#ISC2CongressEMEA: Combined Mitigation for Cyber and Physical Attacks

Written by

At the (ISC)2 Congress EMEA in Dublin on October 18 2016, Barrie Millett drew upon his experience from the military and his resilience roles at E.ON and GE to advise on combined mitigation for cyber and physical attacks.

In his most recent role at Cyber Rescue Alliance, Millett advises boards on developing and maintaining a resilient organization, with a recent focus on critical national infrastructures.  It’s his job to help chief executives respond to inevitable cyber breaches and build resilient organizations and teams to reduce the impact of cyber-attack.

Much of his advice around cybersecurity defense comes from his learnings and experience in physical security. For example, “You can’t be effective in silos – you need a big team approach. You have to test, test and test. Don’t try to wing it,” he said, noting the advice is equally true of the physical and cyber world.

“Always think the unthinkable – be imaginative in understanding the threats and how they can morph.” All too often, he said, chief executives are shocked to learn that their networks have been compromised. “They have a poor understanding of what’s critical, what’s outsourced, and how to access that information when needed.”

There’s no excuse for such ignorance, according to Millett, who referenced the brilliant research and statistics produced by highly talented analysts. “There’s so much brilliant information, and we’re not using it,” which is absurd, he said, when you consider that “we have to lucky all of the time, but those who seek to do us harm only have to be lucky once.”

No Longer the Unthinkable

“My biggest concern is when the methodologies used by state actors and criminals morph into terrorist organizations – either as the main attack method or as a facilitator. Fiction is now reality – but often we’re ignoring it.”

Government and society understandably want assurance that we have control of this – they want positive action, and the key is understanding the threats, preparation, and working together as a team.

“What I’ve learnt from events I’ve managed in the physical world over the years is that those who wish us harm will continue to reinvent themselves and use all the technology and resources they can get their hands on.” Understanding the dynamics of those emerging threats is thus crucial, Millett said.

“We have to take the big team approach and work with law enforcement, talk their language, link to their command structures, and educate them on our challenges whilst also understanding theirs and engaging with operational teams.”

His experience with attack prevention and approaches in hostile reconnaissance has taught him that success is only possible when his team understand the threats, think the unthinkable, and work together as one team.

“We can’t do this in isolation. Our people are bright and we don’t utilize their capabilities enough. We need to get into our organizations and understand and engage them as individuals, feel their pain, and ask how we can help.” 

Those who wish us harm will continue to reinvent themselves and use all the technology and resources they can get their hands on

Test, Test and Test

Learning from other sectors is crucial, said Millett. “Take Hurricane Sandy – they prepared as a big team, moved people out of the path of storm, and got responders in place. They ticked the boxes for anticipating, working together and testing, testing, testing. “Awful lessons will always be learnt along the way but the best possible chance for success is by working together.”

Plans and strategic approaches must be linked to delivery, said Millett, who advised working with CEOs to make sure they know what to do at all stages of an attack: before, during and after.

“Test your plans, because incomplete planning will seriously limit your capabilities and increase costs.”

In conclusion, he reinforced that challenges cannot be addressed individually. “We must work together and connect our government and industry thinking, resources, and activities. The physical and cyber worlds are connected, that’s a reality, and the price of failing to connect them is too great.” 

What’s hot on Infosecurity Magazine?