By Alex Campbell, Associate Partner, Advisory Centre – Cybersecurity, EMEIA, EY
The National Cyber Security Centre’s 2018 annual review revealed that it had stopped almost 1,200 attacks on Britain in the previous two years and is fighting off about 10 attacks every week.
Meanwhile, ongoing threats of cyber reprisal saw GCHQ, the UK’s largest intelligence agency, join forces with the FBI and US Homeland Security to warn that attacks against critical infrastructure are likely to continue. It seems almost inevitable that Britain will be hit by the most serious category of cyber emergency in the near future.
The new normal
In light of these threats, we have to accept that cyber-attacks targeting our critical infrastructure are the new normal. Furthermore, it’s getting harder to predict the goals and techniques of our opponents.
We’ve seen an increase in sophisticated cyber-attacks that use multiple attack vectors, typically combining social engineering with malware that exploits previously unknown (‘zero-day’) vulnerabilities.
Once attackers have a foothold in an organisation, they can remain entrenched for months. They exploit weaknesses such as unpatched servers or default passwords with a view to escalating their privileges, and then move laterally – often from the IT environment into the operational technology (OT) environment where the critical infrastructure itself resides. What works to the attackers’ advantage is that many of these OT systems run on legacy technologies with insufficient hardening, while at the same time being exposed to ever more connectivity for remote administration and maintenance.
Another attack vector we’ve witnessed is the compromise of industrial control system vendors, which gives attackers a further route into an organisation through updates and patches that appear legitimate because they arrive from a trusted source.
The risk thresholds
While we may need to accept that it is impossible to remove the risks altogether, we can identify attacks early, minimise their impact and respond to them in a coordinated manner.
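The attack chain described above (an IT foothold, abuse of default credentials, then lateral movement into the OT environment over remote-administration protocols) is exactly the kind of activity that can be identified early if IT/OT boundary and authentication logs are watched together. The following is an added example written for this article, not code from the author, EY or any product it mentions: it runs simple detection logic over a few constructed log lines. The IT and OT address ranges, the log format, the list of admin ports and the set of default account names are all assumptions chosen for illustration.

```python
import ipaddress

# Assumed network layout for the example (not from the article).
IT_NET = ipaddress.ip_network("10.10.0.0/16")      # corporate IT range
OT_NET = ipaddress.ip_network("192.168.50.0/24")   # OT / ICS range
# Remote-administration and control services that should rarely be reached from IT.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 502: "modbus"}
# Vendor/default account names that should never be used interactively on OT hosts.
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "service"}

# Constructed sample log lines (invented for this example). Format:
#   <timestamp> conn src=<ip> dst=<ip> dport=<port> action=<allow|deny>
#   <timestamp> auth host=<ip> user=<name> result=<success|failure> src=<ip>
SAMPLE_LOG = """\
2018-11-02T08:01:10Z conn src=10.10.4.21 dst=10.10.8.5 dport=445 action=allow
2018-11-02T08:02:42Z conn src=10.10.4.21 dst=192.168.50.12 dport=3389 action=allow
2018-11-02T08:02:44Z auth host=192.168.50.12 user=admin result=success src=10.10.4.21
2018-11-02T08:03:01Z conn src=192.168.50.3 dst=192.168.50.12 dport=502 action=allow
2018-11-02T08:05:19Z conn src=10.10.4.21 dst=192.168.50.15 dport=22 action=allow
2018-11-02T08:05:21Z auth host=192.168.50.15 user=jsmith result=failure src=10.10.4.21
"""


def parse_line(line):
    """Turn one 'ts kind key=value ...' line into a dict."""
    ts, kind, *fields = line.split()
    rec = {"ts": ts, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_it_to_ot(log_text):
    """Flag IT-to-OT admin-protocol crossings and default-account logins on OT hosts.

    A default-account login on an OT host that was just reached from the same IT
    source over an admin protocol is raised to high severity, because together the
    two events look like the lateral movement the article describes.
    """
    findings = []
    admin_crossings = {}  # IT source ip -> set of OT hosts it reached on admin ports
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["kind"] == "conn" and rec.get("action") == "allow":
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            port = int(rec["dport"])
            if src in IT_NET and dst in OT_NET and port in ADMIN_PORTS:
                admin_crossings.setdefault(rec["src"], set()).add(rec["dst"])
                findings.append({
                    "ts": rec["ts"], "severity": "medium", "rule": "it_to_ot_admin",
                    "src": rec["src"], "dst": rec["dst"], "service": ADMIN_PORTS[port],
                })
        elif rec["kind"] == "auth" and rec.get("result") == "success":
            host = ipaddress.ip_address(rec["host"])
            if host in OT_NET and rec["user"] in DEFAULT_ACCOUNTS:
                crossed = rec["host"] in admin_crossings.get(rec.get("src", ""), set())
                findings.append({
                    "ts": rec["ts"],
                    "severity": "high" if crossed else "medium",
                    "rule": "ot_default_account_after_it_crossing" if crossed
                            else "ot_default_account_login",
                    "src": rec.get("src"), "dst": rec["host"], "service": rec["user"],
                })
    return findings


if __name__ == "__main__":
    for f in detect_it_to_ot(SAMPLE_LOG):
        print(f"{f['ts']} [{f['severity']}] {f['rule']} {f['src']} -> {f['dst']} ({f['service']})")
```

On the sample above the RDP and SSH crossings from the IT host are reported on their own, and the successful `admin` login on the OT host immediately after the RDP crossing is escalated to high severity; the OT-internal Modbus traffic and the failed login are ignored. In a real deployment the address ranges would come from an asset inventory (the ‘identify your critical assets’ step below) and the thresholds from an agreed baseline of which IT hosts are permitted to administer OT equipment at all.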
Organisations must also get better at identifying their critical assets and developing threat scenarios to understand, from an attacker’s point of view, how these assets can potentially be compromised.
Furthermore, organisations should consider running exercises and drills together with their vendors, suppliers and other third parties, so that when an attack does get through they are as well rehearsed as possible to respond to it.
The regulations to combat the threats – are they working?
The Networks and Information Systems (NIS) Directive helps organisations operating essential services establish a baseline for combatting cybersecurity threats.
The main emphasis of NIS is on identifying cybersecurity risks and working out how to mitigate them. It does not, however, tell organisations which specific controls to implement, because NIS is based on security principles rather than prescriptive rules. This has left many organisations still unclear about their roles and responsibilities.
Steps to your NIS journey and improved cybersecurity
The first step is to identify your critical assets. Do you know what these are and where they are located? Governments have set sector-based thresholds for determining what is deemed an ‘essential service’, although these vary across European countries.
For operators of essential services, NIS introduces a common approach through four security objectives:
- Objective A: Managing security risk
- Objective B: Protecting against cyber-attacks
- Objective C: Detecting cybersecurity events
- Objective D: Minimising the impact of cybersecurity incidents
Each objective is supported by a number of principles, but the onus is on the operator of the essential service to select appropriate mitigating controls for the risks it has identified.
In doing so, organisations should consider aligning any cybersecurity initiative to wider business objectives and benefits. It’s not only about achieving compliance, but also demonstrating the value of cybersecurity to the business.
Current cybersecurity metrics are often technical and difficult for the business to understand. By translating these into business language and articulating the benefits an enhanced cybersecurity posture brings to the organisation over and above compliance, more people across the business are likely to get behind it.
The future outlook
In the short term, for organisations that already have ongoing cybersecurity programmes in place, their main focus will be on re-aligning those initiatives to NIS to demonstrate compliance to the relevant government authority.
For others, NIS is a good reason to rethink how they view cyber risks overall.
It’s too early to tell whether European governments will eventually move towards the US model of more prescriptive cybersecurity requirements backed by a stricter enforcement regime, such as NERC CIP (North American Electric Reliability Corporation – Critical Infrastructure Protection).
One thing that’s certain is the need for more collaboration between government and industry in dealing with major and potentially crippling cyber incidents.
This is where NIS can play a key role in reinforcing the importance of sharing and reporting information for the wider benefit of all operators. Governments also have their part to play, but a clear separation between their ‘advisor’ and ‘compliance’ responsibilities is required to make this happen.
The National Cyber Security Centres that have emerged over the last few years across European countries can take the lead in facilitating this collaboration and promoting meaningful dialogue without fear of regulatory consequences.
Protection of critical infrastructure from cyber-attacks is one of the challenges of our time and although we cannot avoid a major incident, by increasing collaboration between government and industry we can help minimise its impact.
Contact: Alex Campbell