Engineers working on systems that form part of a country's CNI can no longer rely on their isolation from the internet for protection, according to a keynote panel at Infosecurity Europe 2013.
Control systems running transport, utilities and banking may once have been operated independently of corporate IT networks, and therefore not accessible online. But the trend toward using more common, off-the-shelf components and software, and the move toward programmable computer systems rather than systems based on dedicated hardware and chips, could open up new vulnerabilities.
"A lot of CNI organizations are moving towards computer-based systems, especially to automate what were historically manual processes," noted Peter Gibbons, head of information security at Network Rail. Safety, he pointed out, is an organization's first priority. "We have to work with our engineers to help them understand that if a system is not secure, it is not safe."
At Heathrow Group, chief information security officer Mark James added that the airport operator needs to work with a range of stakeholders for its systems, from the airlines to companies supplying baggage handling equipment and, with Heathrow being updated, the construction sector.
"We have certain types of people using electro-mechanical systems and others using IT," he said. "With SCADA, we are seeing the need for close working between IT, and IT security, and people in the engineering community. The mindsets of these two communities are quite different."
This, James said, relies heavily on education, to ensure people running SCADA or electro-mechanical systems understand digital vulnerabilities, and how to protect against them.
At the Bank of England, the view of critical national infrastructure is slightly different, said John Milne, head of resilience at the Bank's special response unit. "The first challenge is what is the cyber risk: a clearer definition would be helpful," he commented. "The main problem we have trying to develop [a notion of] cyber risk is relationships. People are reluctant to share information about cyber events… more effective information sharing will make it easier for businesses to respond effectively."
But organizations are also benefiting from the changes to both mission-critical and control systems, which make them more flexible. "In the IT world we have reaped great benefits from connecting systems together," said Gibbons. "In the IT world we've grown used to features being added to make systems easier to use. That is moving into control systems. But we have to maintain a focus on what is required, rather than a nice to have."
Companies involved in critical infrastructure are not isolated from other trends in IT, such as consumerization or BYOD. Employees need to be educated about how these more open systems can be used in mission-critical environments.
"You need some education around the consequences of a compromise," said James. "It really helps to flesh out what risks you are facing. Education first, but then [add] the appropriate level of assessment that is not so forensic that management teams cannot understand it."
Information security teams, Milne continued, need to be flexible and responsive enough to deal with new threats to CNI, as they emerge. "The sheer evolution of the cyber threat means that the defenses you have in place today may not protect you tomorrow."