Whose job is it to protect ICSs against APT attackers?!
In previous posts (here, here, here és here), we have discussed the executive order, of 12 May and the CSIS event on it. The guest was Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies.
The issue is topical given the dynamic increase in the number and severity of operations by likely APT (Advanced Persistent Threat) attackers (see recent cases such as SolarWinds/Orion or MS Exchange).
There is a routine, logical answer to the title question:
in the spirit of security awareness, it is the duty of every user to protect themselves against any threat or attack from cyberspace.
However, there are views that
state-level attacks must be defended against at state level, with the means and resources of the state.
The latter view is undoubtedly not illogically based on the fact that the state background of APT attackers provides them with resources that the target non-state organisations and companies do not even remotely possess, i.e. they are inherently unable to build up an adequate level of protection.
The controversy between these two views is currently coming to a head in the US. Due to cyber threats to the power system supply chain, the Presidential Executive Order (E.O. 13920, hereafter EO) issued on May 1, 2020, imposes serious obligations on power system owners, builders and operators. The EO has already triggered a number of questions and criticisms from stakeholders. However, after recent attacks on the supply chain – most notably the SolarWinds/Orion incident – it is not excluded that the EO could even be tightened.
Under the EO, there could even be a mandatory replacement of existing equipment – but deemed risky. The dilemma is becoming increasingly acute, for example, in connection with the horrendous costs of this.
As we wrote in the previous post
given the size of the US, the EO will inevitably have an impact on global supply chains, and may sooner or later have domestic effects.
In the case of public interests, the situation is clear, as all the work and costs of any future replacement and increased protection will clearly be borne by the state.
The situation is less clear for non-state interests. Who should bear the burden and the costs of possible replacements, but especially of cyber defence, which is relevant to our topic and needs to be continuously and significantly strengthened? Obviously, it is ultimately the consumers, all of us, but it is not all the same when and how…
And to make the question even more exciting, it is even possible that the two answers will not be true either way, but AND.
it is even possible that the two answers will not be true OR, but AND.
For example, as the World Economic Forum website olvashat, “…the threat of cyber-attacks is too big for either governments or businesses to tackle alone.”
What do you think?
Szívesen vesszük a fentiekkel akár egyetértő, akár azokkal vitatkozó üzeneteket. Ezekre pl. újabb posztban reagálva akár érdemi szakmai eszmecsere is megindulhat.
Translated by DeepL