All change: Acting CISO Tim Moorey reveals how the Met Office is remodelling its security
How new, big-data-led business models at the Met Office are driving a top-to-bottom change in IT security
There's scarcely an organisation of significant size anywhere around the world that isn't either rolling out, or considering, a programme of digitalisation: that is to say, completing the end-to-end transformation of business processes with always-on, internet-connected computerisation.
Yet one factor that is often overlooked, or little discussed, is security and the transformation to security that needs to take place in order to support any programme of digitalisation.
But not at the Met Office. Since Tim Moorey joined last year as acting chief information security officer (CISO), the Met Office's security posture has undergone a top-to-bottom transformation.
"Before I joined the Met Office, we had a fairly 'singleton' security team that was fire-fighting a lot of the issues that arose. [They were] multi-hatted individuals who had a broad understanding of security, but weren't necessarily able to drive the strategic stuff through," says Moorey.
In response, Moorey not only restructured the team, but has shifted the way in which the Met Office approaches and handles IT security. "The team has evolved, broken down into the core streams of delivering the information assurance and cyber resilience across the organisation," says Moorey. It has also expanded, taking on security staff with a wider variety of skills in order to handle some of the new core tasks.
"Originally, the security team depended entirely on, for example, the networks team so that people looking after the networking infrastructure would have monitoring capabilities for service monitoring. We'd have infrastructural desktop people that would do monitoring of desktop infrastructure. There was no real central coordination," says Moorey.
He was originally brought in to help establish the Met Office's Security Operations Centre as the organisation seeks to make its data and know-how more widely and easily available.
As CIO Charles Ewen explained to Computing earlier this year, the Met Office is considering ways of, for example, running algorithms from commercial and other organisations against its own datasets, or subsets of its data. But such an approach will require a very different approach to IT security - focusing, at the Met Office, on protection of information assets, rather than maintaining a highly secure perimeter fortified by firewalls.
The trouble with the old approach, continues Moorey, is that "each team was looking at it from a service-monitoring or service availability perspective, specifically from a security or cyber-threat perspective".
Drawing these functions into the Security Operations Centre has not, he argues, reduced the amount of network monitoring or systems management being done.
"They are still monitoring for service availability and so on, but [also] looking at the feed from all of the monitoring systems we've got, plus specific security controls, and looking at those in a cyber context and then providing packages of work out to the business, as necessary to remediate or react to," says Moorey.
It has also taken on a number of other tasks as it becomes more embedded in the business.
One of those new tasks is accreditation - certifying systems and applications deployed in-house for security. "The accreditation assurance side helps information-asset owners to understand where the risks to their information lie so that they can take those risk-management decisions," Moorey says.
He continues: "We have gone through a programme of doing legacy accreditation on all of our core systems. That's about going through them, looking at them in a way broadly similar to ISO 27001, and doing a risk-assessment against all of our core systems, and providing a risk-assurance level that the business can then decide whether that meets its risk appetite.
"If not," he says, "we need to instigate a programme of work to remediate, patch, or replace. That work has been really useful to help the business understand where its risks lie."
It has also helped demonstrate the importance of IT security to the business and, indeed, elevated its role to one of business partner - not just a function of IT that only ever surfaces when something appears to have gone wrong.
Security begins at home
Internally, Moorey is hoping to bake-in security from the earliest stages in new application development with specialist information-security architects. "Their role is to sit in on projects at the earliest possible stage and provide guidance and advice to help a project be accreditable," says Moorey.
Instead of security being something that gets considered in earnest only towards the end of a project, Moorey hopes that the security architects can shift it to the top of the agenda.
"Traditionally, security has been a sticking plaster approach. This has happened in various businesses I have been involved in: it's right at the last minute when there's some sort of compliance objective that's discovered, deep within the governance, and then the project is either fighting with the change-advisory board or whoever's trying to get it through despite the compliance issues.
"The whole idea of the security architects is to ensure that they are in the project right from the beginning and that they are making the right decisions, risk-management decisions, or at least documenting them so that the asset owner can ultimately say whether he or she accepts [their advice] or otherwise," says Moorey. They are, he adds, "extremely busy because everybody at the Met Office is developing new stuff".
Knitting the new security posture together is the Met Office's Cyber Security Operations Centre itself. "This is where we are focusing resources on the alerting, monitoring, and incident response and investigation side. It's about monitoring our perimeters, security systems and other systems, taking feeds in from various government bodies and commercial threat bodies to ensure that we can provide a decent situation awareness to the business."
This encompasses two broad new initiatives.
The first is the development of a self-learning security system intended to monitor the Met Office's internal network for signs of abnormal activity. Built on an Elasticsearch NoSQL database, the system is meant to automate the routine part of network monitoring so that security staff can focus on potential or likely intrusions, rather than spending their days poring over mundane network traffic logs.
This has been developed to support the Met Office's shift in security strategy based on "trust zones", a strategy that involves identifying core information that requires toughened defences, but which also accepts that security based on rigid outer defences will almost certainly be breached.
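The article describes the monitoring system only in outline: learn what is normal on the internal network, then surface the abnormal. The block below is an added illustration of that baseline-and-deviation idea, not code from the Met Office or from the article; the log format, host names, destinations, byte counts and the z-score threshold are all constructed for the example, and a real deployment would compute the baseline from an Elasticsearch index rather than from an embedded string.

```python
"""Baseline-and-deviation detector over flow-style log lines.

Added illustration of "learn the normal, flag the abnormal" network
monitoring. Everything here (record format, hosts, volumes, threshold) is
constructed for the example; it does not describe the Met Office's system.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst bytes" flow records.
# Days 1-3 are the training window; day 4 is the monitored period.
TRAINING_LOGS = """\
2019-03-01T09:00 ws-101 fileserver 52000
2019-03-01T09:05 ws-101 fileserver 48000
2019-03-01T10:00 ws-101 mail 12000
2019-03-02T09:00 ws-101 fileserver 51000
2019-03-02T11:00 ws-101 mail 11000
2019-03-03T09:30 ws-101 fileserver 49500
2019-03-03T12:00 ws-101 mail 12500
2019-03-01T09:00 ws-202 fileserver 30000
2019-03-02T09:00 ws-202 fileserver 31000
2019-03-03T09:00 ws-202 fileserver 29000
"""

# Constructed monitored traffic: two ordinary events for ws-101, then a very
# large transfer to the file server and a large transfer to a never-seen
# external address, and one ordinary event for ws-202.
MONITORED_LOGS = """\
2019-03-04T09:00 ws-101 fileserver 50500
2019-03-04T09:10 ws-101 mail 12000
2019-03-04T02:15 ws-101 fileserver 9800000
2019-03-04T02:20 ws-101 198.51.100.7 4100000
2019-03-04T09:00 ws-202 fileserver 30500
"""


def parse(lines):
    """Yield (src, dst, nbytes) from whitespace-separated records."""
    for line in lines.strip().splitlines():
        _ts, src, dst, nbytes = line.split()
        yield src, dst, int(nbytes)


def learn_baseline(training):
    """Per-host profile: byte-volume mean/stdev plus the set of known peers."""
    volumes = defaultdict(list)
    peers = defaultdict(set)
    for src, dst, nbytes in parse(training):
        volumes[src].append(nbytes)
        peers[src].add(dst)
    return {
        host: {"mean": mean(v), "stdev": pstdev(v), "peers": peers[host]}
        for host, v in volumes.items()
    }


def score(baseline, monitored, z_threshold=3.0):
    """Return (src, dst, reason) alerts for events outside the baseline.

    Rule 1: byte volume more than z_threshold standard deviations above the
    host's mean. Rule 2: a destination the host has never talked to before.
    A host with no baseline at all is reported rather than silently scored.
    """
    alerts = []
    for src, dst, nbytes in parse(monitored):
        profile = baseline.get(src)
        if profile is None:
            alerts.append((src, dst, "no baseline for host"))
            continue
        reasons = []
        # Guard against a zero stdev (host with a single constant volume).
        if profile["stdev"] > 0:
            z = (nbytes - profile["mean"]) / profile["stdev"]
            if z > z_threshold:
                reasons.append(f"volume z-score {z:.1f}")
        if dst not in profile["peers"]:
            reasons.append("new destination")
        if reasons:
            alerts.append((src, dst, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    profile = learn_baseline(TRAINING_LOGS)
    for alert in score(profile, MONITORED_LOGS):
        print(alert)
```

Only the two off-hours transfers from ws-101 are reported; the routine traffic from both hosts stays below the threshold and is never shown to an analyst, which is the triage effect the article attributes to the system. A per-host baseline is a deliberate choice: a single network-wide mean would let a normally quiet host's sudden transfer hide behind the volume of busier ones.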
Second is the cyber-weather concept, intended to spread security awareness across the organisation, especially to non-IT staff (and therefore, perhaps, less security-aware staff).
"With weather being our business, it's useful to speak a similar language to the rest of the business. We're producing situational awareness reports that go to the business - our cyber-weather reports. [The idea is that] we can help the business and staff know that if the threat level increases, or there are specific threats, issues, and vulnerabilities, we can share them in a manner that means they can see how it affects their [part of the] business and react accordingly," says Moorey.
In essence, this means communicating potential threats in plain language that ordinary staff can understand and act upon.
Going for gold
"In the last year, we've also run some exercises to test how the business responds to cyber threats, including one that instigated a 'gold' scenario, so the gold team got involved," says Moorey. That is to say, an exercise involving everyone from senior management downwards, "where maybe the organisation needs to consider communicating directly with customers or shutting down services or evacuating buildings".
Moorey and the Met Office's senior management have also given deeper thought to how best to respond to an attack. "There is a tendency to try to recover as quickly as possible. In some cases with a cyber attack it's probably best not to recover quite so quickly if you can, or do any immediate containment actions that might alert an attacker who might be in the early phases of a larger attack.
"So it's about deciding at what point to put in containment measures and recovery mechanisms, before you start to risk the attack being escalated, or losing forensic evidence," says Moorey.
In addition, the Met Office's exercises have also stimulated thought around communication with staff in the event of a cyber attack. "In some cases there can be a tendency to disclose a virus attack or a hack in the spirit of being open and transparent. But, again, there's the [risk of] reputational damage. Therefore, it's around exploring better ways of saying that there's a technical issue - which, of course, it is - but not disclosing too much," says Moorey.
"Tying into all of that, there's a team of people responsible for delivering business continuity management across the Met Office. They're heavily involved in the business impact assessment work because, although we might know the value of our information assets and the associated risks, we need to map those to systems and services so that when a disaster occurs the business knows which to recover most urgently and in which order," says Moorey.
"Equally, in the event of a cyber attack there's a tendency to go into a mad panic in order to bring things back online, when it should be the focus on which systems you can leave offline for a bit longer in order to help us detect and prevent," he adds.
In terms of more blue-sky thinking, Moorey is also keen to explore the idea of applying some of the predictive analytics that the Met Office does every day in its core business to security.
"How can we turn the model that we do for weather, which is about taking observations, running mathematical models, historic analysis against those observations to be able to provide predictions... to see whether we can add some more certainty as to the nature of an attack based on observations on the network?" asks Moorey.
The Met Office is also looking to see whether it can add more visualisation to cyber diagnoses too, in order to make potential vulnerabilities and threats quicker and easier to absorb, although the mainstay of the organisation's security technology remains standard off-the-shelf or open-source software.
So, with a Security Operations Centre that is expanding, what does Moorey look for in prospective team members?
"They need to have experience in the technical aspects. So they would come from a traditional IT background, with on-the-ground IT experience and would be strong in networking and supporting operating systems. Beyond that, they need to have gone through a journey of investigating faults and resolving issues... whereby they have built up an intuitive response to faults," says Moorey.
But in addition, they also need to demonstrate that they can think like a hacker, too.
"I think it's really important that, if you have got an understanding of the mindset of an attacker, you can show that you have an understanding of the reconnaissance, discovery, testing, escalation of rights and then the payload - all of that. If you've got that mindset, you can look into and investigate the idea that what you are seeing could potentially be an attack and understand the steps that an attacker may take or has taken, so you can make recommendations and contain them.
"You can send people on courses and they can get certified as 'ethical hackers' and all of that stuff, but what's more important is the journey they've gone on to create that intuitive brain. Security people are not just techies who fix things - it's more than that," says Moorey.