Robust cyberprotection for critical infrastructure – a UK perspective
In Part 1 of this article, we sat down with Deryck Mitchelson, Field CISO at Check Point, a global cybersecurity solution company, to examine how vulnerable critical infrastructure was to cyberattack – particularly in the UK, which has a national health service as an additional target in its overall critical infrastructure attack surface. In Part 2, Deryck outlined some radical first steps towards mitigating the risks to critical infrastructure, including pay equity with cyberprofessionals in the commercial world and even potentially outsourcing critical infrastructure protection to existing expert organizations.
While Deryck was outlining these options, he touched upon how to make cyberprotection genuinely robust for critical infrastructure.
To do any of the things you’ve outlined takes political buy-in, doesn’t it? Are politicians sufficiently aware of the danger?
I think there’s a growing awareness – that’s why we’ve had the NIS (network and information systems) regulations update. But we need to get away from what I call the checkbox compliance place we’ve got to, where politicians potentially think we’re in a better place than we are. We’re not in a good place at all. And checkboxes are not the answer. We need to be doing proper incident response exercises as well, so that we’re more rehearsed when the problem actually hits.
But we’re miles away from that.
This is not something we can fix this year, next year, in three years. We’re talking about stepping back and making sure we’ve got a 10-year plan to deliver maturity, and we can only manage that if we get year-on-year investment, which doesn’t often happen. And CNI tends to need multi-year investment, so it’s difficult to actually deliver things and get the proper traction. But that’s what I would like to see. Consolidated architecture around security is a huge thing at the moment, and not especially within CNI (critical national infrastructure). That’s something that will reduce the vendor landscape and build a strategy around consolidation. A smaller number of suppliers, vendors with managed services, I think that’s a really good starting point.
Do we think CISOs and politicians are taking this danger as seriously as they need to? And if not, how do we get them to?
I would always say no. I absolutely do not think that we’re doing enough. I do not see the joined-up conversations around these issues. I don’t see the investment that we need to get across the entire CNI. I don’t see the sponsorship from that executive level. I think we’re in a better place now than we were. But we need better quality talent in there as well. So we need to attract really good CISOs, and they need to deliver the programs I’m talking about, deliver the strategy. These CISOs need to be sitting at the right level, around the executive table, so that they can actually influence properly.
As far as the impact on healthcare comes from cybersecurity and digital security, we need the CISOs to be having those conversations about strategies and plans. But unless we join things up and start to start to do this holistically, we’re going to continue to see the same types of breaches, outages and vulnerabilities that we’ve seen this year.
So no, I think the CISOs need to massively step up. And it would be really reassuring to see a level of expertise running across all the agencies. We need people that have got many years of delivering these sorts of complex programs. That’s obviously what’s needed. And to do it holistically, rather than at a Scottish level, and an English level, and a Northern Irish level. We need to start joining these conversations up much more than they are today.
That’s where we’re going to start to drive things forward. These conversations need to be so much more joined-up, in spite of devolved powers and responsibilities. Cybercriminals don’t care about devolved powers, they only care about vulnerabilities. So I would say we need more money, better governance, better senior roles, and joined-up conversations – that’s what’s needed.
But no, I still don’t think we’re taking it seriously enough. We will still have several breaches next year, I have no doubt, within CNI. And we’ll still be talking about how we’re further investing and what we’re doing around it, how the regulations are going to be improving upon things, we’ll still be talking about things next year. I want to see us actually doing things.
We’ve said that critical infrastructure is by definition “critical” – it exists at a fast pace, with little time for reflection and strategy. Is it impossible to make strategic progress without the kind of joined-up conversations which will, as you say, cut across current levels of administration?
Is it impossible? No, but it’s the right right way to do it, to join up the dialog. That’s what it comes down to — if it’s the right way to do something, then those who are accountable need to find a way of making it work, with a joint approach. That’s very much what I’m saying. So, you know, we’re very lucky, a lot of money has been invested in the UK in MCSE (Microsoft Certified Systems Engineering). The level of expertise is probably only surpassed by what we see at a federal level in the United States. So that’s the level of what we’ve got running. That’s absolutely great as far as incident response, and as far as some best practices that you can actually deliver are concerned.
What we now need to do be leading underneath that. Underneath MCSE, we have areas that can help with healthcare and areas that can help with utilities. So that’s where we should start to join up the strategy, the conversation, and then we can start to really influence how NCSC (the National Cybersecurity Center) can run some of these services as well.
I don’t see that as working as well as it should do. And I see no reason why we can’t join up conversations that we already joined up in response to Covid. Covid forced the four nations to come together and try to talk about data sharing in terms of how you could access your health records on different services. For example, you could get contact-traced in one country, even though you lived across the border.
I would just like us to continue in the same vein and say that it’s got to be the same way of working over cyberthreats. Why would NHS England want to be doing anything different than NHS Scotland is doing or vice versa? We’re all working for the same goal at the end of the day.
It’s got to start with politicians saying we’re going to do things the right way, once. That we don’t necessarily need three different, national ways of doing things. We need one way that’s applied across the board.
Should there be some new overarching authority specifically to deal with this, and to go into all those different areas where there’s critical infrastructure vulnerability? And if so, how should it work? What should its powers be?
Well, my suspicion is that that’s coming anyway. We’re now in a world where we’re going to see much more regulation. We’ve reached that tipping point where we’re probably going to see more in the way of regulation than we have governance, more than we have compliance. If that’s going to be the ask, then we need to understand where the accountability sits. Where’s that level of executive sponsorship and governance for this?
I’ve been talking about bringing these joined-up strategies, conversations, and dialogs together. They need to come together in “a somewhere.” What that somewhere looks like, I’m not really sure, but I don’t think it would be particularly difficult for the accountable bodies to sit down and agree how this would actually work.
We’ve got various security sources across the United Kingdom that I know they already collaborate on. I just think it’s an extension of that thinking. CNI needs to make sure that it has the right governance and accountability, which starts to drive that through.
There are already ways of determining maturity against compliance – we get an audit score of exactly that when complying with the NIS regulations. That sort of audit score could drive the joined-up strategy, that drives the innovations that need feeding across the whole nation, so that we share learnings, impacts, vulnerabilities, and helping each other across the board.
That definitely isn’t happening right now.
How do we persuade the politicians that it needs to be a thing that happens critically?
It starts with influencing civil servants and politicians. It starts with chief executives wanting to have the conversations with their agencies and their directorates as far as what we’re doing. The reason I’m saying we’re not doing enough is that I suspect cybersecurity budgets are going to be either flat or even cut in the immediate future.
I don’t think we’ll be seeing anything like sufficient investment any time soon. But we’re starting from a very low maturity base, so it needs it. We’re not going to get that level of investment unless we’ve got our top chief executives asking for it.
That means they need to understand themselves what the risk is within their organizations, they need to be able to make a case that we want more nurses, doctors, MRI scanners, we want better lab systems, but we need better digital health as well as better physical health. And all these things need to have a proper, secure by design, digital infrastructure sitting underneath them. If you just invest in the nurses, the doctors, the scanners, you’re suddenly going to find that your systems were vulnerable, and your threat landscape was much bigger than you thought it was. That’s my fear.
I think it will be interesting to see what the investment in security looks like in the short-term future. Whatever it is, that investment has to filter down into the strategy and designs that sit underneath it. That’s what I’d like to start seeing.
But I don’t think we’re going to see that. I think any increased investment will go on wages and pensions and not to underpin our services. We’re going to leave ourselves open. You can have more nurses than you’ve got at the moment, but if they’re not going to be able to access critical services like electronic health records to see what patients’ prescriptions are, if the labs aren’t going to be able to return results, providing healthcare services is going to be very, very difficult. Everything has to be done from the top down in terms of strategy, but deliver from the bottom up.
We’re not in that space. And we need much more investment in cybersecurity than we’ve got.
30 November 2023
29 November 2023
28 November 2023