voyager624 - Fotolia

Security by design vital to critical infrastructure, say experts

CNI industry needs secure products, from secure suppliers, with secure development lifecycles, say CNI experts

Security by design is crucial to the security of critical national infrastructure (CNI) in a hyper-connected world, a panel of experts has told Infosecurity Europe 2015 in London.

They said the CNI industry needs secure products, from secure suppliers, with secure development lifecycles, which then need to be integrated and connected to communicate in a secure way.

“But those are three issues that we have not quite got fixed yet,” said National Rail head of cyber security Peter Gibbons. “We need some real industry standards on the provision of secure products in a secure way, and that will help CNI suppliers on the journey to connecting it all together."

Gibbons said it is vital to start with a clear foundation of a secure product based on a clear set of requirements. “If we don’t do that, we are on a hiding to nothing, spending millions on security products on top of our core infrastructure because it was not built securely enough in the first place,” he said.

Gibbons added that CNI suppliers should ensure that security is driven into products by understanding their security requirements and then insisting that these are met by suppliers through product development. “Historically we are good at telling suppliers what we would like products to be, but not at what we don’t want them to be," he said.

“As a result, we have tended to end up with products that do what they are supposed to do, but that are not necessarily as secure as we would like them to be, and then we throw all manner of product on top to make it secure.” 

Read more about critical infrastructure

Product development key

Similarly, the panel said, secure product development is key to next-generation systems that will gradually replace legacy systems, which are not designed for the new hyper-connected world and typically present security risks because of workaround needed to enable things like remote access.

Automation will be one of the big opportunities for the next generation of systems used in CNI, said Cloud Security Alliance CIO and Intel Security European chief technology officer Raj Samani. 

“When we begin to connect systems up, amazing and remarkable things can happen. It is not necessarily a negative thing when it comes to CNI," he said.

Samani cited as an example an oil company in the Middle East that built and deployed one of the world’s first digital oil fields, giving the firm the ability to remotely control and manage offshore drilling from a central location. “The net result was increased oil production from 400,000 barrels to a million barrels a day from a brown field plant,” he said.

Samani added that there are now things like power substations and nuclear power plants coming online and providing enormous benefits to society. “But of course there are risks, and these need to be recognised and addressed,” he said.

Gibbons said not only automation but convergence will be key to future IT systems for the CNI industry.

“We need to think about what we currently see as the hard line between the IT systems of our business and control systems of our operational technology, because they are really the same thing," he said. “That line through the middle is going to get blown away, and our information systems will run the infrastructure.”

Read more on Hackers and cybercrime prevention