Imagine waking up one morning in the sweltering summer heat of Dubai to find that your air-conditioning is not working. The power is out, so you cannot even turn on your coffee machine.
Sounds unpleasant, doesn’t it?
Now imagine this is a cyber-attack that has also taken away the ability of hospitals to provide critical care for patients, prevented airports from operating efficiently, and brought Dubai to gridlock through the failure of its traffic management systems. Suddenly, that coffee seems very insignificant.
This is the stuff of nightmares, but it is not entirely implausible. Thankfully, the UAE Cyber Security Council, under the steady hand of its Chairman, Dr. Mohammed Hamad Al Kuwaiti, is mitigating the risk through proper planning and preparation, so that the impact of an attack can be minimised were one to succeed.
He recently announced that, thanks to the efforts of the national security operations centre, the nation’s cyber security capabilities are actively mitigating a daily average of 50,000 attacks on key sectors.
What is Critical National Infrastructure / Critical Information Infrastructure?
These key sectors are commonly referred to as Critical National Infrastructure (CNI) or Critical Information Infrastructure (CII). Think of these as national assets that are essential for the functioning of society.
In the UAE, these are Emergency Services, Healthcare, Electricity & Water, Government, Transportation, Oil & Gas, Information & Communication Technology, Finance & Banking, Trade, and Tourism & Real Estate.
For comparison, the United Kingdom designates 14 sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, Water and, very recently in September 2024, Data Centres. Designating data centres as CNI recognises that they are vital to the nation’s operational resilience, and it allows the UK Government to support and protect the sector in the same way as the other critical sectors so that it can withstand cyber-attacks, IT outages and other emergencies. This is no coincidence, given that the United Kingdom is home to the highest number of data centres in Western Europe.
So how can we protect critical information infrastructure from cyber threats?
- Identify Risks – being proactive helps you find weaknesses and threats before an adversary does, whether they are insider threats, physical threats or cyber threats.
- Secure Networks – don’t make an adversary’s job easy. Use firewalls, encryption and multi-factor authentication.
- Protect Physical Access – control who enters facilities, and use cameras and on-site security.
- Plan for Attacks – it is not a case of ‘if’ but ‘when’. Have an incident response plan (more on this shortly) and a backup plan in place, socialise them so they are fit for purpose, and keep them ready to go.
- Limit Access – apply the ‘Need to Know’ principle and least privilege, so that people are granted only the permissions their role requires.
- Follow Security Best Practices – there is a plethora of industry standards and frameworks available to you, such as Cyber Essentials, ISO/IEC 27001, the NIST frameworks (Cybersecurity, Risk Management, AI Risk Management and Privacy) and IEC 62443 when considering ICS/OT.
- Secure your Suppliers – ensure your supply chain and vendors follow the cyber security measures you have set for them, and verify that they do.
- Use Threat Intelligence – stay up to date on new threats using Cyber Threat Intelligence (CTI) and Open-Source Intelligence (OSINT).
- Network Segmentation – keep critical systems in their own zones, separated from less trusted ones, with only explicitly approved traffic allowed between zones; a Zero Trust architecture takes this further by verifying every access rather than trusting the network location. A compromise elsewhere is then far less likely to reach the critical systems.
- Train your Employees – teach everyone about phishing, social engineering and cyber hygiene. Make sure they can apply it in their personal lives too; you are more likely to get greater buy-in as a result.
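As an added illustration of the ‘Limit Access’ and ‘Network Segmentation’ points above (this is example code written for this article, not code from the original page or from any UAE or UK guidance), the following Python models three network zones with a deny-by-default allow-list of the zone-to-zone flows that have been deliberately approved, and then checks a batch of connection records against it. The zone addresses, the permitted ports, and the flow records are all constructed for the example and are not real network data.

```python
"""Zone-based flow allow-list check (added example, not from the article).

A segmented network is modelled as named zones. Only the flows on the
ALLOWED list may cross a zone boundary; everything else is a violation.
This is the deny-by-default idea behind segmentation: the allow-list is
short, deliberate and reviewable, and anything outside it is a finding.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical zones and addressing (constructed for this example).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control_network": ipaddress.ip_network("10.30.0.0/24"),
}

# Approved inter-zone flows as (source zone, destination zone, destination port).
# Note that corporate IT is never allowed to reach the control network directly;
# it must go through the DMZ.
ALLOWED = {
    ("corporate_it", "ot_dmz", 443),      # historian web UI hosted in the DMZ
    ("ot_dmz", "control_network", 502),   # DMZ historian polls PLCs over Modbus/TCP
    ("control_network", "ot_dmz", 514),   # syslog from the control network to a DMZ collector
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Return the zone name containing ip, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> str:
    """Classify a flow as 'intra-zone', 'allowed' or 'violation'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return "intra-zone"  # inside one zone; not governed by the inter-zone policy
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return "allowed"
    return "violation"       # includes traffic from addresses in no known zone


def parse_flows(lines):
    """Parse constructed records of the form 'src_ip dst_ip dport'."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append(Flow(src, dst, int(port)))
    return flows


def find_violations(lines):
    """Return every parsed flow that is not on the allow-list."""
    return [f for f in parse_flows(lines) if evaluate(f) == "violation"]


# Constructed sample flow records (not real traffic).
SAMPLE = """
# src dst dport
10.10.4.7 10.20.0.10 443
10.20.0.10 10.30.0.21 502
10.10.4.7 10.30.0.21 502
10.10.4.7 10.30.0.21 3389
10.30.0.21 10.30.0.22 502
192.0.2.9 10.30.0.21 502
""".splitlines()

if __name__ == "__main__":
    for f in find_violations(SAMPLE):
        print(f"VIOLATION {zone_of(f.src)} -> {zone_of(f.dst)}: "
              f"{f.src} -> {f.dst}:{f.dport}")
```

Run against the sample, the check flags the two direct corporate-IT-to-control-network connections (Modbus and RDP) and the connection from an address that belongs to no defined zone; the DMZ-mediated flows pass. The same shape of check, fed from firewall or NetFlow exports instead of the constructed records, is a cheap way of confirming that a segmentation design is actually being enforced rather than merely drawn on a diagram.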
Surely cyber security is the responsibility of the cyber security team?
I’m sorry to let you down here but cyber security is everyone’s responsibility.
In cyber security, our objective is to support the business or organisation, whether in the private or public sector (for clarity, ‘the business’ from here on), in achieving its strategic objectives, and to do so cost-effectively. Perfect security is impossible; it is about getting the balance right between cost, speed and quality, and you can only pick two of the three.
As such, it is important that ‘the business’ has all the information to hand to make an informed business decision. From a cyber security perspective, we are looking to make the business resilient to cyber-based attacks.
Where does the threat come from? We can break this down into 6 categories.
- Cyber Criminals
- Insider Threat
- Nation States
- Hacktivists
- Cyber Terrorists
- Script Kiddies.
The threat landscape is ever-changing. All sectors and organisations now face an increasingly complex threat environment in which, alongside ‘traditional’ threats such as malware and business email compromise, we must also contend with misinformation, disinformation and deepfakes, all of which can be used to manipulate public opinion and destabilise societies.
Cyber Security Risk Management
In this context, think of this as a framework for managing cyber security risk. It’s a set of high-level steps that can form the basis of any cyber security risk management process. These steps will help you understand what a good approach to information security risk management looks like and help you to decide what approaches to cyber security are right for your organisation – there is no ‘one size fits all’ solution unfortunately.
- Establish the organisational context. Do we understand the business context within which cyber security risks will be managed? This is a whole-organisation conversation involving all stakeholders. Questions to ask include the following (not an exhaustive list):
  - What is the mission of your organisation?
  - What does your business care about?
  - What are the critical areas of your business?
  - Are there any external factors to consider (legal, regulatory, contractual)?
- Identify the decision makers, governance processes and constraints. Here we are trying to work out how cyber security risk management will be controlled and directed within the organisation. As far as possible, we want to avoid silo-based thinking and to manage cyber risk in the same standardised way as other types of organisational risk. More questions to consider at this point include:
  - Do we have an existing risk management governance and decision-making process in place? If so, how does it work?
  - Does the organisation have a stated appetite for cyber security risk?
  - Who has the authority and accountability for decisions about cyber security risk? How is it delegated in large organisations?
  - How do you manage situations over which you may not have full control (vendors, cloud services, the supply chain)?
  - What is your security budget?
- Define your cyber security risk challenge (i.e. what is your cyber security risk ‘problem’?). Questions to consider include:
  - How complex is the challenge?
  - Does cyber security risk cascade into, or aggregate with, risk elsewhere in the organisation? Do you need to incorporate it with other types of risk (cyber-physical systems, health and safety)?
  - Are you in a heightened threat environment? If you are dealing with critical information infrastructure (CII), I will tell you the answer now: it is yes.
  - Do you need to consider ‘Black Swan’ events (low-frequency but high-impact events)?
  - Are you constrained by some of the technologies you are using? If you are dealing with CII and you run Operational Technology (OT), Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) systems, then again the answer is yes.
- Choose your approach. As previously mentioned, there is no ‘one size fits all’ solution, and no tool is a panacea. Whatever approach you take needs to be tailored to the key characteristics of the challenge you have identified. Most risk practitioners will have a selection to choose from, and you may also be constrained by business requirements. Questions to consider at this point include:
  - Does your approach meet the needs of your risk challenge?
  - Do you have the right skills or experience to use a particular tool, methodology or approach?
  - Are you able to bring in specialist help if required?
  - How well does your chosen approach fit with the other approaches used for risk management in your organisation?
- Understand the risks and how to manage them. Here we identify and assess cyber security risks so that we can prioritise them. There are four things we can do with a risk, and all of them require a significant amount of effort, skill and knowledge:
  - Accept the risk.
  - Avoid the risk.
  - Mitigate the risk.
  - Transfer the risk. Remember that you cannot transfer legal responsibility, and some risks cannot be transferred at all, such as the protection of Personally Identifiable Information (PII).
The one thing we cannot do with a risk is ignore it, and we can never eliminate risk entirely. Appropriate organisational and technical measures, applied as administrative, technical and physical controls, reduce it. Nothing is guaranteed, though, and there will be instances where an attacker succeeds: remember that we must be lucky every single time, whereas an adversary only needs to be lucky once. This is where effective incident management and incident response help, and we will look at this shortly. Risk management is a massive area, and for the purposes of this article we have barely scratched the surface.
- Communicate your findings and recommendations to the appropriate board member. This communication needs to be meaningful and appropriate to the target audience. We, as cyber security professionals, need to speak the language of the business so that we can put key findings across to the board in terms they understand; failing to do so can jeopardise the business through miscommunication or a lack of understanding. The UK NCSC has created the Board Toolkit to assist with such engagements. Questions to consider include:
  - Do you understand the board’s concerns, so that you can provide timely and actionable intelligence to support better business decision-making?
  - Can you trace every risk you identify back to an organisational risk or loss?
  - Have you considered how you present risks in terms of priority, and have you highlighted the most critical risks and recommendations appropriately?
  - Have you standardised the language and risk statements you use so that they are consistent with other parts of the business? Are you sure that all the key stakeholders know exactly what you mean?
- Implement the recommendations and gain (and maintain) assurance that the controls and measures work effectively, efficiently and as expected. We want to incorporate cyber security in a secure-by-design manner, so those responsible for implementation must understand the risks they are addressing and the recommendations being used to manage them, whether those risks originate from people, technology or business processes. Good cyber security risk management is a continuous activity, and we will need to keep considering whether the controls and assurance arrangements in place are fit for purpose. Questions to consider here include:
  - Are these controls pragmatic, appropriate and cost effective? Do they align with the organisational risk appetite?
  - Have we considered a combination of risk management options? We do not have to treat every risk with controls; we can avoid a risk if the business wishes to.
  - Can we use existing controls to help manage the risk?
  - Are we going to review the controls regularly to ensure they remain fit for purpose?
- Review and adapt. Cyber security risk management is a continuous process, and we need to review it regularly and adapt where necessary. It is an enduring process, not a quick fix. Questions to consider at this point include:
  - How do we know whether the risk management programme is providing the assurance we need?
  - Have we developed metrics and performance indicators that provide tangible evidence of the effectiveness of the controls?
  - Are we able to revisit the risk assessment and analysis when there is a significant change in the business or the threat landscape?
  - Are we using a variety of mechanisms to monitor and review our systems and services? Do we have a proper understanding of what ‘normal’ looks like in our organisation?
What is the Board perspective?
Boards need to ensure that, from a business perspective, they are quantifying the economic exposure to cyber risk, and they need to be honest with themselves: are they fully in the loop on cyber security matters? This is very much a two-way process, from the cyber security team to other teams and from the board and other teams to the cyber security team. A recent survey indicates that only 40% of finance teams receive regular updates from their information security team and a staggering 37% have never had one. To be frank, we must do better.
The ‘so what’ of not doing so is a set of very tangible impacts: remedial costs, reputational damage, regulatory enforcement and legal action. From a business perspective, are we happy with the level of risk? Do we know who holds the key responsibilities for ensuring this is achieved?
Not all cyber-attacks will result in a data breach but for a business, this is one of its biggest worries – the average cost of a data breach is assessed to be $4.88 million globally and in the Middle East, it is assessed to be $8.75 million according to the IBM Cost of a Data Breach report 2024.
We also need to understand that from a shareholder perspective, there is an increasing understanding that data breaches fall under environmental, social, and governance (ESG) considerations.
Ultimately, strong security practice comes down to the culture present in an organisation and to ensuring that staff regularly receive cyber security training. Changing an organisation’s culture is not a quick process; it can take anywhere between 3 and 10 years. None of this is achievable without a suitable amount of funding and resources being made available by senior management.
Incident Management
It is important that organisations practise their responses to these types of events before an incident occurs and keep looking to improve on what is already in place.
What are the benefits of effective Incident Management?
- Effective incident management lessens the impact of a cyber threat. It will not prevent the incident from taking place, but it will soften the blow.
- Practice makes perfect – a well-rehearsed and practised plan will help you make good decisions under the pressure of a real incident.
- A well-managed response, with clear communication channels throughout will help build trust with your shareholders and customers. Think of a Swan – graceful and moving steadily above the water whilst kicking away like mad underneath.
- Learning from incidents will help identify gaps and issues with your response capability. Incidents happen and we cannot prevent them from happening but having lessons learned and lessons identified will help improve your response capability – slow is smooth, and smooth is fast.
How do we go about ensuring we have good incident management and response in place?
There are several areas we need to focus on.
- Prepare response plans and the capability to execute them. We need to make sure that the right people are involved when drawing up incident response plans, and that the incident response plan is linked to the disaster recovery, business continuity and crisis management plans and supported by the relevant capabilities. Roles and responsibilities must be defined and understood, with appropriate training provided. Consider how you will detect incidents and what criteria will trigger escalation to senior management, regulators and so on. Are staff aware of any playbooks that have already been prepared for specific types of incident? Do we have autonomy or delegated authority in place to deal with specific situations, or does everything have to go up the management chain? Do we understand our legal and regulatory reporting requirements, and can we meet them within the set timescales?
- Practise the response plans. The purpose of practising is to socialise the plans with incident responders and to make sure that staff receive continuous cyber security training and are prepared to respond effectively during an incident. Exercises also verify assumptions and identify deficiencies or room for improvement in the plan, and lessons learned and identified can be incorporated as finely tuned adjustments to the process.
- Respond proportionately and communicate effectively during an incident; both are critical to its successful resolution. We need to make sure that we do not overreact during the containment phase, when we may not yet have the full picture of what the incident is. Jumping in without considering multiple factors can cause more damage than necessary; if it is a targeted attack by an APT, for example, the attacker could react or bury themselves more deeply in our network. To use a phrase from the Admiral Nelson era of the Royal Navy, sometimes it is better to keep our powder dry. We need to consider primary, secondary and tertiary effects. Communication is critical at this juncture, both with stakeholders and with customers: clear, concise, consistent and authoritative communications will help minimise the impact of an incident and build trust with key stakeholders. It is also crucial to document everything at this stage. It builds a timeline of events for future consideration and, in the event of criminal or civil proceedings, it will help establish why particular actions were taken at particular points in time.
- Learn from incidents. It is said that the definition of insanity is doing the same thing over and over and expecting a different outcome, and incident response is no different: we need to incorporate lessons from incidents into organisational improvements. What happened, why did it happen, what could we have done to prevent it, and what can we do to ensure it does not happen again? The response plan you used for the incident you have just dealt with may need to be tweaked because an adversary has changed their Tactics, Techniques and Procedures, or because a particular process has been found wanting. Incidents happen; we cannot prevent that. But we can use the good and the bad from each incident to improve continuously: was there anything we did not have access to that would have helped? Which parts of the plan went well, and why? Answering these questions provides incredibly valuable insight into how to improve future plans.
Learn advanced critical skills to navigate modern security and strengthen your capability to respond, protect and lead in this cyber-resilient world. Discover exciting learning opportunities with our upcoming courses:
Introduction to Cyber Security,
Certificate in Information Security Management Principles (CISMP),
Certificate in Open-Source Intelligence (OSINT) Fundamentals, and
Certified Cyber Security Specialist (CCSS).