
The SecurityANGLE: Protecting Critical Infrastructure, Cybersecurity is a Boardroom Issue, and Thoughts on the New SEC Regs on Security

In this inaugural episode of The SecurityANGLE, our webcast focusing on all things cybersecurity, I’m joined by a member of our Cube Collective family of analysts, Jo Peterson. Jo is an engineer, an analyst, and a brilliant mind — and I’m so glad to be collaborating with her.

In this series, you can expect interesting, insightful, and timely discussions on all things cybersecurity, including cybersecurity news, security management strategies, security technology, and coverage of what the major vendors in the space are doing on the cybersecurity solutions front. We’ll cover a handful of topics each week and feature an occasional guest. We are always interested in your coverage suggestions. If you’re watching or listening, don’t hesitate to send your ideas our way.

In this episode, we cover cybersecurity and the rise in attacks on critical infrastructure, the reality that cybersecurity is a boardroom issue, and thoughts on the new SEC regulations on cybersecurity.

Cybersecurity and the Rise in Attacks on Critical Infrastructure

We kick off the show by discussing challenges in protecting critical infrastructure and exploring the cyberattack on the Water Authority near Pittsburgh last week.

Three members of Congress have asked the U.S. Justice Department to investigate how foreign hackers breached a water authority near Pittsburgh, prompting the nation’s top cyber defense agency (CISA) to warn other water and sewage-treatment utilities that they might also be vulnerable.

What’s significant here is that the private sector owns the vast majority of the nation’s infrastructure and key resources — roughly 85 percent.

While largely privately owned, critical infrastructure provides the essential functions, such as supplying water, generating energy, and producing food, that underpin American society. Protecting this infrastructure is a national cybersecurity priority, yet the government has only so much control over private sector organizations.

Here’s where it gets concerning for the government and critical infrastructure. The Government Accountability Office (GAO) has made 106 public recommendations in this area since 2010. And yet, as of December 2022, nearly 57% of those recommendations had still not been implemented, more than a decade on.

In 2022, Waterfall Security reported a 140% increase in cyberattacks against industrial operations that resulted in more than 150 incidents. Equally alarming, the researchers also warned that at this growth rate, they expect cyberattacks to shut down 15,000 industrial sites by 2027. Even more concerning, 17% of the attacks experienced in 2022 had no identifiable motive. They were largely a move to disrupt critical infrastructure, services, utilities, and transportation, and state-affiliated actors have led some 60% of these attacks.

Another report showed that 39% of attacks focus on the energy sector, with another 11% on critical manufacturing and another 10% on transportation.

These industrial ops cyber attacks included attacks on airlines, power grids, manufacturing plants, pipelines, water and wastewater treatment plants, and more.

The chart below was prepared by Axios based on IEA data and provides a compelling glimpse into just how much of a spike we’ve seen in cyberattacks across industries.

[Chart: average number of cyberattacks per organization in selected industries. Image credit: Axios]

Black Hat Europe and Thoughts on Self-Regulation in the Cybersecurity Space

Next in our cybersecurity coverage, we touched on Black Hat Europe, which took place in London last week. During his keynote, Black Hat founder Jeff Moss predicted that governments will be forced to impose greater levels of cybersecurity regulation because it’s pretty clear that organizations themselves aren’t doing a good enough job of preventing breaches. “Self-regulation isn’t working” is how Moss described the situation, and he’s not wrong.

Jo and I took a deep dive into why cybersecurity self-regulation isn’t working. In a nutshell, it’s a boardroom issue. We share some stats about a dearth of cybersecurity knowledge and expertise across S&P 500 boardrooms, and it’s no surprise why cybersecurity and “self-regulation” are challenging for most organizations. Here are some quick stats:

  • In a study done in late September by VC firm NightDragon and the Diligent Institute (the research/think-tank arm of software developer Diligent), an analysis of board composition in the S&P 500 index companies found that a whopping 88% had no directors with cybersecurity expertise. Only seven had a current or former CISO on the board, and two of those seven board seats were held by the same person.
  • The study also showed that only about 52% of companies had a board director with some tech experience adjacent to cybersecurity.
  • A recent Harvard Business Review survey of 600 boardrooms showed that only 47% of board members regularly interact with company CISOs.

And we wonder why cybersecurity is problematic.

What’s the solution? Making cybersecurity a company-wide focus, not just an IT focus. And it is not really a choice: the mindset of regulators seems to be that if you’re not going to do it on your own, there will be consequences.

Newly Adopted SEC Rules on Cybersecurity Go into Effect in December

In July of this year, the SEC adopted rules on cybersecurity designed to address cyber risk management, security, governance, and incident disclosure by public companies.

The Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies require the disclosure of cybersecurity incidents experienced. They also require that organizations disclose on an annual basis ‘material information’ about their cyber risk management, strategy, and governance.

These newly adopted SEC rules go into effect in December, which we see as both good and terrible. Most companies will be required to start reporting attacks on December 18th by way of an 8-K form. We encourage you to read the rules in their entirety, as there are reporting requirements that are important to follow.

The demanding disclosure rules from the SEC require publicly traded companies to report cyberattacks through regulatory filings within four days of determining that the attack will ‘have a material impact’ on their operations.

Merritt Baer, field CISO at security provider Lacework (and a former FCC cyber official), shared that “[t]he SEC is really asking for reasonable efforts to be responsible,” as these rules are designed to more closely connect CISOs and their IT teams with corporate boards. That’s a very good thing!

While critics say that a four-day requirement is asking too much, Baer says that she feels four days should be plenty of time for organizations to make at least a preliminary decision on the materiality of the breach and its impact on the business.

These are definitely topics about which there are many nuances.

Watch or stream the conversation here to get all the details, and while you’re there, be sure to hit the “subscribe” link so that you won’t miss an episode.

Find Shelly on LinkedIn and X (Twitter) here.

Find Jo on LinkedIn and X (Twitter) here.
