08 February 2018

Protecting Critical Energy Infrastructure: Synack at Vienna Cyber Security Week


Vienna, dubbed one of Europe’s smartest cities, is a city with innovation at its core. With some of the world’s best public transportation, clean energy and smart buildings (just to name a few) – Vienna certainly has a strong infrastructure digitization strategy.

As cities continue to digitize, protecting critical infrastructure from cyber attack will continue to gain importance in the minds of government agencies, manufacturers, and even everyday citizens who utilize the benefits of public services. Synack was invited to join in on the conversations happening at Vienna Cyber Security Week 2018 and we talked about effectively securing critical infrastructure now and in the future.

The benefit of connectivity and smart technology in our infrastructure comes with the trade-off of making a system more difficult to secure. The process control systems that monitor and control infrastructure equipment often have a lifespan that lasts decades. Since “reliability” is chosen over frequent updates, it leaves systems open to vulnerabilities for months (maybe even years) at a time. Attackers always target the weakest systems first, and they are becoming increasingly aware that critical infrastructure is a poorly-secured target. This is a problem when even limited amounts of effort can produce a high reward. When an attacker hacks a process control network, they can steal proprietary data and trade secrets, cause millions of dollars of downtime, or with careful planning, cause irreparable damage to the process control system itself.

Synack was a keynote presenter at Vienna Cyber Security Week, an international multi-stakeholder conference, which hosted over 300 delegates from the energy, government and critical infrastructure sectors across the DACH region. The discussions and the debates on finding a solution to secure the energy economy and “smart city” technology will continue on past the conference, but we think the solution is two-fold: we need both technology controls and policy changes to make our critical infrastructure systems more secure. Companies should utilize technology controls such as one-way data transfer appliances and other “safety systems” that ensure limits to what can be controlled or connected on the network. We also need to define and implement policy that requires a more secure architecture across all critical infrastructure industries and drive budget towards solving the problem.

Synack’s own Ron Peeters, the Managing Director of EMEA, offered a new approach to securing critical infrastructure: outsmarting hackers with hackers. By utilizing a highly-vetted crowd of security researchers that can mimic the activity of criminal hackers, enterprises and governments can become increasingly resistant to cyber attackers over time.

The three main takeaways from Ron’s session:

  • Traditional security solutions, such as automated scanning and compliance-based penetration testing, aren’t working.
  • Cyber attackers have increasingly sophisticated tools and skill sets; they are persistent and always evolving.
  • The common approach to securing critical infrastructure has not kept pace with the threat – this will have to change. We need a pragmatic approach that integrates security across the organization with a dynamic defense system and security teams that scale.

If you’re interested in learning more about securing critical infrastructure and how Synack works, get in touch here.