Cyber Security Nordic 2024 Takeaways
Petteri Nakamura
Security Consultant | OT Cybersecurity | Cybersecurity Awareness | Cybersecurity Strategy | International Relations
Last week I joined the first day of the Cyber Security Nordic 2024 conference, held in Helsinki. It was an interesting day meeting lots of familiar faces and some new ones. For me, though, the most important part of these conferences has always been the talks: hearing how other people see the challenges we are facing, learning from their experience, and finding out what solutions they propose. This is a summary of my takeaways from the talks that I attended.
The Intersection of Exponential Global Change and Cybersecurity Threats
Professor Hiski Haukkala, the new leader of the Finnish Institute of International Affairs, kicked off the conference and introduced the context with his keynote on "Global Future at a Crossroads". He argued that our world is going through exponential changes due to climate change and transformative technologies, which the international Westphalian system, the rudimentary operating system of global governance formed in the 18th and 19th centuries, is ill-equipped to handle. Our “human hardware” is also not able to cope with the era of exponential change we live in. Global competition and increasing tensions lead to international politics being mired in zero-sum games, but this global governance operating system and human hardware are the tools we must use to solve the issues we face now, as our choices will determine our future at this critical juncture in human history.
Marcus Murray from Truesec provided a front-line perspective on the current cyber threats affecting organizations in the Nordics, underscoring the scale and intensity of cyber threats today, which also increasingly target cloud environments. For example, he detailed sophisticated attack methods such as stealing SharePoint sessions by setting up proxies to intercept Multi-Factor Authentication (MFA) logins and then proceeding to provision virtual machines in the target environment. These machines automatically inherit policies, certificates, and VPN configurations, allowing access to the corporate network. This highlights the persistent risk of phishing attacks and living-off-the-land techniques. Mr. Murray also described how attackers use social engineering by first sending a flood of spam email to an employee and then reaching out to them over a platform like Teams, impersonating Helpdesk staff to help the user solve the issue and, in the process, tricking them into allowing the attacker access to their corporate computers.
Regarding nation-state backed threats, Mr. Murray, based on their experiences, highlighted Russian state-backed operations with new modes of data stealing, espionage, and stealing compute resources, leading to hefty cloud billing for organizations, and Chinese espionage activities particularly targeting the telecommunications sector. He also cited the PRC National Intelligence Law, Article 7, “All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law”, and Article 10, "As necessary for their work, national intelligence work institutions are to use the necessary means, tactics, and channels to carry out intelligence efforts, domestically and abroad", as well as a case of a Chinese state-owned enterprise employee prosecuted in the US for conducting spear-phishing campaigns against US government, military, research, and education institutions.
Operational Technology (OT) and critical infrastructure were prominently present in the presentations. I was unfortunately unable to attend the presentation by Nixu CEO Teemu Salmi on his insights on the state of cyber security in critical infrastructure industries, as he was on the stage on the second day. But I had a chance to see Anne Hautakangas from Insta delve into the vulnerabilities of OT systems. She pointed out OT's role as the backbone of essential services like electricity, water, and healthcare, with countless unpatchable vulnerabilities and long lifespans making these systems prime targets for cyberattacks. Aapo Cederberg from Cyberwatch Finland reinforced the theme by defining a hierarchy of critical infrastructure for a society in three concentric circles: the core of critical infrastructure, consisting of the electricity grid, communication systems, and satellite systems; the second layer, including defense, finance, management systems, and security; and the outer ring, including healthcare, logistics, food supply, and again communication systems. He also shared lessons learned from Russia's war on Ukraine regarding critical infrastructure. Cyber operations have become integral to modern warfare, but they mainly target areas where hot war is not in progress and are therefore best understood as hybrid operations, conducted under the threshold of war.
Mr. Cederberg described two types of Russian cyber criminals targeting the Nordics:
1. Russian hacktivists and financially motivated criminals without proven direct connections to the Russian government, but which often appear to operate based on some kind of encouragement from the state, often targeting entities that the Russian government has expressed dissatisfaction with.
2. Highly advanced APT groups operating directly under the Russian intelligence services and in line with state goals, attempting to maximize deniability and remain hidden. These APT groups focus on information acquisition and espionage but in Ukraine have also undertaken destructive and disruptive attacks. Dozens of such groups exist in Russia, making it difficult to distinguish them from each other. Attribution is based on identified operating procedures and information gathered from previous operations.
Mr. Cederberg also described Russian cyber operations against Finland. Cyber criminals sometimes post about their operations on their own Telegram channels. At the beginning of 2024, the hacker group NoName 057(16) wrote on its Telegram channel that seven groups had united to attack Finland. These groups share target lists, and denial-of-service attacks ensue. A major wave of cyberattacks against Finland took place at the beginning of the Russian invasion of Ukraine in 2022 and a second one during Finland's NATO membership application process in 2023, when hacktivists particularly attacked finance, logistics, transport, and state administration targets. Common targets are telecommunication networks, city, municipality, and welfare area administration, state administration, the education sector, the banking and financial sector, critical energy infrastructure, companies, and other organizations.
The Need for Strategic, Unified Approaches to Cybersecurity and Compliance
Building upon the discussion of global threats, several speakers emphasized the importance of strategic, unified approaches to cybersecurity and compliance. New regulations like NIS2 (Network and Information Security Directive 2), DORA (Digital Operational Resilience Act), CRA (Cyber Resilience Act), and the AI Act featured in several presentations. The “regulatory storm”, which is not limited to EU regulation, is driving the urgency for organizations to adopt strategic and unified cybersecurity measures. Christoffer Callender from Broadcom highlighted that cyber risk is not IT risk but business risk, requiring strategic thinking, yet organizations often struggle with piecemeal solutions, complex compliance requirements, lack of resources, and high pressure on operational teams. The view was echoed by Stijn Rommens from Vectra AI, who walked the audience through a modern cyberattack and showed how siloed attack surfaces and fragmented defense are a major hindrance to effective response, which attackers exploit to hide as the “needle in a huge pile of needles”. Ismo Paananen from Cyber Day also noted that best practices were changing from optional to mandatory, while management teams lacked clarity on what actions to take. Pelle Aardewerk from HP stressed the importance of supply chain security and compliance with EU regulations, arguing that the objective of the regulations is not just compliance but protecting people within the EU. He advocated for secure-by-design and zero-trust architectures, urging organizations to ask their suppliers about their security practices.
The Human Element in Cybersecurity and Transforming Organizational Culture
The conference had a huge selection of vendors presenting different services and security solutions, but speakers also emphasized that technology alone cannot address the cybersecurity challenges. The new regulation drives cybersecurity risks to the C-suite table, and we have the familiar frameworks to address the risks and improve organizational maturity. ISO 27001 was highlighted by Mr. Paananen as having the greatest overlap, 80%, with the NIS2 directive, while the NIST Cybersecurity Framework also overlaps with the directive by 75%. However, the business risks require more investment than just compliance with regulations. Peter Strate from FS Group highlighted the need for continuous vigilance, timely updates, and continuous education and training to build a security-first culture. This was also the main thesis of Ilmari Luoma from CGI, who discussed the importance of changing organizational culture to enhance security. He suggested that instead of just leaving it to the security and IT teams, security should be marketed internally, similarly to a product, focusing on changing specific behaviors and leveraging early adopters to reach a critical mass for a cultural shift. According to Mr. Luoma, regulatory compliance is just the baseline: if compliance requires 1,1 FTE (Full-Time Equivalent), distributing the information regarding the cybersecurity policies and instructions requires 0,1 FTE more, changing the everyday behavior of people requires a further 0,2 FTE, and actually changing the way people react and behave when facing security challenges requires 0,6 FTE more, meaning that meaningful change in culture requires double the effort of just meeting compliance targets.
Conclusion
In an era of exponential change and increasing cyber threats, what we in the cybersecurity field can do is focus on improving the cyber resilience of our organizations and surrounding society. Organizations, and especially the ones involved in critical infrastructure, need a strategic approach to cybersecurity, driven by top management. This requires understanding the evolving threat landscape and how it applies to your organization, crafting a cybersecurity strategy that enables the organization’s overall business strategy, understanding the risks facing your organization, not just now but continuously, in order to proactively prepare for future ones as well, and transforming organizational culture to prioritize cybersecurity as a business enabler.
#CyberSecurity #CyberThreats #CriticalInfrastructure #OperationalTechnology #CyberRisk #CyberWarfare #CyberRegulations #NIS2 #CyberStrategy