TRANSCRIPT
MIGUEL GARCIA-MENENDEZ
iTTi | The [Digital] Accountability Think Tank
Spain
➢ Former control engineer and management consultant for some 20 years
➢ Currently runs iTTi | The [Digital] Accountability Think Tank
➢ Former member of the Board of the Industrial Cybersecurity Center (CCI)
@MGarciaMenendez
@iTTiresearch | iTTi | The [Digital] Accountability Think Tank
Kaspersky Lab’s 6th Industrial Cybersecurity Conference
Sochi (Russia). September, 20th, 2018
Miguel Garcia-Menendez (ES), Co-Founder & Chairman
iTTi | The [Digital] Accountability Think Tank
@MGarciaMenendez
An [almost] global Industrial Cybersecurity regulatory landscape
A 2+ decades’ career veteran, Miguel’s first job was in the steel industry as Head of MES & HMI at an engineering firm, where he soon became CIO. This let him know, first hand, the problems bound to Information/Operational Technology integration.
He has also been a consultant, auditor, lecturer and popularizer in management consultancy firms, universities and forums, from which he has helped other executives to fulfill their digital obligations.
Today, Miguel aims to help corporate Directors & Officers to understand their digital | cyber accountability.
You can follow Miguel’s professional interests as well as his musings via his Twitter account, @MGarciaMenendez.
Miguel Garcia-Menendez, Co-Founder & Chairman, iTTi | The [Digital] Accountability Think Tank
Novorossiysk (RU)
Gijon (ES)
Are we going to have a digitally-transformed industry to protect?
Musing #1
THE digital industrial company?
Prof. Thomas H. Davenport
Prof. George Westerman
Chart: GE's stock price 2011-2018 (USD)
Mr. John Flannery Mr. Jeffrey R. Immelt
Security is hardly digitally-transformed Industry’s 1st challenge. [Neither yours].
Provocation #1
The economy, the desirability of your products & your investors’ patience are.
Provocation #1 (cont.)
digitalFragility
dF = f(digital Density) = f(digital Dependence) = f(dD, lack of awareness)
digitalFragility: the quality of an organization that determines its susceptibility to suffer an incident of a digital nature which disturbs its activity (besides causing other consequences for people, assets or the environment), and of whose possible materialization the organization is not always aware.
Protection: everyone’s primary [& primitive] need.
Musing #2
Fort Alexandria
“National” Cyber Security Strategies (CSS)
Australia, Austria, Bangladesh, Belgium, Canada, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Dominica, Egypt, Estonia, Finland, France, Gambia, Germany, Ghana, Hungary, India, Ireland, Italy, Jamaica, Japan, Jordan, Kenya, Latvia, Lithuania, Luxembourg, Mexico, Montenegro, Namibia, New Zealand, Nigeria, Norway, Paraguay, Peru, Poland, Qatar, Romania, Russia, Rwanda, Saudi Arabia, Singapore, Slovak Republic, South Africa, South Korea, Spain, Switzerland, The Netherlands, Trinidad and Tobago, Turkey, Uganda, UK, USA, Zimbabwe
Source: ENISA, European Network & Information Security Agency
«NATIONAL»? Think twice …
Provocation #2
… and stop calling your CSS «NATIONAL», in a borderless [cyber] space.
Provocation #2 (cont.)
[almost] global
COUNTRIES: BE, DE, ES, FR, IT, NL, PT, RO, TR, UK, ZA, CN, SG, US, RU
not an easy task!
DOCUMENTS LANGUAGES
STRATEGIES REGULATIONS CODES
CS strategies analyzed
avoid the “I-want-my-own-strategy” presidential syndrome
Until recently [May, 15th, 2018], the US had no specific formal cybersecurity strategy [despite having been a CSS pioneer in 2003]. There have been several public policies, instead.
Russia started its InfoSec journey in 2000. An updated doctrine was approved in 2016.
an example for the rest of us
Germany, The Netherlands, Turkey, the UK and the US are the most veteran countries (more than one iteration) in developing CSSs.
Russia introduced the concept of Cyber Security Strategy for the first time in a draft released in 2014.
corporate directors are not in the policy-makers’ agendas
Only Spain, The Netherlands, Turkey and the UK have specific objectives or actions targeting Board members within their CSSs.
ICS cybersecurity is not in the policy-makers’ agendas
The CSSs of The Netherlands, Romania, Turkey and the US do not include any specific mention of Operational Technology at all.
Russia’s InfoSec doctrine does not include any reference to ICS cybersecurity either.
CIP regulations analyzed [pre-EU NIS Directive]
“less regulation, better regulation” might apply here
A specific regulation rules CIP in every country, except for The Netherlands and the UK. The EU NIS Directive has come to change this.
Russia started its CIP journey in the early 2000s. Today Russia’s CIP policy is part of its national security strategy.
another example for the rest of us
Romania and Turkey (again) are among the most veteran (2010) countries when it comes to formally defining their CIP policy.
would less disparity benefit interdependencies in some way?
Italy and Portugal have opted for strictly following the EU’s CIP Directive of 2008. Their critical sectors are only energy & transportation, a situation that the EU NIS Directive has come to change.
The post-EU NIS Directive picture
COUNTRIES affected [w/in our study]: BE, DE, ES, FR, IT, NL, PT, RO, TR, UK, ZA, CN, SG, US, RU
The post-EU NIS Directive picture, as of May, 9th, 2018
COUNTRIES complied [on due date]: BE, DE, ES, FR, IT, NL, PT, RO, UK
Source: European Commission
The post-EU NIS Directive picture
17 out of 28 COUNTRIES were urged to transpose the NIS Directive [on July, 20th, 2018]
Source: European Commission
The post-EU NIS Directive picture, … as of today
COUNTRIES still pending: BE, DE, ES, FR, IT, NL, PT, RO, UK
Source: European Commission
Are companies taking cybersecurity seriously?
Musing #3
# of countries that already have their own CSS: … out of …
Source: ENISA, European Network & Information Security Agency
25% of countries already have a CSS! Do companies?
Provocation #3
“Although ultimate responsibility for cyber security within a company lies with the CEO, it would be highly unusual for the CEO of a company to have to resign over an attack”.
UK Parliament (@UKParliament), House of Commons, Culture, Media & Sport Committee, “Cyber Security: Protection of Personal Data Online” report
@info_CCI | CCI | Industrial Cybersecurity Center #1SevenDigitalSins
Oil & Gas; Air Transport & Aeronautics; Digital Security; Financial Services; Healthcare; Public Sector; Retail; Leisure & entertainment; Automotive; Policy Making
1999 2004 2010 2011 2011 2012 2012 2013 2014 2015 2015 2015 2015 2016 2016 2016 2016
Digital is not my biz!
Who’s been next?
“… sometimes it's OK to admit to your fallibility”.
“We thought we were taking it [cybersecurity] seriously, outside experts were telling us we were taking it seriously. Patently we weren't taking it anything like seriously enough.
One thing I think I know more keenly than any other British CEO is that every single one of us is underestimating the importance of cybersecurity”.
CG codes analyzed
does it make sense?
Corporate Governance codes are mandatory, while their recommendations are not (“comply-or-explain” principle).
Exception: US (the Sarbanes-Oxley Act of 2002 is not a code, it is a law).
shouldn’t every Audit/Risk Committee act early, too?
Risk oversight is the BoD’s biz (usually through an Audit or Risk Committee).
Turkish listed companies have an Early Detection of Risk Committee.
In the case of Russia, its Corporate Governance Code also refers to an Audit Committee.
this probably explains everything
Only The Netherlands’ and South Africa’s CG codes make an explicit mention of cyber [despite almost all of them having been released after the TARGET case (2013)].
Of course, none of them mentions industrial cybersecurity.
Definitely, it seems that companies are not taking cybersecurity seriously.
Provocation #3 (cont.)
a change of behaviour: the “Cybersecurity Disclosure Act”
Good news
Sen. J. Reed (D), Sen. S. M. Collins (R), Sen. M. R. Warner (D), Sen. J. McCain (R)
Rep. J. Himes (D), Rep. T. Rooney (R), Rep. G. Meeks (D), Rep. D. Heck (D)
More good news