Written evidence submitted by Thales
Introduction
Thales is a global defence and technology business operating across the Defence, Digital Identity and Security, Aerospace and Space markets. Worldwide we employ over 80,000 people across 68 countries, with over 7,000 people in the UK, across all four nations.
The enduring aim of Thales is to exploit technology for the nation’s benefit. Our high-tech solutions, services and products help companies, organisations and governments to achieve their goals and ambitions.
In the Digital Identity and Security space, Thales brings trust and confidence to the connected world with expertise in physical and digital payment credentials and digital banking security. Over 3,000 financial institutions rely on Thales to protect their payment and banking services, and $1 trillion of interbank fund transfers per day is protected with our data encryption platforms.
Thales focuses on bringing high-tech jobs that drive balanced, sustainable growth, contribute to building inclusive economies, and deliver prosperity to people across the UK.
Thales and cyber
- As the European leader in cybersecurity and the world leader in data protection, Thales works with organisations to help them meet their cyber security needs, regardless of their field of activity, the criticality of their data or any country-specific regulatory requirements. We deliver cybersecurity that brings value to their core business and enables them to capture digital dividends, while understanding the operational dependencies upon their data and digital systems and the most effective means of maintaining operational resilience.
- In the UK, Thales is focussed on cyber security and cyber resilience, protecting Defence, Government and Critical National Infrastructure (CNI) across Information and Operational Technology. Whilst cyber security works to minimise the opportunities for a cyber-attack to occur, cyber resilience relates to putting measures in place so that one can effectively identify, respond to and recover from an attacker who manages to breach cyber defences, and maintain the critical functions and outputs of digital systems. In order to have successful cyber defences, both security and resilience must be considered.
- Centred at our campus in Ebbw Vale, South Wales, and supported by Welsh Government and academia, Thales’ Global Centre of Excellence for Operational Technology exists as a cornerstone of Thales’ cyber capabilities within the UK and aims to support the Welsh Government’s programme of digital investment and transformation.
- The first research and development facility of its kind in Wales provides the perfect setting for SMEs and microbusinesses to test and develop their digital concepts while big multinationals can benefit from use of the research lab to develop major technology advances and exploit the global opportunities of digital transformation.
- Gareth Williams, Thales’ VP for Operations & International Development in our Cyber Defence Solutions Business Line, sits on the UK Government’s National Cyber Advisory Board, working with the Government to support the nation’s cyber resilience and preparedness against changing threats and risks.
The extent and nature of the ransomware threat (including sources), modes of extortion, and how the threat could evolve in future;
- All of the evidence supports a continuing increase in the volume and complexity of attacks on businesses across the spectrum. The geopolitical landscape is very challenging and from our threat intelligence, we are seeing that there is increased activity across all of the critical national infrastructure sectors.
- The Thales 2022 Data Threat Report found that malware and ransomware are the leading sources of security attacks for critical infrastructure organisations and high-impact sectors such as oil and gas. The threat is becoming more complex and more accessible, and we expect this upward trend to continue.
- There is a clear shift in emphasis to include all aspects of Operational Technology as well as Enterprise Information Technology, through the development of increasingly sophisticated toolsets and playbooks for gaining access to these systems in every market sector.
- There is a lot written about the IT aspects of ransomware but increasingly we are seeing the attackers move towards targeted attacks on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) technology. This change is significant for CNI which relies heavily on this kind of Operational Technology (OT) to make the UK function.
- The latest and 7th iteration of ICS-specific malware, PIPEDREAM, was discovered earlier this year and specifically targeted ICS. This follows INDUSTROYER2, STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE and TRISIS. Whilst not specifically “Ransomware”, it is important to recognise that Operational Technology is now being directly targeted, and the potential for links to ransom demands is clear.
Levels and sources of vulnerability of UK organisations to ransomware, including operators of critical national infrastructure;
- If an attacker can penetrate systems, they can launch either a direct attack or, in many cases, a ransomware attack, since they have access to the systems. Typical ransomware exploits two effects: data leakage and denial of access to data at rest.
- For both direct and ransomware attacks, you need to quickly spot that someone is in your systems and have a strategy for dealing with the attack. One of the growing challenges we see is the complexity of systems and choices, exacerbated by a fast-paced threat environment. Security and resilience are a risk-driven calculus, but how do you assess the benefit and implications of the multitude of choices?
- Thales sees the use of hybrid physical and synthetic environments to model, simulate and inform organisations as a key vehicle for decision support: prior to incidents, when deciding upon security and resilience approaches and choices; in preparing forces to defend (detect and respond); and in post-incident analysis.
- Previously, sectors such as automotive, energy and critical manufacturing lived in isolation and for many years this was a position of comfort. Increasingly, we are seeing operational technology become more interconnected, more interdependent and, therefore, more vulnerable.
- The increased uptake of electric vehicles, and drive for that to continue from Governments to support Net Zero targets, combined with the general energy supply and demand characteristics becoming more challenging, means that there is a clear need to share information. The interdependence of one sector on another demands that information relating to energy generation, transmission, distribution and storage will have to be shared with the electric vehicles themselves in order to enable the adaptive system to cope.
- Additionally, the manufacturing processes of key industries are becoming increasingly digitally controlled and connected, directly or indirectly, to the internet. The manufacture of food and beverages, medicines and chemicals are examples of areas where there would be a significant impact on society if manufacturing were constrained or halted by a ransomware attack.
- In general, the interconnected and smart world around us is becoming one large, complex operational technology ecosystem. Cyber security and resilience of increasingly connected systems will need to be underpinned by trust: trust in the interacting entities (people, devices etc.) and trust in the provenance and integrity of data.
- Thales believes that moving towards a Zero Trust architecture should be the first step. Zero Trust is a security model that requires strict identity verification and moves the decision to authenticate and authorise closer to the resource. It also means that organisations need absolute control of data and the cryptographic keys to data encrypted in the cloud. We see countries such as the United States bringing in regulations for their agencies to implement Zero Trust architectures.
- Encrypting or stealing information for financial gain is only one outcome of a successful attack, so we should recognise that the same attacks (exploitable vulnerabilities, techniques etc.) could be used to cause wider issues within targeted systems. This is particularly pertinent for cyber-physical systems, where the potential impacts an attacker could achieve are greater and carry safety implications.
- Vulnerability exposure and remediation for ICS can be much harder. It is not uncommon within the CNI sector to find aging systems with long operational life that are not routinely updated, monitored or assessed. The systems themselves were often conceived, built and installed when cyber security understanding was very low, and yet have iteratively expanded, often with addition of remote connections or new capabilities interconnected to the legacy system.
- Over the next 12 months, we expect to see an increase in such complex ecosystems, which will require fresh imagination when it comes to their approach to information-based cyber security architecture.
The UK victim experience, including sources of support for prevention, detection and recovery, public-private partnerships, the role of the media, access to and availability of insurance cover, and regulatory requirements placed on ransomware victims;
- As a global leader in cybersecurity and operational technology, Thales feels that it is important to state that being a victim of ransomware or other cyber-attacks does not denote a business as being a “bad business”.
- The resources available to would-be attackers are significant, and the bottom line is that one cannot protect oneself from every eventuality, especially whilst trying to run an efficient and effective operation. Attackers will focus on the weakest link, which may be inside the company or, if they fail there, in a supplier or partner. The impact on the business can be the same, so it is not just about one’s own company but the whole supply chain.
- Whilst understanding risk and security is very important, the critical thing that businesses and organisations should be measured on is their ability to detect, respond to and recover from these attacks when they happen. This is the essence of resilience and is what we should be focussed on.
- There is a wide range of options available for organisations to protect themselves and enhance their resilience; what’s important is that they recognise the need to protect against threats such as ransomware in the first place, because it is not a case of ‘if’ but ‘when’ they will be subject to a cyber-attack. Many companies focus just on protection as their solution to ransomware and don’t ask the question of how they would cope when it does occur.
- From the response perspective, we are seeing more and more businesses now engaged with operational technology security and resilience programmes. Businesses are typically going through a cycle where the first stage is to understand and map out what they have in their estate. After this, it is about understanding the extent of the risk and how you close the risk gap before you move on to the detection and response capabilities so that you can respond to, and recover from, any events that might happen in an organisation.
- It is good to see that there are many companies now engaging in this process. Some companies are at much earlier stages than others, but we expect to see this continuing to mature into the future.
Reforms that might enhance the UK’s resilience to ransomware, reduce the economic and societal damage that it causes, and/or support the law enforcement response;
- There is a need for a focus on operational cyber resilience and not just cyber security. Government should help move the agenda from the identification of potential vulnerabilities or attacks towards encouraging the instruments of government and our critical national infrastructure to make changes and mature their approach to the whole subject of resilience.
- This would necessarily include risk assessment, architecture, secure by design, verification and validation, and in-service maintenance in both the information and operational technology domains.
- It is important to note that resilience cannot be achieved by technology alone; there is a genuine need for more widespread awareness, exercising and testing of the infrastructure, and for a better understanding of how owners and operators of critical national infrastructure can measure their resilience and the effectiveness of their measures. This can be done at business level but should also be considered at a wider CNI level across sectors.
- The NCSC Operational Technology National Laboratory concept would go a large way to addressing this in the operational technology domain and should be supported fully.
- Thales believes that there is a need for increased regulatory influence over CNI owners and operators to ensure they engage with the need for increased resilience in their operations. This does not need to be prescriptive, as prescriptive regulation will not be agile enough to evolve with changes in the threat and environment, but there should be mandated principles of resilience, secure by design, monitoring, detection, response, recovery, etc. Essentially, the mandate should be for some form of demonstrable resilience and maturity in the Cyber Security Management System.
- The days of simply applying a list of security controls should be behind us; a structured approach, driving system-level Threat and Risk Assessment linked to business value, is essential.
16 December 2022