
Cyber security for critical infrastructure: Interview with Ryan Davidson, DNV

In the following interview Ryan Davidson from DNV talks about the company's efforts in the field of cyber security.


REH: What is the main purpose of your newly opened cyber security center in Berlin?

Ryan Davidson: "The Cyber Arena in Berlin was opened with the primary goal of providing impactful hands-on cyber security training to make a noticeable and positive impact on the security of national critical infrastructure. We wanted to do something different, to go a step further than traditional classroom-based cyber security training. We therefore partnered with CyberGymIEC to provide training that goes beyond seminars and lectures and gives participants the chance to learn by doing. They first learn the theory and then immediately apply this during exercises such as finding and eliminating malware on a workstation, responding to and evaluating security alerts, and even detecting and responding to a live cyber attack from our remote hackers on our model infrastructure in Berlin."

REH: Everybody knows that cyber attacks are getting more and more crucial for companies and especially for critical infrastructure. What are the main measures being taken and enforced right now?

Ryan Davidson: "Correct, no one would be surprised to hear that cyber security is a growing concern, both from a system resiliency and from a regulatory compliance perspective. The big buzzword on everyone’s mind in Europe currently is NIS2, the new regulation that greatly expands the requirements for cyber security. There is a lot of effort going into compliance both at a national and organizational level. But the specifics of what that means are complicated; it is not simply a check-the-box, audit-type exercise. There are a lot of factors that influence the focus for any particular organization, including their current cyber security posture, industry, available resources, size, risk profile, etc. However, there are some common topics that apply to most organizations, such as improving supply chain security, improving visibility into their OT environments, that being the control and protection systems for the physical industrial processes, and creating a more cyber-aware and technically competent workforce."

REH: What is your personal background? How long have you been working in this field and why?

Ryan Davidson: "I have been in the power industry for 20 years now and focused on cyber security for the last 5.  I come from an OT background, having started as a power systems engineer for control and protection systems. My work has always focused on resiliency and safety for critical systems.  Working with governmental emergency response agencies, it became clear to me just how critical power, gas, water and other infrastructure truly is. As I worked more and more with IT/OT infrastructure and cyber security, it became clear, there is generally a disconnect between IT, engineering, operations, and security teams.  The communication between teams is difficult as they all have different priorities, different goals, and in many organizations, have very limited interaction with each other. With this perspective, and having worked closely with each, I find now I can have the most impact by bringing the various teams together through training. We can teach security teams about the consequences of a security incident, and engineering and operations teams to better understand cyber threats, vulnerabilities, and the potential impact of a cyber security event."

In the interview

Cyber Security Expert Ryan Davidson, DNV

REH: What is your personal advice for companies in critical infrastructure?

Ryan Davidson: "Security managers are put into a difficult position these days, as they simultaneously face increasing regulation, greater system complexity, rising likelihood of attack, and a short supply of qualified cyber security professionals. At the same time, executives must balance managing many different types of risk, including cyber, with the financial stability of the organization. Through DNV's annual Cyber Priority Report, we see there is still a gap in perceived cyber security posture between security teams and their executive leadership. This makes it difficult for security teams to get the resources they need, and in many cases, the limited resources that are available are not applied in the most effective manner. What I have seen to be very effective is training and awareness for security teams and managers to better communicate risk to executives and make smarter risk-based security decisions. Penetration testing has also proven to be very valuable in being able to clearly show vulnerabilities in company infrastructure and potential impacts of an attack. The risk becomes more real when a penetration tester shows how easily you can compromise a single user’s credentials to get access to the corporate network. Or how physical access to a single wind turbine would allow a simple attack to take down an entire wind farm. Sometimes, an anecdotal storyline is needed to provide some context to security performance metrics like percentage of fully patched devices or vulnerability metrics."

Thanks a lot for the interview!

About Astrid Dose

Talking, writing and organizing, and having a lot of fun doing it! That is what my days at the EEHH cluster look like. Since 2011 I have been responsible for public relations and marketing for the Hamburg industry network. By training I am a historian and English scholar, with a great fondness for technical topics.