Could TIBER benefit other sectors?
21st of August 2019
Opinion, by Philippe Roy, TIBER expert & Information Security Consultant @ FortConsult
TIBER-EU has been established with the aim of strengthening cyber security in the financial sector - and has so far been reserved for the financial sector alone. However, the TIBER framework can and should be an inspiration to other sectors, and to those that work with critical infrastructure in particular, as a means of creating measurable improvements in their cyber security.
The basis for mandating financial institutions to carry out a TIBER test is to ensure that an entire nation does not come to a standstill if one of its largest banks suffers a severe cyber attack.
As this is the logic behind the initiative, then why shouldn’t other critical sectors be inspired by this?
In Denmark, for instance, the previous government identified health, telecommunications, maritime, transport and the energy sectors as critical infrastructure together with the financial sector. Large organisations in these sectors have a significant impact on the country’s stability.
It makes sense for these sectors, as well as other sectors, to draw inspiration from TIBER-EU, and create a similar framework of their own, tailored to their specific situation.
New opportunities for the interdependent sectors
There are already examples in the UK, where a similar framework from the financial sector has been adopted by other sectors. TIBER-EU is a framework based on TIBER-NL, which is based on CBEST from England. CBEST has spread in ever-widening circles to other sectors. I expect something similar to happen with TIBER-EU and TIBER-DK.
The strength of TIBER is that it does not focus on theoretical attack scenarios, rather emphasising real attacks that are aimed at the sector, at home or abroad. Attacks that have either had direct consequences for the sector in question, or have been inches from it.
Utilising TIBER as an inspiration to create a similar standard tailored to each sector would go a long way towards strengthening the resilience to attacks aimed at the sector in question.
This would also provide the opportunity to compare results within the sector once the tests have been standardised. And if multiple sectors use the same methodology, it would be possible to compare results across sectors. This is an even better scenario, as much can be learned from the critical sectors’ differences, creating opportunities for knowledge sharing.
So, implementing a TIBER-inspired framework in all of a nation’s critical sectors would strengthen the entire nation’s cyber resilience. It would develop knowledge sharing opportunities both within and across sectors. Finally, it could be used to create competitive advantage in the future, because who wouldn’t choose the most secure product available on the market? Which consumer isn’t worried about their private data being exposed as a result of one of the companies they use daily not having adequate security in place?
In other words, the spread of TIBER to other critical sectors would create nations that are less vulnerable to cyber attacks.