Really not, like you don't have to be kind of a weird person to be
constantly hovering around your PC being situationally aware having it all wired,
the telemetry pouring out, you're constantly monitoring the safety and
security of your PC.
Very unlikely that you're going to do that on an individual basis.
But if you're dealing with the transportation sector, or
you're dealing with the military or power, then you are absolutely doing that.
And I think it's a good kind of first view of how different
protection methods might be for something small, something large.
Small things can be manual, large things can't be manual,
you have to have some way of scaling.
Small things can be in some sense, they don't have the need to scale.
You don't need to be able to measure how quickly something can be deployed when you
scan your PC at home.
If it takes an hour or two [NOISE] no problem.
You want to deal with scale when you've got thousands or tens of thousands or
even millions of components, suddenly scale matters.
Like if you want to run scans on all of these things and
they each take two hours you may have a problem, so
you have to attend to fundamentally different set of concerns.
So this idea of situational awareness is one that I think is pretty useful.
But a more interesting one frankly,
that illustrates the difference, is something known as diversity.
Now diversity means intentionally introducing difference in an ecosystem.
So for example, I'll give you a contrary example.
There's some companies,
like here in the US there's an airline called Southwest Airlines.
I can show you a picture here of all the airplanes lined up at an airport.
Southwest, in order to keep their costs low, in order to keep sort of the training
and the operations kind of uniform through the whole fleet,
they fly one kind of airplane, 737.
Good idea, these are all wonderful jets.
And it allows the training and the operation to be the same.
They're all the same.
They don't have ten different kinds of airplanes.
But suppose
the Aviation Administration of the United States decided to ground that jet.
Well, that would cause a big problem because they don't have great diversity.
Now again, this is not cyber issue,
I'm just trying to illustrate the strengths and weaknesses of diversity.
In contrast if you look at it sort of as a bio-diverse ecosystem in a beautiful
picture here of an ecosystem.
Where you've got lots of different foliage and plant life and animal life and
other types of things, bacteria, and soil and everything is different and
they all work together in a very symbiotic and diverse manner.
It be different to take something like this out with say one crop disease
by taking one segment of the very diverse population out, but
it wouldn't take everything out.
So the idea say for your PC to have diversity doesn't make sense,
because you're going to pick an operating system, you're going to pick applications,
you're going to just be what it is.
But in a large ecosystem around some critical infrastructure component,
you might decide specifically to introduce diversity into that populous.
Meaning lots of different operating systems, lots of different applications,
diverse network technologies, diverse geographic regions, and on and on and on.
The reason being, that if somebody attacks one component of that infrastructure
sector, it will not easily cascade across to other sectors.
This idea of cascading is a weakness in a non-diverse ecosystem.
When you have everything the same, a bazillion Windows computers
are vulnerable if they're all connected together.
If somebody's got a killer virus for Windows, it's going to cascade.
But if I introduced five other operating systems and sprinkle them around suddenly
my Windows virus that comes in will only cascade to other vulnerable systems.
When it hits a diverse interface,
hits something that's not willing to accept that virus, it stops.
You can see how that's a good way to stop cascading.
No meaning in the context of a small system.
Fundamental consideration in the context of critical infrastructure.
And the reason I think it's such an interesting one is that IT and
system managers generally hate it.
[LAUGH] And so the problem we have, in cybers is once in a while we hit on
something that cybersecurity experts want, but IT folks don't like too much.
And diversity is the poster child for that.
A contraexample would be virtualization, where data center managers and
CIOs and IT managers love virtualization.
It reduces, costs, improves flexibility and
security people should love it as well because it allows us to microsegment and
to shrink wrap perimeters without hardware and on and on and on.
So it's not always the case that we're at odds, but for critical infrastructure I
think you want to keep in mind that there's going to be a fundamentally
different set of protection measures that we use than for small.
And occasionally, we may find that they're somewhat at odds with our IT partners.
Now I got a little quiz here, and the answer's all of the above.
Those are all true statements with respect to critical infrastructure.
So I hope this has been a helpful introduction to something that I really do
think anyone who considers themself a cybersecurity expert
has to have some facility with.
And if you are a decision-maker, particularly in government, then I hope
this has helped clarify some aspects of cybersecurity in a larger context.
I'll see you in the next video.
