Podcast

What do we need to deter insider threats?

Mandana White, CEO of Smart Grid Forums, talks about the rise of insider threats to a company’s cybersecurity and what it has to do with the cost-of-living crisis as well as the Western Robin Hood mentality. Diving a bit into societal psychology and politics there might even be a bit to learn from – of all places – Dubai to get IT and OT cybersecurity working in both companies and society.

Duration:
27 min

Guest in this episode:

Mandana White
CEO Smart Grid Forums


Transcript

Klaus Mochalski

Hello and welcome to a new episode of OT Security Made Simple. I'm Klaus Mochalski. I'm the founder of Rhebo. With me today is Mandana White. Mandana is CEO of Smart Grid Forums. Mandana, please introduce yourself to our listeners.

Mandana White

Hi, Klaus. It's lovely to be here. Thank you so much for the invitation. I'm Dr. Jamie Mandana White. I'm the founder and CEO of Smart Grid Forums, which is an independent conference organizer specialized in the European power sector. We've been operating for about 14 years now in this sector. And what we've seen over these last 14 years or so is an increased focus on the need for cybersecurity within power utility organizations, particularly since COVID, and particularly since the outbreak of geopolitical tensions, not just across the region, but across the world.

We're very focused on empowering cybersecurity teams within grid operators, not only to invest in technology, but to really empower their people and place them at the center of the utility organization to drive change, transformation, and a much more secure grid for the future.

Klaus Mochalski

The electricity sector, or let's call it the grid operators arena, is still – let's put it positively – a maturing market, as we are learning every day. Not every organization in this area has arrived at the set goal of their security journey.  

I understand you're just coming back from one of your signature events. What are some of the mega trends that you've been observing at this show?

Mandana White

That's right, Klaus. Yes, we've just run the SG Tech conference, which is our annual PowerGrid Innovation Conference held in The Hague this year on the 18th to 20th of March. And we had around 470 participants, which is a record number for the event, and it indicates the increasing interest and engagement with some of the subject matter that we're covering.

Essentially, the conference is about driving innovation in different domains of the grid, namely the substation area, SCADA infrastructure, smart meters, and then really looking to how cybersecurity can enable much faster implementation of new technologies. Because we know that the technologies are there and innovation is plentiful by this time in the sector.

But what's holding it back is a really secure implementation of these new technologies. Some of the key themes that came out of the conference [were that] technology has been moving really fast. And I think the utilities now have access to budgets, reasonable budgets, sometimes quite significant budgets, to implement new security solutions.

Where the gap still lies is the human factors, for sure. That's still where the gap is. Education of the workforce to make sure that the human side of cybersecurity is much more secure but also positioning cybersecurity teams at the center of the organization. That's yet to happen. By nature, cybersecurity people tend to be below the radar. That's understandable. That's traditionally the way it's been done.

But if you think about the equivalent in society, our police force, for example, if they [would] go below the radar, we [wouldn’t] have a more secure society. We’d have a less secure society because that only emboldens the bad guys. If the police force is not visible, the bad guys feel emboldened and empowered to take aggressive action in society.

One of my missions for the year ahead is to help not just inform grid operators about the technologies and help them make the right investment choices, but to help the cybersecurity teams really rise up in terms of visibility and to use their voice not only to empower their workforce, but also to state their intentions on how they're going to maintain security and enforce security in the power grid going forward.

Klaus Mochalski

Right. That's a very important topic. We spoke on this podcast a couple of times before about this specific challenge. Let's talk a bit about your recommendations, like your best practice recommendations, how to build a stable organization on the cybersecurity side to defend against these new threats.

Before we delve into this, just based on the recent experience, what you heard from the conference, are there any significant changes, like with the current change in geopolitical situation? Are there any changes in the threat landscape that you've been observing that also inform certain staffing decisions?

Mandana White

Yeah, definitely. I think so. And we know that the cybersecurity skills mix is quite complex. It's not just about technical skills that are required for cybersecurity people. It's also a good awareness of psychology, criminology, more social factors as well, human factors. And where cybersecurity professionals have been very focused on the technology side of things, we really need to shift now towards a lot more of the human factors: embracing the human factors, being more integrated into the organizations and driving the agenda, not just responding to threats, but actually getting ahead of the threat. That's really key.

Some of the things that came out of the conference, and out of our audience research as well, is the threat landscape where utilities used to be concerned about – ransomware attacks, that are based on ROI, a little bit of hacktivism, maybe some gentle disruptions to make a political message – those threats are less of a concern now as compared to the insider threat, which is becoming an increasing issue. And nation-state attacks as well. As we can see, the war landscape is becoming really, really unpredictable. The rules of war no longer apply in any sense of the word. They've not even been defined for cyberspace. But even physically, they no longer apply. International laws are being broken all the time with impunity.

And if that's happening in physical war, then what can we expect in cyber war, which is the next stage? And we're already seeing ripples of that. Utilities are expecting that to intensify. And they're looking for strategies, not just technologies, but strategies for how to combat this in a more proactive manner. Not just to wait to be attacked, but how can they actually proactively avoid, deter these attacks? That's one thing.

But the insider threat is something that everybody is concerned about. It's high on everybody's agenda, but the solutions are really clear right now. We had the NCSC (National Cyber Security Center) in the Netherlands presenting some figures that show that insider threat is on the increase. It's a far more significant issue now, particularly in the post-COVID world, where I think a lot has changed and a lot of systems and structures have been turned on their heads. Citizens aren't really sure about what to expect from their governments and their societies anymore. Crime is on the increase and it's out of control. It feels like it's every man for himself right now in many circumstances.

Klaus Mochalski

Do we have any idea, based on the research that you did, why specifically insider threats are on the rise? Is it already part of the hybrid warfare that everybody is talking about, that foreign state actors are trying to penetrate foreign organizations by putting insider assets, basically human assets, into the organizations? Is this what we're seeing?

Mandana White

Yeah, this has been going on for some time. We know that this has been the case for some time, but it goes beyond that. It's the cost of living crisis. Many people are now quite desperate because they're feeding information to adversaries in order to gain some monetary benefits.

Klaus Mochalski

Making them easier targets, I guess.

Mandana White

Making them easier targets. Some utilities have said that they're starting to profile their incoming staff members, and some of their existing [staff], for psychological vulnerabilities, such as addictions that make people more vulnerable to manipulation and extortion. This type of thing is being taken a lot more seriously; where perhaps the power grid didn't need to worry about that level of psychological profiling in the past, it is now becoming quite essential. Because if we think about the role that the power grid now plays as a critical infrastructure, it's really on the front line in terms of war and attack and having to protect and secure society.

Klaus Mochalski

Pressure on staff is increasing, both on the staff that are already there, but also related to the staff shortage. Fewer people have to do more work, which always creates pressure. And this would make them vulnerable and susceptible to those threats that you're describing.

Mandana White

Absolutely. And then there's ideological threats. Are the people that we're hiring – perhaps from other parts of the world – ideologically aligned with us? And that's a bit more of a mixed picture as far as I can see. Some utilities are saying: We need absolute alignment. Others are saying: Actually, we've got such a shortage of workforce. And can we really be sure that even our own workforce is aligned with us right now because everything is up in the air and looking to other parts of the world proactively? So that's a bit of a mixed environment.

But all of this makes for a lot more uncertainty and a lot more, I suppose, nervousness for utilities in terms of how they should be hiring, how they should be profiling, how they should be upskilling and keeping their teams aligned. They know that too much pressure of this nature could turn the workforce off. But then, not enough can leave the environment uncontrolled and susceptible to external threats.

Klaus Mochalski

Right. Let's look at this issue. I guess the potential solution to this problem is twofold. There's both technology and organizational improvements in play. On the technological side, I guess we probably... You mentioned that technology is moving very rapidly, so I guess the proper tools are probably readily available. You don't just have to defend your perimeter, but you have to move your defenses inside your organization, and the technical tools for that are available.  

Let's look at the staffing issue. Do you have any recommendations? Where can we learn how to avoid some of the problems that you describe? And I guess we all understand that it's a numbers game. Statistically, there will always be a risk. So, how can we... And on the podcast with my guests, we talk a lot about reducing risk, and that's how we treat the OT risk as well. It's just a risk to your business. And the same is probably true for what we're discussing right now.  

What are the best ways to reduce this risk? Where can we turn? Where can the infrastructure operators turn to learn how to hire proper staff, the right people, to reduce the risk that they get these potential inside perpetrators in their organizations?

Mandana White

Yeah. Yeah, that's a really good question. I mean, where do you start with that? And it's about leadership, really. It's about leadership and a voice that is so loud and so compelling that there's no denial of what the rules are and what constitutes compliance with the rules and non-compliance with the rules. I think these are some of the things. Particularly in Western societies, we're starting to see a crumbling of compliance just due to lack of awareness of what the rules are absolutely.

And if we look to [Dubai] – I've spent some time in Dubai over the past year, quite a significant amount of time – and this is a society that is led very efficiently and productively through clarity of rules and absolute enforcement of those rules and consequences around the non-compliance of those rules. And we see that this is a society with about 80 % non-locals, foreigners living, building and working together in harmony because everybody is aware of the rules, lines up with the rules, and understands the consequences of non-compliance.

I think that's a really good model for how we can introduce a much more certain approach to cybersecurity within our utility organizations: to be absolutely clear about what the rules are, to make sure that people are informed and empowered, that the rules are reinforced, and that the consequences are clear to people. So, that the skills are there, the awareness of good cyber hygiene is there, and that people respect the organization enough to comply with those proactively. Not just wait to be told they've done something wrong, but proactively every day, make sure that they are working to best practice.

The second thing is when there's rogue actors internally, that we act on those quickly and the consequences are clear and that threats, internal threats are removed swiftly and that the wider workforce is made aware of that.

The third thing is the leadership voice. The cybersecurity leadership voice needs to be loud and clear. And I've got to say that as an event organizer, for me, it's not loud and clear. I find that the cybersecurity people are too below the radar. They're too afraid to speak up. They're too afraid to express their opinions because they think it will inform the opposition. Well, the first thing is to inform your own side and to empower your own side. Actually, by the opposition hearing how strong you are in terms of how determined you are, how strong your strategy is, how relentless you are in the reinforcement of those things, that in itself will act as a deterrent.  

I gave the example of a police force that is below the radar, is not visible in society, does not have a voice. How much do we believe in that police force? How much of a deterrent is that police force? We've got to think that our cybersecurity teams are the police force within our utility organizations. We just need to see them rise to a much higher level and to be a lot more vocal and to reinforce, reinforce, reinforce – and not to be afraid of any consequences.

The only consequences that anybody should be afraid of is non-compliance with those rules. I think that sounds a bit radical, but we've only got to look at examples in other facets of society and of life where similar behaviors are achieving similar results, which is that lack of visibility creates a lack of belief and lack of compliance.

Klaus Mochalski

Right. Let me take up your first point.  

I think on the second point, we probably get pretty broad agreement. I've talked about this issue a lot, that organizations are not yet ready, that cybersecurity is not in the minds of senior management, senior executives of the organization, where it should be, because business risk should be and usually is on top of their mind. So, OT security risks should also be.

You have to lead it from the top. If you get information from your organization, trust your organization, build this organization internally. And of course, there are constraints with regard to staff shortage. But this is how you should build your organization and not just say: Well, the IT department will take it as well. That's not how it's done. I think here we get a pretty broad agreement and the more mature organizations have been doing this or at least starting to implement this for quite some time. We're seeing good examples here.

But I'm interested in your first point where you looked at the example of Dubai. I've also been there a lot and I always enjoyed the environment that feels very safe if you're there, even if you don't know your way around. It feels a bit like being in Switzerland, but of course, in a different setting. But can you transpose this type of strict regulations and compliance in organizations to liberal Western societies? Or is this just too much? Because I also see that, especially in large organizations, here in Europe, for instance, or in the US, everybody is complaining about compliance already. You are arguing for stricter compliance rules. So how can we deal with this discrepancy here?

Mandana White

Okay, this is a personal point of view, but the difference that I see is that the rule of law is absolute. In a place like Dubai, the law is indisputable. It can be challenged and it will evolve, but through collective agreement rather than through ducking and diving the law. We have this Robin Hood mentality in the West, which is, if I don't like the law, I'll just go and do something against it and come up as a hero.

We can see what's happening in the US with the CEO of a pharmaceutical company or health insurance company being shot, and the guy is a hero for having done that. That is the wrong moral attitude, and we should not be supporting that behavior. That should be punished. That should not even be allowed to happen. That [should] be deterred.

Whereas in Dubai, what I'm seeing is that the rulers, the government, are not above the law, and that is communicated continuously: that the king, the prince – these individuals, these figureheads – are more than just figureheads. They have to comply with the law. They have to set the example. They have to be consistent with that. And if they're not, there's going to be an overturning. There's going to be trouble. They set the example and the population follows.

And we need to see a lot more of that in the West. We should not be celebrating morally corrupt behaviors anywhere in our systems. Because when we do that, we signal that if it's okay for our leaders to behave in that way, it's okay for the population. And then we have the Wild West, where anything is possible as long as you can get away with it. And I think that's the social environment that we're operating in in the West. And it's crumbling. It doesn't hold. It's crumbling.

I can give you the example of the UK, where crime has reached such a height that the most prosperous members of the UK society have been leaving. And where have they been going? They've been going to Dubai because they want law and order. I look around in Dubai, I see more British people in Dubai than I do in London.

Klaus Mochalski

That's interesting. But if we agree that this is the way to go forward, who do we turn to for leadership? Is it our organizations like the companies, or do we need to look at our political leaders? Because usually what you describe is something that the political leadership needs to implement, and it's usually a long process. Is it only them? And we also have quite some cybersecurity legislation in place across the EU and across the world. Basically, they have done their homework to an extent for this specific threat we're talking about. Is there something that the organizations can do to support this?

Mandana White

Yes, absolutely. And I think the media plays a huge role in this as well. The cynicism around leadership is not just at the political level, it's not just the governmental level. It's on every level. I think I can certainly speak for the British. There is an absolute disdain for leadership in British culture. I can't talk about the rest of Europe.

Klaus Mochalski

Yeah, we see it here as well. I guess that's the problem across all the Western countries, mostly.

Mandana White

When we have that, then there's no order. When there's no hierarchy, there's also no order. And then we leave key decisions in our societies to the population who are not educated, informed, or experienced enough to make those decisions.

Brexit being one of those decisions. Right now, perhaps, tariffs in the US being another one of those decisions, where the wrong decisions are being driven for the wrong reasons – thinking that this is going to be a silver bullet is going to lead to an amazing outcome. And it's not. It's just causing more deterioration of society that's already crumbling.  

At this stage, I would say it's a different strategy for us in the West in that every single one of us plays a leadership role in our sphere of influence, in our little circle, whether that's in our family or in our company, in our teams, our departments. But we need to reinstall a leadership culture, where we remove that disdain for leadership. We respect leadership. We respect the people who've worked hard to rise to a level of leadership, where they have the experience, the expertise, the wisdom, the foresight. They're able to take the risk. We need to admire and respect that and actually line up with it.

And when we do that on a small level, it starts to ripple out to a larger level and eventually to society as a whole. That's not going to happen overnight, but this is what I want to empower our cybersecurity teams to do. Right now, they are the most important people in the utility organization, from my point of view, from what I see.

Because without their voice, without their input, without their expertise, we can't roll out these new technologies knowing that it's a safe investment that we're going to get a return on. We can invest in them, we can roll them out, but if they're not cyber-secure, they're of no use to anybody. We may as well go back to air-gapping everything, because if it's not secure, it's not going to be functional for very long. And therefore, it's the taxpayers’ money thrown down the drain.

Cybersecurity people are absolutely key, and there is still this tension between the technical teams and cybersecurity teams, between different levels of the hierarchy. It's a very fragmented-minded workforce environment that we're seeing at the moment in Western utilities. And that cohesion needs to come back into place for the utility organization to function in a much healthier manner.

We do need hierarchy. We do need leadership. We do need wisdom at the top. We can't have the workforce that's just out of university making key decisions. That's preposterous. 30 years ago, we would never have considered that. We put new graduates through a lengthy program to acclimatize to the grid, to understand the priorities, to develop the mindset before we gave them any significant responsibility. And we're just trying to short-circuit all of that, get young people into jobs that they're in over their heads with and can't cope with. And then leadership not making decisions because they know their decisions are going to be met with disdain.  

Klaus Mochalski

I think that disdain is something every employee can, to an extent, relate to. And maybe we can use cybersecurity as a training ground to get better as a society, starting with this smaller arena, which is an issue that has been coming up over the past years and we have to tackle now. Everybody agrees. A litmus test could be the complaints in the cafeteria about the stupidity of senior leadership; that has to go away.

The OT security staff, they have to trust the decisions of their senior leaders. They have to have the feeling that they are being taken seriously, and there needs to be transparency across the organization. If you still have this complaining going on, then you know that something is not right. If we get this right for OT security, we are probably getting it right for the entire organization if we use it as a blueprint. If we get it right in an organization, we can probably then extend it to the society because the people control that.

This could be a very good way forward. And in that sense, it could be very inspiring, far beyond the realm of OT security.

Mandana White

Absolutely. Absolutely. Imagine that ripple effect on society as a whole. It would completely transform where we are now to where we could be. Absolute transformation of society. People would enjoy their governments again. They would enjoy their social systems and structures. There'd be real pride in paying taxes to support these systems again. I mean, who wouldn't want that? So yeah, definitely. So, that's my intention for the year ahead.

One thing I found a little disappointing from the conference – the conference went really, really well, there were so many fantastic conversations, lots of new technologies; I must say the suppliers have really raised their game, the solutions are fantastic, the price points are very manageable – is what's missing is that intentional communication from the cybersecurity teams. And for the next year, for SGT 26 in Paris, my intention is to really empower that group of people, specifically, and to get them to speak on a much higher level, more openly, with a lot more transparency and with a lot more confidence. It's an intention about what they want to achieve in their organizations. So, that ripples out. That's the intention for the year ahead.

Klaus Mochalski

Very good. Let's finish with this very positive note. We are certainly supporting this from our end as well with the resources that we have. And let's hope this pans out and that we have a positive development in the year ahead and the years beyond.

Mandana White

Absolutely.

Klaus Mochalski

Thank you very much, Mandana, for being on the show. It was a lovely discussion. I really enjoyed it. And maybe let's do a follow-up in a few months and see how this is developing and panning out.

Mandana White

Yeah, would love to. Thank you so much, Klaus. You have a good day.

Klaus Mochalski

Thank you. You too. Bye.
