ISC2 SECURE London 2024 addressed several key topics of cybersecurity concern today, including the threat posed to critical infrastructure, artificial intelligence, cloud security and supply chain risks.

As 2024 comes to a close, the cybersecurity sector can look back on a year of considerable change and challenge. Technology advancement, new threat types and several high-profile events have ensured that practitioners have been kept busy all year protecting the digital landscape for organizations and society.

As attendees at Prospero House in Borough Market for last week’s ISC2 SECURE London event learned, the year ahead is set to bring even more of these challenges, spearheaded by the rise of artificial intelligence (AI) and the risks associated with our ever-growing reliance on digital supply chains and our increasingly connected critical national and international infrastructure.

Governance and Critical Infrastructure

SECURE London began with a detailed look at “role governance as code” by Kirill Bogdanov, CISSP, a regional security team lead and security architect at EPAM Systems. His presentation looked in detail at elements such as cloud roles, identities, their lifecycle and governance.

“It is not easy to simply extend what you have on-premise into the cloud,” Bogdanov explained. “There are a number of challenges to overcome. There is no one size fits all solution. You are often dealing with at least two types of identities to implement, as well as [variations] in cloud infrastructure, as well as then having to cater for human actors as well as machine actors. They both need and share access to the same infrastructure and resources; they both need access to the same privileges and roles. But you can’t use the same approach for both,” he added, highlighting that was where the security challenges and considerations begin to manifest and why effective role governance is so critical in today’s increasingly automated and off-premise environments.
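As an added illustration of what "role governance as code" can look like in practice (this is example code written for this page, not EPAM's or Bogdanov's tooling), the Python checker below lints a declarative role manifest before it is deployed. It applies one lifecycle rule set to every role and a different authentication rule set to human and machine identities that, as the talk stresses, share the same resources. The manifest schema, role names and policy thresholds are assumptions made for this example.

```python
"""Role governance as code: lint declarative role definitions before deployment.

Added example for this page; it is not EPAM's or the speaker's tooling. The
manifest schema, the role names and the policy thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    role: str
    rule: str
    detail: str


# Constructed manifest: a human role and a workload role that share the same
# resources but cannot be governed the same way.
ROLES = [
    {
        "name": "data-platform-admin",
        "principal_type": "human",
        "resources": ["bucket/analytics", "db/warehouse"],
        "owner": "platform-team",
        "review_days": 90,
        "mfa_required": True,
        "credential": "federated-sso",
        "console_login": True,
        "max_session_seconds": 3600,
    },
    {
        "name": "etl-runner",
        "principal_type": "machine",
        "resources": ["bucket/analytics", "db/warehouse"],
        "owner": "",                     # nobody to attest the role at review time
        "review_days": 365,
        "mfa_required": False,
        "credential": "long-lived-key",  # static secret instead of a workload identity
        "console_login": True,           # a pipeline should never reach the console
        "max_session_seconds": 900,
    },
]

MAX_REVIEW_DAYS = 90        # assumed policy: every role is re-attested quarterly
MACHINE_MAX_SESSION = 3600  # assumed policy: workload tokens live at most an hour
MACHINE_CREDENTIALS = {"workload-identity", "short-lived-token"}


def check_role(role: dict) -> list[Finding]:
    """Return every policy violation in one role definition."""
    name = role["name"]
    findings = []
    # Lifecycle rules apply to both kinds of identity.
    if not role.get("owner"):
        findings.append(Finding(name, "missing-owner", "no accountable owner for access reviews"))
    if role["review_days"] > MAX_REVIEW_DAYS:
        findings.append(Finding(name, "review-cadence",
                                f"reviewed every {role['review_days']} days, limit is {MAX_REVIEW_DAYS}"))
    if not role["resources"]:
        findings.append(Finding(name, "empty-role", "grants no resources; remove it"))
    # Authentication rules differ by principal type.
    kind = role["principal_type"]
    if kind == "human":
        if not role["mfa_required"]:
            findings.append(Finding(name, "human-mfa", "interactive identities must enforce MFA"))
        if role["credential"] != "federated-sso":
            findings.append(Finding(name, "human-credential", "humans authenticate through SSO, not local credentials"))
    elif kind == "machine":
        if role["console_login"]:
            findings.append(Finding(name, "machine-console", "workloads must not have console access"))
        if role["credential"] not in MACHINE_CREDENTIALS:
            findings.append(Finding(name, "machine-credential",
                                    f"{role['credential']} is a static secret; use a workload identity"))
        if role["max_session_seconds"] > MACHINE_MAX_SESSION:
            findings.append(Finding(name, "machine-session", "workload sessions must be short-lived"))
    else:
        findings.append(Finding(name, "unknown-principal-type", kind))
    return findings


def check_manifest(roles: list[dict]) -> list[Finding]:
    """Lint every role; an empty list means the manifest may be applied."""
    return [f for role in roles for f in check_role(role)]


def shared_resources(roles: list[dict]) -> list[str]:
    """Resources reachable by both a human and a machine role: the places where
    the two governance regimes meet and where a gap in either is most costly."""
    by_kind = {"human": set(), "machine": set()}
    for role in roles:
        by_kind.get(role["principal_type"], set()).update(role["resources"])
    return sorted(by_kind["human"] & by_kind["machine"])


if __name__ == "__main__":
    for f in check_manifest(ROLES):
        print(f"{f.role}: {f.rule}: {f.detail}")
    print("shared by humans and machines:", shared_resources(ROLES))
```

Run as a pre-apply gate in the pipeline that deploys the roles: a non-empty finding list blocks the change, and the shared-resource list tells reviewers which assets are exposed to both governance regimes at once.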

Nick Palmer, technical director at Censys, followed with an insightful look at the challenges of protecting the UK’s critical infrastructure and ensuring essential utilities do not fall victim to a cyber-attack.

Palmer explained that over 80% of exposed administrative interfaces relate to building controls such as heating and air conditioning systems. These are seemingly low-level services, but they are increasingly connected to the same networks as business-critical services, creating a potential route into a network that may be an easy target if vulnerabilities are not patched and the systems are not insulated from the public internet. He also looked at some of the protocols at risk, such as EtherNet/IP and DNP3, at the dangers of unprotected human-machine interfaces (HMIs), and at how these are raising the risk level within critical infrastructure environments.

“There was a whistleblower quoted in one of the national newspapers, working for one of the water companies. He said that ‘some of the software is older than me, some of the hardware is older than my dad’. The problem this raises is a very pressing one,” Palmer noted, highlighting that in an operational technology (OT) scenario such as a utility, these systems are part of the so-called “crown jewels”, the most valuable assets in most need of defense.

“The problem here being that we know what we should be doing, as there are lots of mandates and guidance available for us as practitioners to secure this infrastructure, but there are a variety of constraints and resource issues that we need to keep in mind when trying to approach the task.”

Palmer went on to discuss and illustrate several steps organizations could take to safeguard critical infrastructure from emerging threats, whether in a critical infrastructure/OT environment or by mapping the same steps onto other industries and scenarios.

Supply Chains and AI

Today’s interconnected digital landscape relies heavily on supply chains and a network of suppliers and other third parties to do their part in ensuring an effective defense against cyber threats. However, the smaller organizations that underpin most economies and make up the bulk of supply chains face significant economic, resource and skills challenges in building cyber resilience in the face of an ever-growing and highly sophisticated threat landscape.

Steve Johnson, CISSP, head of information security at Risk Ledger and Fiona Bail of the National Cyber Resilience Centre Group, in a session hosted by Edward Parsons, VP of Global Markets and Member Relations, led attendees in a discussion focused on the need for change in supply chain cyber risk management and how to better build resilience.

The panel noted that organizations in every sector are becoming more connected and more digital. Supply chains are therefore becoming more important by the day and consequently so are their cybersecurity measures and countermeasures.

“In the 2024 Verizon Data Breach Investigations Report, it estimated that 15% of data breaches involved a third party. When we surveyed ISC2 members, we found that 70% were spending more time evaluating third-party software and hardware,” Parsons explained.

The micro, small and medium-sized businesses that form most of our supply chains and of the UK economy face significant challenges in building cyber resilience.

“I think there is understanding among large companies that they know the risk, but there’s a limit to what they can do with all their supply chains. It’s often hard to identify who they should be talking to and if they have found a problem, what support they can give to those smaller companies,” Bail said.

This perceived risk and the challenges of addressing it were also noted by Johnson, who explained that the potential impact of disclosing an issue is often itself an obstacle to addressing supply chain cybersecurity shortcomings.

“As a supplier, being open about a vulnerability has consequences. There is potential for reputational impact, as well as commercial impact, so there’s often a reticence to step forward and understand what those problems are,” said Johnson, who also participated in ISC2’s supply chain task force earlier this year which produced a report on supply chain cybersecurity information sharing challenges.

The panel continued with a wide-ranging discussion of the need for change in supply chain cyber risk management to overcome these concerns and improve communication and peer learning between smaller and larger supply chain partners.

Isabel Barberá, AI privacy and security engineer at Rhite and an expert advisor to the European Union Agency for Cybersecurity (ENISA) followed this session with a look at the AI threat landscape. Barberá discussed key security concerns in AI development, procurement and use, along with explaining strategies to consider for risk management and compliance with emerging regulations like the recently adopted EU AI Act.

Executive Accountability

Communicating an organization’s security and compliance posture requires specific focus and associated strategies if it is to engage executives and the board in terms they understand. A broad panel of professionals came together to discuss the importance and complexities of cybersecurity communication: Kevin Fielder, CISSP, ISSAP, ISSMP, CISO of NatWest Boxed and Mettle; Chris Gunner, group CISO at Pepper Financial Services Group; Owen John, CISSP, CCSP, head of cyber architecture at Imperial Brands; and James Packer, CISSP, CCSP, ISC2 board member and cybersecurity transformation leader at EY Switzerland, with Jon France, CISSP, CISO of ISC2, as panel chair.

“You will never find the same board anywhere twice,” said Gunner, making the point that board communication around cybersecurity must be tailored to the organization in question. There is no single playbook that will work for everyone, echoing Bogdanov’s earlier point that there is no one-size-fits-all solution. “I’m in my third CISO role; each one has had entirely different requirements for how much detail the board wants, and how and when they want it presented,” added Fielder.

The panel explored board accountability and effective ways to communicate and align security goals with business objectives.

To close the day, Matt Rowe, chief security officer at Lloyds Banking Group, rounded off a thought-provoking and informative programme with a session on tackling security in the face of uncertainty about future needs and threats. While the long-term geopolitical outlook remains unclear, the need to maintain effective cybersecurity and operational resilience remains critical. Rowe discussed what a security model for the next age might look like and how to achieve it.

“We are moving to an era of increased volatility. As security professionals we’ve all been saying this for a while, but I do believe we are seeing this elevate to a new level,” said Rowe. “We are in a market transition that is being driven by Gen AI in particular, but by emerging technology more broadly. We are in a transition right now, and it’s critical to understand when you are in a transition, to know that you are in one. Those that do will have an advantage.”

Rowe’s session looked at the need for safe velocity in relation to cybersecurity, ensuring that transitioning at speed to new and emerging technologies doesn’t compromise cybersecurity capability and best practice.