Connectivity at What Cost? — The Balance of Security and Innovation in Critical Systems

Owen Lystrup
Published in Shifted
Nov 1, 2016

The DDoS event that hit Dyn’s networks a couple weeks ago was just the first example of what could come next.

An outage of mostly social media sites, mostly isolated to the East Coast, and lasting just a few hours is not quite a catastrophe. But one can’t help but imagine if, instead of Twitter and Pinterest, the target were something a lot more consequential, like a hospital or a power plant or a water treatment facility.

These recent events have called into question whether every device that can be connected to the Internet should be, and whether doing so erodes the trust between a company and its customers.

Customers do not get a say in which third-party vendors a manufacturer uses, but they are nonetheless affected when one is involved in a security breach. This was the case in the massive Target breach, and with the recent Mirai botnet attacks. Both involved customers or users who bore the brunt of trusting relationships gone sour.

Edna Conway, chief security officer for Cisco’s global value chain, said in an interview that every company involved, third-party or manufacturer or supplier or vendor, needs to enter a covenant with one another, a commitment to maintaining secure products. This is especially true for “critical systems,” those responsible for sustaining modern life as we know it. To be resilient to the inevitable cyber attacks that are part of a connected world, all must be diligent and committed to cybersecurity.

Conway, who spoke at George Washington University’s National Cybersecurity Awareness Month keystone event on Oct. 31, is tasked with developing and overseeing Cisco’s strategy to assess, monitor and continuously improve the security and resiliency of its global value chain.

[Figure: Value Chain. Source: Value Chain Security Infographic]

She explained the concept of a value chain in the setting of a bakery. “In order to think about your business model and your value chain, you first need to understand, number one, who is touching [your products and your operations],” Conway said. “Sometimes, you don’t even know.”

If you were a baker, for example, your value chain would include the flour vendor, the egg supplier, the cocoa supplier, “and I would argue it would include the manufacturing partner who would make the ovens, and the company that would transport those raw materials,” Conway said.

The value chain is a concern in nearly every industry, she said, whether it is a government whose product is a social security check or a hospital that supplies healthcare. The third parties that provide the components that make up the whole are what make up a vendor’s value chain.

In an industry like IoT, the components of the value chain have heretofore not been a top priority. Making IoT products like smart TVs or internet-connected cameras, like those used in the Mirai botnet, has largely been a process of economy. Security in such a model is basically an afterthought, if considered at all.

Companies that operate critical systems, Conway said, really need to evaluate closely whether Internet connectivity is essential. “Cyber resilience in a digital environment requires asking the question: is the connectivity providing something that substantially enhances the value of my offering? And at what security cost?”

Some of the companies that are evaluating this balance between security and connectivity, Conway said, interpret this to mean that they need only worry about information security, which is wrong. “Information security is facilitated in a number of ways,” she said. And human beings play a large part. “For example, how secure would you feel if the Pentagon had fantastic information security, but no guards so anyone could walk into the building?”

To be truly cyber resilient in a connected world, she continued, “you need to remember that cyber is but one element.” Companies should really consider what the right investment in technology is for the desired productivity gains.

Owen Lystrup, Digital Content Director for Western Digital.