Virtualization

Jochen Koehler | Lukas Dehling

Isolation instead of detection

The increasing networking of IT and OT means that traditional security measures are inadequate: they need to be supplemented by solutions that rely on isolation rather than detection. Virtualization can help here.


The basis for the successful implementation of Industry 4.0 projects is the integration of information technology (IT) and operational technology (OT). This 'opening up' inevitably results in greater security risks for the OT area, which was previously separate from IT, as cyber attackers also gain OT access via IT vulnerabilities - with potentially fatal consequences for manufacturing systems or production processes.

A security solution must therefore render all IT vulnerabilities harmless. The current threat situation makes it clear that traditional security measures are no longer sufficient for this, even where they incorporate newer methodical or holistic approaches. While IT security in the past focused primarily on the network infrastructure, the end device is now increasingly coming into focus as a central weak point in the network. Common security solutions such as intrusion prevention systems, antivirus software or next-generation firewalls concentrate on detecting attacks, for example using signatures, behavioral analysis or heuristic methods. Detecting attacks and blocking them inside the operating system, so that malicious code never reaches system resources, is the current state of the art in endpoint security software.

However, all these applications have a serious disadvantage: they cannot provide reliable protection against the growing number of polymorphic cyber threats, zero-day attacks and advanced persistent threats. The reason is clear: these solutions rely on the detection of malware and reach their limits when it comes to previously unknown, new malware.

This also applies to next-generation antivirus (AV) solutions. They promise to detect attacks using machine learning and artificial intelligence. They aim to detect potential malware by analyzing code before executing actions on the respective end devices, but this also means that next-generation AV applications are still all about detection. Although they are a further development, they are ultimately only antivirus solutions and therefore inadequate; after all, antivirus software manufacturers have never claimed that their solutions offer a 100% detection rate.


Virtualization as a way out

Traditional detection-oriented solutions therefore do not reliably rule out security risks. There is no way around new security concepts. Many software providers now see virtualization as a way out of the security dilemma. By isolating all activities that potentially endanger the company network, the security gaps that are inherent in traditional solutions can be closed.

Microsoft, for example, is taking this approach. The Redmond-based company offers Device Guard in the enterprise edition of its current Windows 10 operating system, which combines hardware and software security features. The central component here is Virtualization-Based Security (VBS). This isolates central operating system services so that no business-critical data can be stolen if the operating system is compromised.
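Because VBS can be enabled without its dependent services actually running, an administrator assessing the Windows 10 protection described above needs to read the reported state rather than assume it from the edition. The following PowerShell function is an added example, not code from the article or from Microsoft or Bromium; it queries the documented Win32_DeviceGuard WMI class and decodes the VBS status and the two most commonly checked VBS-backed services (Credential Guard and hypervisor-enforced code integrity). The function name and the output field names are the author's own choices.

```powershell
# Added example: report the Device Guard / Virtualization-Based Security state of the local machine.
# Uses the documented Win32_DeviceGuard class; function and field names are this example's own.
function Get-VbsStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesRunning lists the VBS-backed services that are actually active:
    # 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity).
    # SecurityServicesConfigured uses the same codes for services that are configured but may not be running.
    [PSCustomObject]@{
        VbsState                  = $vbsState
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciConfigured            = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        ServicesRunningRaw        = ($dg.SecurityServicesRunning -join ',')
    }
}

# Usage: run in a PowerShell session on the Windows host being assessed.
Get-VbsStatus | Format-List
```

A result of "Enabled but not running" with empty service lists is the case worth flagging in an audit: the policy is set, but the hypervisor-backed isolation the article relies on is not actually protecting the operating system services.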

Another example of the growing virtualization trend is encapsulated surfing environments, i.e. secure browsing solutions based on a dedicated web browser. However, such solutions, which completely encapsulate the browser from the operating system, only cover this gateway. They do not take into account other typical client security risks such as e-mails, downloads or USB storage media.

Isolation by means of micro-virtualization

The company Bromium is also pursuing a virtualization approach with its hardware-isolated micro VMs, but is going a decisive step further. The central solution components are a Xen-based hypervisor specially developed with security in mind and the integrated virtualization features of all current CPU generations. Micro-virtualization means isolating potentially dangerous applications. The Bromium solution creates micro VMs for all risky user activities with data from external sources. Each individual task runs in its own micro VM - strictly separated from the actual operating system and the connected network.

The Bromium solution encapsulates all user activities in its own micro VMs.

© Bromium

Bromium thus extends the operating system services-related VBS of Microsoft Windows 10. The Bromium solution can already be used under Windows 7 and 8.1 and also isolates common browsers as well as Office and PDF documents from email attachments or portable storage media. Compromising the end device and the corporate network via these attack paths is therefore impossible. This extended range of functions also distinguishes the Bromium solution from secure browsing variants.

In general, innovative approaches to endpoint security do not focus on detecting malicious code or tracking down attacks, but on targeted protection against malware without it necessarily having to be recognized as such.

This means that the new trend in IT security is virtualization-based isolation of threats rather than their detection. And the associated protection of the IT world also directly ensures the trouble-free operation of networked production systems and industrial plants.

Author:
Jochen Koehler is Regional Director DACH at Bromium in Heilbronn.
