In response to the flood of messages that have hit my inbox over the past few hours regarding the rumored JBS SA hack: Were we just cut off from our meat supply? Will prices skyrocket? How long will we feel this pinch? Are gas prices back to normal yet?
“The first report is usually wrong.”
Memory toys with the mind; and the grizzled Marine instructor’s name eludes me. He was discussing the fog of war, and how rumors spread. It was the spring or summer of 2009. Virginia? Arizona? Perhaps San Diego. I was sleep deprived. Some kind of a live exercise. Simunitions were involved. It was cold.
The lesson remained with me in the White House, seven years later. Our cyber team on the National Security Council Staff regularly received reports of cyber-attacks, at all hours. Some proven real, others ephemeral. First reports were rarely accurate, though usually well intentioned. Someone once declared “we lost [an entire State]!” I would ask for data. Hours later, the claim was quietly modified.
Three things worth considering.
The full JBS SA story won’t likely be known for a while, but we can use the event as a call to action for those responsible for safeguarding these critical systems. Here are some high-level thoughts for those wrestling with this new world:
First: Cyber attacks impacting industrial systems are here to stay.
The past six months have illustrated that the threat of cyber attacks against industrial control systems is not “emerging,” it’s here. To the best of my knowledge, recent ransomware attacks have targeted information technology (“IT”) networks, but the future is likely to see cyber-attacks directly targeting operational technology (“OT”) like building management systems, gas turbines, and more. In slightly more technical terms: today we are experiencing attacks that result in “loss-of-visibility.” It’s time to start thinking about attacks that intend to create “loss-of-control.”
Second: The basics matter now, more than ever.
Attackers need to get into a network, and the easiest way remains the traditional routes that have vexed parties responsible for the security of information technology systems for the past decade or more. Phishing, port-scanning, “n-day” vulnerabilities, and the like. Now is the time to double down on best practices like patching and upgrading, while talking with senior executives and boards of directors to look at making long-term investments into endpoint and network security for both IT and OT networks over the next 18-36 months.
Third: It’s up to you to ask the hard questions.
If you’re a COO, CTO, CISO, or simply the person who volunteered to own the ICS cybersecurity mission at your company, now is probably a good time to start asking hard questions. Modern industrial control systems are increasingly connected, either to IT networks, or even to the internet, by default. Be skeptical when you are told the systems are “air-gapped.” Consider digging a bit deeper. Do the original equipment manufacturers or the system integrators have remote access? How frequently is the software/firmware updated? Are there other points of connectivity between ICS and your company’s IT networks?
Conclusion: Now what?
Just like in the military, good training and basic planning can pay real dividends when the inevitable happens. Try running a table-top exercise with executives, management, and operators. Spend a half day with a few critical stakeholders and think through your threat models. Brainstorm five worst-case scenarios and build a simple ten-step playbook for each, printing them out for key members of your team, and critical company leadership. And remember, there are plenty of great free resources available.
Good luck out there.
N.B. Years of working in highly contested and potentially litigious environments compel me to caveat what you’ve just read as my own opinion, and not in any way, shape or form any kind of advice about how you should go about securing the things you care about from hackers who are probably pretty smart, and highly motivated.