Just Do It: Maintaining your Cybersecurity Fitness 

I was a late bloomer in fitness training, but over the past ten years, I have learned to change how I think about the problem. I was working out the other day, and I had an epiphany on how my changes in thinking about fitness mirror the OT cybersecurity problems I see every day at BlastWave. I wanted to share some of these and see if they were relatable to the readers of this blog, if they also happen to be into fitness, or if they just want to see some cybersecurity struggles analogies; –).

1. Consistency and discipline are key: If you do it, do it right.

Fitness success is about showing up every day and executing your plan. Sometimes, you take days off unexpectedly, or life gets in the way, but those are exceptions, not the rule. When you show up, you do what needs to be done, and you do it with proper form (or you can get hurt). The same is true for cybersecurity. If you create policies, segment your network, add users, or respond to alerts, do them right. Don’t just click on that email, dismiss that alert notification, or create a new user because you got an email. Make sure you do it right. If you take shortcuts, your network could get hurt. Just like pulling a muscle because you didn’t warm up can take you out of commission for a while, clicking on that notification without thinking might be letting in a hacker with an MFA bombing attack vector for initial access.

2. Grind it out: Regular improvements make a huge difference in the long run.

I use a connected fitness device called Tonal for strength training. One of its greatest assets is adding a single pound of weight to a move when it thinks the user is ready to handle it. It also tracks your overall strength score (at a per-muscle group level), and these small increases add up over time to double or even triple your strength score. Regular improvements in OT cybersecurity include segmenting a few more devices into their own segment or process group, narrowing down the protocols allowed to specific devices, or adding/removing a user to a particular group of users. These small actions improve your cybersecurity “strength” score to block more risk and minimize your attack surface. Make it a priority to do this regularly.

3. Leverage technology: Make sure you address all facets of the problem

I mentioned Tonal (strength) above, and I also use or have used Peloton (running, biking, and rowing), Form (swimming), and Fight Camp (boxing) - all connected fitness devices that take away the need to hire a personal trainer, while still getting some of the best advice from experts in the field. Each system has a set of “programs” that ensure you look at the big picture when working out. Rather than just “do a run” or “lift some weights,” you follow a guided workout routine that makes sure you are improving all parts of your body. If you only monitor your network, then you are not preventing attacks. If you have an excellent recovery plan but no plan to avoid getting attacked, then you are not looking at the big picture. Make sure you address every phase in the Zero Trust Strategy.

Don’t skip leg day. Don’t forget to implement passwordless remote access.

Just Do It.

BlastWave (with our partner Dragos) discussed this last week in a webinar focusing on all aspects of Zero Trust Cybersecurity for the DoD. The goal was to show that you needed a solution for all parts of your Zero Trust strategy, especially for OT networks. If you missed it, check it out here (link)