Whether it’s about the vulnerability of vital infrastructure to foreign hackers, or about waterway locks that are monitored digitally, the message is the same – cybersecurity in the Netherlands is below par. As a consequence, the topic receives extensive media coverage. Because we still do not realise that systems are infinitely interconnected, the response amounts to no more than tackling the symptoms, rather than the causes. TNO has developed various methods for addressing the causes.
Where does the system start, and where does it end? When considering the cybersecurity of systems, we immediately think of securing a clearly defined object, such as a waterway lock, a smart fridge, or a driverless car. However, the boundary of a digital system does not end at the physical limits of the object in question. If the lock, fridge, or car is controlled and maintained remotely, then the systems that are needed for those purposes form part of the digital infrastructure.
Additional approach for digital security
An approach based on such an apparently stand-alone device is therefore not sufficient to gain a full view of the digital security risks. To prevent us from becoming bogged down – as a result of this approach – in an infinitely expanding network of interconnected devices, an additional approach towards digital security is needed.
“A modern approach towards dealing with cybersecurity has to be an integrated one. To this end, TNO has developed a range of methods, such as networked risk management”
Everyone has a responsible part to play
In practice, the interconnected parts come under the control of various stakeholders, from Rijkswaterstaat to the Ministry of Justice and Security, and from car dealer to energy supplier. Each party – be it a company, consumer, or the government – has its own responsibility here. We should therefore view digital security not just from the perspective of technology, but also from the organisational position of the various stakeholders. It is only an approach of this kind that provides avenues for keeping this ever-more complex and dynamic issue manageable and controllable.
Gaining control of risks
Because technical components are increasingly controlled by different organisations, any modern approach towards dealing with cybersecurity has to be an integrated one. To this end, TNO has developed a range of methods. An example is that of networked risk management – a method with which we help businesses to regain control of their tasks and risks. Another is supply-chain resilience – a step-by-step plan that helps supply chain organisations strengthen their cybersecurity.
Safe removal from the digital domain
What we certainly still hear too little about is the possibility of taking products and services that can no longer be kept secure out of the digital domain. The solution is ‘security by design’; that is, inherently secure designs, rather than resolving security issues as they occur later on. However, this does require some effort on the part of the parties involved. It is the task of the government to facilitate this in its security policies, as this concerns an overall problem that cannot be resolved by individual parties or any particular sector.
Secure system modification
And how can systems be tested and modified securely? Different application areas require a different approach. What may be a no-brainer in one environment may cause headaches in another. In a domestic setting (where the availability requirements are negligible), for example, it is easy to apply the principle that systems should have the most recent updates. But for a system that has to be available all the time, the decision as to whether to change it with a security update is often a real dilemma.
The dilemma becomes even more acute when the effect of a change cannot be tested, or tested in full. For consumer products, which are often made in large quantities, there are sufficient test copies available. However, setting up a testing system for a unique product such as a lock on a waterway is more of a challenge. What local authority can afford a ‘test lock’ in order to check updates? The fact that suppliers are also struggling with this issue is evident from the instability of systems of suppliers in the processing industry. This instability arose after systems were patched against the Meltdown and Spectre vulnerabilities.
The focus on obvious measures is a good thing. Many weaknesses are resolved proactively. Nonetheless, we have to guard against blind spots occurring in relation to the often specific conditions that system owners have to deal with.
Differentiated cybersecurity approach
A large group of experts is hard at work, endeavouring to keep the Netherlands secure. But what is really needed is to get that knowledge and expertise applied more broadly, to prevent the experts from being overwhelmed. That requires a differentiated approach to cybersecurity, one that takes account of the increasing interconnectedness of technology and the growing number of stakeholders. Cybersecurity plays a part in every stage of the lifecycle of systems. One urgent issue is how to dispose of such systems at the end of their lives without compromising security.
TNO helps control the risks
At every stage of the life of digital devices – from design and use all the way to disposal – there are leverage points for helping improve security. If we fail to pay them sufficient attention, then we will soon be faced with a large quantity of non-secure digital infrastructure, and we will remain vulnerable at every level. Together with organisations in the critical sector, TNO is pleased to be helping identify and control supply chain risks, even if these chains are becoming more and more complex.
For more information, please contact Andre Smulders