Collaboration was a hot topic at the 2019 Cyber Security and Resilience Conference, as delegates from across the utilities’ spectrum gathered to discuss future-proofing assets against the threat from cyber-attacks.
After the conference was opened by Andy Bates, executive director of EMEA Global Cyber Alliance, Steve Trippier, CISO at Anglian Water, spoke about the future landscape of cyber-security and resilience in the sector. Trippier said that although the industry does collaborate, it is not enough by a “really long way”.
“We do quite a lot of collaboration with water, we do a lot of active threat intelligence sharing, we have a strategy board that is trying really hard to set some direction and to help each other – we do a lot of helping each other. But it’s actually not enough, not enough by a really long way,” he said.
Culture change
Cultural changes in the workplace were also discussed. Marilise de Villiers spoke about the need for “techy speak” to be translated into business language to ensure cyber-literacy and resilience was on the agenda for executive management.
She said: “My point of view and what I passionately believe is that organisations and society can only become truly secure if we strengthen the so-called human firewall and make people our strongest defence against cyber-attacks.”
De Villiers, founder and director of Marilise de Villiers Basson Consulting, said companies should not try to “reinvent the wheel” but should instead utilise the existing safety culture when implementing cyber-security systems.
For the day’s third talk, delegates were immersed in the world of international defence as Dr Tadas Jakstas, project manager at The NATO Energy Security Centre of Excellence, took to the stage.
Jakstas spoke about how NATO implements strategies to reduce the risk of cyber-attacks and organises its structure, taking a collaborative approach to cyber-defence.
“Looking at the future, training and education is and will be a key to enhancing NATO cyber-resilience,” he added.
Rounding off the first session was Andrew Tsonchev, director of technology at Darktrace, a leading machine learning company in cyber-defence.
Tsonchev talked about the cyber-security of the Internet of Things in critical national infrastructure. He discussed the “immune system approach” – similar to the way the human immune system works, but in cyber-security artificial intelligence (AI) machine learning is inserted into technological systems to root out harmful material.
“This is the idea that we are trying to push people to, when it comes to security, take seriously the vast, promising potential that AI machine learning has to enable this kind of approach,” he said.
EDF Energy’s security case and strategy development manager, Steve Rumbold, began the second session by talking about creating and implementing advanced but cost-effective risk and security management frameworks.
Outcome-based approach
Using security at Hinkley Point C as a case study, Rumbold said taking a more outcome-based approach towards nuclear regulation had resulted in savings. He said: “When I first started, the regulations were really prescriptive, some countries are still like that, but what it did was impose unnecessary cost – sometimes where we didn’t think we needed what was actually in the book.
“Critically for me it inhibited the whole profession because people were lazy and just thought: ‘It says it there so I will just do that.’ We are a long way from that.
“We now have security assessment principles which are outcome-based, we have to achieve certain outcomes, how we do it is up to us.
“That was very much co-developed with the industry. They were like the safety assessment principles, we weren’t completely re-inventing the wheel.
“The benefits of that is we have got more proportionate controls, we can make savings there and we have done.”
Gone phishing
Protecting customers from phishing attacks has been a key priority for utility companies, and Gill Thomas, assistant director, EMEA, for outreach at the Global Cyber Alliance gave a presentation on the benefits of using Domain-based Message Authentication, Reporting & Conformance (DMARC) as a way of preventing such attacks.
Multiple studies have shown that more than 90 per cent of all online attacks start with a phishing email.
DMARC is a tool that, if it is used by both the sender and recipient, helps prevent “email domain spoofing” – or an attack in the form of an email disguised as legitimate.
“It provides brand protection, people aren’t able to pretend to be you on email. It also stops you receiving an email from an imposter,” she said.
DMARC is a government-mandated programme and Thomas was keen to point out that HM Revenue and Customs made a “significant impact” by deploying it. In doing so it went from being the fifth-highest “phished” organisation to the 148th.
Supply chain
Protecting the supply chain in industry is another key cyber-security issue the utility sector faces.
Mary Sabalis, head of business systems at South East Water, and her colleague Caroline Gould, head of legal and data protection, discussed the need to build a joined-up approach to mitigate the human risks in the supply chain.
The pair posed questions for delegates. For example, do third parties use their own devices in the same way as their companies do? Failure to do so could result in a potential threat to security.
Nik Beecher, VP for cyber-security and ICT at defence and security technology company Leonardo, kicked off the afternoon with a discussion on securing a digital future.
Beecher warned that with customers increasingly demanding to communicate with their utility suppliers digitally, the “attack surface” has become more complex.
“Like it or not,” he said, “digitisation is going to happen to us all.”
Stijn Paumen, VP of business development at Wandera, gave an insight into securing “device-centric” security strategies for the modern workplace.
In particular, Paumen spoke of the need to ensure that mobile devices are secure. He cited examples where seemingly safe mobile apps had caused security threats. “By the end of this year, one-third of all malware will be on a mobile device,” he added.
Simon Newman, chief strategy officer at the Police Digital Security Centre, spoke about monitoring the vulnerability of interdependent systems and assets.
According to the latest statistics for England and Wales, there were a total of 4.5 million incidents of cyber-crime and fraud last year – just under half of all crime in the UK.
Newman said that one of the challenges for the police is the underreporting of cyber-crime – just 13 per cent is reported to the relevant authorities.
Views from the speakers:
Dr Tadas Jakstas, project manager, The NATO Energy Security Centre of Excellence
“Civilian and military interoperability in the cyber-domain should be enhanced.”
Nik Beecher, VP cyber security and ICT at Leonardo
“Even though we think we’ve closed the loopholes, technology keeps opening them up again for us because we continue to want to be able to exchange information faster, quicker, easier, cheaper and that comes with its own risk.”
Marilise de Villiers, director, Marilise de Villiers Basson Consulting
“People generally want to do the right thing, therefore we have got to focus on habits and how we allow those habits to become automatic.”
Andy Bates, executive director of EMEA Global Cyber Alliance
“Let’s try to translate the physical world and the world of criminals into this technological world, not just sit in an isolated little technical bubble.”
This conference was sponsored by: