Kathy Gibson is at the NEC XON Summit in Sun City – Threats to national infrastructure are not just about malware: advanced persistent threats, military threats, insider threats, hacktivists, individual hackers, criminal organisations and culture all contribute to vulnerabilities.
“This means defence is not just about one thing,” says Justin Kershaw, director at Raytheon. “If you don’t think about everything, you are leaving the barn door wide open.”
This starts with good governance, he points out. “You need to make sure that laws match policies and that policies match procurement.”
It’s about procurement and supply chain integrity – issues that are getting more important all the time, Kershaw says.
It goes without saying that system, end point, network and data security are all important, too.
“Customers still think it’s a technology problem, but that is number three among the issues,” Kershaw says. People and processes come out ahead of technology in addressing the cyberthreat.
People refers to organisational development: paying attention to issues like cyber defence organisation structures, governance, security strategies, and industry and government partnerships.
And in terms of staffing: job definitions and recruitment, classroom and self-directed training, on the job training, leadership development and performance assessment, awareness in the form of broad awareness programmes, and compliance testing and promotion.
Processes, says Kershaw, are the difficult part of cybersecurity. “But it has to be done.”
These include the concepts of operation, standard operating procedures, risk management, priority information requirements, systems security, plans and certification, executive communications, incident handling and operations.
When it comes to technology, there is a wealth of offerings to choose from. “Our job is to understand what they are and give customers what they want,” Kershaw says. “The truth is that every company has particular technologies they want to use.”
Among the many technologies that Kershaw highlights is cross-domain information sharing. “This is something that comes up a lot these days when we are trying to integrate things like open source intelligence with things that are of a classified nature.”
Another technology that Kershaw thinks is often overlooked is fly-away kits – giving people the ability to address remote issues on-site.
Defence-grade cybersecurity has to consist of products, managed security services, and system integration, Kershaw believes.
“You have to be thinking about all three of these.”
The only way we are going to have success in the fourth industrial revolution is via industry-government partnerships, Kershaw says.
For people working in national defence, he points out that lengthy procurement processes mean that solutions are often out of date by the time they are in place.
“We need big thinkers to sit down and tell us what the future is going to look like, so we can think about it and budget for it ahead of time,” Kershaw says.
Raytheon has been doing security work for the US government for the last 50 years. It set up its cyber division about 15 years ago to meet a specific defence need.
Cybersecurity vulnerabilities stretch from national infrastructure right down to the individual user, and touch every instance in between.
When we talk about Industry 4.0 and cyber-physical systems, there are new threats that we have to consider, says Indi Siriniwasa, vice-president: sub-Saharan Africa at Trend Micro.
The main issue is that consumers are no longer just people, but devices too – and these increase the threat landscape enormously.
When we get into smart cities the threats become much more widespread, with the ability to adversely affect millions of people, Siriniwasa points out.
The smart city market is expected to grow to $1-trillion in the next two years, so there is no doubt it is happening.
“But have they considered security when they design these smart cities – or is it a bolt-on?” he asks. “It seems that it is a bolt-on.”
For instance, surveillance systems with weak password controls around the world number in the millions.
When we talk about smart energy, the ability to create better energy efficiency and management is a great benefit. “But imagine if someone gets access to those devices,” Siriniwasa says.
The same goes for smart transportation systems. “Hackers are trying to find ways to hack into these systems.”
Smart connectivity and smart governance are all designed to make our lives easier, but are subject to security threats.
The same threats that we encounter in the enterprise could threaten smart city services, Siriniwasa explains. These include ransomware and DDoS threats.
But specific IoT threats are also a reality that we need to guard against, he adds. These could attack the devices themselves, the control layer, the endpoint controls or the IT system.
Siriniwasa says Trend Micro has formed a new company to understand and address IoT threats. It offers security solutions for devices, middleware, the network and the enterprise infrastructure.