Threat Modeling Process Is Key When Deploying Technologies
Deploying new technologies without careful consideration can lead to unintended consequences.
A recent reminder of that fact is the Iowa caucus chaos, which delayed the release of presidential primary election results. The event also served as a reminder of how digital technology can sometimes complicate a seemingly straightforward task — in this case, tallying votes. A segment of the public speculated that a foreign adversary targeted Iowa’s voting infrastructure. In reality, election officials acknowledged that a faulty smartphone sabotaged the results.
The Iowa caucus misfire underscores the importance of quantifying risk that includes but transcends cybersecurity, according to Andrew Jamieson, director, security and technology at UL, and his colleague Anura S. Fernando, UL chief innovation architect in the organization’s medical systems security division. When deploying any technology for a critical function, it’s key to thoroughly analyze potential problems, whether the system is a smartphone in an election or an Internet of Things technology in a factory or medical device.
“Risk is a tough thing to quantify, objectively,” Jamieson said, which is why the threat modeling process is so important. It enables organizations to detail and understand “the threats that may exist in your environment and implementation,” he added.
Another consideration is the continued use of older equipment and technology. Aging systems are often difficult to patch and update to protect against vulnerabilities. “The problem is, of course, that no company can patch and maintain systems indefinitely,” Jamieson said. At some point, maintaining legacy products securely is no longer an option.
Determining when to upgrade aging technology requires understanding your organization’s risk of exposure while also analyzing security liabilities new technologies may pose.
Understanding potential operational problems begins by asking simple questions. “What is your goal — technical or business — at the highest level? Everything you do, and everything you implement, then needs to be informed by that understanding of your goal,” Jamieson said.
Identifying operational goals may require more complex answers, though. “The real answer is often more nuanced than that, involving the needs of your customers, your employees, social needs of the areas in which you work and so on,” Jamieson said.
Once your organization understands risk related to its core operational goals, it is necessary to do a thorough study of potential vulnerabilities across your organization. “Nothing can really replace the need for a complete and thorough audit of your systems to determine exactly what systems you do have and what their current exposure is,” Jamieson said. “This can be daunting for many organizations . . . and it really is an essential first step.”
While the results of a security audit inform threat modeling, some organizations attempt to short-circuit the process by focusing on potential threats first. “You can’t model threats to your environment when you don’t understand your environment,” Jamieson said.
Organizations that need to understand potential liabilities in their environment should consider standards and best practices, Fernando counseled. The Healthcare Sector Coordinating Council, for example, released documents to help medical device makers and users enlist a maturity model to improve their cybersecurity posture. Those documents include the Health Industry Cybersecurity Practices (HICP) and the Joint Security Plan (JSP).
Similar guidance exists for other areas, ranging from the Department of Homeland Security’s guidelines for securing voting infrastructure to the ISA/IEC 62443 and ISO/IEC 25063 standards for industrial control system security and software quality, respectively.
Still, a thorough risk analysis can be daunting and expensive, especially if no significant problems have occurred. “It’s easy to say, retroactively, that companies can find [for cybersecurity initiatives] once there is a breach – but the difficulty of managing a large IT deployment these days can be extraordinarily complex,” Jamieson said.
An asset discovery and threat modeling process can also help organizations “prioritize what has to be done and where,” Fernando said. “Often, the complexity can be overwhelming, so by prioritizing systems, it can help with a structured approach that brings order to that complexity.”
Prioritization begins by identifying the highest-risk areas. “Which systems are most easily accessible or could cause the most damage — actual or reputational — if compromised?” asked Jamieson. “Look to implement both protective and detective measures,” he said. “No patching methodology is going to be perfect and having solutions to detect where potential compromise or attacks may be occurring, along with plans on how to mitigate these, is equally important in any complex environment.”