You can’t help but wonder whether Robert Hannigan can easily get to sleep at night, given the report into cyber-security threats he has just co-authored.
The former head of GCHQ and number 10 security advisor earlier this year put the finishing touches to a paper for the Lloyd’s Register Foundation highlighting the plethora of threats posed by new technology.
“It is anticipated that risk of deliberate attack will increase as the Industrial Internet of Things (IIoT) expands as cyber attackers, from criminals to nation states, seek to exploit newly connected systems and newly created vulnerabilities,” the resulting Foresight Review said .
The report noted that damage from cyber incidents can take a wide range of forms, “including physical, economic, reputational, psychological and societal harm.”
The report’s findings are not for the faint-hearted, but Hannigan is more attuned to cyber threats than most. Not only was he director of GCHQ, he also led the creation of the UK’s National Cybersecurity centre, oversaw the well-regarded Active Cyber Defence Programme and created the first country’s cyber-security strategy.
Now it is the threats posed by the IIoT that are at the forefront of his mind. This refers to interconnected sensors and instruments networked together with computers’ industrial applications to improve efficiency and productivity. It includes associated software and hardware technologies for delivering processing and analytics.
The Foresight Review identifies four driving forces behind the adoption of IIoT; the need to improve operational processes, the green agenda and the potential of IOt to optimise energy efficiency; access to data markets; and improving customer experience including providing data-based customisation in real-time.
So why is this technology of concern to Mr Hannigan, and to his report co-authors Sadie Creese, professor of cybersecurity, University of Oxford and Professor Richard Clegg, chief executive, Lloyd’s Register Foundation?
Simply put, the concerns are that IIoT is growing too big, too quickly, with the potential for cyber attacks to be severe as systems are connected and automated. “The current pace of change in operational security capabilities will not match the fast emergence of new security risks in IIoT environments”, the report warns.
But for Hannigan it is not just a case of failing to keep pace.
“One of the worrying things was that the enthusiasts for the adoption of IoT in the industrial space — some of those who are most far advanced, including healthcare — are not necessarily the ones who worry most about security,” Hannigan said in a recent interview.
“There is a lack of correlation between adoption and security best practice. That’s setting us up for some difficulty.”
Ultimately, the Foresight Review report says that many IoT industries do not have a cyber security mindset, with security considerations losing out to longer established safety requirements and also coming into conflict with other priorities.
For example, a company might want to minimise downtime by keeping a compromised system running, rather than taking it down.
Companies may be very familiar with health and safety and other requirements but less knowledgeable about cyber risk.
Hannigan uses the example of the vast supply chains some companies have. He says: “Typically in BlueVoyant, we see companies who may have 10,000 suppliers, and they can realistically look at a tiny percentage of those actively, with pen tests etc. The rest, they will tend to use questionnaires. And that’s inevitably never going to be very effective for the obvious reasons.”
Supply chain risk
He says that it is not necessarily the large suppliers that pose a risk. “Some of the nation state ones have been delivered through really quite small suppliers; lawyers, for example, who have a deep connection into the business, are trusted, but whose security is probably not where it should be,” he says. “So trying to quantify that risk and prioritise it, I think is absolutely key”.
While cyber security awareness is growing, persuading an organisation’s management to invest in resources to tackle the issue is an ongoing challenge, the report says.
This is where “effective external approaches” are needed to incentivise companies to expand their cyber crime detection capabilities.
Hannigan is firm that one of these needs to be greater regulation. “The sort of ‘best practice’ and ‘hoping for the best’ and ‘kitemarks’ approaches aren’t really working, because they’re not changing the market, he says.
“In the market, there’s not enough incentive to spend more money on products that have greater security built in, if you can just do it on lowest cost and churn out millions of devices with virtually no security.”
Follow guiding principles
Hannigan says there also has to be a point at which manufacturers take responsibility for security in IIoT devices, although he accepts there is a “delicate balancing act” as software producers might be deterred from manufacturing if the rules are too onerous.
Another tool that can be used is cyber insurance, but the report notes there are challenges accessing the full-range of harms, and deciding where primary liability lies in complex, interdependent IIoT systems.
So there are challenges to be overcome in terms of using a changed mindset, regulation and cyber insurance products to tackle the issue of cyber crime.
The report sets out guiding principles for companies to follow including assuming failure as a basis for security strategy development, assuming insider threat within systems and supply chains and seeking ways to identify and test for systemic risk.
For Hannigan the IIoT networks are here and cutting yourself off from them is not possible for all but very small businesses. “You will really need to have an iron discipline,” he says.