The Life & Death-Issue of Cyber-Security

3Questions to Andrey Suvorov, Kaspersky Lab

Cyber-security is a big part of the debates around the digital policy agenda in Europe. But what is cyber-security, what are the threats and what is the solution? Netopia talked to cyber-security expert Andrey Suvorov of Kaspersky Lab to get wiser.

Per Strömbäck: Why do hacks and other cyberattacks happen? Who is behind them and what are their motives?

Andrey Suvorov: In my role as head of critical infrastructure protection at Kaspersky Lab, the bulk of my time is spent considering cybersecurity in industrial settings. So it makes sense that I respond in this context. Let me start by explaining that I would prefer to use the term cyber incident, as opposed to referring to cyber-attacks only.

We are so dependent on technology now that even unintentional operator failure may lead to serious losses. For example, an experienced operator can run the wrong version of the right engineering package, which will in turn alter the settings. This can be as simple as the operator losing their attention. In this case, there’s no attack agenda behind it, but it’s just as damaging. These are what I classify as the first group of threats – human vulnerability.

The second group of threats is represented by people who take advantage of their knowledge of, and access to, industrial control systems to steal final products physically. For example, oil products (manipulating the process in the off-loading stage), or electricity during its distribution. They do not intend to destroy the process and/or company assets, but rather steal what is being produced. Unfortunately, it is difficult to detect such industrial fraud using existing solutions.

Targeted attacks represent the third and most dangerous group of threats. It usually takes months, or even years in some cases, of preparation, intrusion and collection of all details before an attack may happen. Hacktivists, cyber-criminal groups and government backed teams of experts may lead such sophisticated campaigns. Political and commercial motivations are among the top reasons to do it (based on analysts’ reports, cyber-attacks cost companies $400 billion every year). With industrial cybersecurity (ICS) organisations, it can be really scary as many ICS components are available over the Internet – 220,668 industrial cybersecurity components were discovered by the Shodan search engine. Most of the remotely available hosts with ICS components are located in the United States (30.5%) and Europe.

PS: Are 100% unhackable systems possible? Or even desirable? Can we trust in technology solutions?

AS: As all existing and future technology solutions are designed and implemented by humans, we cannot guarantee that other people with “bad agendas” will not identify and exploit their weaknesses. But definitely we can reduce the surface of possible cyber-attacks using some simple, and some more complex, strategies.

Critical infrastructure – power stations, transport companies, and other operators of services vital to the lives of individual citizens – are vulnerable to cyber-attack.

The simple strategy is to improve cybersecurity awareness and shift the work culture to be more cyber savvy. It’s worth noting, the majority of targeted attacks still present via an initial stage of infection. This usually results from a lack of cybersecurity awareness. For instance, an employee accessing links from a phishing email or via the use of a compromised USB drive.

The long-term approach is to create a trusted technology ecosystem, that is built using a “secure by design” model. In an industrial context, any new part of a technology system (a sensor, PLC, switch, integration SW, etc.) should be designed and tested with deep assessment of executable logic.

PS: Should I be worried? What should I do?

AS: When we speak about threats and concerns in relation to cybersecurity, it’s important to understand the threat in multiple contexts. Firstly, there is the threat to individuals, directly experienced through such things as fraud, ransomware, corruption or exploitation of personal data, etc. This can be deeply concerning for victims and can have very personal impacts.  The important thing is for people to stay alert. Any user can be a victim of cybercriminals, and everyone should be prepared for this. One cyber-attack can cost a user tens of thousands of dollars. User’s identity can be stolen and used to affect their acquaintances, important files can be destroyed or stolen, so it is easier to prevent than to bear such consequences. The must-have for every Internet user is a reliable security solution. But, in addition to this, users should increase their cyber savviness to be able to identify cyber-threats when they encounter them.

Next there is the threat to business – the consequences of which can be far-reaching. Attacks on businesses, of all sizes, happen regularly and their effect can range from inconvenient to crippling. When it comes to business security implications, it is very important to mention that valuable cybersecurity is not a project but a process, so an iterative approach for all parts should be applied. Business security products and services should be designed to cover all four strategic directions of IT security – threat prevention, detection, incident response and attack prediction.

The final context is perhaps the scariest of all. Critical infrastructure – power stations, transport companies, and other operators of services vital to the lives of individual citizens – are also vulnerable to cyber-attack. And there have already been cases of such attacks interfering with such services. Whether for criminal gain, espionage or terrorism, securing our critical infrastructure is a priority for governments around the world. The consequences of not being able to capably secure critical infrastructure could be devastating – on economies, businesses and the individuals who rely upon these services.