As cyberattacks are ever evolving and becoming more advanced, it’s time for technology leaders to step up and ensure they have the right measures in place to maintain a robust cybersecurity programme for critical national infrastructure (CNI). We hear from Kim Legelis, CMO, Nozomi Networks, who explains the cyber-risks associated with CNI and advises on how to tackle them.
Nozomi Networks is an industrial-focused cybersecurity company founded in 2013. Being industry focused means the company secures CNI and the operating systems that run things such as water, power plants and manufacturing. These systems are separate from traditional IT networks. The company was founded to specialise in securing the operational technology (OT) environment, where even identifying the components present on the network is a challenge.
What is critical national infrastructure and why is there such a high cyber-risk associated with it?
The key to CNI is that it’s critical, it’s national and it’s infrastructure. In describing CNI, it is clear to those of us in the industry that it’s an area of particular concern because the impact of cyberattacks on CNI could have long-lasting effects on both the safety of citizens and on national and economic security. It is therefore an area of focus for industries and companies and of course, governments, which are putting in place voluntary or mandatory regulations to help improve security and raise awareness.
What are the cyber-risks that are unique to CNI and how does the cyberskills shortage exacerbate the problem? How does this have an impact on Europe?
The risks to CNI are very much related to the exposure of the operating systems that control them. So, in most CNI sectors, the systems that are critical are operating systems that manage the power or keep the water systems clean or run the transportation systems. However, the risks to these systems are unique and unlike those targeting traditional IT environments. These risks require special skills and special technologies in order to address them. Traditionally, 10-20 years ago, many of these systems were not connected to the Internet; they were isolated, but that’s not true anymore. As these systems have become modernised and as their operations have become more connected, new risks have been introduced. However, these risks can fortunately be mitigated. There’s a lot of good news around securing CNI now that didn’t exist five years ago, and there’s a lot of innovation that’s gone on in order to help manage the skills shortage. This is as much a human problem as it is a technology problem. I think everyone feels certain that the shortage of cybersecurity personnel is an issue that exposes CNI because expertise is limited and in short supply. From our perspective, one of the best ways to solve that problem is through training and education and giving an incentive for individuals to go into this profession. The other important aspect is that this problem will have to be solved using technology – for instance, Machine Learning and automation to carry out the tasks of identifying the risks that exist in CNI and OT environments.
You really must do three things to ensure you have cybersecurity within your operation, especially at the CNI operational level. That is: to know what you have in your network – you cannot protect what you don’t know you have. Gaining visibility into these networks has traditionally been an extremely difficult challenge and fortunately, technology now makes that possible through automated asset discovery. We have customers who, when they use the technology for the first time, automate discovery – it’s like they were blind and now they can see. So, the first step is to have visibility into what the network looks like so that you can monitor it. The second step is to be monitoring it for unusual behaviour or for known malware that exists. The third step is to make sure that you have programmes and plans in place to take action and to quickly mitigate risks that you’ve discovered through that monitoring. This is a place where testing and exercises can really help, so that humans can learn to react quickly and efficiently when incidents are simulated. The exercises help incident responders know how to digest the information they receive about risks and take action quickly.
How are governments in Europe approaching this issue of operational cybersecurity and CNI?
I think they’re tackling CNI and cybersecurity in many ways. In the EU, there is a regulation that has come into place, NIS; in other countries there are voluntary regulations; in the US there is NIST. All of these have critical elements that are required for CNI cybersecurity, ranging across some of the things that I mentioned around network mapping, monitoring, incident response and awareness training. Governments are therefore taking a wide range of approaches. They’re also collecting intelligence and sharing that intelligence confidentially inside of industries, so that risks targeting particular industries like the utility sector, the oil and gas sector, or the transportation sector are shared and other companies know how to protect themselves more effectively. Good intelligence contributes immensely.
Are there any ways that governments could be improving their approach?
The interesting thing about CNI is that it is a mix of both public and privately held organisations. Organisations have substantially improved in their ability to secure the operating systems that make sure CNI runs smoothly, so they’ve made great strides. I think the challenge they face now is to ensure they are using the most modern technologies available to automate the tasks at hand, especially in the face of personnel shortages and expertise shortages.
What sectors do you see being most targeted by cyberattacks?
I believe the utility sector, the oil and gas sector, transportation, and critical manufacturing are all areas where we see companies taking steps to put technologies and programmes in place to minimise the cybersecurity risk.
Why do you think these sectors are being most targeted?
There are several motivations for threat actors, which include nation states motivated by a wide range of factors, from espionage to disruption, and hacktivists who need to make their point. From our experience, most of the issues that exist inside CNI that are discovered through our innovations around giving visibility actually have more to do with misconfigurations or human error that has happened when the systems were set up or maintained, as opposed to actual cyberthreats from the outside. So, it’s not really an attack that creates risks in most cases; it’s actually just the exposures that exist within those operating systems. When you put defences and monitoring in place, you identify those in advance of attacks, which helps you lower your risk.
How are fire drill tests used as a cyberdefence method?
Organisations and governments conduct exercises that pull together the players in a company or in an industry to simulate an attack. They do this sometimes as a public-private collaboration across an industry where they simulate various aspects of an attack – cyber, sometimes physical – and they observe the monitoring that goes on and people simulate what their reactions would be. It’s a great way to speed your ability to respond in the face of an attack.
How is this relevant to CNI?
Because the impact of a breach or an attack on a critical national infrastructure company or system could be so dramatic. We’ve seen that most of the really significant exercises and testing are going on in those sectors because they want to minimise the possible impact of damage.
Is the issue of cyberattacks on CNI taken seriously by governments and companies within the EU?
I think it’s taken extremely seriously both by governments and by private sector companies who operate CNIs, whether that’s power plants, water companies or transportation companies. If you’re an intelligent CIO or an intelligent CISO, your board is asking you if your operations are secure – how are we protecting our power plant, our oil refineries, our water supply and our transportation systems from cyberthreats? That’s the question that’s being asked at the highest level within those organisations and that’s driving action for CISOs to ensure they have both visibility and strong cybersecurity programmes to protect their critical operations.
What immediate action do you think would be best moving forward to secure operations?
You might have a pessimistic attitude when it comes to being able to secure critical national infrastructure. However, many in the industry are now quite optimistic about the ability to secure CNI against attacks due to the advances in technology that allow them to have visibility and situational awareness into these operating systems. This also allows them to mask the assets that need to be protected and to monitor them to identify threats that exist in those environments. Those are the aspects that are really making the difference.
The combination of people and technology is at a point now where it’s time for the industry to take action. They have been improving and now it’s time to make sure you have what you need in place for a robust cybersecurity programme for CNI.