Risk Management

What’s the biggest threat to the industrial internet of things (IIoT) space?

Top Answer: A native industrial cyber attack has truly yet to happen. Most of the cyber attacks that have touched industrial environments have been IT-level attacks, like ransomware, or breaking in through enterprise remote access protocols. But for example, the world has yet to see a legitimate massive DNP3 attack, which is an industrial protocol, or a Modbus/TCP denial-of-service attack. When that starts to happen, it will be a game changer, because most security initiatives and products focus on protecting the IT side. The thinking is that those attack vectors are the only ones that will be relevant to the industrial side, but that is an incorrect way of looking at this space. That's an outside-in approach. If you look at it from the inside out, you’ll see that there are so many different attack surfaces on the inside of these networks, which is why native-level protection is important. The challenge is that native-level protection is difficult. It requires an in-depth understanding of the network, protocols, devices and the settings of those devices. If you consider Stuxnet, the fanciest part of that attack, from the ICS perspective, was a settings change on the centrifuge controllers. That change took the target out of its normal range of operation in terms of a numerical value. There was nothing on the network that could prevent that numerical value from surpassing an acceptable threshold. And that led to physical damage.
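Added example, not part of the answer above and not code from any product the answerer mentions: a minimal Modbus/TCP write inspector that enforces a per-register operating envelope, which is the kind of protocol-aware ("native-level") check the answer says was missing when a controller setting was pushed out of its normal range. The frame layout (MBAP header followed by the PDU, function codes 0x06 and 0x10) is standard Modbus/TCP, and Modbus/TCP carries no authentication, so a check like this has to sit in the network path. The register map, the unit id, the limit values and the sample frames are all constructed for illustration.

```python
"""Modbus/TCP write-request inspection against a per-register envelope.

Added example for illustration. Modbus/TCP framing is standard; the register
map, limits and sample frames below are constructed, not taken from any
real plant.
"""
import struct

# Constructed register map: (unit_id, register) -> (name, low, high).
# Limits are on the raw 16-bit register value, unscaled.
ENVELOPE = {
    (1, 0x0010): ("motor_setpoint_rpm", 800, 1200),
    (1, 0x0011): ("valve_position_pct", 0, 100),
}

FC_WRITE_SINGLE = 0x06     # Write Single Register
FC_WRITE_MULTIPLE = 0x10   # Write Multiple Registers


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse MBAP header + PDU; return unit id, function code and the
    (register, value) pairs a write request would apply. Raises ValueError
    on malformed input so a broken frame is never silently allowed."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("not Modbus/TCP (protocol id %d)" % pid)
    # MBAP length counts the unit id byte plus the PDU.
    if length != len(frame) - 6:
        raise ValueError("length %d does not match %d" % (length, len(frame) - 6))
    pdu = frame[7:]
    fc = pdu[0]
    writes = []
    if fc == FC_WRITE_SINGLE:
        if len(pdu) != 5:
            raise ValueError("bad FC06 length")
        reg, val = struct.unpack(">HH", pdu[1:5])
        writes.append((reg, val))
    elif fc == FC_WRITE_MULTIPLE:
        if len(pdu) < 6:
            raise ValueError("bad FC16 length")
        start, qty, bc = struct.unpack(">HHB", pdu[1:6])
        if bc != 2 * qty or len(pdu) != 6 + bc:
            raise ValueError("FC16 byte count mismatch")
        vals = struct.unpack(">%dH" % qty, pdu[6:6 + bc])
        writes.extend((start + i, v) for i, v in enumerate(vals))
    return {"tid": tid, "unit": unit, "fc": fc, "writes": writes}


def check_envelope(frame: bytes) -> list:
    """Return a list of violation strings; an empty list means every write in
    the frame targets an allow-listed register with an in-range value."""
    msg = parse_modbus_tcp(frame)
    violations = []
    for reg, val in msg["writes"]:
        key = (msg["unit"], reg)
        if key not in ENVELOPE:
            violations.append("unit %d reg 0x%04X: write to register not in allow-list (value %d)"
                              % (msg["unit"], reg, val))
            continue
        name, lo, hi = ENVELOPE[key]
        if not lo <= val <= hi:
            violations.append("unit %d %s: %d outside [%d, %d]" % (msg["unit"], name, val, lo, hi))
    return violations


def build_fc06(tid: int, unit: int, reg: int, val: int) -> bytes:
    """Construct a Write Single Register request (used only to make samples)."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE, reg, val)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_fc16(tid: int, unit: int, start: int, vals: list) -> bytes:
    """Construct a Write Multiple Registers request (used only to make samples)."""
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE, start, len(vals), 2 * len(vals))
    pdu += struct.pack(">%dH" % len(vals), *vals)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: a normal setpoint, an over-speed setpoint, and a
# multi-register write whose second value pushes the valve past 100 %.
SAMPLE_OK = build_fc06(1, 1, 0x0010, 1000)
SAMPLE_OVERSPEED = build_fc06(2, 1, 0x0010, 1600)
SAMPLE_MULTI = build_fc16(3, 1, 0x0010, [1100, 150])

if __name__ == "__main__":
    for f in (SAMPLE_OK, SAMPLE_OVERSPEED, SAMPLE_MULTI):
        print(check_envelope(f) or "ok")
```

The point of the allow-list is the one the answer makes: a plain firewall sees TCP/502 and lets it through, while this check needs the device's own register map and operating limits to decide, which is why it is harder to build and maintain than IT-side controls.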

Was the need for security in the industrial internet of things (IIoT) underestimated?

Top Answer: Early on in the IIoT space, none of the technologies underlying those devices had changed in 30 years. But the business opportunity turned out to be far more challenging than anybody foresaw at the outset. Back then I would deal with SCADA operators who would tell me, "I've been sitting here for 30 years clicking this button. I know that when I click this button, this happens over there, and that's all I care about. We don't get attacked. I don't care about security. Leave me alone." So how do you sell security to somebody with that mindset? It was challenging, but everything's changing. I see our federal government's involvement in critical infrastructure protection and cybersecurity reporting, which is wonderful. That forces people to do something as opposed to hiding behind the belief that if something isn’t broken, you shouldn’t touch it.

Password Management 2022

With cybersecurity threats on the rise, how does your team approach password security? Benchmark against your peers.

If you are a current SAP customer, when do you plan to migrate to SAP S/4HANA?

Top Answer: No plan to migrate soon.

Is a native-level attack an immediate threat to industrial internet of things (IIoT) devices?

Top Answer: A native-level attack in the immediate future is very plausible. Considering some of the APT modes of operation that I've encountered, the bad actors that would launch an attack like that have already infiltrated their target. They just haven't had the right motivation to kick things off. And that's disturbing. For instance, if you look at the Mirai botnet, the attackers owned thousands of devices and just had them sitting idle until they decided to turn it on. The breached devices went about their normal day-to-day operations until someone upset the owner, or customer, of the botnet. And all of a sudden, the internet as we know it got impacted on a mass scale. The heat maps of Mirai’s impact show how powerful it was. Imagine a native attack on that level happening to our critical infrastructure. That's never happened before, but no one can tell me that the code is not out there. We were able to write some of that offensive code as a Proof of Concept (PoC) when I was at Bayshore Networks, so I know bad actors are able to do the same. 10 years ago, the argument was that nefarious actors don't understand the ICS protocols, therefore they don't think that way. But it’s a mistake to think they haven't learned in 10 years. I'm convinced they have and that's why I'm concerned about the IoT space.

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

Top Answer: Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.


What is the current state of ransomware attacks? What level of defense and preparedness do companies have from their backup support?

What do you think of organizations’ responses to the potential for cyber threats due to the Russia-Ukraine conflict?

Top Answer: When the Russia-Ukraine conflict came to a head earlier this year, our company offered small and medium enterprises our product for free, to help with the impact. We made the offer via LinkedIn and got upwards of 1,600 views within 24 hours, but nobody responded. I'm not sure why, but the early feedback I received from several peers was that the offer hadn’t moved the needle for them because this conflict was seen as a formidable global opponent, which has been found to be not worth the effort. The estimates were overblown and there hasn’t been much impact. A lot of the nation-state teams that I read from continue to predict that we have yet to see the best of what’s to come. So my question is: What's the benefit of holding back your punch? I sense that there is another piece that has yet to fall into place. We're only seeing the early steps towards something. 

Cybersecurity Risk Management in 2021

A high-level look at approaches to cybersecurity risk in 2021. How do you compare to these peer benchmarks?

What do you hope the lasting impact of Log4j will be?

Top Answer: I hope the lasting conversation is around the supply chain itself. We keep forgetting that the internet is not inherently secure because it's open source. It's written by people in the same way that bespoke code is, so it's just as likely to be vulnerable. And that’s underpinning most of what we've built at this point — what are we doing about that? That is where the narrative has shifted. Talking to CISOs is like talking to policymakers. We’re seeing stuff come out of DC around how to legislate open source being secure, which is absurd, but it’s the right conversation to have. The focus has moved away from that specific vulnerability to why that happened, and how we can get better at preventing that from happening again. We need to realize that the internet is just a stack of turtles that are supported by one and a half people in North Dakota, because that's the truth of it. We rely on a lot of different software packages and systems that look a lot like Log4j. So it's not just about this particular piece of code and what it can do. It's about all the other stuff around it. How are we thinking about that from a risk management standpoint? It's an interesting time to be having that conversation because the pandemic has revealed to the average person how supply chains work and what they look like when they’re broken. This is not that different. It's conceptually a bit more abstract for non-technologists to get their head around, but it's quite similar.
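Added example, not part of the answer above: the "stack of turtles" problem in code. Given a component inventory expressed as a dependency graph, it walks every top-level application's transitive closure, reports each occurrence of a named component with the resolved version, and flags versions inside an affected range. The inventory, application names, the internal shim and the framework versions are constructed for illustration. The version range used for log4j-core is the commonly cited Log4Shell one (2.0-beta9 up to 2.14.1, first fixed in 2.15.0); the vendor advisory also lists patched backport releases inside that span, so in practice take ranges from the advisory you act on rather than from this sample policy.

```python
"""Transitive dependency exposure check over a constructed inventory.

Added example for illustration. The graph below is made up; the only
real-world value is the log4j-core affected range, simplified as noted
in the lead-in.
"""
import re

# Constructed inventory: "name:version" -> list of direct dependencies.
# Top-level applications have no version suffix.
INVENTORY = {
    "billing-service": ["spring-boot-starter-log4j2:2.5.6"],
    "reporting-service": ["internal-logging-shim:1.2.0"],
    "edge-proxy": ["netty:4.1.70"],
    "spring-boot-starter-log4j2:2.5.6": ["log4j-core:2.14.1"],
    "internal-logging-shim:1.2.0": ["log4j-core:2.17.1"],
    "netty:4.1.70": [],
    "log4j-core:2.14.1": [],
    "log4j-core:2.17.1": [],
}

# Sample policy (see lead-in for the simplification): component -> (lo, hi).
POLICY = {"log4j-core": ("2.0-beta9", "2.14.1")}


def version_key(v: str) -> tuple:
    """Sortable key for versions like '2.14.1' or '2.0-beta9'; a pre-release
    sorts before the final release of the same number."""
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split("."))
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.match(r"([a-z]+)(\d*)", pre.lower())
        tag, num = (m.group(1), int(m.group(2) or 0)) if m else (pre, 0)
        return nums + (0, tag, num)
    return nums + (1,)


def split_coord(coord: str) -> tuple:
    """'name:version' -> (name, version); a bare application name -> (name, '')."""
    if ":" not in coord:
        return coord, ""
    name, _, ver = coord.rpartition(":")
    return name, ver


def roots_of(inventory: dict) -> list:
    """Nodes nobody depends on, i.e. the top-level applications."""
    referenced = {d for deps in inventory.values() for d in deps}
    return [n for n in inventory if n not in referenced]


def find_exposure(inventory: dict, component: str, lo: str, hi: str) -> dict:
    """For each root, list (path, version, affected) for every reachable
    occurrence of `component`. Depth-first with a seen-set so a cycle in
    the graph cannot loop forever."""
    lo_k, hi_k = version_key(lo), version_key(hi)
    report = {}
    for root in roots_of(inventory):
        hits, seen = [], set()
        stack = [(root, (root,))]
        while stack:
            node, path = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            name, ver = split_coord(node)
            if name == component:
                hits.append((path, ver, lo_k <= version_key(ver) <= hi_k))
            for dep in inventory.get(node, []):
                stack.append((dep, path + (dep,)))
        report[root] = hits
    return report


def affected_apps(report: dict) -> list:
    """Roots that reach at least one affected version."""
    return sorted(r for r, hits in report.items() if any(a for _, _, a in hits))


if __name__ == "__main__":
    for comp, (lo, hi) in POLICY.items():
        rep = find_exposure(INVENTORY, comp, lo, hi)
        for app, hits in rep.items():
            for path, ver, bad in hits:
                print(app, "->", " > ".join(path[1:]), "=", ver, "AFFECTED" if bad else "ok")
        print("affected applications:", affected_apps(rep))
```

Nothing in the constructed inventory declares log4j-core directly; the exposure only shows up once the graph is walked, which is the visibility gap the answer is describing.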

Are people still looking at Log4j code, or has everyone moved on from it?

Top Answer: I'm surprised that the roar over Log4j has dulled and gone quiet. I expected it to go on much longer than it did, and thought I would have seen a lot of security bug folks looking at the code even closer and finding a lot more issues than what’s been published. It’s almost like an afterthought now.

What are organizations lacking in their cybersecurity posture?

Top Answer: I view cybersecurity as an 80/20 problem overall. 80% of it is hygiene and things that we've seen before — things that we can automate, in cases where automation is a viable and economic solution. It’s within the remaining 20% that the bad stuff happens. So how do you address both at the same time? It's always been interesting to have this conversation in the context of Bugcrowd, because people assume that I'm all about humans coming in to solve everything. But that's not true. There's always going to be a gap that's created by the innovation of the adversary, which only has human creativity and human adoption of process as its solution. But you should automate wherever you can. The companies that we work for weren't started just to fight Russia or China, so this is not our main game.