Ronald Heil, Partner

Though cyber security experts have long warned of the threats to nations’ critical infrastructure, recent incidents are now opening the eyes of business and political leaders to the ecosystem risks of the world’s connected utility networks, power grids and other essential services.

Plugging these security gaps will require collaborative strategies — both ‘inside’ and ‘beyond the box’ — among business, governments and the tech sector, to try to remedy ecosystem weaknesses that could cause massive disruption, financial damage or loss of life.

Overlooked ecosystem risks

While industry and governments have invested heavily in cyber security — building cyber ‘walls’ around internal company networks and legislating national security guidelines for domestic industries — less attention is paid to the risks posed ‘outside the box’, by the growing web of interconnected infrastructure.

Recent headlines are jarring, including images of shuttered gas stations and grounded airliners after a ransomware attack on a major U.S. pipeline company. Similarly, news bulletins described how patient treatments were suspended in Irish hospitals after a crippling hack on the national health system.  Suddenly, it’s clear how a single attack on a seemingly isolated computer system can spill across an entire supply chain or disrupt vital public services.

For business or political leaders who are now asking, ‘How could this happen?’, part of the answer lies in the adoption of IT functionality across industry’s operational environments. Many infrastructure operators have embraced IT innovation to better manage their operations and reduce costs, including remote operating capability so a company production asset can be managed from a central location or even remotely (anywhere, anytime).

Such innovation can bring significant benefits; however, it has often challenged Operations Technology teams, who were focused on physical protection of assets, rather than emerging, external cyber risks.  Although many business systems are vigilantly guarded against cyber threats, operational systems haven’t always enjoyed the same security scrutiny. And, with the rise of interconnectivity between a company, its customers, suppliers, and even government partners, cyber threats can arrive from many sources — and spark unexpected consequences, near and far.

More effort, inside the box:

Despite efforts by leading companies to protect their systems, there is still much work to be done by many organizations. In my view, many high-profile ransomware attacks could have been avoided or at least reduced. And, many companies are still not meeting a minimum level of cyber security to fend off such attacks.

Segmentation of a company’s distributed network would reduce the risks, since firewall separations between key areas would make it easy to shut down and isolate a cyber hack. We must also ask whether companies are investing enough to keep their operational environments up to date and address the costs of replacing legacy systems; whether the avoidance of scheduled maintenance shutdowns that could impact production has led to issues; or if companies should do more to ‘push’ their technology vendors to deliver adequate updates to aging industrial systems. Whatever the answer is to these questions, it seems that many operational systems languish with outdated functionality and lack much-needed security upgrades.

Also, an enduring ‘people culture’ within many organizations can stall their cyber security efforts. While operations teams may lack cyber-savvy, the issue may originate at the supervisory and executive board level, where leaders are not familiar with their own operational assets and do not understand their ecosystem dependencies. This culture may extend to front-line employees who aren’t adequately trained on basic “Don’t click the link” cyber-safe practices, nor are they encouraged to report operational issues or glitches that create vulnerabilities to future cyber-attacks.

More effort, beyond the box:

Beyond better internal awareness and controls, there’s a need for greater beyond-the-box planning to address ecosystem weakness.  While national or regional governments might logically provide this oversight and coordination of cyber security strategies for critical industries, not many governments have embraced the task.

Exceptions include the UK’s Government Communications Headquarters (GCHQ), which promotes cyber vigilance in industry, the U.S. Department of Homeland Security and other agencies that drive industry standards, and Singapore’s efforts to apply stringent cyber security regulations. However, most countries are yet to implement similar regulatory frameworks.

Cooperation is also limited at the trans-national level, due to lack of political consensus or the slow pace of legislative change. For example, although the European Union is in the midst of updating its Network and Information Systems Directive (NIS), it could take years for the NIS 2 guidelines to be implemented within member nations. Currently, even basic, cross-border sharing of intelligence, to alert national agencies of emerging cyber threats, is in its infancy.

In light of these realities, the critical role of ecosystem protection may hinge on industry collaboration, with leadership provided by the largest infrastructure and tech firms who can bring their counterparts to the table to iron out common principles and practices. Such industry-wide consensus could ultimately spur on corresponding regulatory activity. For example, this variety of ‘industry-made’ solutions has already taken place in the banking sector, where Europe’s largest banks worked together nationally and internationally to draft cyber security standards and threat intelligence information sharing.

This industry-driven approach could produce better, ‘out-of-the-box’ strategies, based on real-world field experience from operators who already practice meticulous risk mitigation of their internal, physical assets. Today, most companies can quickly shut down (part of) their own operating environments if a problem occurs, and revert to alternative processes. This ‘can do’ mindset must be extended to the ecosystem level, so that risks relating to an industry’s labyrinth of dependencies are identified, work-around solutions are developed, and back-up plans are tested and practiced jointly by companies, industries, tech and regulators.

While it will take time and commitment for the numerous stakeholders to develop effective ‘out-of-the-box’ approaches to manage the risks embedded in their ecosystems, it’s encouraging to see that industry participants are now taking preliminary steps.

Like any major challenge, it must begin with ‘awareness,’ and recent, headline cyber-attacks are prompting CEOs and Heads of State to ask, ‘What assets do we have?’ ‘What is our level of Operational Technology maturity?’ and ‘How could the ecosystem impact our ability to operate?’ The next step is industry, government and technology collaboration, to think outside the box and protect the critical infrastructure upon which we all depend.