We spoke to Paul Graziano, Cyber Security Compliance Manager at Transport for London (TFL), about his job to defend the UK’s largest public transport network through innovative approaches.
The transport system is part of our critical national infrastructure – how do you see the cyber threat against this evolving?
I think cyber security within critical national infrastructure is becoming an increasingly complex task. A common security challenge is that many of the systems and devices we rely on were built when security wasn’t really an issue. They were designed for only a few people to have access to them. Now, more and more modern industrial control systems are being connected by IT Infrastructure, which is of course a positive thing.
However, this means we don’t design ourselves into a position where we have to break in security to protect residency devices, which is what we’re currently working on. Instead of having security by design, we need to put the monitoring around these systems, so we know what users are accessing, know what they’re doing, as well as the network monitoring around these devices too.
What can we do to protect our critical infrastructure against attack?
There’s no simple answer to this. In some ways, what we’re trying to do now is use a framework we’ve adopted in Information Technology (IT) to protect Operational Technologies (OT) which involves a security strategy. Security needs to start right from the beginning of the procurement of new systems and IT needs to make sure any new systems meet our security requirements.
I think we need to assume that we will be compromised. As long as the Security Operations team have that visibility, we will be able to respond to any incidents if need be and they’ll also need to be able to pull the plug in worst case scenarios.
A lot of work has been done within the government to help us out. The Centre for Protection of National Infrastructure (CPNI), a UK government body, released a number of frameworks for industrial control systems. They believe we should structure our industrial control systems to make them secure and deploy frameworks around them to achieve that.
What are your thoughts on the value of threat intelligence and security analytics in the fight against cybercrime?
Both are extremely important and a vital part of Security Operations. Threat intelligence is a necessity as we need to understand what the new threats are and how that could morph into an attack on TFL.
Security analytics is just as important because to protect your network you need to have good visibility over it and you can only really achieve that through security log analytics. To do this you need to have the capability to sort logs from a range of sources and correlate these for suspicious activity. This enables you to benchmark it in order to understand what normal looks like and then you can look out for anomalies.
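As an added illustration (not code from the interview or from TfL), a small Python sketch of the pipeline described above: normalise log lines from two sources, build a per-user baseline of what normal looks like over a training window, then flag deviations and correlate them so that two independent anomalies for the same user on the same day outrank either alone. The log lines, user names, countries and the "double the baseline" threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean
# Constructed sample events from two sources (vpn gateway, file server); not real data.
SAMPLE_LOG = """\
2024-03-01T08:02:11 vpn user=alice country=GB result=ok
2024-03-01T09:10:00 fs user=alice action=read path=/ops/schedule.xlsx
2024-03-01T08:05:43 vpn user=bob country=GB result=ok
2024-03-02T08:01:09 vpn user=alice country=GB result=ok
2024-03-02T09:11:00 fs user=alice action=read path=/ops/rota.xlsx
2024-03-03T03:14:27 vpn user=alice country=RU result=ok
2024-03-03T03:20:00 fs user=alice action=read path=/ops/schedule.xlsx
2024-03-03T03:21:00 fs user=alice action=read path=/ops/rota.xlsx
2024-03-03T03:22:00 fs user=alice action=read path=/ops/contacts.csv
2024-03-03T08:09:12 vpn user=bob country=GB result=ok
"""
BASELINE_DAYS = {"2024-03-01", "2024-03-02"}  # the window that defines "normal"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<kv>.*)$")

def parse(text):
    """Normalise both sources into dicts: source, day, plus each line's key=value fields."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = dict(kv.split("=", 1) for kv in m["kv"].split())
        e.update(source=m["source"], day=m["ts"][:10])
        events.append(e)
    return events

def baseline(events):
    """Per user: VPN countries seen, and mean daily file reads, over the baseline window."""
    countries, reads = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for e in (e for e in events if e["day"] in BASELINE_DAYS):
        if e["source"] == "vpn": countries[e["user"]].add(e["country"])
        if e["source"] == "fs": reads[e["user"]][e["day"]] += 1
    avg = {u: mean(per_day.get(d, 0) for d in BASELINE_DAYS) for u, per_day in reads.items()}
    return countries, avg

def detect(events):
    """Flag post-baseline anomalies, then correlate: two for the same user/day outrank one."""
    countries, avg = baseline(events)
    alerts, reads = defaultdict(list), defaultdict(lambda: defaultdict(int))
    for e in (e for e in events if e["day"] not in BASELINE_DAYS):
        if e["source"] == "vpn" and e["country"] not in countries[e["user"]]:
            alerts[(e["user"], e["day"])].append("vpn login from unseen country " + e["country"])
        if e["source"] == "fs": reads[e["user"]][e["day"]] += 1
    for u, per_day in reads.items():
        for d, n in per_day.items():
            if n > 2 * max(avg.get(u, 0.0), 1.0):  # floor so a near-zero baseline doesn't page on +1
                alerts[(u, d)].append(f"{n} file reads vs baseline mean {avg.get(u, 0.0):.1f}")
    return {k: ("HIGH" if len(v) > 1 else "LOW", v) for k, v in alerts.items()}
```

Running `detect(parse(SAMPLE_LOG))` yields one HIGH finding for alice on 2024-03-03 (unseen country plus triple her usual file reads) and nothing for bob, whose day-3 login matches his baseline.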
Will the Internet of Things change the way you address cyber crime?
Absolutely. Up until recently, the increasing number of devices being connected to the internet were mainly from the commercial side, but now it is entering the business side too. Every connected device is a potential target for botnet activities because they are not inherently secure, so they’re easily targeted and taken over as part of a larger attack. This is a very difficult problem to solve and we can’t be isolated as a business in dealing with it; there needs to be a consolidated effort.
How are you using virtualisation to transform your business?
TFL are hugely into virtualisation. A really good example of this would be TFL.gov.uk, our public facing API that’s used for TFL’s journey planner, which powers applications like Citymapper too.
In terms of its impact on our business, it has changed the way in which we think about new projects and new applications. Previously we had to rack up a new server every time we started a project. Now we can rapidly develop, build and test prototypes for new applications at very little cost. It gives us a lot of flexibility as we can scale up pretty much automatically when we need to, which we would never have been in a position to do before virtualisation.
There is a renewal aspect to it too: if configured correctly, it’s relatively simple to spin up a new server if your prime one goes down. So there are many great benefits to virtualisation.
What other technologies would you suggest adopting in the fight against cyber-crime?
My idea is not so much a technology, but an awareness strategy. If you look at the number of the high profile attacks over the last year, a lot of them started with simple phishing attacks. Our spam filters will never be able to spot the first email from a newly set up phishing campaign and they’re purposefully designed to do that. One of the only ways to protect against this is to ensure our users are sufficiently trained to detect suspicious emails. I think improving communication with employees and making them aware of the impact an attack could potentially have is vital.
In terms of actual technology, I think privileged identity access management is also key to a security team. It’s important to understand who has access to the most critical parts of your business as during a compromised attack, hackers will look for the business’ ‘crown jewels’.
One of the technologies that the industry is looking at more widely is called ‘deceptive security technology’; this is essentially a very old security component called a ‘honeypot’. A honeypot is a system that is built to be insecure and placed in a public part of your network. By doing so, you can see who finds it and what they do to it. This enables you to understand what sort of attacks are being targeted at it, providing a wider picture of the threat landscape. It is essentially a piece of proactive threat intelligence to find out if people are attacking parts of your network.
Thank you very much for answering all of our questions Paul and we wish you a fruitful career at TFL.