There are three monitors on Raymond Frangie’s desk, each highlighting another front in his fight to support the cause of better cyber security.
But even that is a reduction, he admits: there used to be five screens, but he whittled down the number because even 20-year cyber security veterans have their limits.
Not that you’d know it.
As a senior cyber security consultant with global engineering company Norman Disney & Young, he has a box seat into the planning that goes into major building developments including prisons, hospitals, and “almost every single industry there is.”
And he isn’t sure he’s comfortable with what he sees.
Cyber security, he says, is filled with people who understand the risks of the new, connected way of working – and try their best to minimise those risks.
Engineering is also full of people who manage risk for a living but who are inadvertently leaving themselves exposed to a whole new breed of risk.
That risk comes from the increasing interconnectedness of things – both new devices being brought onto corporate networks, and building automation and other engineering systems whose increasingly automated nature makes them sitting ducks for malicious cyber criminals.
“We’re seeing smart buildings filled with sensors and the convergence of sensors,” Frangie explains, cautioning about the lingering risks of “non-existent” cyber security in an age where ever more sophisticated buildings are being constructed with high-tech features and filled with connected, potentially vulnerable devices.
“Many construction and engineering companies just don’t understand the implications. There is no real consideration for the security of these sensors and networks – and that’s where I come into play.”
Securing the unsecurable
As the firm’s lead cyber security consultant in NSW, Frangie’s plate is full most days – hence the multitude of monitors on which he works.
He has been heartened by a growing focus on improving cyber security compliance – most notably through new legislation such as the Notifiable Data Breaches (NDB) scheme and the EU’s General Data Protection Regulation (GDPR).
But just knowing something has to be done, and making sure it is actually done, are two very different things.
“If you want to be compliant, you have no choice but to follow these new regulations. All of them,” he says.
“But we also need to balance the business aspects and that’s where the complications come into play.”
Complications?
He’s talking about smart device manufacturers, for example, who are happy to build sophisticated control systems, voice-activated announcements, load balancing algorithms and many other sellable features into their products.
When it comes to security, however, the same vendors often balk at the expense.
“We see a lot of sensors going into buildings because they provide the availability and data that the buildings want. But they don’t understand the implications of having all this data.”
“Some vendors will say ‘why would we implement security when it’s too expensive?’ But when you’re constructing a building, you may put a device in it that’s intended to last 25 to 30 years – and if nobody is touching that and checking its security, hackers will see that as low-hanging fruit.”
Going off the rails
Builders might be able to get away with leaving temperature sensors exposed, but in other infrastructure-intensive industries, Frangie is seeing a worrying level of disregard for cyber security – and it could have significant consequences.
Even where there is recognition of the risks, the lack of industry-wide collaboration is leaving soft spots in industries that can’t afford them.
Rail networks, for example, have been rushing to develop cyber security standards – but each state has its own, and the level of collaboration between states is alarmingly absent.
“Everyone is rushing to meet standards and frameworks like ISO 27001, the NIST Cyber Security Framework, or even Australia’s very own Information Security Manual, but collaboration is non-existent,” Frangie explains.
“Unfortunately, it’s like other industries where they rush to do things and don’t actually understand the implications.
“Many of these standards come from business people, but don’t address technical controls.
“And different controls work with different industries.”
Education is critically important if these efforts are ever to bear fruit for the long term, Frangie says – and he has seen first-hand just how bad the situation is.
In a previous role doing security audits with an information-security consultancy, he says, “some of these companies just don’t actually understand what a cyber security attack is. They don’t have the education and awareness to understand that something could cause an attack later.”
These companies are generally focused on delivery – which invariably means storing mountains of confidential data in Microsoft Excel spreadsheets that are left without password protection, unencrypted, and freely distributed via email and USB stick.
Laptops loaded with confidential information go missing all the time, but most businesses don’t have a backup plan.
Even small amounts of information, if collected and cross-matched with other information, can become deadly for a company that finds itself defending an egregious breach of customer or partner data.
Building a solid foundation
In industries as critical as construction and engineering, that threat is a constant presence for specialists like Frangie, who sees the industry overwhelmed by insecurity that it doesn’t have the wherewithal – or the resources – to address meaningfully.
“I know of a hospital five minutes from here that has a chiller controller exposed to the Internet,” he says.
“If you look at the hacker search engines, you can see numerous building protocols just exposed online.
“And what will happen when a hacker takes that out?”
Fixing the problem requires a three-pronged focus – confidentiality, integrity, and availability – which is a lot more than most industries are giving at the moment, he warns.
“Cyber security and information security need to be in every single part of the R&D project, and every single phase of the execution,” he says. “You need to review it before you hit every milestone, and confirm that you have good, dedicated cyber security staff dedicated to this.”
Few of those staff would have been in the game as long as Frangie, who has a list of industry certifications as long as your arm, including formal qualifications such as a Master of Information Systems Security, and who was the first person in NSW to be awarded the Australian Computer Society’s Cyber Security Certified Professional qualification.
He will also begin teaching Computer Security to undergraduates at Western Sydney University next semester and is looking forward to doing his part to help an industry that is crying out for qualified cyber security professionals.
Those professionals will face intimidating odds as the continuing explosion of the Internet of Things (IoT) – whether inside buildings or outside of them – creates new potential points of compromise in their millions.
“We are moving towards a smart future,” he says, noting industry predictions that the world will have a trillion Internet-connected sensors within the next few decades.
“It’s inevitable. And we can’t stop the smartness of the world happening – so we need to make sure we have enough cyber security professionals out there.”
He’s certainly in it for the long run.
“I enjoy cyber security because I get to spread my wings,” he says.
“There are so many engineering aspects that I don’t think I’ll be getting bored any time soon.”
Raymond Frangie is an ACS Certified Professional (Cyber Security).
In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.