CS1907

More documents

Recommendations

Info

industrial cyber security supply chain, as it is a more general problem about our outdated security mindset. "For years, we've thought that, if we only build perimeter walls that are strong enough, we'll be safe. Then again, 12-foot concrete barriers don't count for much, if they come with an unlocked door. Considering the herculean task of trying to police every device, let alone components within that device, organisations are thinking about defence in new ways. Zero Trust architecture is just one of them." Knocking down the tired inside/outside dichotomy of traditional network security, Zero Trust does not automatically trust any device, system or user, states Gordon. "Any that want to gain access must be verified according to the resource they want to use or communicate with, leveraging factors like user and location to authenticate. Instead of one wall around the city, Zero Trust builds walls - and, perhaps more importantly, watchtowers - around each Nigel Stanley, TUV Rheinland: to build cybersecurity into the supply chain, it needs to be written into contracts with suppliers. constituent building, further complicating an attacker's job, providing visibility and preventing the lateral movement that is so critical in the cyber kill chain." This matters more when we realise how the perimeter is changing, he continues. "New ways of working, such as BYoD [Bring Your own Device] are making the perimeter line on which older generations of security depended less and less clear. We can no longer say that a network perimeter ends at the office door, so it makes sense to employ strategies which accommodate these new realities." Moreover, he points out, we are just now getting regulations that will force security into the design stage for many of these devices. "The UK government, for example, will finally make its 2018 IoT guidelines mandatory. While commendable, they won't necessarily secure those supply chains entirely and the insecure components that are already floating around the IIoT will continue to pose threats. It will never be good enough to have insecure components within a device; but it's almost impossible to make sure of. Trying to wish away that reality is another version of the security wall fallacy: 'If I can stop it from getting into my environment, I'll be safe'." For the moment, IIoT users simply have to accept that there will always be a risk with these devices and start thinking about how they're going to respond, once that insecure component is already in their environment. "Until IoT users can rely on these complex supply chains, "enterprises can look to concepts like Zero Trust to tackle these unfortunate realities within the supply chain, " Gordon concludes. SECURITY MYTH The number of cybersecurity- related incidents in industrial control networks has risen in every region in recent years, and there have been well publicised reports of sophisticated malware and threat actors disrupting safety instrumented control systems. On the back of this, says Nigel Stanley, CTO - Global OT and Industrial Cyber Security CoE at TÜV Rheinland Group, organisations operating industrial facilities have a responsibility to "monitor, detect and mitigate cybersecurity attacks in order to maintain the safety, integrity and availability of their site which, if compromised, may have a severe and detrimental impact on society". HOW SAFE IS ‘SAFE’? But this is no straightforward task, he concedes, given that safety-critical systems can contain thousands of hardware components and millions of lines of software code. "When it comes to securing individual components, there is no such thing as absolute security. In terms of cybersecurity, products cannot be proven to be secure, or measured against an industry accepted Safety Integrity Level (SIL). Therefore, if a manufacturer claims their product is 'cybersecure', this should be taken with a large pinch of salt. "To satisfy cybersecurity concerns, the most astute manufacturers or operators tend to seek security assurance - for example, three levels down their supply chain. While a good idea on paper, in reality this is a complex and time-consuming process for all parties. A detailed questionnaire can confirm whether suppliers are compliant with cybersecurity guidelines, but this is never the full picture." To really build cybersecurity into the supply chain, it needs to be written into contracts with suppliers, states Stanley. "Obliging software code or a piece of hardware to undergo official certification against an accepted standard - such as IEC 62443 - can be helpful. However, this still doesn't guarantee that a product is secure; just that it has met the requirements of a particular standard at a particular time." 32 computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk
endpoint detection and response GETTING TO GRIPS WITH ENDPOINT DETECTION AND RESPONSE KEITH MASKELL, HEAD OF CYBERSECURITY, TITAN DATA SOLUTIONS, TAKES A CLOSE-UP LOOK AT WHAT HE SEES AS AN IMPORTANT NEW CONCEPT IN DISTRIBUTION - EDR AND PACKAGED SOC SERVICES As companies of all sizes come to grips with the responsibilities defined by GDPR, as well as the everworsening threat landscape in IT security, the conversation inevitably moves to 'EDR' - endpoint detection and response. No longer can antivirus protection be considered a sufficient solution on the endpoint - on workstations, servers, mobile devices. When a company realises it is time to be able to detect the IT security breaches which may happen at any time, regardless of the layers of defence implemented, then it is time for them to consider an EDR solution. For very many companies, of many different sizes, that time is right now. But the world of EDR is not simple to get to grips with. At the heart of the problem is the fact that EDR is often dealing with complicated technical situations which may be the work of very capable individuals who have possibly, so far, outwitted the network and endpoint defences that were put in place. An EDR solution typically gathers large amount of highly detailed event data from the monitored endpoints and uses analytic processes to extract combinations of events that, when taken together, are suspicious. Then the race is on, to determine whether this particular alert is really an attack, or perhaps else a 'false-positive'. No-one wants to be responsible for shutting down services or raising alarms, which may cause the business substantial cost, based on a false-positive alarm. ISSUES IN EDR MONITORING So, there are two tough requirements for EDR monitoring: firstly, having the right technical expertise available at the right time, to make the right decision based on the EDR alert, and secondly, having people with the courage to take responsibility for making the decision, within a suitable work process framework. Especially taking into account that this cover has to be on a 24/7/365 basis to be effective, this challenge is one step too far for the vast majority of companies to solve in-house. If these problems are not truly solved, then EDR is relegated from being a monitored alarm system that can help see off attacks, possibly before any real damage is done, to being a forensics tool that can help analyse what happened weeks or months ago, when an attack took place that was missed at the time. This is the difference between stopping the burglar before he can open the office safe and arriving after the event to take fingerprints. One potential solution is the use of managed services of an external, independent 'SOC' - security operations centre. Experts at the SOC can monitor your EDR system and alert you when potential breaches are detected. This may solve the monitoring problem, but there are three questions: how do you select the SOC, is it too expensive, and how do you manage incident response activity when an alert is received? www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security 33
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment NATION IN TRANSFORMATION In
Page 5 and 6: p ent est INFORMATION SECURITY ASSU
Page 7 and 8: editor's focus from the public and
Page 9 and 10: True multi-factor authentication wi
Page 11 and 12: GDPR fine is preliminary," states A
Page 13 and 14: case study "Equally, it does not he
Page 15 and 16: product review WEBROOT BUSINESS END
Page 17 and 18: financial focus an online banking u
Page 19 and 20: inside track EDUCATION, EDUCATION,
Page 21 and 22: Webroot empowers businesses with pr
Page 23 and 24: threat intelligence have seen an im
Page 25 and 26: 12th edition of the most recognized
Page 27 and 28: cyber espionage a "sobering story"
Page 29 and 30: CYBER SECURITY europe 9-10 October
Page 31: industrial cyber security MULTIPLE
Page 36: Brookcourt Solutions (A Shearwater

CS1907

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?