Organisations typically need to rethink what they believe they already know about cyber security when shaping their future strategies for protecting critical national infrastructure (CNI), according to Mike Gillespie, managing director and co-founder of security consultancy Advent IM.
“Instead of focusing only on resisting cyber attacks, organisations need to look at how they can be more resilient,” he told the CNI security track of the International Security Expo 2018 in London.
Gillespie noted that most organisations that suffered as a result of the WannaCry and NotPetya attacks were not resilient enough to enable rapid recovery.
“Once the systems were taken offline, they were unable to restore them without significant disruption to the business and in some cases loss of data,” he said.
A recent survey revealed that 70% of organisations polled would opt to pay the ransom if they were hit by a ransomware attack.
“Another piece of research indicates that organisations would rather put money aside to pay to get data back than invest proactively into the defence of the organisation and building resilience,” said Gillespie.
As well as being unwilling to invest in resilience, many organisations fail to recognise that every one of them is a potential target for cyber attacks, he said.
“Many organisations say to me that they are not an attractive target, but every organisation is an attractive target because in cyber space they are just a point of contact on the internet that can be exploited to reach an end goal,” said Gillespie.
Organisations are failing to recognise or understand that attackers typically go after the weakest link in a supply chain or any other ecosystem to gain a foothold and work through to find the ultimate target, he said.
A well-known example of this is the attack on US retailer Target, where attackers were able to gain access to a database of 45 million payment card details by attacking a poorly defended air-conditioning maintenance portal used by a third-party contractor.
“The portal was effectively a poorly protected back door that ultimately enabled attackers to get into the Target network and access the payment card data they were after,” said Gillespie.
“This is just one of dozens of examples of where the original breach comes in through a poorly protected back door, and often they are back doors that are unknown to the core IT teams.”
Returning to the theme of resilience, Gillespie said that in 2017, a government report identified cyber as a tier 1 threat to the UK’s critical national infrastructure.
“The report noted that market forces had failed to result in the expected level of resilience in the critical national infrastructure in the face of the fact that more than 30 nation states are known to be developing an offensive cyber attack capability,” he said. “But according to a recent parliamentary report, 16 months later, the government has failed to act with urgency.”
UK attack imminent
The report went on to say that a major cyber attack on the UK is a matter of “when”, not “if”, and that there is an expectation that the UK will suffer an attack on its critical infrastructure in the next 12 months.
“The report’s authors were struck by a lack of political leadership, and perhaps that is down to Brexit or GDPR [General Data Protection Regulation] getting in the way, but perhaps there is actually what we see in research as apathy towards this at the senior levels of leadership in parliament and in CNI.
“There is an unwillingness to accept that this is a real threat, an ignorance about what cyber threat actually means to them, an unwillingness to resource this adequately, and a continual belief that there is a magic cyber amulet that is going to protect us all.”
However, Gillespie said one thing he has learned in 30 years in the security industry is that no technology is the solution on its own. “You have to have a holistic approach, and the technology, if you are not careful, only makes the situation worse,” he said.
Another key challenge, said Gillespie, is that some of CNI is in the public sector, some of it in the domestic private sector, and a “considerable amount” is in non-UK private sector hands.
“In the UK, we are increasingly selling off our critical infrastructure to foreign industry, and CPNI [Centre for the Protection of National Infrastructure] still have this myth in their heads that when they tell the critical infrastructure providers to do something, they will jump and do it, despite the fact that half of it is not owned by UK companies any more and has no vested interest in protecting the UK’s critical infrastructure,” he said.
“They have a vested interest in making a significant profit out of our critical infrastructure, and may possibly be one of those more than 30 countries developing a hostile attack capability against UK critical infrastructure.”
Gillespie also highlighted the security risks associated with the increasing number of internet-connected devices that are being put into homes and businesses.
“We are becoming more interconnected as individuals and businesses, and we are putting millions of devices onto the internet in an insecure manner, some of which are making it into our networks and are connected to our critical infrastructure,” he said.
The next point of concern, said Gillespie, is that, according to government statistics, 99.9% of all successful attacks exploit a vulnerability that has been known about for a year or more. “So we get told that systems are vulnerable, and then we leave them vulnerable,” he said.
“And this is really no better when it comes to CNI. This sector is not magically much better at patching systems. Actually, we have a toxic mentality that because we are CNI and we are somehow air-gapped, that patching is much less important to us.”
The reality, he said, is that two-thirds of CNI firms have suffered service outages in the past two years, of which 35% were due to a cyber attack, while 11% of CNI organisations admit that they do not always ensure that critical vulnerabilities are patched.
One of the key findings of the data handling review that followed HM Revenue & Customs’ loss of 25 million records in 2007, said Gillespie, was that organisations should have an information asset owner who can identify what information they have got, why they have got it, what its purpose is, what its value is, who it needs to be accessed by and who it needs to be shared with, and make sure information risks are properly identified.
“Fast forward to today, and how many of our CNI organisations have got anywhere close to that?” he said. “The reason so many organisations had a panic six months ago about GDPR is because they did not know what information they had, why they had it or what its purpose was, who needed to have access or who they’d even shared it with.”
Cyber preparedness survey
According to a 2014 BT cyber preparedness survey, only 17% of UK business leaders saw cyber security as a major priority, compared with 41% in the US. “There is no updated statistic, but from experience, four years later, I would not say we are a lot better than that today,” said Gillespie.
All things considered, he said, it is time to ensure there is real and positive security culture change led by senior leaders in UK business, including CNI, or all the security policies in the world will be worthless in improving organisations’ security posture.
“There is a massive gap between what we say we do and what we actually do, and some of the biggest offenders in breaching organisational security policy are senior managers and members of IT security teams,” he said. “These are the two groups that seem to think security does not apply to them because the culture is all wrong.”
According to Gillespie, the UK needs to address its corporate security culture, the lack of understanding of information assets, and the “abject inability” to keep critical infrastructure safe.