When the Colonial Pipeline fell victim to a ransomware attack on May 7, the pipeline was shut down. A state of emergency followed, and fuel shortages meant panic buying, flight disruptions and spiking gas prices. It was an insight into the type of disruption that occurs when cybersecurity systems fail to protect national infrastructure. When SolarWinds fell victim to hackers, the attackers were able to access the systems of numerous clients, including the Department of Homeland Security.
Could the same thing happen in Europe? We asked several leading technology leaders from across the region to put forward their perspective on whether Europe’s cybersecurity is up to the job.
Security is sometimes deprioritised when budgets are scarce
Adam Enterkin, SVP at BlackBerry
It doesn’t matter whether you’re securing a gas pipeline or life-saving medical devices: securing critical embedded systems presents unique and complex cybersecurity challenges. The reality is that government and private sector organisations are more often investing in IT to drive greater levels of convenience, which means that security is sometimes addressed in a siloed fashion and deprioritised during times where budgets are scarce.
On top of this, cybersecurity attacks have ramped up in volume and ferocity since the COVID-19 pandemic began a year ago. The recent Colonial Pipeline attack should serve as an important wake-up call for all those who have a role to play in securing critical embedded systems that these days threat actors will stop at nothing to cause harm, sometimes regardless of whether there is a financial gain to be had.
There are several traditional steps that governments and the private sector can take to secure our infrastructure. First comes safety standardisation. The message of the UK’s Integrated Defence Review earlier this year was that data and a regulatory standard will be pivotal to a comprehensive cyber strategy that is able to sufficiently detect, disrupt and deter these adversaries. Establishing security standards and safe software development principles, exercising zero trust across entire systems and ensuring that every security protocol is implemented and enforced to avoid any blind spots in perimeter defences, should be an integral part of the UK’s new cyber strategy.
Secondly, and most crucially, we must take a proactive prevention-based security posture to cybersecurity. A few years ago, this approach was more an aspiration than a reality. The endpoint security tools of the day relied on signature hash matching and heuristics to detect malware, and then on creating a tailored security control for every type of attack. However, with more than 350,000 new malware variants released into the wild every day, this traditional defence-in-depth approach to cybersecurity is no longer viable.
Now, organisations need endpoint defences that stop attacks automatically so that security teams can focus on business continuity, digital transformation, and resilience-building projects. That means adopting a proactive unified endpoint security (UES) strategy based on AI, ML, and automation. Having the capability to stop malware at the exploitation stage means organisations can increase their resilience, reduce infrastructure complexity, and streamline security management.
There can no longer be any question about what constitutes a responsible approach to cyber defence. Organisations must lead with a prevention-first approach.
We are utterly reliant on technology for day-to-day life
Gareth Williams, Vice President – Secure Communications & Information Systems, Thales UK
As organisations move towards greater automation, bringing systems online as part of digital transformation projects, there is unprecedented opportunity for success, particularly in terms of efficiency. However, whilst there are benefits there are also dangers, and the ransomware attacks on the Irish Health Service and Colonial Pipeline are a timely reminder of how utterly reliant we are on technology for day-to-day life, whether we are in the US or Europe. Businesses should not forget that greater connectivity is not without risk, and, as we have seen, anything that is put online can very quickly become a target for hackers.
Hackers have long sought access to network systems and the valuable data they hold, as was the case with the attack in Ireland. However, as critical national infrastructure increasingly embraces digitalisation, it is becoming a potential goldmine for hackers. As systems not designed to be connected are brought online as part of wider operational technology (OT) strategies, attacks on critical infrastructure will become increasingly common and severe. Bringing down a pipeline or power plant can be disruptive from an operational and economic perspective, but it can also cost lives. IT and OT attacks are not mutually exclusive, and success in accessing one type of technology can lead to the other being compromised.
Organisations which have both OT and IT systems, therefore, cannot just rely on traditional cybersecurity strategies developed for data-centric IT systems to protect OT. Nor can they depend on perimeter security measures like firewalls to prevent unwanted access to their networks. Instead, it is vital that they approach them through a dual strategy.
This means understanding what is connected, who has access to data, and what else might be at risk, should that system be compromised. Once those factors are established, businesses can secure access through protocols like access management and fail safe systems. Combining multi-factor authentication with data protection methods such as encryption will ensure that businesses are not perceived as an easy target and will help them avoid becoming the next victim.
Chris Powell, Head of Cyberlabs at technology consultancy 6point6
Ultimately, we do not know the motives or capabilities of potential attackers until we are pushed to the brink of hostilities, as our critical infrastructure will be the main target. In its current state, Europe’s cybersecurity is unable to protect critical infrastructure, but this isn’t the be all and end all it sounds like.
The recent attack against SolarWinds is a prime example of the problem. The solution, however, is to protect our supply chains through trusted procurements, then regularly enforcing checks, double-checks and triple-checks on the hardware and software. This includes the providers themselves, their networks and even their employees. If there’s even a single weakness in this chain then, inevitably, someone will exploit it. It’s our goal and responsibility to identify threats and risks prior to breach.
Cybersecurity businesses need to educate their customers on what cybersecurity actually protects. Of course, it’s a very varied industry, with some things that are easier to protect, such as cloud technology, server infrastructure and end-user devices, and things that are difficult to protect, such as human error and industrial products.
Realistically, most companies that are victims of a security breach are due to human error or password exploits and not malicious cybersecurity attacks. Cyber criminals are very aware of the defences that companies put in place to protect their stored and shared data.
Until we build cybersecurity into the sales price of our goods and services, there will be problems around protecting our critical infrastructure. We have to work to defend the organisations that are building the physical equipment and developing the software. This of course comes at a cost and everything really boils down to how much a business is willing to pay for the tech and power behind a cyber defence system.
The once clear definition of critical infrastructure will blur
Quentyn Taylor, director of information security for Canon Europe
In the past, critical infrastructure was easy to define, and easier to protect. It was operational technology (OT) such as water supplies, telecommunications, oil pipelines, and major transport links like roads and railways. However, OT was historically not connected to the internet. This meant it wasn’t exposed to outside threats. As businesses dialled up investment in digital transformation initiatives, OT and information technology (IT) networks met, leading to complex OT/IT security networks that require the highest level of security as critical infrastructure came online.
In the last ten years or so we’ve seen a significant shift. Today critical infrastructure has evolved. It is not only OT; it encompasses everything that has inserted itself into processes that are now considered critical. For example, Facebook might not be deemed critical in itself, but it can act as the gateway to you confirming your flight. Similarly, WhatsApp video calls have this year provided people a way to interact remotely and bring people face-to-face, so to speak, connecting people to their colleagues, families or to services – like remote healthcare – that are necessary for a country to function.
To accommodate the shift we’re making to hybrid working, digital technologies that enable people to collaborate easily will be vital, helping to meet the needs of employees and maintain operational efficiencies. Many companies will have WhatsApp set up as their backup mode of communication should the first go down. If this were to fail too, companies could be left with no way to communicate and business could grind to a halt.
What’s considered as critical infrastructure today reflects the current needs of Europe, from home working to remote business operations. Europe’s cybersecurity needs to be up to the job and offer protection against potential risks. Core critical OT infrastructure might remain secure so far, but as our dependence on IT and digital technologies continues to grow, the once clear definition of critical infrastructure will start to blur, and Europe’s cybersecurity solutions will need to refocus to offer protection.