When it comes to drawing up a proactive plan to secure infrastructure, a threat assessment drive can go a long way. In addition to helping understand the sources and gravity of individual threats, it can also sensitize all stakeholders to various security aspects and help organizations understand and address specific and generic threats. However, due to some inherent deficiencies, many enterprises that choose to conduct an institutional cyber threat assessment program do not realize its full value. What are these deficiencies, and how can they be addressed? Read on to find out.
Deficiency one: wrong or outdated cyber threat assessment model
In our interactions with CISOs across manufacturing, utilities, maritime, oil and gas, and financial services sectors, we found that many businesses were relying on models that were primitive and not suited to the emergent threats that now dominate the threat landscape. These models were often borrowed from industry peers and, in some instances, have been passed down from one generation of cybersecurity leaders to another across decades.
Remedy: work with a vendor or internal security operations team to prepare a model that is specific to your business.
Deficiency two: lack of unit-level assessment
Even today, many businesses conduct threat assessment at an infrastructure/enterprise level rather than go a few notches lower to assess threats at an equipment or transaction level. Based on the family of devices, communication protocols, supply chain characteristics, device profile, digital footprint, and many other parameters, each device could face a multitude of threats. Further, networks face a series of threats that could be unique to various network characteristics. Without taking these into account, an IoT, IT, or OT threat assessment exercise will not present sufficient actionable data that can reduce your risk exposure.
Remedy: prepare an inventory of all devices and networks before embarking on a threat assessment exercise. This is especially true for OT-based infrastructures where device inventories are often outdated or do not exist.
Deficiency three: low frequency of assessment
In IoT and OT environments connected with critical infrastructure, threat assessments should be conducted at least once a month to identify and track new risks and threats and plug any vulnerabilities or security posture-related gaps that may arise.
Remedy: calendarize and conduct threat assessments as frequently as possible.
Deficiency four: compliance-driven threat assessment agenda
Often businesses conduct threat assessment drives due to external factors such as audits, compliance needs, or pressure from the board or senior leadership. Sometimes threat assessments are conducted as a knee-jerk reaction to an advisory from a regulator as well. This leads to the threat assessment exercise being treated as an ad-hoc effort with no long-term view or focus.
Remedy: conduct threat assessments as a calendarized activity. The agenda should be specific to the risk exposure management needs of the business that is conducting it.
Deficiency five: lack of skilled cybersecurity threat assessment experts
As threat assessment is often not seen as a core activity, the work is assigned to team members who have to learn on the job. No additional training is imparted and such team members are often made to handle threat assessments along with their other responsibilities.
Remedy: allocate specific threat assessment responsibilities to team members and train them to do it professionally with diligence. Such members should also be made to undergo threat assessment certifications and act independently while making honest threat assessment recommendations.
Deficiency six: lack of integration (or synergy) with the overall cybersecurity roadmap
Since most businesses conduct a threat assessment exercise in an ad hoc manner, its findings, frequency, and even objectives are not synchronized with the institutional risk management priorities. This leaves a wide gap in implementation: the findings of the threat assessment exercise are sometimes not implemented at all.
Remedy: integrate the threat assessment exercise with the overall risk management program using incremental steps. Never conduct a threat assessment exercise in isolation, as that will simply erode the benefits that your institution could gain from such an effort.
Wish to know how to turbocharge your threat assessment programs to improve your institutional threat hunting and cyber risk management efforts? Talk to Sectrio. We have assisted businesses across verticals such as manufacturing, oil and gas, maritime, banking, supply chain, and pharmaceutical manufacturing to evolve and run comprehensive and beneficial threat assessment programs. Talk to us now.