INTERVIEW: Ian Goslin, head of UK cyber security at Airbus discusses how to protect critical infrastructure and being ready for cyber threats
Protecting critical infrastructure
In Newport, Airbus is focusing research on industrial systems and how they can be protected from cyber attacks. There’s also a clear focus on critical infrastructure.
“We are in a very privileged position because research is extremely valued at Airbus, and is one way that the company remains such a leading-edge technology company. This ethos feeds right through to our section of the company and allows us to research and develop tools for threat intelligence, incident response, and penetration testing,” says Goslin.
“The Innovations Centre at Newport in Wales is focused on industrial control systems and ways to make them more secure. It examines the threat vectors that national critical infrastructure organisations face, and ways to defend against them.
“They are developing advanced cryptography for SCADA systems, and have also done some work on sheep dip computers, which are used to test files on removable media for viruses and malware, to ensure they are safe to be used on industrial sites.”
Building on its history of securing the aerospace industry, the company recently partnered with SITA to deliver cyber security services for the air transport industry.
“Airports are a vital part of national critical infrastructure, and an essential part of a functioning economy and modern society. As a result, the airport industry remains a prime target for cyber attackers looking to cause disruption and chaos,” explains Goslin.
“Following our experience of securing the manufacturing process for Airbus aircraft, we have also grown our customer base among vertical industries involved in industrial control systems, including a range of energy and utility companies.”
Businesses are ill-prepared
According to Goslin, cyber threats are diverse and constantly emerging.
He says that businesses and the general public can be affected if they have poor cyber hygiene. In many cases, they’re simply unaware of the scale of attacks.
“Today’s threat actors cover the full spectrum, from nation state hackers to criminal groups and hacktivist groups, but the threats launched depend on the type of organisation being targeted and the degree of their cyber understanding and resilience,” he tells us.
“Threats are becoming richer and more mature, but it is usually the simple exploitation of poor cyber hygiene that results in the greatest threats to the general public. The WannaCry outbreak was a classic case of what can happen when cyber hygiene is neglected, particularly in regards to patching.
“Once good cyber hygiene and defences been put in place, it’s important to focus on how quickly we respond, stop, block and recover from attacks. It’s the speed of our response that matters. It’s naive to believe that we will always be one step ahead – for example, when zero-day attacks are launched, they take advantage of new vulnerabilities that haven’t yet been reported, so they often have some initial effect before they are spotted and dealt with; the trick is to identify early and respond quickly in order to minimise the impact.”
Commenting on recent attacks, he points out to WannaCry and NotPetya: “The most notable attacks in recent years have to be the recent WannaCry and NotPetya attacks, for the sheer scale of the damage they caused and the number of organisations affected across the globe. Their success is disappointing, given that they were associated with poor cyber hygiene, but it has at least brought the importance of good cyber hygiene to the fore.”
“One of the most sophisticated attacks to date was Stuxnet. Likely to have been state sponsored, it proved that even systems that have been air gapped can be compromised, which is worrying given how heavily the technique is relied upon in OT environments,” he adds.
Looking to the future
Many in the industry are worried that there’s a growing cyber skills shortage, but Airbus is one of the companies looking to change this. Goslin explains how his company has been working with academic institutions to train the cyber pros of the future.
“We partner with universities, including Cardiff, to offer students support as they go through their Masters and PhDs. We also advise universities to help make sure cyber security syllabuses remain as relevant as possible for the workplace,” he says.
“We run a variety of recruitment and development programs to bring in and develop young people, and we take time to expose them to issues in the cyber security space. As we grow the business, we are also bringing in engineers with broader skill sets and helping them to develop specialisms in cyber security. We are a member of the National Cyber Security Centre and help our employees to obtain their Certified Professional (CPP) certification.”
Speaking about the future of cyber security, Goslin concludes: “Over the coming years, we’re likely to see more of the same types of attacks we experience today – but, like all organisms, these threats will evolve. Malware will become more challenging, social engineering will become more sophisticated, and the attempts to compromise poor cyber hygiene will increase and become more targeted.
“One threat that is likely to increase in the future is the corruption of information. Rather than flagrant data theft, we can expect hackers to try and corrupt data in order to lead organisations to make poor decisions.
This is a much more complicated threat because it is so difficult to spot – it leaves such a small footprint behind, that even when it’s been identified and eradicated, the damage that has been done is often too subtle to pick up.”
Do you know all about security in 2017? Try our quiz!