"their legacy systems increasingly interface with and are exposed to the internet."
Simple solution: don't.
Plans to fine Britain's national utilities and infrastructure providers £17m for shoddy cyber security will be at the forefront of industry's mind once everyone "gets over" GDPR, peers heard at a House of Lords committee. Speaking on a panel on cyber security for critical national infrastructure (CNI) yesterday, Elliot Rose, …
Simple solution: don't.
Exactly!
Back in the days before the internet was a thing, companies used to use "private circuits" for remote management of utilities infrastructure. Essentially they were a routed, unswitched physical connection from one premises to another. Brand names for the services included Kilostream and Megastream.
Unfortunately, when broadband became ubiquitous, most companies identified a cost saving by switching to Internet-based connectivity, but didn't factor in the security implications.
Maybe, instead of waving around pointless fines, the government should make it a mandatory requirement of operating, set in law, that utilities and power companies must use private circuits for their infrastructure.
@Alister "Brand names for the services included Kilostream and Megastream.". Now that does take me back to my Saturday Job days in the mid 1990s at a local public transport concern. Our divisional office was blessed with a kilostream link to head office in the next town - giving us two internal lines to direct dial HO (I suppose this was before DDI became a thing). Harsh punishment was dished out to those who used PSTN for head office calls instead of the Kilostream lines.
"...utilities and power companies must use private circuits for their infrastructure." A cursory search shows BT still provide Kilostream, but only until 31 March 2020, which may hamper your proposal for mandatory private circuits (note I don't disagree with this)? The alternative is Wholesale Ethernet.
Back in the days before the internet was a thing, companies used to use "private circuits" for remote management of utilities infrastructure.
There are still many companies here in the States using "private circuits" just for the security reason alone. That's just one more (or many more) doors that are closed and locked to intruders. The IT security staff are better able to focus on the customer "access" instead of being spread over more infrastructure. Seems that the "private circuit" is actually cheaper than having the costs associated with using the internet. I don't see why the power and utilities can't do the same things.
By "private circuits", they're leasing just a line with a connection at each end and no "public" access to that line. Seems to be working from what I see.
"Maybe, instead of waving around pointless fines, the government should make it a mandatory requirement of operating, set in law, that utilities and power companies must use private circuits for their infrastructure."
If your mandatory requirement was flouted what would you do? Impose fines of course. Which is just what this regulation does. The only difference is that it says what's to be done rather than how to do it.
If your mandatory requirement was flouted what would you do? Impose fines of course.
Well actually I was thinking more along the lines of removing the company's right to operate. That might make the shareholders sit up and take notice.
The problem at the moment is that the fines are imposed on the imprecise notion of "cyber-security" which is always open to interpretation. If there was a clearly defined mandatory requirement which stated that there should be NO Internet connectivity to any CNI and any breach would lead to an immediate loss of operating rights, then the issue is clear cut.
"If you've got a margin of £1m, that security investment is significantly more expensive."
If you can't afford to run your business securely then you can't afford to run your business and should sell up.
If you choose to increase shareholder dividends (and director bonuses) by skimping on security you deserve to be fined, both the company and the directors.
A few million is nothing if you have a margin of billions. It's more expensive to you if you have a margin of millions.
The sterling figure is the same, the affordability is different.
I'm not defending them, I'm pointing out the bleeding obvious.
Severn Trent's results for 2017.
"The FTSE 100 water group, which serves 4.4m customers in the Midlands and mid-Wales,......after pre-tax profits boomed to £543.7m in the year to March 31, compared to £504.4m the year before."
https://www.telegraph.co.uk/business/2017/05/23/severn-trent-raises-dividend-jump-profits/
And they can't afford a security expert?
How much is this year's backhander costing?
...as most of the infrastructure services are, there's a simple answer.
Raise prices.
Even if it's a private company, fines benefit no victim, and they just help the Government, who are the ones who get paid. And they don't harm the companies. Fines for Civil Service departments are particularly pointless, but even a fine for a competitive private company removes some element of competition from the marketplace. The only loser is the consumer...
If it were up to me, I would stop fining public bodies, who just pay in taxpayers own money, and start fining the managers personally. Or, better still, jail them....
There's a story today that security software is one of North Korea's successful exports. The country has been selling a range of security products under bland names and fake front companies to countries all around the world, including the US and Europe:
https://www.nonproliferation.org/wp-content/uploads/2018/05/op36-the-shadow-sector.pdf
Rose added that a lot of these organisations - including water, electric and telecoms organisations - are facing challenges, as their legacy systems increasingly interface with and are exposed to the internet
There should be no legacy systems anywhere near the internet, that's just standard best practice.
There should be no legacy systems anywhere near the internet, that's just standard best practice.
"Legacy" is a word invented by salesmen who want to sell you some expensive new bit of crap. "Older than something I'm selling" is not a justification on its own for replacing something.
Note that HMG doesn't mind all UK water companies being foreign owned, or that some of them are owned by government operated foreign utilities.
Just as long as they aren't on the hook for any EU water quality directives caused by decades of (government) under funding.
Note that dividends over security or dividends over asset security is a Board choice.
You want to use the internet instead of private leased lines? This is the price you pay.
Historically only BT offered leased lines (IIRC) but maybe now it's something other providers might y'know provide? "Thames water telemetry. Brought to you by Sky" ?
...when they say "Because of difference in margins, in my experience it is more difficult for a water company, say, to hire a top cyber security team than it is for a bank. There is that industry challenge."
It's also because some companies like to cut costs out of greed. And they see IT as a blocker, so outsource it instead. Then pick the cheapest option.
By focusing on skills from computer science and STEM, the government and industry are narrowing their pool for general diversity.
So they want the bizarrely specific "cyber security geek" (best brown, female, LBQT) but think such people can be had from the near infinite pool of literary types, sportsy jokers and rappers?
Hark, is that the sound of another of the country's essential systems expensively trying to reinvent a wheel that other people already invented over a thousand times before?
If tests prove they can't do it, and they don't have the resources/expertise to do it, and tasering them is (fun, but) a total waste of everyone's time, but you *need* it to be done right, then TAKE IT OFF THEM and have them rent it back, from people whose job it is to ensure the country's infrastructure isn't embarrassingly insecure shit.
How many times do people need to reinvent an SSL armoured REST API, with a test suite, staging area, and monitoring? It's not like the Internet Protocol is different for a sewage worker and a financial trader.
Starting with the Peer who inserted the relevant clauses-for-cash in the necessary Bill.
This is not an EU requirement.
It is driven by Tony Blair wanting to stuff up Gordon Brown.
Nothing else.
"The initiative to introduce coding into primary schools, which we welcomed in principle, may have fallen into some difficulties in practice," he said. "For one, it is not obvious that the initiative has included cyber security in its curriculum. Secondly, I'm not sure it's inspiring people into the profession."
MacWillson noted that currently just 7 per cent of cyber security staffers are women, making up just 4 per cent of his own institute's ranks.
And 40% of all human effort and monies devoted to getting kiddies --- or anyone else --- to code, or do anything in the world, will be committed to achieving an equality of sex and ethnicity amongst those who finish.
For we are, above all, a moral people.
"a lot of these organisations .. are facing challenges, as their legacy systems increasingly interface with and are exposed to the internet."
The solution being to build a distributed VPN network running on embedded hardware, providing end-to-end encryption and authentication. The Raspberry Pi could do the job.
Was going to post much the same.
Upstream was the proposal to mandate private networks.
Everything these days is "virtual", so a Virtual Private Network should meet the security requirements; that is, transported over a common carrier (the Internet) without any access to the Internet. I am not surprised that Kilostream is being phased out. There is an overhead in maintaining dedicated physical circuits plus a lack of resilience to physical damage. You need discrete physical routes all the way for your minimum two circuits, instead of doubled-up connections to your nearest two network nodes. You need to manage the whole network, not just the end points. You are limited to one supplier.
As far as I can tell the main problem is people wanting to have access to and from the network to the Internet. Just say no!
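The "VPN over a common carrier, but no access to the Internet" design in the comment above (and the embedded-VPN proposal a few comments up) is only as good as the check that nothing on the telemetry side ever talks to anything other than private address space or the tunnel itself. The following is an added example, not code from any commenter or from the article: a small audit of flow records that flags exactly those exceptions. The telemetry subnet, the site router's public address, the concentrator addresses and the log lines are all constructed for the example (the public addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), and the record format is a hypothetical one rather than any particular exporter's.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy for the example. 10.20.0.0/16 is a hypothetical telemetry
# LAN; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real
# operators' addresses.
OT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
PRIVATE_SPACE = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SITE_ROUTER_WAN = ipaddress.ip_address("203.0.113.50")   # only public address at the site
VPN_ENDPOINTS = {                                          # head-office concentrators, tunnel port only
    (ipaddress.ip_address("203.0.113.10"), 51820, "udp"),
    (ipaddress.ip_address("203.0.113.11"), 51820, "udp"),
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, ipaddress.ip_address(src_ip), int(sport),
                ipaddress.ip_address(dst_ip), int(dport), proto.lower())


def _in(ip, nets):
    return any(ip in n for n in nets)


def classify(f: Flow) -> str:
    """Apply the 'private circuit over a VPN' policy to one flow."""
    # Rule 1: an OT host may only ever exchange traffic with private address space.
    if _in(f.src, OT_SUBNETS) or _in(f.dst, OT_SUBNETS):
        other = f.dst if _in(f.src, OT_SUBNETS) else f.src
        return "allowed-private" if _in(other, PRIVATE_SPACE) else "VIOLATION"
    # Rule 2: the site router's public side may only speak the tunnel protocol
    # with a known concentrator; anything else on that interface is a violation.
    if f.src == SITE_ROUTER_WAN:
        return "allowed-vpn" if (f.dst, f.dport, f.proto) in VPN_ENDPOINTS else "VIOLATION"
    if f.dst == SITE_ROUTER_WAN:
        return "allowed-vpn" if (f.src, f.sport, f.proto) in VPN_ENDPOINTS else "VIOLATION"
    return "ignored"   # office traffic etc., outside this policy's scope


def audit(lines):
    """Group flow records by verdict; callers alert on the 'VIOLATION' bucket."""
    verdicts = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        verdicts[classify(f)].append(f)
    return dict(verdicts)


# Constructed sample records: three are benign, three are exactly the kind of
# "someone wanted Internet access from the telemetry network" the thread warns about.
SAMPLE_LOG = [
    "2018-05-25T10:00:01Z 10.20.1.5:40001 -> 10.0.5.20:502 tcp",          # Modbus to head end, via tunnel
    "2018-05-25T10:00:02Z 203.0.113.50:51820 -> 203.0.113.10:51820 udp",  # tunnel, outbound
    "2018-05-25T10:00:03Z 203.0.113.10:51820 -> 203.0.113.50:51820 udp",  # tunnel, inbound
    "2018-05-25T10:00:04Z 10.20.1.5:40002 -> 198.51.100.53:53 udp",       # RTU resolving public DNS
    "2018-05-25T10:00:05Z 10.20.1.9:40003 -> 198.51.100.7:443 tcp",       # HMI fetching from the Internet
    "2018-05-25T10:00:06Z 198.51.100.7:40004 -> 203.0.113.50:22 tcp",     # SSH at the router's public side
    "2018-05-25T10:00:07Z 192.168.1.2:40005 -> 198.51.100.9:443 tcp",     # office LAN, not in scope
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG).get("VIOLATION", []):
        print(f"VIOLATION {f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}")
```

Run against the sample, it reports the public DNS lookup, the HTTPS fetch and the inbound SSH attempt and nothing else. The point of the two rules is that "allowed" is a short whitelist (private space, or the tunnel triple) and everything not on it is a violation, which is what "just say no" looks like in practice: a default-deny firewall on the site router would block these flows, and this check is how you notice that somebody added an exception.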
I think the proposed fines are a step in the right direction, but I don't think they go far enough. The UK's critical infrastructure is vital to the country's functioning, and any vulnerabilities in that infrastructure could have devastating consequences. I think the fines should be much higher to reflect the potential severity of the consequences of a cyber attack on critical infrastructure. Also, I think that the big companies should do penetration testing once a year. This will discover all the vulnerabilities in their security system.