General considerations by Enzo M. Tieghi

Clusit 2020 report

Yesterday, with over 1000 people connected via live stream, the Clusit 2020 Report was presented: as always a very interesting volume (over 200 pages), full of data, diagrams and information on the state of ICT security in Italy, drawn up by a group of Italian specialists of international standing.

Here you can ask for your copy 

The introduction stresses that the biggest cyber threats now come from gangs of criminals (and state-sponsored groups) that "engage in a no-holds-barred fight, whose battlefield, weapons and targets are infrastructures, networks, servers, clients, mobile devices, IoT objects, social and instant messaging platforms (and the minds of their users), on a global scale, 365 days a year, 24 hours a day."

And again: “Anticipating some of the conclusions … we can state that 2019 was the worst year ever in terms of the evolution of "cyber" threats and related impacts, both from a quantitative and a qualitative point of view, highlighting a persistent trend of growth in attacks, their severity and consequent damage.”

The bulk of the incidents were caused by malware (for example ransomware), by the exploitation of known vulnerabilities and by phishing, which together account for almost 90% of the attack techniques. For all the details, I suggest consulting the very detailed pages of the Report.

Personally I still think that, of the incidents affecting the networks and systems that manage plants in industry and utilities, only a small percentage are caused by attacks aimed at those infrastructures; in most cases they are "collateral damage" from attacks on the web and IT infrastructure of the target organization (industrial or utility), which has not implemented adequate countermeasures to stop the damage from spreading to the OT infrastructure of Operations.

(Figure source: Fastweb)
OT Security

An interesting chapter in this Clusit 2020 Report is the one entitled "Industrial Security" by the Information Security & Privacy Observatory of the School of Management of the Milan Polytechnic, where the importance of OT/ICS security is underlined, especially from an Industry 4.0 perspective.

In these pages we find the definition of OT Security: securing the hardware and software components dedicated to monitoring and controlling processes and physical assets, mainly in the industrial sector or in sectors that manage critical infrastructures (Oil & Gas, Energy, Utilities, Telco).

The data for this chapter come from research conducted by interviewing the CIOs and CISOs of nearly 700 organizations and companies: 180 large enterprises and 501 SMBs.

The analysis shows that 68% of the companies interviewed say they have the OT world under control and perform OT security assessments, and 60% have implemented specific countermeasures for the OT world.

Among the most widely adopted techniques are network segmentation, access control solutions and privilege management. Other techniques mentioned are network monitoring, log analysis, vulnerability assessment and penetration testing.

One problem that emerges is the lack of OT-specific security skills, reported by more than 50% of the interviewees.

Later we find the topics addressed in a closed-door workshop entitled "Industrial Security 4.0", where participants from industry raised some "concerns", together with some scenarios of cyber incidents on plants.

Two critical issues emerged here: how to educate people to "virtuous" behaviour, and what countermeasures to adopt to contain any spread of problems.

The first scenario concerned the propagation of malware in an industrial environment via a USB stick, frequently used by employees at home or at work and improperly plugged into PCs on the process network (following the example of what happened in 2010 with the Stuxnet malware).

The second incident scenario instead concerned the propagation of malware in an industrial environment through an attack exploiting zero-day vulnerabilities in software present in a browser or application, as well as security vulnerabilities or deficiencies in the implementation or configuration of SCADA/ICS protocols.

Here again the lack of people skills and of adequate policies for restarting after incidents emerged, while technologies to monitor and contain what happens are available.
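As an added illustration of the kind of monitoring the previous paragraph refers to (example code written for this page, not part of the Clusit report or of any product), the following Python script learns which hosts talk to a PLC and with which Modbus/TCP function codes, then flags traffic that deviates from that baseline: a new talker (typically lateral movement from the IT zone) or a known talker that starts issuing write commands. All IP addresses and flow records are constructed for the example; the Modbus write function codes are the standard ones.

```python
"""Added example (not from the Clusit report or any vendor product):
learn-then-detect baselining of OT network flows. Flow records are
constructed; addresses and ports are hypothetical.
"""
from collections import defaultdict

# Modbus/TCP function codes that write to the controller (5 Write Single Coil,
# 6 Write Single Register, 15 Write Multiple Coils, 16 Write Multiple Registers,
# 22 Mask Write Register, 23 Read/Write Multiple Registers).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# One record per observed flow: (src_ip, dst_ip, dst_port, modbus_function).
# Constructed "learning phase" traffic on a process network (hypothetical addresses).
LEARNING_FLOWS = [
    ("10.10.1.10", "10.10.2.20", 502, 3),   # HMI reads holding registers
    ("10.10.1.10", "10.10.2.20", 502, 16),  # HMI writes setpoints
    ("10.10.1.11", "10.10.2.20", 502, 3),   # engineering workstation, read-only
    ("10.10.1.12", "10.10.2.20", 502, 4),   # historian reads input registers
]

# Constructed "live" traffic after the baseline is frozen.
LIVE_FLOWS = [
    ("10.10.1.10", "10.10.2.20", 502, 3),   # normal
    ("10.10.1.12", "10.10.2.20", 502, 4),   # normal
    ("10.0.5.77",  "10.10.2.20", 502, 3),   # host from the IT zone polling the PLC
    ("10.10.1.11", "10.10.2.20", 502, 16),  # workstation starts writing registers
]


def learn(flows):
    """Build the baseline: the set of (src, dst, port) talkers and, per
    (src, dst) pair, the set of function codes seen while learning."""
    talkers = set()
    functions = defaultdict(set)
    for src, dst, port, fc in flows:
        talkers.add((src, dst, port))
        functions[(src, dst)].add(fc)
    return {"talkers": talkers, "functions": dict(functions)}


def detect(baseline, flows):
    """Return one alert per flow that deviates from the baseline.

    A previously unseen (src, dst, port) triple is a new talker, which on a
    segmented process network usually means lateral movement from IT.
    A known talker using a function code it never used is a new function;
    write codes get severity "high" because they change the process."""
    alerts = []
    for src, dst, port, fc in flows:
        if (src, dst, port) not in baseline["talkers"]:
            alerts.append({"type": "new-talker", "severity": "high",
                           "src": src, "dst": dst, "port": port, "function": fc})
        elif fc not in baseline["functions"].get((src, dst), set()):
            severity = "high" if fc in MODBUS_WRITE_FUNCTIONS else "medium"
            alerts.append({"type": "new-function", "severity": severity,
                           "src": src, "dst": dst, "port": port, "function": fc})
    return alerts


def run_example():
    """Learn from LEARNING_FLOWS, then evaluate LIVE_FLOWS."""
    return detect(learn(LEARNING_FLOWS), LIVE_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run as-is it prints two alerts: the IT-zone host 10.0.5.77 as a new talker, and the engineering workstation issuing function code 16 (Write Multiple Registers) as a high-severity new function. The learning set must be captured during a period known to be clean and then frozen; any later legitimate change (a new HMI, a commissioning session) should be added to the baseline through change management, not by re-learning from live traffic.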

The third scenario focused on an attack through remote access points (RAT, Remote Access Tool) protected only by default passwords, used by third-party personnel assigned to maintain an OT system.

In this case too, the importance of people skills and of adequate policies for managing suppliers and external maintainers emerges, while tools and recommended configurations exist for controlling and managing remote access.

Operational Continuity

The Clusit 2020 Report also speaks extensively about Business Continuity & Resilience: Business Continuity (BC) is an essential practice to ensure the resilience of any organization and refers to ISO 22301:2019 (recently revised), which establishes the requirements for an effective Business Continuity Management System (BCMS).

In the "BCI Horizon Scan Report 2019", published by the Business Continuity Institute (BCI), UK, we find the landscape of the main real and perceived threats to organizations globally, as well as evidence of how BC contributes to developing business resilience.

The report identifies the Top 10 risks that will characterize the coming months: the first four positions are occupied respectively by cyber attacks and data breaches (in first place for the first time compared with previous years), by interruptions of IT and telecommunications systems, by extreme weather and geological conditions (e.g. hurricanes, earthquakes, etc.), followed by interruptions of the services provided by Critical Infrastructures.

The data reveal that the BC culture is not yet widespread enough, even if the figures recorded are expected to grow: in fact, certification is increasingly a parameter required to comply with mandatory regulations, especially after the advent of Industry 4.0, and to participate in public and private tenders, as a demonstration of the ability to guarantee continuity in the supply of products and services, in the supply chain and in logistics in the face of incidents and adverse events.

Edge Computing

Edge Computing is considered one of the enabling technologies to bet on for Industry 4.0 and IoT data management.

So how should we design the new process architectures? A schematic example…

Here are some points taken from the report, according to IDC:

– "In addition to material goods and services, Smart Factories will produce more and more data managed in Edge systems: the IT risk management related to operations will become an essential factor to ensure business continuity of operations and maintain the competitive capacity of the sectors in the new millennium."

– It underlines "the relevance of Security with respect to technological-organizational models (from Digital Transformation to IoT/Edge to Artificial Intelligence)."

– "in IDC's mid-term forecasts, the development models linked to Edge and IoT architectures are emerging as one of the greatest opportunities for the development of IT security, with many challenges, both technical and technological, still to be overcome, in order to fully implement the Security-by-Design principles."

– the convergence between Security technologies and Machine Learning algorithms will make it possible to develop platforms and solutions that increase Analytics and Security capabilities.

Below is an example of EDGE High Performance.

Considerations of a "vendor of Industrial Automation and OT Cyber ​​Security solutions"

As already mentioned, we consider the incidents affecting the networks and systems that manage plants in industry and utilities to be, in most cases, "collateral damage" resulting from attacks on the IT infrastructure of the target organization (industrial or utility): impacts that then propagate to the OT infrastructure.

OT skills and skill building: for some time now we have been offering awareness sessions on OT cyber security for operators and managers, as well as holding specific courses on OT/ICS security, scheduled and on demand (also via the web).

Regarding the three scenarios that emerged from the participants in the Milan Polytechnic Observatory workshop, we have a family of specific products and services as countermeasures (in addition to the already mentioned training for Operations and IT/OT staff):

– design of network and system implementation projects according to "OT Security-by-Design" concepts, following the IEC 62443 standard and NIST Cybersecurity Framework compliant policies


– industrial asset discovery, vulnerability assessment, vulnerability mitigation, anomaly detection systems, with reference to Security-by-Visibility guidelines

– systems for Change/Configuration Management, versioning, backup and recovery for ICS (PLC, HMI, SCADA, robots, CNC, AGV, etc.)

– configurations and tools for controlled remote access (RAT)
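As an added example of what a Change/Configuration Management check for ICS programs does (written for this page; it is not the code of any product mentioned here), the following Python script freezes an approved baseline of controller and HMI uploads as SHA-256 fingerprints tied to a change ticket, audits fresh uploads against it, and shows how an edit made without a ticket is flagged until it goes through change management. In practice the uploads would be pulled from the PLC/HMI with the vendor engineering tool; here they are constructed byte strings, and the asset names, version labels and ticket numbers are hypothetical.

```python
"""Added example (not from the Clusit report or any vendor product):
a minimal change/configuration-management check for ICS project files.
Uploads, asset names, versions and ticket numbers are constructed.
"""
import hashlib


def fingerprint(blob: bytes) -> str:
    """SHA-256 of an uploaded program/configuration."""
    return hashlib.sha256(blob).hexdigest()


def make_baseline(assets: dict, version: str, ticket: str) -> dict:
    """Freeze the approved state: one hash per asset plus the change record
    that authorised it. The backup set should match exactly this state."""
    return {"version": version, "ticket": ticket,
            "assets": {name: fingerprint(blob) for name, blob in assets.items()}}


def audit(baseline: dict, uploads: dict) -> list:
    """Compare fresh uploads against the approved baseline.

    Every deviation is a finding: a changed program with no approved change
    record, an asset that no longer answers, or a device never inventoried.
    The recommended action comes from the backup/recovery process."""
    findings = []
    for name, expected in baseline["assets"].items():
        if name not in uploads:
            findings.append({"asset": name, "status": "missing",
                             "action": "check device; restore from backup if replaced"})
        elif fingerprint(uploads[name]) != expected:
            findings.append({"asset": name, "status": "modified",
                             "action": f"no change ticket since {baseline['version']}: "
                                       "investigate, then restore approved version"})
    for name in uploads:
        if name not in baseline["assets"]:
            findings.append({"asset": name, "status": "unknown asset",
                             "action": "add to inventory or remove from network"})
    return findings


def run_example():
    """Constructed scenario: an unapproved edit to the PLC program, followed by
    an approved change that re-baselines the same content."""
    approved = {
        "PLC-01/main.program": b"MAIN: IF Level > 80 THEN Pump := FALSE; END_IF",
        "HMI-01/screens.xml":  b"<screens><screen name='overview'/></screens>",
    }
    baseline = make_baseline(approved, version="v12", ticket="CHG-2020-031")

    # Upload taken during a routine audit: the PLC logic was edited without a ticket.
    uploads = {
        "PLC-01/main.program": b"MAIN: IF Level > 95 THEN Pump := FALSE; END_IF",
        "HMI-01/screens.xml":  approved["HMI-01/screens.xml"],
    }
    before = audit(baseline, uploads)

    # The same edit goes through change management and becomes the new baseline.
    baseline = make_baseline(uploads, version="v13", ticket="CHG-2020-044")
    after = audit(baseline, uploads)
    return before, after


if __name__ == "__main__":
    before, after = run_example()
    print("before approval:", before)
    print("after approval:", after)
```

The first audit reports PLC-01 as modified with no ticket since v12; after the change is approved and re-baselined as v13 the same upload audits clean. The point of tying the hash set to a version and ticket is that "restore from backup" always means restoring a known, approved state rather than whatever was last uploaded.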

Regarding Business Continuity and Edge:

– Edge designed to help companies increase operator efficiency and reduce costs and machine/plant/IoT downtime: the solution installs in less than an hour and can be managed entirely remotely, significantly reducing the effort typically required of IT to deploy an IoT and field-data processing solution.

Self-protection and self-monitoring features help reduce unplanned downtime and ensure maximum availability in business-critical industrial applications.
