BP’s Chief Information Security Officer (CISO) has warned that while collaboration between critical national infrastructure (CNI) providers and government agencies has improved markedly, intelligence sharing is often too slow and relationships with US agencies “difficult to navigate”.
Speaking at the SINET security event at the British Museum on Thursday, BP’s CISO Simon Hodgkinson – who said the company has to deal with a colossal 109,000 suppliers – also warned that the company plans to put greater “market pressure” on its supply chain, amid concerns about the “rudimental” security of industrial control systems and other operational technology (OT).
Too Many Agencies…
Hodgkinson was sitting on a panel with Malcolm Norman, the CISO of services company Wood, Ignatius Britto, the head of enterprise IT security at EDF Energy, and Tom Wilson, the CISO of US utility, Southern Company Services.
The BP CISO told the audience: “Collaboration is king and I think what the NCSC has achieved in the UK is excellent. It’s still not a one-stop shop though, there are relationships around it that we need to foster; the CPNI, GCHQ.
He added: We also have fantastic relationships with US agencies but they are many and varied and sometimes difficult to navigate. There’s the NSA, Department of Energy, Homeland Security, FBI… sometimes it can be a bit difficult to understand who you should be collaborating with.”
Need for Speed
Need for SpeedAnd while trust relationships are strong, he suggested that agencies were still “polishing intel” before sharing it, because they didn’t want to send across raw data with too many false positives — potentially watering down the impact of collaboration. Hodgkinson said: “My greatest desire is to sign a disclaimer to say ‘tell me everything’ and never mind the false positives.”
“The bad guys are moving at wire speed. Collaboration is improving but we still sit down together once a quarter. That’s not sufficient.”
Supply Chain Weaknesses
Supply Chain WeaknessesPanellists agreed that security was now “table stakes” and while 10 years ago CEOs and board members may have ticked boxes for insurance purposes, they now saw it as mission critical.
A supply chain with poor security design and patching remained a significant risk for CNI, Wood’s CISO, Malcolm Norman noted: “Industry needs to think about how to support the ‘mom and pop shops’? Because they are the soft underbelly… how can we support them without blowing their business budget?”
The panellists agreed that there was a role to play for larger scale buyers in “educating” those in their supply chain and even extending security guidance, although many noted an implicit legal risk that resulted from this.
Tom Wilson, the CISO of US utility, Southern Company Services, meanwhile, emphasised: “We’re facing attacks from foreign intelligence agencies. Without gov’t support that’s not a fight we’re going to win.”
He added: “The US gas sector alone can’t bring enough pressure to bear on suppliers. With global collaboration that could change.”
As BP’s CISO added: “We could let regulators work, but market forces can also exert pressure. There are examples of exemplary practice but they’re rare. Operating practices need to evolve.”
The CNI supply chain, it would seem, has quietly and politely been put on notice. Amid the discussion, meanwhile, no mention of regulatory support. With the NIS Directive putting little onus on software and hardware suppliers, and even new UK IOT security rules looking heavily watered down, CNI providers, it would seem, are going to have to do their own regulating.
Top image, from left: Professor Paul Dorey, CSO Confidential; Ignatius Britto, EDF Energy; Malcolm Norman, Wood; Tom Wilson, SCS; Simon Hodgkinson, BP. Credit: Computer Business Review.
See also: New IoT Security Regulations: The Devil’s in the Details
