Last Thursday saw the official launch of the International Operational Technology Security Association (Iotsa) at Watermans' Hall in London, though the body was actually formed at the tail end of 2016 by a group of concerned CISOs.
The not-for-profit organisation aims to raise awareness and adoption of essential security practices among users and operators of operational technology such as SCADA, ICS, IIoT and IoT, as its founders say there was no established forum for the topic. And with attacks ranging from substation switches in Ukraine to thermostats on office air-conditioning systems, it is apparent that successful exploits continue to grow.
Created by CISOs for CISOs and senior management, and headed by president Mike Loginov, a distinguished CISO himself, the group aims to provide a platform for the sharing of opinions, insights and thought leadership among its members, who straddle manufacturing, utilities, energy, processing, high tech, media and telcos, CNI, law enforcement, military and intelligence, plus supporting industries.
Membership is free until the end of this year, and there is a range of sponsorship opportunities, with current sponsors including Norway's Powel, Cyber Adapt and Ascot Barclay Group.
At the inaugural lunch, speakers included John Noble, director of network management at the UK's NCSC, and Charlie McMurdie, formerly of the serious and organised crime squad and head of fraud at Scotland Yard during her 30-plus years in law enforcement, as well as having been senior cyber-crime lead at PwC.
Mike Loginov, president at Iotsa, told SC Media UK, “We recognised the huge gap between IT security and operational security, which were two totally different roles,” adding that the demand for security in operational networks continued to grow with the IoT and IIoT, but that there was a lack of support, despite the fact that, say, a manufacturing plant or power plant going down had a bigger impact than an IT network being hit, which most often just caused inconvenience.
This view was echoed by Noble, whose presentation emphasised that the NCSC is very keen to support Iotsa, as operational security is an important area for the government, with Noble telling delegates, “Operational technology is important to everyone, particularly CNI. The people who are our adversaries are spending a lot of time looking at how they can use it, and working in preparation for when they might use it, and every day we see people attacking, most often state actors, though criminals too.”
Just prior to the NCSC's first anniversary (a year today), Noble noted that the seriousness with which government takes the issue of cyber-security is seen in the £1.9 billion made available at a time of austerity – obviously not all of that going to the NCSC, but to other government departments and law enforcement too. He acknowledged that with this massive investment in cyber-security it is right that expectations are high regarding what will be delivered, giving taxpayers value for money.
Noble listed the four different areas being looked at by the NCSC (paraphrased below):
First, understanding your adversary – operational teams looking at the adversary every single day; many of them are state actors looking at using [hacking] operational technology.
Second is engagement teams, going out and working with the different sectors. They work with government but also with industry, and working with industry is a vital part of the strategy. Although government has put a lot of money in, it can't do it alone.
A third area is the development of the NCSC's capability. It is both about people – growing the number of people who can be cyber-professionals – and about increased diversity (Noble noted that the 40 or so people in the room were overwhelmingly white males). Within the NCSC it is a real priority, and it is reaching out to schools, including a competition for 8,000 girls, getting them to understand the technology and make it more secure.
Then comes incident response. The annual report figures were noted – 590 significant cyber-incidents reported – and since going to the printers another 33 have been added, so 623, of which 30 are categorised as most serious because of the sector or the seriousness. WannaCry was at the top end, very close to a Tier 1.
Among the themes that have come out:
1. Getting the basics wrong – not patching, poor admin. If the basics were got right, the vast majority – not all – of the attacks would be stopped.
2. Getting the balance right between security and efficient operation. When an incident is investigated by the NCSC, it is usually because the organisation hasn't got the balance right, and that is particularly difficult in operational security, where taking complete systems down is hard because many systems need 100 percent uptime.
3. People not really understanding where the risk is. With operational technology, equipment failure is an issue, along with mergers and acquisitions, where companies take on a whole load of risk that they don't understand, often sacking the people looking after that network, and the NCSC sees the attackers getting through as a result.
4. Finally come legacy systems, which are a particular issue in operational technology. Nine times out of ten the NCSC finds that to be an issue when it goes to a company.
Secure by default is where we have to get to, said Noble. He then wished Iotsa the very best of luck and repeated his plea that people, including those at the event, should report incidents to the NCSC, commenting, “The NCSC is only here to help victims, it's not a regulator, not fining people. It takes reports coming to the NCSC which it will treat confidentially, and use that to run through its databases – both secret and public sourced data to identify other victims and the people seeking to do us harm.”
McMurdie also noted how it was essential for industry to cooperate with state bodies as well as providing self-help groups, as the cyber-security capabilities of the police are limited, with recent cuts taking manpower down from 140,000 to 120,000, of whom only a few hundred would be involved in responding to cyber-crime (across all its teams, such as the Falcon unit at the Met Police, local and regional forces, and the NCCU at the NCA). In comparison, the big four consultancies would have many highly qualified specialists, and policies and processes to retain those staff.
Consequently, law enforcement alone will never be the complete answer, as it doesn't have the resources, the expertise, the sophistication, speed and scale that exist in industry. There is a need to cooperate, share and build capabilities, given that it is a challenge for the police even to afford the salaries paid to cyber-experts. So McMurdie suggests industry delivers on the tech side and, “let the cops focus on investigation, arrest and prosecution, laying hands on people.” One particularly frightening recent statistic cited by McMurdie was that among SMEs that are the victims of cyber-attack, 55 percent fail to recover.