What's Your Cyber Narrative?
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
I first heard the term "Cyber Narrative" while interviewing Jennifer Dulles, APR , a media relations and crisis communications expert, on the S4x24 Main Stage. It's worth your time to develop a cyber narrative, especially given the often poor public statements we hear from asset owners post incident.
Jennifer defined a Cyber Narrative as "a story about what threats exist, your preparedness, and your teams, and what you do daily to protect from that (cyber attacks)". (see the clip below for 2 minutes on this).
I'd add that your Cyber Narrative should also include what you have done to prevent high consequence events and your ability to recover from a cyber attack. Engineers and OT Security Pro's could work together to provide your media and investor relations with something in advance of a cyber incident affecting Operations such as:
While we have a proactive cybersecurity program to prevent cyber incidents, we know it’s not possible to stop all attacks. We have a tested plan in place to meet our commitments to our customers and the community in the event of a cyber incident.
We have non-cyber safety systems in place so that contaminated xxx won't be delivered to our customers even if an attacker has compromised our computers and networks. One of the recovery scenarios we have designed and tested is to restore services to our customers within yyy hours after a successful cyber attack, and we strive to recover faster than that.
You can work with your media and investor relations, as well as with appropriate executives, so they understand the measures behind these statements. They may want to include more detail, provide some buffers on recovery estimates, or want more information on a consequence you haven't thought of.
What's your cyber narrative?
OT Digitalization Evangelist at Remuscon Oy / Domain Specialist for Cybersort
2moIn your Operations part, Dale Peterson what do you mean with "non-cyber safety systems" as most of the safety systems are anyway cyber-physical, sometimes part of the control systems, sometimes separate programmable logic systems. Operating all sensors and actuators manually is quite impossible - and they contain cyber also. Would you recommend having gauges and manual valves as reserves? What about motors.
Threat Intelligence & Critical Infrastructure Security Leader
2moThis idea definitely needs to be expanded upon because the "narrative" idea aligns with how humans want to think - in stories where there are protagonists, antagonists, and objectives (even a possible telos, leading to a host of issues). "We" want to think in terms of "Actor A took Action X against Victim B to achieve Objective Y" because it aligns with our way of thinking, making long-running campaigns with indeterminate outcomes (think VT or going further back, Berserk Bear) difficult to adequately assess in terms of risk and concern. The ability to tell cogent, complete stories around security events and risk is really key in communicating these items to wider audiences.
Designing communication programs that solve business challenges, grow brands, and enhance reputation.
2moThanks, Dale, for a great dialogue and discussion. And yes, this approach is clearly becoming more imperative. It’s my sincere hope organizations take the time to do this work — and well ahead of when it’s needed. Warm regards.