In the past few months, as a side effect of the covid-19 pandemic that accelerated the adoption of teleworking, the number of cyber attacks and data thefts has increased, along with the amounts organizations commit to mitigating the consequences of these intrusions. With technologies that connect the physical and digital worlds now almost ubiquitous, to a degree that is unprecedented, a single attack has new potential to devastate critical business and operational processes.
Prevention remains a much more effective remedy than cure. But how do you ensure adequate protection for an industry's assets? Thiago Branquinho, CTO of TI Safe, explains that cyber security should not be seen individually, but rather understood as a process of continuous improvement of controls. The practices, according to Thiago, range from raising users' awareness and establishing network security to protecting critical data and systems with strict access controls.
In the CTO's assessment, in order to obtain a better cost-benefit ratio in the implementation of these practices, the first step is to carry out a risk analysis with a very well defined scope. “Considering industrial systems, the approaches range from an analysis focused only on the control centers to the most complex ones, covering the entire production process. The next step is to list the assets to be valued. Computers, PLCs, network equipment, servers, and even people make the list. The types of threats surrounding these assets, their weaknesses and the impact that may occur on the operation in the event of incidents should be listed,” he explains.
Thiago explains that people, for example, are susceptible to social engineering attacks such as phishing and pretexting. Servers running older operating systems can be easily compromised with hacking tools downloaded from the internet.
The risk is therefore composed of the set of threats that can exploit the vulnerabilities in an asset. The level of this risk must be measured by the probability of occurrence and the impact caused. Once the risks are understood, the selection and implementation of controls becomes more objective.
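The procedure described above (scope the assets, list threats and weaknesses per asset, rate probability and impact, rank the result) can be captured in a small risk register. This is an added example, not code from the article or from TI Safe; the 1-5 rating scale and every asset, threat and rating in the register are constructed for illustration.

```python
# Added example: a minimal risk register following the steps in the article.
# Asset, threat and rating values below are constructed, not from a real site.
from dataclasses import dataclass

# Qualitative scales mapped to numbers (assumed 1-5 scale, a common convention).
LEVEL = {"low": 1, "medium": 2, "high": 3, "very_high": 4, "critical": 5}


@dataclass
class RiskItem:
    asset: str          # e.g. PLC, server, operator workstation
    threat: str         # e.g. phishing, exploitation of an unpatched OS
    vulnerability: str  # the weakness the threat would exploit
    probability: str    # qualitative likelihood of occurrence
    impact: str         # qualitative impact on the operation

    def score(self) -> int:
        """Risk level = probability x impact, as the article describes."""
        return LEVEL[self.probability] * LEVEL[self.impact]


def rank_risks(items):
    """Return (asset, threat, score) tuples, highest risk first."""
    return sorted(((i.asset, i.threat, i.score()) for i in items),
                  key=lambda t: t[2], reverse=True)


def above_threshold(items, threshold):
    """Risks that should receive a control before the others."""
    return [i for i in items if i.score() >= threshold]


# Constructed register for a small scope: the control center only.
REGISTER = [
    RiskItem("SCADA server", "remote exploitation", "unpatched legacy OS",
             "high", "critical"),
    RiskItem("PLC", "unauthorized control commands", "no network segmentation",
             "medium", "critical"),
    RiskItem("Operator workstation", "phishing", "no awareness training",
             "very_high", "high"),
    RiskItem("Engineering laptop", "malware via USB", "removable media allowed",
             "medium", "medium"),
]

if __name__ == "__main__":
    for asset, threat, score in rank_risks(REGISTER):
        print(f"{score:2d}  {asset:<22} {threat}")
```

Ranking the register shows why a vague "everything is critical" view is less useful than a scored one: the unpatched SCADA server outranks the PLC even though both have critical impact, because the probability differs.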
Another approach to determining controls is to verify compliance, that is, the degree to which the analyzed company has adopted the relevant norms and standards. “The ISO 27001 standards are widely used, for example, in ICT environments and ISA/IEC 62443 in industrial automation environments,” says Thiago.
TI Safe adopts a hybrid assessment approach, combining static and dynamic verification. In the static process, TI Safe specialists observe aspects of risk and compliance through on-site assessments and interviews. In the dynamic process, threats resident on the network and asset vulnerabilities are detected with passive monitoring tools. At the end, the two analyses are merged. According to Thiago, risk management planning is then carried out on the basis of this result; it must be oriented towards compliance with standards and grounded in the main protection needs of each company.
In the next edition, TI Safe News will detail the steps for effective risk management: how to improve monitoring and response capabilities, the role of training people in risk prevention, and much more.