
Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
October 21, 2016


Mike Gillespie Q&A: “Our critical infrastructure is built on old platforms that aren’t necessarily security-patched”

“We’re seeing firmware vulnerabilities discovered on a daily if not hourly basis.

“We’re trying to plug holes because the planning wasn’t in place for the new cyber landscape that we’ve entered. And with the internet of things, the pace of change is getting faster and faster.”

Just one of many fascinating, useful or downright disturbing insights from IFSEC Global’s chat with the man who ranked number 14 in our top 50 most influential people in security and fire for 2016.

The founder of a consultancy – Advent IM – whose expertise spans both information and physical security, Mike Gillespie is well placed to survey a security landscape whose physical and digital components increasingly overlap. Gillespie is joined in a conversation – which covers cyber security in the boardroom and supply chains, and for small businesses and individual citizens – by Ellie Hurst, Advent IM’s marketing, media and communications manager.

Mike Gillespie

Cyber security in the boardroom

IFSEC Global: What are you doing at the moment as a company? Any interesting developments?

Mike Gillespie: We’re continuing our mission to drive security up the organisation, to make it a board-level agenda. As part of that we’ve just written a brand new training course about security for the future and we’re planning on launching a seminar session trying to get greater engagement with senior management, to get them to have ownership of security in the same way they have ownership of finance, HR, health and safety.

There is a trend to almost try and shortcut security – this attitude of “oh well, don’t bother with it, just get it done.”

I think our [business] leaders are put off engaging with security because they see it as a dark art – highly technical, full of jargon

IG: Who are these courses aimed at?


Ellie Hurst

Ellie Hurst: Business leaders and senior level. We’re trying to remove some of the mystique, because the language around cyber and information security can be quite baffling. If you’ve not come up that route to the boardroom you may feel slightly disadvantaged.

Legislation has just come out in America that says companies must reveal if they have a cyber expert on their board. The next logical step from there would be to make it a requirement to have one, though as yet that isn’t the case.


IG: Why is there such a disconnect between the boardroom and security?

MG: Security professionals don’t speak the language of business. And they don’t develop security strategy based on supporting business objectives.

I think our [business] leaders are put off engaging with security because they see it as a dark art – highly technical, full of jargon. In some cases they may feel intimidated, or not want to appear stupid by not understanding what they’re being told.

Very few security professionals drive their security strategy based on threat and harm. They’re not explaining the threats and risks.

And so the professionals themselves have almost isolated themselves from the business by not being business-focused.

IG: So they need to learn to communicate in a more straightforward way?

Speaker: Definitely. Once you get that culture right in the boardroom, you can roll out that culture throughout the business.

The idea is to make things better, and to do that you have to look at the way you do things, and the way you’ve always done things isn’t necessarily the way to continue.

Small businesses and cyber security

IG: What about businesses that might not even have a boardroom level – small businesses?

MG: A lot of SMEs don’t see themselves as under threat. Organisations have to understand the value of their assets, of their information assets, and understand how attractive, how valuable, those assets are to a potential attacker.

Many microenterprises have incredibly valuable information assets – R&D organisations, emerging tech organisations – and they are as much under threat of attack as large organisations or government departments.

Supply-chain security

Once you’re inside a supply chain entity, it’s often easier to move down networks from inside than it is to attack a fortress from the outside

The other thing is understanding supply chain security. Quite often it may be the end target that is the result of the initial breach.

Once you’re inside a supply chain entity, it’s often easier to move down networks from inside than it is to attack a fortress from the outside.

Businesses need to think about what’s in their supply chain up and downstream from themselves. If just one of our suppliers has cyber security, then the whole of our supply chain is potentially compromised.

EH: When Target [the US retailer] was breached it was through their air conditioning contractor.

MG: Security strategies in general, both in the physical world and in the cyber world in fairness, are very much perimeter-based and outward-facing. So once you’re inside, quite often it’s very difficult… a lot of organisations don’t have an adequate and appropriate detective monitoring strategy in place.

So once inside a network often you can move around with impunity. And this is what we see: a lot of the organisations we see with significant data breaches – Talk Talk, Sony, Target – the attackers are inside the network for weeks before they’re detected.


The Maginot Line by Goran Tek under CC BY-SA 3.0

IG: Really? Wow. So I suppose it’s a bit like the Maginot line in World War 2….

MG: Absolutely. Without wishing to sound too arrogant, we have been talking about the need for a greater understanding of cyber threats to physical systems and physical estates in general for several years now. It’s become trendy now to talk about convergence, but it’s been there and very real for some years.

We’re seeing attacks on physical buildings, on CCTV systems, on air conditioning systems; vehicles, tram systems, train systems are all coming under attack. And sometimes with direct malicious intent, with a view to causing accidents, damage, bringing down national infrastructure. If it’s a weak system, a legacy system, poorly installed and poorly patched, it then allows a foothold to be gained.

It’s a bit like when you’re breaching a port: you need that initial bridgehead. You build, consolidate, then push on to attack elsewhere in a network.

Because a lot of our critical national infrastructure is in private hands, there is no common oversight of everything

IG: You’re only as strong as your weakest link…

EH: Our critical national infrastructure – things like nuclear plants, transport, all that – is often built on old platforms that aren’t necessarily supported or security patched anymore. Because a lot of our critical national infrastructure is in private hands, there is no common oversight of everything. And the supply chain into that infrastructure is probably from the private sector as well.

Not only do you have a threat from your supply chain, your supply chain is probably quite convoluted with different frameworks, people here there and everywhere. And the end user is probably in private hands as well.

Physical systems are being managed across cyberspace that maybe weren’t designed to do that. It’s been kind of shoehorned in, because if it still works we still use it, you know?

MG: If you’ve got a CCTV system going back 10 or 15 years, how old is the security management software controlling it?

We’re patching IT systems on a weekly basis for Windows-based vulnerabilities. We’re seeing firmware vulnerabilities discovered on a daily if not hourly basis. Yet how much of our security system is being maintained in a secure manner?

We’re trying to plug holes because the planning wasn’t in place for the new cyber landscape that we’ve entered. And with the internet of things, the pace of change is getting faster and faster.

Already we’re seeing situations where we have a nice secure network, someone thinks it would be a great TV and they run Google Hangouts on it to do video conferencing. Then they put a massive door in the middle of their security solution.

Cyber regulation

IG: It almost feels like we’ve got a good handle on traditional crimes now, which have been falling across the developed world for several decades… But with cyber security it seems like criminals have a bit of an upper hand….

MG: Yes, traditional crime is three-dimensional and well understood. If you get mugged in the street the location of the crime, victim and perpetrator is the street. When you get mugged online, the criminal could be in Uzbekistan, I’m in Birmingham, and who knows where my bank account is?

So jurisdiction is a massive thing the police are trying to get a handle on. We have no global cyber laws.

IG: It takes a long time to put this regulation in place, especially across borders, whereas the threat changes quickly….

MG: The law just isn’t capable of keeping up with the cyber landscape at all.

EH: Criminals don’t worry about legislation or privacy or any other considerations a security professional is up against. So they’ll just build whatever they need, and sell that tool to other people as well.

There’s more criminals, and they’re better equipped, and they’re very fleet of foot as they don’t have the same constraints.

MG: It’s also becoming very organised and business-like online. We’re now seeing sites on the darknet where people are actually offering hacking as a service. Denial of service, as a service. They’re marketing themselves.

If you want to attack a particular organisation, destroy its assets, steal its information, you can go online and hire a criminal to do it for you.


The death of privacy

“We’re sleepwalking into a constantly connected, non-private environment”

IG: The equivalent of hiring a hitman to bump off a rival. Wow. What vectors of attack does the Pokemon phenomenon and other augmented reality apps and games create?

MG: We’ve already seen the Pokemon network taken down by attackers. The CIA released a statement around the threat of using games like Pokemon. You’re using a mobile device, using location services, so a service somewhere on the internet can work out where you are and serve up the right Pokemon content.

You’re basically walking around broadcasting where you are in the world.

The fascinating thing about all of this is we appear to now have a generation of people who no longer have a concept of personal privacy.

Google maps has been mapping where we go for some time. I just think we’re increasingly sleepwalking into a constantly connected, non-private environment.

It’s bizarre. In only 30 years we’ve gone from very little technology to almost being unable to live without it.

I have a daughter just coming up to 20. I look at the apps she puts on her phone and she doesn’t even look at permissions, what it’s asking from her. It’s just something for free and that’s fine by her.

EH: You get people worried about being profiled by the security services, but they’re being profiled by Google and Facebook without any concern. But they’re very worried about GCHQ.

If the product is free, then you are the product.

Organisations have completely lost sight of the fact we lend them that information. They don’t own it

MG: Everything we do online is generating data that is being harvested.

What’s more frightening is the complacency of the organisations harvesting our information, and how little respect they seem to have for our personal data.

Nearly half of organisations turn round and say they’re just not compliant with data protection. You think: “hang on a second, you’re not even compliant with the law!” It’s not optional, it’s the law. You’re not compliant with it, and you’re happy to say you’re not compliant with it. It’s almost like people see data protection as optional.

On one hand they want to gather all this data about us – our movements, shopping, habits – and on the other they’re saying they can’t be bothered to keep it safe and secure.

Organisations have completely lost sight of the fact we lend them that information. They don’t own it.

As data subjects we remain the subjects of our personal data. They have an obligation to look after it on our behalf.

So when organisations like Talk Talk, V-Tech, Sony, say they take the protection of their customers’ data very seriously, I say “well hang on a second, you just lost hundreds of thousands of records, how could you take it seriously?”

Then they say they didn’t lose anything serious – just name, address, date of birth, your email, possibly your name and age of your kid.

What does that say culturally about how important they view us and our information?

IG: Thank you, it’s been fascinating. Is there anything else you want to add?

EH: I was really interested in the US idea of having a cyber expert on the board. There’s very few reasons why they would want to do that, unless they wanted to place accountability in commercial organisations for serious data breaches.

Where the US goes the UK normally follows. So from a best practice and security hygiene perspective, businesses need to think about this. But realistically we also know they shy away from it because of the difficulty and complexity of language. So if we can facilitate a more collaborative and inclusive attitude then it might start to make a difference.
