Worst-case consequences of compromise determine government and societal policies, so consequences matter, especially for critical infrastructure policy. Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks joins us to look at threats, consequences, and policies for critical infrastructure security.
Listen now or Download for later
THE INDUSTRIAL SECURITY PODCAST HOSTED BY ANDREW GINTER AND NATE NELSON AVAILABLE EVERYWHERE YOU LISTEN TO PODCASTS
Danielle got started as a policy analyst for the security of nuclear weapons and grew from there into a leading voice in the industrial security community. She argues that worst-case consequences of compromise should drive cybersecurity policy decisions for critical infrastructures, not what we imagine are attack likelihoods, or what we imagine are the motives of our adversaries, whoever they might be. Motives are notoriously unreliable guides for critical infrastructure policy – in this Danielle echoes Mark Fabro’s episode on risk some years ago.
Informing Critical Infrastructure Policy
More specifically, Danielle argues that data should inform policy decisions, both in the public and private sectors. Information on consequences, attacks and threats needs to be standardized, so that it can be consolidated and compared across industries, businesses, and government agencies. Information on the strength of security postures in different organizations and sites needs to be standardized as well, so that different stakeholders can compare their strength of security to their peers. Critical infrastructure policy is most effective when such policy is driven by real data.
In the episode, Danielle focuses on a different kind of consequence classification than previous guests have described – she points out four dimensions of consequence:
- Safety vs business – threats to worker or public safety business consequences that are readily covered by cyber insurance,
- Scale – threats to small operations vs. very large and very consequential operations,
- Ability to respond – serious consequences that emergency responders are poorly equipped to react to are a different problem than consequences such responders are well-practiced for, and
- Public panic – Danielle echoed previous episodes in pointing out that cyber attacks that trigger public panic can be very destructive.
Industroyer / Pipedream Alert AA22-103A from CISA:
APT Cyber Tools Targeting ICS/SCADA Devices
Danielle also explored lessons to be drawn from the Industroyer2 malware discovered a year ago. The discovery of the malware and widespread sharing of its characteristics arguably averted a number of very serious cyber incidents. This is an example of information sharing done right – the whole world profited from access to information about the malware, its capabilities and its characteristics.
Listen in to the episode for all these insights and more.