Do you have a dirty cyber secret?
I suspect most of us do. Not the kind of secret sin-of-commission-or-intention like Ashley Madison subscribers (what a mother lode for gossip columnists, divorce lawyers, and hopeful heirs!) but, rather, the secret sin-of-omission in our cyber security hygiene practices. These are just some of the omissions, the secrets, we don’t talk about voluntarily:
- Passwords reused for multiple accounts
- Accepted-but-not-read user license agreements (ULAs)
- Emergency use of a public Wi-Fi router (Just this once!)
- Lax data and system backup practices (Do you know where your backup files are? Are they readable?)
- Unread security logs
- Device-sharing with others
- Suspected or actual information hacks, exploits, or compromises
Third-party performance of a gap analysis on organizational (or personal) cyber security practices can feel like an invasion of privacy: a hunt for what is not being done well rather than discovery of what is being done well. It’s uncomfortable. If our peer companies are not experiencing issues, perhaps it’s better not to look too deeply: plausible deniability. But is plausible deniability a defensible stance? Increasingly, it appears that being able to show evidence of reasonable security efforts will relieve organizations from severe liability for breakdowns in information protection. Developing and implementing a coherent plan is preferable to doing nothing—or procrastinating.
Risk Analysis: Cyber Security as the 21st Century Industrial Safety “Secret Shame”
In his keynote talk about cyber security as the 21st Century equivalent of industrial safety silences in the pre-OSHA era, Travis Hessman (Editor-in-Chief, Industry Week) commented on the enormous gaps in reporting by industry spokespersons about the cost and frequency of cyber security attacks actually experienced—at least within non-IT and nonregulated industries. Headlines appear regularly about information breaches in the medical, government, financial, and retail services sectors. But manufacturing? Not so much. It's little wonder that, for manufacturers, weighing the risk of action against inaction does not always drive the decision to invest in security. The textbook formula for risk is the product of impact and probability; dividing that product by the cost of a control gives a rough ratio for deciding which controls are worth funding first:
Risk = Impact × Probability, and Priority of a control = (Impact × Probability) ÷ Cost of the control
The impact, or effect on the organization should a particular risk event occur, is multidimensional and varies depending on the industry subsector, business mission/strategy, and client need. The types of possible impact include reputation damage, work order termination, false claims liability, intellectual property (IP) loss, production line shutdown, fines, and so forth. Probability refers to the likelihood of an event's occurrence within a certain timeframe. It may be assessed as high, medium, or low (H, M, L) and assigned a numerical value. In quality terms, it's similar to a spoilage or defect rate—but often more of a guesstimate than an evidence-based number. It could be calculated from historical data (as in the loosely qualified "500-year storm" probability factor). Ideally, it would be based on information shared within the industry, but more on this later. The cost, of course, is the amount of resources (time, money, opportunity) that must be diverted to mitigate, control, transfer, or reduce the risk to a reasonable, acceptable limit. Residual risk is what an organization or individual is willing to accept. (The cost to eliminate all risk is, in effect, infinite.)
Within the context of industrial safety, OSHA-mandated incident reporting altered the understanding of the current state dramatically. According to Hessman, "disabling injuries" were counted only voluntarily in the 1930s, and the 1936 Walsh-Healey Act was inconsistently enforced. By 1969—still pre-OSHA—only 2,929 of 75,000 manufacturing worksites (just 4%) had been inspected, 34 complaints filed, and two companies punished. The post-OSHA numbers are markedly different: Workplace deaths in 1970 were reported to be about 14,000, and the rate of serious injuries was reported as 11 per 100 workers. By 2016, those numbers had changed significantly: workplace deaths were reported as 5,190 (a 63% drop), and the rate of serious injuries was reported as 2.9 per 100 workers (a 74% drop). Of course, diligent tracking and reporting were needed first so that the baseline could be understood.
That baseline is what we need with respect to manufacturing and cyber security. So, what dirty cyber secrets are manufacturers and other organizations willing to share?
Risk Management: Identify, Protect, Detect, Respond, Recover
From my experience, few hands are raised in workshops when the introductory question is posed: “Has your business information been hacked, exploited, or compromised?” But as the discussion continues and in one-on-one conversations, experiences are shared. Does a structure exist to encourage manufacturing (and other) companies to report the security incidents they’ve experienced? This would increase our collective knowledge about which assets are most vulnerable and valuable (identify), how to control asset risks cost-effectively (protect), where to look for indications of compromise (detect), how to contain and report compromise (respond), and what actions are needed to continue business operations (recover).
The anecdotal, informally collected evidence is that a majority of manufacturing companies have been targeted by a bad actor. During the September 11 Northern Colorado Manufacturing Partnership (NOCO) Lunch and Learn, secrets shared by participants included a ransomware attack, a bogus tech support call from Microsoft (with an urgent request to give the caller desktop access), and a few business email compromise (BEC) phishing efforts. In one case I heard, the CFO of an organization received an email request for a $125K wire fund transfer. The email appeared to be from the CEO (believable tone and language) who was traveling at the time, and the transfer was made. The CFO approved the transfer, later asked the CEO in person whether the funds had been received, and was fired on the spot. Manufacturer’s Edge staff received an email message on a Sunday, allegedly from our CEO/President Tom Bugnitz who was driving to the NIST MEP Best Practices Conference. The message started as follows:
[STAFFER NAME], I’ll need you to run a task ASAP . . .
and went on to say that he was not available via phone. No suspicions were raised, since everyone knew he was traveling—but the email address was weird (although not immediately apparent if viewed on a small cell phone screen). Those who opened the full email read that Tom apparently needed them to go out and buy $500 worth of [VENDOR] gift cards and send the codes to him. No one believed that request was legitimate, but the customized greeting showed a certain amount of research on the part of the bad actor.
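The two messages above share a recognizable fingerprint: an executive's name in the display field with a sender address that is not the executive's, a claim of being unreachable by phone, urgency, and a request for a payment instrument or a dollar amount. As an added example (not code from Manufacturer's Edge or the article's author), the script below parses a raw message and returns the red flags it finds, so a mail gateway or help desk can hold such messages for out-of-band verification. The executive directory, the company domain, the keyword lists, the lookalike-domain heuristic, and the three sample messages are all constructed assumptions for illustration.

```python
"""Added example: flag business email compromise (BEC) indicators in a message.

Not code from the original article. The executive directory, company domain,
keyword patterns and sample messages below are assumptions for illustration.
"""
from __future__ import annotations

import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: executives people would obey, keyed by lower-cased display name,
# mapped to the single address each one actually sends from.
EXEC_DIRECTORY = {"tom bugnitz": "tbugnitz@manufacturersedge.example"}
INTERNAL_DOMAIN = "manufacturersedge.example"  # assumed company mail domain
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

URGENCY = re.compile(r"\b(asap|urgent(ly)?|right away|immediately)\b", re.I)
UNREACHABLE = re.compile(r"\b(can'?t|cannot|not|unable to)\b.{0,30}\b(call|phone|reach|talk)", re.I)
PAYMENT = re.compile(r"\b(gift ?cards?|wire( transfer| funds)?|transfer)\b", re.I)
AMOUNT = re.compile(r"\$\s?\d[\d,]*(?:\.\d+)?\s?[kK]?")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _looks_like(domain: str, legit: str) -> bool:
    """Assumed heuristic: a sender domain within roughly one edit of our own
    (e.g. 'rn' for 'm', a dropped letter) is treated as a lookalike."""
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= 0.9


def bec_indicators(raw: str) -> list[str]:
    """Return the BEC red flags found in one plain-text RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    flags: list[str] = []

    # 1. A known executive's name on the display field, but not their address.
    known = EXEC_DIRECTORY.get(display.strip().lower())
    if known and addr.lower() != known:
        flags.append(f"display name '{display}' is a known executive but address is {addr}")
    # 2. External sender: freemail or a lookalike of our own domain.
    if sender_domain and sender_domain != INTERNAL_DOMAIN:
        if sender_domain in FREEMAIL:
            flags.append(f"freemail sender domain {sender_domain}")
        elif _looks_like(sender_domain, INTERNAL_DOMAIN):
            flags.append(f"lookalike sender domain {sender_domain}")
    # 3. Replies silently redirected elsewhere.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From")
    # 4. Social-engineering content: urgency, no phone, payment, amount.
    if URGENCY.search(text):
        flags.append("urgency language")
    if UNREACHABLE.search(text):
        flags.append("claims to be unreachable by phone")
    if PAYMENT.search(text):
        flags.append("asks for a payment instrument (wire/gift cards)")
    if m := AMOUNT.search(text):
        flags.append(f"dollar amount requested: {m.group().strip()}")
    return flags


def should_hold_for_verification(raw: str, threshold: int = 3) -> bool:
    """Assumed policy: three or more indicators means verify out of band."""
    return len(bec_indicators(raw)) >= threshold


# Constructed samples modelled on the two incidents described in the article.
GIFT_CARD_PHISH = """\
From: Tom Bugnitz <tom.bugnitz.ceo@gmail.com>
To: staffer@manufacturersedge.example
Subject: Quick task

Hi, I'll need you to run a task ASAP. I'm driving to the conference and
can't take calls right now. Please buy $500 worth of gift cards and send
me the codes.
"""

WIRE_PHISH = """\
From: CEO <ceo@rnanufacturersedge.example>
To: cfo@manufacturersedge.example
Subject: Urgent wire transfer

I'm travelling and can't be reached by phone. Please wire $125K to the
vendor account below before close of business.
"""

LEGIT_NOTE = """\
From: Tom Bugnitz <tbugnitz@manufacturersedge.example>
To: staffer@manufacturersedge.example
Subject: Conference slides

Attached are the slides from the NIST MEP session. No action needed.
"""

if __name__ == "__main__":
    for name, sample in [("gift card", GIFT_CARD_PHISH), ("wire", WIRE_PHISH), ("legit", LEGIT_NOTE)]:
        print(name, should_hold_for_verification(sample), bec_indicators(sample))
```

None of these checks replaces a phone call to the executive on a number you already have; the point is that the hold-for-verification decision can be automated so it does not depend on a staffer noticing a "weird" address on a phone screen.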
And the stories continue to be told about organizational disruptions due to cyber incidents, substantiating the observation that 55% of SMBs have experienced a data breach or cyber attack—and that 60% of those affected are left severely impaired.
On 12 September 2018, Denver-based Colorado Timberline sent an announcement that it had closed operations due to a ransomware attack. The announcement was also posted on the locked front door in both English and Spanish. Since the case is under investigation, few details are available at present, but the impact to the 100 or so employees of the five-year-old company is clear.
So, what can actual and potential members of the #HACKEDMETOO community do?
Example of WHAT NOT TO DO:
Pay hush money to hackers.
After the October 2016 hack of Uber's personal information on 57 million customers and drivers, which included the latter's driver's license numbers (personally identifiable information, reportable under various state privacy laws), the then-CISO and his team paid the hackers $100,000 to delete the stolen information and say nothing. More than a year later the attack and payoff were publicized, and public shaming followed. (At least Uber didn't offer one year of free credit monitoring by Equifax.)
Examples of WHAT TO DO:
Implement learning from the 6 September 2018 NIST MEP webinar.
Pat Toth and I delivered a webinar for Modern Machine Shop Magazine on “5 Steps to Reduce Your Company’s Risk of Cyber Attacks.” Recommendations included employee training, machine cleaning, mobile device configuration, regular backups, and robust access control. Source here.
Learn from the mistakes/omissions of others.
No responsible business owner wants to make a decision like Colorado Timberline’s. The Colorado Rocky Mountain Chapter of the Association of Continuity Professionals https://www.crmc-acp.org is a good resource for implementing recommendations contained in this article on Colorado Timberline: establish a business continuity plan, create a good backup plan, and use multilayered security.
Consider registering with an Information Sharing and Analysis Organization (ISAO) or an Information Sharing and Analysis Center (ISAC).
US Department of Homeland Security (DHS) defines an ISAO as “a group created to gather, analyze, and disseminate cyber threat information. Unlike ISACs, ISAOs are not directly tied to critical infrastructure sectors, as outlined in Presidential Policy Directive 21. Instead, ISAOs offer a more flexible approach to self-organized information sharing activities amongst communities of interest such as small businesses across sectors: legal, accounting, and consulting firms that support cross-sector clients, etc.” The SMB ISAO has a security operations center (SOC) at its cyber support center located in Colorado Springs. Membership in an ISAO may be used as evidence of following “reasonable security practices.”
The State of Colorado is a member of the Multi-State ISAC (MS-ISAC) and has listed 10 critical infrastructures (http://www.oit.state.co.us/ois/ms-isac). More information on ISACs for specific critical industry sectors is available here.
Report spam calls to your service provider and advocate for assistance.
Although my mobile phone number is on the Do Not Call registry and I’m a frequent complaint-filer, this past week I’d been receiving multiple robocalls from New Jersey-based phone numbers with offers for health care services and alleged connection to well-known providers. I’d block a number and another would appear in Whack-A-Mole manner. I called Verizon to ask about blocking area code 201 and was told such blocking was not possible (although an Internet search seemed to indicate it was doable). I’ve not received a 201-robocall since. (I hope I didn’t just jinx myself!)
Clean up your dirty cyber secrets.
Develop and deploy a system security and incident response plan, as required under Colorado HB 1128. Take the first steps toward squelching your dirty cyber secrets and commit to a plan of action and milestones (POAM) for being more secure tomorrow than you are today.
I’m working on mine!
©2018 Manufacturer’s Edge