By Chris Gausden and Lawrie Abercrombie
The Australian Government has been quite forward-leaning in its approach to cyber security in general and has just published a Consultation Paper titled Protecting Critical Infrastructure and Systems of National Significance as an addendum to its 2020 Cyber Security Strategy. In addition to expanding the range of CNI operators beyond that used in the UK, it takes a different view of how the response to an attack should be handled.
The UK CNI Competent Authorities’ approach has, on pain of some rather large financial penalties under the NIS Regulations, been to direct the CNI Operators of Essential Services (OES) to protect themselves as per the NCSC’s Cyber Assessment Framework (CAF) and then leave them to get on with it. In the event of an attack, NCSC would of course be available to offer advice but that’s pretty much as far as it goes.
It seems Australia has a rather more interventionist attitude in that it will provide “Government assistance to entities in response to significant cyber-attacks on Australian systems” and could ultimately take full control of the OES’ defence.
This is much more like the US approach, as reflected in one of US Cyber Command's (CYBERCOM) three mission areas: “defending the nation against cyber threats through support to the Department of Homeland Security and others when directed to do so by the President or Secretary of Defense.”
Several of the Arcanum team did some work on this approach when they were working alongside CYBERCOM while still serving in the Army. The biggest issue we found was where all of these skilled cyber defenders were going to come from. On a cyber exercise we simulated defending a network against a concerted attack by a skilled opponent, actually a couple of our best people. We found it took a team of nearly 30 people to provide round-the-clock defence over a two-week period. That’s 30 people to protect one network against 2 attackers. There are at least 100 different OES in the UK, so let’s suppose the bad guys, whoever they are, have 30 people of their own and are competent enough for each pair to alternate attacks on several targets over a day. That’s 30 people to protect each target. And what if they were to include military or HMG systems in their attacks at the same time?
With things like CNI, most of the advantages are with the attackers. A minimal amount of research will identify targets, most of whom are heavily reliant on outdated and relatively unprotected ICS systems. The attackers can choose when and where to attack and can change their focus at any time. They only have to be lucky once. The defenders, by contrast, are usually under-resourced, have to protect everything, have to be permanently on guard and have to be lucky every time.
As a defender, we can make things easier for ourselves even when resources are scarce. The very least we should do is update, patch and monitor our systems and prepare for the worst-case scenario with effective incident response, disaster recovery and business continuity planning.
Once you can go beyond those very basic steps, use tech and AI / Machine Learning sensibly and centralise your limited resources. Take vulnerability management and patching as an example: they are primarily a protect function and fairly effective against some cyber threats, so treat them as a single enterprise risk mitigation service. First, establish responsibility for routine patching and a cadence for the activity, i.e. a written policy/guide that can be mandated and whose effectiveness can be monitored. Then, for assurance and for more urgent tactical patching / updates in response to vulnerabilities, deploy a standard enterprise vulnerability management toolset such as Tenable.io / Rapid7 etc. to all parts of your environment, including endpoints, and run regular automated scans against CVE vulnerabilities.
Using a centralised dashboard and allocated asset “owners”, you can automate patching / update tasks via a good service management toolset. Once this is up and running you can get clever and use the same toolset to start looking at consistency of builds and vulnerabilities in configuration. It just needs a single intelligent body with the authority to set it up, analyse the results and issue remediation tasks. Do this and you can maintain an accurate picture of where you are still vulnerable and why. When that attack does come, and it will, you can concentrate your limited defences on those areas that are vulnerable.
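As an added illustration of the centralised model described above (not code from Arcanum or from any scanner or service management product), the following Python turns constructed scan findings into per-owner remediation tasks measured against a written patch cadence. The asset names, owners, CVSS scores, placeholder CVE ids and SLA values are all assumptions chosen for the example.

```python
"""Added example (hypothetical data model): scan findings -> owner-allocated remediation tasks."""
from collections import defaultdict
from datetime import date

# Written policy cadence (assumed values): routine patches within 30 days, urgent (CVSS >= 9.0) within 7.
ROUTINE_SLA_DAYS = 30
URGENT_SLA_DAYS = 7

# Constructed asset register: asset -> allocated owner. "legacy-hmi" deliberately has none.
ASSET_OWNERS = {"plc-gw-01": "ot-team", "hist-srv-02": "ot-team", "web-portal": "it-ops"}

# Constructed findings; CVE-0000-xxxx are placeholders, not real identifiers.
FINDINGS = [
    {"asset": "plc-gw-01", "cve": "CVE-0000-0001", "cvss": 9.8, "first_seen": "2021-01-20"},
    {"asset": "hist-srv-02", "cve": "CVE-0000-0002", "cvss": 5.3, "first_seen": "2021-01-25"},
    {"asset": "web-portal", "cve": "CVE-0000-0003", "cvss": 7.5, "first_seen": "2020-12-01"},
    {"asset": "legacy-hmi", "cve": "CVE-0000-0004", "cvss": 8.1, "first_seen": "2021-01-28"},
    {"asset": "plc-gw-01", "cve": "CVE-0000-0005", "cvss": 4.0, "first_seen": "2021-01-30"},
]
REPORT_DATE = date(2021, 2, 1)  # constructed "today" so the example is reproducible


def sla_days(cvss):
    """SLA the written policy assigns to a finding of this severity."""
    return URGENT_SLA_DAYS if cvss >= 9.0 else ROUTINE_SLA_DAYS


def triage(findings, owners, today):
    """Per-owner task lists, overdue first then highest CVSS; unowned findings reported separately."""
    tasks, unowned = defaultdict(list), []
    for f in findings:
        age = (today - date.fromisoformat(f["first_seen"])).days
        sla = sla_days(f["cvss"])
        task = {**f, "age_days": age, "sla_days": sla, "overdue": age > sla}
        owner = owners.get(f["asset"])
        (tasks[owner] if owner else unowned).append(task)  # no owner = nobody can action it
    for lst in tasks.values():
        lst.sort(key=lambda t: (not t["overdue"], -t["cvss"]))
    return dict(tasks), unowned


def overdue_summary(tasks_by_owner):
    """Where you are still vulnerable and who is on the hook: overdue count per owner."""
    return {o: sum(t["overdue"] for t in ts) for o, ts in tasks_by_owner.items()}


def run_report():
    """Entry point: (tasks_by_owner, unowned_findings, overdue_per_owner)."""
    tasks, unowned = triage(FINDINGS, ASSET_OWNERS, REPORT_DATE)
    return tasks, unowned, overdue_summary(tasks)


if __name__ == "__main__":
    print(run_report())
```

The unowned list is the gap the central body has to close first, since a finding with no allocated owner never becomes a task.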
Lawrie Abercrombie and Chris Gausden are both Principal Consultants with Arcanum, an NCSC Certified Cyber Security Consultancy. Together they have more years dealing with Cyber Defence and CNI than all of our gap-year students have been alive...
If what they have written about in this piece strikes a chord and you’d like to develop what they’ve said to protect your systems, give us a call and we’d be more than happy to talk.