Cybersecurity

Turkey’s recent power blackout in April 2015, whatever the real reasons are, has been a powerful reminder of how vulnerable we are to a potentially massive, unexpected infrastructure collapse. It should be viewed as a wake-up call to prompt our government, military and businesses to have a hard look at how we should prepare ourselvesto counter this 21st century, asymmetrical threat to our economy, business, society and national security.

If the power out(r)age in Turkey was indeed a technical glitch, then there is no doubt that the existing systems should be made more reliable and those in charge of the systems better trained and equipped. If it was a result of a deliberate action by a malicious party, then, again, the systems should be made more reliable and less prone/vulnerable to attacks, cyber- or otherwise.Hence, a vigorous effort is needed – drastically different than our traditional defence against any known security threat to date.

It is inconceivable to presume that the authorities did not take countermeasures to ensure the reliability of critical infrastructure. They have no doubt assessed the risks and possible threats that could compromise the system –not only in energy, which is the backbone of our lives, but also in financial services, telecoms and military defence systems. However, this latest event demonstrated our soft-belly and that the risks lie elsewhere, where nobody looked and/or made an effort to take relevant precautions.

Disruptive cyber attacks coming as they do at little or no risk of retaliationhave increased, and energy, infrastructure and utility companies are high value targets due to a number of factors:

• the valuable oil and gas exploration information they hold,
• the critical infrastructures they support,
• utilities’ customer information and financial processing systems,
• a highly competitive industry which places a premium on competitor intelligence,
• controversial operations, which could attract ‘hacktivists’.

The energy and utilities sector has already faced a wide variety of highly sophisticated cyber attacks, including Nightdragon, Stuxnet and Shamoon. In particular, oil and natural gas companies have been hit by a persistent targeted spear-phishing campaign, which lasted for many months.

Of specific interest to attackers are the industrial control systems (such as process control, automation or SCADA systems) that operate mission and safety critical infrastructures such as oil and gas drilling; production refining; electricity generation, transmission and distribution; and portable and waste-water networks.

The security risks will only increase as the sector deploys new and more powerful technology through initiatives such as smart grids and digital oilfields.

The security risks that emerge from a plethora of technological advances and information sharing will only increase, becoming more sophisticated and damaging over time.Of specific interest to attackers are the industrial control systems that operate mission and safety critical infrastructures such as oil and gas drilling; production refining; electricity generation, transmission and distribution; and portable and waste-water networks.

Many critical entities around the world have neither no serious plans nor adequate planning. Some threat vectors are easy to predict, such as a terrorist attack on the physical infrastructure. Natural disasters are less easy to predict but can be prepared for. However, the least predictable threats come from the virtual world. The famous Stuxnet worm has taught the IT world that even off-line systems have exploitable vulnerabilities.

Those carrying out cyber-attacks can be hostile governments, ideologically motivated individuals, those representing various corporate entities and “lone wolf” or small groups who prey upon vulnerable hardware and software, often so that they can blackmail the target entity. They represent an asymmetric warfare that targets governments, companies, military and citizens.

It’s not just the big enterprises and governments that need to worry; cyber criminals are constantly looking to exploit the weakest link in any industry and organization. They are very effective weapons for terrorists and hackers seeking to instill fear in general population, making them doubt their governments’ ability to govern.

The power blackout that brought the daily life to a virtual standstill for 55 million people in the United States and Canada on August 14, 2003, was the unintended result of strained power lines and power system weaknesses. A similar breakdown occurred in the Turkish power system in March 2015.

Yet these disruptions to infrastructure demonstrated the relative fragility of industrial bases of the US and Turkey and foreshadowed their susceptibility to harm, particularly from intentional actors. They represent an asymmetric warfare that targets governments, companies and citizens. They are also very effective weapons for terrorists seeking to instill fear in general population, making them doubt their governments’ ability to, well, govern.

The financial, operational and reputational costs of cyber-attacks continue to increase around the globe. Major attacks in Europe, the United States and Asia are adding tens of billions of Dollars in costs to international business as well as governments.

• The intentional and unauthorized release of classified U.S. documents through WikiLeaks demonstrates that the cyber threat is real, present, and serious.
• Saudi Aramco was victimized by a major cyber-attack in 2012 when 10,000 hard drives were destroyed by an insider, working for a government or business rival, resulting in massive loss of data.
• Sony Corporation was victimized by a North Korean cyber-attack in late 2014
• Bank of America customers in 2013 could not access their ATM accounts because of a cyber-attack. New York Bank regulators have warned of the possibility of “cyber Armageddon.”
• Consumer companies Target and Home Depot have been victims of cyber-attacks that have left tens of millions of customers with their personal data compromised.
• The White House, CIA, Department of Defense and State Department have been attacked by hackers.
• Companies in Turkey and Israel are among the most targeted in the world but major attacks occur routinely against European and Asian targets.

Even if control of the cyber world is unachievable, the threats it harbours can be mitigated and risks effectively managed. Countermeasures can significantly increase data security. Some of these include, but are not limited to, access control and authorization, awareness training, audit and accountability, risk and security assessment, penetration testing and vulnerability management.

The first step is to better understand the security risk, improve and maintain security, and respond quickly and effectively to incidents. It is our belief that cyber security requires the commitment and support of C-suite and government leaders, not only that of IT managers.

The cyber-attacks are only one side of the medallion. There is the business and government continuity and making sure that, in the face of ever evolving threats, “business as usual” can go on. In the end, it all comes down to human factor. Humans design the systems, humans seek the vulnerabilities, humans erect defences and humans betray the weaknesses.

We give our clients confidence that they are adequately protected against cyber threats by helping them to better understand the security risk, improve and maintain security, and respond quickly and effectively to incidents. It is our belief that cyber security requires the commitment and support of C-suite executives and government leaders – not only that of IT managers.

With those results in hand, we develop an effective and cost effective approach to the enhancement of the client’s daily operations. We don’t stop there. We work to develop long-term resiliency, enabling the client to recover operations quickly and at limited cost.

We provide expertise and services that fully support your cyber security programmes from any stage in their lifecycle:

Industrial control system security – Comprehensive cyber security services for process control and SCADA systems across the energy and utilities sector. This approach incorporates all our services listed above, is specifically designed for industrial control systems and delivered by a highly experienced team of control engineers and security specialists.

Security strategy, leadership and governance – Coaching and advising; ensuring you have a properly informed, risk and resilience-led security strategy with clear accountability and responsibility.

Risk management and assurance – Audits and assessments against all industry and regulatory standards – such as ISO27001 and PCI DSS. We support your compliance initiatives by identifying areas for improvement and helping you deliver your improvement plans.

Technical security services – Penetration testing; computer forensics; biometrics and identity management; e-Discovery; secure coding and infrastructure; and SCADA. We also offer practical support with implementing and testing security solutions to ensure confidence in your controls.
Security culture development services – Pragmatic and effective solutions to reduce the cyber risk created by the actions of your people; including social engineering vulnerability assessment, behavioural analysis and developing effective security cultures.

Cyber specialist education services – University accredited, hands-on technical training in the fields of information security, ethical hacking and computer forensics to give your people the deep technical knowledge and awareness they need to perform their role.

1. We have deepexperience….all team members have at least 25 years experience in various security issues.
2. We have diverse experience….the team members have backgrounds ranging from the highly technical, for example, a PH.D. in electrical engineering—to the highest policy level security experts from the USG.
3. We work with IT experts at corporations but also work with C-suite level officers, working to change, when needed, corporate culture.  This reflects our commitment to long-term solutions.
4. We work comprehensively….we begin with an audit that identifies good as well as poor IT practices.  We don’t seek to fix what isn’t broken.
5. We offer comprehensive solutions….we employ our skill sets to address not only hardware and software problems but we go further.  As the Snowden case illustrates, insider threats can be lethal.  We use our knowledge and approaches learned at the CIA and in protecting US nuclear assets at the Department of Energy to identify those who may pose an insider threat to corporate secrets and data.
6. We work with the client at his site for most of the above but offer to return in 6-12 month intervals to review and update procedures that have been put in place.  We seek to build relationships, and do not take a “one and done” approach.
7. We do NOT believe there is one “fix” to the problems of cyber hacking.  Rather, we build capacity but also help corporations plan for resilience in the event of a cyber attack.