Threat Convergence – Gone, but not forgotten by Mike Gillespie

The concept of threat convergence, or the convergence of physical and cyber threat, was everywhere for a while; magazines, online portals and even the mainstream press carried stories about threat convergence. Then it went away and we all moved on to other things like GDPR. The trouble is, not everyone understood converged threat and what it meant for their own organisations before we moved on. So, as it slipped from conference seminar agendas, the threat remained. I am re-addressing it here, in a post-Critical National Infrastructure (CNI) hacking world, one that has already seen elements of physical infrastructure attacked through cyberspace; we are just beginning to awaken to the real scope of the issue.

According to research by Corero Networks, more than a third of CNI in the UK (39%) have not completed basic cyber security standards issued by the UK government. The National Cyber Security Centre (NCSC) warned us that a serious cyber campaign has been waged against our own CNI since at least March 2017 and is ongoing. When an attack is successful it can have devastating consequences. In Ukraine, for instance, we have seen power grids taken down multiple times and the postal service brought to a standstill for two days by cyber attackers. We have been lucky not to have had this degree of disruption yet, but the nature and scale of these attacks, as outlined by NCSC Head Ciaran Martin, means that it is “when, not if” the UK will be the victim of a category one cyberattack targeting CNI. This represents the real face and potential impact of threat convergence and makes that figure of 39% non-compliance genuinely unnerving. Cyber threat went physical some time ago and since then we have been in constant catch-up. Threats to assets, people, places and information have been on the convergence agenda for a while, but we have to accept that each of these areas offers threat to organisations too. A grip on convergence will mean a 360-degree view of threat, which is much more realistic.

Working across cyber-physical realms for many years has been an advantage that I am keen to share with other security professionals. I have watched numerous systems, including those intended to provide physical security throughout many organisations, become web-enabled and networked in a drive to embrace efficiencies, savings and agility. Yet, as time has gone by, the gap between our physical and cyber security worlds has not closed at the same rate as our uptake of the enabled technology. Meanwhile, the exploitation of those gaps is becoming increasingly common, as poorly configured and secured devices, such as Digital Video Recorders, get harvested and used to facilitate massive Distributed Denial of Service (DDoS) attacks. If we are talking about convergence, this blending of the security disciplines is the singularity; the security goal should be the point at which the two worlds come together in terms of function, users and outcome. But it seems we continue to circle each other like wary gunslingers when it comes to converged or blended security. Every day those gaps are exploited by those who mean harm to our organisations and whose approach is far more joined up and converged than that of those of us defending.

In practical terms, we need to have cross-discipline understanding. That means that cyber security teams are involved in managing and securing systems that in the past they may not have had sight of, let alone been tasked with protecting. You cannot secure an asset that you do not know about, and you cannot manage the lifecycle of something that offers risk through obsolescence; if an asset was never on both the physical and cyber security radars, its risk is not being managed. We have to understand, therefore, that some systems offer risk to what has previously been viewed as an IT domain: the network.

This brings me to the nature of the devices and systems we are hooking up to our networks now. We know from bitter experience that not all security systems are created securely. We have seen security equipment hacked, compromised, damaged or leveraged for bigger attacks, and this is an unintended consequence of our commitment to networked systems of all kinds. The National Cyber Security Strategy discusses the danger from legacy and unpatched systems that sit in our CNI as well as in general business, because they are an opportunity for an attacker, and at the moment we are once again playing catch-up in trying to secure these systems.

At the moment, it is not a legal requirement for any manufacturer to ensure that the systems they build are secure at the point of shipping, are patchable, and are built on current rather than legacy operating systems. There is really good quality guidance available for buyers now, and I would suggest reading the Surveillance Camera Commissioner’s Buyers Guide, which offers great advice that could be applied to buying a variety of security equipment, not just camera systems. We need systems to be built and supplied securely and installed securely (not with default login credentials left on, for instance), and we need them managed and protected properly. Here, however, we hit another possible gap in the armour: is the network we are placing our great new secure security system on secure itself? If we are going to take this seriously then we need to know we are not specifying and procuring great quality kit just to leave it on a vulnerable network that is not properly protected. Once again, the need for joined-up thinking and for moving security out of silos arises.
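The two practical points above (an asset has to be on both the physical and cyber security radars for its risk to be managed, and a device is only as safe as its credentials, patch path and platform) can be turned into a simple converged audit. The following is an added example, not the author's or any vendor's code: it reconciles a constructed physical-security device register against a constructed network inventory and reports the gaps and device-level risks. The IP addresses, device records and the end-of-life platform list are all assumed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    ip: str
    kind: str                    # e.g. "DVR", "camera", "access-controller"
    os: str = "unknown"          # OS/firmware family reported by the device
    default_creds: bool = False  # vendor default login still accepted
    patchable: bool = True       # vendor still ships firmware updates

# Constructed sample data: what the physical security team believes is
# installed, keyed by management IP (assumed values, not real devices).
PHYSICAL_REGISTER = {
    "10.0.5.10": Device("10.0.5.10", "DVR", "Linux 2.6", True, False),
    "10.0.5.11": Device("10.0.5.11", "camera", "Linux 3.x"),
    "10.0.5.20": Device("10.0.5.20", "access-controller", "Windows XP", False, False),
}
# Constructed sample data: what the cyber team's network scan actually found.
NETWORK_INVENTORY = {
    "10.0.5.10": Device("10.0.5.10", "DVR", "Linux 2.6", True, False),
    "10.0.5.11": Device("10.0.5.11", "camera", "Linux 3.x"),
    "10.0.5.12": Device("10.0.5.12", "camera", "Linux 3.x", True),  # never registered
}
# Assumed end-of-life platform list; a real one comes from vendor notices.
END_OF_LIFE_OS = {"Windows XP", "Windows 7", "Linux 2.6"}

def reconcile(physical, network):
    """Return (on both radars, registered only, seen on network only)."""
    p, n = set(physical), set(network)
    return sorted(p & n), sorted(p - n), sorted(n - p)

def converged_findings(physical, network):
    """Return (ip, finding) pairs: inventory gaps first, then device-level risks."""
    both, only_physical, only_network = reconcile(physical, network)
    findings = [(ip, "registered but not seen on network") for ip in only_physical]
    findings += [(ip, "on network but not in physical register") for ip in only_network]
    for ip in both + only_physical + only_network:
        d = network.get(ip, physical.get(ip))  # prefer what the scan observed
        if d.default_creds:
            findings.append((ip, "default credentials still enabled"))
        if d.os in END_OF_LIFE_OS:
            findings.append((ip, f"end-of-life platform ({d.os})"))
        if not d.patchable:
            findings.append((ip, "no vendor patch path; plan replacement"))
    return findings

if __name__ == "__main__":
    for ip, finding in converged_findings(PHYSICAL_REGISTER, NETWORK_INVENTORY):
        print(f"{ip:<12} {finding}")
```

In practice the two inputs would come from the facilities asset register and a scan or DHCP lease export respectively; the point is that neither list alone shows the camera nobody registered or the controller nobody can see.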

Furthermore, this moves beyond managing just the technical threats, and requires that we also pay more attention to managing the people (insider) threat too. Often when security people use the term insider threat they are referring to someone performing malicious activity; however, much of the research is telling us that far more insider threat is negligent and accidental, and down to poor education. If people are not trained in how to respond to phishing emails, for instance, then no amount of technology can save the day, and we know from experience that the toxic payloads these emails deliver can have devastating consequences for businesses and their supply chain partners. So, going back to threat to and from people, places, information and technology, and blends of these, we can see that people offer cyber threat to our physical systems too…

Finding a way to manage the threat that these security gaps continue to represent is every bit as important as understanding the threat from and to our people, places, technology and information. It is vital that we do, for only then will we really have understood converged threat and answered that threat with converged security.

About Mike Gillespie

Managing Director and Co-Founder of Advent IM Ltd, Vice President of the C3i Centre for Strategic Cyberspace + Security Science (CSCSS)

Mike is a leading information security practitioner, and is well versed in the threat to organisational information assets. A former member of the CSCSS Global Cyber Security Select Committee, he is now the Vice President of C3i Group. Mike serves as a cyber spokesperson for the International Institute of Risk and Safety Management (IIRSM) and serves as the Cyber Security lead for the surveillance cameras guide from the UK Government’s Surveillance Camera Commissioner. As a subject matter expert Mike is called upon regularly to speak at events and contribute editorial, including for the BBC and The Sunday Times as well as regular industry media.