Moxa - Security basics - Part 1
Cybersecurity 101
Cybersecurity is clearly an absolute necessity. What is less clear, however, are the basic principles that form the foundation of a strong and effective cybersecurity strategy. If they are missing, the entire concept stands on shaky pillars.
C.I.A. - these three letters stand for the classic understanding of cybersecurity: 'C' for 'Confidentiality' means that content may only be read by the authorized parties involved; 'I' for 'Integrity' means that the content of a message may not be changed; and 'A' for 'Availability' means that a message must be available for exactly as long as necessary. In IT security, these three aspects are considered equally important. In the area of OT (Operational Technology), however, availability is the top priority. This means that not only the threat but also the effects of the security measures themselves must be evaluated.
In an OT network, principle C (confidentiality) requires that the data flow between sensors, controllers and other devices is encrypted, e.g. using TLS/SSL, so that no unauthorized party can access sensitive information. This can also include encrypting firewall configurations, which contain sensitive information about the security design of the network. Integrity requires that only the operating systems and software that have been subscribed to or purchased run on the hardware, a mechanism also known as 'secure boot'. Availability means using a network concept that guarantees redundancy in order to rule out a single point of failure (SPOF).
Controlling access to information ensures confidentiality and integrity. A distinction must be made between authorization and authentication. Authentication is the process of checking whether a person or computer is actually who they claim to be; it establishes with whom information is being exchanged. Authorization, on the other hand, concerns which access rights or privileges a person or a piece of software has. Both clearly defined authorization guidelines and the systematic authentication of users are crucial for preventing intrusions.
Threat types and vulnerabilities
The basis of a cybersecurity strategy includes defining possible threats. Obvious threats include powerful hacker organizations, international espionage and warfare. However, this does not mean that anything not connected to the internet or the company network is safe: around a fifth of threats originate internally. All it takes, for example, is a disgruntled, dismissed employee whose password has not been changed. In the Australian administrative region of Maroochy, for example, a worker connected the network of a water treatment plant to a WLAN router before changing jobs. Years later, when he was rejected for a position at the town hall, he flooded the park with 1,000 liters of wastewater.
But even with good intentions, employees can cause harm. In terms of security, it doesn't matter whether the intent is malicious or not; it's the result that counts. With the dramatic rise in sophisticated social engineering and deepfake phishing attempts, the risk is growing that an employee tries to help their manager in a supposedly threatening situation that is in fact fake and malicious. A major American bank made headlines in 2019 when it accidentally exposed over 800 million private records, including driver's license data and bank statements.
Another myth is the idea that it takes powerful supercomputers and the latest technologies to cause significant damage. The reality is much simpler: crime is offered "as a service". According to Forbes, paralyzing an Internet-based asset for an hour on the Darknet costs just USD 165, and a valid credit card number linked to an account with at least USD 10,000 can be obtained for as little as USD 25.
The rapid development of criminal cyber attacks with ever more complex and precise forms of attack poses a challenge for protective measures. Ransomware continues to grow and social engineering is becoming more sophisticated, while brute force attacks are still common. Advanced persistent threats (APTs) are used to secretly collect private data over a longer period of time. Once an attacker has found a victim, it is quite possible that they will look for further vulnerabilities.
Dealing with vulnerabilities
According to market research, the annual damage caused by cyber criminals worldwide will rise to 23.82 trillion US dollars by 2027.
© Source: Statista

It takes some time to make a vulnerable infrastructure secure. However, even rudimentary cybersecurity measures significantly reduce the potential extent of damage and the consequences of a successful attack. In this context, it is important to know how vulnerabilities are currently dealt with. During the development of a network component, they can be identified at an early stage with static tests or peer reviews. Automated tests check the system's resistance to common attacks. Penetration tests are also common practice: a third party systematically and exploratively attempts to bypass the defensive measures. If a vulnerability is discovered in a new product, the manufacturer can fix it immediately. If the product is already on the market, the person performing the test usually notifies the manufacturer and gives them time to create a patch before publicizing the problem through groups such as MITRE. Although such responsible disclosure is not required by law, it is standard practice in the security industry.
Not only is vulnerability information publicly available, there are even freely usable search engines that find network equipment by its known vulnerabilities. This means that weaknesses in devices and software are public knowledge, and it is crucial to identify which devices require a firmware update and to carry it out promptly.
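As an added illustration of that last point (not a Moxa tool, and not tied to any real product), the following Go program triages an asset inventory against a list of advisories that name the firmware version in which each problem was fixed. The device host names, model names and the "ADV-EXAMPLE-…" identifiers are constructed placeholders; in practice the advisory list would be fed from the vendor's security advisories or a vulnerability database.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a dotted firmware version such as "1.3.2".
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts "MAJOR.MINOR[.PATCH]" with an optional leading "v".
// Anything else is an error: a device that reports an unreadable version must
// not silently be treated as up to date.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return Version{}, fmt.Errorf("unrecognised version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("unrecognised version %q", s)
		}
		nums[i] = n
	}
	return Version{nums[0], nums[1], nums[2]}, nil
}

// Less reports whether v is older than o (numeric, not lexicographic: 1.10 > 1.9).
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

func (v Version) String() string { return fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch) }

// Advisory says: every firmware of Model older than FixedIn is affected.
type Advisory struct {
	ID      string // placeholder identifier, not a real CVE or vendor advisory number
	Model   string
	FixedIn Version
}

// Device is one row of the asset inventory, with the firmware string as reported.
type Device struct{ Host, Model, Firmware string }

// Finding pairs a device with the reason it needs attention.
type Finding struct{ Host, Reason string }

// Triage lists devices whose firmware is older than a known fix, plus devices
// whose firmware string could not be parsed and therefore need a manual check.
func Triage(inventory []Device, advisories []Advisory) []Finding {
	byModel := map[string][]Advisory{}
	for _, a := range advisories {
		byModel[a.Model] = append(byModel[a.Model], a)
	}
	var findings []Finding
	for _, d := range inventory {
		v, err := ParseVersion(d.Firmware)
		if err != nil {
			findings = append(findings, Finding{d.Host, "firmware version unreadable, verify manually: " + d.Firmware})
			continue
		}
		for _, a := range byModel[d.Model] {
			if v.Less(a.FixedIn) {
				findings = append(findings, Finding{d.Host, fmt.Sprintf("%s: firmware %s is older than fix %s", a.ID, v, a.FixedIn)})
			}
		}
	}
	return findings
}

// Constructed sample data: host names, model names and advisory IDs are placeholders.
var sampleInventory = []Device{
	{"switch-01.plant.example", "EXAMPLE-SW-100", "1.3.2"},
	{"switch-02.plant.example", "EXAMPLE-SW-100", "1.4.0"},
	{"gw-01.plant.example", "EXAMPLE-GW-200", "v2.0.1"},
	{"gw-02.plant.example", "EXAMPLE-GW-200", "unknown"},
	{"plc-01.plant.example", "EXAMPLE-PLC-300", "0.9"},
}

var sampleAdvisories = []Advisory{
	{"ADV-EXAMPLE-0001", "EXAMPLE-SW-100", Version{1, 4, 0}},
	{"ADV-EXAMPLE-0002", "EXAMPLE-GW-200", Version{2, 0, 1}},
}

func main() {
	for _, f := range Triage(sampleInventory, sampleAdvisories) {
		fmt.Printf("%-26s %s\n", f.Host, f.Reason)
	}
}
```

The edge case worth noting is the device that reports an unreadable firmware string: it is listed for a manual check rather than skipped, because "could not determine" must never be mistaken for "not affected". Versions are compared numerically, so 1.10.0 correctly counts as newer than 1.9.0.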
Possible protection mechanisms
Encryption is a common form of protection against online threats. It prevents information exchanged between two nodes from being read by anyone who intercepts it. For example, a WLAN connection can be intercepted, but the transmitted content cannot be deciphered thanks to WPA encryption. Communication via open networks, e.g. in hotels or airports, must be encrypted in order to maintain confidentiality. However, even if the communication is private, such as in a home office, all the intermediate networks that make up the Internet must be considered a threat.
Another application of encryption is digital signatures. In contrast to symmetric encryption, which uses the same key for encryption and decryption, asymmetric methods use different keys. This means that a communication can be encrypted with a secret key, and anyone who decrypts it with the publicly available key can read its content. In addition, the recipient knows that the document originates from the owner of the secret key, because the document bears a signature. In this way, digital certificate authorities (CAs) can issue certificates to entities that attest to the authenticity of that entity. This is the case, for example, with websites that use HTTPS (Hypertext Transfer Protocol Secure). If a website's certificate is invalid, it cannot be decrypted with the CA's public key. The browser then cannot verify the identity of the website and does not display it, because the website could be an imitation of the original or a malicious intermediary between the user and the original website.
Security at network topology level
There are also measures that make network topologies resistant to cyber attacks. 'Air gapping' is frequently used in the OT sector: the internal network and the globally networked outside world are physically separated. However, air gapping is no longer considered sufficient, because many potentially dangerous actors are located internally. If air gapping is not combined with physical access control, i.e. control over who can enter the building, anyone can join the network via a USB stick or WLAN. And do the network engineers have a list of all the computers that have Bluetooth switched on? Most of them don't. This means the network is open and connected.
The expression 'castle and moat' uses a medieval metaphor to describe a network with extremely robust perimeter security. It is based on the assumption that the outside world is hostile, while the inside is secure. But this model no longer works. Since the Covid pandemic at the latest, many people have been using VPNs to work from home. This blurs the 'secure perimeter': does it include the home network? And is that network secure?
A more advanced design is 'Defense-in-Depth'. It works according to the onion principle: each layer is slightly more secure than the one outside it, with the most important operations and data, which must not be compromised under any circumstances, in the middle. The defense-in-depth method forms the basis of the Purdue model, which is also recommended in EU cybersecurity guidelines.
One modern architecture is SASE (Secure Access Service Edge). Here, all security functions, including authentication and authorization, are not located in a central system but at the edge of the network.