The warnings went out after the US bombing of the Iranian nuclear facilities. Be prepared for an increased likelihood of an Iranian cyber attack. Shields Up!
Giving this warning is reasonable, perhaps even responsible. The problem is there is no real guidance on what to do. What does Shields Up mean?
This isn’t entirely fair or completely accurate. CISA has a Shields Up web page, and this Alert yesterday, with a list of suggested security controls and actions an organization should take to raise the shields. The problem is that these are common, well-known good practices that should be in place at all times, not just in a time of enhanced threat.
I asked CISA Director Jen Easterly, shortly after the first Shields Up campaign began, when the shields can come down. The answer was never, but perhaps we could return to a Shields Normal. I don’t remember CISA ever saying to set the shields back to normal. I can’t imagine CISA saying the threat has subsided and it’s no longer necessary to do any of those recommendations. (See the video clip below.)
When Do The Shields Come Down?
Viewed as a marketing campaign to raise security awareness in the non-security community, the initial Shields Up was effective (although a metric to show this would have been better). I’m less confident the second or third time Shields Up is declared will have a similar impact.
Let’s look past what Shields Up means as defined today. What should it mean? Assume you are a company that is implementing the CISA suggested security controls and others you’ve determined are necessary. What should you do in a temporarily heightened threat environment?
The US Government has specific actions that are taken at the various DEFCON levels. We should see similar recommendations for Shields Up instances. We don’t need security controls for five levels of threat, but we could benefit from a set of enhanced security recommendations for Shields Up times that will end when we return to Shields Normal.
There have been a few instances of this in history, with Y2K being the most compelling. A lot of things were turned off or not performing their usual important actions when the new year arrived.
A true Shields Up would cost a company money in additional resources or lost productivity over normal operations. It could be:
- Increased security staffing to monitor systems.
- Increased engineer and technician staffing to run some processes manually, reduce or monitor automation, respond more quickly to any issues …
- Less connectivity. Many companies have a formal or informal disconnect-OT policy for when they believe there is an incident. Maybe you have a heightened-threat security perimeter ruleset or remote access policy.
- Your ideas here!
Shields Up is a good idea, and CISA, ISA, various sector groups, and others could provide some guidance in this area. The key is that whatever you recommend for this category must be temporary: activated when the threat is viewed as temporarily higher, and deactivated when it subsides.
Of course, each company will decide whether and when the Shields go Up and Down. They can take input from others, but it is a business decision.