In recent weeks, the US Department of Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) reported a breach of its own systems. CISA, in collaboration with the Australian Signals Directorate’s Cyber Security Centre and the National Cyber Security Centres of the UK, Canada, and New Zealand, issued an advisory at the end of February. The breach occurred through a remotely exploitable vulnerability in the Ivanti Connect Secure and Ivanti Policy Secure gateways, systems designed to protect CISA.

Source: https://www.cisa.gov/news-events/news/cisa-us-and-international-partners-warn-ongoing-exploitation-multiple-ivanti-vulnerabilities

If the leading authorities in cybersecurity are vulnerable to breaches within their systems, what chance do the rest of us have? Considering the balance of probabilities, it seems almost certain (in risk terminology, read: inevitable) that a determined adversary can breach digital systems given sufficient time and motivation.

Our only hope lies in prevention, deterrence, early detection of breaches, and minimizing the impact of any potential breach.

In physical security, a break-in is often immediately apparent: it is either caught in the act, by the noise and the physical damage as it happens, or revealed afterwards by the debris left behind. With observability, we can review security camera footage after an event to understand what happened. Active monitoring allows us to witness events in real time and dispatch a response team accordingly.

Imagine if physical intruders cleaned up after themselves, repairing walls and replacing broken windows to leave no trace. While this scenario might seem absurd, it’s a stark reality for motivated nation-state attackers. The International Bar Association details the cleanup following the assassination of Jamal Khashoggi, showcasing the lengths to which a nation-state will go to conceal their actions.

Source: https://www.ibanet.org/article/D8B4629B-657C-41A8-ACC7-515A6BDBF7B5

The cyber realm shares similarities with the physical world but also has key differences. In cyberspace, even unsophisticated actors can erase indicators of compromise, making it challenging to detect breaches from the aftermath alone.

For our digital domains, we need both observability and vigilance to detect attempts or actual breaches, respond appropriately, and mobilize the necessary response. This task is more complex than merely monitoring screens and reacting.

Fortunately, many concepts from physical security can be adapted to enhance our cybersecurity posture, even for those not specialized in cyber.

The Security of Critical Infrastructure Act mandates that critical entities maintain and comply with a Critical Infrastructure Risk Management Plan by 18 August 2023 and achieve compliance with a designated Cybersecurity framework by 18 August 2024.

A common pitfall in achieving compliance with a cybersecurity framework is underestimating the time required to identify our systems, assess their risk against the framework, and recommend solutions to mitigate those risks. This initial assessment can take weeks to months, and gap closure is often measured in years.

Many cybersecurity frameworks include several hundred control checkpoints, nearly a thousand individual points that must be checked to determine a system’s compliance state.

While the goal of achieving Cybersecurity compliance for critical infrastructure systems by 18 August 2024 is commendable, we may only begin to uncover the extent of our cybersecurity gaps by this date.

After all, if the leading authorities can’t fully secure their digital domains, what chance do the rest of us have, especially if we are new to this journey?

About the Author

Sean Finn
Head of Cyber Security
Risk 2 Solution Group

Cybersecurity Subject Matter Expert

Sean has deep experience in providing mission-critical ICT for internet-facing e-commerce systems and operational technology systems in Mining, Defence and Aviation. Sean has acted as the final technical escalation point for incident response in these environments over a twenty-year period and has a deep passion for incident prevention and automating security into the software supply chain.

Since 2000 he has incubated, developed and sold multiple small ICT technology firms built from the ground up in datacentres, web hosting, ISP and e-commerce, and has extensive practical commercial experience alongside his technical expertise.

Sean is recognised as an experienced DevOps Software Engineer, Solutions Architect, Internet Network Engineer, Commercial Hosting Provider and Mining and Defence Secure ICT Platform Engineer.