//////////////////////////////////////////////////////////////////////////
IT’S TIME TO MAKE SURE YOU HAVE
WHAT YOU NEED IN PLACE FOR A
ROBUST CYBERSECURITY PROGRAMME
FOR CNI.
What are the cyber-risks that are
unique to CNI and how does the
cyberskills shortage exacerbate the
problem? How does this have an
impact on Europe?
The risks to CNI are very much related to
the exposure of the operating systems
that control them. So, in most CNI sectors,
the systems that are critical are operating
systems that manage the power or
keep the water systems clean or run the
transportation systems, however the risks to
these systems are unique and unlike those
targeting traditional IT environments.
These risks require special skills and special
technologies in order to address them.
Traditionally, 10-20 years ago, many of
these systems were not connected to the
Internet, they were isolated, but that’s
not true anymore. As these systems have
become modernised and as their operations
have become more connected, new risks
have been introduced.
However, these risks can fortunately be
mitigated. There’s a lot of good news
around securing CNI now that didn’t
exist five years ago and there’s a lot of
innovation that’s gone on in order to help
manage the skills shortage. This is as much
a human problem as it is a technology
problem. I think everyone feels certain that
the shortage of cybersecurity personnel
is an issue that exposes CNI because
expertise is limited and in short supply.
From our perspective, one of the best ways
to solve that problem is through training
and education and giving an incentive for
individuals to go into this profession.
The other important aspect is that this
problem will have to be solved using
technology – for instance, Machine
www.intelligentcio.com
Learning and automation to carry out tasks
of identifying the risks that exist in CNI and
OT environments.
You really must do three things to ensure you
have cybersecurity within your operation,
especially at the CNI operational level. That
is; to know what you have in your network –
you cannot protect what you don’t know you
have. Gaining visibility into these networks
has traditionally been an extremely difficult
challenge and fortunately, technology now
makes that possible through automated
asset discovery. We have customers who,
when they use technology for the first
time, automate discovery – it’s like they
were blind and now they can see. So, the
first step is to have visibility into what the
network looks like so that you can monitor
it. The second step is to be monitoring it for
unusual behaviour or for known malware
that exists. The third step is to make sure
that you have programmes and plans in
place to take action and to quickly mitigate
risks that you’ve discovered through that
monitoring. This is a place where testing and
exercises can really help so that humans can
learn to react quickly and efficiently when
incidents are simulated. The exercises help
incident responders know how to digest the
FEATURE: CYBERSECURITY
information they receive about risks and take
action quickly.
How are governments in Europe
approaching this issue of operational
cybersecurity and CNI?
I think they’re tackling CNI and
cybersecurity in many ways. In the EU, there
is a regulation that has come into place –
NIS – in other countries there are voluntary
regulations, in the US there is NIST. All of
these have critical elements that are required
for CNI cybersecurity that range from some
of the things that I mentioned around
network mapping, monitoring, incident
response and awareness training.
Governments are therefore taking a wide-
range of approaches, they’re also collecting
intelligence and sharing that intelligence
confidentially inside of industries so that
risks targeting particular industries like the
utility sector, the oil and gas sector, or the
transportation sector, are shared so other
companies know how to protect themselves
more effectively. Good intelligence
contributes immensely.
Are there any ways that governments
could be improving their approach?
The interesting thing about CNI is that
it is a mix of both public and privately
held organisations. Organisations have
substantially improved in their ability to
secure the operating systems that make sure
CNI runs smoothly, so they’ve made great
strides. I think the challenge they face now
is to ensure they are using the most modern
technologies available to automate the tasks
at hand, especially in the face of personnel
shortages and expertise shortages.
THERE’S A LOT OF GOOD NEWS
AROUND SECURING CNI NOW THAT
DIDN’T EXIST FIVE YEARS AGO AND
THERE’S A LOT OF INNOVATION THAT’S
GONE ON IN ORDER TO HELP MANAGE
THE SKILLS SHORTAGE.
INTELLIGENTCIO
61