CyberOwl has engaged with over 50 shipping owners, operators and equipment manufacturers in the last 12 months. More is being done on vessel cyber-physical security than is publicly evident. While different strategies and priorities are being applied, there are some clear common challenges. Some strategies are already delivering early successes, but has the maritime sector learnt the lessons from peers in more cyber-mature sectors?
The water sector often has the luxury of being a less visible target for cyber attacks than other critical national infrastructure (CNI). The sector has not faced a high-profile cyber attack in recent years, and as one CISO put it to us “after all, water doesn’t blow up”. But those responsible for building resilience in our drinking water supply are facing new threats and changing regulation from the sector’s 15 different regulatory bodies. High (if slightly vague) expectations on resilience and innovation were set within Price Review 2019 (PR19), with individual Asset Management Plans for 2020-2025 (AMP7) reflecting the increasing importance of cybersecurity at board level.
It is a challenging time to be a CISO at a European utilities or transport provider. Ciaran Martin, CEO of the NCSC, has openly declared he is in little doubt the UK will experience a Category 1 attack in the near future: one that causes sustained disruption to essential services and could lead to loss of life. State-sponsored attacks on public services are becoming more evident, cyber-physical risk on industrial control systems is increasingly in the spotlight, and boards are starting to ask difficult questions about cyber defences and investments. And then there is the Network and Information Systems Directive (NIS Directive).
Don’t expect leadership to engage if you don’t make it easy to understand the risk
Cyber resilience as a concept is over half a decade old. Yet, beyond the banking sector, critical national infrastructure organisations have been slow to embrace it. Security, framed as either secure or not, is binary and difficult to measure. The language of cyber resilience, on the other hand, lets boards engage with cyber risk in terms they can act on. It’s time to stop aiming for total security and start aiming for resilience. It doesn’t need to be a huge, paralysing programme. Start simple: baseline your cyber resilience, get your board’s buy-in, then work systematically towards improving it over time, based on your risk appetite and the budget you can unlock.
Don’t take it personally. Cybercrime is just business. The “entrepreneur” may be after money, glory, attention or some other objective, but in the end competition and economics prevail. Is it easier to break into your home or your neighbour’s to achieve their objective? What is the easiest way in?
If your conclusion is to throw a tonne of resources at building an impenetrable fortress, then you may have missed the point. Walls can be scaled. If you reinforce your windows, that will simply incentivise your attackers to try the hatch in the roof. Where does the spending end?
A more sensible strategy is to make calculated, adaptive, timely choices. The risk of cyber attacks is just that: a risk. And like any business risk, the right response is to manage it with a proportionate amount of resources. Total prevention is ideal, but often cannot be justified economically. Mitigation, on the other hand, costs significantly less than recovery, and early intervention minimises the impact of cyber attacks. Your attackers have broken through your roof hatch and are fumbling in the attic. Nothing has been stolen. Now pack up the valuables and calmly leave the building.