It's OK for Some Things to be Hard

(This was authored by Spearpoint and is cross-posted at Energy Central)

Let me start with the best part in case you don’t have time to read on: 

There is business value in difficulty. If you can add extreme difficulty for an attacker and only minor inconvenience to yourself, that’s a good thing. Utilities should focus on leveraging network architecture to add attacker difficulty while maximizing uptime and controlling costs.

I can practically hear peoples’ eyes rolling when talking about basic cyber hygiene. They tire of the inconveniences they experience throughout any given day: changing passwords too often, two-factor authentication codes, VPNs, screen locks, etc.

I get it. Sometimes it gets to me too, but my perspective reminds me it’s worth it.

I’d like to alter your paradigm by highlighting the value of difficulty.

start with a story

Imagine yourself in this situation: It’s raining. You get home with a double-armload of groceries to carry in. Hurrying to the door, you forgot to get out your key, so you dig for it. You find it while juggling the groceries. Just as you’re getting your key, a glass jar and several other items crash to the ground. Soaked, you finally get the key and unlock the door. You sop inside, frustrated with the whole process.

 

The Alternative

Imagine this: It’s raining and you get home with the same groceries. But this time, getting inside is no sweat since you left the door unlocked to make it easy to get in and out. You hurry inside, barely wet, and put away your groceries, patting yourself on the back for how convenient you’ve made your life.

 

What if...

If you got home to find your front door open, what would you feel in the pit of your stomach? Imagine that feeling and spend a moment going through the scenario: Would you call the police? Go inside? Stay out? What would you feel and what would you do?

 

Either way...

Let’s face it, we keep our homes and cars locked even though it might cause us to get stuck in the rain or locked out if we lose our keys. Using a key is acceptable because we see the value of the difficulty of bypassing locks, despite the extra effort required. If a slight inconvenience to you adds significant difficulty for an attacker, the appropriate course of action should be apparent.

 

For Utilities

What else does new technology have access to? If you add AMI or other IoT devices, are they properly segmented? Can you do micro-segmentation to isolate them from one another?

 

How to measure security value

In a nutshell, the added difficulty for an attacker minus the added difficulty for you equals the value of a given security measure. 

Oversimplified: an attacker’s difficulty (10) minus your difficulty (2) equals security value (8). Budgetary prudence also applies... obviously, posting armed guards around my garden is a mismatch. So strike a balance between security value and monetary value/cost, but you get the idea by now.

 

Where you can start

Get help: A 3rd party security/risk assessment will uncover key issues and provide essential guidance. It’s common to discover security, compliance, and even reliability issues with existing network architecture.

My favorite line about IoT (Internet of Things) is: 

In “IoT”, the “S” stands for “security.”

If your network has “smart” anything on it, you need a 3rd party network architecture review to ensure you’ve added sufficient difficulty for attackers.

Contact us today for an architecture and security review.

 In my work, what I have come to find is AMI, IoT, and smart-whatevers mostly don’t create new problems — they highlight existing problems, or reveal existing security architecture inadequacy. We’ve been able to identify and address underlying issues by running an assessment, then leveraging SD-WAN as a master solution.