A blog that informs about security topics in the small intersection between IT and OT.

In the sweltering summer of 1863, the city of Vicksburg, Mississippi, became the focal point of the American Civil War. Encircled by the Union forces under Major General Ulysses S. Grant, the Confederate stronghold braced itself for a siege. The Union’s strategy was clear – a war of attrition aimed at depleting the defenders’ resources over time.

As the siege began, the city transformed into a fortress under siege. Ramparts were manned, supplies were rationed, and every able-bodied man was called to defend the city. Though outnumbered and outgunned, the Confederate forces were determined to hold their ground. Yet, with each passing day, the reality of their situation became more apparent – they were a city cut off, with dwindling resources and an enemy at their gates.

This is not unlike how some modern-day cybersecurity attacks play out. You might feel under siege, wondering whether your defensive positions will hold, but one thing that is even more important, and in my experience sometimes overlooked in critical infrastructure, is the ability to detect and respond over time.

Security Posture

You can define a security posture in many ways. Some definitions come from standards and many go into a lot of detail, but I normally just think about it in terms of three aspects: Protect, Detect, and Respond. I can promise you that no matter which standard or definition you look at, you will find those three parts or steps.

The names almost speak for themselves, but to give a few examples I would put it like this:

  • Protect – Tech. Things like Firewalls, Backup solutions, Intrusion Detection, VPNs
  • Detect – Tech and People. Monitoring, Intrusion Detection, Threat Hunting, SIEM
  • Respond – People and Time. BCPs, Patch Mgmt., Breach Containment

Obviously there are a lot of details behind this, but to keep it short I just want to summarize where you should put your investment, not in what, and especially in the OT world.

When building a Security Posture for critical infrastructure, regardless of whether you go about it yourself or base it on a standard, which I recommend (e.g., ISO 27001, IEC 62443, NIST CSF), my experience from talking to hundreds of customers is that there is far too much focus on Protect, the technology, and far too little on Detect and Respond.

There is more focus on buying the firewall and setting it up initially than on how it should be used over time. Who actually looks at what is blocked and what is let through, and who invests in the knowledge and people needed to actually do that?
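As an added illustration of what "actually looking at what is blocked and what is let through" means in practice (this is example code written for this post, not a tool from the author or any vendor), the script below parses a handful of constructed firewall log lines in a simple key=value format and answers two questions a weekly review should ask: which blocked sources look like they are probing several OT endpoints, and which allowed flows reach an industrial protocol port from outside the subnet that is supposed to talk to the PLCs. The log format, the port-to-protocol table and the engineering subnet are assumptions for the example.

```python
"""Periodic review of firewall logs: who is being blocked, and what is let through."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a key=value format; not output from any real firewall.
SAMPLE_LOG = """\
2024-05-01T10:00:01 action=block src=203.0.113.7 dst=192.168.10.5 dport=502 proto=tcp
2024-05-01T10:00:02 action=block src=203.0.113.7 dst=192.168.10.5 dport=102 proto=tcp
2024-05-01T10:00:03 action=block src=203.0.113.7 dst=192.168.10.5 dport=20000 proto=tcp
2024-05-01T10:00:04 action=block src=203.0.113.7 dst=192.168.10.6 dport=502 proto=tcp
2024-05-01T10:00:05 action=allow src=192.168.1.20 dst=192.168.10.5 dport=502 proto=tcp
2024-05-01T10:00:06 action=allow src=192.168.50.9 dst=192.168.10.5 dport=502 proto=tcp
2024-05-01T10:00:07 action=allow src=192.168.1.20 dst=192.168.10.6 dport=20000 proto=tcp
2024-05-01T10:00:08 action=block src=198.51.100.3 dst=192.168.10.5 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|block) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

# Assumptions for the example: the industrial protocol ports we care about and the
# only subnet (engineering stations) that is supposed to reach them.
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3"}
ENGINEERING_NET = ip_network("192.168.1.0/24")
SCAN_THRESHOLD = 3  # distinct blocked (dst, port) pairs from one source


def parse_log(text):
    """Parse key=value lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def review(records):
    """Return the findings a reviewer should look at on a regular schedule."""
    # 1. Blocked traffic: a source hitting several OT endpoints/ports looks like scanning.
    probes = {}
    for r in records:
        if r["action"] == "block":
            probes.setdefault(r["src"], set()).add((r["dst"], r["dport"]))
    scanners = sorted(src for src, targets in probes.items() if len(targets) >= SCAN_THRESHOLD)

    # 2. Allowed traffic: an OT port reached from outside the engineering subnet means
    # a rule that should be reviewed, not an event to ignore because it was "allowed".
    unexpected = []
    for r in records:
        if r["action"] == "allow" and r["dport"] in OT_PORTS:
            if ip_address(r["src"]) not in ENGINEERING_NET:
                unexpected.append((r["src"], r["dst"], OT_PORTS[r["dport"]]))

    blocked_by_src = Counter(r["src"] for r in records if r["action"] == "block")
    return {"scanners": scanners, "unexpected_allows": unexpected, "blocked_by_src": blocked_by_src}


if __name__ == "__main__":
    for key, value in review(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

The point is not the particular thresholds but that somebody runs this kind of check every week and owns the follow-up: the scanner list feeds the Detect side, and the unexpected-allow list is a standing reminder that a firewall rule set drifts unless a person keeps looking at it.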

There are countless examples of attacks where backups have been compromised and lost, or attacks where it was discovered after the fact that the attackers had been present in the network for a long time before they actually struck. Many things can go wrong with the Protect part of your posture. You need to be able to sustain your posture over the long run, which is only possible through investment in knowledge, updates, and people over time. My advice is as follows:

  • Do not overinvest in Protective measures, divide investments so you can sustain a posture over time
  • Competence is expensive but in my experience vital when you have an incident
  • Do NOT forget to test your BCPs and backups regularly
  • Threat model on a periodic basis.
  • Maintaining a Security Posture over time requires a lot of planning. Make sure that your storerooms are full (competence, backups, diesel generators etc.)
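To make the "test your backups regularly" advice concrete, here is an added example (written for this post, not the author's or any product's code) of the smallest restore test that is still meaningful: unpack the archive into scratch space, then verify every file against the hash manifest that was written when the backup was taken. The sample "backup set" of PLC and HMI files and the tar-plus-manifest.json layout are assumptions for the example; the `manifest` parameter of `make_backup` exists only so the test can simulate a backup whose contents were altered or lost on storage after the manifest was written, which is exactly the failure you want a scheduled test to catch before an incident does.

```python
"""Restore-test a backup: unpack into scratch space and verify every file against its manifest."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample backup set for an OT environment; contents are made up.
FILES = {
    "plc/line1_program.bin": b"\x00\x01\x02program-image",
    "plc/config.xml": b"<config><ip>192.168.10.5</ip></config>",
    "hmi/screens.db": b"sqlite-like-bytes",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    return {name: sha256_hex(data) for name, data in files.items()}


def make_backup(files, manifest=None):
    """Produce a gzip'd tar in memory with a manifest.json of sha256 hashes.
    A separately supplied `manifest` simulates a backup whose files were altered
    or lost on storage after the manifest was written (assumed layout, example only)."""
    manifest = build_manifest(files) if manifest is None else manifest
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in list(files.items()) + [("manifest.json", json.dumps(manifest).encode())]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def restore_test(archive_bytes):
    """Unpack to a temporary directory and check each manifest entry.
    Returns (ok, problems); problems lists rejected, missing and corrupted entries."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            for member in tar.getmembers():
                # Own path check instead of extractall(): an archive is untrusted input
                # once it has sat on storage that an attacker may have reached.
                parts = Path(member.name).parts
                if not member.isfile() or member.name.startswith("/") or ".." in parts:
                    problems.append(f"rejected member: {member.name}")
                    continue
                target = root / member.name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
        manifest_path = root / "manifest.json"
        if not manifest_path.exists():
            return False, problems + ["manifest.json missing"]
        manifest = json.loads(manifest_path.read_text())
        for name, expected in manifest.items():
            path = root / name
            if not path.exists():
                problems.append(f"missing: {name}")
            elif sha256_hex(path.read_bytes()) != expected:
                problems.append(f"corrupted: {name}")
    return not problems, problems


if __name__ == "__main__":
    print(restore_test(make_backup(FILES)))
    tampered = dict(FILES, **{"plc/config.xml": b"<config><ip>0.0.0.0</ip></config>"})
    print(restore_test(make_backup(tampered, manifest=build_manifest(FILES))))
```

Run on a schedule, a check like this turns "we have backups" into "we restored them last week and every file matched". For it to mean anything, the manifest has to live somewhere the backup job itself cannot overwrite, and the result has to land with a person who is expected to act on a failure.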
 
Summary
Abraham Lincoln is credited with the quote “What a lot of land these fellows hold, of which Vicksburg is the key.” The defenders at Vicksburg did not know they had been picked as the prime target, and there is no way of knowing whether your system or mine is considered a key target by a hacking group, but if you are in charge of critical infrastructure the likelihood is high.
The defenders at Vicksburg did not see their Protective Posture fail; they repelled the first couple of attacks with heavy losses on the other side. But eventually, after 47 long and hard days, they had to surrender. Out of ammunition, food, and water, they were unable to Detect and Respond to further attacks. They could not sustain their Security Posture.
When building a Security Posture, divide the available resources equally between Protect, Detect, and Respond, and you will have a posture that is as strong as possible.
