What’s the cost-of-living crisis got to do with safeguarding energy infrastructure?
The energy industry saw almost a quarter of all UK cyber attacks in 2021, more than any other1. Perhaps the link is not so surprising because many think that phishing and social engineering attacks will grow as criminals exploit employees’ financial fears to gain access to data and systems.
Such findings only add to the pressure on CNI security, ranging from data theft and ransomware that all industries face, to sophisticated threats2 from malevolent nations. Defending CNI is increasingly complex with new security vulnerabilities created as power grids decentralise and more Internet of Things (IoT) devices are deployed.
To help address the dangers, the UK is tightening regulatory compliance. A good example is the update of the Security of Network & Information Systems Regulations (NIS Regulations). Tick all the compliance boxes and you should be safe, right?
Not necessarily. That’s because implementing cyber security management just for compliance can leave organisations overly confident about security. A risk-based approach in which assessments and organisational measures enable risk-based decisions based on technology, cost, threat nature and the likelihood of a risk being realised is better.
Tighter security in the cloud
The risk-based approach almost always points to cloud migration as the most efficient and cost-effective way to strengthen security. The public cloud offers the potential for tighter security than on-premise deployments thanks to centralised security management, automated patching and log monitoring, advanced threat detection and access control.
Ultimately though, the security of cloud-based systems depends on the practices used during and after migration. A rigorous risk-based approach helps ensure proper planning and implementation of cybersecurity during cloud migration, such as robust authentication, reliable access control and accurate configuration of security settings.
It is also necessary to consider shared responsibility for security of the different types of cloud deployment with varying levels of responsibility between the cloud provider and the cloud service customer.
Security that’s designed in
Risks can also rise as organisations take advantage of cloud-native approaches to develop products more quickly, leading to greater application vulnerabilities. DevSecOps embodies a Secure by Design approach that allows vulnerabilities to be identified and addressed early in the development lifecycle, reducing costs while delivering the speed and agility of DevOps.
DevSecOps is not simply about a tool or a process; it is a culture in which security is embedded within software development/operations cycles, with the responsibility for security shared across the team.
Identity management for all
Another pillar of cloud security is Identity and Access Management (IdAM). Shifting to the cloud changes how organisations apply security. Users and resources are no longer inside the corporate perimeter or hidden inside the data centre; instead employees work more from home, field offices and remote locations.
Ineffective passwords and knowledge-based authentication must be revisited, with identity management an essential component of a zero trust framework. This is best achieved with a clear IdAM roadmap to coordinate multiple teams and efficiently onboard applications and systems to the identity governance and access management systems.
NTT DATA can help. As the world’s second-largest managed security services provider3, we offer a broad portfolio of security services built around an advisory approach that supports the highest standards of governance, quality, consistency and outcome.
Please contact us to discuss how to achieve the highest security through cloud migration and modernisation.
Sources
2 https://www.ncsc.gov.uk/news/ncsc-warns-of-emerging-threat-to-critical-national-infrastructure
3 Gartner 2022