Cyber security in an age of state-sponsored cyber attackers
Businesses and cities share a very real threat in today’s increasingly complex world, faced as they are with the ever-present possibility of a cyber attack, including state-sponsored cyber attackers. Here the current key considerations for cyber security are highlighted.
A cyber attack can come at anytime, and without warning – many of them devised by more and more sophisticated hackers, with an ever-expanding arsenal of tools at their disposal.
Profile of a cyber attacker
The profile of an attacker has evolved from the lone actor to highly organised groups often funded by nation states. These state-sponsored cyber attackers are no longer simply targeting your installations or private data – they’re engaging in cyber espionage and IP theft, looking for an entry point into critical infrastructure, or building management systems.
Such attacks have already been shown to cause devastating levels of damage on an increasing scale – in some cases putting companies out of business, shutting down entire power grids across cities, and crippling essential services, leaving lives at risk.
A cyber attacker needs only a single entry point to gain access to a target’s network and critical infrastructure. Physical security systems are increasingly being used as that entry point, with this issue emerging as the most significant evolving risk in the sector.
NCSC warning: UK faces a full category 1 cyber attack
The extent of the nation’s cyber security risk was recently revealed by the UK’s top cyber-defence centre. In its latest Annual Review, the National Cyber Security Centre (NCSC) revealed that the organisation has been defeating an average of 10 attackers per week – most of those attacks executed by state-sponsored cyber attackers employed by hostile nations.
In the same report, the head of the NCSC, Ciaran Martin, warned UK businesses that it’s just a question of time before the UK gets hit with a widespread cyber attack, stating, “I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack.”
A Category 1 attack is defined by the NCSC as a cyber attack that causes “sustained disruption” of essential services or affects national security, leading to severe economic or social consequences, or even to loss of life.
Combatting the threat
The only way to combat this looming threat is to be aware of the risk and bolster existing security systems. Just as you might prepare for the possibility in your area of a natural disaster, such as an earthquake, you must take the correct preventative measures to brace for a cyber attack knowing that although you may not get hit for many years, there’s also the possibility that it could happen tomorrow.
Interconnectivity of operations increases risk
In today’s world, it seems that everything is increasingly connected – from your phone, to your car, to your toaster, to your surveillance system. With technological advances, businesses and cities have come to rely upon this inter-connectivity for running operations smoothly, allowing for greater convenience and better collaboration.
Yet for all of the practicality presented by the world of IoT, this intertwined approach is also the very thing that can leave your most critical infrastructure vulnerable to an attack – after all, your physical system is only as secure as its weakest point, or the least trusted device connected to it.
In spite of this known risk, the interconnectivity of business operations can’t be easily escaped. An offline strategy is no longer a viable strategy – the base of software and hardware updates alone is so fast that if you keep your system in a closet, you’ll miss out not only on functionalities that keep your system at optimal performance and resilience, but also on critical updates that keep your deployments safe.
Even if you could operate offline, there’s still always the risk of a breach being brought in from a third party. All it takes is a USB stick, or unauthorised access to another local device.
Cyber security starts with trust
The best way to combat a cyber attack is to seal off any and all entry points to a potential infiltrator, such as a state-sponsored cyber attacker. This process starts with building trust.
You need to first be able to trust all the people you work with, starting with your employees. Many businesses have been exposed to a malware attack or data breach that began internally – for example, a loyal employee plugging in a personal device at work, such as a phone, not realising it’s already been hacked.
Many such breaches can be prevented with the simple introduction of generalised employee training, designed with cyber security in mind.
Thorough vetting of your supply chain
It is equally important that you trust those working with you on your supply chain – your vendors, manufacturers, and those deploying your systems.
You must be sure to select vendors and integrators that build their own businesses on a foundation of cyber security best practices. This starts by asking some key questions before engaging in a partnership:
Is the vendor being transparent about cyber vulnerabilities? Do they have a strategy in place to close up security gaps? Do they place a priority on security when developing their own products? Will they take responsibility if your devices get hacked? And finally, who owns the company building the hardware and software?
This final question is particularly critical in light of the latest report from the NCSC’s findings on the level of threat from hostile nations. Choosing the wrong foreign government-owned vendor could leave you vulnerable to “back-door” entry points, allowing a vendor to tap into your devices any time they wish to. In this way, they have the potential to execute denial of service to a third party, or to use their IP cameras to tap into your private network.
With all of this in mind, it is clearly important to take the time to select partners who can show that they have your best interest at heart. The right vendors should rate cyber security as a top priority, over product prices and features. They should also be able to provide the right answers to all of the above questions.
Laurent Villeneuve, Product Marketing Manager. Genetec Inc. www.genetec.com