Coronavirus Lessons for Industrial Cybersecurity: Quarantines

By Sid Snitkin
Category: Technology Trends

The surge in countries implementing quarantines is demonstrating the seriousness of the Coronavirus epidemic.  Hopefully, these actions will slow down the proliferation of infections enough for health care professionals to deal with every life-threatening case.  The economic effects of Coronavirus are already enormous.  Financial markets are suffering major declines and financial analysts are predicting recessions in many countries.  Quarantines and travel restrictions are cited as a major cause of economic challenges.


Early Intervention Avoids Draconian Measures

The Coronavirus situation shows how difficult it is to control an epidemic once it gets a foothold within a country. It also shows the importance of early intervention, like testing, restricting mass gatherings, and social distancing, before cases start to rise. Symptoms take days to appear, allowing contagious people to spread the infection to family, friends, and associates. This increases both the number of cases that need to be managed and the rate of spread. Countries that adopted a wait-and-see approach are now facing health care system crises and the need to institute complete quarantines of neighborhoods.

Cybersecurity Has Had Coronavirus Events As Well

As our previous coronavirus lessons for industrial cybersecurity blog highlighted, cybersecurity and epidemics have many similarities, including the need for quarantines when situations get out of control. The 2012 Shamoon attack on Saudi Aramco spread to 35,000 computers before it was detected and stopped. While critical control systems were unaffected, the event disrupted operations for almost five months and restoration cost millions. This event also increased system isolation at a time when companies need more connectivity to improve operations.

Maersk faced a similar runaway situation when one of their offices was compromised by NotPetya. The malware propagated to 49,000 laptops, and the company lost its main booking website in only seven minutes. Physically disconnecting systems from company networks was the only way to stop the destruction. It took over a month to reestablish normal operations, and direct costs of the incident exceeded $300M. The company also suffered indirect impacts on its reputation that affected its subsequent revenues.

Lessons for Cybersecurity Professionals

These examples demonstrate the importance of avoiding situations that demand draconian measures. The costs of such situations dwarf the costs of implementing measures that would have constrained, or ideally blocked, the proliferation of infections and malware. And, as we noted in our previous blog, these measures are well known:

  • Use DMZs, firewalls, zero-trust access control, anti-malware software, awareness training, and security hygiene to reduce the likelihood of an initial compromise;
  • Use segmentation and zone firewalls to limit opportunities for lateral movement;
  • Continuously monitor devices and network messages to rapidly detect compromises, use micro-segmentation to isolate infected elements, and enable rapid response from defenders, SOCs, and third-party cybersecurity experts;
  • Strengthen defenses to prevent future attacks using the same tools and tradecraft.

The problem is not knowing what to do; it is having the foresight to invest in the people, processes, and technology needed to properly implement these measures.

Coronavirus Shows the Impact of Ignoring Preparations for Black Swan Events

Justifying cybersecurity investments for “black swan” events, like the ones discussed above, can be difficult. Often companies need to experience a major incident before they appreciate the need to protect facilities against calamitous attacks like Shamoon and NotPetya. Extremely low likelihoods make it seem rational for managers to “accept” the risks, just as some countries “accepted” the risks of ignoring Coronavirus and delaying interventions. Managers can also underestimate the impact of such events on their company’s entire business. Hopefully, they will learn something from the devastating, unforeseen economic impacts of Coronavirus and recognize that something similar could occur if the organization is hit by a major attack like those that struck Saudi Aramco and Maersk.
