1. What is the state of ICT security in Europe at the moment, also considering the threat to critical infrastructure resulting from the war in Ukraine?

In general, ICT security, in my opinion, is at a turning point.

It is time to look at the future by joining forces. Fighting in isolation is not effective and the events of recent months confirm this unequivocally. We need cooperation, empowerment, awareness. We must build a chain of people, companies, infrastructures oriented to the defense of critical infrastructures, and not only.

A law is not enough to change things, we need to work first of all on people and culture, only then will policies and measures make real sense and be used correctly. We are full of policies, procedures, tools etc. yet breaking into a company’s systems is still too easy. We are too focused on the physicality of security and do not look at the weaknesses of human beings, social engineering is always little known and studied.

Putting bans or having a sanctioning system has never stopped those who commit crimes. The system of laws should probably also be reviewed in the light of today’s facts. The Implementation of the 2000 Budapest Treaty on Cybercrime would need to be revisited, as some of the offences mentioned have far worse dimensions and effects than assumed over 20 years ago.

The war in Ukraine (and before Covid-19) have only highlighted with greater force what we already knew or supposed. What has happened and is happening is not new, but today we read it in the press and on social media. What is certain is that the attacks are becoming more and more aggressive. Ransomware attacks have gone from threatening to steal data to threatening to release them to the public, which is a significant escalation in less than 2 years. Political and economic interests, linked to war scenarios, are gradually merging, outlining a vast field that is difficult to control or predict. In fact, it is almost impossible to discern attacks linked to the war from those who are just exploiting the general chaos created by the conflict.

Here, too, the only solution is to join forces to stem (impossible to prevent) the thousands of daily attacks from the various fronts. In Italy, the National Agency for Cybersecurity seems to be in the best position to operate in this scenario, and the same applies to other similar bodies around the world.

  1. What international standards and guidelines can help companies become resilient to the threat to ICT systems?

Surely international standards (ISO) can support the adoption of common organizational models for computer security (ISO/IEC 15408), for information security (ISO/IEC 27001), for cyber security (IEC 62443 and ISO/IEC 27110), for business continuity (ISO 22301), for the management of IT services (ISO/IEC 20000-1) , for supplier and supply chain management (ISO/IEC 27036 and ISO 28000), for supply chain continuity management (ISO/TS 22318), risk management (ISO/IEC 27005 and ISO 31000), and incident management (ISO/IEC 27035 and ISO 22320), among others.

All these topics are now essential to deal with the current scenario. Boundaries in these areas are very thin and changing, especially in critical infrastructure. Since 2007, ISO standards have begun to outline management systems, based on risk management, which prepare for incident management, activating business continuity and disaster recovery where necessary. To date it seems sadly obvious but in 2007 it seemed almost unthinkable.

Furthermore, I would not leave out ENISA (The European Union Agency for Cybersecurity)’s contribution and role to resilience and related issues.

I often hear about other types of home-made standards, but some forget that “proprietary schemes” with limited territorial application are not international standards and they may not be applicable to different organizations.

To become resilient, it is necessary to adopt consolidated organizational models, based on shared and recognized best practices, with common languages. Otherwise, we risk a meaningless babel. And while we are there arguing about who is right, the attackers advance inexorably gaining ground and disintegrating companies and defense systems.

It is not the certification that makes the difference, but the adoption of standards. Maybe it’s a subtle difference for many, but I assure you that it makes an impact.

  1. Why is the role of auditor in ICT security important and what are its fundamental characteristics?

The role of auditors (internal and external) is of paramount importance. The main characteristic of an auditor is independence.

An auditor is like a photographer who takes a snapshot (audit) and analyzes its contents according to a matrix (criteria) to understand whether it is consistent (results) with how the company presents itself.

It is therefore essential that the photographer is not part of the picture to avoid the compromise of his objectivity.

Of course, there are ISO standards for audit management, as well as courses for the qualification of auditors against each standard. Anyone can attend these courses, the list of courses and authorized organizations is available on the web. These organizations are in turn certified for such activities by specialized certification bodies. These bodies are also available on the web through the Accredia website. In this way it is possible to choose between the recognized courses avoiding attending courses of dubious validity.

For professional auditors there are also registers (national and international), which are accessed by means of examinations and demonstrations of actual experience, which allow anyone to verify their skills and possibly start the practices for the engagement of these professionals. The logs can also be found on the web.

I would therefore say that independence and competence are the main characteristics, to which I would add a set of soft skills such as effective communication, management of critical or complex situations, the ability to work in a group, etc.

Another element, currently inevitable if coming from a non-English speaking country, is a strong knowledge of the English language.

Also, good familiarity with the ICT issues audited (e.g.: networking, software life cycle, physical security, logical security, encryption, cloud, etc.) is necessary. It is not uncommon to find yourself in front of extremely prepared companies. An auditor in these cases must be able to juggle between ISO standards, contracts, technical and technological aspects, and aspects related to human resources.

We have a delicate role, the client trusts us to verify a contract, a project, a standard. It is not trivial, you need preparation, technique, experience.

It is not a question of paperwork, but of knowing how to do a job, a work of relationship and comparison, with indispensable skills of various kinds and clear personal characteristics. Thus, it is no coincidence that there are specific standards, courses, registers.

For information security auditors, there is even an IAF document that describes the necessary standards and the minimum skills.

In my experience as a teacher, from 2002 to today, I can say that 2% of the participants in the courses for auditors will come to enroll in a register while 98% will use the course to do consulting or audits of various kinds. Enrolling in a register is not an obligation but gives an idea of the complexity of the topic.

  1. What is the relationship between business continuity and disaster recovery?

This is the most complex question. I would start from the basics to articulate a practical answer, simplifying as much as possible.

Let’s start with a clear point: business continuity refers to the continuity of an organization’s services/products, or rather the ability to continue to deliver/produce in the event of interruptions, according to pre-established parameters.

Business continuity does not refer specifically to ICT, it was created to be applied to any company, of any sector and size.

Disaster recovery refers exclusively to the ICT field, and must not be confused with other issues such as backup, restore, business continuity, etc.

Of course, all these can be coordinated in a system but they do not necessarily arise for the same purposes and above all they are not managed in the same way nor do they have the same reference standards.

There is a great deal of confusion in the market, precisely because there are no harmonized and shared standards, at least for disaster recovery. Often business continuity is confused with disaster recovery, creating not only confusion but above all damage, sometimes huge or irreversible.

Let me give an example to simplify. Suppose we suffer a cyber-attack on a factory’s production systems. Once we have identified the incident and understood that this impacts on production, we activate the response to the specific scenario to mitigate the damage, continue to produce and prepare the necessary actions for the return to ordinary conditions.

Obviously, every interruption has a “point of no return” (that is, that point beyond which the damages have reached such an extent as to make any action unjustifiable, difficult to imagine before Covid 19, today no longer), and a recovery point expected to comply with various criteria (laws, contracts, industry standards, internal needs, etc.).

Business continuity moves precisely in these spaces, guaranteeing minimum production pending the restoration of the initial conditions prior to the interruption.

Disaster recovery could be one of the actions put in place for the restoration of information systems, always assuming that these are critical for production purposes (they are not critical for all productions, some can survive even when information systems are turned off for a long time).

I would therefore say that business continuity can provide for disaster recovery, under certain conditions.

A company can have one, the other, or both. Much depends on the type of products/services and the criteria we have talked about.

It all depends on the company, what it does and the constraints to which it is subjected.

  1. Do you have any final comments for our audience?

A final emerging point: all these issues are gradually merging with broader and more complex topics, such as human resources, climate, gender equality, the economy, etc.

It seems very limiting to look at all these issues in a verticalized way, but instead we need to think more broadly, involving all the company’s skills to ensure the widest and most efficient coverage possible.

Here is an example that I think might help. Imagine a server room or a data center. It is natural to think of physical access, but we cannot forget energy consumption, safety in the workplace, environmental impact, business continuity, management of suppliers and supply chains, disaster recovery, staff training, and emergency tests. Interference and interdependence are inevitable.

A holistic or integrated approach is needed. Working in watertight compartments leaves exploitable gaps. Thinking vertically leaves too many spaces uncovered.

I recently heard a colleague of mine with great experience in the field who gave a very interesting example. Defending a company means doing rather boring work of analysis of logs and of the various monitoring and control systems, which requires extensive and consolidated knowledge / experience. On the contrary, organizations mainly hire individuals that are more dedicated to countering cyber-attacks in the moment, when the “alarm” goes off. While these are needed skills, they are not the only ones. It’s like saying that to play the final of the World Cup we play everyone in goal or in attack. There needs to be better balance.

As stated in the first question, we need to build a team, otherwise we won’t go very far, and once we have a team, we’ll need to make a plan.

Author: Gianluca Riglietti

If you liked this interview, you might also want to read this one.