By Jason Taule, Chief Information Security Officer & Vice President of Standards
What do you do for a living? We all get asked this question. “I’m in cyber” is the typical answer I offer, figuring most people are just making polite conversation and don’t really want me to go into detail. What’s interesting is how the reaction this answer begets has changed over time. Most people respond with “wow” or “ooh, that must be exciting.” Having been in this business for more than 35 years, it’s rewarding to know that the CISO job now has universal recognition. Had I told someone at a cocktail party 30 years ago that I was in cyber, they would have had no idea what I was talking about or might have thought I was talking about robots. Now, however, people presume that my job is filled with endless excitement – I assure them that it’s rarely like that.
Of course, like any profession, being a CISO definitely has its moments. But for most CISOs, it’s a never-ending struggle to keep an otherwise well-intentioned workforce from letting their guard down combined with a constant battle to remain current with technological advancements, changes in business paradigms, and the emergence of new and advanced threats. The thought may have already occurred to some of you that this presumes, of course, that we’ve already taken care of the basics, which I agree is something we cannot overlook and brings me to the point of this blog. The events that took place earlier this month at a small, U.S.-based water treatment plant are just the latest in a series of computer hacks, systems break-ins, and data breaches that can be prevented by diligence with respect to the basics.
Remember the “Club” anti-car theft device? That device wasn’t designed to make it so that cars couldn’t be stolen (professional thieves knew how to defeat it). However, it was an effective deterrent to theft because it meant it would take the thief longer to steal a car with the Club than one without it. The same thing goes with cybercrime. Doing the basics is like putting a Club on your systems, networks, and data. And worse yet, not doing the basics of information protection is the equivalent of leaving your car unlocked with packages in view and the keys in the ignition. If any of us did that and had our car broken into, packages taken, or our vehicle is stolen, we would have no one to blame but ourselves (and most of us would be quite embarrassed when filing a police report).
So, I then question whether we should be surprised at the water treatment plant break-in? Reportedly1, the organization was operating an outdated version of Windows, had a weak network design without a firewall, and allowed remote access passwords to be shared. Those fluent in technology understand how basic these mistakes are; but for the uninitiated, please let me explain that these practices are inconsistent with what is considered reasonable and appropriate, are out of alignment with any of the leading information protection and compliance frameworks (including the HITRUST CSF), and leave the organization open to possible charges of negligence. Here’s why:
- Outdated Software – When you read in the news that an organization was found to be running outdated software, what that means is that the vendor who made that software has publicly announced that they are no longer maintaining their product. That means they are no longer evaluating their software for weaknesses and are no longer developing patches for the flaws that bad actors uncover and exploit in an attempt to compromise systems and data. Running software that is likely to have holes in it for which the vendor is not producing fixes means that organizations are not protecting themselves against reasonably anticipated threats, which is so important that in some sectors, regulations have actually been passed against this behavior. This is why updating and only running supported software is considered a basic practice.
- Weak Network Security – Having a firewall is as basic a security control as they come. This isn’t like driving a car without seatbelts; this is like driving a car without brakes. An organization that connects its internal computer network directly to the public network (i.e., internet) without a firewall is all but guaranteed to be compromised. In the 1990s researchers conducted an exercise known as “The San Diego Experiment” in which they put a server directly on the internet to measure how long it would take for it to be found, attacked, and compromised. Those early results were measured in weeks and months. Similar experiments have been repeated since and recent results now measure “time-to-own” in hours and minutes. If you need to leave your house with the front door unlocked, that might be an acceptable risk; but leaving the house without a door at all, that’s quite another thing.
- Shared Passwords – Most of us participate in some scenario in which passwords are shared. Often this is normal and even encouraged by the application provider. Families using a shared Amazon, Netflix, or Spotify account are scenarios that immediately come to mind. But in this case, the fact that we all know and use the same password is acceptable because there is no sensitive data being put at risk. However, having members of your workforce all use the same shared password to gain remote access to your network may be convenient, but it is a very bad idea. In fact, it is prohibited by many security frameworks, is outlawed by various rules and regulations, and is otherwise inexcusable as it limits the ability to attribute actions to a single individual, meaning that organizations cannot hold anyone accountable. Worse yet, a shared password makes it geometrically less likely that the password will remain secret. And when organizations rely on passwords as the single mechanism by which they govern access to their sensitive facilities, systems, networks, and data, the likelihood of compromise increases to unacceptable levels.
Now I know that some of you may be saying, wait a minute, the systems used by utilities like a water treatment plant are different. Yes, specialty purpose systems such as SCADA are used to control plants or equipment in industrial applications within the energy, water, waste control, and like sectors, and they do differ. However, most of these systems now incorporate and use Internet Protocol (IP)-based technologies and are being connected to the internet, which means that in doing so, organizations expose themselves to the very same risks that must be managed on data networks. And let’s not forget that Water and Wastewater Systems are one of our nation’s critical infrastructure sectors, meaning that the risk decisions made when these systems were originally developed are no longer valid. Risk is a constantly evolving measure for which organizations must continually evaluate and adjust their course accordingly.
I want to point out that leaders and security professionals at municipal utilities needn’t take the blame for breach situations themselves. Instead, they should look at their role as one responsible for calling attention to a matter of risk and stimulating public conversation. In the end, utilities must make do with limited funding, and when it is not enough to protect what we all agree is a critical resource, they need to calmly and directly make the case for additional funding. Security doesn’t need to be perfect, but it does need to at least cover the basics. In the end, if a community chooses not to provide adequate funding, then no one can later assert that these decisions were made in a vacuum.
Additionally, not being one to call attention to a problem without also offering a solution, let me share how HITRUST can help. First, HITRUST has identified and grouped together a set of Core controls. This set is a small extract from more than 2,000 control requirements in our framework that represents lean essential good hygiene practices applicable to all organizations. Organizations can and should take advantage of HITRUST’s many scoping and regulatory factors that will help them identify how to manage the full range of risks to which they are exposed. However, by starting with and focusing on just the Core set of HITRUST CSF controls, organizations in all sectors can ensure that they are not being negligent, are doing what is reasonable and expected, are providing assurances to leadership and trading partners, and in doing so will go a long way in earning and keeping their customer’s trust.
A second major way in which organizations can leverage the HITRUST Approach to address threats like this that will continue to plague all operations that rely on the public network is to leverage the HITRUST Threat Catalogue. This tool enumerates and presents an exhaustive catalogue of threats that organizations can reasonably anticipate. Detailed mappings are then provided to the HITRUST CSF controls, whose objectives are designed to enable organizations to safeguard their information against these threats. In fact, this catalogue identifies controls specifically related to threats of an intentional, adversarial, and logical nature like those that recently affected the water treatment plan in question. So, whether it’s by leveraging the HITRUST Approach or another solution, do the basics and you will be able to answer the question about what you do for a living proudly!