CS4CA Europe Summit 2023: Addressing cybersecurity challenges in Europe’s critical infrastructure sector


The Cyber Security for Critical Assets (CS4CA) Europe Summit, held in London in September, brought together over 150 IT and operational technology (OT) security leaders from Europe’s critical infrastructure sector. The CS4CA Europe 2023 event aimed to facilitate knowledge exchange, strategic planning, and valuable insights through panel discussions, roundtables, and networking breaks. The summit spanned two days, providing ample opportunities for in-depth discussions and building connections.

Organized by QG Media, the CS4CA Europe Summit provides a platform for cyber security experts to address the challenges faced by the region’s critical infrastructure community and find effective solutions. With increasing geopolitical tensions in Europe, the risks to critical infrastructure are growing. State-sponsored threat actors are becoming more sophisticated and determined to disrupt OT networks and cause physical harm to critical infrastructure, economies, and societies. This compounds the existing threats posed by cybercriminal groups responsible for the proliferation of ransomware.

In this hostile threat environment, it becomes crucial for industrial stakeholders to leverage available skills, processes, and resources to ensure the continuity of societies and the safety of populations amid rising adversarial threats and attacks.

Industrial Cyber had an opportunity to catch up with a couple of speakers from the CS4CA Europe 2023 conference. They began by providing a sense of the atmosphere at the recent CS4CA Europe 2023 event in London.

At the CS4CA event in London, there was a very professional atmosphere with a great amount of curiosity, experience sharing, and caring for each other’s digital well-being as organizations, Thomas Mørtsell, CISO at Aneo, told Industrial Cyber. “The participants and sponsors seem to have the same understanding of the challenges we face in a world affected by war in Europe, challenging economic times as well as an emerging convergence of IT and OT.”

Tony Proctor, a security and information risk adviser at West Midlands Authority, described the event as convivial and collaborative. 

Taffy Chikandwa, an OT cybersecurity expert, found the atmosphere vibrant and thought-provoking. 

Asked how crucial specialized events like CS4CA are for the industry, Mørtsell identified it as a “meeting place for key stakeholders representing digital security amongst organizations in critical sectors that are important on many levels; especially related to sharing threat understanding, successful protection barriers, smart and effective ways to mitigate risk, test out ideas, and hypotheses related to risk management. It is also very crucial to meet vendors and potential partners to learn about their products and services relevant for actual risk management and mitigation.”

Proctor told Industrial Cyber that he thinks “they are essential for the security community. The trick is to identify from a plethora of events, what is relevant for you?”

“Events like CS4CA are vital for networking and introducing new OT vendors to asset owners and overall providing an opportunity for people to learn about new products,” Chikandwa told Industrial Cyber. “They propagate thought leadership for me as I get inspired and when I get back to my organization, I am an advocate for new processes or doing things differently.”

The executives shed light on the major moments and conversations both on and off the stage at the event. 

“The panel debates caused a lot of great questions and perspectives that made it clear that we are facing the same types of challenges and concerns. One of the major moments for me was the effect the panel debate related to NIS2 seemed to have on the audience,” Mørtsell said. “We got a lot of great questions and discussions after the panel, so it certainly was a topic that engaged and challenged organizations on many levels.” 

Mørtsell added that “one of the most surprising discoveries was that the need for competence development both in width and depth for each of us is increasing in a speed and complexity that most organizations are not well rigged to manage efficiently.”

Proctor pointed to “meeting and talking with people you didn’t know before. Hearing from a few presenters who took a different approach.”

Chikandwa highlighted that one of the asset owners based in Europe was looking for a password vaulting solution for legacy devices. “I shared with them my experience and the solutions that I had come across with regards to password security for assets in level and below.”

She also added that she had a fantastic chat with someone working on a project in the Middle East which is about smart cities and what OT security for these needs to look like in the future. “Meeting someone who works on this kind of project given the billions of dollars being invested and how the world is watching was a once-in-a-lifetime opportunity.”

The executives looked into the main cybersecurity issues in critical infrastructure sectors that industry experts highlighted at the gathering.

“The third-party risks combined with the emerging convergence between IT and OT is a major issue,” Mørtsell said. “This seems to be caused both by threat actors combining forces as well as a traditional separation between IT and OT resources. The actual blind spots of risks and threats seem to expand in a severe manner worldwide.”

As Proctor is an IT rather than OT security person, he said “It was interesting for me to learn from and understand the differences. I enjoyed a roundtable that I was part of on testing which highlighted OT/IT differences.”

“Some considerations that folk need to take into account about the NIS2 Directive and how it impacts the Cyber Assessment Framework,” Chikandwa said. “Considerations about using data diodes to secure OT with use cases such as transferring of data from the lower levels of the Purdue (level 3 and below) to the cloud for data insights. Web 3.0 will have an interesting impact on cyber security,” she added.

The executives also offered insights and lessons that the manufacturing sector can derive from this event.

“One of the most important lessons is that most organizations today need smaller sprints for risk mitigation. With that, I mean that the traditional project implementations are way outdated and that smaller deliverables with a low investment and rapid deployment are required to keep up with both threat landscape and available attention span,” according to Mørtsell. “It is also extremely important that the service providers and manufacturers understand that investments are much harder to defend, and that procurement time is way longer in several countries due to European central regulations – resulting in that expensive solutions and costly implementations are not able to compete with lightweight and agile sprint-based modules. I would say it is close to the end of an era for large sales and big projects within digital security.”

Declining to comment on manufacturing specifically, Proctor said that “for the OT community, they looked engaged and interested in the latest information and for many, they had attended previously.”

“Think Global and Act Local. Have an asset inventory that is contextual,” Chikandwa said. “Maturity shouldn’t be based on the deployment of technology but on the maturity in risk management and implementation of controls. Understand how threat actors think, anticipate threats based on the context of your environment.”

“At the end of the day, whether you’re in a utility or any business involving operational technology (OT), there’s a fundamental understanding that should be embraced. I often refer to it as my motto: Operational technology is at the heart of the business,” according to Chikandwa. “It’s irrelevant what your role is – if you’re in operations, your primary objective is clear: to maintain seamless operations. This understanding is increasingly recognized, leading to greater cooperation and collaboration across various sectors. People are definitely becoming more aware of the critical role OT plays and are working together more effectively to support it.”

Lastly, the executives focused on the lessons that the manufacturing sector can draw from the CS4CA Europe 2023 event. They also addressed the issues the industry needs to tackle before CS4CA Europe 2024.

“The supplier and partner landscape should pay much more attention to regulations and market expectations than they have been doing until now,” Mørtsell detailed. “I think they will greatly benefit from linking their solutions to regulations and small-footprint deliverables. It will also be beneficial for those that move away from lock-in with their own ecosystem but rather integrate with others – one example would be security monitoring and logging into a cloud provider’s native SIEM operated by the customer, rather than the vendor’s proprietary and locked-in solution.”

He added that value is built on integration and ease of operation across teams and standard components.

Proctor said that “for me, from (and presenting on security in local Government) I came to see what I could learn from the OT community. I was asked by one attendee, ‘So why are you at an OT conference?’ But I did learn (and I understand that my presentation was also well-received).”

“Giving endpoint security a focus vs passive detection could allow you to demonstrate a bigger risk reduction,” according to Chikandwa. “Vulnerability management should never be a separate conversation from security monitoring.”
