
Krooked Kriminals Krack Krispy Kreme


In 2023 the US SEC adopted rules requiring disclosure of cyber security practices and outcomes, on the basis that this material affects stock price and the understanding of risk. Today Krispy Kreme fessed up to becoming the victim of some ne’er-do-well, affecting online activities and operations in a material fashion. They are in good company: according to SecurityScorecard, 97% of the top 100 US retailers experienced a third-party breach in 2024. This reminds me of a joke: when I owe the bank $100K, I have a problem; when I owe it $100M, the bank has a problem (attributed to J. Paul Getty). When we are talking about 100% of the top 20 and 97 of the top 100, it’s now the new normal.

How could we get to a nearly 100% hit rate? Through the combination of a large attack surface (many locations, many online systems, many supporting vendors, many people) and value (if you ran a thousand-plus retail locations and were faced with an outage of any length, you would pay a ransom, and you would have the means to do it).

How do you reduce the risk? Adopt a defence-in-depth strategy: limit the blast radius, slow the attacker, increase visibility. Recognise that the number of interconnected systems, APIs, cloud services, etc. is only going to increase, so ‘all-in-one’ firewall/VPN/bastion security will not work. Adopt identity (of the user, of the system, strongly authenticated via multi-factor) as part of the authorisation logic (user X can do Y on system Z). Remove all VPNs and all shared passwords. When working with external vendors, ensure that each person uses their native single sign-on (yes, that means userA@vendor, not contractor-A@me) for identity. Implement the advice I give in Advice Avalanche:

Evergreen Tactics: Simple, Effective Security

Let’s focus on practical, cost-effective measures, regardless of the specific attack vector:

  • Stronger Identities, Not Shared Passwords: The number one problem? Default passwords and shared accounts. A recent CISA report revealed that 94.4% of US Coast Guard entities had at least one default password. This is a disaster waiting to happen. The solution? Move to single sign-on (SSO) and multi-factor authentication (MFA) across all your systems. We recommend focusing on the HMI first, as it’s the most human-facing element. An identity-aware proxy can make even legacy systems secure by handling authentication separately. This eliminates guessable passwords and accounts that never change, and it simplifies access for employees and third parties.
  • Defence in Depth – Beyond the Air Gap: The “air gap” is porous. USB drives, cellular modems, and remote support tools all represent potential entry points. Defence in depth requires multiple layers of security. Network segmentation, robust backups (offsite and protected from flooding!), and well-defined incident response plans are crucial. Understand what you have through thorough inventory and regular security assessments.
  • Zero Trust is a Principle, Not a Product: Zero trust isn’t a magic bullet; it’s a philosophy centered around three things: Who (identity – strong authentication of individual users), What (authorisation – defining what each user can access), and How (secure access methods). If you have those three components, you’re well on your way to a zero-trust architecture.
  • Addressing the Moral Hazard: Your vendors and partners may prioritise simplicity over security, pushing for shared credentials. This creates a moral hazard; you bear the risk, they enjoy the ease of access. SSO and MFA align these interests; it’s simpler for your partners and significantly more secure for your plant.
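As an added illustration (not code from the original post), here is the “user X can do Y on system Z” decision an identity-aware proxy would make in front of a legacy HMI, combining the Who / What / How check above with the federated-identity rule from earlier: reject shared accounts and non-federated logins, require MFA, deny anything without an explicit grant, and emit an audit record for every decision. The trusted SSO domains, claim names and policy table are constructed for the example.

```python
from dataclasses import dataclass

# Assumed trusted SSO domains: each person logs in with their own native
# identity (alice@vendor.example), never a locally created contractor account.
FEDERATED_IDPS = {"vendor.example", "me.example"}

@dataclass(frozen=True)
class Identity:
    subject: str   # native SSO identity, e.g. "alice@vendor.example"
    mfa: bool      # multi-factor satisfied in this session
    shared: bool   # IdP marks generic/shared accounts (constructed claim)

# Explicit grants: (subject, system) -> permitted actions. Absent = denied.
POLICY = {
    ("alice@vendor.example", "hmi-plant-1"): frozenset({"view"}),
    ("bob@me.example", "hmi-plant-1"): frozenset({"view", "operate"}),
}

def authorize(who: Identity, system: str, action: str, policy=POLICY):
    """Who / What / How decision. Returns (allowed, reason)."""
    # Who: an individual, federated, strongly authenticated identity
    domain = who.subject.partition("@")[2]
    if who.shared or domain not in FEDERATED_IDPS:
        return False, "not an individual federated identity"
    if not who.mfa:
        return False, "mfa required"
    # What: an explicit grant for this user on this system, deny by default
    if action not in policy.get((who.subject, system), frozenset()):
        return False, "no grant for action on system"
    return True, "ok"

def audit_line(who: Identity, system: str, action: str, decision):
    """One structured record per decision: the visibility that slows an attacker."""
    allowed, reason = decision
    return (f"subject={who.subject} system={system} action={action} "
            f"allowed={allowed} reason={reason}")

if __name__ == "__main__":
    alice = Identity("alice@vendor.example", mfa=True, shared=False)
    for act in ("view", "operate"):
        print(audit_line(alice, "hmi-plant-1", act,
                         authorize(alice, "hmi-plant-1", act)))
```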

Moving Beyond the “Avalanche” – Practical Steps

The government’s eight key recommendations for securing water systems boil down to:

  1. Reduce Exposure to the Public-Facing Internet
  2. Conduct Regular Cybersecurity Assessments
  3. Change Default Passwords Immediately
  4. Conduct an Inventory of Operational Technology/Information Technology Assets
  5. Develop and Exercise Cybersecurity Incident Response and Recovery Plans
  6. Backup Operational Technology AND Information Technology Systems
  7. Reduce Exposure to Vulnerabilities
  8. Conduct Cyber security Awareness Training

And, most importantly, let’s talk about implementing Zero Trust. It’s not hard to get started, and getting started reduces risk.