Last week I spent a fantastic three days at Infosecurity Europe in London, an innovative and immersive event for the information security community.
It was an inspiring event, where I attended conference sessions and met with both established vendors and new players in the information security market. The most interesting part though was the countless opportunities to network and take part in eye opening discussions with my peers, learning from and debating with one another about how to protect against the threats of tomorrow.
So what did I learn from the event:
It's all about Culture
One of the biggest recurring themes coming out for me was the influence and importance of culture and the need to embed a security conscious culture within manufacturing operations in order to protect ourselves and our businesses from the threat of cyber attacks.
Lets consider that Critical National Infrastructure (CNI) systems have a lifespan of 10-30 years, whereas in IT it is usually 5. The security culture adopted across OT environments needs to be different to that across IT to reflect this. This becomes a problem when we consider that there is somewhat of a skills shortages for security professionals specifically concerned with the OT environment. Most OT people are engineers and not security experts, and there is often a reliance on the IT team to bridge that gap. But are they fully up to speed with the unique differences with the OT infrastructure to provide the correct level of advise and support? Training needs to take place, but training budgets are often the first to be cut to reduce running costs, it becomes a vicious circle. How do we address this to build a more robust CNI?
Don't just detect, recover
The security culture also needs to not focus solely on security, but also on recovery. CNI should be running the Cyber security framework backwards to be more effective - Identify, Detect, Protect, Respond, Recover. You need to isolate response from recover. Most OT will respond in manual mode, like Norsk Hydro did, but there is a need to focus more on recovery and apply appropriate security controls.
Patch people as well as machines
There is a disbelief by people of the actual risk of a poor cyber security culture, often down to fear or just not knowing what to do. People don’t want to appear stupid, so don’t ask stupid question on security.
Security can also be seen as an overhead, contradicting digitalisation and the OT/IT convergence which aims to reduce running costs. Many OT people often just don’t know how to write a business case to then invest in cyber security. A move to quantitative (i.e £ cost if impact should happen) risk assessments and away from a qualitative, experienced guess should help. There are also strategic partners in the market who can help in this area if needed.
Businesses need to be strategic in their approach too, to assess what their absolute critical assets are and make sure they can recover these processes, and quickly. Then test and keep testing until it's muscle memory.
Proactive Protection
Another key theme that was recurring at the event was around being proactive around cyber security protection. Review the events of the past to look into the future.
The time it takes to detect a data breach or some adversary inside of your network is circa 200 days. By collating event data and hunting for threats and risks you can often uncover breaches much earlier. As new threats are released, searching for past events takes a proactive approach to security.
AI is not just about terminators
Artificial Intelligence is seen as the technology that will be most relevant in the next 12-24 months. Mainly used to reduce false positives in SIEM and for threat hunting, end point protection. Claroty has already been addressing this in its CDT and we've also been looking at other AI solutions to help give our customers the best level of threat protection and detection.
NCSC: Vision for a more secure UK
The NCSC shared their vision on how we implement proactive methods to build a more cyber secure UK. Some of their methods include:
- Block at the source – Such as local central governments that are utilising ‘Public Service DNS’ to remove and block threat source to stop devices reaching malicious content.
- Passwords – Spreading the word to change your password less regularly but to use a more secure password, 2 factor authentication and different passwords per system. Where there is a need to store credentials for other systems then a password manager should be used.
- Phishing Attacks – These are down from 6% to 3% but still pose a risk to organisations.
- Declassifying threat intelligence – More threat intelligence is being declassified and made publicly available to help combat cyber crime.
Use Frameworks to reduce risks in CNI
NIS-D is playing an important role in improving cyber security. With the rapid increase in new vulnerabilities and malicious actors, cross referencing real world attacks from the MITRE ATT&CK framework will provide a good method to validate how these attacks are identified and detected.
At SolutionsPT we closely monitor and follow the ever evolving cyber security threat landscape across industrial environments, partnering and aligning to NIS and NCSC guidance to make sure we fully understand what the risks are so that we’re able to support and advise our customers accordingly.
Attending events like Infosecurity Europe are great in keeping us up to date with the latest thinking and it was a great opportunity to learn and share my experiences with my peers. Helping me and SolutionsPT to bring to latest developments and thinking of the best protection methods to our customers.
If you're unsure where to turn and the steps to take to help secure your Critical Infrastructure get in touch and see how we can help you.
