Critical Services and Security Operations: "Cybersecurity cannot be seen as the company's firefighter"
Cybersecurity at the level of critical services and security operations was highlighted in the last round table of the IT Security Conference 2023, with the participation of Banco de Portugal, REN, EE-ISAC and Cybersafe.
The last round table of the IT Security Conference 2023 was entitled "Critical Services and Security Operations" and featured the views and experiences of Pedro Rodrigues, Head of Cybersecurity and IT Compliance at Banco de Portugal, Rafael Aranha, Head of Cybersecurity at REN, Aurélio Blanquet, Secretary General of EE-ISAC, and Dinis Fernandes, Executive Manager at Cybersafe.
In terms of regulation, Rafael Aranha began by explaining that REN operates in Portugal under a set of regulations - NIS1, Anacom's Security Regulation, ENTSO-E - which guarantee the "security of supply and the security of the electricity market". The appearance of the NIS 2 directive has helped to complement the responsibility for risk management and training. "Fortunately, some regulation has appeared, but the regulations have to match up with each other," warns the Head of Cybersecurity, who sees a challenge in the way the regulations relate to each other.
In Dinis Fernandes' experience, regulation has proved to be a "catalyst and a simplifier" so that companies' Boards of Directors and Senior Management have the same objectives in terms of cybersecurity. "When we have the same objective, the budget to carry out projects appears, the will for the various areas to interact appears," he says. As far as NIS 2 is concerned, the Executive Manager sees the directive as a 'push' for more and more sectors to comply with the requirements and thus increase their cybersecurity.
With regard to NIS 2, and in the context of its application to critical services and infrastructures, Aurélio Blanquet also highlights the importance of extending the directive to other sectors, as well as extending its scope of application within each sector. "Cybersecurity has become part of the boardroom table, but it's a recent movement, it's no longer an IT issue, but it's not something that's widely felt by business, and it's going to have to become one because NIS 2 requires it," says the Secretary General of EE-ISAC, the non-profit association set up in Brussels to share and analyze security information, with the aim of creating a community for exchanging information. In this way, NIS 2 also leverages the need to increase sharing and cooperation at European level, within each sector and within sectors, assures Aurélio Blanquet, anticipating that the new directive will also lead companies to take on the necessary training and awareness-raising of their resources.
Critical services protection and cybersecurity beyond incident response
In terms of cybersecurity and the protection of critical infrastructures, Pedro Rodrigues argues that it is "essential to have at the root the identification of what the critical systems are, how we are going to protect them and this always implies some level of isolation", clarifying that exposure in critical systems should not be the same as that observed in public systems. The Head of Cybersecurity and IT Compliance at Banco de Portugal recalls that organizations' cybersecurity teams must not lose sight of what the critical assets/systems are.
"Cybersecurity cannot be seen as the company's firefighter," stresses Rafael Aranha, who adds that cybersecurity needs to be "transversal to business processes" and cannot "be seen as a vertical area of a company" or as an incident management area.
The role of AI in defending organizations
With all the attention it has been receiving, artificial intelligence can, in Pedro Rodrigues' view, "help achieve a goal of optimization and much more efficient operation from a defense point of view". It is necessary to create test environments, understand the added value, and choose the use case to solve.
However, the Head of Cybersecurity believes that critical infrastructures may not be the "right environment" for this type of testing with AI, and that it is necessary to choose the right use case and gain confidence in the tools. "It will enhance our defensive capabilities and bring us a little closer to the offensive capabilities we have to deal with every day," he reiterates.
Trends in security operations
Having worked in security operations centers (SOC) since 2007, Dinis Fernandes has seen this area evolve. "In the last two years, security operations have changed more than in the last 15. There's this difficulty that everyone knows about with the lack of security analysts, the lack of qualified people," says the Executive Manager who, on the other hand, highlights the growing number of alerts that SOCs receive. The problems listed have led to the emergence of a number of products, including the introduction of XDR and MDR tools, which add incident response capacity to the SOC, broadening its environment and scope of action.
Cooperation as a tool in incident response
Closing the round table, Aurélio Blanquet highlighted information sharing as essential in improving individual response to security incidents. "In addition to defense, in the sense of detecting, responding to and recovering from incidents, the next step is to at least not be one step behind the community that is trying to attack us, and to start thinking about preventive cybersecurity," he said, concluding that everyone should "work for the group so that each of us can then work better for ourselves in return."
Source: Marta Quaresma Ferreira on www.itsecurity.pt