Moxa - Cybersecurity Basics - Part 1
The Fundamentals of Cybersecurity
Cybersecurity is a bare necessity; that much is clear. What is less clear, however, are the basic principles that form the foundation of a strong and effective cybersecurity strategy. If they are missing, the entire concept is rickety.
C.I.A. - these three letters stand for the classic understanding of cybersecurity. Even if others are sometimes added, these three form the core. The C stands for confidentiality. This means that only the authorized parties involved are allowed to read the content. The I stands for integrity, which states that the content of a message may not be changed. The A is availability: a message must be available for exactly as long as necessary, neither longer nor shorter.
When it comes to IT security, these three aspects are considered equally important. In the area of OT, though, availability is the top priority. After all, if there are interruptions in a production line, this can result in vast financial costs. In an operating theater, it can even be a matter of lives. This means that in the area of OT, not only the threat must be evaluated, but also the effects of security measures.
In an OT network, principle C (confidentiality) requires the data flow between sensors, controllers and other devices to be encrypted, e.g. using TLS/SSL, so that no unauthorized party can access sensitive information. This might also include encrypting firewall configurations, which contain confidential details about the network's security design. I (integrity) demands that only subscribed or purchased operating systems and software are run on the hardware - also known as secure boot. A (availability) refers to a network concept that guarantees redundancy in order to rule out a single point of failure (SPOF).
Controlling access to information ensures confidentiality and integrity. Here, it is important to distinguish between authorization and authentication. Authentication is the process of checking whether a person or computer is actually who they say they are. This ensures everyone knows with whom they are sharing information. Authorization, on the other hand, regulates the access rights or privileges of a person or software. Both - clearly defined authorization guidelines and the systematic authentication of users - are crucial for preventing intrusions.
Types of Threat
The basis of a cybersecurity strategy also includes defining possible dangers. Obvious examples are powerful hacker organizations, international espionage and warfare. Still, this doesn't mean that anyone whose systems aren't connected to the internet or the company network is safe: around a fifth of threats arise from internal hazards. All it takes, for example, is a disgruntled, dismissed employee whose password hasn't been changed. In Maroochy, an administrative area of Australia, a worker hooked up the network of a water treatment plant to a Wi-Fi router before switching jobs. Years later, when he was rejected for a position at the town hall, he flooded the park with 1,000 liters of wastewater.
Yet, even with good intentions, employees can cause harm. In terms of security, it makes no difference whether the intention is malicious or not - it is the result that counts. With the dramatic rise in sophisticated social-engineering and deepfake-phishing attempts, the risk of an employee trying to help their manager in a supposedly threatening situation that is actually fake and malicious is growing. In 2019, a major American bank made headlines when it accidentally exposed over 800 million private data records, including driving license details and bank statements.
Another myth that needs to be invalidated is the idea that it takes powerful supercomputers and the latest technology to cause significant damage. The reality is much simpler: crime is already offered "as a service". According to Forbes, paralyzing an internet-based asset for an hour on the darknet only costs USD 165, while you can obtain a valid credit card number linked to an account with at least USD 10,000 for as little as USD 25.
The rapid development of criminal cyberattacks with ever more complex and precise forms of intrusion poses a challenge for protective measures to keep pace. While brute-force attacks are still common, ransomware continues to grow and social engineering is becoming more sophisticated. Advanced persistent threats (APTs) are used to secretly collect private data over a longer period of time.
Once an attacker has found an easy victim, it is quite possible that they will look for further vulnerabilities. It is a well-known fact that it takes some time to make a weak infrastructure secure. However, even rudimentary cybersecurity measures can significantly reduce the potential extent of damage and the consequences of a successful attack.
Dealing with Vulnerabilities
According to market researchers, the annual damage caused by cyber criminals worldwide will rise to 23.82 trillion US dollars by 2027.
Source: Statista
In this context, it's important to know how weak points are currently handled. During the development of a network component, they can be recognized at an early stage with static tests or peer reviews. Automated tests are used to check the system's resistance to common attacks. Intrusion tests are also common practice, in which a third party attempts to systematically and exploratively circumvent the defense measures. Should a vulnerability be discovered in a new product, the manufacturer can fix it immediately. If the product is already on the market, the person carrying out the test usually notifies the manufacturer and gives them time to create a patch before publicizing the problem via groups such as MITRE. Although such responsible disclosure is not required by law, it is standard practice in the security industry.
Not only are vulnerabilities publicly available, there are even free search engines that can be used to look for network equipment based on vulnerabilities. This means that weak points in devices and software are known to the public. It is crucial to identify which ones need a firmware update and to execute it in a timely manner.
Protection Mechanisms
One common shield against online threats is encryption. It prevents information from being intercepted during the communication between two nodes. For example, a Wi-Fi connection can be tapped, but if it uses WPA encryption, the transmitted content cannot be deciphered. Communication via open networks, e.g. in hotels or airports, must be encrypted to maintain confidentiality. However, even if the communication is private, e.g. between employees working from home, all intermediate networks that make up the internet must be considered a threat.
Another application of encryption is digital signatures. In contrast to symmetric encryption, which uses the same key for encryption and decryption, asymmetric methods use a pair of different keys. This means that a message can be encrypted with the secret key, and anyone who decrypts it with the publicly available key can read its content. In addition, the recipient knows that the document originates from the owner of the secret key, as the document bears a signature. In this way, digital certificate authorities (CAs) can issue entities with certificates that certify the authenticity of that entity. This is the case, for example, with websites that use HTTPS. If a website's certificate is invalid, it cannot be decrypted with the CA's public key. In this situation, the browser cannot verify the identity of the website and doesn't display it, because the website could be an imitation of the original or a malicious intermediary between the user and the original website.
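As an added example (not code from the Moxa article), the certificate check just described, written in Go with its standard library: a constructed root CA certifies a website's public key with the CA's secret key, and BrowserCheck verifies that certificate with the CA's public key and the expected hostname, rejecting a certificate from an impostor CA with the same name or for a different host. The names NewCA, Issue, BrowserCheck and the host plant.example are assumptions for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// template fills in the certificate fields; isCA marks a certificate authority.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if !isCA {
		t.DNSNames = []string{name} // the hostname a browser will compare against
	}
	return t
}
// sign lets the holder of issuerKey certify pub; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, issuerKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // the DER we just produced is well-formed
	return cert
}
// NewCA creates a constructed root CA whose certificate is signed with its own secret key.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := template(name, true)
	return sign(t, t, pub, priv), priv
}
// Issue has the CA certify a website's public key with the CA's secret key.
func Issue(ca *x509.Certificate, caKey ed25519.PrivateKey, host string) *x509.Certificate {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	return sign(template(host, false), ca, pub, caKey)
}
// BrowserCheck mimics a browser on HTTPS: verify the chain with the CA's public key it trusts and check the name.
func BrowserCheck(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

A genuine certificate verifies with a nil error; the impostor's certificate fails with an unknown-authority error because the trusted CA's public key does not match the signature, which is exactly why the browser refuses to display such a site.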
Security at Network Topology Level
There are further measures that make network topologies resistant to cyberattacks. In the OT sector, air gapping is frequently found. The internal network and the globally networked outside world are separated. Nevertheless, air gapping is no longer considered sufficient because many potentially dangerous actors are located internally. If no physical access control is used in conjunction with air gapping - i.e. control over who can enter the building - anyone can join the network via a USB stick or the Wi-Fi. And do the network engineers have a list of all the computers that have activated Bluetooth? Most of them do not. This means the network is open and connected.
The expression "castle with moat" uses a medieval metaphor to describe a network with extremely robust perimeter security. It is based on the assumption that the outside world is hostile, while the inside is secure. Unfortunately, this model is no longer up to date. Since the COVID pandemic at the latest, many people have been using VPNs to work from home. This blurs the "secure perimeter": Does it include the home network? Is that secure?
A more advanced design is "defense in depth", built on a multi-layer principle: each layer is more secure than the one outside it, with the most important operations and data, which must not be compromised under any circumstances, in the middle. The "defense in depth" method is the foundation of the Purdue model, which is also recommended in EU cybersecurity guidelines.
One modern architecture is SASE (Secure Access Service Edge). Here, all security functions, including authentication and authorization, are not located in a central system, but at the edge of the network.