Richard Knowlton chaired his third and final Security of Things World Conference in Berlin (1-3 July 2018). The following are the comments he made to wrap up the conference.
As the chair, I benefit from having the last word and knowing that there is no formal Q&A afterwards. It means that I can pick up whatever threads interest me and follow them to see where they lead.
Let me start by going back over the three years that I have chaired this Security of Things World (SoTW) conference. I’ll then draw out some themes that I think we will still be discussing in 2019 and beyond.
One memory I have of that first conference in 2016 was that there were quite a few “security tourists” in the audience. IoT was a new buzz term to many in business. A lot of people came to SoTW not knowing much about IoT, but with a feeling that they should. I found the same when I spoke on IoT security issues at the Mobile World Congress in Barcelona only six months later.
At that first SoTW, there was an uncomfortable feeling in the room that something bad was inevitable and that we were not prepared for it. It was also much noted that there were no regulations or standards in place to help us confront the risks.
By the next SoTW in 2017, most of those concerns had been proved right: the intervening year had shown that we were not properly prepared, and something bad had happened. The major incident on everybody’s lips at that point was the series of Mirai attacks, starting in the autumn of 2016.
Once again, we all agreed in 2017 that it was going to get worse – and there were still no regulations or standards in place.
So here we are at the end of the 2018 conference. To use my earlier shorthand, we may be better prepared, but still not enough. And the general cyber security situation is getting worse.
The widespread NotPetya attacks got everybody’s attention between 2017 and 2018 – not least in Maersk, which announced a financial hit of at least €300m. We heard an excellent presentation yesterday from Maersk and it is only fair to say that the company – an accidental victim of NotPetya, of course – responded outstandingly to all the serious challenges they faced. But the general mayhem caused by the malware was a dire warning, followed at the end of 2017 by the deployment of Triton malware against industrial control systems (ICS) in the energy sector, as well as other equally sophisticated new forms of malware.
Now in July 2018, we do at least have some regulations. Everybody knows about GDPR, which has been relentlessly drummed into our heads by lawyers and consultants alike over the last couple of years. But I’m constantly struck by the relative ignorance of most people about the other major piece of EU legislation that came into force in May 2018 – the Network Information Security Directive (NISD). This is despite the fact that the penalties for non-compliance (up to €19m in the UK) are potentially of the same order as those for GDPR.
I’ll come back to the NISD in a moment, but for now let me simply note that it leaves the issue of cyber security standards firmly at the Member State (MS) level, without establishing EU-wide benchmarks.
Standards will clearly continue to be a key topic. It was encouraging to hear in several presentations this year that smart people are working diligently to produce auditable standards-based control regimes.
This will be my last year as Chair of SoTW, so what scenarios will my successor face in the summer of 2019?
Let’s look first at the strategic level.
It is hardly controversial if I say that IoT devices will continue to proliferate at an extraordinary rate, most with a web connection, in the non-industrial as well as the industrial context. A fascinating presentation during our conference also spoke of the dizzying proliferation of data, and the solutions being developed to manage its increasing decentralization through edge, fog and cloud technologies.
What about the threat landscape? On the one hand, the attack surface continues to expand at high speed, and we had a useful reminder not to focus simply on devices in this context, even if we use statistics about devices as a shorthand to describe the growth of IoT.
In terms of threat actors, one of our presenters provided useful data based on statistics from the insurance sector. Criminals remain the most important threat for most businesses across all sectors from energy to pharmaceutical, from health to maritime to manufacturing. We see this in the explosion of ransomware and crypto-jacking attacks (including Ransomware as a Service, of course), as well as the high levels of fraud that are being seen in all sectors.
But I am also concerned about nation-state preparations for cyber warfare in the critical national infrastructure space in general, and in ICS in particular. The involvement of sophisticated and well-resourced states in hacking is hardly new, but the political context is extremely worrying. The breakdown of the rules-based order, increasing nationalism, potential miscalculation and misattribution all complicate the merely technical threats.
We have been here before in the nuclear context, but there is a big difference now. In the Cold War, we had mutually agreed mechanisms in place to mitigate the risk that a state would use nuclear weapons to respond to an incident or a perceived threat. With cyber we do not. How will a major state react if its energy sector is brought down, for example, or other elements of its critical national infrastructure? Will it see it as an act of war?
Turning to regulation, I have mixed views on the NISD. As I said earlier, I continue to be mystified as to why major corporations and their security managers seem so ignorant about it. I saw this apathy right from the beginning, when the EU started its so-called platform consultation process in Brussels in 2013. Very few multinationals took part and it all felt very “top-down”, in marked contrast to the parallel process that was taking place in the US with the development of the NIST framework.
Of course, the NISD is useful in encouraging countries which currently lack a strategy or mechanisms for cyber threat-management, such as the basic institutions to manage the risks. But there is no sign yet that the NISD will have the galvanizing effect of GDPR. It will be interesting to chart progress on this at the next SoTW.
Meanwhile, NISD certainly does nothing to encourage governments to share zero day exploits with the private sector. The old complaint is still valid: information-sharing with governments is all one way.
And finally, we will still have no widely accepted common standards.
What about at the tactical, operational level – what can we expect to see? The evidence – not least from what we have heard at SoTW – is that we are making progress in our general understanding and mitigation of risks associated with key points of potential vulnerability in the IoT. A few obvious examples:
Devices and software. An important development for me is the news that we are now able to prevent malware getting on to our systems, as opposed to detecting it once the infection is taking hold.
Unfortunately, though, I still hear far too many complaints about the quality of code in software and about vendors’ often cavalier lack of consideration for security. This is a real issue when the NISD does not cover software (or hardware) producers. We need to see significant improvements.
Networks. We heard about significant developments in enhancing network security, and I’m encouraged about the work announced at MWC 2018 on new developments with 5G networks.
Cloud. I have referred already to the really interesting developments described at SoTW in protecting the heavily decentralized models we now see in use.
Work will continue in each of these “tactical” areas and this effort is absolutely central to developing better cyber security protection. However, I would also like to flag up some other areas which I follow closely, and where more work is needed too.
People. In previous years we never talked much about security culture and the human factor at SoTW. I spend a lot of time on this in my practice, and it is really encouraging that so many speakers in 2018 have stressed the importance of security awareness and culture. After all, the Verizon and other major surveys all point out that up to 90% of cyber attacks succeed because of human action or inaction.
My point is always that we need to be doing much more to turn our people into our first line of defence, and not just regard them as the weakest link.
Of course, it all starts from the top. Very often security managers regard the Board as the enemy. Instead, we need to persuade Directors to be our major motor for change and improvement. If they don’t understand what we are saying, then in my view, that is our fault.
If the surveys are right, then the situation is improving. We are told that over half of Boards across the EU now regard cyber security as a Board-level issue and part of their overall enterprise risk management processes. GDPR has probably helped. But too many still regard security as an operational matter that should be left to technical experts three or more layers away from them. We need to keep pegging away at this issue.
Resilience has also featured more than ever before at this conference. I have always regarded business continuity and crisis management as fundamental issues. We all know that everybody is going to suffer a breach at some point.
Of course, managing the technical response and disaster recovery is essential, but security managers need to ensure that the enterprise has a proper process (exercised regularly) for managing the collateral issues in a crisis, especially those related to reputation, regulators and law enforcement.
IT/OT convergence. I find it very encouraging that this was such a regular theme at this conference, and I was particularly grateful to our presenter from Ireland for his analysis of the issues. My work in various sectors (manufacturing and energy, in particular) has shown that there can still be a worrying disconnect between two disciplines that must work together.
Finally, I was really delighted to hear companies talking here about the importance of their customers, and the value-add that security brings to their businesses – two issues that often get left out at technology conferences. We forget them at our peril!