When Cybersecurity Regulation Becomes Mandatory
Sunday, June 27th, marked the 30-day vulnerability assessment report deadline prescribed in late May by the Transportation Security Administration (TSA). In direct response to the Colonial Pipeline cyber-attack that shut down operations for a week and under a cloud of ongoing, increasingly bold, and sophisticated cyber-attacks, the U.S government has taken steps to make a concerted effort to bolster critical infrastructure cybersecurity.
Operations across critical infrastructure industries must address cybersecurity. But at the same time, sectors and practitioners are pondering what the future will look like for cybersecurity. What role will the government play? And will there be increased mandatory regulations?
Cyber threats for critical infrastructure: How did we get here?
Especially in the IT realm, cybersecurity isn’t new; it’s required to adopt efficiency-creating technologies while minimizing risks to the business. But when it comes to critical infrastructure, and especially in the industrial control system (ICS) or operational technology (OT) arenas, technology was adopted before security was an issue. Because, at that time, air-gapping was still widely used and effective – which is not the case today. In our assessments, we often find that customers are much more exposed and less air gaped than they believed themselves to be.
As critical infrastructure industries adopted new technologies, from IT to field sensors, they inadvertently converged and connected operational physical processes to the digital world. And in doing so, organizations became exposed to a host of new cyber threats that IT teams and operators were ill-prepared to combat.
In simplistic terms, that is what happened to Colonial Pipeline. An IT vulnerability became a full operation shut down out of an abundance of caution and to “contain the threat.” That is, once infiltrated, there was little control, protection, or confidence that the threat could be contained without shutting down (Read more...)
*** This is a Security Bloggers Network syndicated blog from The Mission Secure Blog authored by Paul Robertson. Read the original post at: https://www.missionsecure.com/blog/when-cybersecurity-regulation-becomes-mandatory