Image: © Askhat/Stock.adobe.com
Trinity College Dublin’s Dr Stephen Farrell discusses the benefit of moving away from homogenous systems when it comes to security.
While CIOs, security analysts and infosec experts have been talking about the need to bolster security teams, close the skills gap and increase security spending for years, nothing has quite brought cybersecurity to the forefront more than the growing list of high-profile attacks.
The last year alone has seen countless attacks, breaches and text scams, all of which have heightened public awareness and put the importance of securing data, technology systems and public infrastructure into the spotlight.
The ransomware attack on the Irish Health Service Executive (HSE) in particular brought the subject to the top of many agendas in Ireland.
And while advice around increased resilience and being prepared for such attacks is an important part of the discussion, Dr Stephen Farrell, a computer science research fellow at Trinity College Dublin, said that’s easier said than done for a large public service organisation such as the HSE.
“They probably have funding limitations and also … they have a lot of 24/7 systems that can’t easily be turned off and on as part of a test,” he said. “I have a lot of sympathy for those who built, ran and now have to re-construct the HSE’s systems.”
However, Farrell did raise an interesting question on cybersecurity for all businesses and organisations to consider, which is whether or not homogenous technology systems are the most effective route to take.
The danger of homogenous systems
According to a blogpost from Robert M Lee, CEO and founder of industrial cybersecurity company Dragos, there has been an increasing trend of homogenous infrastructure in recent years as industrial control and automation vendors acquire one another and settle common technologies and operating platforms.
“This isn’t a vendor issue. The pressure comes from customers, and a vicious circle forms,” he wrote.
Homogenous systems come with many benefits such as easier integration, more efficiency and possibly lower costs. However, there is an increased risk in terms of security, especially now that virtually every system connected to the internet is constantly under attack – a fact that Farrell said is not likely to change any time soon.
“Vendors, open-source developers and system operators all do their best to counter and deflect attacks. However, at some point, it’s pretty much inevitable that some attack will succeed in affecting any system,” he said.
“At that point, if one has a very homogeneous system (eg almost all from one vendor or service provider or very highly centralised) then the impact of the attack can be much worse than if a mix of different technologies and different administrative boundaries had been in place.”
‘Adding “cyber” in front of anything adds nothing to understanding’
– DR STEPHEN FARRELL
One example of homogenous systems is email. Google and Microsoft are the two major players in the email market right now. “Whenever either of those have a bad day (and they will) the consequences are going to be much worse, compared to the email ecosystem we had, say, 20 years ago where there was much, much less centralisation,” said Farrell.
He added that having technological diversity is good for complex systems, but also acknowledged the “tussle” that sometimes occurs between such diversity and the usual goals of efficiency, cost reduction and centralised control.
Speaking more broadly about the cybersecurity industry, Farrell said the industry skills shortage has been around for decades and is likely to continue.
“We need security, privacy and risk management to be considered a core part of everyone’s job in IT,” he said. “While there will still be a need for specialists, the idea that only some people need to care about security, privacy and risk is bogus.”
He also said he dislikes the term cybersecurity. “Usually adding ‘cyber’ in front of anything adds nothing to understanding, so we’re better off to think about security, privacy and risk management and not use ill-defined terms like cyber.”
