The critical infrastructure providing the most basic foundations of our society is at threat. As we continue to move our traditional technologies online, our core systems that ensure our societies remain running are at an ever-increasing risk of attack. By 2025, leading analysts from Armis predict cyber attackers will have weaponised operational technology, damaging the core of our societies and opening up new significant dangers to our way of life.
However, this is only the beginning. According to the European Parliament, it is expected that by 2025, cyber crime will cost the world economy around $10.5 trillion annually whilst ransomware attacks are expected to accelerate to every 2 seconds by 2031. These issues are only heightened by internal challenges our organisations face. According to ISACA’s “State of Cybersecurity 2022” report, 62% of European organisations feel they lack the cyber security professionals necessary to implement their strategies coherently. Meanwhile, new challenges continue to open up through geopolitical threats as well as new technologies hackers are taking advantage of in their daily pursuits of our critical infrastructure.
To overcome these challenges, we require high-level skills, succinct processes, new technologies, and thorough awareness to maintain cyber security at the forefront of our businesses’ concerns and ensure the safety of our society. Nevertheless, most of all we require communication. This is to ensure expertise throughout our cyber strategies, as by working together with our peers, we can help to protect ourselves from common threats. Hence, in this context, we sat down with some of Europe’s leading cyber security voices speaking at the upcoming 10th Edition of the Cyber Security for Critical Assets Europe Summit to ask: What do you perceive as the most pressing challenge facing your cyber strategies today, and what is the best piece of advice you can share with your peers?
Ben Ramduny, Chief Information Security Officer and Deputy CIO, Neptune Energy
“My most pressing challenge is equipping my teams with the soft skills needed to be effective in communicating the risks, influencing the business to change and leading IT to implement change.
Finding technically competent analysts or highly organised compliance leads or deep risk specialist or OT technicians is not my problem. Finding these people who can also talk to the business, build credibility, relationships and a desire to change is where the challenge is.
Writing a cyber security strategy is bread and butter, good and ChatGPT can do that for you, making it real and changing an organisation’s culture requires a team of people who can get everyone excited about the need to do something without resorting to FUD.
My advice is to build a training programme for you people that focuses as much on soft skills and leadership as it does in technical competence. The value a technically competent person can deliver is magnified many times if they are also well versed in soft skills. Our training programme includes, presentation skills, how to talk to non-technical people about technical topics, negotiation skills and understanding then using knowledge of people’s different personality colours to communicate better”.
Thomas Mortsell, CISO, Aneo
“The most pressing challenge facing cyber strategies today is not the strategy itself, but to get a full understanding of the company strategy in development. With that I mean insight into the company strategies and plans usually kept secret by the board or board of directors, and those that express future development plans for the company itself. The reason I find this challenging is that lack of insights makes it harder to build and develop the corresponding cyber strategy to match the business plans, and therefore harder in budget and activity planning. On top of that it also makes it harder to make the board and directors to fully understand that the wrong cyber strategy may put the business plans or stock value at risk. CISO and CIO must be included and informed about relevant company secrets to ensure their strategies, capabilities and capacities enable proper protection and support to the business”.
Christos Syngelakis, CISO/DPO, Motor Oil Hellas
“What do we have to face? An ever-increasing number of recognized problematic implementations appear in every aspect of activities that have been running for years or others that simply want to be done immediately. In what environment should these be addressed? In an environment where threats turn into dangers at a rapid pace, with a clear technological solution. However, a bigger problem is probably the limited human resources that are available and can be involved in solving the issues that concern us. And it certainly takes time, a long time, which runs hopelessly slow knowing that the problem is there and threatening us accordingly.
Our problem is to set up a strategy that will consider these risks, opportunities and priorities. A strategy that, in the eyes of those who will have to embrace it and take ownership, will be understandable, realistic, rational, and feasible. This is not a wish list.
In our professional meetings and conferences, I believe that we should share our problems, not necessarily their magical solutions. Because magic solutions do not exist, Meanwhile transparent discussion of experiences may finally give some of us the possibility to find a way to overcome some of the problems.”
Antonio Courbassier, Cyber Security Manager – Industrial Control Systems Governance, Norsk Hydro
“ICS asset management is still one of the biggest challenges, the lack of visibility also means it’s difficult to look for security gaps and vulnerabilities, defend against configuration errors, sideloading of malware via technical attacks or command injection attacks by rogue network elements.
Clear network and asset visibility is integral to protecting your organisation. Investing in new technologies will help to overcome this challenge, however the technology by itself does not solve it all. As most tools employ passive asset discovery and traffic analysis to preserve the operational integrity, it is important to engage the right personnel, so the tool is placed properly on your network, providing much better accuracy and visibility. Multiple passive sensors may have to be deployed depending on the network topology.
Just tapping the tool to core switch/routers may not have visibility into the local traffic of the distribution switch, i.e. traffic between critical assets attached below the same distribution switch.”
Trish McGill – Sr. Subject Matter Expert Cyber Security IT/OT
“As technologies advance, at a very high speed, so do the skills of hackers seeking to exploit vulnerabilities. In order to cause disruption in any shape or format, hackers look for vulnerabilities that have not yet been discovered. The constant technological evolution is a catalyst for them to easily find new flaws to exploit.
What will happen to the trust online? Will more people go back to analog, because nobody knows if a robot or human is your conversation partner online.
How about the mixed blessings of AI? Vast innovation and improvements on the upside. On the downside, AI will also lead to innovation in cyber crime.
We need to anticipate and address tomorrow’s cyber security challenges to stay ahead of the curve. There is progress in cyber security, but at the same time we are more connected than ever before and are providing hackers more opportunity…
Stay ahead of tomorrow…”
Maurice Snoeren, OT Security Officer NL, RWE
“One of the pressing challenges is securing the interfaces that connect our critical control systems (OT) with other infrastructures. Keeping things simple and standard over the different factories is an important topic for us to be able to protect and secure our critical assets. On the other hand, digitalisation requires more and more connections. Besides our own digitalisation transition, our suppliers are exploring this digital landscape as well. Proposing many solutions to improve their services and support, which is obviously not a bad thing. You can think of remote support or continuous monitoring to improve maintenance activities or solving problems remotely in a fast manner. To support this, suppliers often propose different interfaces in the form of IoT, wireless networks or 4G modems. Resulting into a more complex and interconnected OT infrastructure. If we do not do anything about this, the security of your critical assets is at stake!
My advice is to really separate IT and OT at least on a technical level. Do not integrate your OT with your IT infrastructure. Both environments are really different in terms of operations, maintenance, governance, culture, design, processes and security. Keep your OT environment as simple (or dedicated) as possible. This reduces the attack vectors to your critical assets significantly. Don’t allow wireless modems (4G) to be directly plugged into your OT environment to extract information. Instead, create a standard secure interface providing all the data that is required by your suppliers. Really think about which interface is really required to be implemented. Almost everything is technically possible, but is it also necessary?”
Wayne Harrop, Ast. Professor of BCM (fmr Director) Centre for Disaster Management, Coventry University
“The most pressing challenges facing OT/IT cyber strategies are in essence a collective fivefold problem. While they might vary slightly for each organisation, those involved will recognise these familiar patterns: (1) Keeping pace with rapidly evolving cyber threats (including non-traditional geopolitical domains), especially in a workplace with a skills shortage. (2) Dealing with poor buy-in, inattentive culture, and inconsistent leadership support. (3) Monitoring generative and adaptive technologies that are likely to outpace the organisation’s defensive posture, while simultaneously learning how to integrate protective technologies into the cybersecurity portfolio. (4) Establishing stronger asset discovery, rating vulnerabilities better, and maintaining supply chain security management assurance. (5) Meeting increasing Governance, Risk Management, and Compliance (GRC) outcomes driven by partners, customers, regulators, and competent authorities.
Organisational strategies must incorporate continuous and expansive learning to address increasingly complex and asymmetrical threat vectors. These strategies must involve building layered defences between IT and OT convergence and should robustly demonstrate combined IT and OT incident response capabilities. Internal support must be garnered, and supply chain security must be maintained, all under the umbrella of growing GRC requirements, legislation, and new directives. Effective risk assessment and prioritisation are critical factors, but crisis management and Business Continuity Management (BCM) need to be better aligned with C-SIRT settings. Engineering organisational learning will be central to positively amplifying a culture of vigilance, adaptation, and collaboration. A strong focus on sustainability and renewable technologies will shift the focus, and therefore, resilience MUST be a pivotal part of the next strategic infrastructure renewal and asset management phase.”
Tony Proctor, Senior Security & Information Risk Adviser, West Midlands Combined Authority
“Ensuring cyber resilience – that’s the key challenge. Being able to effectively counter the most widespread threats (e.g. ransomware) but not just focusing exclusively on them. Making sure that there is a good understanding of risk throughout organisations”.
“To share with your peers? Discussing the issues that we all face with appropriate people in a suitable forum can really help in securing organisations. We safeguard our data with a “need to know” and can therefore be reluctant to share our own challenges and experience. But done carefully, this information sharing can make a considerable contribution to resolving and preventing issues, providing reassurance, improving awareness and in some cases facilitating mutual assistance during a crisis.”
In this context, CS4CA Europe brings together cyber security experts from across Europe’s critical industries to London on the 26th – 27th September 2023 to discuss the key issues our cyber strategies face today. It will discuss a range of key themes including:
- Overcoming the cyber security threat landscape in critical infrastructure, through addressing challenges brought about through ransomware, insider threats and malicious actors in light of Russia’s invasion of Ukraine.
- Ensuring assets remain safe and secure throughout digital transformation efforts by addressing common concerns surrounding IT-OT Convergence & Investment struggles.
- Responding to NIS2 and other new frameworks throughout Europe to allow assets to stay protected.
- Guaranteeing success through cyber security strategies, with discussion on ensuring effective leadership, overcoming the skills gap and strengthening supply chains.
- Driving discussions surrounding new technological opportunities and threats, such as those brought by AI, Machine Learning and Quantum Computing.
- Looking ahead to the future through developing and deploying effective responses to the issues of today.
It remains imperative that we continue to communicate and advise each other to stay one step ahead of the biggest threat actors, ensure you book your tickets fast for CS4CA Europe. Here you will learn more from some of the top cyber security experts from across Europe, which will help you learn how you can best stay secure looking into 2024.
Limited free passes available to asset owners* with code: JCPASS
*Exclusively for senior operators of critical infrastructure / assets owners
