Critical infrastructure will fall to hackers if companies continue to view cyber security as a contained and purely IT problem, according to the head of cyber security at National Rail.
Peter Gibbons made the claim during a panel session at Infosec attended by V3, arguing that critical infrastructure defence will be too big a task for IT departments to handle alone in the very near future.
"I have an aspiration: to stop talking about cyber security and just talk about security," he said.
"We need to stop looking at cyber security workers as magical people and help the train drivers and oil workers to see an issue and respond to it, viewing security as a part of their job and calling in the expertise when they need it.
"We need to stop thinking about cyber security as a specialism. It's something everyone should know about and view as part of their job."
He added that the move would simply require employees to think of cyber security in the same way as they think of physical security.
"[For example] we have a site outside Paddington and we don't have to tell the team to monitor the site to see if someone's climbing over the barrier to steal the copper cable. The team knows that's their responsibility," he said.
"I want the same in cyber so that people know the risk and view handling it as part of their job."
Gibbons cited the Internet of Things movement as another problem, arguing that many technology firms fail to make their products secure by design.
"We see a future in the next five to 10 years when temperature monitors may be making decisions about train running and speeds. In the future we're also looking at things like getting the red signal sign on tracks and putting that information into the trains," he said.
"Traditionally we've bought products that aren't secure and bolted a load of things on top to try and make them secure. We need secure products."
Gibbons maintained that industry needs a common set of standards that places security at its core.
"Software development happens outside my business and a lot of products I see aren't secure. [Suppliers] need to know to build security in," he said.
"We need secure standards on the provisioning of products for when we connect it all together. If we don't start with a secure product built on a common set of requirements we're in trouble."
Gibbons added that the need for better security strategies is pressing as the connected nature of critical infrastructure means that a successful attack could have disastrous knock-on effects.
"What's important for me is not just the service we directly deliver to our customers but how they relate to the rest of the critical infrastructure," he said.
"We move a lot of items about for critical infrastructure. If we fail, chemical plants don't get chemicals, food stores don't get food, power stations don't get coal. Critical infrastructure is connected. If we stop delivering there will be real problems in the UK."
The comments follow concerns about targeted attacks on critical infrastructure. The US Department of Defence said in May that China is developing cyber attack tools that could knock a nation's infrastructure offline using data stolen during previous hacks.