Industrial 4.0 and IT & OT Security.

Pierre Nanterme - CEO of Accenture has rightly said during World Economic Forum in Davos in 2016 on the Forth Industrial revolution that Digital is the main reason just over half of the companies on the Fortune 500 have disappeared since the year 2000.

Business today may it be Government, Mining, Energy, Oil & Gas or Public Utility, Manufacturing, Telecom, Retail, Banking, Healthcare, Insurance, Hitech, Pharma or travel are affected by security threats. Digital in opening the new markets, platform and better efficiency but the cyber threat looms large on business. How do we protect? Well to start with Cyber Security is constantly moving target and we need adapt. Primarily the threat can be segregated into IT threats and OT threats. With Industry 4.0 the fine line between IT and OT is further diminishing.

IT or Information Technology threat is primarily to do with the threats to Personal computer, Laptops, Server, Network Device, Data Centre, Mobile, Communication, Cloud security, Enterprise Resource Planning, (ERP) Application Security and Governance Risk and Compliance.

OT or Operation Technology threats are to do with the Internet of Things, Communication like Bluetooth, WIFI, Near Field communication, Machines, Pigs, Secure Industrial Control System (ICS), Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control System (DCS) Programmable Logic Controllers (PLC), Industrial Automation and Control Systems (IACS), Printers, Sensors, Electronic Control Unit (ECU) etc.

Some high-level steps that can be taken are to have an IT and OT Security Policy and make sure there are awareness and training about them and the awareness group should not just include employees but also the supplier, partner, distributor etc in the ecosystem. Have right tools like End Point protection, Email and Web protection, IPS & IDS, NAC along with Firewall in place, for insider threat and access control an Identity and Access management tool, Privilege assess management along with multifactor authentication and a password generation tool and for cloud CASB. In case of Critical Infrastructure, Banks, Government, Public sector and Energy Oil and Gas sector it is advisable to have an Advance threat protection and an endpoint detection and response as these are sectors prone to targeted state-level attacks.

For Operational Technology it is advised that a monitoring tool is deployed at the PLC – Programmable logical controller layer to monitor the threats to OT assets or any change in the configuration that can lead to accident, monitoring of compliance along with any device that is connected to the OT network which is not meant to be connected. Hence the Network discovery and assets management play a crucial role, it is critical to identify if all patches are up to date and there are trusted software and hardware in the network. The security threat needs to be monitored with Intrusion detection and prevention from HMI – Human Machine interface to OT or from OT to the IT network. Man in the middle attack and DDOS attack etc.

Behavior analytics and anomaly is an essential element for both IT and OT security.
Once the IT and OT network are appropriately secured one should target to set up a security operating centre and collect the IT logs in form of Event Per Sec – EPS and OT logs as Packet per Sec – PPS and monitor the threat and monitor them through the SIEM tool while integrating it to their call ticketing system and possibly with Artificial intelligence and SOC Orchestration.

Conclusion:
I have mentioned the high-level summary of steps that can be taken to secure your network and uphold the CIA – Confidentially, Availability and Integrity of your network. Other things that can be done as a Hygiene factor are to do a secure transaction with updated digital certificates both for IT & OT. The communication, especially via wireless LAN, needs to be secured and any communication which is critical, confidential, to the cloud or outside the network needs to be encrypted including email, messages, and documents. It's very vital that a standard operating procedure is put in place for any software installation or patch updates.

My message for companies that think they haven’t been attacked is: “You’re not looking hard enough”.

Cyber Security and Privacy in the Digital Age - 10 Threats and 10 Solutions.

Charles Darwin the famous English Naturalist and Geologist has said that

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change”

The digital age had uplifted human efficiency to a new level which has not been at any point in history. The digital age has provided real-time data which helps individuals and business, this data is at high velocity, varsity, and volume. At the same time data is getting originated by the internet of things, Mobile, tablets, Personal computer, laptops, servers. Along with the great benefits that come with digital there is also need for caution to protect personal data.

I am going to highlight 10 every day threat we face to our security and privacy and 10 Solutions.

Our Security and Privacy is threatened in the following Ten ways:

1.      Virus, Malware, and Ransomware in PC and computers.

2.      Outbound Spam emails.

3.      Mobile devices

3.1.   Mobile devices used in public unsecured network.

3.2.   Connecting Mobile device for power in public places using a data cable.

4.      Man, in middle attack like:

4.1.   Session Hijacking.

4.2.   SQL Injection.

5.      Sharing sensitive data over the phone.

6.     Sharing password, brute force attacks or being uncareful with a password like writing the password at the place where everyone can see or using a weak password.

7.   Social Engineering: Social media contacts with fake accounts or compromised social media accounts or bots.

8.      Identity Theft: Email or social media identity theft.

9.      Insider threat: the threat from disgruntled employees.

10.  Trusted software: We use many software and hardware, we need to be careful with corrupted or software with bugs in them which can affect data privacy.

The Ten Solutions are as follows:

1.      Use an appropriate antivirus software.

2.      Never use auto selected public network on your smart phone but instead manually choose a public network.

3.      Try to connect to a  public network on a WAP2 network protocol.

4.      Never transfer critical or confidential data in public network, especially banking information

5.      Always opt for an https rather than HTTP, this means is encrypted to help mitigate session hijacking to an extent. Hypertext Transfer Protocol (HTTP) for secure communication over a computer network and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL).

6.      Never share confidential information on Social media.

7.      Always use trusted software or hardware provided by the trusted source.

8.      Always download and use the trusted application on mobile phones.

9.      Configure you WIFI device on WAP2 protocol and have a strong password.

10.   Use a strong password for your social media or email accounts and be careful with your password, do not share or do not write your password on sticker note. If possible use anti-glare screen.

Baton Gellman the American Journalist and best-selling author has said 

‘Privacy and encryption work, but it's too easy to make a mistake that exposes you.’

Digital Certificates

Digital Certificates

We do most of our transaction digitally right from our Banking transaction to our Mobile eCommerce transaction, or IOT based transaction etc., hence to do a secure digital transaction we use the digital certificate. Digital Certificate is a certificate issued by a Certification Authority validating the individual or organisation. The Certificates validates that a website or mobile transaction platform is trusted and safe.

Some of the important things to look out are:

-  Who issued the certificate?

-  Who the certificate is issued to.

-  Valid to

-  Public Key 

-  Digital Signature.

Certificate are used for identification and encryption which grants the right to access information or other services online. It includes ensuring the identity of all parties involved. They include public key that is used of encryption of data like email document, secure web transaction etc.

Public Key Infrastructure (PKI): As mentioned above PKI is also known as trusted hierarchy, public key infrastructure is a system of Digital certificates, Certification Authorities (CA’s) and other registration authorities (RA’s) used to verify and .authenticate the validity of parties involved in an internet transaction.

Digital Signature: A Digital Signature is based on asymmetric cryptography. Digital Signature has a Hash function which represents the digital signature which is mathematical value for that certificate. It’s a one-way process using a private key to generate a digital signature, the same can be checked by using a public key for Decryption which again is a mathematical value and outcome should be the original Hash value which would ascertain that the certificate is not altered or damaged. If the hash value is not correct, it would mean that the certificate is corrupt or is tampered with. 

A private key is paired with the Public key; however, the private key is stored separately.

A certificate includes the certificate holder's public key, information about individual, computer, or organisation to which the certificate is issued, information about certification authority (CA), the date of issue and expiry of certificate and the serial number of certificate.

Certification Authority: Certificate is essentially a file with data in it. Hence the trust model work in certification to validate the data and Certification Authority role is important. The Certification Authority does the checks before issuing the certificate and that it’s trusted. The Certification authorities certify and create an electronic document that is a Digital certificate that verifies individuals and organization are who they say they are. Hence is also important that Certification Authority is also a Trusted Source. The organization can have an additional level of certification authority normally followed is Root SA and child SA trust model. 

A CA essentially is a hierarchical system composed of software, hardware, procedures, policies and administrators who validate the request and generates certificates. 

Now with sources of the transaction happening over Mobile & IOT apart from Web Digital Certificate has high importance for security while we do digital transactions.

Hardware Security Architecture.

Hardware Security Architecture.

Hardware security is an important aspect, firstly any one who is using machine today is getting some form of protection from hardware, secondly there are more security oriented properties that are coming in new chips in market in couple of years, and thirdly there are important properties that can only be build on hardware and software can build on those.

Machines today are connected and vulnerable to cyber threat. The type of threats we have are Memory corruption, data disclosure, code injection, control flow diversion, return oriented programming. The types of method attacker today can use are Type – Instruction, data, pointer, Extent – Base, Bounds and Ownership – component, access right. Architecture grantees that every thing would be right.

A lot of security issue we face today is because of the hardware security Architecture issues. Originally Multics was a machine designed for security, however machines that we have today security is an after thought. Multics was originally a project between MIT, which was designing things, General electric who was making hardware and Bell labs who was the user. However bell labs got little nervous and wanted some thing that work then and they designed a much simpler system on a less expensive piece of hardware and the system was called Unix, which was a trimmed down, lesser feature output of Multics. Unix was later widely used and is the predecessor of Linux and variety of system we used today.

In this transition what we lost was the idea of segmentation, we lost the idea of rings. What it carried forward was some ideas from Multics, ideas of permission and level of privileges, which in most machines that's just at the kernels as against user made distinction in Multics. Multics was programmed in a higher level language called PL/1, whereas Unix moved to a very low-level language called C, which is also the reason of lot of problem we face today.

Multics had some very important, very high leverage usage particularly in defense system. It work on fundamental three principles, first of these is of complete mediation, Secondly, separate privileges, and thirds principle is of least privileges. The fundamental principle was to do its job most of the time the Kernel does not need to read your data, segmentation at memory and use of access control rings.

Multics was much earlier a project in MIT, the idea of which was to develop a computer utility which could share its very expensive resources and people could access these resources. And the next leap today, which is now taking forward Multics is Cloud computing a network computing of all different kind of client server architecture.

The other things thats happening is at processor level it can make sure that only high users can access high data and thing that’s coming now is is fat pointer which means that every pointer to the memory is bounded above and below which bounds of the object which the pointer is pointing into and Intel has a feature MPX which helps enforce this property.

GDPR Summit London 2017

I today attended GDPR Summit 2017 in London, I am intrigued by GDPR as it gives power and rights to common citizens and many countries are following the same. As one of the speakers put it IT  has  led societies transformation and evolution however it has to now be balanced or normalized with other aspects of life. GDPR is primarily meant for the good of the citizen, and the society, the purpose of GDPR is to make sure that companies use personal information with the consent of individual which can be their employees (current, past or people they might have interviewed), suppliers and customers. The Individual would have the right to take back their consent as and when required and their data would be deleted from company’s system. 

The deterrent for GDPR non-compliance is not just the 4% or 20 million Euro fine but also the fact that the companies can also be barred by the regulator from processing data temporarily or even permanently. The positive side is making Data ethics a competitive advantage.

The stake holders in organisation GDPR implementation are Legal, Human Resource, Information Technology and Marketing. DPIA – Data privacy impact assessment under article 35 of GDPR is another aspect. High-risk processing activity under article 35(7)a of GDPR processing is an important factor. Employee consultation and survey for the customer is recommended. Also in case of cloud computing the responsibility would be with the controller. Some of the addition to Article 30 include article 7, article 15-19, article 20, article 32, article 44 – 46.

Data Privacy Officer is the mandatory position for all companies, and privacy officer and Data privacy officer is two different roles. Data Privacy officer can also be a part-time role. Another aspect was right to be forgotten, and the fact that ERP does not delete the data but red flags it and the data do not pop up in the system but resides in the system is understood. Hence analyzation and tokenization of data are recommended. In tokenization audit, trail and Login function match should be conducted analyzed and blocked.

Another aspect of data privacy came out on Application security and IoT – Internet of things. While Application security primarily included session hijacking, phishing, etc., IoT can also lead to a possible source of infiltrating into the network and accessing the data. Hence Application level and IoT security are an important aspect. Security monitoring is another key aspect function of data privacy. Cloud is another area where need for security  was  emphasized. While Ben Westwood - Data protection Officer of  eBay explained the complexity involved in data privacy management for an eCommerce company.

Marketing is further another function that gets impacted by GDPR, email campaign, cookies tracking, search engine optimisation can no longer be conducted without the consent of the customer, and customer consent form should be simplified for the understanding of an ordinary computer or smart phone user. It was also acknowledged that the Personal data of non-corporate users is almost around 80% of the data under GDPR which is processed by companies, while 20% is the employee data and hence solutions need to be planned and designed basis same. 

It was acknowledged that countries like India, Singapore, Hong Kong have also adapted data privacy apart from Europe. Countries like South Africa have their own data privacy law POPI.

The IT adaptation in every individual life has penetrated to a large extent, in fact, it has impacted the way we live our lives and conduct our business, and this has rapidly involved in past 15  to 20 years and needs some form of governance hence idea to bring principles and ethics into the equation. The intent and heart to introduce GDPR is in the right place and companies would need to live with this new reality and comply. However to over seeing GDPR regulation would require highly intellectual indivituals with high integrity and conviction as there is possibility of alternative narrative been given and they would have to distinguish between narrative in interest of people and society against vested interested.

Security Operations Centre (SOC)

Security Operations Center:

A Security operations center (SOC) is that facility or multiple facilities of an organization or an organization’s service provider having qualified people using string set of technology solution and a strong set of process. The operation conducted by a SOC is of continuous monitoring, analyzing and responding to security posture and the threat to an organization.

The Three tenant of a Security Operating Center are People, Process and System. The harmonic synchronization of the three provides the organization with Visibility, Analysis, and Action.

- People: Includes trained people with certification, knowledge and vendor specific experience and skills.

- Process: Includes preparation, analysis, recovery, identification, containment, learning and knowledge retentions & transfer.

- System: Includes the End Point Protection, Perimeter Security, Data Center Security, Forensics and Incident Detection Management.

This allows for Data Aggregation, Data Analysis and 360 degree real time dashboard for the organization to detect, prevent and respond to any threat at the same time to do Forensics.

https://youtu.be/uj8PuaXyygU

The SOC operation typically can be broken up into Monitoring, Analyzing and Responding to Insider threat and that too of outsider threat.

-    The insider threat would typically be from employees or value chain partner like supplier and buyers. And organization would want the SOC to monitor Identity & Access Manager (IAM), Privileged Access Manager (PAM), Active Directory, Data Leakage Prevention(DLP), Compliance tools, etc.

-    The Outsider Threat is monitoring of Network Security – Firewall, Network IPS, Network Security Appliance for Email, The Web, etc., End Point Security, Data Center Security, NAC, Network Access Control.

A typical SOC would have some form of SIEM – Security Incident Event Monitoring and a Log collector to collect log from various security tools at various sites and some for security intelligence.

However, the security landscape has changed SIEM alone is no more as effective since the security and digital landscape has evolved. The threat landscape now also includes Social Engineering, Mobile devices & BYOD – Bring your own device has new challenges and threat thrown at the organization for application and content security. IoT – Internet of things present new form of security challenges, Industrial Security & Physical Security are as important as IT- Information technology security. And cloud migration brings new form of security integration challenges at least in short term. There is a lot happening outside the organization echo system in their industry and deep dark web which can affect the organization, its IT & Industrial asset, intellectual property and bring down their operation.

An organization should look at the tool and solution that address these new challenges to security in their Security Operating Center. All this requires to look into various facets of security, and this would involve data monitoring inside and outside of organization which is structured and unstructured at the same time would be in high volumes, varsity, and velocity hence organization or their service provider would need Artificial Intelligence (AI) to help them.

Future looking SOC would not just monitor IT, but also OT  (Operational Technology /Industrial) asset should have various advance treat analytics solution embedded along with threat intelligence, Integrated real-time dash board along with Forensic capabilities to allows access to the SOC provider customer in case organization use a third party SOC. Most importantly the SOC should be global and be having redundancy. It is imminent that Artificial intelligence is plugged to the SOC and the organization ties up with the external academics research center to get updates on research being carried out in the Security landscape.

Operating System Security

Security is a negative goal, and an attacker can break the system by many ways like permissions, disk locks, reuse memory, backup, steal disk, attackers grades.txt. The goals of Policy goals of an organization are Information Security and Liveness, which are as follows:

Information security goals include: Privacy- Limit who can read the data & Integrity: limit who can write the data.

Liveness Goals are: Availability- which is to ensure services are operational.

Operating system Security (OS Security) is the process of ensuring OS integrity, confidentiality, and availability. OS security refers to specific steps used to protect the OS from threat, viruses, malware or remote hacker intrusions.

Risk model of assumption: Threat modeling is a process by which potential risk can be identified, enumerated and prioritized from a possible attackers point of view. An adversary can be inside the organization or can be outside the organization. The adversary can be a hardware vendor, software vendor, administrator, employee or competitor, enemy state etc someone outside the network.

The threat model in this case are:

-   Adversary control some computers or network.

-   Adversary controls some software on computers.

-   The adversary is privy to some information such as password or keys.

-   Social engineering attacks.

- Adversary trying to hack or attack the network or system from outside.

Guard model of Security:

Typically in a client-server architecture, we would have some resource (data) on a server which would be accessed by the client. In guard model, the server would consult a guard for all access control decision. Hence this model follows complete mediation as the only way to access the resources which are via the guard.

The design of the guard model is on two basic principles which are Authentication and Authorisation, and this simplifies security.

The model works on following principles.

1.   Complete mediation: All resources are accessed only via the guard.

2.   Policy and Mechanism: High level concise and clear policy and well lined up security mechanism.

3.   The interaction between layers and components.

4.   Taking into cognizance social engineering and phishing attacks.

The challenges with model are:

1.   Complete mediation is challenging: Backdoor access also needs to checked.

2.   Software bugs in mediation.

3.   The disparity between Policy and Mechanism.

4.   Difficulty in enforcing policy and getting the desired outcome.

The Guard model does not provide full prove solution to all security challenges, another option we have is the separation of privilege. We can split the system into modules and give each module the least privilege to do its job.

1.   Use multiple physical machines. Separate machines for database and websites.

2.   Use of virtual machine to split.

3.   Application to be split in components.

Challenges in the Privilege separation

1.   The need for modules to share.

2.   Performance.

3.   The configuration of privileges.

4.   Reduce trusted software.

Trust computing base (TCB)

TCB is the set of hardware, firmware or software components, which are critical to its security systems. The bugs or vulnerability might affect the security property of the entire system. The principle is that all software that must be trusted to achieve security. The another theory is that less software would lead to fewer bugs and this would eventually lead to fewer exploits.

Challenges in TCB:

1.   Undermining of privilege separation.

2.   New and undiscovered class of bugs.

3.   Many bugs.

We also face security challenges due to Program, Compilers, and codes. We would need to take measures like disabling certain optimization, use bugs finding tools, look out for undefined behavior.