The Secure by Design Pareto Principle

In the pursuit of Secure by Design initiatives, organizations have a difficult choice to make. While immediate, tactical measures are essential to mitigate the most glaring vulnerabilities, they are seen as a band-aid solution if not coupled with strategic, long-term planning. We will explore the necessity of a dual approach in critical infrastructure resilience, balancing the urgency of immediate actions with the foresight of systemic changes.

Immediate Actions for Immediate Threats

‍

Organizations cannot afford to wait years for the long-term return on major strategic initiatives such as CISA Secure by Design or Cyber Informed Engineering (CIE). In the short term, organizations must prioritize the immediate security of their systems. After all, there are immediate consequences of not doing so. Many industry pundits would argue that the 80/20 rule demands that these short-term gains be prioritized, as this is where most of the risk lies.

This means ensuring secure default configurations to prevent easy exploits. Often, software and hardware come with default settings that prioritize ease of use over security, leaving them vulnerable to attacks. Adjusting these settings to a 'secure by default' configuration is a crucial first step and many of us look to product OEMs to facilitate this type of default security posture.

Additionally, security controls are often implemented insecurely, and in many instances may be simply a checkbox. For instance, in many of my security audits, firewalls that should be blocking traffic, are configured in such a way that they are essentially a router, with a default allow rule near the top of the list instead of more specific rules only allowing traffic that is required for operations. Or security measures are disabled by the integrator because it was easier for them to provision large deployments that way.

Certainly, addressing this low-hanging fruit is a great starting point. But we should also consider the relative maturity of the cybersecurity program and what comes next. There’s a tradeoff in the consulting world that I have commonly communicated when prioritizing security investments that is the nexus of risk reduction and level of effort. Focusing on what provides the best risk reduction for the least effort makes a lot of sense. Until you start looking at what comes next, the long-term strategic efforts that are largely process change or large capital expenditures. These things take time.

The Looming Horizon of Security Investment

However, tactical solutions are sometimes temporary fixes to deeper issues. Understanding why these issues cropped up in the first place is important, because fixing them may just result in a later relaxation, or loosening, of the control you just implemented. For lasting security, organizations must adopt a strategic approach that embeds security into the very fabric of their business processes.

This involves a shift towards 'security by design', where security considerations are integral to the development and procurement oftechnology. By doing so, security becomes a foundational element rather than an afterthought, ensuring a more resilient posture against future threats. This is where approaches such as Cyber Informed Engineering come into the picture.

 The problem is this requires a large amount of investment that will likely span multiple fiscal years, where the return may not be felt for a long time to come. The lack of faith in such programs is borne of skepticism, and the reality that such change brings with it a not insignificant amount of cultural friction. Humans do not like change, and it has been my experience that without an overabundance of evidence, humans will always gravitate to the lowest friction solutions, even if they do not solve root causes. They will also favor solutions that reduce their own personal pain or enhance their personal career trajectory instead of large organizational level concerns. The way we measure success in many organizations plays a large part in this conundrum.

Transforming Procurement

A critical aspect of this strategic shift is transforming how organizations acquire technology. Procurement processes must prioritize security features and demand transparency from vendors regarding the security measures of their products. This shift not only encourages a market where security is a competitive advantage but also ensures that organizations are not unwittingly introducing vulnerabilities into their systems. By holding vendors to higher security standards, businesses can drive the industry towards more secure product offerings.

But it remains to be seen if this is what asset owners want from their vendors. We all say that it is time for this change, but history has shown us this has not always been the case, and operational teams may instead prefer the older or less secure products because it makes their lives easier. The market signaling is just not there, but it is clear to anyone paying attention that procurement, and supply chain security in general, plays a key role in ensuring we can achieve secure by default in our technology implementations.

Along these lines is the need to define what secure means for the organization. Standards such as ISA/IEC 62443 have proposed models such as the Security Levels that define target security objectives as well as achieved security capabilities in the products we acquire and implement in industrial automation. Architectural models have evolved to identify not only the traditional north/south security context endemic in traditional network segmentation, but microsegmentation models and the east/west isolation found in the 62443 zones and conduits approaches.

We all demand better vulnerability handling and software transparency. Attestations providing assurance of technology provenance and software security practices such as use of memory safe languages pervade the discussion as we seek to shame our vendors into doing the right things. Yet still, procurement marches on for these unfunded and costly initiatives.

But if these security controls only exist in the minds of security practitioners and are never translated to contractual requirements, OEMs and integrators will continue to do what they have always done. Deliver what they were paid to deliver. Our band-aid security projects, while extremely important, will still be required redundantly time and time again, wasting security investment. A never-ending hamster wheel of pain.

Embedding Security in Organizational DNA

At the core of all of this, there's a need for a cultural shift within critical infrastructure organizations. This involves fostering a security-first mindset among all employees, from executives to front-line staff, much the way safety has been ingrained into the culture. Training and awareness programs are important, ensuring that every member of the organization understands their role in maintaining security.

But this may not be sufficient to drive cultural awareness. Continual reinforcement that security is a foundational pillar of organizational culture must be communicated in performance review, established as a functional requirement in engineering projects, socialized within engineering, legal, procurement, operational and management teams and supported with the appropriate resources needed to move beyond lip service to an unrealized ideology. When security becomes a shared responsibility, it strengthens the organization's overall defense mechanisms and sends the market signals crucial to transform security culture across an entire industry.

The 80/20 for that firewall optimization project makes a ton of sense when you are just getting started. But as your program’s maturity evolves, the diminishing returns will be starkly contrasted against the need to do more. And can you afford to wait to get started?