Tell us a little bit about yourself, and your background…

My background in industry spans the development of cyber security solutions across UK Government and Defence, Electric Power, Oil and Gas, Telecommunications and Financial Markets. My roles have encompassed cyber security strategy, resilience, architecture and design, red teaming, security operations centres, incident response management, data protection and privacy, cyber threat intelligence and risk management.

As Professor of Cyber Security at De Montfort University, I focus on the protection of industrial control systems and operational technology within critical national infrastructure.

Q1: What are critical infrastructures telling us and what are they struggling with the most?

I think the area that critical infrastructures, and indeed large organisations in general, are struggling with is resilience. Continued operations are dependent on the people that deliver them, and working in an environment shaped by COVID-19, where key staff may be unavailable, is likely to be challenging. The expertise sits in people, and although we try to codify this understanding into policies and procedures, we are still reliant on knowledge and experience. This is amplified in control systems, which, as we know, may have been in place for a number of years and not well documented. Factor all this into the mix of an evolving risk landscape, and maintaining the assurance of your operations is something most organisations will struggle with.

Q2: What is your advice for companies looking to baseline and start their OT security journey?

Fundamentally, companies should look to understand the entirety of their OT estate, then ask themselves which elements of their business, across people, processes and technology, are essential to continued operations. The scale of OT implementations can be significant in critical infrastructure organisations, and sometimes the magnitude of the problem can overcomplicate the analysis. Companies are unlikely to have the budgets or the risk appetite to try to secure everything at once. Instead, by working out which components are critical to their operations, they can start a prioritised and risk-justified journey towards overall protection of their OT estate.

Q3: Once IT and OT converge, they can effectively work together to create an advanced industrial environment that is productive, safe and secure. What are the steps these teams should take and the questions they should ask?

Teams should ensure they understand the interdependencies of the IT and OT estates. We see a tighter coupling of IT and OT to provide faster information exchange to underpin improvements in operational efficiencies. This tighter coupling, however, provides opportunities for misuse of the equipment, either intentionally or accidentally, that can have a negative effect on the ability of a critical infrastructure provider to maintain services. I tend to look at the problem from the viewpoint of a threat actor, and ask myself eight questions:

1. Which devices are attractive to a threat actor?

2. Can we better protect these devices?

3. How interdependent are the IT and OT, and what routes exist to reach these devices?

4. What events would occur in an attempt to access and manipulate these devices?

5. How and where can we deploy sensors to detect these events?

6. How will we determine which of the possible alternate routes to a device are being used by an attacker?

7. How can we predict an attacker’s next activity?

8. What does our incident response and recovery plan need to describe and test in order to mitigate residual risks identified?


Typically, the steps I would suggest a team takes to address these are:

1. Model the potential attack behaviour based on threat intelligence.

2. Analyse the deployed IT and OT architecture to identify those assets essential to the continued operation of the critical infrastructure.

3. Assess the various routes that exist from the likely initial points of compromise to the critical assets.

4. Overlay the potential attack behaviour onto the routes that exist to the critical assets to determine the courses of action available to a threat actor.

5. Identify the security testing and remediation necessary to better protect the critical assets and the devices that provide a route to them.

6. Determine where you require sensors and endpoints to detect threat actor activity.

7. Update your incident response and recovery plans in light of the assessed threats to the critical assets and the residual risks you carry that cannot be mitigated by better protection or detection.
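Steps 2 to 6 above, worked through as an added example (this is not Allan's code or method and not part of the interview): a constructed IT/OT topology, enumeration of every route from an entry point to the critical assets, ranking of the intermediate devices that most routes pass through as sensor candidates, and a check of which alternate routes a chosen sensor set would miss (question 6). All device names, links, entry points and critical assets are constructed for illustration.

```python
from collections import Counter

# Constructed example topology (not a real site): each device lists the
# devices an attacker could reach from it (network access, shared
# credentials, engineering tooling). Fill from inventory and threat intel.
NETWORK = {
    "internet": ["vpn_gateway", "corporate_mail"],
    "corporate_mail": ["office_pc"],
    "office_pc": ["file_server", "historian"],
    "vpn_gateway": ["jump_host"],
    "file_server": ["jump_host"],
    "jump_host": ["eng_workstation", "historian"],
    "historian": ["scada_server"],
    "eng_workstation": ["plc_substation"],
    "scada_server": ["plc_substation", "plc_turbine"],
    "plc_substation": [],
    "plc_turbine": [],
}
CRITICAL_ASSETS = {"plc_substation", "plc_turbine"}  # output of step 2
INITIAL_ACCESS = {"internet"}                         # likely entry points

def attack_routes(graph, sources, targets):
    """Steps 3/4: enumerate every simple path from an entry point to a
    critical asset, i.e. the courses of action open to a threat actor."""
    routes = []
    def walk(node, path):
        if node in targets:
            routes.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # simple paths: never revisit a device
                walk(nxt, path + [nxt])
    for src in sorted(sources):
        walk(src, [src])
    return routes

def sensor_candidates(routes):
    """Step 6: rank intermediate devices by the number of routes through
    them; a device on most routes is a choke point worth a sensor."""
    return Counter(n for r in routes for n in r[1:-1]).most_common()

def uncovered_routes(routes, sensors):
    """Question 6: which alternate routes would this sensor set miss?"""
    return [r for r in routes if not set(r[1:-1]) & set(sensors)]

if __name__ == "__main__":
    routes = attack_routes(NETWORK, INITIAL_ACCESS, CRITICAL_ASSETS)
    print(len(routes), "routes; top choke points:", sensor_candidates(routes)[:3])
    print("missed by a jump_host sensor:", uncovered_routes(routes, {"jump_host"}))
```

Routes the sensor set misses are the residual risk that step 7 feeds into the incident response and recovery plan.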

Q4: What are your predictions on industrial cyber security in 2021?

I think the main focus of critical infrastructure providers in 2021 will be on developing resilience in a world where pandemics may become more frequent. We’ve all experienced the disruption to our lives as a result of COVID-19, and epidemiologists suggest it is possible that we may see similar pandemics in coming years. Regardless, I think it has become apparent that as a nation we need to develop greater resilience to incidents of this scale.

Q5: We can probably agree on the fact that cooperation is key. How do you think we can achieve industry-government-academia cooperation to build the components of an ecosystem security framework?

It’s essential that we focus on agreed priorities. Each type of organisation brings a different perspective and set of capabilities. Academia can bring new concepts, technologies and ways of working. Industry, as the providers and operators of critical infrastructure, can define the detail of the challenges they face and assess the real-world utility of any solutions at scale. Governments should define national priorities to protect our wellbeing and prosperity. If we combine these, we could build an ecosystem that targets our efforts on high-priority issues. To enable this, we need a forum to better exchange ideas and agree the priorities.

Thank you to Allan for the insights shared during this interview and for his involvement, as a Steering Committee member, in the upcoming CS4CA European Summit.


Keen to learn more about the state of industrial security across Europe?

Join us at the CS4CA summit, October 6th & 7th in London, to connect with critical infrastructure leaders across the region and hear from expert speakers including:

  • Andy Powell, CISO of Maersk
  • Stuart Okin, Head of Security Privacy & Resilience at Ofgem
  • Cristian Cucu, CIO of Nuclearelectrica
  • Claudio Bolla, Group Information Security Director of INEOS
  • Cesar Ramos, Head of Cyber Security at Iberdrola
  • Nicola Caramella, CISO, Ansaldo Energia

View the full line-up at: europe.cs4ca.com/speakers

Or check out the online agenda here: europe.cs4ca.com/agenda