Interview: Shaun Reardon, Control Rooms Summit Keynote

Shaun Reardon gave a keynote speech titled 'Protecting the Control Room: The need for cyber security' at this year's Control Rooms Summit. In this pre-show interview, he reflects on key moments throughout his career to demonstrate the importance of a holistic design approach to control room cybersecurity.

Cyber security will be a key area of focus during this year’s Control Rooms Summit, with the need to protect technology and the environment that it’s deployed into high on the agenda for many in the sector.

That’s why Shaun Reardon’s keynote, entitled ‘Protecting the Control Room: The need for cyber security’ looks set to be a highlight of the programme.

Reardon certainly has plenty of experience to draw on, not just from his current role as Principal Cyber Security Consultant at DNV, an independent expert in assurance and risk management, but also thanks to his 26 years as a detective at Scotland Yard, a role that was as varied as it was long.

“I did lots of things,” says Reardon. “I led the Counter Terrorism Command Digital Forensic Unit and all the cyber investigations that go with that. I was the lead investigator for the plot to blow up seven airliners in 2006. I was team lead for the London Olympics in 2012. I was involved in the Alexander Litvinenko poisoning, and many, many, many other jobs. The three themes I had throughout were cyber, intelligence and financial crime.”

During his career, Reardon has been involved in most areas of cyber, from audit to operational technology, digital forensics to IT cyber security, and has even been trained by GCHQ. Current projects with DNV include working with a global oil and gas company looking at security risk assessments and security plans including a cyber element.

When it comes to AV and cyber security, Reardon is quick to highlight multi-vendor supply chains as one of the biggest areas of concern, citing the recent example of a major maritime project he worked on that included penetration testing a setup that involved eight data centres and multiple vendors.

“We found little bits and pieces, as you always do, but the absolutely critical, life threatening piece was where the two systems interfaced because it wasn't anyone's responsibility. When they had given out the scope to their two contractors, nobody had thought about the interfaces and the common shared services. So the key messages there are, take a holistic view of security and look at your supply chain.”

“Multivendor supply chains are where I see some of the biggest headaches in cyber security,” he continues. “So one of the key concepts I try and get across is that, in my personal opinion, there is no such thing, no separate discipline, of cyber security anymore. It is security. Because if you go to your light switch and you flick it, there's a massive amount of IT/OT control room sitting behind it; you go and adjust the thermostat on your wall, that's an industrial control system. It takes input, it takes output. So this is not about confidentiality and GDPR. When you’re looking at control rooms, industrial systems, it's about the integrity of the data – can you trust what you're looking at – and the availability of the data – how critical is that availability?”

When it comes to designing cyber security systems, the key is to prioritise, which means carrying out a criticality assessment. This involves looking at a complex system with all its display units, control panels and the like, and identifying which are the most important. You can then work out the criticality factor and focus spending on protecting those critical assets. Of course, this process is not foolproof.

“One overarching thing that I always bang on about is that you will fail. There's no such thing as 100% cyber security, there's no 100% security, but how do you put the barriers in to mitigate consequence? And in the control room scenario, it is vital,” he continues.

“Of course, there's risk in everything we do, so when businesses are looking at investment and putting in expertise, it’s got to be proportionate to the risks that they're working into. If they’re a supplier, it could be legal risk. If they're supplying to control rooms for smart buildings, I think there's a risk to security, but is there a life at risk? Potentially. If you're putting control rooms into maritime, into onshore or offshore installations, and you get it wrong and you can't get your engineers out there because there's a storm blowing outside, that’s critical. What I say to boards is how can you know your exposure if you don't know your risk?”

So, what is the single most important personal attribute of a security professional? “It’s mindset,” believes Reardon. “Don't set any parameters when you're looking at the threat picture, don't assume, don't project your ethics and morals onto other people, don't even put your own thoughts into it.”
