You’ve all seen the sign — 217 Days Without a Lost Time Accident. It’s a staple of any manufacturing plant. Running a safe facility lowers insurance costs, keeps production humming and, most importantly, sends employees home to their families when the work is done.
But what about network security? Gregory Touhill, deputy assistant secretary, cybersecurity operations and programs, U.S. Department of Homeland Security, believes factories should post a sign declaring how many days it’s gone without a security breach, too. The retired brigadier general spoke in February at ARC Forum in Orlando, Florida, about the threat of cybersecurity and how Homeland Security figures into the equation.
In his role, Touhill looks at the development and implementation of programs that are designed to protect government networks and critical infrastructure systems. He retired from the U.S. Air Force in July 2013 and co-authored "Commercialization of Innovative Technologies, Bringing Good Ideas to the Marketplace," as well as the upcoming "Cybersecurity for Executives, A Practical Guide."
Touhill transitioned from a 30-year career in the U.S. Air Force. “There’s a change in uniform,” he explained. “But the biggest adaptation for me has been to transition to wearing glasses.”
Touhill noted that the day of his presentation was the second Tuesday of February, pointing out that individuals involved with a facility’s IT and network management would refer to the day as “Patch Tuesday,” when patches come out each month. “It’s an important part of cyber hygiene,” he explained. “Cybersecurity is risk management. I’m the captain of the cyber neighborhood watch for the United States.” The National Cybersecurity and CommunicationsIntegrationCenter processes about 300 incidents per day, said Touhill.
“Your IT staff is not stupid, but sometimes they do stupid things,” he explained. “Sometimes all it takes is a crack in the door. Within the Department of Homeland Security, we address those for America’s private and public sectors. It’s all about risks. We also look at the physical aspects of homeland security. As we take a look at industrial control systems, many of them were not designed for cybersecurity systems. And some have since added capabilities for remote management or monitoring. Instead of providing the safeguards for cybersecurity, they’ve opted to manage the risk.”
Touhill’s organization encourages the industrial control sector to help companies to upgrade their security with available products. “There are a lot of industrial control systems out there that continue to remain exposed,” he warned. “How can the feds help? First, I want you to help yourself. We all have a stake in cybersecurity. The first thing you can do is put it on your agenda. It’s part of managing risk. Cybersecurity permeates every part of your company.”
The National Institute of Standards and Technology (NIST) Cybersecurity Framework offers five continuous elements for effective cybersecurity: identify, protect, detect, respond and recover.
1. Identify what you have. Do an asset evaluation of your information (IP, data) on your balance sheet. Most companies don’t do that valuation, but next to people it’s the most valuable asset in an organization. That information in those data banks is not all equal, but we treat it as equal. We may be spending too much money defending information that isn’t valuable at all and not even defending the crown jewels.
2. Protect what you have.
3. Detect when you’re under attack. You need to know when you’re under attack. The average time in the commercial sector that an infiltrator is finally detected is 230 days after the attack. That’s unacceptable.
4. Be able to respond appropriately. The time to generate a response plan to a hack is not the moment of the attack or the moment a microphone is shoved in your face about the breach.
5. Finally, be able to recover.