In this era of digitalisation, everyday tasks are easier to complete and much can be done at the touch of a button. But as I complete my Master's degree in risk management at City, University of London, I have learned that any benefit comes with a cost: there is surely a price to this technological convenience. Today, we are more dependent on technology than ever: banking, social interactions, and even basic grocery shopping have all moved into cyberspace. In some cases this dependency is so acute that a single piece of malware, like WannaCry, is able to bring many parts of the NHS to a halt.
I have always been fascinated by this relationship between humans and technology, which led me to pursue a career in cybersecurity.
The first challenge I faced was where to start. Cybersecurity turned out to be vast and diverse, deeply rooted in nearly all other sciences. I reached out for advice to friends who work in this field, and to my university supervisor, who started his career in the defence sector and naturally ended up in cybersecurity. The advice I got was that because attacks are getting more costly and sophisticated, the traditional passive approach to securing systems is becoming less feasible in today's complex environments. These approaches are evolving into more active and intelligent defence models. Complex systems, like the human body, require an immune system to actively defend against threats and respond to anomalies. The analogy between humans and technology is even more apparent here, and with an undergraduate degree in artificial intelligence, I found myself at the crossroads between security and machine learning.
Despite my passion for cyber, entering the market was very challenging: the competition is tough, especially at entry level. At the time I was looking for topics for my Master's thesis, so I figured that coming up with an original idea, and finding a company to sponsor it, was my best bet.
In 2015 and 2016, two major cyber incidents took place in Ukraine; the energy grid was attacked by an unknown group. The attacks left tens of thousands of people in part of the capital and a surrounding area without electricity for hours. The incidents drew huge attention from the security community, given their magnitude, scale and impact. This was by no means the first major attack on a Critical National Infrastructure (CNI) operator; as a matter of fact, the NCSC suggests that CNI incidents are more common than are currently reported, or than have been detected. So, studying how cyberattacks on CNI can be better responded to is definitely a topic of interest to many industries and organisations.
My research will study established security frameworks, in order to formulate a risk-informed and holistic security approach that could better prevent a CNI attack. The Ukraine attacks, having received wide media coverage and technical analyses, were my starting point. To give the new approach some credibility, I needed to test it with industry experts who have experience in utility compliance regimes and are familiar with the attacks themselves. I reached out to my network again and was introduced to Secgate, which was very interested in the research and was willing to connect me to their professional network to explore my research idea.
Because I am taking the Ukraine attacks as a case study, I had to narrow my research down to CNI protection in the utilities sector. But when I started looking into the issues facing cybersecurity in CNI, I was faced with a wide spectrum of regulations, standards and frameworks. The vast majority are based on historical experience and good practice, not on lessons learned from major incidents. Because of this, they may not cover a wide range of scenarios: some devolve discretion to the entity and require guidance from the regulator on the level of conservatism to apply in their implementation, while others rest on contradictory instructions. As such, if there is a gap in the regulation, e.g. a particular aspect of security is missed, this will affect all parties in the same way and the systematic risk to the CNI in question will be high.
I needed to find a way to measure these gaps. A colleague at Secgate advised me to use a method called 'Cyber Maturity Assessment' or CMA. Luckily, Secgate have done CMAs in utilities and were able to guide me through the process and provide the resources I needed. The next challenge was how the attacks could be broken down into steps that can be systematically compared to the gaps in the CNI security frameworks I will be studying. This problem has been discussed in the security community: the solution was mapping the incident to the 'Cyber Kill Chain', a seven-step framework which identifies the steps the adversaries had to complete in order to successfully bring the energy grid down.
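An added worked example of the approach described above (editor's illustration, not the author's or Secgate's method): each framework is given a CMA-style maturity level per Cyber Kill Chain phase, the phases that every framework leaves weak are reported as systemic gaps, and the phases a hypothetical incident passed through are checked against those gaps. The framework names, scores, the 0-5 scale and the threshold of 3 are all assumptions.

```python
"""Kill-chain gap analysis (added example; not the author's or Secgate's method).

Each framework gets a maturity level per Cyber Kill Chain phase, as a Cyber
Maturity Assessment would; phases where every framework scores low are the
systemic gaps shared by all operators. All names and scores are constructed.
"""
from dataclasses import dataclass, field

# The seven phases of the Lockheed Martin Cyber Kill Chain, in order.
KILL_CHAIN = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
)
# Maturity levels run 0-5; treating anything below 3 as a gap is an assumption.
MATURITY_THRESHOLD = 3


@dataclass
class FrameworkAssessment:
    name: str
    maturity: dict = field(default_factory=dict)  # phase -> level; absent = 0

    def level(self, phase: str) -> int:
        return self.maturity.get(phase, 0)


def systemic_gaps(assessments, threshold=MATURITY_THRESHOLD):
    """Phases where no assessed framework reaches the threshold."""
    return [p for p in KILL_CHAIN
            if all(a.level(p) < threshold for a in assessments)]


def exposed_phases(completed, assessments, threshold=MATURITY_THRESHOLD):
    """Phases an incident passed through that also fall in a systemic gap."""
    gaps = set(systemic_gaps(assessments, threshold))
    return [p for p in KILL_CHAIN if p in completed and p in gaps]


# Constructed sample: two hypothetical frameworks; scores are illustrative only.
SAMPLE = [
    FrameworkAssessment("framework_A", {"delivery": 4, "exploitation": 3,
        "installation": 4, "command_and_control": 2, "actions_on_objectives": 4}),
    FrameworkAssessment("framework_B", {"reconnaissance": 1, "delivery": 3,
        "exploitation": 4, "installation": 3, "command_and_control": 2,
        "actions_on_objectives": 3}),
]

if __name__ == "__main__":  # a hypothetical incident that completed every phase
    print("systemic gaps:", systemic_gaps(SAMPLE))
    print("incident phases in a gap:", exposed_phases(set(KILL_CHAIN), SAMPLE))
```

Raising the threshold or adding a real assessment's scores in place of the constructed ones shows how the list of shared gaps moves; the phases that remain on it under every framework are the ones the article's comparison is looking for.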
There is a good reason why I have chosen to do my research at an office desk, not at a university desk. Being able to do it in a creative start-up environment, with the chance to reach out directly to professionals, will offer me the opportunity to answer some fundamental questions: Is the UK's infrastructure as vulnerable as Ukraine's? Would we suffer the same consequences? Is the industry prepared for it?
I will share my findings with the readers of Cyber World in a series of articles, commencing with a review of gaps in different approaches to compliance for CNI security in the next edition, and a final paper that will compare these gaps to the Ukraine case study and draw some conclusions pertaining to the effectiveness of CNI security standardisation within modern economies.