I recently stumbled upon a McKinsey article from October 2019 that more elegantly, in McKinsey speak, made the argument against “cyber hygiene” than I do.
Over the past three years I’ve seen many asset owners go through the same process:
- Board or C-levels discover there is likely ICS cyber risk they have not been aware of, because Operations has not raised it or has said everything is fine.
- Board / C-level hires a consulting firm, often the same large one they use for IT, to assess the ICS and OT environment. The assessment compares current posture to IT good security practices, with the expected large gaps revealed.
- Applying IT good security practices, especially patching, across all OT cyber assets is prioritized and tracked. Risk is only considered in terms of risk of compromise of the OT cyber asset, not financial impact, safety impact, customer impact, etc.
This repeated process has resulted in the top recommendation across all sectors being to apply cyber hygiene. It’s difficult to argue against cyber hygiene. The term itself is brilliant from a marketing standpoint. Who could be against hygiene? And one can’t say the good practice security controls are wrong. In a world with unlimited resources, they would all be implemented.
However, we know that asset owners have limited resources and a lot to do in rapidly changing OT, which has led me to include this line in almost every presentation:
It is not a competition to see who can deploy and maintain the most good practice security controls. The goal is to manage risk, to reduce risk to an acceptable level.
If an objectively good practice security control requires a large effort and only offers trivial risk reduction, it should not be done. Security patching of insecure by design ICS is a great example of this, see ICS-Patch: What To Patch When.
I was pleased to see the respected McKinsey & Company come to the same conclusion. In the article they list four phases of the cybersecurity journey.
- No Security – There are still a large number of ICS asset owners here.
- Maturity-Based Approach – This is the cyber hygiene approach and most ICS asset owners are somewhere in their journey through the maturity-based approach.
- Risk-Based Approach – “Identify, prioritize, deliver, manage, and measure security and privacy controls in line with the enterprise-risk framework”.
- Proactive Cybersecurity – Proper use of the ICS detection and response tools would fall into this phase of the journey.
The responsible OT world lags the IT world by 5 to 10 years (the install and “run to failure” maintenance mode is more like 20 years behind). In technology there is sometimes a benefit to being far behind, in that you can leapfrog a system that is moving toward obsolescence and go straight to where the market is heading.
Most ICS asset owners are in this position. They have not yet effectively implemented cyber hygiene or gotten anywhere near their goal in a maturity-based approach. They are ramping up their cyber hygiene efforts with minimal thought to risk. It’s not too late for most of you to stop this and move straight to a risk-based approach.
The measuring stick, until we are ready for phase 4, proactive cybersecurity, is Efficient Risk Reduction: where will you get the most risk reduction for the next dollar or hour spent on ICS cyber related risk? That is risk reduction measured in the asset owner’s risk matrix categories, not a reduction in the number of vulnerabilities in a cyber asset.
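As an added illustration of this measuring stick (my own example, not from the McKinsey article), the script below ranks a few constructed candidate controls by risk-matrix reduction per hour of effort and contrasts that with the vulnerability-count ranking a maturity-based scorecard would produce. The matrix categories, controls, hours and ratings are all assumed values.

```python
from dataclasses import dataclass

# Constructed 5x5 risk matrix in the asset owner's own categories.
# Score = likelihood rank * consequence rank, as on a typical risk matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


def risk_score(likelihood: str, consequence: str) -> int:
    """Position of a scenario on the risk matrix."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


@dataclass
class Control:
    name: str
    effort_hours: float   # cost to deploy and maintain the control (assumed)
    vulns_closed: int     # what a maturity-based scorecard would count
    before: tuple         # (likelihood, consequence) of the scenario today
    after: tuple          # (likelihood, consequence) once the control is in place

    def risk_reduction(self) -> int:
        return risk_score(*self.before) - risk_score(*self.after)

    def efficiency(self) -> float:
        """Risk reduction per hour: the return on the next hour spent."""
        return self.risk_reduction() / self.effort_hours


def rank_by_efficiency(controls):
    return [c.name for c in sorted(controls, key=lambda c: c.efficiency(), reverse=True)]


def rank_by_vulns_closed(controls):
    return [c.name for c in sorted(controls, key=lambda c: c.vulns_closed, reverse=True)]


# Constructed candidates for one scenario: loss of control of a process unit.
# Patching an insecure-by-design PLC closes CVEs but leaves the unauthenticated
# engineering protocol in place, so the likelihood of compromise does not move.
CANDIDATES = [
    Control("Patch insecure-by-design PLCs plant-wide", 400, 30, ("possible", "major"), ("possible", "major")),
    Control("Segment control network, restrict engineering protocol", 120, 0, ("possible", "major"), ("unlikely", "major")),
    Control("Add independent mechanical overpressure relief", 60, 0, ("possible", "major"), ("possible", "moderate")),
]

if __name__ == "__main__":
    for c in sorted(CANDIDATES, key=lambda c: c.efficiency(), reverse=True):
        print(f"{c.efficiency():.3f} risk points/hour  {c.name}")
    print("Maturity-based order:", rank_by_vulns_closed(CANDIDATES))
```

The two rankings invert: the patching program tops the vulnerability count and sits last on risk reduction per hour, which is the gap between a maturity-based and a risk-based approach.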
One last point on these four phases. We are seeing a leapfrogging by many from phase 1 or 2 straight to phase 4 with the installation of the ICS detection and response products. I’m less sanguine about this jump. While the jump past maturity-based to risk-based reduces inefficient effort and allows limited resources to be placed on high impact security controls or consequence reduction, the jump to proactive cybersecurity requires a skill set and significant commitment that is difficult to achieve without having the grounding in the phase 3 risk-based approach. I’m a huge proponent of the detection and incident response solutions that support proactive cybersecurity, and they need to be introduced at the right time in an asset owner’s OT cybersecurity program.