National Grid CISO talks up security convergence

National Grid's chief information security officer and head of digital risk Graham Wright talked targeted attacks, critical infrastructure and the blurring of physical and digital security at a recent London conference.

UK National Grid under constant cyber-attack

In a keynote speech at the Cyber Security Summit in Westminster, London last week, Wright – who has previously held senior cyber-security roles in the Cabinet Office, Ministry of Defence and at Northrop Grumman – described how his role was primarily to support the business and ‘keep the lights on and the gas moving’.

“For me security is and will only ever be a supporting functionality that is there to enable the business,” he said, before adding that his job is also to speak up when the business measures are ‘not necessarily thinking about security’.

He continued that much of his job was ‘translating’ vulnerabilities and other risks to boardroom members and said that it is important to place as much emphasis on correct procedures as on ensuring the protection of data and sensitive information – as an incident could have a ‘direct impact on the sort of equipment we operate’.

In his presentation, the National Grid CISO described how he has the equivalent of a CERT team reporting to him, as well as other groups that take care of information architecture (such as new data centres), GRC, training and awareness, privacy and legal (co-shared with another senior manager).

Interestingly, he said that the company is increasingly seeing the blurring of the lines between physical and digital security – adding that ‘most of our physical security is dependent on networks’. At the same time, there are controls to keep out intruders and customised SCADA-like systems that regulate gas.

As far as the threats are concerned, Wright talked about how remote control access is an ‘increasing risk’ and said that the National Grid's systems are ‘bespoke’ systems that go beyond SCADA systems and come from ‘boutique companies that went out of service years ago’.

“We're worried about terrorism, domestic and international, IP theft – (although National Grid doesn't have a huge amount) – and fraud, but it's not a bank.” Wright went on to say that this meant the National Grid had to balance its security focus, and hinted that the company has previously been hit by denial-of-service (DoS) attacks on its websites relating to fracking – even though the group is not directly involved in such projects.

Phishing has been a problem in the past, says Wright, revealing that phishing emails often form the base layer of ‘very good targeted attacks’. National Grid's own security awareness training revealed that 80 percent of its staff was able to spot spear phishing emails.

He went on to say that the insider threat remains a concern given the deluge of inter-connected devices, as well as physical threat and vandalism, and cited Stuxnet, Shamoon and Saudi Aramco as examples of the threat facing critical infrastructure.

“Critical infrastructure…that's the thing that will really worry National Grid.”

Speaking shortly after the presentation, 451 Research security analyst Javvad Malik said in an email that the move to merge physical and information security has had ‘varying degrees of success’ – much like previous talk of a paperless office.

“Whilst having your door access control system on the same network and under the same control of the network administrator; in isolation it tends to not add a great deal of value,” he told SCMagazineUK.com.

“Where we are seeing things get more interesting is where correlation systems are able to take such information and ingest it to provide additional context.

“For example, as a sysadmin, I may see that Doug has logged onto a system in an office at a weirdly late time. If I have the ability to correlate this with your physical badge swipe, and IP-based CCTV and other stuff then it becomes useful. 

“The other challenging part is that physical has a large impact on security from non-security controls. For example, your HVAC may not be a typical security control, or one that a sysadmin is best equipped to deal with in terms of knowing what operating parameters should be. But in most buildings they are on some sort of IT system and centrally controlled. So do you bring those into the IT security realm or leave those to be managed by facilities?”

Malik says that, ultimately, such a convergence will depend on the business.

“It will vary depending on each company and the types of controls – so this on-off love affair between virtual and physical security will continue to get drawn out longer than we had to wait for Bruce Willis and Cybill Shepherd to get it on in Moonlighting.”
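
The logon and badge-swipe correlation Malik describes can be expressed as detection logic; the following is an added example, not part of the original article or anything Malik or National Grid supplied. The events, site name, office hours and four-hour badge window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): console logons and door badge-ins.
LOGONS = [
    {"user": "doug",  "site": "office-a", "time": "2024-03-04T23:41:00"},
    {"user": "priya", "site": "office-a", "time": "2024-03-04T22:15:00"},
    {"user": "sam",   "site": "office-a", "time": "2024-03-04T10:05:00"},
]
BADGE_INS = [
    {"user": "priya", "site": "office-a", "time": "2024-03-04T21:58:00"},
    {"user": "sam",   "site": "office-a", "time": "2024-03-04T08:50:00"},
    {"user": "doug",  "site": "office-a", "time": "2024-03-04T08:30:00"},
]

WORK_START, WORK_END = 7, 19       # assumed office hours (local time)
BADGE_WINDOW = timedelta(hours=4)  # assumed: a badge-in this recent vouches for presence


def after_hours(ts):
    """True when the timestamp falls outside the assumed office hours."""
    return not (WORK_START <= ts.hour < WORK_END)


def correlate(logons, badge_ins, window=BADGE_WINDOW):
    """Return one finding per after-hours on-site logon, with badge context."""
    findings = []
    for logon in logons:
        t = datetime.fromisoformat(logon["time"])
        if not after_hours(t):
            continue
        # Badge-ins by the same user at the same site shortly before the logon.
        recent = [
            b for b in badge_ins
            if b["user"] == logon["user"] and b["site"] == logon["site"]
            and timedelta(0) <= t - datetime.fromisoformat(b["time"]) <= window
        ]
        verdict = "badge-in seen" if recent else "no recent badge-in: investigate"
        findings.append((logon["user"], logon["time"], verdict))
    return findings


if __name__ == "__main__":
    for user, when, verdict in correlate(LOGONS, BADGE_INS):
        print(f"{when} {user:<6} {verdict}")
```

A late logon alone is ambiguous; the physical record is what separates someone working late in the building from a console session with nobody badged in.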