What’s the real Problem with COVID-19 and Cyber Security?

What’s the real Problem with COVID-19 and Cyber Security?

April 2, 2020


While you are reading this, you are more than likely working from home because of COVID-19. During the last three weeks, I have read many stories about the virus and to me, the big question was always the same: What’s the real problem?

Some people may think the SARS-CoV-2 virus is a conspiracy; others find the countermeasures exaggerated while there is also a group who is living in constant fear. Irrespective of what people think, we are all on the same boat or planet to be more exact. On this boat, there are separate compartments; or countries for this analogy.

The current situation in the Netherlands

I am living in the Netherlands and I am satisfied with how our government responds to the crisis. Initially, we were sceptical towards the government due to a lack of information and no proper plan. For this reason, it was difficult for me to understand the real problem and for the same reason, many of us didn’t follow the guidelines from the government.

It was only until three weeks ago when our prime minister explained the actual problem with the COVID-19 virus on television, that we, society began to appreciate the problem and potential solutions. Employing simple wording he explained what the COVID-19 virus is, how it impacts our lives and what options we have as a society. The following two options were explained by our prime minister:

  • Option 1: We do nothing, many people get ill until there is enough herd immunity to stop the virus. In other words, when enough people are immune to the virus, there will be a natural barrier in the group to infect others. As long as there is not enough immunity in our society, the burden on our medical health system will be so high that ultimately people will die because we can’t take care of them. If we choose this option, we accept that many people will die until there is a cure or enough herd immunity.
  • Option 2: We control the spreading of the virus to alleviate pressure on our health care system. The spreading can be controlled through “social distance” in other words we reduce social interactions, discouraging group activities and keep a 1.5 to 2-meter distance. If we, as society follow these rules, it is difficult for the virus to spread, the number of infected persons will be controllable, and our health system can take care of the people who are seriously ill. In the meantime, herd immunity will gradually grow in our society and hopefully, we find a cure soon.

The government prefers option 2 to save people from dying.

What happened after the speech

After the explanation of COVID-19 virus, there was an “aha” moment in our society because now we understood the real problem and our options. The day after the speech there were two major changes in our society:

  1. Trust in the government that they are doing the right things
  2. People followed up on the rules imposed by the government

Still, we have many questions and yes, we are all very concerned about the economic impact but for now, we have the feeling the situation is under control and it gives us time to think about the next steps.

When the government is not able to address the problem to the society properly (partially this is happening in the US), there is just not enough trust in the government to motivate people to do the right thing with all its consequences.

Cyber security for the OT domain

As a business consultant for security, I am fascinated about how we changed our behaviour after the speech of our prime minister. Is it that simple? Explain in simple wording the core problem and the reason why a certain plan was chosen? I think the answer is “yes, it is that simple”.

Often, I experience a similar kind of phenomenon when I talk with companies about cyber security and in my case, cyber security for the OT domain (same as production domain). Cyber security in a company is merely as strong as the weakest link. In other words, security must be the culture of a company supported by every employee. This is not always understood; too often cyber security is a topic for specialists cascaded with instructions to the employees. To change the culture in a company, people need to understand the problem and why certain steps are taken.

The real problem for cyber security

However, before you explain the problem to your colleagues, you first need to understand the real problem by yourself and that is not always easy. The problem for security is not about which firewall or software package to deploy. I have defined the problem for cyber security as follows:

“On what basis, how and to what extent do I have to invest (read budget) in cyber security to have a risk exposure that is deemed acceptable to me and the company?”

I have chosen this problem statement for the following reasons:

  • You cannot reduce the risk to zero. As a company, you always have to accept and manage a certain risk
  • To reduce the risk to an acceptable level, you need a budget. Plans have no value if ultimately the budget is not available

In other words, cyber security starts with risk versus budget. Companies that Yokogawa has supported based on the above problem statement, have been able to develop a corporate cyber security plan which could be explained and embraced by the employees.

Determine the budget for risk reduction

To determine the budget for reducing the risk you need three parts:

  1. The risk exposure baseline – What is your current identified risk
  2. The security target – What measures do you want to have in place to reduce the risk
  3. Policies and procedures to connect people to technology

If all three parts have been developed, the step to calculate the budget is not so difficult anymore.

Cyber security life cycle program for OT security

We have developed a cyber security life cycle program for OT security which follows all these steps. We conduct three types of risk assessment; technical, business and operational to determine the risk exposure baseline. We have 30 best practice policies and procedures available, ready to be updated following the company requirements. And we use the IEC62443 and the NIST to determine the security targets to determine and select the proper countermeasures.

With our life cycle program and structure, we help our customers to understand the real problem, to understand where they are today and to understand where they would like to be in the future and what investment is required to reduce the risk to an acceptable level. With all this information you can explain in simple wording to the organization what the real problem is for cyber security and why you have chosen for a certain plan to reduce the risk to an acceptable level.

My strong belief

I am aware that many of us including myself currently have other problems on our minds than cyber security. The impact of the virus will likely affect all of us and life as we know it will probably change for a long time. However, it is my strong belief that our society is resilient and if we support each other, we can win this challenge. For now, stay strong and follow the rules to keep yourself and your environment safe and hopefully we can have a conversation about cyber security soon.


No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.