Cybersecurity – a question of tackling the symptoms, not the causes?

26 February 2018 • 4 min reading time

Whether it’s about the vulnerability of vital infrastructure to foreign hackers, or about waterway locks that are monitored digitally, the message is the same – cybersecurity in the Netherlands is below par. As a consequence, the subject receives extensive media coverage. But because we still do not realise that systems are infinitely interconnected, the response amounts to no more than tackling the symptoms, rather than the causes. TNO has developed various methods for addressing the causes.

Andre Smulders, Senior Consultant Security

Where does the system start, and where does it end? When considering the cybersecurity of systems, we immediately think of securing a clearly defined object, such as a waterway lock, a smart fridge, or a driverless car. However, the boundary of a digital system does not end at the physical limits of the object in question. If the lock, fridge, or car is controlled and maintained remotely, then the systems that are needed for those purposes form part of the digital infrastructure.

Additional approach for digital security

An approach based on such an apparently stand-alone device is therefore not sufficient to gain a full view of the digital security risks. To prevent us from becoming bogged down – as a result of this approach – in an infinitely expanding network of interconnected devices, an additional approach towards digital security is needed.

“A modern approach towards dealing with cybersecurity has to be an integrated one. To this end, TNO has developed a range of methods, such as networked risk management”

Everyone has a responsible part to play

In practice, the interconnected parts come under the control of various stakeholders, from Rijkswaterstaat to the Ministry of Justice and Security, and from car dealer to energy supplier. Each party – be it a company, consumer, or the government – has its own responsibility here. We should therefore view digital security not just from the perspective of technology, but also from the organisational position of the various stakeholders. It is only an approach of this kind that provides avenues for keeping this ever-more complex and dynamic issue manageable and controllable.

Gaining control of risks

Because technical components are increasingly controlled by different organisations, any modern approach towards dealing with cybersecurity has to be an integrated one. To this end, TNO has developed a range of methods. An example is that of networked risk management – a method with which we help businesses to regain control of their tasks and risks. Another is supply-chain resilience – a step-by-step plan that helps supply chain organisations strengthen their cybersecurity.

Safe removal from the digital domain

What we certainly still hear too little about is the possibility of removing from the digital domain those products and services that can no longer be kept secure. The solution is ‘security by design’; that is, inherently secure designs, rather than resolving security issues as they occur later on. However, this does require some effort on the part of the parties involved. It is the task of the government to facilitate this in its security policies, as this concerns an overall problem that cannot be resolved by individual parties or any particular sector.

Secure system modification

And how can systems be tested and modified securely? Different application areas require a different approach. What may be a no-brainer in one environment may cause headaches in another. In a domestic setting (where the availability requirements are negligible), for example, it is easy to apply the principle that systems should have the most recent updates. But for a system that has to be available all the time, the decision as to whether to change it with a security update is often a real dilemma.

Testing effects

The dilemma becomes even more acute when the effect of a change cannot be tested, or cannot be tested in full. For consumer products, which are often made in large quantities, there are sufficient test copies available. However, setting up a testing system for a unique product such as a lock on a waterway is more of a challenge. What local authority can afford a ‘test lock’ in order to check updates? The fact that suppliers are also struggling with this issue is evident from the instability of systems of suppliers in the processing industry. This instability arose after systems were patched against the Meltdown and Spectre vulnerabilities.

The focus on obvious measures is a good thing. Many weaknesses are resolved proactively. Nonetheless, we have to guard against blind spots arising in relation to the often specific conditions that system owners have to deal with.

Differentiated cybersecurity approach

A large group of experts is hard at work, endeavouring to keep the Netherlands secure. But what is really needed is to get that knowledge and expertise applied more broadly, to prevent the experts from being overwhelmed. That requires a differentiated approach to cybersecurity, one that takes account of the increasing interconnectedness of technology and the growing number of stakeholders. Cybersecurity plays a part in every stage of the lifecycle of systems. One urgent issue is how to dispose of such systems at the end of their lives without compromising security.

TNO helps control the risks

At every stage of the life of digital devices – from design and use all the way to disposal – there are leverage points for helping improve security. If we fail to pay them sufficient attention, then we will soon be faced with a large quantity of non-secure digital infrastructure, and we will remain vulnerable at every level. Together with organisations in the critical sector, TNO is pleased to be helping identify and control supply chain risks, even if these chains are becoming more and more complex.
