Protecting critical infrastructure from cybersecurity threat – a UK perspective
In Part 1 of this article, we sat down with Deryck Mitchelson, Field CISO at Check Point, a global cybersecurity solution company, to discuss the potential dangers of being caught unprepared for a cybersecurity threat against critical infrastructure – particularly in the UK, which has a national health service (NHS) as an additional target in its overall critical infrastructure attack surface.
We discovered the reasons why critical infrastructure everywhere – but particularly in the UK – is especially vulnerable to cyberattack. But while we had Deryck in the chair, we asked him what was needed to mitigate the vulnerability of critical infrastructure.
Turns out it’s nothing like as simple as we’d like to hope.
You mentioned that one of the big issues that made critical infrastructure particularly vulnerable was a shortage of cyberskills – and a pay inequity between private companies that can afford to pay for higher skill levels in the free market. So we need to pay and train our cybersecurity experts better within critical infrastructure projects?
Absolutely we do. It takes time to bring in graduates and apprentices and build them up. But it also takes a different way of working to make sure that you’re retaining them as well. Within the industry at the moment, staff are moving around very, very quickly. Senior CISOs are moving around at the fastest rate I’ve ever seen. And whenever the leadership moves, you tend to get that team underneath, the middle management, moving as well. And then the cyber-engineers have got a choice of where they go. And it’s very, very difficult to retain them in critical infrastructure when they can get double the amount of money to go and work outside the critical national infrastructure. That’s definitely part of the problem.
Skills, salaries, and outsourced resources?
So is there some sort of leveling up possible as far as the salaries are concerned?
Potentially, because we’re at the tipping point of admitting that the salaries are too high elsewhere. I speak to peers and they tell me about bringing in penetration testers, engineers working on vulnerability management, and the salaries some of them are talking about are ridiculously high. You know, it’s a few years’ experience and they are talking about near six-figure salaries. That’s what I’m talking about in the industry, and that’s not sustainable.
We need to be doing things in a different way. Do we need to look at more managed services potentially, to deal with skill shortages? Should we look to (for example), the Check Points of the world and say rather than just providing services, can you manage the services, and do the monitoring, and do the threat hunting, and do the incident response as well? Then you could at least apply that as a standard across most of the agencies. I think we are getting to that point where health boards are saying perhaps we’re never going to have these capable teams to run things in-house, and you know, we maybe need to step back and say, concentrate on the strategy, concentrate on the performance, but perhaps outsourcing might be an answer to some of that challenge.
It’s not as though the NHS doesn’t already do a lot of outsourcing. It’s an understood model, even within what is fundamentally a socialized healthcare system. So you could make the argument, why not outsource vulnerability-mitigation to existing experts, at least for the time it takes to bring in and train those graduates and apprentices you mentioned?
It certainly does work with a lot of outsourced suppliers. I think security is one thing that needs to be done in a different way. The thing is, Scotland has 22 health boards. I’m not sure how many trusts there are in England and Wales [There are 42 in England, and 7 in Wales].
But we’re at that point of saying we need to be outsourcing to a small number of organizations that can run standards across healthcare. And then we need to do the same across utilities as well. There’s no doubt that needs to be done in exactly the same way. Energy companies that are maybe cash rich at the moment with the geopolitical environment, perhaps that’s slightly different for them. They’re in a different space, probably, from the rest of the CNI (critical national infrastructure), but outsourcing I see coming back and being more and more important. No doubt about it.
Internet of Threats?
You mentioned IoT (internet of things) devices as potential vulnerability points. There are more than twice as many IoT devices in the world right now as there are human beings, and the number’s just going to keep growing. Are we potentially just increasing our vulnerability, the more we connect to what are potentially poorly secured devices?
There’s no doubt about that. It’s not potential, we are absolutely increasing that vulnerability landscape. No doubt about it at all. These devices are now everywhere within CNI. And what’s worrying for me is that a lot of these devices come in through business channels, rather than coming in through digital security channels. Now what I mean by that is that they are not necessarily assessed for security by design. They’re not necessarily plumbed in properly into segmented parts of the network. And they’re not necessarily then run or owned or managed as part of the service that the digital security teams run as well.
There are a lot of these devices, and there’s very little standardization around them. So a lot of them are running legacy operating systems, and they’re not getting patched. They’re not getting scanned; we don’t even really know what the devices are in many ways. They’re not sitting on our CMDB (configuration management database), so we don’t understand the impact if they go down, or if they stay up. And in many ways, because we’re not scanning them, we don’t actually know whether they’ve been compromised or not.
So it’s a very, very dangerous landscape we’re in with IoT. I get it — like everyone else, I enjoy bringing IoT into my environment and running it. I think there are huge benefits to having IoT within healthcare, but we need to remember as well that a huge part of our CNI is made up of flat networks. We are not dealing with mature organizations that have got segmentation everywhere.
When you start having flat networks and you’re talking about healthcare, you’re looking at flat networks that 90% of the public have access to — you can walk into a healthcare setting, nobody challenges you, you can walk around and you won’t be challenged, because that’s what they’re there for – you can find network ports, and depending on how they’ve actually been configured, you can potentially stick an IoT device on these networks. And my heavy suspicion is that you can plug these in, and in some cases, they will absolutely get an IP address, and they will start to do things that you wouldn’t want them to do.
So I think we’re wide open as far as IoT is concerned. No doubt about it.
The big solution.
That begs the big question. How do we protect and secure the critical infrastructure that we have?
We need to be doing much more around a security strategy and planning. That’s the first thing I would say. If we continue to firefight to try and strengthen our security, we’re going to make short-term gains, but we need to be stepping back and doing things in a different way.
For example, before I left the NHS in Scotland, I created a business case for a center of excellence for Scotland for healthcare, whereby we would look to set up a single organization to take responsibility for security. And not just security, that would include standards for policies and processes, so that we can really start to understand the level of maturity of posture across the NHS in Scotland. Because if you get one weak NHS board, they’re all joined up, they’re all interconnected, so that immediately becomes your weak point. It’s not the boards that have the biggest amount of money and the biggest teams.
We need to step back and understand how we can do this fewer times by actually creating a strategy, where security by design is the way we work. Now, I absolutely get it, that in critical national infrastructure, the term “critical” itself says that all the staff will not have time to step back and actually say “Well, here’s something that’s come in, should I click on it? Should I not click on it? And in a medical setting, I go into the system to access patient records, but where am I actually going? What am I clicking on, what am I doing?” You work differently in CNI than you do within any other part of life in the UK, or in any other part of the world, to be honest. Staffing, education, culture, that’s definitely part of it. But we need to get that strategy right, we need to reduce the number of vendors in the landscape, but also reduce the reliance on some elements of the supply chain that aren’t doing a very good job. That means that we can actually reduce the number of compromises and breaches that we’ve got.
We need to push forward with that digital agenda, because that means we can have a much smaller enterprise to manage. We can get rid of our mainframes and get rid of some of the duplication and systems. But again, we need to do that by design. Stepping back and looking at the strategy, getting the right level of investment, joining the systems up and understanding how we can manage things properly, would give us much more return on investment, because we could actually start to bring teams together, start to bring investment pots together, start to bring governance together.
In Part 3 of this article, we’ll complete the picture of how critical infrastructure could be adequately protected from the potential of cyberattack.