By Alex Campbell – Associate Partner, EMEIA Advisory Centre, Cybersecurity, EY
Regulations like the Network Information System (NIS) directive are helping critical national infrastructure (CNI) firms reinforce their obligations, but it isn’t always clear how best to allocate spending to meet these regulations and evolving threats. These are some of the issues debated with senior business leaders at the FT’s Managing Cyber Risk in Critical Infrastructure conference.
Here, I’ll be outlining key discussion points from my panel on security spending for CNI firms in a changing regulatory and threat landscape.
Changing regulatory environment
What happens when a national healthcare system is disabled by a hacktivist group? Or when millions of smart meters due to enter UK homes by 2020 are hit with a cyber-attack?
To minimise such risks, the Network Information Systems (NIS) Directive that came into effect earlier this year will force the UK’s most critical industries to boost their cybersecurity or face hefty fines of up to £17mn.
It ensures UK operators in electricity, water, energy, transport, health and digital infrastructure are prepared to deal with the increasing number of cyber threats, power outages, hardware failures and environmental hazards.
Spending trends amidst growing threats
CNI firms have experienced dramatic change over the years. The energy sector, for example, has transformed from one relying mainly on key facilities secured behind physical infrastructure to one of the most interconnected, with endpoints across homes and businesses around the country.
Spending is increasingly focused on smart grids for electricity, gas and water, with the use of digital data to react to fluctuations in usage and demand.
Within homes, internet of things (IoT) devices and apps, which allow users to control their power and utility consumption, are also expected to multiply, as is the risk of these devices being held to ransom.
Gartner forecasts that worldwide spending on IoT security, to protect against the threat of IoT-based attacks, will reach $3.1bn in 2021, with more demand for tools and services aimed at improving discovery and asset management, software and hardware security, and penetration testing.
Yet perhaps the most crucial investment for CNI firms in meeting evolving threats, and one agreed on by industry delegates, will be in security by design. When security is built into all new devices as standard, there will be less need to budget for it separately.
Investing in prevention vs detection
Each sector has its own culture, risk appetite and level of security spending.
Given that CNI firms offer services that are essential to every aspect of society, there was an agreed responsibility across the room to be a step ahead.
However, across most of our CNI clients, security investments continue to be focused on preventative tools, and not enough on detection.
The key is finding the right balance given the sector’s risk profile. With the NIS directive requiring both the proactive monitoring and the reporting of security breaches, a rebalancing exercise that emphasises early detection and response capabilities will provide the sector with a much-needed, robust and compliant approach.
Investing in old vs new systems
CNI often runs on legacy IT systems, so it’s important to consider whether security investments demand system overhauls or whether existing systems can be bolstered to work harder.
The NIS directive provides the opportunity for CNI firms to take a closer look at systems already in place. Changes are not always easy to make as availability is key, so firms must take this opportunity to identify areas to modify, consolidate, or fill in the gaps, to ensure systems reliably preserve the integrity of CNI assets without putting valuable data at risk.
Investing across the supply chain
Securing the supply chain is one of the most significant challenges facing CNI firms. The National Cyber Security Centre provided a guide of 12 principles to improve supply chain security awareness, but that doesn’t fully cover the needs of firms with national security requirements. More is still needed, for example, to help CNI firms make more informed investment decisions on vendor security.
Under the NIS directive, CNI operators need to report security breaches across their ecosystem. Therefore, investing in reviewing, strengthening or replacing the weakest link in their supply chain will help CNI firms secure their place as part of a secure national network.
Spending according to sector benchmarks
As my panel drew to a close, I was asked: “How much of their overall budgets should CNI firms be spending on security? Should certain sectors be increasing their spend amidst new regulations and threats to match others across their industry?” The simple answer is: “It all depends”.
Benchmarking security spend across a sector can provide useful guidance, but it must account for the maturity of the CNI companies being benchmarked against.
A company that invested considerably in security improvement a few years ago may see overall spend decrease as certain processes mature and efficiencies are realised (e.g. through centralisation of monitoring, identity provisioning, automation etc.). Therefore, a company’s security spend should be benchmarked against CNI companies in a similar place in terms of technology maturity, investment cycle and business transformation.
Furthermore, different CNI companies have different risk appetites and tolerance levels, even if they are in the same industry.
As cyber resilience continues to be a major concern, particularly for companies that make up critical national infrastructure, collaborating across industry by sharing investment and security strategies is vital in helping us move towards a better functioning and better protected society.