Derek Bok, Former President of Harvard University
If you think education is expensive, try ignorance
Derek Bok, Former President of Harvard University
If you think cybersecurity is expensive, try the alternative.
Cyber-attacks – the deliberate targeting for purposes of stealing, compromising or destroying or denying access to data stored on computer information systems – is a new 21st century reality and thus a national security priority for governments and a critical risk for companies.
To be sure, cyber crime is real, costly, and it’s here to stay. Therefore, recognizing this reality we have to live with, it pays to be prepared and educated professionally to develop long-term security and business resiliency, enabling to foresee cyber threats and forearm ourselves to prevent harm (and if it comes to that, recover) our operations quickly and at reasonable cost.
Cyber-security aims to protect assets, which include data (both in transit and at rest),
desktops, servers, buildings, and most importantly, humans. Countermeasures can significantly increase data security.
Some of these include, but are not limited to, access control and authorization, awareness training, audit and accountability, risk and security assessment, penetration testing and vulnerability management.
We can help you with our competent international team, led by Dr. Jack Caravelli.
Please contact us for a free advice on your needs and vulnerabilities.
Mehmet Öğütçü, Chairman
Turkey’s recent power blackout in April 2015, whatever the real reasons are, has been a powerful reminder of how vulnerable we are to a potentially massive, unexpected infrastructure collapse. It should be viewed as a wake-up call to prompt our government, military and businesses to have a hard look at how we should prepare ourselvesto counter this 21st century, asymmetrical threat to our economy, business, society and national security.
If the power out(r)age in Turkey was indeed a technical glitch, then there is no doubt that the existing systems should be made more reliable and those in charge of the systems better trained and equipped. If it was a result of a deliberate action by a malicious party, then, again, the systems should be made more reliable and less prone/vulnerable to attacks, cyber- or otherwise.Hence, a vigorous effort is needed – drastically different than our traditional defence against any known security threat to date.
It is inconceivable to presume that the authorities did not take countermeasures to ensure the reliability of critical infrastructure. They have no doubt assessed the risks and possible threats that could compromise the system –not only in energy, which is the backbone of our lives, but also in financial services, telecoms and military defence systems. However, this latest event demonstrated our soft-belly and that the risks lie elsewhere, where nobody looked and/or made an effort to take relevant precautions.
Disruptive cyber attacks coming as they do at little or no risk of retaliationhave increased, and energy, infrastructure and utility companies are high value targets due to a number of factors:
The energy and utilities sector has already faced a wide variety of highly sophisticated cyber attacks, including Nightdragon, Stuxnet and Shamoon. In particular, oil and natural gas companies have been hit by a persistent targeted spear-phishing campaign, which lasted for many months.
Of specific interest to attackers are the industrial control systems (such as process control, automation or SCADA systems) that operate mission and safety critical infrastructures such as oil and gas drilling; production refining; electricity generation, transmission and distribution; and portable and waste-water networks.
The security risks will only increase as the sector deploys new and more powerful technology through initiatives such as smart grids and digital oilfields.
The security risks that emerge from a plethora of technological advances and information sharing will only increase, becoming more sophisticated and damaging over time.Of specific interest to attackers are the industrial control systems that operate mission and safety critical infrastructures such as oil and gas drilling; production refining; electricity generation, transmission and distribution; and portable and waste-water networks.
Many critical entities around the world have neither no serious plans nor adequate planning. Some threat vectors are easy to predict, such as a terrorist attack on the physical infrastructure. Natural disasters are less easy to predict but can be prepared for. However, the least predictable threats come from the virtual world. The famous Stuxnet worm has taught the IT world that even off-line systems have exploitable vulnerabilities.
Those carrying out cyber-attacks can be hostile governments, ideologically motivated individuals, those representing various corporate entities and “lone wolf” or small groups who prey upon vulnerable hardware and software, often so that they can blackmail the target entity. They represent an asymmetric warfare that targets governments, companies, military and citizens.
It’s not just the big enterprises and governments that need to worry; cyber criminals are constantly looking to exploit the weakest link in any industry and organization. They are very effective weapons for terrorists and hackers seeking to instill fear in general population, making them doubt their governments’ ability to govern.
The power blackout that brought the daily life to a virtual standstill for 55 million people in the United States and Canada on August 14, 2003, was the unintended result of strained power lines and power system weaknesses. A similar breakdown occurred in the Turkish power system in March 2015.
Yet these disruptions to infrastructure demonstrated the relative fragility of industrial bases of the US and Turkey and foreshadowed their susceptibility to harm, particularly from intentional actors. They represent an asymmetric warfare that targets governments, companies and citizens. They are also very effective weapons for terrorists seeking to instill fear in general population, making them doubt their governments’ ability to, well, govern.
The financial, operational and reputational costs of cyber-attacks continue to increase around the globe. Major attacks in Europe, the United States and Asia are adding tens of billions of Dollars in costs to international business as well as governments.
Even if control of the cyber world is unachievable, the threats it harbours can be mitigated and risks effectively managed. Countermeasures can significantly increase data security. Some of these include, but are not limited to, access control and authorization, awareness training, audit and accountability, risk and security assessment, penetration testing and vulnerability management.
The first step is to better understand the security risk, improve and maintain security, and respond quickly and effectively to incidents. It is our belief that cyber security requires the commitment and support of C-suite and government leaders, not only that of IT managers.
The cyber-attacks are only one side of the medallion. There is the business and government continuity and making sure that, in the face of ever evolving threats, “business as usual” can go on. In the end, it all comes down to human factor. Humans design the systems, humans seek the vulnerabilities, humans erect defences and humans betray the weaknesses.
We give our clients confidence that they are adequately protected against cyber threats by helping them to better understand the security risk, improve and maintain security, and respond quickly and effectively to incidents. It is our belief that cyber security requires the commitment and support of C-suite executives and government leaders – not only that of IT managers.
With those results in hand, we develop an effective and cost effective approach to the enhancement of the client’s daily operations. We don’t stop there. We work to develop long-term resiliency, enabling the client to recover operations quickly and at limited cost.
We provide expertise and services that fully support your cyber security programmes from any stage in their lifecycle:
Industrial control system security – Comprehensive cyber security services for process control and SCADA systems across the energy and utilities sector. This approach incorporates all our services listed above, is specifically designed for industrial control systems and delivered by a highly experienced team of control engineers and security specialists.
Security strategy, leadership and governance – Coaching and advising; ensuring you have a properly informed, risk and resilience-led security strategy with clear accountability and responsibility.
Risk management and assurance – Audits and assessments against all industry and regulatory standards – such as ISO27001 and PCI DSS. We support your compliance initiatives by identifying areas for improvement and helping you deliver your improvement plans.
Technical security services – Penetration testing; computer forensics; biometrics and identity management; e-Discovery; secure coding and infrastructure; and SCADA. We also offer practical support with implementing and testing security solutions to ensure confidence in your controls.
Security culture development services – Pragmatic and effective solutions to reduce the cyber risk created by the actions of your people; including social engineering vulnerability assessment, behavioural analysis and developing effective security cultures.
Cyber specialist education services – University accredited, hands-on technical training in the fields of information security, ethical hacking and computer forensics to give your people the deep technical knowledge and awareness they need to perform their role.