Protecting infrastructure: it’s impossible to stay alert all the time – interview


Unlike computers, humans grow tired of being “always alerted” – even in the face of the gravest of dangers.

The deteriorating cybersecurity landscape has prompted numerous warnings of impending doom, with critical national infrastructure (CNI) operators urged to be more vigilant.

While, thankfully, none of the darkest scenarios of attacks on power grids and nuclear facilities have materialized, CNI operators need to be constantly wary of ever-prowling threat actors.

According to Alex Tarter, CTO and chief cyber consultant at Thales, operational technology (OT) is one of the areas CNI operators must protect that the public is probably least aware of. Yet, as the Stuxnet malware demonstrated in Iran, a breach of OT can cause severe physical damage, not just data loss.

“But we now realize that because we live in a highly interconnected society, we’re going to have to focus a lot more on if something is disrupted or compromised, how do I respond?” Tarter told Cybernews.


Operational technology within critical national infrastructure is always a lucrative target for state-sponsored actors. Do you think operators are aware of the looming cyber threats?

I think operators are very aware. At least since Stuxnet. For the past 12 years, people have been ramping up to the fact that cyberattacks are an existential threat. But it’s only really in the past couple of years that they have started to see these things take effect in a much more significant way, through things like ransomware.

Operators are aware, but they’re also very conscious of the limitations of what they can do to counter it. The playbook around how to defend critical infrastructure and operational technology is subtly different from how you would protect enterprise IT, which is why it’s taking a little bit of additional time and comprehension.

Could you talk a bit more about how OT defense is different?

One difference is that OT is designed to be incredibly reliable and consistent. That’s required to perform a lot of automation and deliver the processes it was set up to do. Meanwhile, enterprise IT is there to support human interaction.

Using OT, humans support machine communication: the machines communicate with each other to carry out a given process. Therefore, if you have a well-defined process disconnected from enterprise IT systems, then patching doesn’t have the same criticality as it does in IT systems.

That’s because, in an IT system, you can’t always predict what computers will be communicating or doing. For instance, it’s not always guaranteed where my laptop will be, what websites I visit, or how I communicate with people. Patching is about reducing that attack surface, because the CISO can’t predict how someone will use that computer to carry out human interaction.

But when it comes to OT, the interactions are very prescribed and understood. In that regard, I should be able to understand what should be communicating with what and minimize the attack surface.

Typically, the computers aren’t moving around in a manufacturing facility or a power station. It’s just a different way of operating, with a different attack surface and different expectations, which is why the defenses you use to protect a more predictable system are different from the defenses you’ll need against an unpredictable system such as enterprise IT.
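The answer above argues that because OT traffic is prescribed, a defender can write down which hosts should talk to which, on which ports, and treat anything else as suspect. The following is an added example, not code from the interview, Thales, or Cybernews, of that check in Python: a hypothetical per-cell allowlist of expected flows and a constructed Zeek-style conn.log excerpt. The addresses, ports and host roles (HMI, historian, engineering workstation, PLC subnet) are assumptions for illustration.

```python
"""
OT flow allowlist check (added example; not from the interview).

Assumptions: one OT cell where an HMI and a historian poll PLCs over
Modbus/TCP (502) and an engineering workstation (EWS) reaches PLCs only on
the EtherNet/IP port (44818). The allowlist and the log lines are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Hypothetical baseline for the cell: (source host, destination network, proto, dest port).
ALLOWLIST = {
    ("10.10.1.10", "10.10.2.0/24", "tcp", 502),    # HMI -> PLC subnet, Modbus/TCP
    ("10.10.1.20", "10.10.2.0/24", "tcp", 502),    # Historian -> PLC subnet, Modbus/TCP
    ("10.10.1.30", "10.10.2.0/24", "tcp", 44818),  # EWS -> PLC subnet, EtherNet/IP
}


def is_allowed(flow, allowlist=ALLOWLIST):
    """True if the flow matches an allowlist entry (exact source, destination in network, proto, port)."""
    dst = ipaddress.ip_address(flow.dst)
    for src, dst_net, proto, dport in allowlist:
        if (flow.src == src and flow.proto == proto and flow.dport == dport
                and dst in ipaddress.ip_network(dst_net)):
            return True
    return False


def parse_conn_log(text):
    """Parse the columns we need from a Zeek-style conn.log:
    ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto (tab-separated)."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip header/comment lines
            continue
        f = line.split("\t")
        flows.append(Flow(src=f[2], dst=f[4], proto=f[6], dport=int(f[5])))
    return flows


def find_unexpected(flows, allowlist=ALLOWLIST):
    """Return every observed flow that the prescribed baseline does not explain."""
    return [f for f in flows if not is_allowed(f, allowlist)]


# Constructed sample: three expected flows, an EWS using Modbus (not its programming
# port), and a PLC making an outbound DNS query to a non-OT address.
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000000.1\tC1\t10.10.1.10\t50001\t10.10.2.5\t502\ttcp
1700000000.2\tC2\t10.10.1.20\t50002\t10.10.2.7\t502\ttcp
1700000000.3\tC3\t10.10.1.30\t50003\t10.10.2.5\t44818\ttcp
1700000000.4\tC4\t10.10.1.30\t50004\t10.10.2.5\t502\ttcp
1700000000.5\tC5\t10.10.2.5\t50005\t203.0.113.5\t53\tudp
"""

if __name__ == "__main__":
    for flow in find_unexpected(parse_conn_log(SAMPLE_LOG)):
        print(f"UNEXPECTED {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
```

Run against the sample, the script reports the EWS-to-PLC Modbus session and the PLC's outbound DNS query; the three baseline flows are silent. The same allowlist can be rendered as firewall or data-diode rules, which is the point of the answer: in a prescribed network, the deny-by-default list is small enough to write down and maintain, so alerting on deviations from it is cheaper than patching everything that could be reached.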

How would you define that change? I mean, how has CNI operator logic shifted regarding attitudes towards cybersecurity?

We’re slowly starting to come around to it as an industry. We used to think of cyber in terms of control-based security: if I do these five or six things, I should be fine. So, if I have a firewall, antivirus – great, those are my security controls. And we realized that’s not a great way of looking at it.

Having a set of controls instead of best practices isn't sufficient cyber-hygiene. I think this realization led to companies looking at everything in terms of risk management. And that’s useful for trying to identify what you should be doing.


There is never one correct answer. There are only degrees of risk: if I don’t move forward, something bad could happen, but if I do, potentially I disrupt something. I think we’re moving now towards talking more about resiliency. That means moving beyond risk management to resiliency management: you’ll start seeing that everywhere.

If you look at any new UK Ministry of Defense or government strategy for cybersecurity, you’ll often see the word resiliency. That is an acknowledgment that managing vulnerabilities is a never-ending task. There are always more. So, you’re never going to get on top of them. And there’s not a lot you can do about the threats.

What we can do is focus on minimizing the impact those threats have. Resiliency is thinking that an attack has occurred and assessing its potential impact and how we minimize it when something goes wrong. Since we live in a highly interconnected society, we’ll have to focus a lot more on: if I am attacked, how do I respond?

Western countries have urged CNI operators to be vigilant about possible significant cyberattacks. Have you noticed operators changing their behavior in the past six months?

There has been recognition. When certain events happen, they hit the news and everybody’s more aware. So they take that to heart. And I think there is an uptick in vigilance, concern, and being more careful.

Now the challenge is maintaining that tempo. It’s impossible to be in a state of heightened alertness constantly. What we’re trying to do at the moment is not only learn what actions we need to take in a heightened alert state, but also how we can automate them. We can start to implement some repeatable systems since computers don’t get tired, and humans do.