In-depth

CNI: employers, not hackers, are the real risk

Inside the enterprise: Carelessness, not conspiracy, could prove the greatest threat to national infrastructure.

Powerlines

There's been no shortage of security advice for businesses recently. Earlier this month, GCHQ and the Department of Business, Innovation and Skills issued guidance for corporations on how to protect themselves from cybercrime.

And this week, companies running parts of the critical national infrastructure, or CNI, have come in for scrutiny and so has the behaviour of their staff, with a new guidance document produced by the Centre for Protection of National Infrastructure and PA Consulting, a management consulting firm.

Governments around the world have started to worry that critical national infrastructure, including power, water and transport, has become a target for both cybercriminals and for foreign governments keen to disrupt a potential adversary, or an economic rival.

The idea that a government, or groups associated with them, might attack another nation's CNI has led to organisations, such as NATO, putting cyber warfare higher up their agenda.

Security groups have also started to discuss the idea of a Geneva Convention for cybersecurity: governments might agree, for example, that hospitals should never be attacked by a virus, or a distributed denial of service attack.

But the definition of national infrastructure is broadening as governments and security agencies realise how much different parts of the economy depend on each other.

Electricity or water might be obvious critical infrastructure, as are transport and healthcare. Equally, though, fuel is critical and so are fuel deliveries; we all need to eat, but without banks or even cash machines, people cannot buy food. The result is that more companies' systems are critical, on a national level, than their IT managers might initially think.

According to Bill Windle, one of the co-authors of the report and a security specialist at PA Consulting, this is illustrated by studies in the US that suggest big cities would start to lose vital services just a day and a half after a power outage, as equipment for pumping water or sewage stop working.

A cyber attack, though, is not the only way critical infrastructure might fail. Sometimes, as Windle points out, problems are caused not so much by bad people, but by good people trying to cut corners or make honest mistakes. There is also the danger, he says, that some employees will engage in "counterproductive behaviour" if they think no-one is watching.

The result is a document called HoMER, for holistic management of employee risk. The guidance spans the accidental or foolish such as sharing passwords to fraud or theft, or installing malware on employers' systems. But the guidance is not just about controlling employees' actions: it also encourages staff to think more about information security, and also challenge behaviour they spot that could be unsafe.

"In IT security, people are always the weak link," says Windle. "If you look at Stuxnet, that was an advanced technical attack, but it was also designed to spread via USB. There will always be attempts to exploit social engineering or human actors."

It may be one more document to add to the reading list, but as the guidance suggests, safety is as much about creating trust between the employer and employee as it is about building ever higher walls.

Stephen Pritchard is a contributing editor at IT Pro

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
Justice Department unveils civil cyber fraud initiative to battle online crime
cyber attacks

Justice Department unveils civil cyber fraud initiative to battle online crime

7 Oct 2021
Senator to introduce new bill to force ransomware payment disclosures
ransomware

Senator to introduce new bill to force ransomware payment disclosures

6 Oct 2021
The best defence against ransomware
Whitepaper

The best defence against ransomware

1 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021