Security, ultimately, is all about culture. The way an organisation approaches security and integrates the tools and processes needed to achieve it. It is vital to create a culture in which security is designed into every technology and human action. Security by Design is achieved when every aspect of an increasingly complex and distributed organisation contributes to people, data, and systems instead of being a potential vulnerability.
Threats against Critical National Infrastructure (CNI) in all its forms are rising. A recent Accenture Report contains some stark figures showing that hackers understand the potential profits to be made from undermining basic utilities like power and water. The attack on the Colonial Pipeline in the USA in May 2021 made global headlines. It brought home to ordinary people the possibility that the utilities and services they depend on each day can be disrupted by cybercrime.
Earlier this year, the UK Government reported that Great Britain was the third most targeted country by hostile states. Its statement referred to all public services as CNI – everything from utilities to pensions, health and state-stored personal data of citizens.
In the past, attacking CNI meant infiltrating a physical plant or operational technology (OT) system. Now it just takes a few strokes on a keyboard once the hacker has found a gap in IT security – a phishing attack, a bad password, or an unpatched bit of software – and an entire system could be frozen. That is when the gas or water or electricity stops and an entire community or even nation is brought to a halt. Most scenarios imagine that state actors are the biggest threat. But that is also changing.
Attacking CNI is now the business model for criminal hackers
Attacks based on pure financial greed are rising fast. Ransomware attacks have been growing exponentially over the past few years. Everyone remembers the famous UK National Health Service incident when, for a few days, it was feared the entire network had been compromised. Attacks on water, gas, electricity, and other utilities are regularly in the headlines – criminals know they can exploit the digital transformation of CNI. Increasing connectivity, reliance on third parties and an extended supply chain open a broader (and deeper) attack surface. Accenture’s State of Cyber report showed that attacks through the supply chain have increased by 26% in the UK, accounting for 64% of breaches.
Securing CNI demands a culture change and a holistic approach
That is why it’s important to foster a culture change across the utilities sector.
There is a lot of change in the sector which introduces potential risks to the organisations. This includes business consolidation and digital transformation that the organisations are going through, but also regulatory changes affecting Critical National Infrastructure (CNI) such as the EU NIS Directive with new requirements for reporting and supply chain management. Accenture’s report emphasises that every CNI organisation needs a threat-centric and business-aligned approach across people, process, and technology domains.
Accenture’s MD and Cyber lead for energy and resources, Kristian Alsing highlighted defence-in-depth and zero trust as some of the established good practices to build into a holistic security approach including “the ability to link each activity anywhere within your system to the identity of the device, the person and the data that’s being accessed or used.” and implementing both “preventative as well as detective control to confirm if it has been circumvented”. He also highlighted the importance of real security assurance through testing of controls and exercises of security processes.
The role of Cloud
Cloud is a huge opportunity and from a business perspective making the most of the benefits represented by the cloud is a priority, but many Security departments struggle to really understand what the business is doing. For instance, massive investment is in the new initiatives which are largely enabled by the cloud, with the change happening at a much faster pace than what organisations used to. “Many organisations struggle to understand the broad range of assets they have and how they interact on a moment-by-moment basis,” says Kristian, “It’s hard to understand a complex utility, but CNI organisations must be clear about who is doing what. How do you integrate the cloud into the wider controls and frameworks already in place within the organisation? What does the cloud provider do and what do you need to do to secure the connections and protect data and systems? That takes a lot of work.”
Organisations should use structured approaches when assessing and implementing security (in the cloud and otherwise). Some of the relevant resources such as NCSC CAF guidance for CNIs (and the related list of ‘actions to take when the cyber threat is heightened’), a general NIST CSF (Cyber Security Framework), or cloud-specific guidances such as CSA (Cloud Security Alliance) best practices, should be considered and adapted for your specific situation.
You need to know exactly what you’re responsible for
Your security function needs to lead. There is still a lot of misconception among non-security professionals that you can just turn on the security in the cloud and you are done. As an organisation, you have to understand which security functions YOU are responsible for and which are provided by your cloud provider. “You need to consider what is available natively with the cloud provider, and what controls you may want to centralise – such as managing keys or access to critical functions. It also needs to be integrated into your broader cybersecurity framework and operations,” Kristian told me.
It’s a task that demands commercial and legal agility as well as a deep understanding of your technical controls and who is responsible for what. That must be clearly stated and always followed.
Naturally, engaging with suppliers is also vital. And it’s also important to make sure you can provide relevant visibility and reporting to both the board and regulators.
So, what are the top three things CNI organisations need to do?
Summarising our conversation, Kristian’s list is both simple and logical:
- Know your risks; understand how your applications, infrastructure, services, and your business fit together.
- Focus on business resilience; know what the critical business systems are and how to restore them in various scenarios.
- Deliver real security assurance through testing of controls and exercises of security processes.
It is therefore vital that there is a shared responsibility in place between a cloud provider like Salesforce and a CNI organisation. Kristian stresses an integrated approach across all departments; “Don’t rely on one department or team and don’t rely on the contract. Adapt to the changing threat landscape with agility across all involved” Sound advice in dangerous times.
Cyber Security Challenges & Priorities
Listen to Industry experts share their views on the current and future challenges we are facing.
For more on Salesforce’s security and resilience efforts, visit our trust website. Need help with your security efforts? Trust is our No 1 value and Salesforce is continuously developing and improving capabilities so our customers to use Salesforce clouds in a secure and compliant manner. Learn more at our security page.