The EU directive on the security of Networks and Information Systems (known as the NIS Directive) “sucks” according to Jaya Baloo, the CISO of the Netherland’s KPN Telecom, speaking at an FT-sponsored event on critical infrastructure security this morning.
The multiple award-winning cybersecurity executive was sitting on a panel of industry experts at Siemens headquarters The Crystal, in London’s Docklands. She hit out at the directive for absolving hardware and software providers of responsibility for vulnerabilities.
Neither industry qualifies as a digital service provider under the legislation, she noted: “The NIS says hardware and software don’t need a cert. The NIS Directive sucks”.
The elephant in the critical infrastructure security room, meanwhile, is the fact that the protection industry tries to provide across an IT and OT landscape is compromised by intelligence and law enforcement agencies who aren’t disclosing 0days, she added.
“There is no vulnerabilities equity process. No sharing. If we want critical infrastructure security we need law enforcement and intelligence to share the info they know. Otherwise we are just creating both a white and a black market for vulnerabilities.”
Threats Mounting, Forward-Thinking Vital
The comments came amid an intense panel discussion on the best approach to securing critical infrastructure in an increasingly perilous online environment.
The CISO of Italian utility Enel, Yuri Rassega was among those emphasising the need for regular and extensive penetration testing to build resilience.
He said: “We do around 400 deep vulnerability tests on our critical assets every year. It’s not true that you can’t carry out vulnerability tests on live systems. That’s absolutely the wrong idea. We had zero WannaCry infections and we have a presence in 37 countries. We had zero infection because of preparation. This needs commitment from top management; you need to embed a security framework as if it were a constitution.”
NCSC – “We’re Here to Help”
Earlier, the CEO of the UK’s National Cyber Security Centre (NCSC) Ciaran Martin, emphasised that the centre was there to help support industry.
“Even richest company in the room is not expected to defend itself against an attack from the most sophisticated nation state adversary,” he said.
“We run 22 different information exchanges with industry. There are formal and informal mechanisms to engage with us.”
He also emphasised that attention needed to be paid to social media as a potential weakest link.
Referring to a 2009 G20 summit at which announcements were made to bail out banks (which he described as a “festival of cyber espionage”) an unnamed adversary compromised a system through the credentials of “an obscure official in the bowels of government”.
“We couldn’t understand how he had been found. Someone younger on the team said ‘is he on Twitter’? Sure enough, on his bio he said he was working on G20 preparations…”