Conference: Simulation Innovation Workshop

Survey of Cyber Security Framework across Industries

Abstract

For many years, cyber security in both Department of Defense (DoD) and civilian industries has been a compliance-driven process. Respective organizations define rules or best practices with which they direct their Information Technology (IT) systems to comply. Success is often measured by how well these static rules are followed, and how many security incidents have been discovered compared to historical data. There is a multitude of problems associated with this simplistic approach. First, cyber threats are constantly evolving; it was previously estimated that as many as 400,000 new pieces of malware are being introduced each day. Most of these threats specifically target a given system and/or are designed to succeed through a certain attack vector. Adopting a cookie-cutter, one-size-fits-all cyber security policy that only gets reviewed/updated periodically might not be adequate. From the technical standpoint, even the best commercial-off-the-shelf (COTS) anti-virus/anti-malware software relies on regular database updates of known threats. Hence, by definition, these forms of protection can only provide remediation for existing threats; systems are basically defenseless against zero-day threats that are specifically designed to attack them. A more comprehensive approach toward cyber security should be adopted to defend against these evolving threats. With the pervasive nature of the Internet, previously disparate industries are now more interwoven than ever before. In the United States, if a cyber attack were to happen in the power grid infrastructure, it is conceivable that the impacts could spread to the public safety, health, national defense, banking and finance sectors. Not only might impacts be felt across industries, but the threat profiles of these attacks may be similar as well, due to common vulnerabilities across IT and Operational Technology (OT) systems.
Hence, it is crucial to determine how different industries are addressing the cyber security challenges they each face. This paper will provide a brief survey of best practices in cyber security in several industries, including DoD, oil/gas industries and banking/financial institutions. There are many similarities in the way these industries are each approaching the cyber security challenges. At the same time, there are significant differences in the specific threats they are facing. For example, the DoD is beginning to shift its focus from generic penetration tests and risk management framework evaluations to using cyber range testing and simulation-based threat assessments that systematically evaluate military systems and platforms under a variety of operational conditions. The oil/gas energy companies are also starting to identify their most vulnerable systems and subsystem components. For example, they work with industrial control system (ICS) vendors and suppliers to improve their products' cyber security performance, both at the individual unit level and at the network protocol layer. The banking and financial institutions are facing cyber attackers with different motivations than those targeting the DoD systems. Instead of crippling or destroying the targeted systems, the cyber criminals in the banking/financial industries are often more focused on deception and data exfiltration, even though they use tactics, techniques, and procedures (TTPs), such as phishing, watering-hole attacks, etc., similar to those of the cyber attackers in other industries. Although the aforementioned industries are facing cyber attackers with different motivations, many of the threat vectors and methodologies are actually very similar. Hence, it would be beneficial if cyber experts in these industries could share threat information and collaborate to define cyber best practices.
A complementary approach is to establish a cyber simulation environment that allows individual organizations to provide their threat models, and that these models can be shared across multiple industrie