Mark Brown On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
15 min read, Sep 18, 2022

Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Mark Brown.

Mark Brown joined BSI on 1st February 2021 in the role of Global Managing Director of the Consulting Services, Digital trust business and has almost 30 years of expertise in cybersecurity, data privacy and business resilience. He has previously held global leadership roles across industry organizations and professional services, including tenures as Global CISO at SABMiller plc, and Global CIO/CTO at Spectris plc, as well as leadership roles as a Senior Partner at Wipro Ltd., and was also a Partner at Ernst & Young (EY) LLP.

Mark brings a wealth of knowledge including extensive proficiency on the Internet of Things (IoT) and the expanding cybersecurity marketplace as organizations grapple with digital transformation and addressing new technology that brings new business opportunities and risks, with a sharp focus on proportional and pragmatic response based on his practical industry leadership experience.

Mark is internationally recognized as a leading authority on information resilience with a focus on cybersecurity and data privacy, presenting a focus on the way IT can enable business strategies. He currently leads techUK’s Industry 4.0 Cyber Security sub-committee examining the business impacts of Industry 4.0 on Cybersecurity and how businesses can be incentivized to safely adopt new technologies at minimal risk. Mark is also an elected member of techUK’s Connected Home Group, chairing the Cybersecurity & Data Privacy sub-committee and internationally has been elected to lead the landscape analysis studies within the Medical Device Innovation Consortium’s (MDIC) 5G Enabled Medical Devices working group.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born and raised in Scotland as the middle child of a typical working-class family. My father was an electrician, my mother a housewife. I had an older brother and a younger sister. The focus at home was getting a good education and remaining fit and active through sports, a mantra that I carry forward into my family life today.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

There isn’t one single story that saw my move into the world of cybersecurity, more so a collection of life events that in combination saw me fall into cybersecurity as a career. I always demonstrated a natural flair for computing as a child, although it must be said that growing up in the 1980s in Scotland, there was limited access to computers. I joined the British Army in the early 1990s and as a result of a training injury, became office bound for months. During that time, I was able to deepen my knowledge in computing and enhance my skillset. Over the next few years, I was able to enhance my skills which eventually led to an appointment in a role where I was responsible for providing the security guidance on two of the British Army’s largest operating systems.

On leaving the forces in the mid-2000s, a role in IT was an expected next step for me. In hindsight, it was a fortuitous choice of direction as the world was just starting to recognize the importance of cybersecurity — in both the business landscape and society.

Can you share the most interesting story that happened to you since you began this fascinating career?

I have been fortunate enough to have worked in a variety of organizations throughout my thirty-year career in cybersecurity. Beginning with my military and government experience in the British Army, and then navigating my way through different industries such as consumer goods, data center management, industrial engineering, and professional services consulting, I have learned a lot and will always be grateful for this journey. However, through this myriad of experience, there are several interesting incidents, some of which cannot be recounted due to national security and others through client confidence.

What stands true about all my experiences however is the levels of constant change and the need for constant adaptation to circumstances. Life doesn’t stand still and neither does the world of cybersecurity — indeed a phrase I often use with clients in my advisory capacity is that “you have to sprint to standstill on the treadmill of cybersecurity”.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

There are a number of character traits that I work to. Trust, empowerment, diligence, attention to detail, galvanizing teams, ideation and invention and a natural curiosity. The level of impact on my career of these traits has transitioned over time as I climbed the seniority ladder within organizations.

As a leader, ensuring that my team has the opportunity to express their views, be seen, and to be afforded the opportunity to impact direction, is a critical objective that embodies trust and empowerment. When I take on responsibility for leading a new team, I always seek to empower, to trust individuals to bring their experiences to the forefront and to make the right choices. Rather than being a leader who directs, I prefer to be a leader who coaches and develops their teams to success.

This leads into my second key trait as a leader which is to galvanize teams. Much of my experience in galvanizing teams comes from my time in the British Army. Often thought of as a hierarchical organization where directional orders from superiors are all that matters, the best leadership models are evident in those leaders who inspire their teams to follow them. Practice what you preach, lead from the front, but listen to ideas from others and bring together a team bound by a common objective to succeed. There are times to lead from the front and there are times when a leader should coach/mentor from behind by offering support. Either way, it is important to ensure that the team is working towards a common and agreed objective.

My third key focus is to accept that life and time doesn’t stand still and that we live in constant change. I possess a curious mind, one that always looks to seek improvement or opportunity and within the world of cybersecurity, this is key. Cybersecurity leaders are often seen as naysayers, constrained by process and policy and stuck in the world of compliance. My cybersecurity focus is to enable business success and if that means changing the way in which cyber risk management objectives are achieved then I seek to explore how to do so. If we simply perpetuate life within constraints then we will never advance as an industry, a career profession or individually, instead slipping backwards towards irrelevance.

Are you working on any exciting new projects now? How do you think that will help people?

I work across a number of projects for clients largely in a strategic advisory role and as such get to be involved in a number of exciting arenas of technology development. One area that is particularly interesting for me currently is examining how the world of 5G and Internet of Medical Things (IoMT) can be leveraged in the delivery of the future of medical care. As technology and communications capabilities develop, there is the possibility to remove the shackles of constrained capacity within the healthcare system and create truly elastic capacity. As healthcare systems around the world struggle to meet the backlog of healthcare needs post COVID-19 pandemic, anything that can be done to rapidly expand the healthcare delivery footprint through 5G and IoMT can only benefit society.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?

There are many varieties of cyber-attacks that happen in the world today, but I will outline the 10 most common ones. As we become more aware of the various types of cyberattacks, it will become easier for us as a society to protect our networks and systems against them.

1. Malware Attack

This is one of the most common types of cyberattacks. “Malware” refers to malicious software viruses including worms, spyware, ransomware, adware, and trojans. The trojan virus disguises itself as legitimate software. Ransomware blocks access to the network’s key components, whereas Spyware is software that steals all your confidential data without your knowledge. Adware is software that displays advertising content such as banners on a user’s screen. Malware breaches a network through a vulnerability, for example when the user clicks a dangerous link, downloads an email attachment, or when an infected pen drive is used.

2. Phishing Attack

Phishing attacks are one of the most prominent widespread types of cyberattacks. It is a type of social engineering attack wherein an attacker impersonates a trusted contact and sends the victim fake emails. Unaware of this, the victim opens the email and clicks on the malicious link or attachment. By doing so, attackers gain access to confidential information and account credentials. They can also install malware through a phishing attack.

3. Password Attack

It is a form of attack wherein a hacker cracks your password with various programs and password cracking tools like Aircrack, Cain, Abel, John the Ripper, Hashcat, etc. There are different types of password attacks like brute force attacks, dictionary attacks, and keylogger attacks.

4. Man-in-the-Middle Attack

A Man-in-the-Middle Attack (MITM) is also known as an eavesdropping attack. In this attack, an attacker comes in between a two-party communication, i.e., the attacker hijacks the session between a client and host. By doing so, hackers steal and manipulate data.

5. SQL Injection Attack

A Structured Query Language (SQL) injection attack occurs on a database-driven website when the hacker manipulates a standard SQL query. It is carried out by injecting malicious code into a vulnerable website search box, thereby making the server reveal crucial information. This results in the attacker being able to view, edit, and delete tables in the databases. Attackers can also get administrative rights through this.

6. Denial-of-Service Attack

A Denial-of-Service Attack is a significant threat to companies. Here, attackers target systems, servers, or networks and flood them with traffic to exhaust their resources and bandwidth. When this happens, catering to the incoming requests becomes overwhelming for the servers, resulting in the websites they host either shutting down or slowing down. This leaves the legitimate service requests unattended. It is also known as a DDoS (Distributed Denial-of-Service) attack when attackers use multiple compromised systems to launch this attack.

7. Insider Threat

As the name suggests, an insider threat does not involve a third party but an insider. In such a case, it could be an individual from within the organization who knows everything about the organization. Insider threats have the potential to cause tremendous damage. Insider threats are rampant in small businesses, as the staff there hold access to multiple accounts with data. Reasons for this form of attack are many; it can be greed, malice, or even carelessness. Insider threats are hard to predict and hence tricky.

8. Cryptojacking

The term cryptojacking is closely related to cryptocurrency. Cryptojacking takes place when attackers access someone else’s computer for mining cryptocurrency. The access is gained by infecting a website or manipulating the victim to click on a malicious link. They also use online ads with JavaScript code for this. Victims are unaware of this as the crypto mining code works in the background; a delay in the execution is the only sign they might witness.

9. Zero-Day Exploit

A Zero-Day Exploit happens after the announcement of a network vulnerability; there is no solution for the vulnerability in most cases. Hence the vendor notifies the vulnerability so that the users are aware; however, this news also reaches the attackers. Depending on the vulnerability, the vendor or the developer could take any amount of time to fix the issue. Meanwhile, the attackers target the disclosed vulnerability. They make sure to exploit the vulnerability even before a patch or solution is implemented for it.

10. Watering Hole Attack

The victim here is a particular group of an organization, region, etc. In such an attack, the attacker targets websites which are frequently used by the targeted group. Websites are identified either by closely monitoring the group or by guessing. After this, the attackers infect these websites with malware, which infects the victims’ systems. The malware in such an attack targets the user’s personal information. Here, it is also possible for the hacker to take remote access to the infected computer.

For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?

Critical industrial systems are referred to by a number of different names, e.g. Operational Technology (OT), Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC). Whilst referred to by differing names, they are predominantly found in the industrial sectors and critical infrastructures and supporting industries such as electrical, water and wastewater, oil and natural gas, chemical, transportation, telecommunications, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods).

Unlike IT, when these systems break, the ripple effect of their failure is felt way beyond the individual asset and can result in societal level disruption such as power blackouts, transportation blockages and loss of integrity and security within the supply chain.

Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?

In 2021, there were 22 reported significant disruptions to critical industrial systems. Some of the most prominent incidents were in May 2021 with disruption seen at Molson Coors, Sierra Wireless, Ardagh Group, Colonial Pipeline and JBS Meats.

All these events are significant as in one way or another they impacted critical supply chains either at a societal level or to other organizations. The Colonial Pipeline ransomware incident is a perfect example of the significance of such a breach as it saw a week-long downtime for the largest gasoline pipeline in North America and resulted in widespread gasoline shortages in the southeast region of the United States, impacting power and utilities as well as transport hubs such as airports.

Why are critical industrial systems particularly vulnerable to attack?

Critical industrial systems are particularly vulnerable to attack as they are typically legacy in their nature and represent a less modern technology landscape than the world of IT. The sensitivity of the processes managed by these devices makes it more difficult to deploy traditional cybersecurity tools onto the industrial systems and therefore they are often left “insecure”. This is further compounded by the fact that most of these systems are not managed by the IT department, instead being cared for by OT Engineers who are not aware of the cybersecurity risk or implications. The OT Engineers are typically focused on safety and availability of the systems, with a secondary or indeed tertiary concern for confidentiality and security, therefore leaving these systems exposed.

What makes critical industrial systems such an attractive target for bad actors?

The attractiveness to bad actors of critical industrial systems is two-fold. Given the earlier explanation of why they are so vulnerable, this makes these systems “easy targets” for cyber-attackers as they know that the standard cybersecurity defenses are highly unlikely to be deployed in protection of these assets. The second reason why they are an attractive target is because of the level of impact of such a device being compromised. Given the criticality of the processes supported, either at an organizational or indeed societal level, the organization whose asset has been compromised will suffer near instantaneous and drastic financial impact. This makes it highly likely that the organization will seek to mitigate the impact by paying any ransom promptly to seek to recover their operational status.

Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?

Cyber attacks are a risk to everyone across society, both organizationally and as private individuals. In most cases, it will be an organization rather than an individual who will be targeted by a cyber-attack; however, the consequence and downstream impact will most likely be felt by private individuals. This downstream impact therefore explains why class-action lawsuits are commonplace in the aftermath of a cybersecurity or large-scale privacy breach. Should this happen, then the cycle of impact will revert to organizations as they seek to limit the impact to both brand reputation and financial damages, which can run into hundreds of millions of dollars.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

There is no simple answer as to who should be called first, as in most cases the impacts will be different and there are several stakeholders that will need to be involved. Whilst law enforcement is often perceived as a critical first step, the role of legal counsel, insurer and press relations should all be early candidates for notification. All will likely have the same first question though, namely what has happened and for that reason, the cybersecurity expert and forensics team should be on a priority focus. Without their insight, the other stakeholders will simply be unaware of what has occurred and the impact of the incident to be managed.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Whilst I am not generally an advocate of legislative and regulatory response to guide cybersecurity, given the societal level risks and impacts resulting from cyber-attacks on critical industrial systems and critical national infrastructure, it is somewhat inevitable that regulatory reform in this arena is the path to follow.

Organizations managing such systems have to realize the societal responsibilities they hold and recognize that unlike IT, failures in this area have much broader impact and need to be evidenced as being addressed both in the short and long term.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

  1. Create an asset inventory — you simply can’t protect what you don’t know you have.
  2. Bridge the gaps between your IT and OT functions and establish coordination points between the two teams and identify the core controls and policies that apply to both IT and OT.
  3. Deal with your legacy.
  4. Clean up your past — most companies seek to run before they walk — take the time to clean up your past and secure legacy systems with vulnerabilities.
  5. Monitor your present — establish a continuous security monitoring capability for your OT assets.
  6. Plan for the future — think about future sector developments and how OT technologies will evolve, embedding principles of security by design.
  7. Leverage specialist software to analyse your OT environment to identify changes to assets, communication links, vulnerabilities and potential attack vectors.
  8. Do the work — don’t treat this as a project with an end state — it requires ongoing activities to sustain the benefits of steps 1–4.
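One way to make items 1, 5 and 7 of this list concrete, as an added example that is not part of the interview: a small Python reconciliation of a baseline OT asset inventory against what passive network monitoring observed, reporting new and missing assets, firmware drift, communication links outside the approved design, and assets running a firmware version with a known advisory. Every device name, address, firmware version and the advisory label below is a constructed placeholder.

```python
"""Reconcile an OT asset inventory against observed assets and flows.

Added example; not code from the interview or from BSI. All data is
constructed sample data, not real devices, addresses or advisories.
"""

# Item 1: the inventory as the OT team believes it to be (constructed).
BASELINE = {
    "plc-01": {"ip": "10.10.1.11", "vendor": "VendorA", "firmware": "2.1.0", "zone": "cell-1"},
    "hmi-01": {"ip": "10.10.1.50", "vendor": "VendorB", "firmware": "5.4.2", "zone": "cell-1"},
    "hist-01": {"ip": "10.10.2.20", "vendor": "VendorC", "firmware": "1.8.0", "zone": "dmz"},
}

# Communication links approved in the network design: (src, dst, tcp_port).
ALLOWED_LINKS = {
    ("hmi-01", "plc-01", 502),   # Modbus/TCP from HMI to PLC
    ("hist-01", "plc-01", 502),  # historian polling the PLC
}

# Firmware versions with a published weakness (constructed placeholder label).
VULNERABLE_FIRMWARE = {("VendorA", "2.1.0"): "ADVISORY-PLACEHOLDER-1"}

# Items 5 and 7: what passive monitoring observed in the last window (constructed).
OBSERVED_ASSETS = [
    {"ip": "10.10.1.11", "firmware": "2.1.0"},   # plc-01, unchanged
    {"ip": "10.10.1.50", "firmware": "5.4.3"},   # hmi-01, firmware changed
    {"ip": "10.10.9.9", "firmware": "unknown"},  # not in the inventory
]
OBSERVED_FLOWS = [
    ("10.10.1.50", "10.10.1.11", 502),    # approved HMI -> PLC link
    ("10.10.9.9", "10.10.1.11", 502),     # unknown host talking Modbus to the PLC
    ("10.10.1.50", "10.10.1.11", 44818),  # HMI -> PLC on a port not in the design
]


def reconcile(baseline, allowed_links, vulnerable, observed_assets, observed_flows):
    """Return a dict of findings; each list is empty when nothing was detected."""
    ip_to_name = {a["ip"]: name for name, a in baseline.items()}
    findings = {"new_assets": [], "missing_assets": [], "firmware_drift": [],
                "unexpected_links": [], "vulnerable_assets": []}
    seen = set()
    for obs in observed_assets:
        name = ip_to_name.get(obs["ip"])
        if name is None:                      # asset not in the inventory
            findings["new_assets"].append(obs["ip"])
            continue
        seen.add(name)
        expected = baseline[name]["firmware"]
        if obs["firmware"] != expected:       # change to a known asset
            findings["firmware_drift"].append((name, expected, obs["firmware"]))
        advisory = vulnerable.get((baseline[name]["vendor"], obs["firmware"]))
        if advisory:                          # legacy firmware with a known weakness
            findings["vulnerable_assets"].append((name, advisory))
    # Inventoried assets that went silent deserve a look as much as new ones.
    findings["missing_assets"] = sorted(set(baseline) - seen)
    for src_ip, dst_ip, port in observed_flows:
        src = ip_to_name.get(src_ip, src_ip)  # fall back to the raw IP for unknown hosts
        dst = ip_to_name.get(dst_ip, dst_ip)
        if (src, dst, port) not in allowed_links:
            findings["unexpected_links"].append((src, dst, port))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(BASELINE, ALLOWED_LINKS, VULNERABLE_FIRMWARE,
                                 OBSERVED_ASSETS, OBSERVED_FLOWS).items():
        print(f"{kind}: {items}")
```

Run repeatedly (item 8) with the baseline updated only after each finding has been reviewed, so the inventory stays the approved state rather than drifting to match whatever appeared on the network.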

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Given the societal impact of cybersecurity, and the inspiration of doing good for society as a whole, I am inspired by the concept of “paying it forward”. The creation of an altruistic group who would donate their services and experience in cybersecurity to benefit society as a whole on a national, multinational and international level would establish a force for good that can educate the next generation, support the current generation and collectively support resolution of cyber-attacks as they occur.

How can our readers further follow your work online?

I post regularly through a number of forums including Forbes Technology Council, LinkedIn and Twitter, as well as thought leadership articles and blogs posted on the BSI website. The following links are the best places to read more of my thoughts and experiences in cybersecurity:

https://www.forbes.com/sites/forbestechcouncil

https://www.bsigroup.com/en-gb/our-services/digital-trust/cybersecurity-information-resilience/Resources/forbes-Technology-Council-blogs/

https://www.linkedin.com/in/markofsecurity/

https://twitter.com/markofsecurity

https://www.bsigroup.com/en-GB/our-services/digital-trust/cybersecurity-information-resilience/Resources/Whitepapers/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.