Defending critical national infrastructure... hmm. Does Zoom count as critical now?

All the old lines are getting pretty darn blurred, say security experts at Euro online confab


Infosec Europe: Does your IT security model take into account things like pacemakers? According to Dr Victoria Baines, speaking at Infosec Europe, "we also perhaps neglect the idea that critical infrastructure might be inside people" as well as merely carried in their pockets.

Raising a thought-provoking talking point during a webinar, Baines invited listeners to think about a person with a pacemaker who leaves a hospital. She said "the traditional approach to infosec is that you protect things within your perimeter" while raising the question: What about items you may be responsible for that leave your perimeter in non-traditional ways?

Baines was speaking during a panel webinar about protecting critical national infrastructure (CNI). She was joined by Airbus CIO Dr Kevin Jones, who opined that cyber-attacks on CNI were much harder for common-or-garden cyber criminals than trying to compromise anything else.

"You really have to have a lot of intelligence in the data centre about the [CNI] system you're trying to hit. You can't just connect up a standard IT pentest toolkit; you need to define something from the beginning," he said. "When it comes to traditional CNI, you're defending against those threats and risks."

He pointed out how the whole continent is largely dependent on remote connectivity suites and access methods, saying that the definition of "critical" national infrastructure is no longer as clear as it once was.

"How do we protect those from commodity cyber attacks, even DDoSes against specific companies? There is, of course, the challenge that it's quite clear for CNI that they are CNI. It's very clear in law, there's things like the various regulations around those topics. Especially the NIS regulations from Europe. They are built with that resilience and redundancy and impact mindset in mind. It's far harder to see from emerging IT infrastructures what we want to protect there."

Ledum Maeba, head of Avanti's infosec division, concurred, adding: "No matter the technology you have in place, to fight attacks – cyber attacks, if there's no national commitment and support it's very difficult."

The National Cyber Security Centre's Paul Chichester also agreed, adding his view from the UK government CNI protection perspective:

"Operational resilience is really at the heart of what organisations need to care about. But that has quite profound organisational challenges, where we look at the cybersecurity function. For me I think this is not a tech problem for the organisation, it's an operational one. I think understanding that and realising that how you manage that risk is an operational challenge for an organisation. And it affects everything. That's still something I think we've got wrong."

Chichester added: "I don't think we've really understood at an organisational level very often the importance of tech to our operations… the pace of this environment changes so quickly that we end up getting left flat-footed."

What is simple commercial tech today could well become CNI tomorrow – even if you, the operator or customer, don't realise it. ®


