Courtesy of Rob Labbé

Part 3 of a four-part series on cyber resilience in the mining and metals industry. Read the series here.

In the last column, we started digging into the three components of cyber resilience with a discussion of how to build a cyber-resilient operation—one that can continue operations in the event of a technology outage—be it caused by error, failure or a cyber incident. In this column, I will discuss the building of a resilient cybersecurity program, regardless of the size and budget available to your organization.

A resilient cybersecurity program places the business and its employees at the centre of the program design and implements controls that protect the business and the users. This contrasts with a traditional, controls-based program that places controls and control frameworks at the centre of the design and deploys the controls based on those security frameworks to the users.

Controls-based cybersecurity

Controls-based cybersecurity is the model that we have used for over 25 years. To support controls-based security, the industry has developed several frameworks. And at first glance, there are a number of advantages that come from adherence to controls-based frameworks, such as their conceptual simplicity, ease of measurement and audit, and supportability by vendors. These advantages have given rise to a huge network of managed services providers, security software vendors, cybersecurity assessment organizations and consultants to help support the selection, deployment and maturity of control frameworks in organizations of all types.

Of course, IT and security teams love these frameworks. In addition to robust best practices and guidance for security controls, frameworks reduce the effort needed to assess and design security controls. They also make product and vendor selection easy since security vendors provide matrices showing the areas of these frameworks their products cover, and many services are available to rate security products and services against those frameworks. Adherence to a framework also allows the team and its leaders to easily set and measure goals, such as “increase security maturity to 4.6 in the next 12 months” or “be in the top quartile of mining organizations for security maturity.”

The challenge with applying security frameworks blindly is that they lack nuance: they do not recognize the context, the specific risks and the threat profile under which the business operates. Because they are intended to apply to all organizations and industries, they are designed to cover all risks and all attacker techniques and behaviours. The base assumption is that all organizations can and should deploy those controls in the same way to protect themselves.

Unfortunately, like most universal “best practices,” this lack of nuance becomes the fatal flaw. In practice, controls-based frameworks are most likely to serve either as a convenience for the security team, making their jobs easier, or as a method to transfer responsibility for an incident from the security team to the business.

To illustrate, most security frameworks will list multi-factor authentication as a critical control. To be sure, multi-factor authentication is a very useful control to protect against identity-based attacks; however, mining presents unique challenges. Typically, multi-factor authentication can be successfully deployed in the corporate business units and offices.

When the deployment moves to the operation, however, it falls flat. Obstacles such as a lack of mobile phone access, whether because remote locations have no cell service or because health and safety rules prohibit employees from carrying phones on-site, mean phones are often not available to act as multi-factor authentication devices, while legacy equipment prevents the use of USB-based multi-factor authentication devices. What is the result? The security team requires the business to sign some form of risk acceptance for the lack of multi-factor authentication at the site, absolving the security team of responsibility and leaving that part of the business vulnerable (conveniently, this does not hurt the reported maturity ranking, since that ranking is often calculated net of signed risk acceptances).

Resilient, business- and user-based cybersecurity

Rather than starting from a control framework, resilient security programs look at the business and user context first, engineering security risk out of the business and then deploying controls that work with the needs of the company. Instead of seeing a signed risk acceptance as a necessary transfer of accountability, a resilient cybersecurity program will see that as a failure to recognize and adjust to the needs of the business.

To transition your cybersecurity program from controls-based to a resilient program, the security team must build a deep understanding of how the business operates, the data flows and how its users work. In other words, “How do we do things around here?” From that point, an appropriate number of security or other controls can be deployed. Taking the example above, how would a resilient cybersecurity program deal with the multi-factor authentication problem?

First off, a resilient cybersecurity program would not start with a need to deploy multi-factor authentication for all users in the offices and the operations; rather, thanks to good threat intelligence, it would recognize that misused identity is a major risk factor for the organization and has a high probability of being a vector of successful compromise. Armed with that knowledge, the team can use its existing knowledge of how the business functions to implement mobile app-based multi-factor authentication for the accounts most likely to be stolen — the corporate accounts that staff use to answer email and browse the web. For operational technology (OT) systems, rather than focusing on how to make multi-factor authentication work, the security team focuses on the goal of preventing stolen or misused credentials from being used in OT, by separating corporate accounts from operational ones. In doing so, it identifies that identity segmentation, supported by monitoring, brings the risk of OT credential misuse down to an acceptable level: corporate credentials are not permitted in sensitive OT systems, and stolen OT credentials, in turn, cannot be used on the accessible corporate network.
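An added example, not from the column, of the monitoring that supports identity segmentation: a few constructed authentication events are checked against an assumed policy under which CORP\ accounts may only authenticate within the corporate zone and OT\ accounts only within OT and its DMZ. The account naming convention, zone labels and log format are assumptions made for this example.

```python
import re

# Constructed sample authentication events (illustrative, not from the column).
# Assumed format: "<ts> user=<DOMAIN\account> src_zone=<z> dst_host=<h> dst_zone=<z> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-01T08:01:10 user=CORP\\jsmith src_zone=corp dst_host=mail01 dst_zone=corp result=ok
2024-03-01T08:03:42 user=CORP\\jsmith src_zone=corp dst_host=plc-hmi-07 dst_zone=ot result=ok
2024-03-01T08:05:00 user=OT\\mill-op3 src_zone=ot dst_host=scada-srv1 dst_zone=ot result=ok
2024-03-01T08:06:15 user=OT\\mill-op3 src_zone=corp dst_host=fileshare02 dst_zone=corp result=fail
2024-03-01T08:07:30 user=OT\\svc-historian src_zone=dmz dst_host=historian01 dst_zone=ot result=ok
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_zone=(?P<src>\S+) "
    r"dst_host=(?P<host>\S+) dst_zone=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Identity segmentation policy (assumed naming convention): the account's
# domain prefix decides which network zones it may authenticate from and to.
ALLOWED_ZONES = {
    "CORP": {"corp"},       # corporate identities never touch OT
    "OT": {"ot", "dmz"},    # OT identities never appear on the corporate network
}

def account_domain(user):
    return user.split("\\", 1)[0].upper()

def find_violations(log_text):
    """One finding per event that crosses the identity boundary.
    Failed attempts are kept as well: they are the early warning that a
    credential is being tried where it has no business."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unknown line format; a real pipeline would count these
        ev = m.groupdict()
        allowed = ALLOWED_ZONES.get(account_domain(ev["user"]))
        if allowed is None:
            continue  # account from a domain the policy does not cover
        crossed = sorted({z for z in (ev["src"], ev["dst"]) if z not in allowed})
        if crossed:
            findings.append({
                "ts": ev["ts"], "user": ev["user"], "host": ev["host"],
                "zones": crossed,
                "severity": "critical" if ev["result"] == "ok" else "warning",
            })
    return findings

if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print(f)
```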

With that minor adjustment in approach, the challenges around a failed control deployment are now avoided, the mess around risk acceptance is avoided, and we have a focus on risk mitigation that supports the operation rather than hinders it.

Moving to resilient cybersecurity

The organization needs a leader responsible for the new security program. This should not be a technical leader or technician but a business-focused cybersecurity leader or chief information security officer (CISO). For a smaller company, hiring a CISO may not make a lot of sense; however, fractional or virtual CISO capability is available, be it through a member-based organization such as MM-ISAC or from a security services vendor. It is critical that the CISO understands the industry, is positioned appropriately in the organization to have access to corporate business unit executives and operational general managers and that they are kept informed of company strategy, direction and key business decisions.

From there, industry threat intelligence, acquired through MM-ISAC or other sources, is combined with the business process knowledge to develop evidence-based ways to reduce cyber risk to an acceptable level for the organization.

In order to ensure the program that is developed helps to meet the objectives of the organization, the following success metrics should be implemented:

Cost: Most security programs measure costs based on the capital and operational costs of the program itself, as well as the costs of the tools and solutions purchased by the program. However, many forget the business impact costs of security controls.

The impact and costs on the rest of the business are missing from this analysis. Most planned or implemented controls will impact how employees do their work and may add time to tasks, require the vendors to work differently, add additional costs, and require more frequent hardware/software updates than can be supported by pure business use cases. Resilient cyber programs capture these costs even though they live outside the IT or security budget and actively work to manage them.

Residual risk: Most organizations report risk on a one-to-ten scale or some form of “High, Medium, Low” scale. The challenge with these measures is twofold: first, risk inflation causes all risks to migrate slowly towards “High,” and second, once many risks get there, it is difficult to prioritize, so many controls get deployed to address those risks.

In contrast, a resilient cyber program measures risk using a standard, supportable quantitative methodology, such as the factor analysis of information risk (FAIR) model. This exercise focuses the security program on activities that will limit the scope, impact or probability of an incident in your operational context. The security program should have defined targets for risk and be measured on their success in meeting them.
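An added example, not part of the column, of measuring residual risk quantitatively in the FAIR style: annualized loss exposure is loss event frequency times loss magnitude, each sampled from calibrated (minimum, most likely, maximum) estimates, here for credential misuse reaching OT before and after identity segmentation. The scenario values are constructed, and the triangular distribution stands in for the PERT distribution that FAIR tooling often uses.

```python
import random
from statistics import mean

def ale_samples(lef, lm, n=20000, seed=7):
    """Monte Carlo samples of annualized loss exposure, ALE = LEF x LM.
    lef and lm are (min, most_likely, max) calibrated estimates: loss event
    frequency in events per year, loss magnitude in dollars per event."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        # random.triangular takes (low, high, mode); the triangular curve
        # stands in for the PERT distribution FAIR tooling often uses
        f = rng.triangular(lef[0], lef[2], lef[1])
        m = rng.triangular(lm[0], lm[2], lm[1])
        out.append(f * m)
    return out

def summarize(samples):
    """Mean and percentiles: the numbers a board can set targets against."""
    s = sorted(samples)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"mean": mean(s), "p50": pct(0.5), "p90": pct(0.9)}

def meets_target(samples, target_p90):
    """A program target phrased as 'p90 annual loss stays below target'."""
    return summarize(samples)["p90"] <= target_p90

# Constructed scenario (illustrative values, not from the column): credential
# misuse reaching OT, before and after identity segmentation lowers frequency.
LOSS = (500_000, 2_000_000, 10_000_000)
BASELINE = ale_samples(lef=(0.2, 1.0, 3.0), lm=LOSS)
SEGMENTED = ale_samples(lef=(0.02, 0.1, 0.5), lm=LOSS)

if __name__ == "__main__":
    for name, s in (("baseline", BASELINE), ("segmented", SEGMENTED)):
        print(name, {k: f"${v:,.0f}" for k, v in summarize(s).items()})
```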

Control effectiveness testing: In a controls-based program, often audits are done to establish the presence and maturity of a given control. In other words, is the control present, with all processes and procedures documented, and is a control test performed to ensure the control is working within the documented procedures?

Resilient security makes use of empirical testing of security controls, using automated tools combined with manual testing and tabletop exercises to actually simulate the attacker’s behaviours and measure the resultant effectiveness of your controls.

These measures are far more robust than a simple maturity score. They give the board and executive team an easy-to-understand view not only of the strengths and opportunities of the security function but also of the impact those have on what is really important: the business of producing the key materials needed by the company, by our economies and by the societal changes that the world is counting on the mining industry to supply.

In the next issue, we will look at the final component of the cyber resilience triad—communications.

Rob Labbé is the CEO and CISO (chief information security officer)-in-Residence at MM-ISAC.