
Note this post originally appeared on the BH Consulting blog and was written by Gordon Smith.


In front of its largest ever attendance, the annual Irish cybersecurity conference IRISSCON tackled some big themes. Among them were: attacks against critical infrastructure, increasing regulation, the need for empathy from security pros, and – naturally – AI.

From the off, 2023 struck a more downbeat tone than last year’s edition. The first keynote speaker was Viktor Zhora, Deputy Chairman at Ukraine’s State Service of Special Communication and Information Protection. The man tasked with protecting Ukraine’s critical infrastructure outlined Russian attacks against the nation’s digital systems in grim detail. In many cases, these attacks predated the invasion of troops in February 2022, he said.

The first two keynotes of the morning at IRISSCON got extensive coverage in the media. Karlin Lillington, writing in the Irish Times, summarised the opening presentation: “Mr Zhora said that even though cyberattacks ‘may not cause such an evident destructive impact as the missile strikes, the effects should not be underestimated’ because they are complex and widespread and threaten essential services, from power and water supplies to medical care and communications.”

Rising attacks against critical infrastructure

Data Breach Today reported that cyberattacks against Ukrainian critical infrastructure have intensified during 2023. “In the first 10 months of this year, Ukraine’s national computer emergency response team, CERT-UA, logged 2,054 cyber incidents, compared to 2,194 for the entirety of 2022,” wrote Mathew Schwartz.

Ukraine’s experience gave it more confidence in their capacity to counter future attacks, Zhora said. But he left a stark warning to everyone in the room. “It’s crucial now for everyone to realise the degree of danger posed by the combined use of conventional and cyber warfare. Democracies should immediately adapt their military doctrines to address emerging cyberspace-based threats.”

Help Net Security led with commentary from Rik Ferguson, whose talk immediately followed Zhora’s. It neatly illustrated one of the happy coincidences of IRISSCON, where common themes often emerge from different talks.


The operational technology challenge

Ferguson outlined evolving threats to critical infrastructure, and how IT and operational technology environments are becoming increasingly interconnected and interdependent. He said there have only been eight examples of malware specifically written to target operational technology (OT) – as distinct from IT – that runs critical national infrastructure. Stuxnet in 2010 was the first; the most recent was CosmicEnergy in 2023.

One still-unattributed incident involved an external attack against a steel mill in Germany in 2014. It misused operational technology to make changes in the operating environment. Workers were unable to safely shut down a furnace and it melted to the ground. Ferguson said attackers are getting better at using legitimate tools found in OT environments, so they don’t need to develop custom malware.

This was a stark reminder to security professionals that there’s lots of work ahead to protect OT systems to a similar level as IT. Ferguson pointed out that the standard model for building and securing an OT network is very different to IT, and many OT devices suffer from insecurity by design. Some were never intended to be connected to the internet. Historically, different teams were responsible for running OT and IT and so there has been distrust and bad feeling between them, which they need to put aside in order to find weak points in the infrastructure and protect it better.

A regulatory onslaught?

In a first for IRISSCON, a panel debated the increasing regulation in security, and whether it could inadvertently lull organisations into complacency by making them focus on compliance. Among the rules governing many organisations are the NIS2 Directive, the Cyber Resilience Act, the Cyber Solidarity Act, and the Cyber Security Act (Certification). The panellists were the renowned security research pioneer Katie Moussouris, cybersecurity advocate Jen Ellis, University of Oxford Professor Ciaran Martin, and Joseph Stephens, Director of Resilience at Ireland’s National Cyber Security Centre.

Security professionals can feel like they face an increasing burden to comply with regulations. But Jen Ellis likened the situation to food labelling, which took time to become established but which is now accepted and expected. Joseph Stephens said that more recent regulations make security the responsibility of senior leadership. “This is how we need to go. It’s not fair to put the burden on security teams,” he said.

Katie Moussouris urged security professionals to get involved in developing regulations where they have the opportunity. Without the contribution of experts, legislators could develop rules that aren’t practical or that hinder effective security. Moussouris said there was a need to measure outcomes – to make regulations but then check in with organisations to find out how they implemented them in practice.

AI is coming

No conference in 2023 would be complete without referring to artificial intelligence, and IRISSCON delivered. Dave Lewis, global advisory CISO with Cisco, remarked that AI is “now popping up in every conceivable aspect of industry”. The technology is “really good” at improving the operations of your systems, he added.

Deryck Mitchelson, EMEA field CISO for Check Point, chimed in on this point. With so many alerts coming in to security operations centres and incident management systems, AI can help keep security teams from being overworked and potentially missing vital signals that something’s wrong. “The amount of data coming into a SIEM is absolutely massive. We need to start using AI to correlate what is a threat versus what is just noise… AI is absolutely fantastic at cutting through the noise and focusing on the important points.” He gave the example of the ransomware attack on Colonial Pipeline in 2021. “Any AI-based behavioural engine would have spotted it, said it wasn’t normal, and blocked it,” he said.

Technology can help, but security pros can also do more to understand threats ‘left of boom’ – that is, before they impact an organisation – so they can handle incident response more effectively. That was the contention of James Burchell, sales engineering manager with Crowdstrike. Drawing on his background in both the military and corporate cybersecurity worlds, he said it was vital to take a proactive stance to cybersecurity in the modern threat landscape.

Involving law enforcement in incident response

In a callback to a talk from the very first IRISSCON back in 2009, the head of the Garda National Cyber Crime Bureau emphasised the need for businesses to report instances of cybercrime so police can understand the nature of the threats that other businesses face. Detective Superintendent Pat Ryan urged delegates to include law enforcement as part of their incident response. This allows police to learn more about current cyber risks, he explained: “intelligence is the bedrock of policing”.

He acknowledged the extra disruption that this can cause and said the Gardaí would lend a sympathetic ear. “We understand you need to get your business back up and running quickly. Investigations can take time, but they lead to good results,” he said. “We’re there to help and to advise… We have teams attached to the Cyber Crime Bureau who are experts, highly skilled, highly trained, and we’re here to support victims of crime and provide guidance where we can.”

This note of empathy for victims of cybercrime was one of the strongest themes of the day. Jude McCorry, CEO of the Cyber and Fraud Centre Scotland, suggested diverting some proceeds of cybercrime towards supporting victims.

Why empathy counts in security

Empathy in security was also on show in many other talks throughout the day. Andrew Hay, COO at Lares Security, drew parallels between security training and rugby coaching. He called for a different approach than the old school militaristic authoritarian approach of “do this because I say so”. He argued that it’s better to coach people towards better security behaviour through demonstration, guided learning and understanding.

Angie McKeown, a security architect with Microsoft’s CTO team, talked about the problem of securing an organisation’s digital identities that have the potential to cause the most damage if compromised. Noting that many admin credentials have too many privileges, McKeown said it was a question of how to secure them without causing friction. It can help to see it as a change management project. She urged security pros to find an influencer at a senior level who can help to push the message in positive terms about security. One option is to frame the change as liability reduction for the CEO.

“Don’t lose that empathy because it’s what helps you to push through that change… people want to understand why the change is happening. Be kind, help them understand the bigger picture,” she said.

Listening + understanding = trust

Security awareness practitioner Michelle Levesley made similar points in the context of raising security with the board of directors. “To be trusted, listen,” she said. “I think cybersecurity people forget to listen. Leave the silences to be filled. In cybersecurity, we don’t do that. We mandate, we prescribe, we lecture, we yell. We particularly need to listen to human factors experts.”

Ultimately, security needs to get to a similar standing in the business as other departments in convincing senior management about the need to invest in certain projects. “You don’t hear finance or HR or marketing say very much ‘I don’t get the budget for this’,” she said.

One way to do this is by getting to know how the board likes to be presented with information. Security professionals can become a trusted source by presenting information proactively without senior leaders needing to go chasing for it. That insight is invaluable in explaining why certain threats are or aren’t a risk to the business.

That was a flavour of the talks. As the event drew to a close, there was plenty to keep security professionals motivated about the challenges ahead.

The images above are courtesy of Help Net Security.


IRISSCON 2023 in Pictures

The images below are courtesy of Thom Langforn Photography. We want to extend a huge thank you to Thom for all his hard work on the day and the excellent photographs.