The topic of our panel discussion today is the future of critical infrastructure security. Well, that's a really interesting topic and let's start traditionally. So please, every member of the panel, introduce yourself shortly and give like one single statement. Why are you here? What are you going to be talking about? Tom? You may start, I guess.
Okay. So still the same Tom as before. Yeah. Still a manager for Ernest and young. Maybe just quick edition. So as you might have heard, I'm not doing only cybersecurity at the technical part, but I'm also coaching on design thinking and stuff like this. So yeah, I'm gonna bring the human factor in
As I had a presentation before, as well, Marco Vogel partner at KPMG cyber security and, or yeah, I wanna keep it, keep it at that level. Let's focus on the question on the, in a good discussion
In that case, I'll take all of their time and then I'll just speak about it. Good afternoon. My name's Richard Richard. I work for a company called turn intelligence, which is an advisory consultancy group and help humans, which we like quite a lot and organizations both in that technology, it OT space. And obviously we've seen about the instant response aspect that we can work with as well.
I'm Danny Hughes. I am a co-founder and the CTO of Veren a company specialized in industrial internet of things platforms as well as a professor at KV and where I lead the network to embedded software taskforce within the security group.
Okay. Thanks a lot. And as again, according to our standard procedure, we will start with our one general question. And anytime during the discussion, if anyone wants to ask something or add something, steer a discussion to different topic, just raise your hand. And I will notice you and bring a microphone to your place. Right? And my first question talking about the critical infrastructure securities, we've heard so many stories about it. So many horror stories, mostly fictional lately yet are. So why actually fingers crossed it will never happen, but why has until now nothing really bad happened is a critical infrastructure. We've heard so many predictions about like the world going to the end nuclear power plants, exploding, whatever nothing of that scale has happened before. Again, fingers crossed. So why are we doing something wrong? Are we predicting something wrong?
Probably. Okay.
Well, I mean, I think you do already see examples certainly for cyber-physical systems, the most critical cyber-physical systems falling under attack. I mean, ST's net is now rather old, but it's certainly a very critical system that was attacked using a cyber-physical means. And I think it just starts to broaden out to other systems distributed out throughout society and industry. It's a combination of awareness on the attacker side of what can be done and look to date that you haven't seen more, more interesting things happening.
And by the way, any anyone who wants to add you're welcome,
Sorry, from my experience. And mark alluded to it earlier, when these systems are designed, they're designed with a, a life cycle that's unusual to this environment. So it's 20, 30 years because of such. And certainly speaking from a London perspective within that transport sector, you are looking at networks and systems that were designed 25, 30 years ago. So there is a gap between the two. Yes. Now more so they're looking to connect to that, to use that technology. But I think largely that's why there's no, you know, doomsday events at the moment. There's no die hard four where, you know, the, the traffic systems come to a complete stop and trains stop popping out of the floor because there isn't that connection still.
Okay.
Maybe to add to what you've mentioned before. I mean, first question is what do you mean by reported? I think that's the first good question. I mean, I think what you see in the newspaper is just the tip of the iceberg. I think that's what no one was able to ensure that it's not in the news. And we see a lot of incidents happening where companies are doing a good job to ensure that it's not in the news, but it still has happened. So you see, you know, the, the one hand you see, I think incidents that are up to the press are really public. You have that reporting starting or based on the news in Europe, for example, ensuring that that incidents for critical infrastructures are reported to, to a certain government entity, like the federal security agency in Germany or some other entities. And there is some reporting to those by the way more understanding is not as much as they've expected, but still reporting of incident to, to, to these organizations that are not in the pressed that are not in the news. So still, I think we do not have the right level of transparency on what is going on. From my point of view, the toughest question a client can ask me is about benchmarking. What's going on? What happens because reality is, I think we do not really have the full transparency in what's going on.
That's one part of the answer. I think the other part of the answer is back to your example of, you know, the, the blowing up of, of, of a power plant from a Techer point of view view what's in, for me, what's their benefit. And we have, you know, different type of attackers could be, you know, state sponsored attack. They have, you know, certain, certain topics they wanna address. If you look into organized crime and for a lot of organization that I would say, that's the main attacker they have to be concerned about. They don't make money out of getting this plant blown up. They are not interested in that use case to look really from, they wanna make money and they look into ways how they can make money out of cyber attacks X and to blow up a plant. It's maybe not the, the most interesting case for them.
So we really have to understand the attacker view as well. If you look into telecommunication industry, for example, for a long time, they concentrated their security on securing their backend infrastructure up to the point they understood most attackers and more likely is that the way more people are interested in stealing their iPhones, because if you steal a router backend router in a telecommunication industry, there is no market for it. No one would buy it. And that's also what you have to have to keep in mind from a, from a company perspective, who is the enemy or who is the attacker? What are they interested in? What is the market for them? Is there a market for them basically organized crime, they wanna make money. That's their basic interest. And you have to think about from that point of view, what is the likely way, how they wanna address it in your organization? So we see from my point of view, an increase in attack yet it may be. And I think the whole industry is also, you know, making more noise than reality is about, but we definitely see an increase in that one. And I think we definitely have not the right level of transparency and the right level of communication between industries, between each of his other to better understand what we currently see in terms of cyber tech. Okay, great. Tom, you wanna try anything?
Yeah. And I, I actually would like to add on that because I, I really agree on what is the intention of the attacker. And I think if we currently at Stuxnet at Triton, we think of state backed actors, someone like energetic beer, or whoever might be linked to a certain government, but a thing with the ongoing integration of it and OT, it's gonna be much more likely that we see like a virus from ransomware example leaping over from the it to the OT department and doing massively harm there, even though it wasn't intended to be there. But I think this whole integration of it, OT can be much more of a risk than a dedicated state backed actor that is now developing a malware for Schneider or ABB or any of these big companies.
Well, it was actually a great point made by Marco that it's actually a great point and very scary point at the same time, that the only reason we don't have this nuclear explosions yet, it's only for the lack of financial incentives behind it. So it's all about the market then, like, do you really believe that the market itself can also kind of work the other way around and regulate itself back into safety? Or is it something which has inherently be done as a collaboration between the free market and the government?
I think that there's an essential role for government, especially as we use IOT technologies to connect these things largely because the technology moves so fast that, you know, the, the security guarantees afforded by one system versus another are extremely uncertain, even for people who keep up to date with the latest and greatest in standard mainstream security. So I think government regulations, certification and requirements are an absolute must if you want to keep those systems safe.
Okay, thanks.
I struggle with this because when we talk about government, that is only a real small part of the sector that we'll have contact with. So it is great when there's legislation that supports a lot of this industry, but the more often the targeted people and the ones that really of a lot of these areas, haven't got that government support, they don't get that government. Contact's great. When you're in a, in a legislative environment in nuclear, you've got an agency that looks after that in rail, across the globe. There'll be an association that's responsible for that, but there's so much more out there. And, and there's just not that support. So it does, it does worry me working with somebody, you know, someone that's worked in with, and I been completely immersed in government working with the national cybersecurity center and, and similar that's great. The moment I came out of that organization, there's nothing. And the nothing is really what a lot of people probably sit in here. They don't get that level of support or understanding or threat basis. So, you know, I struggle with the whole little G government. Yes.
So basically if I understand you correctly, what you imply here, that the definition of critical infrastructure is too narrow at the moment. Right. So what what's, what would you name the most vulnerable example of what has to be brought under that umbrella as well?
Oh, wow. There's I mean, there's, there's so where, where do, from my perspective, I worked in transport in an open transport system. So by its very nature, we encouraged people to come on. We now then started to ask them to connect to the stations with wifi. We then started to use that wifi to start getting some of the data from trains. So it just happens and happens and happens. I really dunno what the, what the answer is to it, but somebody grown up needs to step in and take control of it.
Right.
Maybe to, to come back to original question. I think we have to differentiate on the one hand between what is critical infrastructure and what is not critical infrastructure. I think both need help in terms of moral security, intelligence and moral security information. But still we, we should accept that, you know, certain industries or certain companies will never be a critical infrastructure from a regulatory or from a, from a state point of view. And that's okay for me, but still a threat may be relevant for the existing of that organization to come back to your question of what, what the government can do. So what I currently see is when we talk, when we talk about cyber attacks and information sharing communication, you see a lot of informal trust based circles. The seas of the big banks are talking to each other. The seas of the energy companies are talking to each other.
The sea of the telecommunication companies are talking to each other, but maybe just, you know, the 3, 4, 5 big ones, but not the, let's say the lower level companies. And what we currently don't have is a framework to really ensure good standards and good communication on all that one. Currently, if we look into it from a military point of view, all the pros are on the side of the attacker. He decides when he's attacking, where he's attacking, what method he's using. So he's in a very good position and we, as the other side, are not helping each other. I think that's, that's an area where we definitely have to improve that we have, and that's where can a government can help to set the frameworks in place and regulation in place to help organizations to share this information the standardized way. And it's not only, you know, the about technically exchanging information.
It's also to have, you know, the legal framework in place just to take the point of liability. If I am talking about security incident happening to my organization and my stock is going down 20%, can I maybe C will be liable from a, from a shareholder. These questions must be addressed and they can only be addressed from, from a government point of view. And once we have addressed the topic and have a sound framework in place, and that's where government can help to really help us to share that information on the good side, the enemy is someone else. It's not your comp typically not your competitor, at least from a security point of view, business competitor, competitive competitiveness is on other areas. It's likely not security. We should talk to each other and we should have a framework where we can all share the information and not only having these informal trust cycles and that's where we can definitely improve. And that's where we have to make improvement. Otherwise the attackers will always be ahead of every one of us,
Right?
Yeah. I think that's a pretty good point, California just passed law on, on IOT security, mainly focusing on just passwords and logins. So it's nice. If you think of that topic, just from a legal perspective, you're always just gonna be addressed one thing, but as mark said, having this, this framework and really like, okay, how do we share information? What is the central communication point that we can all go to and, and bring this information up? This is something we do, for example, in Switzerland. So EY and Google and other big fours, we have the digital Switzerland initiative. We actually completely not focused on the business competitiveness, but we all sit together. And for example, consult the Swiss government on topics of digitalization of security. And this is like the good framework that we can use. And we can use the brain power that is there to share information, to have a framework where we all meet dedicated setup.
And I think this would really help. For example, when I do some research, I recently found about 900 records of ma card victims with credit card information, bank account, all this kind of stuff, all valid, all working, but there is actually no one you can report it to. So you're sitting there with records from about thousand people in Germany with email addresses and passwords, but who you're gonna go to. So I send out solicited unsolicited emails to a bunch of government organizations and the providers that didn't even answer me right now. So you're there like, okay, what are we gonna do? And I think we really need to address that if we talk about IOT.
Okay, thanks someone. We have a question from the audience.
Thank you, members of the panel for wonderful deliberations. Yeah. So my, my question is with regard to these critical infrastructures and, and how they, they relate with each other in terms of development and in terms of increasing the capacity for, for communication, taking telecommunication as, as a case study, to understand how other, other critical players in the industry behaves. If you look at the telecommunication industry, they are talking about G five now, and GCs will still come immediately after the G five is launched and the regulator keep mounting pressure on them. And most times they're talking about increasing capacity to carry data, but on the other hand, they are increasing the security of the new generation of, of carriers. But the backward compatibility, they still have G one G two G three, all along with all the flaws along that line. And when you integrate this legacy technologies into the new model, you invariably has lowered the level of security and the attackers are aware of where they wanna come in. They want, they might not focus the G six and the G five, but it can come into the G one because these lapses will never remain and they are always carried over there. So the weakness will continue to be there also. And it goes across into all of that industries, not just telecom.
Yeah. Maybe I just quick comment. I mean, we've seen that at the last care communication camp in Germany where they actually, I think she was a lady, a researcher from Nokia who actually displayed how 5g can be hacked by exactly leveraging this downward compatibility. And I think, yeah, as much technology as we add into that, we not gonna fix it. It's getting more and more complex. And it's just reality. For example, if we look one of the largest telco providers in Switzerland, what they actually did, they started the backbone program, which is something I see a lot in the us, but in Europe still, it's quite not that where it should be, where actually like leveraging everyone who's out there and giving them a legal framework. If I find the security buck on Twitter, I can report that. And I, I am sure that I'm not gonna be sued by the legal team. So we should, if we don't catch up with the attacker, why not just crowdsource it and, and come from a completely different point of view, instead of just changing all the tax specs, we leverage all the security researchers that are out there and come up with something like a backbone program. So I think also to tackle this, we need to rethink the ways we, we currently do security. Thanks.
I think we, we don't have a simple answer from a security point of view and that that's true. And that will always be true, even if, you know, board members or management people would like to, to get an easy answer on that one. So I think there are some realities that we have to face and that we just have to, that we just have to accept. I think the sentence there is no 100% security was true, is true and will ever be true. We will always see new vulnerabilities or still old vulnerabilities that have not been fixed. We will always see this, you know, increasing complexity that has to be addressed. We see human beings that make a mistake. So we, and, and think that's one of the reasons why we can't only concentrate to protect our environment, to ensure that it is secure reality is there will always be, you know, this level of non-security that we have to address as well, meaning to detect attacks, to respond and to recover from a text and to do this in a lot of cases jointly within your organization, across industries, together with the government, think the enemy is someone else.
We have to work together to protect that environment. We have to think about how can we embed security in products? How can we ensure that we not trust other levels of technology, for example, that they are providing security? I think we, we see some, some companies here looking into what is called zero trust. So not trusting other elements in the, in the overall piece or the overall technology stack, and even, you know, with putting all these capabilities or controls in place that will still exist certain, certain rest of risk that we have just to accept that we have to address in, in a joint way as mentioned before. I think that's a reality that we have, it is a complex issue. It will be complex. We have to address it from a, from an organizational point of view. We have to get better from a communication point of view.
We have to work more together from an industry point of view together with the government. I think that's very important. We still have to, but always, and I think maybe Germans are, are struggling with that one with our, you know, attitude to 100% quality. Maybe that's one of the reasons why we are struggling with reporting incident that looks like, well, you've, you've done a mistake. No, that's not. That's not the case. Everyone has done a good job, but still there has rest that something happens. There's still a good attacker. I've found a new vulnerability that no one has thought about before. Very simple one, everyone looks into it and said, well, very simple one, no one has found that one before. It's a process we have to constantly improve. We have to constantly work on that one. And it's not an easy problem that we fix just by money, just by people or just in a second that's reality that we have to accept.
I can really only speak from the industrial domain, but one of the things that we've seen a lot in the field is that exactly, that kind of legacy as we bring more and more things online is a really big problem. So if you take even simple malware attacks, things like, for example, want to cry. Obviously there were a lot of home computers and health systems effect affected, but beyond that, I'm aware of a number of fortune. 100 companies were legacy elements in the production process were affected by onery and effectively shut down production completely. And these are often in cases where it's a large factory that can cost hundreds of thousands of euros for a day of shutdown. And the big danger is there. Especially as we connect things with industrial IOT, the previously these were disconnected islands that the it department got to ignore. They were part of operational technology with these small chunks of it embedded within them. And so they've been sitting there for oftentimes, literally 20 years, untouched not updated. And then as these things become connected, there, isn't always a complete picture of where those problems and that technical debt lies. So I think it's a really big problem, especially in manufacturing and it O T convergence at least.
Okay. Thanks a lot. We actually have just one minute left before the eagerly expected lunch break. So I am afraid we don't really have time for anymore. Questions left. If you still have some, you are welcome to just join the networking crowd in the lunch hall and talk to all the speakers and well, thank you very much, Tom and Marco and Richard, Richard, and Danny for taking part in this panel and for just sticking around. Thanks a lot. And let's have a lunch break and we'll see you back here in exactly one hour. Thank you. Thank you.
