In cybersecurity what is good enough? CISOs struggle to provide cybersecurity for their organizations with the budget and resources provided. All cybersecurity efforts have their limit, but the question remains, is it good enough?
In a sense, the 90% security solution isn’t much better than the 10% security solution. This is the nature of the asymmetric threat that cyberattack presents. The attackers, as is often remarked, have the advantage in that they only need to find one opening, while the defenders need to ensure a seamless defense posture. In this light, good enough amounts to doing everything possible to protect your system from cyberattack. The attackers have shown that they will eventually penetrate systems that do not possess comprehensive cybersecurity, as is evidenced by the endless series of highly publicised breaches such as we’ve seen recently at Equifax and now at Deloitte.
A key principle of cybersecurity is that it must be designed and built in from the beginning of a system development. The alternative, the course which most organizations have taken, is to make incremental improvements in the cybersecurity of their systems by adding external cybersecurity systems such as firewalls, IDSs, and anomaly detection, and by attempting to bolt-on security elements such as cryptography to their existing systems via plug-ins and modules.
The problem is that by its very nature, this incremental approach will always be behind in the race to secure systems, and always leave systems vulnerable to yet another cyberattack. These systems are locked in an endless, tit-for-tat cycle of vulnerability discovered, exploit created, and patch released... rinse and repeat. Only by breaking that cycle will we ever have any confidence in the cybersecurity of our systems.
Now, control systems are also becoming a target for cyberattack as they are increasingly being attached to the Internet. The threat for these systems is far greater than for IT/Data systems as the consequences of a successful cyberattack is far more dire. Control systems operate machinery, factories, chemical plants, etc., which if successfully attacked could lead to millions of dollars in losses, downtime of weeks or months, and the injuries and deaths of personnel.
Fortunately, we have a better method for controls applications. These systems are highly constrained and specialized. So, that we can properly delimit the bounds of the system and formulate a proper, scientifically defensible, engineered solution that provides the comprehensive cybersecurity that is so desperately needed by these systems.
At Cognoscenti Systems we have applied the above principles in designing our ControlMQTM secure communications product for controls in order to achieve unmatched network security for control applications. Find out more at: www.cognoscentisystems.com