Welcome to the second Cloud CISO Perspectives for October 2024. Today, Anton Chuvakin, senior security consultant for our Office of the CISO, offers 10 leading indicators to improve cyber-physical systems, guided by our analysis of the White House’s new PCAST report.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
--Phil Venables, VP, TI Security & CISO, Google Cloud
10 leading indicators to make cyber-physical systems more resilient
By Anton Chuvakin, senior security consultant, Office of the CISO, Google Cloud
When gauging the success of security and resilience efforts, organizations too often turn to lagging indicators to measure their accomplishments. These indicators can provide valuable insights into past performance, but rarely do they help prevent future incidents or guide proactive improvements.
Meanwhile, leading indicators rely on predictive factors and proactive measures that can help identify potential risks and vulnerabilities before they are exploited. Using leading indicators can help organizations adopt a more proactive approach to security and resilience, and enable them to anticipate and mitigate threats more effectively.
Robust software development practices, such as those outlined in NIST’s Secure Software Development Framework (SSDF), can significantly enhance the overall security posture of an organization — and are a good example of a leading indicator.
Security and business leaders who want to shift to leading indicators should read the recent President’s Council of Advisors on Science and Technology (PCAST) report on cyber-physical resilience and fortifying critical infrastructure. It provides in-depth guidance on how to identify leading indicators that organizations can start analyzing today. However, the report is 51 pages long, and at Google Cloud’s Office of the CISO, we want to be sure that this important advice receives more attention.
We believe that making cyber-physical systems more resilient will require a collective effort that spans government agencies, private sector organizations, and individuals. The goal is to build a future where these systems are secure, adaptable, and capable of recovering quickly from disruptions.
To that end, we’ve reviewed the 10 “leading indicators” presented in the PCAST report to better help organizations develop their cyber-physical resilience.
- Hard-restart recovery time is the duration it takes to rebuild a system from scratch. It is intended to assess an organization's ability to remove circular dependencies during a restart, to assure that backups can survive fully destructive shutdowns and attacks, and to verify that software and data can be restored to service.
Start by inventorying all your hardware, software, and configuration settings that would be required for a hard restart of critical systems. Then begin resilience testing on a small scale and build up, incorporating lessons learned along the way.
- Cyber-physical modularity describes the design of systems where interconnected physical and digital components are organized into well-defined modules with limited dependencies on each other, and measures the mean operational capability that remains after a system-wide single point of failure.
Start by creating a visual representation (such as a diagram) of your cyber-physical systems that clearly identifies components, connections, and especially dependencies.
- Internet denial and communications resilience treats loss of internet connectivity as a notable point of failure with its own unique impacts. It covers degraded service and weighs the resulting disruption against operational continuity in the face of internet disconnection.
Start by mapping your organization's critical dependencies on internet connectivity. This becomes the foundation for your resilience planning.
- Manual operations play an important role in fail-over preparations for internet-connected operational technology. Business and security leaders should prepare for situations where automation is lost by answering questions including: What is the degree of local manual control that can sustain a minimum viable operational delivery objective? How frequently is manual control practiced so that the organization knows how to use it when the time comes?
Start by conducting an audit of your critical physically-actuated systems, mapping their reliance on automation, and identifying where manual takeover potential exists.
- Control-pressure index helps measure the extent to which defense-in-depth has been applied by evaluating how much of a critical security or resilience objective is carried by a single control, the failure of which would put the whole system at risk.
Start by choosing a critical security or resilience objective, such as protecting confidential data. List all the controls in your organization that contribute to fulfilling that objective.
- Software reproducibility examines the extent to which software in a particular system can be repeatedly and continuously built and distributed while maintaining conformance with NIST’s SSDF requirements, including disclosing software bills of materials (SBOM) and supply chain levels for software artifacts (SLSA).
Start by assessing your current software development process. Identify areas where you can improve reproducibility, such as source code management and build automation.
- Preventative maintenance levels are the percentage of the overall cost of systems operations devoted to upgrades, security patching, reducing technical debt, and other preventive maintenance.
Start by creating an inventory of all critical equipment and systems in your organization that require regular maintenance.
- Inventory completeness is the full extent of an organization's operations — including information technology, operations technology, and supply chain — encapsulated in a validated and managed inventory or asset register.
Start by determining who in your organization should maintain the asset register, which will provide a clear point of accountability.
- Stress-testing vibrancy, also known as red teaming, subjects your environment to an extreme offensive, adversarial security test to probe whether defenses hold and operations remain reliable.
Start by conducting a basic security assessment of your systems to identify potential targets for red teaming exercises.
- Common-mode failures and dependencies can help identify organizations (and their supply chain) whose failure would cause significant harm to a whole sector. It’s vital to find and eliminate circular dependencies.
Start by identifying critical external providers, including utilities, software vendors, and key suppliers, whose failure would dramatically impact your operations.
You can read our full analysis of the PCAST report’s 10 leading indicators here. For more leadership guidance from Google Cloud experts, please see our CISO Insights hub.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- Cyber risk top 5: What every board should know: Boards should learn about security and digital transformation to better manage their organizations. Here are the five top risks they need to know. Read more.
- Google Cloud launches new Vulnerability Rewards Program: We are pleased to announce the launch of the Google Cloud Vulnerability Reward Program, dedicated to products and services that are part of Google Cloud. Read more.
- SAIF Risk Assessment: A new tool to help secure AI systems across industry: The SAIF Risk Assessment is an interactive tool for AI developers and organizations to take stock of their security posture, assess risks and implement stronger security practices. Read more.
- Announcing expanded Google Cloud Security support for the public sector: Google Cloud Security is committed to helping government agencies and organizations strengthen their defenses. Here’s how we can help. Read more.
- 7 ways we’re incorporating security by design into our products and services: Here’s how we implement our Secure by Design Pledge, including steps such as default passwords, multi-factor authentication, and developing new techniques to reduce entire classes of security threats. Read more.
- Check out Chrome Enterprise Premium's latest innovations: Chrome Enterprise, the most trusted enterprise browser, recently introduced powerful new capabilities that can enhance security, threat detection, and usability. Let’s check them out. Read more.
- We tested Intel’s AMX CPU accelerator for AI. Here’s what we learned: Confidential VMs are now available with built-in CPU acceleration with Intel AMX. Which one is suited for AI? Check out our test results. Read more.
- Now read this: The 2024 DORA report: Key takeaways from the 2024 Google Cloud DORA report that focused on the last decade of DORA, AI, platform engineering, and developer experience. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- Russian hybrid campaign aims to compromise Ukrainian military recruits: Google Threat Intelligence Group has discovered a new, suspected Russian espionage and influence operation that uses Telegram for malware delivery, and delivers narratives intended to undermine support for Ukraine's mobilization efforts. Read more.
- Investigating FortiManager zero-day exploitation: Mandiant collaborated with Fortinet this month to investigate the mass exploitation of FortiManager appliances across more than 50 potentially compromised FortiManager devices used by organizations in various industries. We observed exploitation as early as June 2024, and provided security recommendations to mitigate the threat. Read more.
- How low can you go? An analysis of 2023 time-to-exploit trends: Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. We saw an even larger discrepancy grow between zero-day and n-day exploitation, likely driven by a recent increase in zero-day usage. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Google Cloud Security and Mandiant podcasts
- What happens when two intelligences meet: One of the hardest problems in operationalizing threat intelligence has been getting organizations to convert threat knowledge into effective security measures. Vijay Ganti, director, product management, Google Cloud Security, explores with host Anton Chuvakin how artificial intelligence can make threat intelligence easier and more effective to use. Listen here.
- Security showdown: Containers versus VMs: Guest hosts Kaslin Fields and Abdel Sghiouar, co-hosts at Kubernetes Podcast, join Anton in debating the security merits of containers versus virtual machines with Michele Chubirka, Google Cloud security advocate. Listen here.
- Take a closer look at ADR: What is Application Detection and Response? How does it correlate cloud, container, and application contexts to provide a better view of threats? Daniel Shechter, co-founder and CEO, Miggo Security, explains all things ADR with Anton. Listen here.
- How to run an effective tabletop exercise: Mandiant Senior Consultant Alishia Hui joins host Luke McNamara to discuss all things tabletop exercise related. Alishia walks through the elements of a tabletop exercise, important preparatory steps, the success factors for a good exercise, and how organizations can implement lessons learned. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.