Day one of the Cyber Security Conference 2016 got off to an interesting start when Ralph Langner, one of the main protagonists behind the analysis of the Stuxnet malware found to have infected most of the world's nuclear reactors, announced to the audience that our nuclear power plants are still so vulnerable that a serious attack is almost inevitable. It certainly woke up the delegation from Sellafield.
Perhaps that wouldn't have been so bad had he not then gone on to explain how one would go about planning and mounting an attack. (Hopefully Ralph has no plans to join IS anytime soon.) In short, if your organisation uses industrial control systems (like most critical infrastructure facilities), then your security is seriously at risk and, short of going back to operating these systems manually, it doesn't appear that there is much that can be done about it.
Next year, let's hope Ralph fulfils his promise and returns to deliver Part 2: how to defend against a cyber attack.
Much of the morning session covered the current landscape in the industrial control system world, with Ian Buffy also covering the recent (Dec-15) attack, which brought down the Ukraine power grid for 2 hours after hackers took control of the power station before trashing a range of components. Nice!
The afternoon session moved onto more central themes, including talks from Richard Bach, of the Dept. of Culture, Media and Sport, covering the government's activity and cyber security plans over the coming 2 years; Andy Hayne, from Secarma, raising the UK skills gap issue; and Seb Somes from the MOD, explaining their current strategy for improving security and reducing risk through their supply chain.
The main themes coming through from all speakers during the day were:
- Every business and organisation should be implementing Cyber Essentials no matter how small.
- Cyber attacks are inevitable so we just need to get used to that idea.
- Start preparing. This means two things: take action to improve your protection (Cyber Essentials), but don't assume that protection will ever be enough, so prepare an action plan so that when something does happen, you know how to respond.
The day closed with a set from comedian Arron Bennett on his experience of identity theft, both against him and what happened when he stole the identity of the Home Secretary. Funny… well, it was until he got himself arrested!
A gloriously bright morning welcomed visitors to day two of the conference with another great line up of speakers and topics.
Highlights for me were Jenny Radcliffe and her revelations of the "people hacker", or social engineering. No high tech shenanigans here, just good old fashioned confidence tricks, techniques and skills to extract valuable information from unsuspecting organisations. Jenny was as persistent in her presentation as no doubt she would be in real life, reminding the audience that no matter how good they might be personally at detecting or evading her hacking charm, she would eventually find someone in their organisation who wasn't. Think cyber security is your biggest risk? Think again!
Other speakers reiterated the point; in particular, Brian Campbell of Fujitsu was quick to point out that the most successful phishing attacks are usually preceded by a significant amount of detailed social engineering. And if you have ever used a spreadsheet for storing your passwords, as I have, well, this talk would put paid to that idea. Brian showed the audience all the data recovered from a recent key logging malware infection, which included, amongst many other things, thousands of screen grabs displaying everything that would have appeared on the display over the time of the infection.
Other talks included Sam Alderman-Miller from Darktrace, selling advanced network monitoring software, which monitors your network in real time and helped Drax power station avert a potentially devastating outage, while Stuart Wilkes explored what we should all learn from the TalkTalk breach with the benefit of hindsight. To avoid a 20% drop in share price and a very confused response to the public and media, the lesson was easily drawn: you need to pre-plan for the eventuality that you will get hacked, even and especially if you think you won't.
A number of speakers also touched on yesterday's theme of the widening skills gap, although extended slightly with some startling figures that showed the number of women in IT at only 10%, its lowest ever level. Now that's not a great stat for any industry, which the conference agreed, and a discussion session followed on what we as an industry should be doing to address the problem. Now, while well intentioned, this all felt a bit like tinkering at the edges. With stats this bad, I really wonder if this is a time for some direct positive discrimination in favour of women. (Maybe we'll come back to explore this issue again, and I really hope our next recruit won't be a man.)
Dan Prince closed the morning session with an impassioned case for being optimistic if you are a North West cyber security business. Lots of skills, research, entrepreneurship and opportunity in what is a growing security sector. Quite simply, with an increasing amount of 'stuff' to protect in an environment of increasing threat, what reason is there not to be optimistic?
All in all an excellent conference, with lots to think on and work on as I return to Holker, where I'm certainly looking forward to bringing more of the cyber security piece into the work we do with our customers. What's not to be optimistic about indeed?