More than half (59%, in fact) of respondents to the latest social media poll conducted by Infosecurity Europe 2019 believe that an attack on the UK’s Critical National Infrastructure (CNI) is likely this year. As more devices, systems and infrastructure are connected to the Internet, the cyber and physical worlds are becoming increasingly linked, and in turn opening up new attack vectors.
Attracting 12,100 responses, the Infosecurity Europe Twitter poll was conducted during the week of 4 February. Infosecurity Europe also asked its community of CISOs about the challenges presented by the increasing convergence of cyber and physical domains and how security can be managed in a cohesive way.
The responses to Infosecurity Europe’s poll also indicate that organisations in all sectors are not properly prepared to manage security effectively across both the cyber and physical environments. Lack of collaboration and low levels of awareness of key legislation appear to be the biggest problems.
According to Ciaran Martin, head of the UK’s National Cyber Security Centre, a major Category One (C1) attack on our CNI – one that disrupts essential services or otherwise affects national security – is a matter of ‘When’, not ‘If’.
Over two-thirds (68%) of respondents say the security teams in charge of their physical and cyber infrastructures never collaborate. This ‘disconnect’ leads to misaligned plans and conflicting priorities, while at the same time creating ‘silos’ that make it difficult for CISOs to gain full visibility of controls and risks across both the IT and Operational Technology (OT) environments.
Defence of critical assets
“Defending critical assets is a team sport,” explained Nigel Stanley, CTO and global head of OT cyber security at TÜV Rheinland. “IT, physical and OT teams need to get their act together and start to share and learn from each other.”
Kevin Fielder, Just Eat’s CISO, agrees. “The increasing convergence of the cyber and physical environments is inevitable. Managing this development in a cohesive way will strengthen enterprise security.”
According to Fielder, it’s the insider threat that needs most urgent attention. “Those intent on accessing money, information or IP will often find it easier to do so from the inside – and we’re moving towards a world where this can mean an immediate impact to life. The hacking of a building’s management systems, for example, could suppress a fire alarm or sprinkler system, or maybe even prevent people from leaving the premises.”
Only 16% of respondents to the Infosecurity Europe poll were aware of the EU’s NIS Directive – which is designed to improve the security and resilience of network and information systems – and its implications. The legislation, which was put in place in 2016, sets out security requirements that apply to all operators of essential services and digital service providers. Failure to adhere to these could leave security gaps that present attackers with ‘open doors’ through which they can access infrastructure and physical assets. UK organisations found to be non-compliant can be fined up to £17 million.
“I cannot believe that any cyber security leader in a sector impacted by the NIS Directive would be unaware of its implications for their business,” observed Nigel Stanley. “Lack of commitment to secure critical infrastructure is the worst sort of negligence. Forget what the regulators demand. Organisations should take the initiative and secure assets based on a proportionate cyber security and business-led risk assessment.”
Self-regulation: the way forward
Kevin Fielder suggests that, if the industry doesn’t take the lead, further regulation will follow. “It really is in our best interests to self-regulate and protect members of the public. If the industry doesn’t produce connected devices that are, by default, both secure and manageable over the long term, it will not take many real incidents for Government regulations to quickly materialise.”
Victoria Windsor, Group content manager at the Infosecurity Group, stated: “The security challenges resulting from the convergence of physical and cyber environments will take centre stage at Infosecurity Europe 2019 and for very good reason. Operational systems in every industry are being connected to corporate and cloud environments, with the safe ‘air gap’ between IT and OT no longer existing. Cyber risk is now impacting the physical realm. That being so, organisations must have effective management strategies in place. Technology such as unified threat management tools has a role to play, but it’s also vital that teams collaborate and communicate to understand blended cyber-physical attacks and develop joint approaches, plans and policies.”
*Now in its 24th year, Infosecurity Europe – for which Risk Xtra is an Official Media Partner – takes place at Olympia, London from 4-6 June. Each year, the event attracts over 19,500 information security professionals. 400-plus exhibitors will be showcasing their products and services. Upwards of 200 industry speakers are lined up to take part in the free-to-attend conference, seminar and workshop programme. For further information and to register your attendance visit https://www.infosecurityeurope.com*