28 July, 2022
In this episode, our new host Chloe is joined by Lucie and Luc to discuss:
The Cyber Security Podcast from PwC UK covers the latest developments in cyber risk, resilience and threat intelligence. In each episode we’re joined by special guests to give you practical insight on how to improve your cyber security and create a more resilient business.
Chloe Seaton: Hello and welcome back to the latest episode of our cyber security podcast. I'm Chloe Seaton, an Ethical Hacker in our cyber security practice here at PwC and your new host. In this episode, we're going to be talking about the growing regulatory focus on the cyber resilience of organisations. It is our increasing dependence on technology which means that the cyber resilience of organisations is more important now than ever, especially for those in regulated sectors such as energy and financial services. It is cyber resilience that protects our national security, the integrity of our markets, and the stability of our financial system. But what does this increased scrutiny actually mean for those organisations in regulated sectors, and what are the actions they need to be taking to improve their cyber resilience and ensure compliance for tomorrow? Joining us in this discussion are Lucie Usher, an EMEA Intelligence Officer at FS-ISAC, the Financial Services Information Sharing and Analysis Centre, which is the only global cyber intelligence sharing community for financial services, and Luc Manfredi, a Director here in our cyber security practice at PwC and the former head of cyber resilience for the energy and gas regulator Ofgem. So to kick off this podcast, I really wanted to get your thoughts on why there is this increasing focus on the cyber resilience of organisations by our regulators. Lucie, if we start with you, what is currently driving this up the agenda?
Lucie Usher: Well, we've observed an unprecedentedly busy two years on the cyber threat landscape. So regulators will be closely monitoring, of course, the same events and incidents that are relevant to our membership too: events such as the ongoing Russia-Ukraine conflict, the fast-paced changing of tactics used by the wide variety of ransomware threat actors, and of course, the supply chain risk. Now not only the regulators and the finance sector, but all sectors will be conscious of the considerations around supply chain risk. Since the pandemic really took hold back in March 2020, there's been a concentrated risk owing to the explosion of software suppliers and the rapid digitalisation of banking systems. So many of the suppliers will have customers across the industry, and this is where being part of a sharing community such as FS-ISAC really comes to the fore. There's also been a shift in accepting that, yes, exercising and knowing what to do to prevent a cyber attack on your organisation or supplier is good cyber practice, but also building in resilience for what to do when that attack happens. It's now more a case of when, not if.
Chloe: So you say that you are only as resilient as your providers. What's the best way for organisations to minimise these third party risks that you've mentioned?
Lucie: Be aware of the suppliers to your organisation, liaise with all of your different units, practise and exercise for those attacks, and exercise for when an attack does happen to your supply chain as well.
Chloe: Yes, right. So as an intelligence officer, what are some of the cyber threats and risks that you are seeing for financial organisations?
Lucie: Well, as I've already said, it's been a really busy past two years, back to, say, 2020 with the initial start of the pandemic and the concerns around the supply chain risk from that wider digital footprint, with large volumes of workers based at home during those lockdowns, through to now with the large focus on the Russia and Ukraine conflict. Now whilst that conflict is ongoing currently and of course has taken a lot of attention and focus, there's been a lot of other cyber related activity that of course would have been of relevance to the regulators as well, such as the increasing variety of different cyber criminals using ransomware and extortion tactics. Now at FS-ISAC we observe the general ebb and flow of the different malware reported to us by members, be that Emotet, Agent Tesla, FormBook, RemcosRAT, and also the proliferation of mobile malware targeting banking applications on handheld devices as well. We've also seen and worked through with our members the supply chain attacks on, say, SolarWinds, Microsoft, Accellion, and these are large suppliers across all of the sectors, not just finance. At FS-ISAC we have a member-led cyber threat level. I always think this is a really important part of what we offer at FS-ISAC. Now it's essentially a thought leadership regional group made up of FS-ISAC members. We at FS-ISAC don't set that cyber threat level, but we enable our members to discuss and derive that themselves. It's not set by ourselves. So within the last eight months, so back to December time in 2021, it's been raised from guarded, consider that more of a business as usual stance, to elevated twice: once back in December before the Log4Shell vulnerability, and then again in February, following on from the Russia-Ukraine situation developing.
It's excellent for our members to share not just their thought leadership and mitigation advice with the wider FS-ISAC community and beyond, but it also goes to strengthen the sectors outside of our community as well as building preparedness too.
Chloe: Switching focus over to you, Luc, now. So if we're looking at this from an energy sector point of view, particularly looking at the critical national infrastructure, where organisations' infrastructure tends to be a lot more complicated with that added layer of operational technology. They're not just dealing with their IT infrastructure now; they have that operational technology that they also need to think about, which has also become more connected to the Internet during the pandemic, with people working from home, raising risks in that area. So with your background in cyber resilience at Ofgem, what does the cyber threat landscape look like for those sectors in energy?
Luc Manfredi: Yes, thank you, Chloe. In particular for the energy sector, we are driving, as everyone knows, towards our Net Zero goals. That means that organisations will be more reliant on data than ever. That means the convergence between operational technology and IT, and that requirement to access data, is going to be increasing, and it's accelerating this transformation. From a threat perspective, that requirement for data obviously means that organisations that perhaps were working in isolation or not directly connected, in particular in their operational technology space, now need that data whilst they're relying on legacy assets, assets that perhaps did not take security into account in the past. That, obviously, from a threat perspective is a massive challenge. And as these organisations have such a massive asset landscape, hundreds of thousands of sites scattered across the country, that means that the transformation and changes that they need to make to their infrastructure will take some time, even to get them to those minimum base standards. Especially in the energy sector we also see a lot of additional players coming into the market, instead of it being a monopoly with only a few players. This requirement for decentralisation means that additional organisations have been added into the scope of the regulation, and obviously additional threats are going to be able to potentially impact those additional organisations. And perhaps they're small and do not even have a security function, considering when they started, so that means that from an impact perspective, this is going to increase quite a lot.
Chloe: Yeah, great. And I think one of the things that's really interesting in the energy sector space is that, because operational technology is now kind of the new thing that we need to protect for our critical national infrastructure, there aren't that many advanced monitoring systems out there for those operational technology networks, and they're very new. So one of the things that I do within my role in Ethical Hacking is thinking about, you know, how are these networks going to be attacked, and what monitoring and defence systems are already out there. And one of the things that we have kind of discovered is that they're not very good at doing that. And I think that's the difference between the energy and the financial sector, if I'm right: because we are now seeing operational technology come to the forefront, we don't have the monitoring systems there quite yet. Is that changing?
Luc: Well, it's evolving, I would say, and we need to think, as you just mentioned now, that the lifespan of the energy sector, or power plants in general, tends to be 20 or 30 years. So a lot of our infrastructure has been built in the 80s and 90s as well. That means that cyber was not even a topic back then. So as you rightly pointed out, a lot of organisations need to start thinking of this concept of defence in depth, especially for the legacy assets. You may still have critical processes running on old, even out-of-support, Windows boxes, without the necessary layers of security that you would expect in the financial sector or any other sectors. And with this increased connectivity that I just mentioned, obviously this is a massive challenge. So what organisations tend to do is to apply these wrappers, if you like: understand what are the crown jewels, the critical processes, the SCADA systems, the critical infrastructure that actually runs activities, and then understand what type of monitoring they can do. The challenge, like I said, is that we're talking about legacy infrastructure. In many cases, organisations still have somewhat of a flat network that is not really divided between the operational technology space and the normal corporate networks. So they always need to go on a journey: understand what they've got, understand the crown jewels, segregate the network and only then start thinking about monitoring the lower levels. That's evolving, and especially over the last three years it has been evolving a lot. And there are a lot of specific monitoring technologies for operational technology that are helping to drive that change, but it's taking time, especially as we're talking in general about energy having hundreds of sites, different levels of maturity and legacy systems, so it takes a long time. The change process is quite slow.
Chloe: And would you say that your clients are waking up to that fact that they need to do that now, or would you say that it's still a bit of a slow burner, still trying to get, you know, leaders on side in this space?
Luc: No, I think that since 2018 they have made substantial progress. Obviously, before the regulation was there, this was really slow, but now there's a massive focus from all regulators really to make clear why this is important. And now, as you said, the first thing is to ensure they have leadership sponsorship and support all the way from the CEO, and the right governance in place. And especially this is a new challenge for CISOs as well, because back then they were only perhaps responsible for IT. That's what they know, that's what they've been doing for years, and all of a sudden, oh, I need to worry about all this new space, and they don't even speak the same language as the engineers on the ground. So they need to break those barriers first, get the buy-in, then start speaking the same language with the business and the engineers, and try not to impose that normal cyber mindset on those technologies, because that will not fly in the lower levels.
Chloe: Yeah, I think it's building that bridge between the engineers on the ground and the people that have been doing IT security all their career. Thank you. So in response to these growing threats, and the potential impact of them, what is the regulatory action that we see around cyber security and cyber resilience? We've mentioned it a little bit. Lucie, let's start with you on that.
Lucie: OK, so, say, the Bank of England and the Prudential Regulation Authority, also more commonly known as the PRA, run the CBEST framework, which is an intelligence-led penetration exercise. The best way to think of it is like a toolkit to assess an organisation's weaknesses and vulnerabilities. So this is an absolutely excellent way to identify and assess those financial organisations deemed critically important, to stress test their systems, strengthening their posture and, in turn, the wider financial ecosystem.
Luc: That's a really good point. So in a way, like I mentioned before, all these sectors are slightly behind in comparison with the financial sector, and this is something that they're trying to leverage from them as well. And in the future, they're going to be introducing a similar scheme across all the different critical infrastructure sectors. But so far, the main focus, like I mentioned, is on the regulation to ensure that all operators meet this very basic profile, minimum requirements in terms of cyber resilience, and then take it to the next level. But like I said, it will take some years to progress. So in particular, we've been working with the NIS regulation for the last two years, sorry, four years now, since 2018, in particular in the UK. Now this is evolving, because so far the sectors that are captured are what were deemed to be critical sectors back then, which is only water, electricity, health and obviously communications and financial services. But this has been evolving over the last couple of years, and what is called NIS2 is coming on the horizon, in particular firstly in Europe, and this is also going to be introduced in the future in the UK after Brexit. But this is, especially on the back of the pandemic and what we have seen so far, expanding and dividing what they call essential services and also important sectors. So that means additional areas not considered essential before, like public administration and space, and additional areas that cover important sectors, which will include critical manufacturing. For example, we saw in the pandemic how food is now extremely important, obviously, and especially manufacturers of medical equipment. Those are going to be considered and captured by the regulation as well.
So that will mean that a lot of sectors that perhaps in the past did not have to take cyber into account, or where the level of maturity was really, really low, especially if we're talking about food production and the supply chain around those areas, will need to start thinking about what these new requirements are that are going to be posed by the regulators.
Chloe: Great. Thank you. And just on that point, and, you know, either one of you can answer, Lucie or Luc: for these, you know, now important sectors that are the added group in the regulation, the NIS2, how are they going to cope? Where do they start when it comes to understanding their cyber threat landscape? Lucie, if we start with you.
Lucie: Of course. So I would say for non-financial organisations they should engage with their own sector regulator and get advice there, but also the UK's National Cyber Security Centre, the NCSC, have a wealth of advice and guidance on their website. They are a helpful bunch and really responsive to feedback on their guidance as well. They have their active defence programme, and their advice and recommendations are really, really useful, so we emphasise that and push our members to the NCSC advice as well.
Luc: Yeah, absolutely. And that will be the first recommendation in general from regulators. There is a lot of information out there, and obviously these organisations will need to start from somewhere. Their number one thing is to understand your essential service, understand what your crown jewels are, understand what you've got, what the things are you cannot live without, and take it from there. Ensure, as I discussed before, that you have the right support from the top: what the requirement is going to be, what the role is going to be if you have a CISO, or what the requirement is from a governance perspective, to ensure that you can push any security initiative, because without that buy-in at the top of the organisation it's really difficult to progress. And once you understand your assets, especially if the organisation has a lower level of maturity, they need to be at least in a position, if something goes wrong tomorrow, to know how they're going to be able to respond and recover. So the second thing that regulators will normally discuss with organisations is that, until you progress your improvement plan and get the basics of security in place, at least have a well-rehearsed response and recovery plan, and again, working with the likes of the NCSC, they can support on that as well, especially if they are essential services or critical sectors.
Chloe: So it's to protect the crown jewels, buy in from the top and also a good recovery plan. Am I missing anything out of those?
Lucie: I don't think so. I think also sort of siloed departments have just got no place in the cyber threat world right now. So know absolutely all of your departments and what they do, and also have a good comms strategy as well; include them in your exercising.
Chloe: Yes. Information sharing. Great. So we've touched upon it a little bit there, but just adding a little bit more meat to the bones now, I guess the important bit, why our listeners have tuned in. So what does this actually mean for these organisations, the ones that are now the important sectors, but also the ones that are critical? What does this mean? What are the action steps, and what do they need to focus on now to ensure compliance, especially now we've got NIS2 coming in?
Luc: Yeah, sure. The first thing they will be required to do, and this is by all regulators, as I mentioned before, is to perform an initial self-assessment to understand what the current security posture is across all the different areas of the site, and in particular in the UK against the Cyber Assessment Framework, or CAF. And this again, like I mentioned, is starting from the basics: understand what you've got, understand your assets and what your current governance is, and then drill down the levels to understand how you manage risk, which is the core of the NIS regulation. And once you understand your assets, you can do an exercise to perform your self-assessment against your crown jewels, against the threats that you may have identified in particular. And again, it doesn't have to be super specific; you can start at a high level, get your key assets first, perform that self-assessment, and then the suggested approach is to do that mapping against the CAF and against your controls, and understand what the risks are and how to mitigate them. That obviously will lead to a transformation programme or improvement plan. And that's what organisations normally need to showcase to the regulator, and how they are going to progress this, which again evolves over many years in some cases, depending on where they start on the journey.
Chloe: And is there anything additional from a financial perspective that you would like to add there, Lucie?
Lucie: No, I don't think so. I think Luc has covered it really. But just to reiterate, just be vigorous in your self-assessment and make sure you're continuously exercising, testing to find the gaps, plug them, reassess and test again.
Chloe: So would it be fair to say that our financial sector appears to be more mature in their resilience planning compared to the energy sector?
Lucie: Whilst I wouldn't want to compare them to the energy sector, the finance sector is obviously quite mature in this regard and whether they are required to or not, information sharing does help firms get intelligence and knowledge of best practices needed to ensure that compliance as well. They're able to discuss in communities what the threats are, at FS-ISAC we have members explaining their own analysis on particular intelligence and also how other firms can mitigate against that threat. Also, we've got different working groups for special interests and that's a really useful way for organisations to talk and discuss different types of threats and interests. And I think that the finance sector have just been doing this for a longer period of time.
Chloe: Yeah. And I think, you know, with anything, even if it's across sectors, there are lessons to be learned. So that's why I asked the question: is there anything that, you know, the financial sector is doing that the energy sector could?
Luc: Well, as I mentioned before, CBEST is an absolutely brilliant scheme. I think they will be able to replicate what the financial services sector is doing in terms of its CBEST scheme, because that's a really well thought out process on how to perform testing against specific threats. And I think all the other sectors are going to be introducing that in the short term as well. That will be really key, I think. And also the interest groups that Lucie mentioned are something that all the sectors are leveraging as part of the NCSC, and that is working really well, in particular in areas like you mentioned that perhaps have not been considered in the past, like security monitoring for OT and other initiatives where perhaps other sectors are slightly behind. So they can leverage the lessons learned from the financial sector and from the NCSC, obviously, and how they can really upskill their security capabilities quite quickly.
Chloe: Great. Thank you. So this is a question for you, Lucie, and Luc, we'll start with Lucie. Do you have any examples of some of the ways that organisations are addressing this to improve their cyber resilience and ensure compliance?
Lucie: Well, again, that does go back to whether or not they're part of information sharing groups. And I think that's a really, really useful way if you consider it like a safer neighbourhood sort of scheme; I can't help but refer back to my police background. If you can ensure that your good cyber practice works, then you can also share that wider across the industry. And we have wide public-private partnerships that we largely support with the UK and the NCSC, for instance, and again, it's spreading that experience and knowledge throughout the other sectors as well.
Chloe: Is that kind of where we're at within the energy sector or would you say that information sharing is still a learning curve?
Luc: No, they have certain ways to share information. They have their own forums where they get together and they discuss threats and any matters regarding security. So that's already in place, only for the last couple of years to be honest, but it is working quite well. But again, in terms of specific activities that they are doing, as I mentioned before, as they have such a massive asset base, imagine thousands of sites all across, in particular in the UK, for example, they start doing some sampling, getting different types of sites, some legacy, some from US sites, to perform those self-assessments that we were discussing. So they can understand the different levels of controls and how they will vary depending on the size, if they are newer or if they are older, especially as we've been discussing so far, as we open the floodgates with more data, integrating operational technology into the scene as well.
Lucie: There's also a few cyber coordination groups in the UK who work with the regulators to address issues like third party supply chain issues or cloud security. So it's always really good to know that it's not just a one way street.
Chloe: Yeah, and Luc, your answer mentioned, you know, different regions across the world, which leads us nicely into the next question. So we've already talked a little bit about incoming NIS2, but what does the future regulatory landscape look like outside of our front door? We're talking about different regions across the world now. So in other countries, what are they doing to improve their cyber resilience, and what regulations are they facing?
Luc: Yeah, this is a really good point. In particular, for example, in America, in the US, they have in the energy sector what's called NERC CIP, which is also similar to what we have in the UK, but they have a slightly different approach: instead of being a risk-based approach, somewhat in certain areas they need to comply with a minimum set of requirements, and sometimes it could become a tick-box exercise. So we need to be really careful, and that's why I think the NIS regulation learned from that, in a way, to avoid operators of essential services seeing this and saying, OK, I need to comply with the standard, and then only doing things that are bounded by the standard, because as we've been discussing so far, threat actors do not think that way. It always has to be a risk-based approach. And I think that's the main lesson learned from the NIS regulation, and it's going to continue to evolve as part of NIS2. And I think over the next couple of years we're going to be expanding the footprint, as NIS2 already expands it to new sectors, sectors perhaps with that lower level of maturity that will take some years to evolve, especially in the operational technology space. The pace of change, as we were discussing, tends to be slower. So in order to make any change in the regulatory space, we always need to think that this is going to take two, three, four or more years ahead to actually be implemented on the ground, and the threat actors do not think that way; the threats are right now. So that's also something that we always need to consider.
Chloe: Great. Thank you. And what about you, Lucie, from the financial sector perspective? What are you seeing in other regions around the world in terms of their regulation?
Lucie: So for our sector, it's not just financial regulators making the regulations any more. Cyber, well, it's everybody's game now. So the regulatory landscape is getting more and more complicated. So whilst NIS2 does try to achieve a level of harmonisation, as Luc's mentioned, between the regulations, all sectors and governments are essentially continuously playing catch-up to the current risk and threat landscape. Compliance is especially complicated for multinational companies, who are encountering the same type of legislation, however in multiple locations, so the overhead to comply with new efforts around the world is greater. However, efforts like the cyber risk profile, which has been developed by the industry, attempt to map all global regulations back to NIS so you can self-assess once and then reuse that in multiple locations.
Chloe: So to provide a recap, we've talked about the current geopolitical climate and what exactly is driving up this agenda of increased regulation to improve cyber resilience, and we've shone a light on the greater digitalisation and operational technology. We've dived into the actions organisations need to be taking now that regulations are tightening, finally providing some details around what exactly those new regulations are, for example NIS2. But before we wrap up, I wanted to ask our guests today for their final thoughts and a piece of advice or takeaway for our listeners. Luc, if we start with you.
Luc: Yeah, in terms of advice, my suggestion would be not to wait for the regulation to hit your door. Really, this is something you can start right now, especially for the organisations that are not captured by the regulations as yet, because the last thing you want, especially if your level of maturity is really low, is to only be starting when the regulator is knocking at your door, because that will show that you've not been investing in cyber before. So the self-assessment, everything that we have been talking about so far, is something that organisations can and should really be starting right now, especially considering how the new sectors are going to be captured by additional regulations.
Chloe: Great, so that's being proactive rather than reactive. And you, Lucie?
Lucie: I would say you're not alone. There are others having similar discussions to what you might be wanting to have. So please join in with your peers and also seek out those sharing communities, share experiences and your mitigation advice, be a good citizen and exercise, exercise, exercise.
Chloe: Thank you so much both and thank you to our listeners for tuning in. Don't forget to subscribe to our cyber security podcast to help you stay ahead of the cyber trends and issues that matter most. In the meantime, you can check out our website at pwc.co.uk/cybersecurity. See you next time.