Steven Kenny, Architect & Engineering Program Manager, and Andrea Monteleone, Segment Development Manager, Critical Infrastructure, at Axis Communications, have joined forces to pen a thought leadership article entitled; Keeping up with cybercriminals: Protecting critical infrastructure and industrial operations. 
Organisations that design and implement video surveillance and security solutions for industry and critical infrastructure face intense pressure to provide both physical and cyber protection.
Threats such as ransomware continue to be a serious concern for businesses and organisations in most countries with cyber becoming increasingly relevant.
All members of the value chain must navigate mitigating these attacks, as well as a changing regulatory environment, to maintain compliance. Cybersecurity, and protecting our critical systems and infrastructure, is a shared responsibility.
Almost every industry is critical now
Before the digital age, attacks on essential services were exclusively physical. But the universal application of connected technologies in all areas of life has created the opportunity for bad actors to use both physical and digital means to disrupt services.
The result is that major state organisations now must deal with threats on a digital front, ones that have the potential to be very costly.
Due to the highly connected nature of global supply chains, more industrial sectors are now defined as essential.
We abruptly discovered how much we depend on a huge number of services and products, which are now considered as essential. Just two or three years ago, many people would not have regarded the production and supply of semiconductors as critical.
But supply issues during the pandemic demonstrated how essential chips are to many – if not most – modern industrial processes. The ‘butterfly effect’, where a small disruption in one system can have a major impact on another in the future, was shown to be true for the globally integrated technology supply chain.
Cybersecurity is a challenge for regulators
Governments and regulators are having a hard time keeping up with the fast pace of change in cybersecurity. Some have changed the way they regulate the challenges posed by cybersecurity.
The NIS directive and more recently the introduction of the NIS2 Directive across the EU is a good example of this. However, some governments, rather than defining what providers of essential services need to have implemented in relation to cybersecurity, put the onus on the providers to prove that they have the necessary measures in place to stay cyber secure. Only time will tell if this approach works or needs to change.
This change has serious implications for the providers themselves and any party providing expertise and solutions within the essential entity supply chain. The entire value chain – upstream and downstream – will be under scrutiny.
Surveillance solutions need to form part of the supply chain
The protection of essential services has always been a priority. Physical measures – perimeter fences, access control, and security guards – have been enhanced through technology, with advanced video surveillance solutions in place at every essential service facility.
The increasingly connected nature of these solutions has, of course, also placed them on the front line for cyberattacks and under the scrutiny of evolving regulation.
Because of this, we need to ensure surveillance solutions meet the physical and cybersecurity requirements of today and can adapt to evolving challenges and regulations.
This demands ‘system thinking’. We must see the security solution as a whole rather than a selection of separate devices and consider the relationships between the hardware and software of the solution itself, along with its integration into the broader infrastructure of the essential service provider.
Engaging with partners throughout the value chain is key to this process, and so is working with managed service providers (MSPs) whose first priority is to meet enterprises’ and organisations’ security needs.
Meeting design requirements
Those designing and specifying solutions must consider the potential wider risks posed by the technical offering that they are recommending. While the primary focus of a solution should be to address the defined operational requirements, IT and cybersecurity provisions are now also essential.
And as such, vendors and consultants must ensure any product or service meets the security policies of the individual customer, including all relevant regulation applying to the customer’s organisation.
Mitigation factors such as secure boot, signed firmware, security components that enable automatic and secure identification of devices, and a trusted platform module (TPM) should be specified.
Specifications should also include important third-party certifications, vulnerability policies, security advisory notifications, and a clearly defined security development model.
Finally, a lifecycle management approach should be included. Using device and solution management tools and a documented firmware strategy mitigates the future risk of an attack and safeguards customers moving forward.
Together, resilience, policies and processes will help organisations adapt to the evolving threat landscape.
Confronting an evolving environment
Enterprises and organisations in the region cannot afford disruptions to their essential services. At a minimum, disruption will have an economic impact which could result in a stop in the production process, but this can also quickly turn into significant societal issues and a potential risk to health and human life.
Adequate protection from cyberattacks is, therefore, vital. Everyone involved in the value chain, especially when it comes to critical infrastructure and industrial operations, needs to respond to this challenge, including those designing and specifying surveillance solutions. While business operations may depend on the shared responsibility of mitigating cyberthreats, the consequences for our society could be much greater if we don’t all take them seriously.
