I recently attended a presentation on “Risk-based Cybersecurity”. I’ll admit I was skeptical before I even sat down - the title sounded like it was going to be a way to paper over ‘doing nothing’ to fix InfoSec issues (I was wrong, but not by much).
The presentation was given by a “security professional” who recommended a long and laborious process of describing and documenting all connected sub-systems and appliances in your system, consisting of hundreds to thousands of such sub-systems. Then, create a “fault tree”-like diagram (minus the logic symbols) showing the relationship between these sub-systems and the normal communications occurring between these sub-systems. Then, as a mitigation, divide your network up into segments based upon the fault tree.
Most remarkable was the presenter’s expectation that all this work would be performed by the end user!
Now, how the end user was supposed to know what was being communicated wasn’t really presented.
How the end user was supposed to know the vulnerabilities present in each of the sub-systems likewise wasn’t addressed.
It was furthermore assumed that the end user was an expert in the current state of InfoSec threats and their impact on a given attack surface.
Somehow, the end user was expected to create this assessment and then parse out the network into individual pieces, definitively separating IT segments from operational control segments with even finer levels of granularity within those major divisions.
I wanted to ask, “Have you ever seen how even a medium-sized business operates, let alone a huge company?” It would sure be nice to live in a ‘fool’s paradise’ and assume that network segments described on paper at the end of this process would remain static going forward, but at the end of the day, a company needs to accomplish whatever its primary service or product requires. If that means blind-bridging across segments to get the job done, then that is what is going to happen. Bridges are going to be built, cables are going to be run, and security mistakes are going to be made.
Placing the burden of securing a complex system on the end user can’t and won’t work. The end user wants to employ commercial and proprietary systems to improve their own products and services, not to perform thousands of hours of documentation and analysis based on little knowledge about how the system / sub-system actually works, its vulnerabilities, and current threats.
So who is responsible? The only group that can be: the original equipment manufacturer (OEM). They are the only entity capable of assessing their own sub-system’s vulnerabilities, the effectiveness of mitigations utilized, and the potential impacts of connecting into other systems. They should also have the InfoSec expertise on-staff or readily available to perform these activities to the level needed by the nature of the sub-system. This results in deliverables that can be shared with the end user, so that the end user can make purchasing decisions based on their level of risk.
Fortunately, this is the path that the most advanced InfoSec groups seem to be taking, such as the vulnerability disclosure and scoring effort undertaken by the members of NH-ISAC (https://nhisac.org/).
These and similar practices allow manufacturers to use security as a ‘competitive advantage’ in their marketplace - without having to make public statements about how secure they are. (Those types of proclamations just invite additional attacks upon your products, and most manufacturers are correct to shy away from making them).
The end user’s ongoing, post-market relationship with these OEMs is critically important, too. As vulnerabilities and threats are discovered by an OEM, the end user needs to be informed of such risks, how they apply to their business, and if need be, how they can be mitigated.
It’s a win-win for everyone: the security-conscious manufacturer gets a leg up in the market, and the end user gets expert insight into the security of a sub-system before and after they integrate it into their system.
Whenever any part of a security function or mitigation requires significant assessment activity by the end user, it is not a good solution. Don’t burden end users with this. Instead, develop a diligent, forward-looking security posture. Device security is too important for OEMs to push their responsibility onto end users.