By Gregory Hale
Cyber security permeates every part of your company and it is a must that it is on everybody’s agenda.
That was the message that came from Gregory Touhill, Air Force Brig Gen (ret), CISSP and Deputy Assistant Secretary for Cybersecurity Operations and Programs at the Department of Homeland Security during his keynote address at the ARC Industry Forum 2015 in Orlando, FL, Tuesday.
As he started off his keynote with a “Happy Patch Tuesday morning,” Touhill continued by saying the industry is facing more attacks than ever before, and it doesn’t look like it will let up any time soon.
“Cyber security is misunderstood by many folks,” he said. “People think it is a technology issue. I say it is a risk management issue for companies and individuals. Risk management is something we all need to look at as we conduct business on a daily basis.”
He likened his job to being the captain of the neighborhood cyber watch for the entire country.
Some of the duties of the neighborhood watch include:
• Share information about bad actors
• Do things about attribution. We anonymize data
“There is a myth out there that we are all knowing and all seeing. That is a myth. We are as transparent as we can be. We are the champion of declassification. We are dedicated to maintain privacy, civil rights and civil liberties.”
Touhill said the threat environment continues to grow and there are three types of attackers out there:
• Nation state actors who are very capable adversaries
• People trying to get a competitive advantage and steal your IP to gain as much information as possible
• Hacktivists, who are people that don’t agree with your company’s activities
And then the final threat environment Touhill said was on his personal list but not the official DHS stance and that is people being “just plain stupid. Your IT staff is not stupid, but sometimes they do stupid things. They miss things.”
Security, he said, remains more than just a technology issue; it is also a people and physical issue.
“If we just look at technology, security will fail. We also have to look at the physical side.” He mentioned the substation in California that was attacked a year or so ago by bad guys who shot out the facility and then took off.
Looking at the cyber security environment, Touhill knows the origin of control systems and why they are vulnerable to attack.
“As we look at industrial control systems, they are not designed with security in mind,” he said. “They are old and security is bolted on. Sometimes we find owners and operators have decided to take the risk and not pay for security. As we go out into the sector, we have to bake in security.”
Touhill said there are five key best practices to think about when it comes to an attack:
• ID what you have
• Protect it
• Detect it
• Be able to recover
“I contend there are very few companies doing that,” he said. “They are not doing asset valuation. It is important to protect appropriately. Identify what you have and make sure you protect the proper things in the most appropriate way.”
Vigilance remains a key aspect because as he said, the average time from penetration to detection is 240 days.
“That is unacceptable,” Touhill said. “I want to know when they are coming through the gate and have a response plan in place.”
“Cyber security permeates every part of your company,” he said. “It has to be a part of everybody’s agenda. Each one of us in this room has a responsibility to cyber security. We all have a stake in cyber security.”