There are a number of security challenges facing critical national infrastructure, according to Steve Durbin, managing director of the Information Security Forum (ISF).
These include 5G technology, parasitic malware, cloud services and the potential breakup of technology giants, he told the CNI security track of the Security and Counter Terror Expo in London.
“One of the biggest challenges to managing CNI is trying to predict or anticipate and being as aware as possible of the dangers that are out there,” said Durbin.
One way in which the ISF tries to help organisations to do that, he said, is through its annual Threat Horizon reports that detail key emerging threats.
Key emerging threats highlighted in the 2021 edition of the report, which is due for publication in April 2019, include the implications of digital connectivity, the increase in the digital cold war and businesses’ dependence on digital competitors.
The report breaks the threat horizon into a number of themes and threats, such as digital connectivity, which highlights the fact that organisations have become extremely dependent on digital connections for day-to-day operations and the need for a backup plan to deal with any disruptions.
“In terms of this theme, the top threat highlighted by the report is 5G, which will be rolled out fairly aggressively in the not too distant future, because of the way these technologies will effectively broaden the attack surface,” said Durbin.
“From a security standpoint and a business standpoint, it is significant because we are all interested in sharing information at increasing volume and velocity, which is essential for smart city infrastructure, autonomous vehicles, financial services, media and health services. The issue of latency is key.
“There isn’t an industry that is untouched by it, and if we look at that from a security standpoint, volume and velocity are two things that security people absolutely hate because it is very difficult to manage a security infrastructure with so much data moving so quickly.
“So while 5G is an enabler, it comes with some real challenges. This means we need to be aware of the implications of how operations could be disrupted or how reputations could be damaged if 5G technologies are compromised, and there have already been some proof of concept attacks,” he said.
The challenge, said Durbin, is in finding a way of protecting 5G infrastructure, and while governments can set an overall direction or strategy, he believes the onus will fall primarily on businesses. “It’s the businesses themselves that will have to protect against the threats.”
This means organisations will need to identify where 5G is going to be used. “That for me is the key opportunity. All too often, security professionals are late to the party. 5G hasn’t yet been rolled out, so there is an opportunity to look at how that might be used and to build in security ahead of time.”
Updating crisis management and business continuity plans
It is also essential for organisations likely to use 5G to update crisis management and business continuity plans. “Things will go wrong. 5G networks will crash and that will have very serious impacts because of the way it is going to be interconnecting devices.
“And finally from an organisational standpoint, we do need to be going into this with our eyes open. We do need to look at the contractual agreements that we have with the 5G providers and consider the overall range of services they provide, and therefore the implications that that has for the organisation.”
Another threat under the theme of digital connectivity highlighted by the ISF report is parasitic malware, which dates back to at least 2007. Although not new, Durbin said the challenge here is that with the increase in network capability, with the connecting of industrial control systems, internet of things (IoT) devices and other critical infrastructure, an opportunity is created for hackers, hacktivists and nation states.
“Tesla, for example, discovered some parasitic malware in its cloud environment that was designed to use computing power to mine cryptocurrency on the behalf of cyber criminals.”
This not only steals power and raises power costs, said Durbin, but also degrades systems because infected systems tend to run at full capacity, which can lead to unexpected failures. “If you think about that within an industrial control system environment or IoT-based environment, then those can have very serious implications.”
The challenge for organisations is to understand the likelihood of a parasitic malware infection, what that might look like and what they can do.
“Taking action is about going back to more traditional information security processes, it is about looking at how you can invest in plugins to block the malware, about updating patch management, and it is about paying special attention if you operate in an industrial control system environment so that you can identify these things.”
The digital cold war
The second key theme highlighted by the report, said Durbin, is of a digital cold war. The ISF forecast is that by 2021, the digital cold war will cause significant damage to business, that espionage will be “rife” as nation states increasingly target next generation technologies to steal intellectual property, and that cloud services will become a prime target for sabotage as government and critical infrastructure providers move to the cloud.
“From a nation state point of view, if you really want to enact significant damage to the economy, the cloud is something that you would want to target.”
Responding to these threats, said Durbin, is about deploying physical controls, it is about knowing who is coming into a work environment, and it is about blackout blinds to thwart spying using drone technology. “It is also about adopting a low-profile approach to research and development as well as putting in legal protections for intellectual property.”
When it comes to cloud, he said, it is about better understanding where cloud services are integrated across your business and understanding your dependencies upon them. “It’s also about reviewing your business continuity plans to ensure your business still runs in the event of a cloud service provider takedown.”
The third key theme highlighted by the report, said Durbin, is that of digital competition, in light of the fact that competing in the digital marketplace is becoming increasingly difficult due to changing regulatory frameworks, challenges to social norms and growing cyber threats.
“Despite all these, to stay relevant, organisations have to implement more and more complex digital transformation, and the first threat to consider is around the potential break up of big tech companies like Amazon, Google, Facebook, Microsoft and Apple.”
The future of tech giants
The ISF’s forecast is that by 2021, at least one of those tech giants will be broken up. “Already we are starting to see in Europe challenges to the way in which they operate, while in the US there is concern about the power and influence some of these organisations might have.”
Organisations need to consider how they would be affected if any of their key tech suppliers were broken up, said Durbin, adding that the potential disruption to the availability of products and services should not be underestimated.
“We also anticipate that attackers will be opportunistic in that environment, really looking at ways to get hold of your information and perhaps even hijack some of the services that organisations are being forced to move.”
In light of this threat, he said organisations need to understand their exposure in terms of specific tech giants, which will depend on things like whether or not they have multiple suppliers to help spread the risk. “It’s about reviewing your overall IT strategy and updating the resilience in the business continuity plans in the event of a break up.”
Another threat in this area that is particularly relevant to CNI, he said, is around rushed digital transformation because many of these new systems are being built on legacy. “And very few organisations are doing sufficient work to understand what that foundation might look like.”
A good example of this, said Durbin, is Equifax. “A US government investigation into the breach specifically called out the speed with which the company had grown, its inability to integrate and understand legacy systems from organisations that it had acquired, and therefore it raised the risk across the enterprise.
“Therefore it is important to understand how digital transformation is being brought about, providing the opportunity to review whether planned digital transformations have a sustainable dependency on legacy or underlying systems and to engage with business to ensure security is involved in the planning stage of any digital transformation. It is about understanding the risk and managing that risk.”
Taking a fresh approach to risk management
In light of these emerging threats, Durbin said organisations need to take a fresh approach to the management of risk. This involves understanding that information risk cannot be isolated because it “overlaps with and bleeds into” operational risk, compliance and legal. But that requires change within the organisation.
“We have to move away from the stovepipe approach of the past and we have to have much more communication across the enterprise. Ultimately, it is down to the board of directors who are responsible for the risk appetite across the enterprise, and the board needs assurance.
“It needs to know the organisation is prepared for the next unexpected crisis, that there is an adequate level of situational awareness across the organisation, that basic cyber protection measures are in place, that information risk management methods are being applied and that there is good practice being implemented,” he said.
“And it needs to understand all of that from the business perspective. It is about thinking through security implications, but in terms of the business and about working collaboratively with business leaders in that regard to determine the potential impact of threats and how to address them.”