24 June 2017

Walking the Talk: Asymmetric Lessons Learned...

Operational Risk Management (ORM) is about "Walking the Talk." What are you advocating in your solutions, services and advice to clients, or within your own organization? "Walking the Talk" means that you believe in, and demonstrate first to yourself and your own organization, that you execute and comply with what you say is policy. That demonstration is a key factor in your own Continuity of Business Operations.

You carry out, in demonstrable form, the rule-sets, best practices, ethics and behaviors that you ask your own customers and suppliers to follow. Failure to do so can have tremendous ramifications. Nicholas Weaver explains:
The payload of CrashOverride is rather elegant in its simplicity; in a way it’s reminiscent of how a toddler might sabotage the lights at home. Once CrashOverride is running on a control system, it begins by mapping out all the circuit breakers. Once the payload knows where all the switches are, it can launch the primary malicious attack, either by turning off all the switches or—potentially more catastrophically—by repeatedly flipping them on and off until the substation in question is isolated.
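The two behaviours Weaver describes, enumerating every breaker and then flipping the same breaker on and off repeatedly, are both visible in a control-system command log if anyone is looking. The following is an added example written for this page, not code from the original post, from Weaver, or from any CrashOverride analysis: it runs two simple heuristics over constructed breaker-command log lines. The log format (`timestamp src=… action=… point=…`), the host addresses, the breaker names and the thresholds are all assumptions made for the example.

```python
"""Heuristic detection of breaker enumeration and open/close "toggle storms"
over constructed control-system command log lines.

Added example for this page; not the original post's code. The log format,
addresses, breaker names and thresholds are assumptions, not a real ICS
protocol trace or CrashOverride artifact.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. An operator station (10.0.1.20) reads and then opens one
# breaker, which is normal. An unknown host (10.0.5.7) first reads every breaker
# in a minute (mapping), then flips CB-03 open/close ten times in 18 seconds.
SAMPLE_LOG = "\n".join(
    [f"2017-06-24T10:00:{i:02d} src=10.0.5.7 action=read point=CB-{i + 1:02d}"
     for i in range(12)]
    + ["2017-06-24T10:04:50 src=10.0.1.20 action=read point=CB-07",
       "2017-06-24T10:05:00 src=10.0.1.20 action=open point=CB-07"]
    + [f"2017-06-24T10:10:{2 * i:02d} src=10.0.5.7 "
       f"action={'open' if i % 2 == 0 else 'close'} point=CB-03"
       for i in range(10)]
)


def parse_line(line):
    """Parse one 'ts key=value ...' log line into a dict (assumed format)."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "src": fields["src"],
            "action": fields["action"], "point": fields["point"]}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_enumeration(events, min_points=10, window_s=60):
    """Flag a source that reads at least min_points distinct breakers within window_s."""
    reads = defaultdict(list)
    for e in events:
        if e["action"] == "read":
            reads[e["src"]].append(e)
    findings = []
    for src, evs in reads.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):            # sliding window starting at each read
            seen = set()
            for e in evs[i:]:
                if (e["ts"] - evs[i]["ts"]).total_seconds() > window_s:
                    break
                seen.add(e["point"])
            if len(seen) >= min_points:
                findings.append((src, "enumeration", len(seen)))
                break                        # one finding per source is enough
    return findings


def detect_toggle_storm(events, min_flips=4, window_s=30):
    """Flag a (source, breaker) pair whose open/close commands alternate
    at least min_flips times within window_s seconds."""
    cmds = defaultdict(list)
    for e in events:
        if e["action"] in ("open", "close"):
            cmds[(e["src"], e["point"])].append(e)
    findings = []
    for (src, point), evs in cmds.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            flips, prev = 0, evs[i]["action"]
            for e in evs[i + 1:]:
                if (e["ts"] - evs[i]["ts"]).total_seconds() > window_s:
                    break
                if e["action"] != prev:      # a state change counts as one flip
                    flips += 1
                    prev = e["action"]
            if flips >= min_flips:
                findings.append((src, "toggle_storm", point, flips))
                break
    return findings


def analyze(text):
    """Run both heuristics over a log and return all findings."""
    events = parse_log(text)
    return detect_enumeration(events) + detect_toggle_storm(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The operator's single read-then-open of CB-07 stays below both thresholds, while the unknown host is flagged twice: once for mapping twelve breakers in a minute and once for nine open/close transitions on CB-03 in under thirty seconds. In a real substation the thresholds would have to be tuned against normal switching and polling rates, and the source of the commands correlated with which hosts are supposed to be allowed to issue them at all.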
Asymmetric warfare is about an indirect strategy: compromising the target through non-traditional methods. You and your organization might just be a pawn in a more sophisticated, well-planned attack on a much more valuable target. Whether that intended target is a critical infrastructure organization in the financial sector, the energy sector or the defense industrial base (DIB) doesn't really matter.

Supply Chain Risk Management (SCRM) is not just about validating where and how embedded circuits, EPROMs or other system software are checked for quality and freedom from tampering. SCRM is also about whether your vendors themselves are compliant within their own enterprises, both in the manufacturing of their own products and in the operational environment of their solution ecosystem.

The trust and confidence of your extended partners, clients, contractors and key suppliers ultimately comes down to "Walking the Talk."
Malicious and trusted insiders pose a range of challenges in terms of counterintelligence risks and physical threats, and experts say policy needs to catch up quickly to the new technologies available to help mitigate the problem.
Mackenzie Weinger is a national security reporter at The Cipher Brief.
If you are a prudent CSO or CISO of a critical infrastructure product or services organization, beware. You may be exactly what the enemy needs to perpetrate their asymmetric operations on the Homeland. Beyond your own reputation, the trust, safety and security of the entire economic infrastructure of the United States is at stake.
