Protecting the UK’s critical infrastructure from cyber attacks | Daily News Byte


In the first part of this article, we sat down with Derrick Mitchelson, Field CISO at Check Point, a global cybersecurity solutions company, to discuss the potential dangers of being caught off guard by a cybersecurity threat against critical infrastructure—especially in Britain, which has the National Health Service (NHS) as an additional target in the overall critical infrastructure attack surface.

We’ve uncovered the reasons why critical infrastructure everywhere – but especially in the UK – is particularly vulnerable to cyber attacks. But while we had Derrick at the helm, we asked him what it would take to mitigate the vulnerability of critical infrastructure.

Turns out it’s not as simple as we’d like to hope.


You mentioned that one of the big problems that made critical infrastructure particularly vulnerable was the lack of cyber skills – and the wage disparity between private companies that could afford to pay for higher skill levels on the open market. So we need to pay and train our cyber security experts better within critical infrastructure projects?


We absolutely do. It takes time to bring in graduates and interns and build them up. But it also takes a different way of working to make sure you keep them too. Within the industry at the moment, staff are moving very, very quickly. Senior CISOs are moving at the fastest speed I’ve ever seen. And whenever leadership moves, you tend to bring that team down, middle management, as well. And then the cyber-engineers have a choice of where to go. And it’s very, very hard to keep them in critical infrastructure when they can get twice as much money to work outside of critical national infrastructure. That’s definitely part of the problem.

Skills, salaries and outsourcing?

So, is there some sort of leveling as far as wages go? Potentially, because we are at a tipping point to admit that wages are too high elsewhere. I’m talking to colleagues and they’re talking about bringing in penetration testers, vulnerability management engineers, and the salaries some of them are talking about are ridiculously high. You know, that’s a few years of experience and they’re talking about almost six-figure salaries. That’s what I’m talking about in the industry without it being sustainable.

We have to do things in a different way. Should we consider potentially more managed services to tackle the skills shortage? Should we look at (for example) world checkpoints and say instead of just providing services, can you manage services, and perform monitoring, and hunt threats, and the response to the incident? Then you could at least implement it as a standard in most agencies. I think we’re getting to the point where health boards are saying we might never have these capable teams running things in-house, and you know, maybe we need to step back and say, concentrate on strategy, concentrate on performance, but maybe outsource sources could be the answer to some of these challenges.


It’s not as if the NHS doesn’t do a lot of outsourcing already. It’s an understandable model, even within what is essentially a socialized health care system. So you could make the argument, why not hire existing vulnerability mitigation experts, at least for the time it takes to bring in and train those graduates and interns you mentioned?


It certainly works with many external suppliers. I think security is one thing that needs to be done differently. The thing is, Scotland has 22 health boards. I am not sure how many trusts there are in England and Wales [There are 42 in England, and 7 in Wales].

But we are at the point where we say we have to hire a small number of organizations that can implement standards in healthcare. And then we need to do the same for other utilities. There is no doubt that it should be done in exactly the same way. Energy companies that may be cash-rich at the moment in the geopolitical environment, maybe it’s a little different for them. They’re in a different space, probably, than the rest of the CNI (critical national infrastructure), but I see outsourcing coming back and becoming more important. There is no doubt about it.

Internet threats?


You mentioned IoT (Internet of Things) devices as potential points of vulnerability. Currently, there are more than twice as many IoT devices in the world as there are human beings, and the number will only grow. Are we potentially only increasing our vulnerability the more we connect to potentially poorly secured devices?


There is no doubt about that. It’s not potential, we are absolutely increasing that landscape of vulnerability. There is no doubt about it. These devices are now everywhere in CNI. And what worries me is that many of these devices are coming through business channels rather than digital security channels. What I mean by that is that they are not necessarily rated for safety by design. They are not necessarily connected properly in the segmented parts of the network. And they are not necessarily then run or owned or managed as part of a service also run by digital security teams.

There are many of these devices, and there is very little standardization around them. So many of them are using outdated operating systems, and they are not patched. They don’t scan, we don’t even know what the devices are in many ways. They don’t sit in our CMDB (configuration management dashboard), so we don’t understand the impact if they go down or stay up. And in many ways, because we don’t scan them, we don’t really know if they’re compromised or not.

So we’re in a very, very dangerous landscape with IoT. I get it — like everyone else, I enjoy bringing IoT into my environment and using it. I think there are huge benefits from IoT within healthcare, but we also need to remember that a large part of our CNI consists of flat networks. We are not dealing with mature organizations that are divided everywhere.

When you start having flat networks and you’re talking about healthcare, you’re looking at flat networks that 90% of the public has access to — you can go into a healthcare environment, nobody’s challenging you, you can walk around and you’ve won don’t challenge them, because that’s what they’re there for – you can find network ports, and depending on how they are actually configured, you can potentially put an IoT device on these networks. And my strong suspicion is that you can turn them on, and in some cases they will absolutely get an IP address and start doing things that you wouldn’t want them to do.

So I think we’re wide open as far as IoT is concerned. There is no doubt about it.

A great solution.


That raises a big question. How do we protect and secure the critical infrastructure we have?


We need to do a lot more on security strategy and planning. That’s the first thing I would say. If we continue to fight to try to strengthen our security, we will make short-term gains, but we have to step back and do things differently.

For example, before I left NHS Scotland I made the business case for a center of excellence for Healthcare Scotland, where we would like to set up a single organization to take responsibility for safety. And not just safety, it would include standards for policies and processes, so we can really start to understand the level of maturity of posture across the NHS in Scotland. Because if you get one weak NHS board, they’re all lumped together, they’re all interconnected, so that immediately becomes your weak point. It’s not the boards that have the biggest amount of money and the biggest teams.

We need to step back and understand how we can do this less often by actually creating a strategy where security by design is the way we operate. I absolutely understand that in a critical national infrastructure, the very term “critical” says that all the staff will not have time to step back and actually say “Well, here’s something that came up, should I click on that? Shouldn’t I click on it? And in a medical setting, I log into the system to access patient records, but where am I actually leaving? What do I click on, what do I do?” Honestly, you work differently at CNI than any other part of life in the UK, or any other part of the world. Staffing, education, culture, that’s certainly part of it. But we have to get it right that strategy, we need to reduce the number of suppliers in the environment, but also reduce our reliance on some elements of the supply chain that don’t perform very well. That means we can actually reduce the number of compromises and breaches that we have.

We need to move forward with that digital agenda because it means we can have a much smaller enterprise to manage. We can get rid of our mainframes and get rid of some duplication and systems. But again, we have to do it by design. Stepping back and looking at the strategy, getting the right level of investment, putting the systems together and understanding how we can manage things in the right way would give us a lot more return on investment because we could actually start bringing teams together, start bringing investment vessels together, start merging management.

In the third part of this article, we will complete the picture of how critical infrastructure could be adequately protected against the potential of cyber attacks.

