses, and government agencies. Information on the strength of security postures in different organizations and sites needs to be standardized as well, so that different stakeholders can compare their strength of security to their peers. Critical infrastructure policy is most effective when such policy is driven by real data.


Danielle Jablanski – OT Cybersecurity Strategist
at Nozomi Networks

In the episode, Danielle focuses on a different kind of consequence classification than previous guests have described – she points out four dimensions of consequence:

  • Safety vs. business – threats to worker or public safety vs. business consequences that are readily covered by cyber insurance,
  • Scale – threats to small operations vs. very large and very consequential operations,
  • Ability to respond – serious consequences that emergency responders are poorly equipped to react to are a different problem than consequences such responders are well-practiced for, and
  • Public panic – Danielle echoed previous episodes in pointing out that cyber attacks that trigger public panic can be very destructive.


Industroyer / Pipedream Alert AA22-103A from CISA:
APT Cyber Tools Targeting ICS/SCADA Devices

Industroyer2

Danielle also explored lessons to be drawn from the Industroyer2 malware discovered a year ago. The discovery of the malware and widespread sharing of its characteristics arguably averted a number of very serious cyber incidents. This is an example of information sharing done right – the whole world profited from access to information about the malware, its capabilities and its characteristics.

Listen in to the episode for all these insights and more.
