Though cyber security experts have long warned of the threats to Belgium’s critical infrastructure, recent incidents are now opening the eyes of business and political leaders, wider than ever, to the ecosystem risks of the world’s connected utility networks, power grids and other essential services.
Plugging these security gaps will require collaborative strategies among business, governments and the tech sector to try to remedy ecosystem weaknesses that could cause massive disruption, financial damage or loss of life.
Overlooked ecosystem risks
While industry and governments have invested heavily in cyber security — building cyber “walls” around internal company networks and legislating national security guidelines for domestic industries — less attention is paid to the risks posed outside the box, by the growing network of interconnected infrastructure.
Business and political leaders are now asking how a wave of cyber security breaches could happen, and what can be done to stop them. Part of the answer lies in the adoption of IT functionality across the industry’s operational environments. Locally, many Belgian infrastructure operators have embraced IT innovation to better manage their operations and reduce costs, including remote operating capability, so a company production asset can be managed from a central location or even remotely (anywhere, anytime).
Such innovation can bring significant benefits; however, it has often challenged Operations Technology teams, who were focused on physical protection of assets, rather than emerging, external cyber risks. Although many business systems are vigilantly guarded against cyber threats, operational systems haven’t always enjoyed the same security scrutiny. And, with the rise of interconnectivity between a company, its customers, suppliers, and even government partners, cyber threats can arrive from many sources.
More effort, inside the box:
Despite efforts by leading companies to protect their systems, there is still much work to be done. For example, with heightened inspection, many high-profile ransomware attacks could have been avoided or at least reduced. And, despite the increased threat, many companies are still not meeting a minimum level of cyber security to fend off such attacks.
Segmentation of a company’s distributed network would reduce the risks, since firewall separations between key areas would make it easy to shut down and isolate a cyber hack. In order to confront these cyber security risks, companies must invest enough to keep their operational environments up to date and address the costs of replacing legacy systems; implement scheduled maintenance shutdowns, which will likely impact production but whose omission could lead to security issues; and do more to press their technology vendors to deliver adequate updates to aging industrial systems. Failure to take the above-mentioned measures allows many operational systems to deteriorate with outdated functionality and a lack of much-needed security upgrades.
In addition to the technology aspect, corporate culture within many organizations can impede their cyber security efforts. Operations teams may lack cyber savvy, yet the issue may originate at the supervisory and executive board level, where leaders are not familiar with their own operational assets, nor understand their ecosystem dependencies. This culture may extend to front-line employees who aren’t adequately trained on basic “Don’t click the link” cyber-safe practices, nor are they encouraged to report operational issues or glitches that create vulnerabilities to future cyber-attacks.
More effort, beyond the box:
In addition to better internal awareness and controls, organizations should implement beyond-the-box planning to address ecosystem weakness. While national or regional governments might logically provide this oversight and coordination of cyber security strategies for critical industries, not many governments have embraced the task.
Exceptions to this general rule include the UK’s Government Communications Headquarters (GCHQ), which promotes cyber vigilance in industry, the U.S. Department of Homeland Security and other agencies that drive industry standards, and Singapore’s efforts to apply stringent cyber security regulations. However, most countries have yet to implement a similar regulatory framework.
Cooperation is also limited at the trans-national level, due to lack of political consensus and the slow pace of legislative change. For example, although the European Union is in the midst of updating its Network and Information Systems Directive (NIS), it could take years for the NIS 2 guidelines to be implemented within member nations. Currently, even basic, cross-border sharing of intelligence, to alert national agencies of emerging cyber threats, is in its infancy.
In light of these realities, the critical role of ecosystem protection may hinge on industry collaboration, with leadership provided by the largest infrastructure and tech firms who can bring their counterparts to the table to iron out common principles and practices. Such industry-wide consensus could ultimately spur corresponding regulatory activity. For example, this kind of industry-made solution has already emerged in the banking sector, where Europe’s largest banks worked together nationally and internationally to draft cyber security standards and threat intelligence information sharing.
This industry-driven approach could produce better, out-of-the-box strategies, based on real world field experience from operators who already practice meticulous risk mitigation of their internal, physical assets. Today, most companies can quickly shut down (part of) their own operating environments, if a problem occurs, and revert to alternative processes. This ‘can do’ mindset must be extended to the ecosystem level, so that risks relating to an industry’s labyrinth of dependencies are identified, work-around solutions are developed, and back-up plans are tested and practiced jointly by companies, industries, tech firms and regulators.
While it will take time and commitment for the numerous stakeholders to develop effective ‘out-of-the-box’ approaches to manage the risks embedded in their ecosystems, it’s encouraging to see that industry participants are now taking preliminary steps.
Like any major challenge, it must begin with awareness, and recent, headline cyber-attacks are prompting CEOs and Heads of State to ask: “What assets do we have?” “What is our level of Operational Technology maturity?” and “How could the ecosystem impact our ability to operate?” Protecting the critical infrastructure upon which we all depend is a collaborative step for industry, government and technology to take on.