How do you define risk? For those in the cybersecurity community, risk is usually defined by degree of exposure an organization might have to losses tied to breaches or system attacks.
But ask that same question of a hospital administrator struggling to treat COVID patients and the answer might be tied to the number of people they had to turn away due to lack of beds, or deaths resulting from too few personnel.
And now ask that question of a water treatment facility.
Before Monday, when the world learned that a hacker hijacked a remote access system and tried to manipulate the amount of lye in the water filtering from a plant in Florida, would an operator have defined risk by potential for a cyberattack? Would that even be the answer now, or would it instead be tied to access to skilled personnel – considering, after all, that an employee manning the controls ultimately prevented the poisoning from happening? Or maybe he or she would tie risk to protocols for the handling of toxic chemicals, or to aging equipment that could corrode and leak sewage if not addressed.
None of those answers would be wrong. And yet some are quick to judge Oldsmar, Florida for potential shortcomings in the security slice of the risk equation. Why enable remote access in the first place? Why connect these systems to a network at all? Where were the audits? Was there thorough pen testing? Couldn’t multi-factor authentication have prevented this from happening?
Those questions should get asked. But they are no better or worse than the dozens of other questions that no doubt filtered into the more comprehensive discussion about risk that inevitably took place, which of course ties directly to resources. Nor do they consider the more mundane risk considerations that come up on a near daily basis. (Consider that in 2015, Miami-Dade county water operators scrambled to prepare for Super Bowl Sunday, when they knew from past experience that a spike in water usage from bathroom visits would lead to a dramatic drop in water pressure.)
And would any water treatment facility judge the calculus differently – revert dollars from elsewhere perhaps – had they known such a cyber incident was coming? Even that is hard to say. We don't know what would be sacrificed by that trade-off.
In a discussion I had this morning with Michael Santarcangelo, founder of Security Catalyst, he likened this impossible dilemma to “the unholy trinity of friction, chaos and resistance, which meets daily with the tyranny of the urgent.”
Businesses must decide an acceptable level of risk, and as noted by Santarcangelo, “what’s acceptable to us in security might not match what’s acceptable to industry, to the company, to the society. That upsets us. ‘Why don’t they understand?’ But what if they do understand?”
Put differently, what if at least sometimes it’s those in the security community who don’t understand, who know too little to properly judge? Who, in fact, has enough expertise and knowledge to know just how to assess and respond to risk? Santarcangelo called that question a Zen koan – the Buddhist phrase for a paradoxical riddle that demonstrates the inadequacy of logical reasoning.
If that is just too philosophical, then consider this simple fact: what appeared to be an attempt to poison Florida drinking water failed, even if the cyberattack to gain remote access did not. From that alone, some might deem the events that occurred in Oldsmar, Florida a success story.