Our society depends on electricity so much that we, individuals, take it for granted. If you store food in a refrigerator, work on a computer, save time through online banking, and appreciate instant communication from anywhere in the world… (You get the picture); then you should be thankful to people who keep our power generation running, and to those who protect them from malicious hackers. Like Benjamin Collar, Head of Industrial Cyber & Digital Security for Europe Power Generation at Siemens – who, in other words, helps electrical suppliers stay undisrupted by cyber threats.
We caught up with him in anticipation of the cyber security summit he is helping craft as a steering committee member: CS4CA Europe, uniting IT/OT security professionals from across Europe to collaborate in keeping our critical assets safe from cyber threats – something that, in Benjamin’s words, is less about dark magic than it is about strategy:
Q: How do you explain your job title to someone outside the cyber security industry?
A: Simply put, I help customers stop the bad guys from disrupting electrical supply. I like to dispel the myth that cybersecurity is magic or dark art. It is risk management, to be addressed as a mature enterprise normally would. I grant, though, that there is an abundance of special concerns and approaches in this field.
Q: What are some of the key recent shifts in the cyber threat landscape that you’ve been seeing, and what do you think they mean for cyber security?
A: Something that really strikes me is the power disparity between defenders and attackers. Absolute mundane attacks can have significant effects. The increase in ransomware that affect industrial operations really illustrates the disparity: Norsk Hydro decided to revert to manual operations after a successful attack; the city of Baltimore is facing multi-million dollar costs to recover from ransomware too. These attacks are, frankly, boring. They don’t appear to be extensive, coordinated, spy-versus-spy activities but rather just criminals looking to make a buck. And what can we do about it? It’s been said before and bears repeating: hygiene and user education. It starts and ends there.
Q: Is cybercrime evolving quicker than security?
A: Progress in security requires investment in the first place and market acceptance in the other. If a company develops a new tool, approach or solution, then that company has to productize, market, sell, and execute successfully to have an impact. In most cases that impact will be small (at least at first). Customers have to understand their risk, decide to invest, implement, etc. The timeline for these combined is extensive. On the other hand, new cybercrime approaches require investment, but don’t require the rest to be successful—the rest is just icing! If the new approach works, cha-ching! So yes, cybercrime evolves quicker, is deployed faster and has a faster turnaround. It’s also more measurable than defense, so business-minded criminals see the opportunity for what it is.
Q: What do the next 5 years hold for your industry?
A: I foresee continued investment in hygiene topics and an increasing investment in machine learning. It’s well known that cyber security has a talent gap and our best bet for the mid-term is to augment the available human capital with advanced technical tools.
Q: What is the best or worst security advice you’ve ever heard?
A: Some years ago, we were all told that eating eggs can raise your cholesterol: therefore please don’t, it’s dangerous for your heart health. Somewhat recently we’ve learned that this is not entirely true; if you’re predisposed to high cholesterol, eating eggs increases the risks. The point is this: advice depends on context. What’s good for yesterday, like 8 character passwords or SMS-based 2FA, isn’t good enough today.
Q: What’s your favourite way to stay informed about cyber security?
A: I’m personally a fan of podcasts. I receive and consume enough screen-based information; it’s quite nice to get the daily or weekly news via another medium. Right now I listen to the Internet Storm Center’s StormCast and the CyberWire on a daily basis.
Q: What gets you up in the morning?
A: Morning is one of the few opportunities I have for “quiet time” which is some sense motivates me itself. Most days I get up, do some yoga and meditate, then spend some time with my family. Starting the day like this sets me up emotionally and mentally for the challenges ahead. It’s the daily changes that get me out the door: from one day to the next a new vulnerability can rock the world or new research can open our eyes to ways to improve. Knowing that the customers I work for are protecting the very infrastructure we all depend on, day in and day out, seals the deal for me. Let’s go!
#
Benjamin Collar is a Steering Committee member of CS4CA Europe – the 6th annual European Cyber Security for Critical Assets Summit, to be held in London, 1st-2nd of October 2019. Take part in an event that units all stakeholders in the European industrial cyber security space: secure your Early Bird pass here (save €250 before 1st of August).
