Thursday, April 17, 2014

Two Views of Today's Cyber Risks

This week I've had the chance to read two reports that gave me -- and I expect will give others -- a powerful view of the cyber challenges we face.  The first is a global view of our reliance on the Internet and the "...increasing danger of global shocks initiated and amplified by the interconnected nature of the internet."

The second is a survey conducted by Control Engineering magazine on how practitioners in the industrial controls domain view cyber security.  The survey revealed that almost 50% of the respondents perceive the control system threat in their organizations to be at a moderate level, while 25% rate the threat level to their systems as "high" or "severe."

So, rather than provide detailed reviews of each document, let me point you to the appropriate links and add some summary notes:

Risk Nexus - Beyond Data Breaches: Global Interconnections of Cyber Risk -- Zurich and Atlantic Council

This well-written report (30 pages) steadily raises the stakes of the global risk that comes with our reliance on the Internet and ecommerce, in a manner similar to the World Economic Forum's annual Global Risks reports.  Perhaps we are so closely connected to the Internet that we put ourselves in harm's way with respect to our economic -- and maybe even mental -- well-being.

One quote that I find especially telling is:

"The internet of tomorrow will both initiate and amplify global shocks in ways for which risk managers, corporate executives, board directors, and government officials may not be adequately prepared."

Finally, take a look at Page 8 of the report, where they describe seven aggregations of cyber risk that certainly made me think:

  1. Internal IT enterprise (hardware, software, servers, and related people and processes)
  2. Counterparties and partners (relationship between competing/cooperating entities, etc.)
  3. Outsourced and contract (IT and cloud providers, contract manufacturing)
  4. Supply chain (Exposure to a single country, counterfeit or tampered products, risks of disrupted supply chain)
  5. Disruptive technologies (internet of things, smart grid, embedded medical devices, driverless cars...)
  6. Upstream infrastructure (submarine cables, internet governance and operation)
  7. External shocks (major international conflicts, malware pandemics)

At a minimum I'd suggest you pass this report to your Board of Directors and Executive Management so they get a sense of another view of risks that need to be addressed and mitigated.

Control Engineering Cyber Security Study - April 2014 (Registration Required)

Compliments to the Director of Research for Control Engineering, Ms. Amanda McLeman and her colleague Mark Hoske for this summary report.  The report is based on a survey of about 190 respondents from February 7 to March 2, 2014.  So the data is fairly contemporary.

This summary report is a collection of graphs showing the demographics of the respondents as well as the summary results of the questions.

The report includes a good summary graph of the threats considered by the respondents.  The top three system components the respondents are most concerned about are:

  1. Computer assets that are running commercial operating systems
  2. Connections to other internal systems
  3. Network devices

And a summary of key "bullets" from the report:

  • 24% of respondents said they had NEVER performed a systems security vulnerability test
  • 25% of those surveyed indicated their computer emergency response team appears well trained and capable
  • 41% agreed that having industry-required standards without government involvement would improve or enable their efforts to implement proper control system cybersecurity.  (So, maybe the NIST Cyber Security Framework has some hope?)

Thanks for taking the time to read my comments and have a good week!