The recent article “Defining the threat in the energy sector,” (CSO Online, 12 April 2016) makes an excellent point about the analysis of threat, that we at Butchko have hammered on for as long as we can remember. Threat must to be relevant, or it is not a threat. How do you determine relevancy? Simple: ASK WHY. As the article notes, “understanding the reason for the threat allows us to make near-future predictions about the relative dangers presented to the energy sector ICS environment. Should we worry? On what should we focus…and why?”
For starters, the assessment of threat can often be the Achilles heel of an otherwise good security practice, when performing a risk assessment. A facility’s security measures can be hardened ad infinitum against cyber attacks, bullets, RPG’s, VBIED’s, IED’s, a swarm of black-clad Ninja’s toting AK-47’s or even an EMP-tipped ICBM. Hate to say it, but well-meaning practitioners – unfamiliar with the many facets of good threat assessment – fall back on answering the “WHAT” of threat…What is out there in terms of bad actors, and answering the “HOW” of threat…How much, How many, How lethal, How menacing, etc. WHAT and HOW produce lovely measurable statistics and “metrics” that can inform great designs. When it comes to asking the most important question, however, the WHY…crickets. In fact, asking why a threat actor would commit violence against your facility, your electrical grid, or your hotel is the very first question that should be asked in the threat assessment. The answer to that question is at the heart of the issue of threat, around which the question of whether one invests millions of dollars in security upgrades revolves.
Answering the question of why requires looking at threat through a different facet – through the eyes of the adversary. The precursor requirement to a full 70% of cyber threats today is still physical access, either through surreptitious entry, social engineering, or via a co-opted insider. The question of Why requires a determination of available logistics, undetected access, favorable environment, geographical proximity, and whether the threat actor has even indicated the desire to attack one’s facility (or one like it). The question of why means engaging vulnerability with threat – one attracts the other. A disgruntled, low morale workforce produces more opportunities for recruitment of an insider. Answer these questions first in the threat assessment, and you will get a good indication of which threats are relevant to your analysis. Then ask WHAT and HOW, in order to know what to measure against.
If you ask the question of “WHY” to a professional, get a blank stare or a dismissive reply, then it’s time to get a new security professional to do your assessment work. Otherwise, you could end up with an expensive security system designed to protect against the wrong risks, or a non-existent risk…much like the Maginot Line did in France after World War I. Just ask the French taxpayers who had to endure the German occupation in WWII what they thought of those impenetrable defensive measures on their border.