Interview with Agustín Solís, Director of Security Systems, Thales España
Terrorism, economic interests or geopolitical conflicts. There can be many causes behind an attack on a critical infrastructure. Knowing that the risk can be minimized but never eradicated, it is essential to be prepared to respond to any incident, explains the Thales España expert and director of Security Systems Agustín Solís.
WHAT RISKS ARE BEING TAKEN BY COMPANIES WORKING IN CRITICAL INFRASTRUCTURES?
The CIP (Critical Infrastructure Protection) law lays down a series of obligations for operators aimed at improving their defences in providing essential services for society. It is non-coercive and is not governed by a sanctions system. It is based on the conviction that it is necessary for the country and on the principles of public-private collaboration. Spain is reasonably protected in the physical domain; not so in the cyber environment.
IS THERE A CALENDAR THAT DEFINES HOW ASPECTS STILL PENDING IMPLEMENTATION WILL BE ENCOMPASSED? IS AN ADEQUATE BUDGET BEING ALLOCATED?
The approach is fairly clear in regard to deadlines. Even so, not all of them are being met, often because the operator needs to collect a great deal of information on the infrastructure, which is no trivial matter. Furthermore, the socioeconomic and investment sphere does not favour this type of development. It is never enough, even less so in an environment in which public deficit is being controlled and reduced. More would always be required.
WHICH ARE THE CHALLENGES THALES IS FACING AS A SECURITY PROVIDER?
We are working in the Spanish and international market to provide a comprehensive solution within a certain budget. The risks are increasingly posed by the cyber and not the physical world, and the combination of both; a physical attack, jointly with a cyber attack, can produce disastrous effects. Our challenge is to cover the full spectrum of threats.
WHICH IS THE COMMON DENOMINATOR IN THE DEVELOPMENT OF TECHNOLOGICAL SOLUTIONS FOR THESE INFRASTRUCTURES?
Depending on its geographical and geopolitical situation, each infrastructure has its own risks and threats.
But conceptually there are components of the solution that are common to any type of asset. For example, a sensorization layer is always required, via perimeter video or intrusion surveillance, although a healthcare centre in an urban area is not the same as a refinery in the desert. The case studies are infinite when we go down to the detail and the implementation.
The same applies to cybersecurity. Each information system has its own characteristics, but there are rules applicable to different cases. We have to be able to cover the entire circle, from threat analysis to attack response preparation, to provide the right solution at the level of risk we consider it appropriate to maintain, since zero level is very difficult to attain.
HOW IS A CRITICAL INFRASTRUCTURE PROTECTED AND WHAT COULD HAPPEN IF A LINK IN THE CHAIN FAILS?
Our technology, in the event of an incident, pursues the assurance of the infrastructure’s operational continuity; that the effect on it will be minimal. We seek to deter with a fenced or guarded perimeter, with video surveillance or access control systems, with geolocation of where the intrusion has occurred and with secure communications to inform the operator and the security forces. We are talking of defence against deliberate acts as opposed to system failures and catastrophes. Physical protection has room for improvement.
The same is the case for cybersecurity. But it is not easy for an attack through cyber means (malware or malicious software) to cause damage in the physical world, because this would require great in-depth knowledge of industrial control technologies and their application to the specific infrastructure they are seeking to attack.
Fortunately, the necessary capabilities (knowledge-related, technological, financial and organizational) to prevent this type of damage are very considerable. Even so, we should be prepared. While the systems may be technologically secure, the human link in the chain tends to be the weakest and subject to being violated. A large proportion of attacks come from the inside. In cybersecurity, we are dealing with passive assailants; employees are used and duped.
For example, they receive an email, click on a link and, involuntarily, facilitate entry of malicious software that spreads across the company. This is why awareness-raising and training are important.
WHICH PROPOSALS IS THE PRIVATE SECTOR MAKING TO THE EUROPEAN REGULATOR?
Among others, establishing a quality seal, with a voluntary certification and labelling process by cybersecurity providers; promoting a design-led security approach, incorporating the requirements from the moment a product is conceived; an international framework that balances security and privacy; information protection; sectoral analysis and sharing centres; and measures to reduce market fragmentation and thus create European leaders in cybersecurity that compete with the major international actors.