- The poor security practices (no firewall, same password on all computers, end-of-life software, etc.) were not really mitigated by compensating controls. From the news-reports, it appears that it was happenstance that a remote supervisor saw the chemical levels were being tampered with. The experts are quoted as having said "they got lucky", and "equivalent of walking through an unlocked front door." There is no mention of additional continuous monitoring and alarms or testing to detect high levels of sodium hydroxide in the water. Luck is not a mitigating control.
Vulnerability, as FAIR terminology, does not mean "a weakness that can be exploited". It means "the probability a threat agent's action will result in loss". From the publicly available accounts, this probability was high. - It is not clear that one can deduce the Threat Event Frequency from past attacks. It all depends on how much you buy argument is that waterworks have been available as a target for a long time, so the fact of no/few attempted attacks is a good indicator of low Threat Event Frequency. Every category of cyberattack has had a first instance, and in some cases, e.g., ransomware, the subsequent growth in attacks has been spectacular.
- The analyst in the blog post is analyzing risk from the perspective of the management of the waterworks, e.g.,
Management actually would have a defense against claims of negligence by regulators or litigious stakeholders: They had recently completed a risk and resilience review for the EPA and have till the end of 2021 to implement any findings.
The FAIR methodology says that if your primary stakeholder is different, you need to conduct a second analysis. If we take the perspective of the water-consuming public, I don't think the management having legal defenses against claims would be of any comfort to anyone hurt by high sodium hydroxide levels in the water. (The news reports say that death or serious illness was unlikely, more likely was skin irritations and rashes).
FAIR likely provides a good framework within which to reason about and even quantify risk - I'm just learning about all this, and so it is a mildly informed opinion only.
About black swans - I think the methodology can accommodate rare, large loss events by setting the maximum magnitude of loss appropriately. Of course, there is the question of whether the Monte Carlo will catch the rare events in the long-tailed probability distribution, perhaps one needs to run the simulation long enough to catch a few maximum magnitude events.
About grey rhinos - highly probable, high impact yet neglected threats, the attack on waterworks might turn out to be one such. FAIR methodology, if properly used, should make grey rhinos pop out immediately.
No comments:
Post a Comment