Tuesday, September 10, 2013

Rule #1 -- Protect the Data

In today's Utility Intelligence email newsletter there is an article by Mr. Russel Van Tuyl entitled "Cybersecurity rule #1: Know your network."

His article for energy/utility executives notes that the new NIST cybersecurity framework and even the Department of Energy  Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) can be used to argue that the first thing you need to know is your network so you can better defend it.

I will not argue that knowing your network architecture is important; however, what I will argue is that the first and foremost thing you need to know is where your data is and where your control systems are and how they are protected.

Knowing a network architecture will not help prevent a breach when your CEO loses a USB drive with critical corporate information.  Also, knowing your network presumes that your "perimeter" will protect you.  

Sadly, the perimeter and "castle and moat" methods of cyber security defense are not the most effective in protecting systems and data in today's "perimeterless" networks.