“Essentially this is moving forward with the government’s cyber security information sharing partnership [Cisp], which has been the starting point of sharing best practice, challenges and collectively trying to bring a plan together,” he told Computer Weekly.
However, the NCSC will be mainly focused on essential services and critical national infrastructure (CNI), said Millett, who is a member of the advisory board of the Cyber Rescue Alliance, director at resilience firm Albany Pearl and former head of resilience at E.ON UK.
“If the broader business community continues to fail to recognise the challenges of the threats out there, they will continue to be left behind,” he said.
“The government has a huge challenge in not losing sight of those industries that fall outside the providers of CNI and essential services, but are truly the backbone of UK business, and that includes small to medium-sized enterprises [SMEs].”
Millett believes that what currently sets essential services firms apart from other businesses in the UK is a real understanding of the cyber threats they are facing.
“They know there are lots of bad people out there that want to do bad things. They have had the blinkers removed and, by sharing collectively incidents they have had to respond to, they have learned collectively,” he said.
This is, in large part, thanks to governments around the world providing platforms for engagement, he said, such as the UK’s Cisp, now under the NCSC.
Governments need to move away from classifying too much information around cyber attacks, said Millett, so that more useful information can filter down to businesses faced with similar threats.
Millett praised the US for sending a team to Ukraine, with the aim of understanding what had happened, in the wake of the December 2015 cyber attacks that cut power supplies to around half the homes in Ukraine’s Ivano-Frankivsk region for several hours.
“But trying to get an official stance and trying to get some information was problematic from a UK point of view, while the US government was quick to publish a report, which was far in advance of what was being done in the UK,” said Millett.
“We need to declassify information so that collectively we talk about it in a language that people in ordinary businesses can understand, including SMEs, because SMEs need to be secure to avoid being a way in for attackers targeting businesses higher up the supply chain,” he said.
According to Millett, many larger organisations are still failing in the procurement process to understand the vulnerabilities of suppliers and how suppliers are managing those vulnerabilities.
“Even when companies are looking at vulnerabilities at the procurement stage, few are following up to audit and test. While organisations are keeping an eye on changes in their own organisations, they are blind to changes inside suppliers, which, if not managed, could lead to new vulnerabilities,” he said.
The only way organisations can be truly resilient, said Millett, is to look at the business from end to end, which includes every organisation that enables that business to deliver its products and services.
“Historically this has been called business continuity, and the only way you can enable continuity of your organisation is to make sure all your suppliers can deliver as well,” he said.
One way of doing this from a cyber security point of view is to use monitoring and assessment services, such as those offered by SecurityScorecard.
“Such services can assess the security vulnerabilities of your supplier, which from a technical point of view may be linking into your networks,” said Millett.
“The whole business continuity resilience model is out there, organisations just need to embrace it by ensuring that they put the right resources and the right cost model in place to build a resilient organisation,” he said, reiterating his theme of resiliency at the (ISC)2 Emea Congress 2016 in Dublin.
Building resilient societies
Governments have the same duty and responsibility, said Millett, to build resilient societies. “It is multi-faceted, but it has to be done in the light of the fact that governments are giving more inter-connectivity to society.
“From an energy point of view, they are trying to give control back to customers through smart meters by linking energy-saving devices. But, at the same time, governments have to educate and engage with society on the security aspects,” he said.
However, Millett said that, despite all the doom and gloom, his first-hand experience in the CNI sector shows there is a great deal going on to ensure that disparate systems that were never intended to be connected to networks remain secure, and that new systems being developed are secure by design.
“It would be doom and gloom if we were not talking about the possible issues, if we were not recognising that there have been attacks on critical infrastructure, and if we were not recognising the need to think differently about the security challenges,” he said.
There is a lot of good work being done, he added, to ensure that infrastructure is secure and that blackouts do not happen. “We are talking about it, we have the ability to prepare, we have the ability to think the unthinkable and we have the opportunity to defend critical networks,” he said.