Securing Critical National Infrastructure

CNI security: managing the public/private conflict of interest

26th September 2024 • Online

 

Most of our CNI is in the hands of private companies. They need to spend more and tell us more.

In the UK, there are 13 Critical National Infrastructure Sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. Because AKJ Associates runs separate events for the finance sector, for the purely public sector and for healthcare, this CNI Summit will focus on the rest. Clearly, in many, public-private partnership is critical, but what they all share is their importance to the maintenance of the economy, safety and civil society of the United Kingdom.

These sectors face a huge range of threats, ranging from all the standard varieties of attack on digital networks to sophisticated nation state attacks to challenges in IoT/OT infrastructure. All of them are struggling with legacy technology. All of them face the vastly increased attack surface that comes with rapid digitalisation and the use of Cloud. And all of them require huge investment in security right now.

As Chatham House has pointed out, there are many “obvious parallels [between the] critical national infrastructure sectors [and] a UK-wide CNI sector dialogue on cybersecurity could help ensure that industries learn from each other. This could be followed up with a prioritized list of how to tackle the remaining challenges where prioritization takes into account risk, as well as the time required to mitigate it.”

Parliament has recognised the importance of this topic: “Digital infrastructure is critical for supporting growth and helping to transform the delivery of public service…Much of the UK’s CNI is underpinned by this digital infrastructure, which must be resilient to cyber attack…[but] much of the UK’s CNI is privately owned.”

And the NCSC has pointed out that CNI has to be resilient not simply against sophisticated actors in search of valuable data, but also against actors whose main aims are disruption and denial of availability.

In addition, private sector companies that underpin our national security and safety will find themselves subject to ever more regulation to counter the conflicts of interest between shareholder value and profit and investment in the security of critical systems. Regulators also understand that private companies may be incentivised to constrain information sharing during incidents, limiting government entities’ ability to understand and influence outcomes critical to the country.

So, this event will feature presentations from government, the public sector and the private companies upon which our CNI rests. It will look at everything from malware, to APTs, to threat intelligence and incident response, to OT security.

 

The e-Crime & Cybersecurity CNI Summit will take place online and will look at how cybersecurity teams are tackling this new world.
Join our real-life case studies and in-depth technical sessions from the security and privacy teams behind some of the world’s most admired brands. 

  • Defeating ransomware and malicious malware

    • The NCSC still assesses that ransomware remains one of the greatest cyber threats to UK CNI sectors.
    • In other words, the threat of malicious malware has still not been adequately confronted and, in the context of CNI, the losses can be catastrophic.
    • Forget about basic cyber hygiene and awareness, how do we protect the UK from this?

  • From security to resilience

    • If security cannot be guaranteed, and attackers will eventually succeed, then you need to decide what that success looks like.
    • Resilience is being able to maintain at least the minimum viable organization and, in CNI, it means maintaining the level of service required to keep the country running.
    • How can you help with critical resilience?

  • Maximising the utility of threat intelligence

    • The UK's NCSC highlighted emerging threat to CNI.
    • Attack surfaces are increasing and geopolitics are expanding the range of threat actors and types.
    • How can organisations make the best use of threat intelligence to genuinely reduce their risk of breach?

  • The answer really is zero trust, isn’t it?

    • Look at the key security and resilience challenges: ransomware, third-party, malicious insider, and the rest.
    • None of them have been solved by better technology or better awareness or better security culture. And AI and OT insecurity will make things worse in CNI.
    • Unless we decide to abandon the public internet, and take security seriously, then zero trust is the only answer. So, how to get there quickly?

  • Evolving incident response: lessons from the past

    • CNI organisations need well-rehearsed playbooks, Boards who have experienced realistic war games, to be battle-tested against sophisticated Red Teams and to pay attention to the successful attacks of the past and present.
    • How can you help them develop and hone incident response procedures that work?

  • Upskilling security teams

    • Organisations have limited budgets
    • The skills shortage in security staff growing
    • This dynamic affects the type of on prem security operation firms can employ
    • So how can CISOs continuously upskill their teams?

  • Why regulation will drive CNI security

    • Governments have ceded power to private sector organisations with more money, better agility and all the technology.
    • But as governments belatedly recognize their dependence on private companies to deliver the modern state, they will remember their power to regulate, control and even nationalize.
    • What are they thinking today?

  • Reducing your attack surface

    • Initially, digitalization was touted as a panacea for productivity, innovation, flexibility and agility.
    • It turns out that the rapid adoption of new technology and connectivity comes with new and complex costs.
    • When the delivery of a critical service is paramount, how do we re-engineer digital systems to prioritize availability and not privacy or ‘security’?

  • The dangers of digitalisation – securing IoT and OT ecosystems

    • “There continues to be a heightened threat from state-aligned actors to operational technology (OT) operators.
    • The NCSC urges all OT owners and operators, including UK essential service providers, to follow the recommended mitigation advice now to harden their defences.”
    • How can you help CNI-related companies harden their OT?

  • Securing third-party tech

    • Resilience and security increasingly come down to key dependencies outside the organization.
    • With on prem tech the past and Cloud and external IT the future, how do organisations ensure security when they rely on vendors who are vulnerable but above leverage with even their biggest clients?
    • What about security vendors? What is your advice?

  • Developing the next generation of security leaders

    • If cybersecurity is to change to meet the evolution of our digital world, then so must those who implement it.
    • CISOs cannot cling to an IT paradigm and companies must move away from hiring on false pretences (on budget and commitment) and firing at the first breach.
    • What does a next-gen CISO look like and are you one of them?

  • Detect / prevent malicious insiders

    • When nation-states decide that cyber-offense is justified, the world becomes strange.
    • One example: banks have been infiltrated by Chinese operatives who understand their control environments to commit financial and cybercrime.
    • CNI is under attack from these attackers and other compromised employees. How do we stop malicious insiders?

Who attends

Job titles

PCI Manager
Senior Internal Auditor
Payments Design Authority
OT Security Analyst
CIO
Chief Information Security Officer
Information Security Engineering Principal - Head of Technical IS Assurance & GRC Platforms
GRC Manager
Programme Manager
Director of Financial Operations
Cyber Security Analyst
OT Technical Director
InfoSec Manager - Digital Investigations & Forensics
Principle InfoSec Architect
Global PCI Analyst
Head of Security Architecture
Lead Security & Compliance
Information Security Officer
Security Assurance Analyst
Head of Information Security
IT Compliance Manager
IPR Manager - Data and Technology
Group CISO
Principle Security Engineer
Senior Project Manager
I.T. Security Manager
Security Eng
Security Programme Manager
Security Training and Awareness Manager
Head of Client Onboarding
Lead Enterprise Security Architect
Information Security Specialist
Information Security Operational Analyst
Information Security Manager
Senior Information Security Officer
Group Chief Information Security Officer
Head of Detection and Response
Cyber Intelligence Specialist
Operational Audit Manager
Group CISO - Interim
Information Security Analyst
Global Head of Security Architecture
MD
Head of Cyber Security
Group Information Security Manager
Divisional Information Security Officer
IT
Information Security Analyst
Cyber Security Manager - ‪Penetration Testing
Senior Security Engineering Manager
Director of Information Security
Business Professional
Cyber Security Manager
Head of Technology & Payments
Chief Risk Officer
Information Security Risk & Assurance Specialist
Cyber Security Analyst
Cybersecurity Architect
Manager, GMS Europe
Cyber Compliance Analyst
Senior Cyber Security Consultant
Senior Security Product Manager
Product Manager
Finance Project Manager
Compliance and Security Analyst
Data Protection Administrator
SOC Analyst
Group Head of Security Engineering and Product Security
Vice President Cyber Security
IS Security Support Engineer
Payments Strategy Associate
Cyber Security Consultant
Head of Information Security Assurance
Head of Information Security
Director of Information Security
Senior Security Manager
Senior Information Security Manager
Data Protection/Cyber Security Manager
IT Security Manager
Payment Security Manager
Compliance and Audit Manager
Card Systems Specialist
Information Security Consultant
Senior GRC Operations Analyst
Information Security Manager
Cyber Security Risk and Compliance
Payment Operations and Assurance Manager
Security Operations Lead
Information Security Manager
Cyber Intelligence Specialist
Lead Cyber Authority
IT Security Manager
Digital Safety Compliance Analyst
Information Security Manager
IT Compliance Manager
SOC Manager
Group Application Security Manager
Head of Data Protection and Privacy
Cyber Security - OT Security Product Manager
Information Security Risk & Assurance Specialist
Cyber Security Change Manager
Head of IT Compliance
Information Security Analyst
Information security Manager
IT Risk and Compliance Analyst
Head of Group Management Services Europe
Cybersecurity Security
Cybersecurity Manager
Cyber Security Operations Lead
Team Lead, Card Systems UK and Ireland
PCI DSS Compliance Lead
Senior Cyber Security Analyst
Payments Acceptance Manager
Project Manager
Cyber Governance Consultant
Head of Security Risk, Assurance & Compliance
Assistant Manager Internal Audit
Assistant Manager Internal Audit
Group Data Protection Officer
Senior Manager Information Security
Head of Cyber Regulation and Policy
Domain Architect-Payments
Head of Cyber Development and Assurance
Cyber Compliance Analyst
Group Data Protection Administrator
CISO
Head of Data Engineering & Data Platform
Payments Compliance Product Owner
Senior Manager-Cyber Security
Director of Security Strategy and Governance, Risk & Compliance
IPR Analyst
Senior Infrastructure Security Architect
Information Security Manager
Director of IT
Payment solution designer
Cloud Security Threat & Vulnerability Specialist
Internal Audit Manager
Editor
Head of Global Cyber Security
Cyber Security Analyst
Cyber risk and compliance analyst
IS/IT Audit Manager
UK Security Operations Manager
Product Manager (Compliance Frameworks)
Platform Security Manager
Global PCI Lead
Cyber Security Architect
Digital Safety Compliance Manager
Cyber Security Manager
Global Head of Cyber Governance, Risk and Control
Lead Security Architect
Security Compliance Manager
Head of Information Security Services
Cyber Security Manager
Director, Security Operations
Information Security Risk and Assurance Specialist
Associate Director
Cybersecurity
Head of Security and Compliance
Head of DevOps
CISO
Principal Cloud Security Engineer
Chief Information Security Officer
Cyber Risk & Assurance Manager
Head of Security Data Science
Information Security Manager
Project Manager - Cyber Security
Head of Information Security
Cyber Security Analyst
Identity and Security Analyst
Security Consultant
Solution Architect - PCI

Companies

EasyJet
Formula 1
Vodafone
BT
Pennon Group
Ocado
Which?
Brambles Industries
Hutchison 3G UK Ltd t/as Three UK
Tata Communications
Sky
IMG Media Limited
Wejo
Which?
Virgin Media O2
Trainline
Heathrow
Pearson
BP
Sky
BBC
Network Rail
Toyota PLC
Vodafone
Post Office
BP
Sky
Virgin Media O2
EasyJet
A.P. Moller - Maersk
South Western Railway
British Car Auctions (BCA)
Hutchison Whampoa (Europe) Limited
Manchester Airports Group (MAG)
National Highways
Hutchison 3G UK Ltd t/as Three UK
Sky
Informa
Pearson
BBC
The Walt Disney Company
Hutchison Whampoa (Europe) Limited
National Grid
BT
Wessex Water plc
Valero Energy Corporation
Virgin Media
Sky
SSEN Transmission
RATP Dev
Virgin Media O2
BP
Pearson
Sky
BBC
Cadent Gas
National Grid
Constellation Automotive Group
DPD (UK)
BP
Informa
Transport for Greater Manchester (TfGM)
Associated British Ports
Network Rail
Rail Delivery Group
Informa
Transport for London (TfL)
International Airlines Group (IAG)
BT
Sky
BBC
OVO Group
British Airways
Tesco Mobile
Contact Centre Panel
Communisis
Hutchison 3G UK Ltd t/as Three UK
Aston Martin Lagonda Limited
OVO Group
Virgin Media O2
Sky
Ocado
Reward Gateway
Hutchison 3G UK Ltd t/as Three UK
Rail Delivery Group
DHL
North Sea Transition Authority
Vodafone
South Western Railway
Sky
BT
British Car Auctions (BCA)
Toyota PLC
Manchester Airports Group (MAG)
Transport for London (TfL)
Trainline
BBC
Post Office
Scottish Water
UK Power Networks
Trainline
Hutchison Whampoa (Europe) Limited
Pearson
ETEL (European Tyre Enterprise Ltd)
Sky
Virgin Media O2
BP
Vodafone
Hutchison 3G UK Ltd t/as Three UK
TieTa
WPP Group
Giffgaff
Avanti West Coast
M&C Saatchi Ltd
Formula 1
The AA
OVO Group
Cadent Gas
Sky
Arriva Group
Associated British Ports
Delinian Limited
Alesther
Springer Nature
Ocado
Delinian Limited
Telia Company
M&C Saatchi Ltd
Sky
Hutchison Whampoa (Europe) Limited
British Airways
Valero Energy Corporation
Virgin Media O2
BT
FedEx
Transport for Greater Manchester (TfGM)
ETEL (European Tyre Enterprise Ltd)
Constellation Automotive Group
Hutchison Whampoa (Europe) Limited
Financial Times (FT)
Communisis
Pearson
A.P. Moller - Maersk
Vodafone
Heathrow
British Airways
Woven by Toyota
Sky
ETEL (European Tyre Enterprise Ltd)
Transport for London (TfL)
Pearson
Trainline
TieTa
Vodafone
Post Office
Liberty Global
Virtually Informed
Condé Nast
Cadent Gas
Manchester Airports Group (MAG)
WPP Group
Sky
Taylor & Francis Group
Pearson
BP
Virgin Media O2
Vodafone
Hutchison Whampoa (Europe) Limited
BBC
Penguin Random House
British Airways
Sky

Employee Size

10,000+
10,000+
10,000+
1000-1999
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
5000-9999
10,000+
10,000+
10,000+
10,000+
10,000+
500-999
3000-4999
10,000+
100-499
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
5000-9999
100-499
10,000+
100-499
3000-4999
1000-1999
1000-1999
5000-9999
10,000+
5000-9999
10,000+
10,000+
3000-4999
1000-1999
1-99
10,000+
10,000+
1000-1999
10,000+
1000-1999
10,000+
10,000+
10,000+
10,000+
3000-4999
1-99
1000-1999
5000-9999
3000-4999
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
500-999
3000-4999
10,000+
10,000+
1000-1999
10,000+
10,000+
10,000+
1000-1999
10,000+
500-999
5000-9999
100-499
10,000+
100-499
10,000+
2000-2999
10,000+
10,000+
1000-1999
500-999
5000-9999
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
5000-9999
10,000+
2000-2999
1000-1999
10,000+
5000-9999
10,000+
5000-9999
1000-1999
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
1000-1999
10,000+
10,000+
10,000+
5000-9999
1000-1999
5000-9999
10,000+
10,000+
10,000+
3000-4999
10,000+
10,000+
10,000+
5000-9999
10,000+
3000-4999
10,000+
1000-1999
10,000+
10,000+
10,000+
10,000+
10,000+
10,000+
100-499
10,000+
5000-9999
10,000+
Jan-99
5000-9999
5000-9999
5000-9999
10,000+
1000-1999
3000-4999
10,000+
10,000+
10,000+
5000-9999
1000-1999
10,000+
10,000+
2000-2999
10,000+
500-999
10,000+
5000-9999
10,000+
10,000+
3000-4999
100-499
500-999
10,000+
10,000+
5000-9999
10,000+
10,000+
10,000+
10,000+
10,000+
500-999
10,000+
5000-9999