Lessons in Cybersecurity Planning in the Wake of an Attack
The bad news is that cyberattackers continue to grow more sophisticated, with many improving their tactics faster than security teams can thwart them.
Today’s most dangerous threats, however, do not only come from rogue nations or professional hackers. They also come from disgruntled employees with the potential to exploit their insider access to infect or take control of a network.
But there is encouraging news, too.
Organizations are getting better at identifying breaches. According to M-Trends’ 2017 report of global security breaches and cyberattacks, the median time it took to discover a breach dropped from 146 days in 2015 to 99 days in 2016, the most recent figures available.
Thanks to better cybersecurity planning, utilities are also making it tougher for outsiders to breach their networks. Newer, proactive approaches might not always block intruders from a system, but they might be able to detect the malicious traffic and keep it away from the inside shell, where it could do the greatest damage.
Yes, even the best-laid cybersecurity plans are not fail-safe. That’s why smart utilities prepare for attacks by developing incident response plans and training staff on how to use them.
When an attack occurs, these utilities perform an incident response by analyzing the system and identifying what happened. Depending on the severity of the breach, many also retain a third party like Burns & McDonnell to conduct a full investigation. Law enforcement may also be called.
If a system has been compromised, the next step is to limit the damage by isolating the affected systems. Once the damage is contained, investigators can begin searching for the root cause of the incident and remove the affected components from the network.
Work then commences on fixing the breach and restoring the system’s integrity, neither of which happens overnight. Additional steps may be needed to keep operations running in the meantime, while the system is monitored and upgrades are planned to eliminate any dormant risks.
Perhaps the most important part of responding to any cyberattack is the lessons learned from it. While security can never be perfect, we can learn from experience to reduce the attack surface available to those who wish to do harm.
The best advice I can give any utility is to know its systems, environment and functions, including the criticality of each one. It should then pour the most security dollars into its most critical assets.
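The response sequence described above (identify, isolate the affected systems, remove the root cause, restore, then capture lessons learned) and the advice to know each system's criticality can be expressed as a small tracker. The following is an added illustration, not code from the original post or from Burns & McDonnell; the asset inventory, zone labels, 1-to-5 criticality scale and incident identifier are constructed sample data. It enforces that phases happen in order and orders containment so the most critical affected assets are isolated first.

```python
"""Incident response playbook tracker (added example, constructed data)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Phase(IntEnum):
    # The order mirrors the post: analyze what happened, contain, remove
    # affected components, restore integrity, then record lessons learned.
    IDENTIFY = 1
    CONTAIN = 2
    ERADICATE = 3
    RECOVER = 4
    LESSONS_LEARNED = 5


@dataclass
class Asset:
    name: str
    zone: str          # hypothetical zone labels: "control", "corporate", "dmz"
    criticality: int   # hypothetical scale, 1 (low) to 5 (most critical)


@dataclass
class Incident:
    incident_id: str
    affected: list                       # asset names reported compromised
    phase: Phase = Phase.IDENTIFY
    log: list = field(default_factory=list)

    def advance(self, to: Phase, note: str) -> None:
        """Move to the next phase only; skipping (e.g. RECOVER before
        ERADICATE) is refused so dormant risk is not restored with the system."""
        if to != self.phase + 1:
            raise ValueError(f"cannot move from {self.phase.name} to {to.name}")
        self.phase = to
        self.log.append((to.name, note))


def containment_order(inventory, incident):
    """Affected assets ordered most-critical-first for isolation.

    An affected name missing from the inventory is an error: you cannot
    isolate what you do not know you have ("know its systems").
    """
    by_name = {a.name: a for a in inventory}
    unknown = [n for n in incident.affected if n not in by_name]
    if unknown:
        raise KeyError(f"affected assets not in inventory: {unknown}")
    return sorted((by_name[n] for n in incident.affected),
                  key=lambda a: (-a.criticality, a.name))


def run_playbook(inventory, incident):
    """Walk the incident through every phase and return the ordered log."""
    order = containment_order(inventory, incident)
    incident.advance(Phase.CONTAIN,
                     "isolated: " + ", ".join(a.name for a in order))
    incident.advance(Phase.ERADICATE, "root cause removed from affected hosts")
    incident.advance(Phase.RECOVER, "integrity restored; monitoring continues")
    incident.advance(Phase.LESSONS_LEARNED, "post-incident review filed")
    return incident.log


# Constructed sample inventory and incident.
SAMPLE_INVENTORY = [
    Asset("hmi-01", "control", 5),
    Asset("historian", "control", 4),
    Asset("web-proxy", "dmz", 3),
    Asset("fileserver", "corporate", 2),
]


def sample_incident():
    return Incident("INC-0001", ["fileserver", "hmi-01", "web-proxy"])


if __name__ == "__main__":
    for step, note in run_playbook(SAMPLE_INVENTORY, sample_incident()):
        print(f"{step:16} {note}")
```

The ordering key sorts by criticality descending, then by name, so the control-system HMI is isolated before the DMZ proxy and the corporate file server; a real deployment would pull criticality from the asset register the post says every utility should maintain.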
A culture of compliance and security is a utility’s best defense.