How to manage the changing cybersecurity landscape for critical infrastructure and industrial operations
Consultants and specialists designing and implementing surveillance and security solutions for industry and critical infrastructure face unique pressures. The physical protection of such ‘essential entities’ (as regulation increasingly refers to them) is obviously paramount, but today they also face the need to support protection from attacks in the digital realm. In addition, a changing regulatory environment needs to be navigated by all members of the value chain if compliance is to be maintained. Cybersecurity is, after all, a responsibility shared by all those involved in the design, specification, supply and use of a surveillance solution. Here we explore some of the issues.
A world where almost all industry is critical
Disrupting a nation’s essential services – including power and water supply, the provision of healthcare, interfering with manufacturing, and more – has been the goal of aggressors in conflicts throughout history.
Before the digital age, of course, attacks were exclusively physical. But the universal application of connected technologies in all areas of life over recent decades has created the opportunity for bad actors to use both physical and digital means to disrupt the services essential to society.
It’s no secret that cyberattacks are increasing in number and sophistication, and that they are being undertaken by a broader range of attackers. Whether hobbyist hackers being mischievous, well-organized cybercriminals looking for financial gain, or nation state-backed actors seeking to undermine an adversary’s society, cyberattacks come in numerous forms and from multiple sources.
Due to the highly connected nature of global supply chains, the breadth of those industrial sectors now defined as essential entities has also grown. Just two or three years ago, many people would not have regarded the production and supply of semiconductors as critical. But supply issues during the pandemic demonstrated how essential chips are to many – if not most – modern industrial processes.
The ‘butterfly effect’, where a small disruption in one system can have a major impact in another in the future, was shown to be true for the globally integrated technology supply chain.
Regulators face cybersecurity challenges
Faced by such a fast-moving and constantly changing cybersecurity environment, governments and regulators are unsurprisingly struggling to keep up. Increasingly, their reaction is to change the way that they regulate with regards to cybersecurity.
In broad terms, rather than defining what providers of essential services need to have implemented in relation to cybersecurity, the trend in regulation is to put the onus on the providers to prove that they have the necessary measures in place to stay cyber secure.
This change has serious implications for not only the providers themselves, but for any party providing expertise and solutions within the essential entity supply chain. The entire value chain – upstream and downstream – will be under scrutiny.
NIS2 as an example of the evolving regulatory environment
Cybersecurity regulations differ around the world. From the NIST Cybersecurity Framework in the US to the proposed Cyber Resilience Act in the EU, regional and national regulators are defining what they regard as the most effective approach to securing essential services from cyberattack.
The NIS2 Directive, which came into force in January this year, with EU Member States having until October 2024 to enact it into law, provides a useful example to highlight the implications of new regulation to essential entities.
NIS2 is a response to the evolving threat landscape, aims to enhance the overall level of cybersecurity in the EU, and closes the gaps seen in the original NIS Directive. The Directive looks to create “a culture of security across sectors that are vital for our economy and society and that rely heavily on Information and Communications Technology (ICT), such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure”.
It is clearly an example of the recognition by regulators of how reliant every sector has become on technology, and how any vulnerabilities are constantly being searched out and exploited by cybercriminals.
Under the Directive, EU member states will identify those businesses and organizations that are operators of essential services, and those organizations will have to take appropriate security measures and notify relevant national authorities of any serious cybersecurity incidents.
In addition, key digital service providers, such as cloud computing services, will also have to comply with the security and notification requirements under the Directive. The extension beyond essential service providers and into the entire technology supply chain is clear.
Surveillance solutions as part of the essential entity value chain
As mentioned, the protection of essential services has always been a priority. Physical measures – perimeter fences, access control, and security guards – have been enhanced through technology, with advanced video surveillance solutions in place at every essential service facility. The increasingly connected nature of these solutions has, of course, also placed them in the front line for cyberattack and under the scrutiny of evolving regulation.
Architects, engineers, and consultants designing and specifying surveillance solutions face a significant responsibility. Ensuring that surveillance solutions are designed not only for the physical and cybersecurity requirements of today, but which will adapt to the evolving challenges is essential in maintaining regulatory compliance.
This demands ‘system thinking’. Consultants must see the security solution as a whole rather than a selection of separate devices, and consider the relationships between the hardware and software of the solution itself, along with its integration into the broader infrastructure of the essential service provider. Solution design, implementation, integration, and maintenance all play an essential part in cybersecurity, and a recognition that any solution will evolve over time. A solution which remains static will eventually be exposed to vulnerabilities.
What does the changing landscape mean for surveillance solution designers?
Those designing and specifying solutions have an obligation to consider the potential wider risks posed by the technical offering that they are recommending. Whilst the solutions primary focus should be on addressing the defined operational requirements, IT and cybersecurity provisions are now also essential. Specifications today must be aligned to regulations like the NIS2 Directive to support an organization’s compliance.
As such, consultants must be confident that any vendor’s products meet the security policies of the individual customer, including all relevant regulation applying to the customer’s organization. Undertaking appropriate due diligence into the approach to cybersecurity approach of any vendor they are recommending is essential.
Consultants must also look to specify policies and processes for the technology vendors they are recommending, as well as the technical features that they provide. Features such as secure boot, signed firmware, security components that enable automatic and secure identification of devices, and a Trusted Platform Module (TPM) address the risks posed today and should be specified.
Specifications should also include important third-party certifications, such as ISO27001, and vulnerability policies, security advisory notifications, and a clearly defined security development model.
Finally, a lifecycle management approach should be included. The use of device and solution management tools and a documented Firmware strategy mitigate the future risk of an attack and safeguard customers moving forward. These features allow customers to operate their system and devices in as secure a manner as possible throughout their entire lifecycle.
Together, these policies and processes demonstrate the cybersecurity maturity of an organization, and its ability to adapt to the evolving threat landscape.
Changing roles in a changing cybersecurity environment
For every nation, the importance of minimizing the potential interruption to essential services is obvious and cannot be overstated. At a minimum, disruption will almost immediately lead to economic impact. This can quickly turn into significant societal issues, and potential risk to health and human life.
Wherever the threat comes from, the protection of essential services and the entities that provide them is therefore vital. Regulators worldwide have recognized this, and that the threats come from both the physical and digital realms.
However, they have also recognized that the threats from cyberattack are evolving so fast that any attempt to define cybersecurity measures will be out of date before they are published. Therefore, the regulatory approach has changed, requiring providers of essential services to prove that they have the technology, processes, and resources in place to deal with the threat landscape.
The effect is that anyone involved in the essential entity value chain needs to respond to this challenge, including those designing and specifying surveillance solutions. Mitigating the risks of cyberthreats is a shared responsibility. While our businesses depend on it, the consequences for society could be much greater.
Explore our approach to cybersecurity, resources, and best practice guidelines.