Protecting the UK’s physical systems, such as energy grids, telecoms and the NHS, was the hot topic of debate during a keynote panel at Infosecurity Europe 2018 in London.
Spencer Summons, group head of information risk & security at Tullow Oil, kicked off the conversation saying a culture change is needed to make sure cybersecurity becomes front of mind going forward, in an industry that is predominantly focused on physical security and human safety procedures.
“Safety is a huge thing in an offshore environment and I don’t think cyber is seen in the same way as safety – but it’s getting there,” explained Summons, who works for an oil exploration company with many employees working on offshore vessels.
He said the immediacy of a cyber threat is less obvious than the threat to human life on a vessel out at sea, so it is more difficult to get members of staff to adopt further cyber-safety procedures, such as increasing the length of their passwords.
“But we need to ensure we continue to have security and culture change programmes as part of any security piece,” he said. “Part of the solution is about [board level] buy in, but the conversation doesn’t stop there, we need the same conversations at a tactical and operation level – and we can all agree it’s the people on the ground that are in control.”
Summons said it is about introducing emotion into cyberattack prevention. “It has to be real for them, so we’ve been showing hacker demos and showing them what might happen if someone hacks into their machines.”
Peter Gibbons, chief security officer at Network Rail, agreed, he said his employees take “great pride” with the physical assets they are responsible for. “And if they see someone tampering with it they get really upset, but they think cyber is something different.”
Changing the narrative
Network Rail has already been working on communicating the importance of cybersecurity throughout the business. Back in 2012 at the time of the London Olympics, Gibbons said the organisation changed its narrative when it came to cyber-attacks.
“The Olympics was a public transport event, there was no driving to the venues, so if the train stops running and no one gets to see Usain Bolt win the 100 metres, we’d be in the spotlight,” he explained.
“So from a business perspective we changed the narrative from a technical problem to a business problem. The story around cyber is not about losing a server in a rack, it’s about how many people didn’t get to work.”
Balancing cost savings
A question from the audience asked the panel how they balanced the need to upgrade cybersecurity systems versus the business drivers of cost savings and operational efficiency.
Summons replied that it comes down to what businesses believe forms a risk perspective, especially when the company has a huge number of legacy systems.
“How do we address systems already in existence that are arguably working well? We might look at some simple, physical security systems, particularly when looking at a vessel.”
But Summons said it comes down to making sure there is a representative stakeholder group which meets regularly to identify and prioritise risks, ensuring cyber has a seat at the table.