Recent Posts

Change is a risk in #industrialoperations, but at least on the security side of things, rapid change is the order of the day when connecting an acquisition to a new owner’s infrastructures. Anthony Morrone and Marianne Swarter of LeveL5Cyber join us to look at issues and solutions for mergers, acquisitions and divestitures of industrial operations.

Listen now >> https://hubs.li/H0-w8nx0

Come see one of our industry veterans and Cyber Risk experts as he presents at the Secure Delaware cybersecurity workshop on October 28th!

Anthony Morrone will be presenting on “Building an Adaptable Security Strategy” followed by advice on applying that methodology to your Third-Party Risk Management (TPRM) strategy.
This hybrid event (in-person and live streamed) will take place in Wilmington, DE at the Chase Center on the Riverfront. If you haven’t already registered for the event, get registered now at the link below!
Members of the L5C team will also be in attendance and we look forward to seeing all of you that can make this exciting event!

https://digiknow.dti.delaware.gov/…/2021/secureDelaware/

#level5cyber #SecureDelaware #cybersecurity

With another slew of recent industrial control system (ICS) advisories released by Siemens and Schneider Electric last month, most organizations can not immediately apply the released patches. While patching is essential to reduce risk, it is one of the many mitigation efforts that can be applied.

For most, immediate patching of OT assets is not feasible. As a result, a layered defense is even more important, and starts with the OT architecture. As industrial IoT becomes increasingly prevalent, air gapping the OT network is no longer a realistic option in many cases. Network segmentation, if done properly, provides a stop gap measure to reduce risk while the organization takes the necessary steps to get patches before applying them.

Network design will vary by industry and organization, but there are best practices and frameworks that can be followed to prioritize safety and availability. Talk with one of our experts today to find out how our decades of experience can help reduce risk to your organization!

#networksegmentation #level5cyber #cybersecurity

When developing a security strategy, understanding threats, capabilities, controls and risks are all critical to a successful plan. A leader may choose from many standards to help them on this journey; but where do they begin? A mature, industry-accepted framework is a good place to start, and the NIST Cybersecurity Framework (CSF) meets those requirements. The good news is that many of the standards bodies are cross referenced, so mapping to another standard is possible. The NIST CSF standard provides a seven-step process which addresses: defining the scope, control maturity, assessing risks and developing a plan of actions. Keep in mind that defining the right scope is integral to successful and meaningful results. If this is the first time executing a NIST CSF, start small and meaningful, possibly with a finance system or company website. Far too often, security leaders are pressured into expansive scopes for their first alignment efforts, which tends to lead to unexpected hurdles.

Now that you have aligned on a framework, the next step is to determine what standard will be used to assess your environment. For example, if assessing Operational Technology (OT), ISA/IEC 62443 is an appropriate standard, whereas NIST SP 800-53 is suited for Information Technology (IT) environments. Each standard can be situationally applied to the environment being assessed. This step can be the most challenging for beginners, especially if this is a self-assessment. This step requires scheduling time with the various subject matter experts and the ability to properly interview the experts. Be honest when assessing a control, if it is “in the works,” this is not fully deployed in the scope of systems. Once completed, the security plan can be leveraged in other assessments.

Once the maturity of the controls is understood, how do you determine what to work on? To answer this, there needs to be a clear understanding of the risks facing the company and scope of systems assessed. This is the risk assessment step of the NIST CSF process, where the threats are analyzed for likelihood, probability, and impact. For example, the threats of a standalone scheduling application are different from an online banking application. As such, the risks and compensating controls are also different. Like the previous step, there are multiple standards and methods of performing a risk assessment. NIST SP 800-30 is one risk assessment methodology and Factor Analysis of Information Risk (FAIR) is another. FAIR has the benefit of communicating risk in financial terms and NIST SP 800-30 provides a straightforward process to quantify risk. Alternatively, adding financial impact to NIST SP 800-30 achieves both. Once the risks are assessed, there will be a clear picture of what threats may need to be addressed in adherence to the risk tolerance of the company. This list is the Plan of Actions and Milestones, or POAM. POAMs are a great way to formally track the aspects of correcting cybersecurity related issues, so that different levels of interested stakeholders can understand that there is a plan with identified actions to take and milestones with which to measure the progress.

Having a solid assessment framework, effective control standards, and a risk assessment methodology are all required to effectively develop a defensible security strategy. There are many other uses for these tools. A new security leader could use these methods to understand the capabilities of their new team, whereas a seasoned CISO may use the framework to objectively measure the progress towards execution of an existing strategy. It is also common for CISOs to use the framework to communicate cyber maturity to their Board of Directors. Taking the results of the assessment alone can be enlightening, but when compared to peers or other companies in the same vertical, they can be very useful for selling a message.

How else can your identified and selected frameworks and assessment methodologies be used to advance a security organization? The organizationally adopted frameworks and methodologies can be used in concert with other referenceable works, such as the MITRE ATT&CK framework, to better understand the ability of specific attacks. Additionally, they can be used to potentially answer the questions around ransomware readiness or even the development of a data protection strategy. Overall, these powerful enablers can assist the security leader in many different aspects of the organization and other lines of business.

The bottom line in business is change, and with that change comes new risks. One of the greatest catalysts of change are mergers and acquisitions. In one day, a company can double the number of users, computers, vendors, applications, and sites. The often-overlooked change is to a company’s threat landscape. While this sound daunting, mergers, acquisitions, divestitures and joint ventures are a critical part of many companies’ business strategies. There are several drivers to engage in portfolio changes, such as pressures from shareholders, changes in business strategies and the global market.

It is important to keep in mind that all portfolio changes present risks to each company. The unique threats introduced by a merger or acquisition, a divestiture, or a joint venture are all significant and impact a company’s threat landscape.

So, let us look at some of the challenges introduced by such activities. Not fully understanding the risk introduced with a new IT ecosystem post-merger/acquisition can lead to increased risk of malware attacks like ransomware, business email compromise and other cyber-attacks. One risk area often overlooked is Data Loss. Change can be stressful to employees and may lead to intentional and accidental data loss. Not to mention, acquisitions often include intellectual property (IP), which may have driven a premium in the cost. Misunderstanding and not addressing the risks to the IP could lead to significant and rapid loss of value in the acquisition. A comprehensive understanding what IP exists and the controls in place are critical to a successful acquisition. One of the common understated risks of acquisitions is the potential for technical debt in the acquired company. An early and extensive understanding of the IT landscape will allow for appropriate funding and staffing expectations to mitigate the risk of unmanageable systems. If all this was not enough, mergers and acquisitions often come with an expectation to shareholders that significant cost savings and synergies can be achieved. This can drive an acceptance of risk which could have been avoided.

LeveL5Cyber’s M&A Security Guidance and Risk assessment process provides security oversight throughout the acquisition lifecycle. This is accomplished through early engagement at the Valuation Analysis stage to understand the security profile of the company being acquired. The next phase of the assessment begins at Due Diligence, where an interview process is used to validate the security posture and gain deeper insight into potential synergy opportunities or technical debt issues. L5C will use these details to assist the acquirer in developing the Integration Strategy and potential cost to achieve the desired security posture. Once the deal is closed, L5C can perform a deeper interview and tool-based assessment to provide a comprehensive security risk assessment to further support the integration strategy. Our team’s experience with developing standardized architectures and controls used to support portfolio changes can be leveraged, resulting in a cost savings, improved efficiencies and potential reduction in resources and transition service agreements.

Companies of all sizes use third-party vendors. These relationships can bring a host of benefits to an organization, but they also raise concerns, especially around data, risk, and security. Attacks originating from insecure third parties heighten security concerns, yet most companies fail to address this source of vulnerability.
What are some of the challenges that organizations face?

1. Data silos: Many corporate teams believe that Third-Party Risk Management and data security is the responsibility of the Information Security organization alone. Vendor risk impacts several functions across the organization, from procurement and legal to finance and executive management. With lingering data silos, it can be difficult to make progress towards a long-term Third-Party Risk Management strategy.
2. Shadow IT: Unknown vendors introduce multiple risks.
3. One size does not fit all when it comes to risk assessments. Assessments need to be scalable to meet varying degrees of risk.
4. Time management to sustain it: Addressing future risks takes less time and fewer resources.
5. On-going monitoring: Utilize continuous monitoring to assess third parties beyond point-in-time assessments.

During a time when third-party risks are at an increased level due to risk of exposure or loss resulting from a cyberattack, security breach, or other security incidents, having a well-planned Third-Party Risk Management program in place is crucial. Corporate leaders need to adopt new approaches to managing vendor risk in response to growing business, information security concerns, and new regulatory frameworks for managing risks related to third-party business relationships. A strong Third-Party Risk Management program should include a governance framework, a vendor selection and inventory process, due diligence and continued oversight, a vendor risk assessment and ongoing vendor monitoring.

Building these essential steps into your program can contribute significantly toward mitigating a cyberattack, security breach, or other security incidents associated with outsourcing tasks and services. It can also save thousands of dollars in fines and penalties.