Should Cybersecurity Drive Business Decisions?
Cyberattacks are often seen as an IT issue, but the intelligence gained during the development of an effective cybersecurity protocol may serve a broader role as a business driver for energy. What should companies look for in assessing threats?
Cybersecurity is often thought of as an IT matter, since it involves the protection of network infrastructure, programs, and the data stored within them, but would companies benefit from rethinking its role in their operations? A global intelligence advisor at BP recently argued that the consequences of cyberattacks make them general business issues more than IT issues, and the intelligence gathered in developing cybersecurity protocols can act as a business driver.
At a workshop co-hosted by Siemens and the International Society of Automation on the role of artificial intelligence in combatting cyberattacks, Sean Plankey said intelligence is a prevention function, and a well-executed intelligence-gathering operation should help inform proper security protocols. Adversaries often deploy a series of capabilities to move across external and internal infrastructure, so detecting an individual event within a network does not always give a company the greatest understanding of the nature of the threats they may face.
“I think that a good way to look at intelligence is defining what our adversaries are trying to do against us,” Plankey said. “If we took intelligence and thought it was just pulling malware apart, identifying a piece of malware, we’d only be looking at one corner of the attack. We have to look at it holistically.”
Intelligence Gathering With a Purpose
Plankey said that to develop sufficient security protocol for their networks, companies must understand the nature of the threats they face and the types of intelligence they receive.
Strategic intelligence helps inform the decisions of senior leadership. It is rarely technical, but it usually involves the analysis of several external business and political variables, such as the state of the global oil market, diplomatic developments between nations, and general IT/OT issues that could affect a company. One example Plankey gave was a hypothetical issue in which Chinese actors implanted chips into company motherboards built by a specific vendor to steal information from its clients. Developing a protocol for such a situation would require strategic-level conversations, Plankey said, because that protocol may require management to redefine its procurement process.
Operational intelligence is related to specific attacks, and usually involves specific tactical actions that companies can drive within their operations. Technical intelligence comes from physical indicators like automated sharing programs, indicators of compromise, or even intelligence from government agencies like the US Department of Homeland Security.
Plankey defined a threat as the determination of an actor to inflict harm on something or someone, and the establishment of a baseline threat to a company’s operations will help that company eliminate the uncertainty that comes from intelligence gathering. Companies should use intelligence to inform their business: As the baseline threat changes, so should its security posture.
“Without a baseline, we’re in constant panic mode,” he said. “That goes from the lowest level of the organization to the top. Cyberattacks become ‘act of God’ events without a baseline threat: ‘Let’s just do nothing because we could be hit at any time.’ That’s not a good stance to have.”
Assessing the Bad Actors
Firewalls, endpoint protection, and security information and event management (SIEM) systems are the baseline controls needed to stop random attacks and careless employees who allow hackers to access a network through phishing scams and other mechanisms. Plankey said establishing a baseline threat requires the assessment of the actors that could be interested in a company’s operations and why they are interested; the capabilities those actors have in carrying out an attack; and the areas they have attacked in the past. The type of actor initiating a threat depends to some degree on the business that company conducts—offshore operations may draw different interest than mergers and acquisitions, and different types of proprietary information may draw different interest from different actors.
Plankey also said companies should look into the resources threatening actors have at their disposal, along with the crimes they have committed in the past.
“We could take this into the criminal aspect as well. What financial transactions have these guys conducted? Are they fraudulent? Where has personal information popped up in the past? What’s their capability, and where have they done it? Have they only done website-based attacks, getting in through websites and moving laterally across your servers, were USB sticks plugged into your system, or was it phishing?”