Cybersecurity for CEOs — or why Culture, DevOps and Agile Teams may be the determining factor tackling Cyber Risks.

Rama Marcus
6 min read · Feb 20, 2020

Chapter I: Assume Breach.

This is the first “chapter” of a series of three blog posts, all relating to the matter of cyber threats, risks and security. Why not everything at once (I could, since I finished the entire set)? Well, because I know that most of us (incl. me) have developed some sort of information-ADHD. Probably due to free newspapers that are digestible within 20 minutes, Tinder, Twitter and — well, I think you get the picture.

I am talking to you!

Before you chicken out: In the near future (Gartner says something around 2025) every relevant business will (also) be a digital business. So, yes cybersecurity should be relevant to you. But before sliding down that rabbit hole, let’s start from the beginning: after being involved in the cyber program of my organization for the past few months and two recent days in a large conference room filled with old white men — at the 5th Rail Cybersecurity Summit Senate 2020 in London — I would like to share my insights, which are meant for anyone in any industry, but especially for (chief) executives of asset heavy industries operating critical infrastructure with long (really long) life-cycles, such as the railway industry. Oh yes, and there were some non-white, non-male and not that old participants; if that’s of any relevance.

Disclaimer.

First things first: I am not a hardcore cyber security expert. I would not even consider myself to be a true railway expert (in my organization you need to have been part of the game at least since World War II to call yourself a subject matter expert). I am writing this article from the perspective of a (somewhat concerned) user, aka a customer (remember, that’s the fuzzy odd mass that pays your salaries and funky expenses), and someone who understands business models, technology, organizational (and human) behavior and culture.

A short Tech Intro.

Until today we differentiate between OT and IT environments. OT stands for Operational Technology and basically means all physical technology such as signalling, telecommunications networks, technology on rolling stock etc. (these, by the way, often run on Windows or Linux systems). IT then is classical business applications, desktop applications and physical workplace objects such as desktop PCs, notebooks or mobile phones. Since the epic 1992 movie Sneakers, IT at least has some understanding that cybersecurity is something that should be taken seriously. OT still often feels it is in a special snowflake situation, where the rules of the cyber realm don’t apply and everything is a bit different. I am sorry, but I must disappoint you: you are not as special as you think. Luckily, acceptance of the fact that IT and OT need to grow together, ideally under a joint Security Operations Center (SOC), is growing across industries, also in the railway sector. Slowly.

The Dark Side knows.

The Jedi Masters thought it better to make the knowledge of the dark side inaccessible to their Padawans. They ignored the fact that the Sith possessed this knowledge and capitalized on this mystification, which created an even greater pull to the dark side for those weak in character. Since you’re vaguely interested in IT/tech/cyber, you got the reference. If not: watch Star Wars. So, how does this translate? Well, there is a false assumption at play that the current exposure of critical (railway) infrastructure and data to cyber (and physical) threats remains unknown to possible and probable perpetrators. This false belief underestimates the fact that potential intruders do their homework more thoroughly and with more motivation than the industry players do. Hence, whatever is “exposed” may be new to the industry and the public, but must be assumed to be already known to “the dark side”.

A New Hope.

So how can we fix this? We can start by accepting the reality that we will always be vulnerable and that we do not possess all the right minds and tools to expose these vulnerabilities. IT has, for example, started paying “bug bounties” to any white-hat hacker who finds a way into the systems. On the OT side we still largely live in the dark ages of legally persecuting anyone who addresses any vulnerability. This culture, which seems to be an unholy alliance of hubris and fear, needs to make way for a collaborative, open way of partnership, especially between operators and vendors.

Everything is connected.

We have fleets across industries (trains, buses, (star-)ships, cars and planes) that are technologically outdated and will never be inherently updated against cyber threats. By the way, this does not mean that there are no cyber threats to those “old” assets: e.g. since 1986, when Bosch released its CAN bus into operations, cars have been equipped with “computers”. So, age won’t secure your infrastructure. This points to a further issue: the lifecycle and requirements duration of heavy assets (with extreme longevity) stand toe-to-toe with cyber threats that are highly volatile. This is a reality that we cannot flee from: we own and operate legacy systems, virtual and physical, which are also accessible to intruders, so we should learn to “own” this! Hence, we need to mitigate the implied risks. Even more so when looking at what has been put into operation more recently: everything (brakes, train control, doors, cooling, heating, lights, passenger information, cameras etc.) is IP-based, meaning that everything is connected (often also to the internet), thus creating potentially unwanted ways in.

There is Always a weak Link

The weakest link or way in will always be exposed and exploited as the point of entry (into any given network, component or object). If it is not the onboard Wi-Fi, it’s a network switch or the coach-to-coach Wi-Fi or the GSM-R network, or a third-party network; and if technically everything looks perfect, we still have the human as the weakest link. And no, 4G and 5G will not have an impact on security on trains or infrastructure; they will only affect the speed of the (data) traffic. So: assume breach. The question is not whether your critical infrastructure has been hacked; the question is only whether you know (yet, ever). It goes without saying, but this is true for any industry and for both IT and OT.

Low Readiness vs. High Impact

Looking at the entire industry, the overall OT-cyber readiness in coping with and responding to threats is low. Today most parties — if at all — cope with the issue on a simulation level. There are few real technological or cultural measures in place today to prevent, detect, defend and train (in terms of constantly making the system and organization more resilient). However, the first companies (primarily startups, such as the Israeli Cervello, Cylus or Waterfall) are launching prototypes and products that promise to prove valuable to the railway industry, especially in protecting the signalling network. And then there’s the matter of the actual trains: Sash Rigby, the technical director of Modux, showed us how he was able to hack not only one train, but via this train a multitude of unrelated trains around the world which had no connection or collaboration whatsoever and belonged to different operators, and he did this within 10 hours. Their initial ambition was to screw with onboard CCTV, the doors and passenger information. They quickly realized that no computer is necessary to do all this. They also realized that the damage they could really do with computers (aka hacking) was significantly more impactful to railway availability, operations, reputation and passenger safety than the operators had anticipated.

In Chapter II, “On the matter of Culture”, I will show you what game the industry is playing today. I will also elaborate on why the cultural aspects of an organization may be key to winning this game, and how a new cultural understanding and business practice in cybersecurity must arise.

Rama Marcus

Swiss Technology, Innovation and (sometimes) People Enthusiast. Setup shop for the Swiss Federal Railways in Tel Aviv. Father. Dog Owner. Early Riser.