
Understanding Cyber Security Threats and Challenges in Protecting Critical Infrastructure

BSides Prishtina · 2022 · 31:23 · 171 views · Published 2022-05
Style: Talk
About this talk
Many developing countries are experiencing enormous growth in Internet capacity and in the use of Internet-based technologies, and Kosovo is no exception; in fact, Kosovo ranks among the countries with the highest internet penetration rate in the Balkan region. As Kosovo aims to reap the benefits of increased availability of internet access and clever technological innovations, one of the country's top objectives should at the same time be the assessment of the overall cybersecurity posture of its critical infrastructure (CI). CI is the body of systems, networks and assets so essential that their continued operation is required to ensure the security of a nation, its economy, and the public's health and/or safety. Damage to CI, or its destruction or disruption, whether by natural disasters, terrorism, criminal activity or malicious behavior, may have a significant negative impact on the country's security and the well-being of Kosovo's citizens. In his talk Arian covers two CI sectors, (1) the telecommunications sector and (2) the financial services sector, focusing on reducing the cyber vulnerabilities of CI and increasing its resilience.
Transcript [en]

It's been great to see some of my old friends and also to meet some of the new ones here. As you heard, the good news is that I'm the last speaker for the day, so you get to go home after this. The bad news is that the first edition of BSides Prishtina is coming to an end. With that said, I would like to thank the host, the University of Prishtina, and the organizers who did the logistics behind it, but most importantly I want to thank all of you, especially the international speakers that we had, who took their time and effort to come here to share their knowledge. So thank you, and let's give yourselves a

round of applause. [Applause]

So before I get started, let me briefly introduce myself. I lived abroad for 17 years and moved back to Kosovo about six years ago. I don't have a formal information or cyber security education. Initially I was into systems and networks, then I decided to go to the business side of it and went into IT audit and GRC; I used to work for PwC and for Deloitte before. Transitioning to information security was kind of natural, and I've been enjoying it since then. By the way, since I'm the last speaker, I got to choose my topic. I didn't want to repeat myself; I wanted to touch on something

that is a little bit different: critical infrastructure, and what some of the threats and some of the challenges are. This presentation is tailored more to Kosovo's situation and circumstances, where we are and what we need to do. The picture that you are seeing here was taken, I believe, in 2021 at the Geneva summit between President Biden and Putin. It was then that President Biden handed over a list of critical infrastructure sectors that are off limits. According to CISA, the US federal agency, there are 16 sectors, and we're going to be looking at those later on. But before I get any further, let me briefly explain, for those

that are not very familiar with what critical infrastructure is: it's basically systems and assets that are vital to national defense, national security, economic security, public health and everything else, and these can be either public or private institutions. The Cybersecurity and Infrastructure Security Agency, a US agency, has identified 16 critical sectors. I have listed here only a few of them: telecommunications, financial services, the energy sector, water management, and so on and so forth. So now that we know what critical infrastructure is, let's dive deeper and look at why they are prone to attack, what the risks are, what the challenges are. So mostly, but not necessarily, as geopolitical tensions rise there is

escalation, and you see that spike in the number of attacks. Lately we have seen it with the Russian invasion of Ukraine, but honestly cyber attacks on critical infrastructure go way back. Maybe the most perfect example we can give is Stuxnet. It's pretty old, it happened about 12 years ago, but it's still very important, and I like to take it as an example of how prone all sectors are to such attacks. For those that are not familiar: in 2010 it was discovered that Iran's uranium enrichment plant was attacked. At that time, obviously, these were all plants that are isolated; you don't have direct internet

access to those, mostly they have this air gap, this buffer zone with physical security. So somehow a USB got smuggled in, a Windows OS zero-day vulnerability was exploited, and from there on they could control the Siemens system by changing the centrifuge speed. A very sophisticated cyber weapon when you think about it, and this happened 12 years ago at least; we have known about it since 2010, and most likely it happened even earlier than that. Another, more recent case is the Colonial oil pipeline, which happened last year. It's one of the largest pipeline systems in the US, and it was a victim of ransomware, and 11,000 gas stations were without gas.

What that created was that prices went up and there was panic. Those that live in the US or have family in the US can maybe have a more vivid memory of it.

So why now? Operational technology, which by the way refers to the computer systems that are used to manage these plants, used to be separated from IT. Before, they were in silos. Now, with the evolution of industry, especially with Industry 4.0 technology, we start to see this convergence of putting additional devices on the network, and all of a sudden this buffer, this air gap, is starting to fade until there is no segregation at all between OT and IT. Today, or not just today but for a very long time now, we live in a digitized world, a world where we have complex software, networks, etc. Things are becoming more integrated,

and what that means is that as the complexity grows, the risk is going to grow as well. At the same time, this is the industry evolution, and one of the reasons why this is happening right now, why we are seeing more attacks, is that, at least in developing countries, they are moving from Industry 3.0 to Industry 4.0. Industry 4.0 refers to a new phase in the industrial revolution that focuses heavily on interconnectivity, automation, machine learning and so on. So now the businesses are feeling this pressure of keeping up and maximizing their profits, and they go in without realizing the full risks and challenges that they're going to be facing and what

it takes in order to mitigate some of those risks. Threat actors remain the same. Some of the challenges, or at least some of the main challenges: first is awareness, so there's limited knowledge. The OT systems are old systems; they are vulnerable, and we don't even know that they are vulnerable or what it takes in order to fix them. Second is visibility: there's little insight into how to protect these OT systems and what it takes. And because they play a critical role in our lives, mostly the people who operate them tend to let stability take priority over security: if it's not broken, don't fix it, leave it

there. I already mentioned segmentation, but let me go back to maintenance. These are legacy systems that, at the time when they were built, were not built with security in mind. There are no patches, or if there are patches, as I said, they might think "oh, this is going to affect our stability, let's leave them, let's postpone them." Obviously the speakers before talked about incident response, but they were talking about modern IT. Think about it: if you are operating an energy plant and you want to conduct, for example, an exercise of how you're going to respond to an incident, do they have any playbooks? Do they have

any processes in place for those things? Maybe they do in some of the countries; here in Kosovo we're going to look later at how that plays out. Overall it's a lack of governance of how OT and IT are going to come together. So let's look at Kosovo's critical infrastructure. As of April 2019 the critical infrastructure law was passed and enforced, but implementation in practice is quite challenging and remains a challenge. We have one strategy and two laws that are still in draft. For example, we have a cyber security strategy which is outdated, and it was outdated three years ago, so can you imagine a gap of three years:

we don't have a strategy. And again, a strategy is something that you can easily put on paper, but then going and implementing and executing it is quite challenging. So we do have the critical infrastructure law; however, the law on cyber security is still in draft, and the other law, on the security of networks and information systems, is also still in draft. I'm not sure, at least I'm not aware, whether the government of Kosovo has harmonized them. I know that there are working groups for each of the strategy and the two laws, but I don't know if they are talking to each other to see how

they can harmonize these laws. If we don't have laws in place, I don't think that anybody is going to go on their own will and take all the effort. So Kosovo has 11 sectors: dangerous goods, energy, financial services, food facilities, healthcare, ICT, national values, public services, transport and water supply. I did look at the law, and something really stands out from the list. I don't know if you can see it well; do you guys think that anything stands out from the list? Maybe it's just me, but I was looking at "national values", number eight. What is that? What does that entail? There was no explanation in the law; it

was just listed as "national values", whereas we are talking about critical infrastructure, something that is critical, and if it's hit then we're going to suffer. But it's still there. So, for good or for bad, the majority of CI sectors in Kosovo are not yet digitized. I'm saying for good or for bad because if they were digitized, I'm not sure if we would have enough resources, whether human resources or enough budget allocated, in order to address some of the challenges that we are facing today. But for how long? I know that there is pressure on us, not only as a country. A couple of years ago there was a new energy plant that was going to be built; I

don't know what happened to it, but we as a society, as a newborn country, when we are putting these out for procurement, we should know what we are requiring, what it takes for those plants, whatever sector it is, to maintain them: who's going to maintain them, how much it's going to cost, how we're going to fine-tune them and everything else. We know well that nothing is out of the box; those that are very technical know that you don't have a solution that comes out of the box. So today I'm going to focus on only two sectors: financial services and telecommunications, the ISPs. So in comparison with other critical

infrastructure sectors, financial services is overall more resilient in terms of its ability to prevent and respond to cyber incidents. Why? Maybe it's just because of its nature. Some of the banks, most of the banks, all of the banks in Kosovo at least have e-banking, and once you have e-banking you open yourself up to all of these threats, so even if you don't want to, you are forced to take action. Some of the banks in Kosovo are part of international groups (I have listed some of them), so they do help to put some of the policies and procedures in place; they have a bigger budget to spend, and they bring this

cyber security culture with them and instill it into the banks here in Kosovo. And let's not forget the CBK has an IT regulation that was enforced a couple of years ago, in March of 2020, and then there was a six-month grace period for banks to adopt it and go by it. Once in a while the CBK will go around the banks and perform assessments of whether they are in compliance with this regulation. So I think the financial sector, in comparison to the other sectors, stands much better off than the rest of the sectors. On the other hand, we have smaller

banks which have budget constraints, and it's challenging to give information security a priority. There's a huge staff turnover rate; usually people go from one institution to another institution. And let's not forget we have these international companies that come in, and it's good that they come in, we want them to come in, but they can afford better wages, and then the staff, it's normal, they get paid more and they go there. And lastly it's brain drain. It's not only Kosovo that is experiencing that but most of the Balkan countries, where people would rather choose to go and live and work in Western Europe or in the US rather than stay

here in Kosovo. Banks, at least, and I know that in some of the government authorities there are these bodies, but mostly the private sector does not count on government authorities or does not see them as a strong partner, simply because the government authorities again don't have enough budget in order to hire and retain that talent. So in most of the cases, if they come across a security incident they will report it to government authorities, but there isn't much that government authorities can offer to the private sector. And then the telecommunications sector. So maybe from an architecture standpoint, what has been pretty good about

Kosovo is that the internet penetration rate is above 90 percent, and that's great, and that's thanks to the ISPs that have the backbone infrastructure. International connectivity is diversified, so they are not going all in on one line; ISPs don't rely on the same transit lines, and they have developed national fiber infrastructure that is largely independent from each other. On the other hand, most of the ISPs are still at an early stage of readiness to cope with potential disruptions. I know that some of the ISPs are going and getting one of the ISO standards, 27001. The standard is great, but then again

that standard has to be maintained and not just be there on paper and looked at once a year. Most ISPs do not possess the advanced capabilities required to manage risk, and none of the ISPs have fully implemented the cyber security audit requirements as they were given by their regulator. With that said, we conduct all of our business online, and we do so through ISPs, so if the ISP is the weakest link, just think about it. A couple of months ago or so I was in my hometown, I'm from Peja, and my cell phone, my ISP and my cable TV are all

from the same provider, and for some reason the provider was down for five hours. It was during the weekend. You are used to having these cell phones and checking your email, checking alerts, what's going on. Can you imagine, during the daylight on a Saturday, being disconnected? You don't have internet, the ISP at home was down, your phone was down, and even the cable TV. So at that point I was thinking: is it a good thing to have everything through one provider? Maybe I should diversify them a little bit, you know, so at least if one of them goes down I have another ISP to

fail over to. So let's look at, very overall and high level, how we can build resilience, or at least start to think about building resilience. There's this triangle of people, processes and technology, and I think if one of them falls then everything is going to fall down. You can have great people, but if you don't have processes, or the other way around, if you have processes and people but you don't have technology. So for people, let's start by educating them, from whatever the highest level is, the board level, on down, about what the cyber security risks are. Usually the board level likes to hear

what it is going to cost them, and maybe you need to find that language and talk about it using those metrics. Then define roles and responsibilities for your workforce, and establish a cyber security training process. On the other hand, with processes, you need to define them well; before you define them you need to design them, and then you need to test them and see how these processes are operating, whether they are operating effectively. Sometimes you have a process that is operating effectively but it was designed badly, so you want to look at the design of those processes as well. I'm not going to go through the list because the previous speakers

already covered most of this stuff about developing the incident response plan, having the playbooks and doing regular simulation scenarios. And then obviously you need technology, as part of the architecture and infrastructure; you need some sort of technology, you cannot rely solely on people and processes. And the other way around, you cannot rely only on technology, for example leaving a SIEM there and hoping that you're going to get some sort of alerts, or an antivirus that will give you alerts. You also want to have people there, skilled people, trained people, who are going to do some threat hunting rather than wait for

alerts. So going further into this mindset of building resilience into critical infrastructure, I have put down a list of things; these are only a few of them, I know that this can be much longer, but maybe to start with a few of them. First, the public sector and the private sector need to work closely together. When it comes to the public sector, the government, we need to pass the laws on cyber security and critical infrastructure, and not just have something on paper, because as you know you can put everything on paper, but then when it comes to

implementing it, maintaining it, supporting it, it's either expensive or you don't have the people. And once you have it in place, don't just leave a piece of paper somewhere and wait for the time to come to review it; be more proactive, look at these laws, review them, don't wait another five years. I know that a strategy is three years or five years, but it's not something set in stone that cannot be changed. Mandatory adoption of some of the cyber security standards, at least for the CI sector: I have put two standards there, 62443 and also NIST, the US National Institute of Standards, cyber security

framework for critical infrastructure. If you're not going to make them mandatory, I highly doubt that companies are going to go there and implement them on their own, at least not all of them, not the majority, not even half of them. Who's going to go and invest? Only proactive companies that have the budget, that can sense the risk and can invest. But if you're going to leave them, if the market is not regulated, then nobody is going to go on a voluntary basis and implement these standards, because they are quite expensive and they require a very specialized skill set. And then, if needed, as I said for these laws

and strategies or whatever, let's act fast and review them continuously, not only on an annual basis. For example, we have the US; obviously their government is structured differently, where a president can issue an executive order, and so far I think President Biden has issued one executive order about improving the nation's cyber security, and CISA, the federal agency, has mandated a two-week window for patching serious vulnerabilities for federal agencies. Serious vulnerabilities within two weeks, that's huge. Here in Kosovo, for those that have experience in the public sector, it's not that we have something centralized; one ministry can be good,

the other one not that good, so we need something more like a centralized body. We do have a centralized body, which I'm going to come to in the next point, but maybe let's add a legal requirement to report cyber security incidents. The previous speaker mentioned one of the agencies that we have, the Agency for Information and Privacy. They do require by law that if any data is leaked then you have a time frame to report it, but obviously they are understaffed and they cannot go and investigate every single thing that's going on. Without a doubt, for both sectors

this cannot be done if we don't increase the cyber security spending budgets, and then, either within the private sector or the public sector or even as a joint venture, facilitate these strategic discussions about cyber security, either workshops such as this or maybe more cyber security conferences. And last but not least, maybe look into, I know that we saw before that we have this national CERT, but maybe let's look at creating a CERT for a specific sector, and let the institutions of that sector get together, exchange their know-how and their experiences, and learn from each other. This is a picture that I showed in my

presentation, the list of 16 critical infrastructure sectors that was handed to Putin by President Biden. I don't really believe that by saying that something is off limits they're going to say "okay, no problem, don't worry about it", because there's a famous saying from Niccolò Machiavelli in The Prince: the end justifies the means. So at the end of the day, especially nowadays, in the cyber warfare that we are living through, if you want to do something, if you want to get something, then they will justify it, and we have seen some horror scenes and stories from Ukraine. So by handing in that list I don't think that whoever it is, Russia, China,

Iran, is going to stand back and obey that order. With that being said, I don't want to keep you any longer. I know that it's been a very long day, but an enjoyable day, at least for me. I know that you guys want to get out; some of you are fasting and want to break the fast, so I'm going to stop here. If you guys have any questions, I'm happy to answer them.