January 30, 2020 (updated 31 Jan 2020 3:53pm)

BP’s CISO: Gov’t Agencies “Still Polishing Intel” as Adversaries Move

"Adversaries are moving at wire-speed"

By CBR Staff Writer

BP’s Chief Information Security Officer (CISO) has warned that while collaboration between critical national infrastructure (CNI) providers and government agencies has improved markedly, intelligence sharing is often too slow and relationships with US agencies “difficult to navigate”.

Speaking at the SINET security event at the British Museum on Thursday, BP’s CISO Simon Hodgkinson – who said the company has to deal with a colossal 109,000 suppliers – also warned that the company plans to put greater “market pressure” on its supply chain, amid concerns about the “rudimental” security of industrial control systems and other operational technology (OT).

US intelligence/security agencies: a rich and varied ecosystem…

Too Many Agencies…

Hodgkinson was sitting on a panel with Malcolm Norman, the CISO of services company Wood, Ignatius Britto, the head of enterprise IT security at EDF Energy, and Tom Wilson, the CISO of US utility, Southern Company Services.

The BP CISO told the audience: “Collaboration is king and I think what the NCSC has achieved in the UK is excellent. It’s still not a one-stop shop though, there are relationships around it that we need to foster; the CPNI, GCHQ.”

He added: “We also have fantastic relationships with US agencies but they are many and varied and sometimes difficult to navigate. There’s the NSA, Department of Energy, Homeland Security, FBI… sometimes it can be a bit difficult to understand who you should be collaborating with.”

Need for Speed

And while trust relationships are strong, he suggested that agencies were still “polishing intel” before sharing it, because they didn’t want to send across raw data with too many false positives — potentially watering down the impact of collaboration. Hodgkinson said: “My greatest desire is to sign a disclaimer to say ‘tell me everything’ and never mind the false positives.”

“The bad guys are moving at wire speed. Collaboration is improving but we still sit down together once a quarter. That’s not sufficient.”

Supply Chain Weaknesses

Panellists agreed that security was now “table stakes” and while 10 years ago CEOs and board members may have ticked boxes for insurance purposes, they now saw it as mission critical.

A supply chain with poor security design and patching remained a significant risk for CNI, Wood’s CISO, Malcolm Norman, noted: “Industry needs to think about how to support the ‘mom and pop shops’. Because they are the soft underbelly… how can we support them without blowing their business budget?”

The panellists agreed that there was a role to play for larger scale buyers in “educating” those in their supply chain and even extending security guidance, although many noted an implicit legal risk that resulted from this.

Tom Wilson, the CISO of US utility, Southern Company Services, meanwhile, emphasised: “We’re facing attacks from foreign intelligence agencies. Without gov’t support that’s not a fight we’re going to win.”

He added: “The US gas sector alone can’t bring enough pressure to bear on suppliers. With global collaboration that could change.”

As BP’s CISO added: “We could let regulators work, but market forces can also exert pressure. There are examples of exemplary practice but they’re rare. Operating practices need to evolve.”

The CNI supply chain, it would seem, has quietly and politely been put on notice. Amid the discussion, meanwhile, there was no mention of regulatory support. With the NIS Directive putting little onus on software and hardware suppliers, and even new UK IoT security rules looking heavily watered down, CNI providers, it would seem, are going to have to do their own regulating.

Top image, from left: Professor Paul Dorey, CSO Confidential; Ignatius Britto, EDF Energy; Malcolm Norman, Wood; Tom Wilson, SCS; Simon Hodgkinson, BP. Credit: Computer Business Review.

See also: New IoT Security Regulations: The Devil’s in the Details