Cybersecurity – a question of tackling the symptoms, not the causes?

26 February 2018 • 4 min reading time

Whether it’s about the vulnerability of vital infrastructure to foreign hackers, or about waterway locks that are monitored digitally, the message is the same – cybersecurity in the Netherlands is below par. In consequence, it receives extensive media coverage. Because we still do not realise that systems are infinitely interconnected, the response amounts to no more than tackling the symptoms, rather than the causes. TNO has developed various methods for addressing the causes.

Andre Smulders, Senior Consultant Security

Where does the system start, and where does it end? When considering the cybersecurity of systems, we immediately think of securing a clearly defined object, such as a waterway lock, a smart fridge, or a driverless car. However, the boundary of a digital system does not end at the physical limits of the object in question. If the lock, fridge, or car is controlled and maintained remotely, then the systems that are needed for those purposes form part of the digital infrastructure.

Additional approach for digital security

An approach based on such an apparently stand-alone device is therefore not sufficient to gain a full view of the digital security risks. To prevent us from becoming bogged down – as a result of this approach – in an infinitely expanding network of interconnected devices, an additional approach towards digital security is needed.

“A modern approach towards dealing with cybersecurity has to be an integrated one. To this end, TNO has developed a range of methods, such as networked risk management”

Everyone has a responsible part to play

In practice, the interconnected parts come under the control of various stakeholders, from Rijkswaterstaat to the Ministry of Justice and Security, and from car dealer to energy supplier. Each party – be it a company, consumer, or the government – has its own responsibility here. We should therefore view digital security not just from the perspective of technology, but also from the organisational position of the various stakeholders. It is only an approach of this kind that provides avenues for keeping this ever-more complex and dynamic issue manageable and controllable.

Gaining control of risks

Because technical components are increasingly controlled by different organisations, any modern approach towards dealing with cybersecurity has to be an integrated one. To this end, TNO has developed a range of methods. An example is that of networked risk management – a method with which we help businesses to regain control of their tasks and risks. Another is supply-chain resilience – a step-by-step plan that helps supply chain organisations strengthen their cybersecurity.

Safe removal from the digital domain

What we certainly still hear too little about is the possibility of removing from the digital domain those products and services that can no longer be kept secure. The solution is ‘security by design’; that is, inherently secure designs, rather than resolving security issues as they occur later on. However, this does require some effort on the part of the parties involved. It is the task of the government to facilitate this in its security policies, as this concerns an overall problem that cannot be resolved by individual parties or any particular sector.

Secure system modification

And how can systems be tested and modified securely? Different application areas require a different approach. What may be a no-brainer in one environment may cause headaches in another. In a domestic setting (where the availability requirements are negligible), for example, it is easy to apply the principle that systems should have the most recent updates. But for a system that has to be available all the time, the decision as to whether to change it with a security update is often a real dilemma.

Testing effects

The dilemma becomes even more acute when the effect of a change cannot be tested, or cannot be tested in full. For consumer products, which are often made in large quantities, there are sufficient test copies available. However, setting up a testing system for a unique product such as a lock on a waterway is more of a challenge. What local authority can afford a ‘test lock’ in order to check updates? The fact that suppliers are also struggling with this issue is evident from the instability of systems of suppliers in the processing industry. This instability arose after systems were patched against the Meltdown and Spectre vulnerabilities.

The focus on obvious measures is a good thing. Many weaknesses are resolved proactively. Nonetheless, we have to guard against blind spots arising in relation to the often specific conditions that system owners have to deal with.

Differentiated cybersecurity approach

A large group of experts is hard at work, endeavouring to keep the Netherlands secure. But what is really needed is to get that knowledge and expertise applied more broadly, to prevent the experts from being overwhelmed. That requires a differentiated approach to cybersecurity, one that takes account of the increasing interconnectedness of technology and the growing number of stakeholders. Cybersecurity plays a part in every stage of the lifecycle of systems. One urgent issue is how to dispose of such systems at the end of their lives without compromising security.

TNO helps control the risks

At every stage of the life of digital devices – from design and use all the way to disposal – there are leverage points for helping improve security. If we fail to pay them sufficient attention, then we will soon be faced with a large quantity of non-secure digital infrastructure, and we will remain vulnerable at every level. Together with organisations in the critical sector, TNO is pleased to be helping identify and control supply chain risks, even if these chains are becoming more and more complex.
