Defending critical national infrastructure... hmm. Does Zoom count as critical now?
All the old lines are getting pretty darn blurred, say security experts at Euro online confab
Infosec Europe Does your IT security model take into account things like pacemakers? According to Dr Victoria Baines, speaking at Infosec Europe, "we also perhaps neglect the idea that critical infrastructure might be inside people" as well as merely carried in their pockets.
Raising a thought-provoking talking point during a webinar, Baines invited listeners to think about a person with a pacemaker who leaves a hospital. She said "the traditional approach to infosec is that you protect things within your perimeter" while raising the question: What about items you may be responsible for that leave your perimeter in non-traditional ways?
Baines was speaking during a panel webinar about protecting critical national infrastructure (CNI). She was joined by Airbus CIO Dr Kevin Jones, who opined that cyber-attacks on CNI were much harder for common-or-garden cyber criminals than trying to compromise anything else.
"You really have to have a lot of intelligence in the data centre about the [CNI] system you're trying to hit. You can't just connect up a standard IT pentest toolkit; you need to define something from the beginning," he said. "When it comes to traditional CNI, you're defending against those threats and risks."
He pointed out how the whole continent is largely dependent on remote connectivity suites and access methods, saying that the definition of "critical" national infrastructure is no longer as clear as it once was.
"How do we protect those from commodity cyber attacks, even DDoSes against specific companies? There is, of course, the challenge that it's quite clear for CNI that they are CNI. It's very clear in law, there's things like the various regulations around those topics. Especially the NIS regulations from Europe. They are built with that resilience and redundancy and impact mindset in mind. It's far harder to see from emerging IT infrastructures what we want to protect there."
Ledum Maeba, head of Avanti's infosec division concurred, adding: "No matter the technology you have in place, to fight attacks – cyber attacks, if there's no national commitment and support it's very difficult."
The National Cyber Security Centre's Paul Chichester also agreed, adding his view from the UK government CNI protection perspective.
Operational resilience is really at the heart of what organisations need to care about. But that has quite profound organisational challenges, where we look at the cybersecurity function. For me I think this is not a tech problem for the organisation, it's an operational one. I think understanding that and realising that how you manage that risk is an operational challenge for an organisation. And it affects everything. That's still something I think we've got wrong.
Chichester added: "I don't think we've really understood at an organisational level very often the importance of tech to our operations… the pace of this environment changes so quickly that we end up getting left flat-footed."
What is simple commercial tech today could well become CNI tomorrow – even if you, the operator or customer, don't realise it. ®