We haven’t always had electric light at the flick of a button, let alone instant internet connection. And yet, these are things we ‘can’t live without’ now – so much so, that most of our other critical assets rely on such commodities running 24/7. With that in mind, we take a moment to appreciate those who dedicate their careers to securing the smooth running of the energy sector – people like Ingolfur Thor Gudmundsson, Senior Information Security Officer [Security, Risk & Compliance, Finance & IT] at Ørsted.

 

Apart from protecting his company and all their stakeholders from cyber threats, Ingolfur is also a Steering Committee member helping craft the agenda for this year’s CS4CA Europe – the Cyber Security for Critical Assets summit uniting IT & OT security professionals to collaborate in addressing the cyber threats jeopardising Europe’s critical assets. In anticipation of the summit, we ask Ingolfur about his work and predictions for the cyber security industry:

 

Q: What gets you up in the morning?

 

A: My main motivation in my professional life is to contribute to the green transformation by helping secure a stable generation of green energy. It sounds grandiose, but this is what has kept me wanting to work in the energy sector and especially within cybersecurity: Knowing that every day we are doing more and more to protect our company and all our stakeholders. Reaching this goal is an ever-growing challenge, and working in a challenging environment gets me up in the morning.

 

Q: How do you explain your job title to someone outside the cyber security industry?

 

A: This can be very tricky at times. I remember when, very early in my career, back in Iceland, I tried explaining to my relatives that, as a communication technician, I was keeping the telephone and internet systems running. Their response was “but I can always make a phone call or go online without any issues, so why are you needed?”

 

I guess this confusion is quite common, especially when you combine the terms IT & OT, critical infrastructure, essential services, and cybersecurity. There are areas, especially within critical infrastructure, where people take extremely important services for granted – such as the availability of phone lines, of the internet, and of electricity coming in from the sockets at home. But in reality there are a lot of efforts being made “behind-the-scenes” keeping these essential services running.

 

Q: What are some recent key shifts in the cyber threat landscape that you’ve been seeing, and what do you think they mean for cyber security?

 

A: There are increasing threats, on a daily basis, against companies that deal with critical infrastructure and/or essential services – such as energy and utility companies. Energy companies will need to continue increasing their protection levels, based on changing risks and evolving threats, in order to protect one of society’s most needed commodities: electricity.

 

Q: Is cybercrime evolving quicker than security?

 

A: As we know, cybercrime is increasing and we’re seeing more and more ransomware attempts in critical infrastructure sectors – the latest being the Norsk Hydro attack. But not only ransomware attacks seem to be increasing, other general attacks that could potentially disrupt the delivery of essential services are too. I don’t think we’ve seen the last cyber-crime attack yet, so we need to remain vigilant.

 

While keeping in mind that the next attack is most likely not going to be identical to previous ones, companies and authorities need to be diligent in learning from the attacks that have happened. So it is very important to be able to communicate what is going on or has already happened, both internally and externally, on a need-to-know basis. The Norsk Hydro attack is a prime example of great communication processes working. Good business continuity plans are key for restoring services after an attack.

 

Q: What do the next 5 years hold for your industry?

 

A: We will likely see more attacks and major breaches – possibly breaches and disruptions directly affecting critical infrastructure sectors. There will be more focus on regulatory compliance within the energy sector, both with the current and future versions of both EU-NIS in Europe, NERC-CIP in the US, and other countries expanding their regulatory frameworks for critical infrastructure around the world.

 

Increasing regulatory compliance does not necessarily make us secure, but these are baseline minimum requirements. Layers of protection on top of regulatory requirements are still needed, based on each organisation’s risk appetite.

It is the responsibility of each country to secure their essential services/critical infrastructure, including reliable power supply to the people, and this responsibility must be taken more seriously. Operators of essential services must also protect themselves and, last but not least, push their suppliers even further to deliver more secure systems and be drivers of security improvement.

 

Q: What is the best or worst security advice you’ve ever heard?

 

A: “Why would anyone want to target us”, which is a common misconception in today’s world. No matter how small or big your organisation is, you can always become a target, and if not a specific target, a casualty of a cyber-war.

 

Q: What’s your favourite way to stay informed about cyber security?

 

A: Listening to IT/OT/ICS security related podcasts. I’d recommend one in particular: the “BeerISAC ICS Security Podcast”, which summarises all relevant OT/ICS podcast episodes in one place. I also usually end the week reading “Dale’s ICS Security Friday News & Notes” by Dale Peterson.

 

Ingolfur is a Steering Committee member for CS4CA Europe, the annual Cyber Security for Critical Assets summit dedicated to safeguarding Europe’s critical assets from cyber threats. This year’s summit takes place in London, 1st-2nd of October 2019. To book your place and for more information, visit: https://europe.cs4ca.com/