The ART of Cyberwar


THE ART OF CYBERWAR

Unleash your cyberwar strategy

Unleash your knowledge: Common forms of attacks
Unleash your weapons: Designing a secured cyber environment
Unleash your allies: Leveraging the ecosystem

SAMIR BAGGA
CHIEF MARKETING OFFICER
L&T TECHNOLOGY SERVICES
THE ART OF CYBERWAR: The History of the War between Operation and Disruption

THE HISTORY OF THE WAR BETWEEN OPERATION AND DISRUPTION

Cybersecurity at the Core of Operation

Although the purview of cybersecurity has evolved over the years, its core definition and function remains to protect programs, processes, networks, and systems from cyber miscreants. However, organizations must view cybersecurity not just as a process but also as a science. It must involve assessing the system from all possible angles and then designing an approach that ensures foolproof cybersecurity.

With time, the ways and means of securing the network and devices have evolved, and so have the cyberattack patterns. Crude and sophisticated targeting attempts continue to try to breach the walls of enterprise security. They exploit potential threat vectors present in the overall connected enterprise ecosystem that is poised to expand going forward. Research reveals that by 2025, there are expected to be 41.6 Bn connected devices generating 79.4 zettabytes of data, and by 2024, the Internet of Things (IoT) technology and services market is expected to grow to USD 460 billion from USD 177 billion in 2019. Multiple industry verticals, such as transport, manufacturing, and energy, are leading this adoption to leverage the growth potential offered by IoT.

[Figure: IoT Technology and Services Market Growth, 2019 (USD 117 billion) to 2024 (USD 460 billion), CAGR ~21%; in 2025, 41.6 billion connected devices and 79.4 zettabytes of data]

Page 6

1988: Robert Tappan Morris and the Morris worm
The first-ever malware attack in history. It cost about USD 10-100 million in damages.

2000: Mafia Boy DDoS attack
Attack on eCommerce websites, including Yahoo, CNN, Amazon, and eBay, resulting in USD 1.2 billion in damage.

2002: Internet attacked
Distributed Denial-of-Service (DDoS) attack on all 13 domain name system (DNS) root servers located in the US.

2008: Hacker targets Scientology
A DDoS attack against the Church of Scientology website that lasted several days.

2009: Google China headquarters hit by cyberattack
Intruders accessed many corporate servers and stole files containing Google’s intellectual property.

2011: Government agencies infiltrated
The Department of Defense (DoD), Pentagon, NSA, NASA, US Military, Department of the Navy, Space and Naval Warfare Systems Command, and other UK and US government websites breached.

2012: Foxconn hacked
Released email and server logins and bank account credentials of some large companies like Apple and Microsoft.

2013: Target targeted
40 million users’ credit and debit card numbers and personal details breached, resulting in a loss of USD 162 million.


STEPPING INTO THE CYBER BATTLEFIELD

Building Bases: Digitalization

Changing business needs and user preferences are pushing organizations to reinvent their products and processes to remain competitive. Unconventional times call for unconventional shifts in business operations. In this new normal, what enterprises need is the ability to do more with less, deliver services remotely through data and cloud platforms, reduce delivery timelines, and increase efficiency. However, remote access to enterprise networks has thrown open a plethora of security challenges for companies.

The four key priorities for enterprises are:
• Leveraging data for decision-making
• Product innovation
• Operational excellence
• Sustainable growth

All these priorities have one thing in common: they drive enterprises towards digitalization. By implementing digitally connected solutions and leveraging analytics, businesses want to capture more data to understand their customers, build better products, improve their operations, deliver customer experience, facilitate decision-making, and ease the regulatory reporting requirements.

“The use of increased technology or automation adds more complexity, which, in turn, increases exposure to cyber threats.”
Frederic Thomas, CTO, Kudelski IoT

“There has to be a balance between security and functionality.”
Dr. Eric Cole, World-Renowned Cybersecurity Expert


Securing Boundaries: Cybersecurity

It comes as no surprise that digitalization has increased enterprise exposure to cyber threats. While attacks such as ransomware have increased substantially, there are also targeted malware attacks on OT systems endangering physical assets.

In the last few years, cyberattacks have become more intense across industry verticals, including previously untouched domains such as energy, healthcare, automotive, etc. The lack of process standardization and security awareness exacerbates this problem.

Hackers are getting more innovative every day and raising the security stakes and damage potential with each attack. To deal with this, businesses need to focus on building a robust security strategy that is central to the organization and start using next-gen technology solutions empowered by machine learning and artificial intelligence such as user behavior analytics (UBA), AI-based packet analysis, Advanced Threat Detection Systems, etc. These next-gen technology solutions can aid businesses in shifting their cybersecurity stance from reactive to agile. To counter the growing threats, businesses need to proactively embrace cybersecurity “best practices” while designing, developing, and implementing digitalization of their operations or products.

With increasing digital adoption, the purview of security parameters now goes beyond IT and encompasses product and operational technologies. A strategic focus on delivering superior products at low cost is leading enterprises to focus on OT and product digitalization. This has led to more penetration routes for cyberattacks, with the latest threats emerging in areas such as product and OT security. It is thus imperative for enterprises to be aware of the various vulnerabilities that exist in OT and product systems.

“Cybersecurity awareness is the first step towards creating a secure organization. Awareness is what drives the change in the behavior of how people operate.”
Max B. Wandera, Director, Product Security COE, Eaton


KNOW YOUR WEAKNESS: COMMON VULNERABILITIES

Network Systems and Devices

Malware can infect systems, including web or mobile applications, embedded devices, and even cloud configuration, to block or restrict user access to products. Hackers covertly obtain and transmit proprietary information. This is more prevalent for organizations such as pharmaceutical firms and companies or departments heavily engaged in R&D services.

Weak Passwords

Cybercriminals often steal the login credentials of legitimate users and use them to gain system access, cause disruptions, install malware, or sniff information. Hackers can exploit vulnerabilities such as firmware dumping, hard-coded credentials, insecure encryption, or brute-forcing.

“The knowledge of technology, like anything else, can be used for both good and evil. If you look at it, doing any harm depends on the person’s intent. That’s why I think “Humans” are the biggest threat to cyber infrastructure.”
Ricardo Giorgi, Security Faculty and Infosec Expert, FIAP University


The Ps of Product Security

Product Technology: Digitalization of products, through the use of embedded systems, providing a front-end user interface and back-end infrastructure such as the cloud.

Product Security:
• Product hardware and software
• Securing data at rest and in transfer
• Web and mobile application
• Back-end security
• Cloud security

Embedded Device threats:
• Tampering
• Insecure encryption
• Storage security
• Man-in-the-middle threat
• Malware infection
• Denial-of-service attack
• Firmware dumping
• Hardcoded credentials
• Serial port exposure
• Authentication compromise

Web and Mobile Application threats:
• Cross-site scripting
• XML external entities
• Broken authentication
• Sensitive data exposure
• Insufficient logging and monitoring
• Security misconfigurations
• Insecure deserialization
• Broken access control
• Known vulnerabilities
• SQL injection

Cloud threats:
• Insecure API
• DDoS
• Unaccounted exploits
• Brute forcing
• Privileged user abuse
• Account hijacking
• Credential hijacking
• Request forgery
• Advanced persistent threat
• Malware or ransomware such as Spectre and Meltdown


KNOW YOUR ENEMY: COMMON FORMS OF ATTACKS

The usual targets in any cyberattack are an organization’s three pillars:
• Confidentiality
• Integrity
• Availability (service availability)

Hackers design attacks to exploit the following vulnerabilities that can facilitate entry into these three parameters:

User management: Owing to legacy hardware and protocols such as Modbus, device and user authentication is not very common in organizations.

User behaviour: In many cases, the intruders exist in the system, collecting confidential information, long before the attacks are noticed by an administrator.

Status quo: A significant proportion of cybersecurity efforts are spent on day-to-day tasks and compliance, weakening the business’ capability to stay agile on emerging threats.

Network: Industrial networks produce a large amount of data. Conventional network analysis may not be the best solution for such high-volume data and abstract activities.

Security response: Traditional threat-detection methods are often reactive to incoming threat analysis and are not able to anticipate common attacks.

“THE OPPORTUNITY OF DEFEATING THE ENEMY IS PROVIDED BY THE ENEMY HIMSELF.”
Sun Tzu, The Art of War


A THOUSAND CYBERBATTLES, A THOUSAND VICTORIES


INDUSTRY-SPECIFIC SECURITY BREACHES

A Thousand Cyberbattles

Manufacturing

With the gap between IT and OT blurring, the attack surface for hackers has increased. They can now exploit vulnerabilities in both systems in a manufacturing environment.

For a period of two years (2017 to 2019), WannaCry disrupted the manufacturing operations of multiple organizations, such as Nissan, Renault, Mondelez, Merck, Hexion, TSMC, and Hayward Tyler.

Energy and Utilities

Energy companies have seen the highest number of ICS-targeted malware attacks, such as BlackEnergy, Havex, Industroyer, and Triton. Boasting high infrastructure value, oil & gas companies are potential national security targets, while utility companies are targeted to bring down critical infrastructure availability in the area.

In 2017, Triton was used to attack a petrochemical plant of Tasnee to bomb the facility, but the attack was unsuccessful due to a code error. Triton malware was again encountered in 2019 when it aimed at disabling the ICS security features of an undisclosed energy company. The malware leveraged vulnerabilities in Triconex industrial safety technology.


Semiconductors

It is impossible to visualize day-to-day life without the use of electronic devices. The brain that controls these devices is built using the physical hardware of semiconductor chips. Chip technology has advanced rapidly and enables the rise of artificial intelligence, IoT, and autonomous systems. These advancements have also led hackers to seek vulnerable points and carry out cyberattacks against systems containing these chips. Hardware attacks also take advantage of the vulnerabilities in hardware-manufacturing supply chains.

Taiwan Semiconductor Manufacturing Company (TSMC) witnessed the biggest information security breach ever experienced in Taiwan. The WannaCry ransomware attack highlighted serious weak points existing in information security at production plants. It happened just as the manufacturing industry the world over is implementing the Fourth Industrial Revolution (Industry 4.0), which implies an increase in automation and data exchange.
Source: https://english.cw.com.tw/article/article.action?id=2194

Consumer Electronics

This sector is very attractive to cybercriminals because of two major factors: they create and run extremely complex networks and store a large amount of sensitive data to meet customers’ communication requirements.

More than 143 million malware targeted consumer smart devices in Q2 2020, mainly in the form of coronavirus-themed attacks.
Source: https://ciso.economictimes.indiatimes.com/news/143mn-windows-malware-hit-consumer-smart-devices-in-q2-report/77995908


A Thousand Victories

With the evolving cyberattacks, cybersecurity too is evolving at a rapid pace, and there is no slowing down. The number of data breaches continues to increase every year, and complete fortification is no longer realistic. New attack vectors continue to emerge each day.

“KNOW THY SELF, KNOW THY ENEMY. A THOUSAND BATTLES, A THOUSAND VICTORIES.”
Sun Tzu, The Art of War

1980 to 2000: From the beginning of the cyberbattles, government regulatory bodies and Computer Emergency Response Teams (CERTs) were established to deal with virus and malware attacks.

2001 to 2005: Antivirus companies started to take center stage in cybersecurity and were able to slow down known malware attacks. Yet, intruders used newer techniques such as phishing to spread viruses and malware.

2006 to 2015: By 2015, there were 0.5 new malware samples created every day. This was a threat level that antivirus companies couldn’t keep up with. Hence, sophisticated new systems that monitored network traffic anomalies and end-point threat detection became popular during this period. This era also saw the beginning of the use of creative new technologies like AI, Machine Learning (ML), and behavioural detection in threat detection and prevention.

2016 to 2019: While IT security was a long-followed process, growing exposure from industrial IoT led to an enhanced focus on new practices involving OT and product security.

DESIGNING YOUR INVINCIBLE DEFENSE: SECURE THE ENTERPRISE

Situational Awareness

Cybersecurity awareness is the first step towards securing your organization. It is the perception of environmental elements within a business environment applicable to all stakeholders, including employees, management, vendors, and others. Having situational awareness can lend much-needed information and understanding to facilitate better decision-making and help people and organizations protect assets in the cyber realm. There are four basic components of situational awareness.

Situational Awareness Components
• Knowing what should be
• Tracking what it is
• Identifying discrepancies between “should be” and “is”
• Acting on the discrepancies

“Awareness is the need of the day as it would help make informed decisions from a security perspective.”
Frederic Thomas, CTO, Kudelski IoT

The key motto of cybersecurity is:

“Prevention is ideal, but detection is a must.”
Dr. Eric Cole, World-Renowned Cybersecurity Expert


KNOW YOUR WEAPONS: DESIGN A SECURED CYBER ENVIRONMENT

Factoring in security at every layer, Product and OT, through every stage of the development lifecycle (design, implementation, deployment, and operation) of a product or system is the most effective way to foster a secured cyber environment.

Design for Security

Design is the most important phase for imbuing security in products or systems. Device manufacturers must consider security aspects right from the design phase: secured by design. Ask questions like, “What security features should be an inherent part of the product, and how can the level of security be evolved throughout the product lifecycle?”

Create a holistic approach by enabling a multi-layered security ecosystem with a rigorous review process, including code review, internal scanning, third-party penetration testing, and so on. Within this strategy, ensure you have alternative plans to manage any potential risks found, with steps to counter them.

Including experts at the beginning of the product design process ensures the inclusion of intrinsic security in the development process.

“Companies must stay in touch with their customers and stay true to their commitment to security. Commitment to security must be communicated upfront, delivered seamlessly, and upheld sincerely.”
John McClure, Vice President, Global Information Security, Laureate University


“Companies’ first priority must be to safeguard their manufacturing ecosystem from individual components to the entire plant coverage area, including the supply chain and third parties. Companies must follow zero-trust architecture while building their cyber defenses.”
Ricardo Giorgi, Security Faculty and Infosec Expert, FIAP University


BEST PRACTICES TO SECURE YOUR WAR FRONTS

According to Max B. Wandera, Director, Product Security COE, Eaton

• Inventory all connected hardware and software to know what is connected to your network.
• Collaborate with vendors and internal stakeholders to review roles and responsibilities and identify gaps in governance (for example, disaster recovery and incident response).
• Integrate cybersecurity into overall lifecycle maintenance: look for overlap in activities, skillsets, and competencies.
• Train staff on OT-specific cybersecurity considerations, including best practices and policies.
• Assess facility OT networks and assets to evaluate the attack surface and discover known vulnerabilities and weaknesses.


OT Security

Asset and Data Inventory

An OT system has a network of heterogeneous connected devices running different software. Therefore, it is crucial to constantly monitor the inventory of all devices, drivers, and information flows throughout the system. The asset inventory must be maintained regularly, and a security assessment must precede any additions.
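The asset-inventory practice above is the situational-awareness loop from the previous chapter made concrete: know what should be on the OT segment, track what actually is, find the discrepancies, and act on them. The script below is an added example, not code from this booklet or from LTTS. It compares a constructed baseline of approved devices against a constructed discovery result; every device name, address, firmware version and port is made up, and the severity levels and follow-up actions are the example's own choices.

```python
"""Asset-inventory discrepancy check: "what should be" versus "what is".

Added example (not code from the booklet or from LTTS). The baseline and
the discovery result are constructed; names, addresses, firmware versions
and ports are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    firmware: str
    services: frozenset  # TCP ports approved (baseline) or seen open (observed)


# "Knowing what should be": the approved inventory, keyed by address.
BASELINE = {
    "10.10.1.10": Asset("plc-line1", "10.10.1.10", "2.4.1", frozenset({502})),
    "10.10.1.11": Asset("hmi-line1", "10.10.1.11", "5.0.3", frozenset({443})),
    "10.10.1.20": Asset("historian", "10.10.1.20", "11.2", frozenset({443, 5432})),
}

# "Tracking what it is": the result of one passive discovery pass on the segment.
OBSERVED = {
    "10.10.1.10": Asset("plc-line1", "10.10.1.10", "2.4.1", frozenset({502, 80})),
    "10.10.1.11": Asset("hmi-line1", "10.10.1.11", "4.9.0", frozenset({443})),
    "10.10.1.42": Asset("unknown", "10.10.1.42", "?", frozenset({22, 502})),
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# "Acting on the discrepancies": one follow-up per kind of finding.
ACTIONS = {
    "unapproved": "isolate at the switch, identify the owner, run a security assessment before approval",
    "firmware": "check change records; re-approve or restore the approved firmware",
    "services": "confirm the service is required; close it or update the baseline",
    "missing": "confirm the device is offline for a known reason; otherwise investigate",
}


def find_discrepancies(baseline: dict, observed: dict) -> list:
    """Return (severity, ip, kind, detail) tuples, highest severity first."""
    findings = []
    for ip, seen in observed.items():
        expected = baseline.get(ip)
        if expected is None:
            findings.append(("high", ip, "unapproved",
                             f"device on OT segment with ports {sorted(seen.services)}"))
            continue
        if seen.firmware != expected.firmware:
            findings.append(("medium", ip, "firmware",
                             f"{seen.firmware} seen, {expected.firmware} approved"))
        extra = seen.services - expected.services
        if extra:
            findings.append(("medium", ip, "services", f"unexpected open ports {sorted(extra)}"))
    for ip in sorted(baseline.keys() - observed.keys()):
        findings.append(("low", ip, "missing", "approved device not seen in this pass"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def action_plan(findings: list) -> list:
    """Attach the follow-up action to each finding, keeping the severity order."""
    return [(sev, ip, kind, detail, ACTIONS[kind]) for sev, ip, kind, detail in findings]


if __name__ == "__main__":
    for sev, ip, kind, detail, action in action_plan(find_discrepancies(BASELINE, OBSERVED)):
        print(f"[{sev:6}] {ip:12} {kind:10} {detail} -> {action}")
```

Run as a script it prints four findings: the unknown host is ranked first, the firmware mismatch on the HMI and the extra port on the PLC follow, and the historian that did not answer comes last. The point of the structure is that the "should be" side is a maintained record, not whatever the last scan happened to see; a device is only promoted into BASELINE after the assessment the text calls for.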

Robust Network Architecture

The network design must incorporate a defense-in-depth architecture with network segmentation, industrial firewalls, secure zones, secure communication protocols, and secure remote access. For additional safety, use unidirectional gateways that mirror the ICS data onto IT networks.

Device Configuration

Configure devices on a secure network using the defined standards. Configuration must ensure identification and authentication control, data integrity and confidentiality, restriction on data flow, and response to attacks. Enable all embedded security features on the device before usage.


KNOW YOUR ALLIES: LEVERAGE THE ECOSYSTEM

Build Your Cybersecurity Ecosystem

Businesses are increasingly forging partnerships with cybersecurity companies, experts and start-ups, and universities to enhance their security capabilities. They are also exploring the acquisition of cybersecurity companies as a solution to ensure holistic enterprise security. Governments and freelance ethical hackers are also playing their part in establishing a secure infrastructure for businesses to operate without security concerns.

“ON THE GROUND OF INTERSECTING HIGHWAYS, JOIN HANDS WITH YOUR ALLIES.”
Sun Tzu, The Art of War

Corporate Collaboration and Mergers

In their effort to secure themselves, businesses are tying up with experts and start-ups and investing in ecosystems to expand their cybersecurity capabilities.

Examples
• Volkswagen collaborates with three Israeli cybersecurity experts and their teams to establish a new company, CYMOTIVE, to build cybersecurity solutions for connected and autonomous cars.
• In 2017, Honeywell acquired Nextnine, an Israel-based OT security company, to augment its cybersecurity capabilities.
• Claroty, an OT security start-up, was infused with a capital of USD 60 million by equipment manufacturers Rockwell, Siemens, and Schneider Electric.


Build a Cybersecurity CoE

Cybersecurity professionals often attribute security failures to the culture where multiple business units, closely connected in the value chain, are out of sync and non-collaborative on each other’s security needs and practices. Establishing a Security Center of Excellence (CoE) is a tried and tested method to help companies mitigate and overcome this failure. It can help them develop a coordinated, common, all-encompassing approach for the entire organization’s cybersecurity needs.

Global Center of Excellence (GCoE)
• Global unit housed together and centrally responsible for ensuring product and OT security across the organization; well-connected across departments and geographies.
• Talent: commonly shared cybersecurity talent from IoT security, product security, automation, information security, network security, training, and compliance resources.
• Joint and collaborative unit with buy-in from senior leaders across functions.

Organizations Leveraging GCoE for Cybersecurity


Battle the Talent Shortage

Security talent shortage and burnout are key issues in the security industry in both the IT and OT sectors. Companies are using innovative hiring, upskilling, and outsourcing to overcome this.

[Figure: By 2021, [number not recoverable] million cybersecurity jobs will be unfilled, with less than 1 in 4 applications being aptly qualified for such roles.]

“Cybersecurity is a rare career choice. At least it was until the recent past, so the talent pool is limited, and it is always difficult to get the right resources.”
Frederic Thomas, CTO, Kudelski IoT

According to John McClure, Vice President, Global Information Security, Laureate University

“Another challenge of dealing with talent is retention! Once you get the
right, skilled professionals, how do you retain them? You must keep people
challenged, give them the right tools, ensure good leadership, and continue
training.”


COUNTER YOUR ENEMY: DEPLOY TACTICS

“THE SUPREME ART OF WAR IS TO SUBDUE THE ENEMY WITHOUT FIGHTING.”
Sun Tzu, The Art of War

Organizations can take certain steps to safeguard themselves from well-known cyber threats. These steps must be carefully formulated to ensure enterprise security across operations involving people, processes, and technology.

• Identity and Access Management: This involves device authentication through unique symmetric or asymmetric keys, use of unidirectional gateways, and implementing robust communication protocols. It can facilitate mutual authentication, encryption, and safe storage. Organizations can bridge the IT-OT gap using unidirectional gateways that replicate servers and emulate industrial devices to translate data in the cloud.

• User Behavior Analytics: This can help reduce time to detect threats and provide insights into common security errors. It involves big data-enabled peer behavior analysis and deep learning-based system behavior analysis. It can speed up threat eradication, and such data can provide insights into common user mistakes observed by the system, enabling targeted cybersecurity training for employees.

• Managed Security Services: This involves 24*7 prevention, detection, and remediation services. It creates a complete threat management platform used to counter the latest threats in the industry. It can provide round-the-clock monitoring and response and enable businesses to use the latest security solutions without the heavy investments associated with in-house development of such solutions.
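The Identity and Access Management point above names device authentication with unique per-device keys and mutual authentication. The following is an added example, not LTTS code and not a protocol the booklet specifies: a challenge-response exchange between an OT device and a gateway using a unique symmetric key per device and HMAC-SHA256 over fresh nonces. The message layout, the role labels inside the MAC and the in-memory key table are assumptions of the example, and the keys are generated at import time purely for illustration (a real deployment provisions them at manufacture into protected storage on both ends).

```python
"""Mutual challenge-response authentication between an OT device and a gateway.

Added example, not code from the booklet or from LTTS. Each device holds a
unique symmetric key also known to the gateway; both sides prove possession
of it over fresh nonces, so a captured reply cannot be replayed and a spoofed
gateway cannot pass. Wire format and key table are assumptions of this example.
"""
import hashlib
import hmac
import secrets

# Constructed per-device keys (generated here only so the example runs stand-alone).
DEVICE_KEYS = {
    "plc-line1": secrets.token_bytes(32),
    "plc-line2": secrets.token_bytes(32),
}


def _tag(key: bytes, role: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """HMAC-SHA256 over a role label and both nonces. The label binds direction,
    so a device's reply can never be accepted as a gateway's reply."""
    return hmac.new(key, role + nonce_a + nonce_b, hashlib.sha256).digest()


class Gateway:
    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.pending = {}         # device_id -> nonce issued in step 1
        self.seen_nonces = set()  # device nonces already accepted (replay guard)

    def challenge(self, device_id: str) -> bytes:
        """Step 1, gateway -> device: a fresh 16-byte nonce."""
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id: str, device_nonce: bytes, device_tag: bytes):
        """Step 3: check the device's proof; on success return the gateway's own proof."""
        key = self.keys.get(device_id)
        gw_nonce = self.pending.pop(device_id, None)  # one challenge, one answer
        if key is None or gw_nonce is None or device_nonce in self.seen_nonces:
            return None
        expected = _tag(key, b"device", gw_nonce, device_nonce)
        if not hmac.compare_digest(expected, device_tag):  # constant-time compare
            return None
        self.seen_nonces.add(device_nonce)
        return _tag(key, b"gateway", device_nonce, gw_nonce)


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.id = device_id
        self.key = key
        self.nonce = None

    def respond(self, gw_nonce: bytes):
        """Step 2, device -> gateway: its own nonce plus proof of key possession."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce, _tag(self.key, b"device", gw_nonce, self.nonce)

    def verify_gateway(self, gw_nonce: bytes, gw_tag: bytes) -> bool:
        """Step 4: the device checks the gateway's proof before trusting it."""
        expected = _tag(self.key, b"gateway", self.nonce, gw_nonce)
        return hmac.compare_digest(expected, gw_tag)


def run_handshake(gateway: Gateway, device: Device) -> bool:
    """The full exchange; True only when each side has authenticated the other."""
    gw_nonce = gateway.challenge(device.id)                        # 1. gateway -> device
    dev_nonce, dev_tag = device.respond(gw_nonce)                  # 2. device -> gateway
    gw_tag = gateway.verify_device(device.id, dev_nonce, dev_tag)  # 3. gateway -> device
    return gw_tag is not None and device.verify_gateway(gw_nonce, gw_tag)  # 4. device checks


if __name__ == "__main__":
    gw = Gateway(DEVICE_KEYS)
    print("genuine device:", run_handshake(gw, Device("plc-line1", DEVICE_KEYS["plc-line1"])))
    print("wrong key:     ", run_handshake(gw, Device("plc-line1", bytes(32))))
```

Because every tag covers both nonces and a direction label, a recorded device reply is useless against a later challenge, and a rogue gateway that does not hold the device's key cannot produce step 3, which is what "mutual" buys over one-way device authentication. With asymmetric keys the same exchange carries signatures over the same inputs in place of the HMAC, and the gateway then needs only the devices' public keys rather than a table of secrets.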


SIMPLIFY YOUR WAR STRATEGY: STAY A STEP AHEAD

In the modern business landscape, weak cybersecurity threatens not just the infrastructure that keeps a business running but the security and well-being of all the stakeholders involved. To be genuinely robust, security measures cannot be retrofitted into systems as an afterthought; they must be deeply ingrained in every part of the system lifecycle.

“Cybersecurity cannot be an afterthought because you cannot retrofit cybersecurity in a process that was not designed with cybersecurity in mind.”
Frederic Thomas, CTO, Kudelski IoT

All stakeholders involved in enterprise cybersecurity initiatives can begin with some basic steps to address cybersecurity concerns. They must first assess the organization’s security stance through vulnerability scanning, malware scanning, and static code analysis. These methods have been proven to help enterprises identify and address software vulnerabilities and weaknesses, fix malware issues, review security controls, and create a more robust security architecture. Stakeholders can also leverage the expertise of organizations who are working directly on solutions for such threats and collaborate to fight present-day challenges and pre-empt future ones.

As digitalization grows in enterprise delivery systems and information technology becomes more pervasive, the need for robust cybersecurity in devices and systems will only grow. Cyberattacks worldwide are increasingly becoming more sophisticated and lethal, and thus security measures need to constantly evolve to stay a step ahead.


PARTNER WITH A WAR VETERAN: LTTS

“We form strategic partnerships with best-in-breed technology companies to bring the entire value chain together. For example, we partner with companies like LTTS that understand cybersecurity and our industry equally well to help us put that platform in place for our customers.”
A leading cybersecurity expert

• Ideal partner to create and implement product or IoT and IT-OT security strategy.
• Hardware security expertise and security solutions for smart connected products and the IoT ecosystem to secure your hardware platform and reduce time-to-market.
• IT-OT security experts quickly find vulnerabilities in your plant network, remediate them, and define processes to maintain a continuous security posture.
• 24x7x365 Managed Security Services aligned to different attack stages (pre-breach, breach, and post-breach).
• A robust partner ecosystem gives LTTS an edge in terms of technology and workforce coverage across the globe.


BATTLE REFERENCES: INDUSTRY PERSPECTIVES

LTTS IAM Safeguarding Maritime Engine for WinGD

Delivered an Identity and Access Management (IAM) solution to protect and control access to the ECS gateway onboard the vessel from the service PC. This included support for offline periods where service needs to be done at sea or inside a disconnected engine room.

LTTS IAM, PKI and Secure Storage Protecting Device Genuineness in the Supply Chain

Secured the end-to-end manufacturing and production of products that require Device Genuineness using LTTS Security Framework components: LTTS IAM, PKI and Secure Storage microservices.

Compromise Detection and Attack Containment for OT Security

Delivered a SOC to detect compromise, contain attacks, and remediate FMCG plants. The solution contained an attack within 12 hours, and the infected system rapidly returned to normal status.


“Any systems accessible from the internet must be patched and never contain critical data. If there are systems that can’t have patches or have critical data, those systems cannot be accessible from the internet.”


CYBER ATTACK IS NOT A MATTER OF “IF” BUT “WHEN”

When it comes to cybersecurity, in any practical sense, a hundred percent security doesn’t exist. The only way to be 100% secure is to turn off and destroy the computer, to have zero functionality. Similar to the laws of gravity and laws of other areas of our lives, there are laws of security. The law of security states that every time you add functionality, you’re decreasing security. Anytime there’s a functional system that’s providing value at some level, it cannot be 100% secure. If you have a system with functionality, then risk and vulnerabilities will always be there; at some point, your system will be compromised. It’s not a matter of “if” but “when.” So over your lifetime, you, your family, and the company you work for are almost guaranteed to be compromised.

[Figure: Core Principles of Security. A scale running from 100% security / 0% functionality to 0% security / 100% functionality: whenever you add functionality, you ALWAYS decrease security.]


THE KEYS TO CYBERSECURITY IN MANUFACTURING

Cybersecurity is all about understanding the risk of what could happen to your critical data if it is being disclosed, altered, or denied access.

[Figure: Cybersecurity, Risk, Critical Data, CIA]

• Confidentiality - Protecting against unauthorized disclosure of information.
• Integrity - Preventing unauthorized alteration of information.
• Availability - Preventing denial of access.

The CIA

The biggest cyber threats in manufacturing are the threats to confidentiality, integrity, and availability. In manufacturing, there is sensitive data, but there’s also integrity. If some computer parameters are altered, it could be detrimental. If the systems are not available, if they were denied access to, then the manufacturing production line can be completely shut down, impacting the business.

Most security personnel are trained on confidentiality, keeping a secret secret, basically making sure the data is protected, secured, and locked down. However, in manufacturing, not some, but a lot of information being stored, processed, and sent is not very confidential, but it must be accurate and available. If you have a manufacturing floor and an adversary is viewing the data being transmitted across networks, it will not cause a big risk. But if they can alter that information or deny access with ransomware or denial of service attacks, then that’s where it becomes impactful.

It’s very important in manufacturing and control systems that you have security people who have worked with and understand that domain because if they only ensure confidentiality, that will not provide the protection needed. So, manufacturers must ensure that they’re validating the integrity and their systems are available when and where they need it because


TO SPEND OR NOT TO SPEND: CYBERSECURITY BUDGET V/S BREACHES

The organizations don’t realize that even after 1. Critical Assets (Business Processes) column:
spending millions and billions in cybersecurity, Identify three to five of your top priority critical
they’re fixing the wrong problem. The reason assets or business processes.
they’re doing it is they’re getting the equation 2. Threats (Likelihood): Identify the top three
backward. The way the equation works is to five threats (ransomware, denial of service,
quite simple before you spend an hour of your exfiltration of data or information, etc.) that
time or a dollar of your budget on anything may harm your top priority critical assets.
in the name of security, you always ask three 3. Vulnerabilities (Impact): Identify the
questions: vulnerabilities that would allow those threats to
have the biggest impact on your critical assets.
• What is the risk?
• Is it the highest priority risk? With this prioritization, you have created your
• Is your solution the most cost-effective cybersecurity roadmap. You have identified the
way of reducing it? highest risk to your critical assets, and that’s
what security is all about. Organizations that
Whether you work in IT or OT security, make can fix the identified issues within a month can
sure you understand your highest priority risks conduct the assessment every month. Those
(threats and vulnerabilities). To do this, conduct who can fix issues in three months can do this
a mini risk assessment which takes about 10 quarterly. I recommend that organizations
minutes. It will ensure that you’re aligned and must conduct this assessment at least every six
fixing the correct problem. The first thing to months.
remember is everything starts with your critical
assets or business processes. Now, here’s the Evaluate your organization to find the top
trick, you need to prioritize. Get a piece of risk, look at solutions, and say which of these
paper and create three columns: solutions is the most cost-effective way of
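The three-column exercise can be kept as a small register that scores every asset/threat/vulnerability row and then answers the third question (which option is the most cost-effective) rather than leaving it to intuition. This is an added example, not code from the book or any of its contributors. The assets, threats, controls, the 1-5 likelihood and impact scales, and the "risk removed per unit of cost" rule for choosing a control are all constructed assumptions for illustration.

```python
"""Ten-minute risk assessment kept as a scored register.

Added example, not code from the book. Every asset, threat, vulnerability
and control below is constructed; the 1-5 scales and the
risk-removed-per-cost rule are assumptions, not a method the book prescribes.
"""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    name: str
    impact: int          # 1 (minor) .. 5 (production line down); assumed scale


@dataclass
class Threat:
    name: str
    likelihood: int      # 1 (rare) .. 5 (seen monthly); assumed scale
    vulnerabilities: list  # weaknesses that let this threat land


@dataclass
class Asset:
    name: str
    criticality: int     # 1 .. 5, how much the business depends on it
    threats: list


@dataclass
class Control:
    name: str
    cost: float                 # annual cost, any currency unit
    addresses: set              # vulnerability names it removes
    effectiveness: float = 1.0  # fraction of that risk it eliminates


def risk_register(assets):
    """Flatten assets x threats x vulnerabilities into rows scored
    criticality * likelihood * impact, highest first."""
    rows = []
    for a in assets:
        for t in a.threats:
            for v in t.vulnerabilities:
                rows.append({
                    "asset": a.name, "threat": t.name, "vulnerability": v.name,
                    "score": a.criticality * t.likelihood * v.impact,
                })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def risk_reduced(control, register):
    """Total score removed from the register if this control is deployed."""
    return sum(r["score"] * control.effectiveness
               for r in register if r["vulnerability"] in control.addresses)


def most_cost_effective(controls, register):
    """The book's third question: which option buys the most risk
    reduction per unit of budget?"""
    return max(controls, key=lambda c: risk_reduced(c, register) / c.cost)


# Constructed sample register for a plant with two critical processes.
ASSETS = [
    Asset("Packaging line PLCs", 5, [
        Threat("Ransomware", 4, [Vulnerability("Unpatched Windows HMI", 5),
                                 Vulnerability("Flat network, no segmentation", 4)]),
        Threat("Denial of service", 3, [Vulnerability("Flat network, no segmentation", 4)]),
    ]),
    Asset("Customer order database", 4, [
        Threat("Data exfiltration", 3, [Vulnerability("No outbound proxy", 3)]),
    ]),
]

CONTROLS = [
    Control("Segment OT from IT", cost=80_000, addresses={"Flat network, no segmentation"}),
    Control("Patch/replace HMI hosts", cost=40_000, addresses={"Unpatched Windows HMI"}),
    Control("Deploy outbound proxy", cost=25_000, addresses={"No outbound proxy"}),
]

if __name__ == "__main__":
    reg = risk_register(ASSETS)
    for r in reg:
        print(f'{r["score"]:4d}  {r["asset"]} / {r["threat"]} / {r["vulnerability"]}')
    print("Best buy:", most_cost_effective(CONTROLS, reg).name)
```

With the sample data the segmentation control removes the most raw risk (140 points) but the HMI patching removes 100 points at half the cost, so it is the first thing to fund; rerun the register after each fix, on the monthly or quarterly cadence the text suggests.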


BREACH DETECTION AND THE ENDGAME

Most attacks go undetected for over 21 months. However, the detection period is 31 months in manufacturing and critical infrastructure due to the complexity of those systems. So, if organizations want to win at cybersecurity, they have to focus on timely detection and controlling the damage.

The focus must be on detection. However, today most companies are only performing inbound prevention. They're looking only at the inbound traffic, trying to prevent, prevent, prevent. Prevention is ideal, but you can't prevent all attacks. Instead, companies add detection in place, but they're looking only at the inbound traffic, which is way too noisy. Now, if you want to catch data exfiltration, command and control channels, and external connections to the adversary, none of this occurs during inbound. It occurs during outbound. So, the real trick is that companies need to continue doing inbound prevention and add outbound detection. This was the key to catching the SolarWinds attack. All outbound connections must be proxied as they leave an organization.

Another powerful way to detect attacks is to do a geolocation plot of the outbound connections. It may not be 100% accurate, but it's pretty accurate. You can find out where in the world those connections are going. In the past, I was working with a manufacturing entity that mainly worked within the United States. They did some business in Canada and Mexico as well. We monitored all their outbound connections for six months and plotted them on the world map to show where they go, with the thicker lines showing the biggest connections. It was interesting to note that, for six months, they had no clue that 15% of their traffic was going to China and 17% to Russia, where they did no business. This revealed multiple points of compromise. We then created a visibility chart.

It is interesting to note that most of the major breaches were detected due to anomalies in performance. Monitoring such anomalies is the most effective way of catching attacks. In short, it is not hard to catch the adversary. You just have to look in the right spot, create the right data, and look at the outbound information.
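The geolocation check described above can be run over the egress proxy's logs without a map: group outbound bytes by destination country, compare the shares against the countries the business actually operates in, and list the internal hosts behind any unexpected share, since those are the candidate points of compromise. This is an added example, not code from the book or its contributors. The log lines, the prefix-to-country table (a stand-in for a real GeoIP database lookup), the set of expected countries and the 5% threshold are constructed assumptions.

```python
"""Outbound-connection geolocation check over egress proxy logs.

Added example, not code from the book. The log sample and the
prefix-to-country table are constructed (RFC 5737 test ranges with
arbitrary labels); in production the table is a GeoIP database lookup and
the log comes from the proxy every outbound connection passes through.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for a GeoIP database.
PREFIX_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
}

# Countries the business actually operates in (assumption for the sample).
EXPECTED = {"US", "CA", "MX"}

LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+bytes=(\d+)")

# Constructed egress-proxy log sample: one internal host talks to CN, another to RU.
SAMPLE_LOG = """\
2021-03-02T10:15:01 src=10.1.4.22 dst=192.0.2.10 bytes=52000
2021-03-02T10:15:07 src=10.1.4.22 dst=192.0.2.11 bytes=48000
2021-03-02T10:16:33 src=10.1.7.9 dst=198.51.100.5 bytes=30000
2021-03-02T10:20:12 src=10.1.4.22 dst=203.0.113.44 bytes=34000
2021-03-02T10:21:50 src=10.1.7.9 dst=198.51.100.5 bytes=16000
2021-03-02T10:25:04 src=10.1.9.3 dst=192.0.2.12 bytes=20000
"""


def country_of(ip):
    """Map a destination address to a country code, '??' when unknown.
    Unknown destinations are counted rather than dropped: they also deserve a look."""
    addr = ipaddress.ip_address(ip)
    for net, cc in PREFIX_COUNTRY.items():
        if addr in net:
            return cc
    return "??"


def parse(log_text):
    """Yield (src, dst, bytes) from every line matching the proxy format."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def traffic_by_country(log_text):
    """Return ({country: share of total bytes}, {country: {src host: bytes}})."""
    per_cc = defaultdict(int)
    per_cc_src = defaultdict(lambda: defaultdict(int))
    total = 0
    for src, dst, nbytes in parse(log_text):
        cc = country_of(dst)
        per_cc[cc] += nbytes
        per_cc_src[cc][src] += nbytes
        total += nbytes
    shares = {cc: b / total for cc, b in per_cc.items()} if total else {}
    return shares, per_cc_src


def unexpected_destinations(log_text, min_share=0.05):
    """Countries outside EXPECTED carrying at least min_share of egress bytes,
    each with the internal hosts talking to it, heaviest talker first."""
    shares, per_cc_src = traffic_by_country(log_text)
    findings = []
    for cc, share in sorted(shares.items(), key=lambda kv: kv[1], reverse=True):
        if cc not in EXPECTED and share >= min_share:
            hosts = sorted(per_cc_src[cc], key=per_cc_src[cc].get, reverse=True)
            findings.append((cc, round(share, 3), hosts))
    return findings


if __name__ == "__main__":
    for cc, share, hosts in unexpected_destinations(SAMPLE_LOG):
        print(f"{cc}: {share:.1%} of outbound bytes, from {', '.join(hosts)}")
```

On the sample the check reports 23% of egress to CN from one host and 17% to RU from another; the byte share is what makes a small number of long-lived command-and-control sessions stand out even when the connection count is tiny. The same grouping works on NetFlow or firewall logs as long as the destination address and byte count survive.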


CYBERSECURITY IN THE NEW NORMAL

In the current pandemic situation, we have witnessed an increased number of phishing attacks and attacks targeting individuals. One of my favorite questions to ask is: how many offices did your organization open in 2020? Organizations respond by saying they have increased work from home and closed some of their offices. The truth is that each work from home location now becomes one of the organization's remote office locations. However, unlike traditional offices, organizations do not go into each work from home location and add security and protection. Due to this, the threat vectors have increased exponentially, and organizations are more exposed. The remote workforce has completely changed the threat landscape.

Currently, connected systems and smart factories are one of the top attacked industries. One of the big reasons is that their systems are critical and need uptime availability, making them a big target for ransomware. Another big threat vector for connected systems, smart manufacturing, and critical infrastructure is the disappearance of the traditional air gap. An air gap is a system that's not connected to the internet; it's completely isolated. Unless somebody physically breaches your facility and breaks in, they can't attack an air-gapped system from the internet. However, because of functionality, interconnectivity, and the epidemic, many of these air gaps are going away, and many of these systems are not up-to-date. They were never built with security in mind, and thus removing the air gap creates a huge exposure point.

Many manufacturing systems aren't patched, and organizations rely on vendor configuration with default installations that tend to be prone to denial of service. They don't have a lot of built-in error checking. And then, with the use of IoT, which increases functionality by connecting all your devices to the internet, their devices can be monitored, tracked, and controlled. However, many IoT devices don't have a lot of security error checking or mechanisms; they're very small, with very specialized processors that do specific tasks. As long as you give them the data they're expecting, they work like a champ. Still, when they start being exposed to adversaries who can alter, modify,


The Balancing Act Between Security and Functionality

Four Main Targets in a Manufacturing Organization

1. A server that is accessible from the internet
2. A client that checks email or surfs the web
3. An internal resource that can be compromised
4. A supply chain vendor that has a system within the organization's environment

The servers accessible from the internet have been the source of all major data breaches in the past. The systems accessible from the internet with missing patches, containing unencrypted or partially encrypted critical data, are the easiest targets. We conducted an experiment and found out that it takes only an average of two and a half minutes for such systems to be pinged, probed, and attacked once they are online.


To protect against phishing, organizations end up restricting functionality by disabling attachments, links, etc., but that actually prevents people from doing their jobs. Organizations must treat cybersecurity as a business enabler. What we do is enable a separate device for people, which can be their smartphones or iPads. They use their Windows computer to work and use their separate devices, which do not contain any critical data, to access the internet. This creates a solution that doesn't restrict people but enables them while balancing security and functionality.

To protect the supply chain, an organization that allows connections from a third-party vendor or anyone else must always isolate and segment that connection.

Protect Against Known Vulnerabilities:
• Correlate exploits to vulnerabilities to prioritize patching
• Work with a third-party vulnerability management vendor to scan and patch
• Assign patch priority based on prioritized patching process score

Protect Against Phishing and Malicious Website Attacks:
• Use antispam, phishing, and malware control tools; consider block isolation
• Encourage the human firewall
• Don't blame the victims; give them the right tools

Put a Proper Endpoint Protection in Place for Home Systems:
• Go beyond the traditional blacklist-based endpoint security for maximum protection
• Focus on attack surface reduction
• Detect and block malicious behavior
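One concrete form of the "isolate and segment" rule for a third-party vendor connection, given here as an added example rather than configuration from the book or any product it names, is a firewall policy on the gateway where the vendor's VPN terminates that lets the vendor reach exactly one jump host on one port and logs everything else. The ruleset below uses nftables; the interface name vpn-vendor, the vendor address pool 10.200.0.0/24 and the jump host 10.10.5.10 are placeholders to be replaced with the real values.

```nft
# Added example, not from the book. Placeholders:
#   vpn-vendor    -> interface the third-party VPN terminates on
#   10.200.0.0/24 -> address pool handed out to the vendor's VPN clients
#   10.10.5.10    -> the single jump host the vendor is allowed to reach
table inet vendor_access {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Traffic that did not arrive over the vendor tunnel is left to other rules.
        iifname != "vpn-vendor" accept

        # Replies to sessions the organization itself opened toward the vendor.
        ct state established,related accept

        # The only permitted vendor path: a new SSH session to the jump host.
        ip saddr 10.200.0.0/24 ip daddr 10.10.5.10 tcp dport 22 ct state new accept

        # Every other attempt from the tunnel is logged (lateral movement
        # becomes visible in the SIEM) and dropped.
        log prefix "vendor-denied: " drop
    }
}
```

Load it with nft -f on the gateway and confirm with a scan from the vendor pool that only the jump host's SSH port answers; the "vendor-denied:" kernel log entries are then a ready-made detection feed for the outbound-monitoring approach described earlier in this chapter.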


CYBERSECURITY
IS A CATCH-UP GAME
WELL ALMOST!
Ricardo Giorgi
Security Faculty and Infosec Expert, FIAP University

Ricardo Giorgi is a Brazil-based cybersecurity expert and academician. He is a cybersecurity faculty member at the FIAP University, FIA, EDP, and OBAC and a speaker at various cybersecurity seminars and industry events. He has appeared in TV interviews on subjects like ransomware attacks and mobile security, and has presented at several industry forums in Brazil.

Ricardo holds a Master's in Computer Engineering and has earned multiple certifications including CISA, CISSP-ISSAP, CISM, CRISC, CGEIT, CDPSE, ISO 27001 LA, VCP, CCSI, SSCP, GREM, CEH, ECSA, Security+, RHCE, and Instructor of CISSP and SSCP CBK. Ricardo is the Relator of CEE/078 from ABNT regarding cloud health privacy and Electronic Health Records (EHR) and is a Founder-Member of the ISSA Brazil Chapter.


THE GOOD, THE BAD, AND THE UGLY OF CYBER THREATS

Today, almost everyone is fully connected to the web, and every day more and more people are getting unrestricted access to the internet.

The knowledge of technology, like anything else, can be used for both good and evil.

With internet access, it has become very easy to learn the techniques to invade a computer system. For instance, on the deep web, users may not even need to have cyber expertise to invade a company. All they need is to pay and hire a cyber attacker. And that's it! They will be able to do any kind of harm to a company they want to attack.

If you look at it, it depends on the person's intent, right? That's why I think "Humans" are the biggest threat to cyber infrastructure. On par with humans are malware attacks, based on the huge number of malware created every day and their impact potential, and then come zero-day vulnerability attacks.

Apart from these, I think all companies in the world are vulnerable to Distributed Denial of Service (DDoS) and Distributed Reflection Denial of Service (DrDoS) attacks.

[Figure: Cyber Threats - Human error | Malware attacks | Zero-day vulnerability | DDoS and DrDoS]


DEFENDING THE ‘ALMOST’

Technology to the Rescue

Cloud migration

The best strategy today is migration to the cloud environment. By choosing a cloud service provider, you get access to the best security money can buy, because these CSPs (Azure, AWS, GCP, IBM, etc.) have invested billions in cybersecurity and information controls. They certainly are better prepared to face these malevolent elements than any individual organization.

Advanced technologies

Advanced technologies play a huge role in aiding cybersecurity. AI and ML have been
evolving at a rapid pace to complement cybersecurity professionals. User Behavior
Analytics (UBA) is an artificial intelligence-based effective technique to predict user
behavior and weed out the miscreants from the work environment. Similarly, AI-
based impact analysis can be extremely important to monitor and analyze the
baseline of traffic to identify threat or attack signatures. It enables threat intelligence
and proactive action.


Equipping the Talent of Tomorrow with Required Skills

At FIAP, we have partnered with other international universities and organizations. We see organizations enabling student exchange programs for skill development. It is definitely a step in the right direction, but these programs' duration is so short that there is more left to learn than what is learned. However, the universities are becoming more and more hands-on and are teaching the skills needed by the students to become relevant for corporate requirements. They are approaching the corporate needs and the market needs about cybersecurity. But this is really a very recent adoption in the universities. In the past, even four or five years ago, universities didn't accept this reality and did not teach the mandatory technology skills required for the job market, because they thought teaching about the hacker mentality was unethical.

I teach my students how to bypass security controls and how hackers or cyber attackers use it as a kind of methodology, to break systems, to break controls. And I believe the right posture, the right mindset, and the right approach will help students do more good for society and build a more protected and better world.


Zeroing Down on the IT-OT Cybersecurity Conundrum

Industrial companies are often plagued by legacy infrastructure and a lack of skill or resources to manage cyber risk properly. Cyber attackers are aware of these vulnerabilities and the resultant damage they can cause with an attack on such companies. Most industrial automation environments are poorly structured. The cyber experts in these companies are not even aware of what is connected in their company environment, so how are they to protect it? So, the IT and the OT teams must start to work together to close these gaps.

According to the SANS OT-ICS 2018 survey, the top three threat categories to OT security are devices and things added to the network, internal threats (accidental), and external threats (supply chain and partnerships).

What are the top three threat categories you are most concerned with? Rank the top three, with "First" being the threat of highest concern.

Threat category                                                          First   Second  Third
Devices and "things" (that cannot protect themselves) added to network   21.1%   11.6%    9.1%
Internal threats (accidental)                                            12.4%   14.0%   13.2%
External threats (supply chain or partnerships)                           9.5%   15.3%   12.8%
External threats (hacktivism, nation-states)                             15.3%   10.7%    8.7%
Integration of IT into control system network                             9.5%   13.2%    9.1%
Extortion, ransomware or other financially motivated crimes               9.5%    8.7%    8.7%
Malware families spreading indiscriminately                               5.4%   10.3%   10.7%
Phishing scams                                                            6.6%    4.5%   12.4%
Internal threats (intentional)                                            6.6%    6.2%    6.6%
Industrial espionage                                                      3.7%    4.1%    5.4%

Source: https://www.forescout.com/company/resources/2019-sans-state-of-ot-ics-cybersecurity-survey/


INTERESTING (PROBABLY UNKNOWN) FACTS ABOUT RICARDO

Favorite tech gadget or book
Well, I love all the Dan Brown books, especially Digital Fortress. I love those kinds of books because there are a lot of amazing takeaways in them.

Favorite department in an organization
Information security and risks, and ethical hacking.

One quality you always look for in an engineer or a leader
Ethics, self-motivation, passion for learning, and leadership.

The most used app on your smartphone
This is easy. WhatsApp, Telegram, and Waze.

One advice to a budding cybersecurity engineer
Study and learn as much as you can because the world has many opportunities for you. Leave your comfort zone, choose an area to specialize in, and get all the certifications and knowledge in that area.


UNLOCKING THE
TRUE POTENTIAL OF
CYBERSECURITY
Max B. Wandera
Director, Product Security, COE, Eaton

Max provides leadership and oversight for the research, design, development, and implementation of security technologies for products, systems, and software applications. In his current position, he is also responsible for Secure Product Development Lifecycle Policy and compliance. He leads cross-functional collaboration with corporate officers, industry leaders, and government entities, including the Cybersecurity and Infrastructure Security Agency (CISA), to shape the future of cybersecurity and trusted connectivity. In this article, he throws light on how digitalization impacts and drives cybersecurity, Eaton's cybersecurity approach, and how globalizing the cybersecurity standards is the next step in cybersecurity transformation.


THE INDUSTRY OUTLOOK ON IT AND OT CYBERSECURITY

The industry outlook towards cybersecurity is changing, there is no doubt about that. But it is changing at a very slow pace, and it is mostly focused on the IT side of operations. With advancements in digital technology, managing digital solutions has become much easier and cheaper in the IT world. But when it comes to OT, the industry moves at a very slow pace in adopting cybersecurity measures to secure these environments.

The primary reason for this is that there is a shortage of skilled cybersecurity professionals who understand how OT products and services operate. At the same time, the people who manage OT are relatively new to the topic of cybersecurity. Eaton has embarked on a program with universities to help develop these skill sets. For example, we have partnered with Rochester Institute of Technology (RIT) to develop a lab to help build the talent pipeline for the industry.

There are two important aspects that manufacturers of critical infrastructure products should undertake to help improve cybersecurity in the OT network.

1. First, if I could use Eaton as an example, we are an intelligent power management company. Our customers depend on our products and solutions to make critical decisions on how they manage their power more efficiently. Therefore, the cybersecurity of these products is very important. At Eaton, we have established a Cybersecurity Center of Excellence organization that helps drive secure-by-design principles across all our product development. This centralized organization is tasked to ensure that our products are compliant with industry cybersecurity standards. This is critical to the digital transformation and Industry 4.0 drive that is happening across the globe.


Eaton’s Cybersecurity Enablers

Awareness

Cybersecurity awareness is the first step towards creating a secure organization. Awareness is what drives the change in the behavior of how people operate. Each and every employee in an organization must understand the security implications of their behavior. At Eaton, we have done a very good job in driving awareness across the organization. We ran a security campaign and went through all the divisions explaining the importance of cybersecurity, the value that it adds to our customers, and what happens if we don't adopt it. Because as we all know, cybersecurity cannot be an afterthought. As far as the question of cybersecurity being a central function or being product-centric is concerned, I believe it goes both ways.

Security Standards and Governance Policy

We have taken a proactive leadership role and were the first company to have dual certification - International Electrotechnical Commission (IEC 62443-4-1) and UL 2900-1. We have embedded cybersecurity in our product development lifecycle and set up a robust governance policy across all our products.


Globalizing the Cybersecurity Standards – The Need of the Hour

As more industries deploy IIoT devices, the security and safety of systems providing essential operations become more important and more difficult to manage. These complexities are due, in part, to a lack of a global, universally accepted cybersecurity standard and conformance assessment scheme designed to validate connected products.

There is currently a multitude of different standards and regulations created by various organizations, countries, and regional alliances across the globe. All of these standards and regulations address the urgent need to secure our connected world; however, they also create the potential for confusion and the possibility of weak links in critical infrastructure ecosystems.

The time to drive for a common conformance assessment for IIoT products is now.

We're working with leaders across the industry to do just that. For example, we recently joined the International Society of Automation (ISA) Global Cybersecurity Alliance as a founding member to advance advocacy for a global cybersecurity standard and industry collaboration.

Championing the Cybersecurity Approach

There are proponents of both a centralized and a decentralized approach towards cybersecurity. Both approaches have their pros and cons. I believe a hybrid approach works best for cybersecurity. You want to centralize the governance and policy aspect of the cybersecurity program and decentralize the actual implementation and assessment of cybersecurity requirements. This model allows an organization to focus on building a pool of security experts within the divisions who are close to the products.


Building the Talent Pool

Experienced talent is available on the IT side. However, it's more challenging on the OT side because not only do you need people with the right cybersecurity expertise, but you also need somebody who possesses domain knowledge and understands how products operate.

The solution to this problem is to hire people who have product and domain expertise and train them on cybersecurity principles. This path is much easier than trying to train cybersecurity experts in electrical engineering.

Building a training program for engineers is critical. At Eaton, we have partnered with universities like RIT and created curricula that enable future talent to graduate with the right skills required in the industry. As new technologies continue to evolve, we also need to keep up with new ways of protecting them. Therefore, continuous learning is critical to our success.

One way to ensure that people are up-to-date is certifications. At Eaton, I encourage my team to continue getting industry certifications.

The OT part of the industry is still 10 years behind IT. The complexity of these networks that consist of legacy and new devices makes it very complex to manage.


CHALLENGES AND BEST PRACTICES IN CYBERSECURITY IMPLEMENTATION

Challenges

Remote working

With people being forced to work remotely due to the global epidemic, cybersecurity has become a key priority and concern globally. Critical systems are now being managed remotely and therefore, the opportunity for hacking into these systems has increased. We are now seeing a lot of security enhancement on applications that support remote working. The dependency on these solutions and the enhancements that are being done to make them secure will drastically change the industry perspective on how we view the OT network. The threat vector has now increased; therefore, companies will be forced to create more policies and governance to ensure the cybersecurity of these systems.

Legacy device management

We have devices that were developed 20-30 years ago with no security in mind. The idea at that time was to deploy them in an air-gapped network. But with digitization, we are now deploying intelligent devices and solutions into this network and connecting them with the outside world to leverage the data. Because of these integrations, the legacy products are becoming the weakest link in the ecosystem and could potentially become an attack vector. At Eaton, we are continuously assessing these OT products and coming up with mitigation strategies for our customers to minimize their vulnerabilities as we further advance security.


DIGITALIZATION IMPACTING THE CYBER THREAT LANDSCAPE

Increased digitalization leads to a data deluge and information overflow, which is the key driver for an intense and critical focus on cybersecurity. Customers across industries have now become consumers of digital products and are using them a lot more than earlier.

There is an average of 10 connected devices per home in the US, based on various studies that have been conducted. Studies also have shown that by 2030 the number of connected devices will reach 125B. Some of these devices are used to connect to critical personal information or company networks. Some of these devices do not have a standard user interface to enable the consumer to figure out how they can manage them securely. Therefore they are operated with inadequate security. Because of how they are connected, it's very easy for a skilled attacker to access these devices and control them. We have seen recent attacks on hospitals and manufacturing industries as a result of vulnerabilities triggered from these devices.

So, yes, digitalization is great, and as we expand connected solutions everywhere, we must be mindful that the threat surface has significantly increased.

[Figure: Projected Connected Devices - 2018: 8B; 2020: 31B; 2025: 75.4B; 2030: 125B]

Source: https://www.eaton.com/us/en-us/company/news-insights/what-matters/enabling-powerful-cybersecurity/cybersecurity-trends-infographic.html


INTERESTING (PROBABLY UNKNOWN) FACTS ABOUT MAX

Favorite book
The World is Flat by Thomas Friedman

One technology you are most excited about or you're betting on
Machine Learning

Your favorite department in an organization
It has to be cybersecurity! If I must choose besides my own department, then it will be IoT.

The most important characteristic you look for in an engineer or a leader
I like people who are open to new ideas and willing to try them and learn from the experience if the ideas don't mature.

The most used app on your phone
I use LinkedIn a lot to track what is going on in the industry.

One ambition
Be one of the critical drivers that help lead the efforts to develop a uniform global conformance assessment standard for cybersecurity.


Cybersecurity cannot be an afterthought because you cannot retrofit cybersecurity in a process that was not designed with cybersecurity in mind.

MAKING CYBERSECURITY INDUSTRY-AGNOSTIC: A KUDELSKI PERSPECTIVE

INDUSTRY-AGNOSTIC CYBERSECURITY – A MYTH OR REALITY


The Kudelski Approach

At Kudelski, we provide the security layer to our customers irrespective of their domain or industry. The reason why we can offer solutions to all the verticals is that the technology that is embedded in your heart (a pacemaker) or your car (ECU) is the same chipset, and we know how to embed security for chipsets. As for the industry and domain knowledge, we partner with companies such as LTTS that have core vertical and design expertise. We leverage their expertise, along with our cybersecurity technology, to design secure pacemakers for the Medical Devices industry and design secure communication protocols for the automotive industry.

Devising an Industry-Agnostic Solution

When a company in any given vertical comes to us, they typically have a fair idea of the link between their business and security, and this link is our interface.

Threat analysis

This is always the first step, and it comprises identifying a few basic things that help us understand the system, moving parts, system constraints, boundaries, etc. We interview the client to get these details.

Threat matrix

Based on the information, we provide our inference as a matrix detailing the vulnerabilities, impact, mitigation strategies, and security priorities. We detail the possible attacks from the perspective of the attacker's mindset.

Security Solution

Based on the matrix, we propose solutions for the easiest and most impactful vulnerabilities. The solutions vary with regard to a specific environment and security relevance. If there are specific variables such as regulatory standards or compliance that come into play, we also provide workarounds based on the problem's complexity.


Fool-proofing the Cyber Infrastructure

At Kudelski, we believe that being prepared is the best way to mitigate the trouble.

We have an attack lab, whose core function is to identify and discover new threats and their sources (Black Hats).

We do the threat analysis, research, devise mitigation solutions, and publish papers based on our findings.

We also have cryptographers who work in the field and represent us at various forums where security is discussed on complex topics such as the length of the key that you should put in if you want your device to resist for the next 20 years, and so on.

This is how we keep track of the latest trends in the industry, anticipate threats, and then incorporate features in our products to beat vulnerabilities. To some extent, this is why our solutions are a bit more mature, because all of this knowledge is put into the solution so that we stay ahead of the curve by at least 10 years.

We have also set up an intellectual collaboration process with our partners, whereby their security experts review our products. We ensure a Chinese Wall between the people who make or know the product and the people who evaluate the product to ensure a foolproof and solid development ecosystem. The same applies if we work with partners; we ensure strict work standards for them too.

Security is always a trade-off. I mean, nothing is invulnerable. Through the lab, through activities, we try to give transparency on that trade-off.


CYBERSECURITY CANNOT BE AN AFTERTHOUGHT

The use of increased technology or automation adds more complexity, which, in turn, increases exposure to cyber threats. We all know that AI operates on the data provided, and if this data is not trustworthy, the AI outputs cannot be relied upon. So, unless you trust the entire system from your sensors to the gateway to the network, through your IT, you cannot trust the data.

When you add more automation and complexity, you increase the stress on cybersecurity, as now nobody is checking the validity and trustworthiness of data. You have inadvertently increased the threat landscape, and thereby the threat, whether it is a malevolent attack or it's just a mistake. In short, it doesn't change the problem; the more of those automated things you have, the more difficult it is to trust the results of what you have put in place.

During the digital transformation, an organization usually passes three hurdles. However, by that time, it is generally a little too late for cybersecurity.

1. Finding a good reason to adopt new technology

The first is finding a good reason to use technology. This is where organizations answer questions like: yes, I can automate a coffee machine and connect it to the internet, but what's the benefit?

2. Making it work

The second hurdle is how to make it work. Organizations answer questions like: How do I get my entire organization to accept, use, and manage this new technology? Who is responsible for implementing and managing this technology, and which budget is to be utilized? How do we transition from this one single shot firing at this sort of circular thing where you have to manage devices and products over time?


IT AND OT ARE THE SAME, YET REQUIRE DIFFERENT CYBERSECURITY STRATEGIES

There has been a technology shift such that everything today is more or less a computer. You don’t buy an oven; you buy a computer that happens to have a heating thing attached to it. You don’t buy a car; you buy a computer that has wheels attached to it. All of this modern equipment uses the same chipsets, communication protocols, and technology. From a structural design or principle view, it is all the same: IT, OT, or IoT, it’s the same product. Therefore, the attacks and tools to mitigate those attacks are the same too.

There used to be a difference in how you manage that, I think, that we are converging slowly. In IT security, the work of device security, to a fairly large extent, is managed by Windows, Microsoft. If you look at an iPhone or a modern Windows laptop, it has all the bells and whistles, BitLocker, and certificate chain, perfectly managed by Apple or Microsoft. All that needs to be done by the IT cybersecurity team is to select a few or all the checkboxes that apply the security level as required. On the other hand, when we consider an IoT device or OT, all the security needs to be embedded by the OT cybersecurity team because you don’t have an Apple or Microsoft to design the whole thing for you.

From a security perspective, the technology is the same; however, the approaches and effort involved for both IT and OT are a bit different.

Today, for example, all the companies that manufacture robotic things or their likes want to connect the robots to their factories so that all of the machines on the factory floor will be connected to their backends. And this is just making the attack surface enormous because the attacker may come from the backend to your PLC in your factory and impact you. This makes OT security very complex in practice.


Legacy Systems – A Mixed Bag

The experience of working with a legacy system is a mixed bag. But, I believe the diversity of protocols is actually an asset. If someone wants to disrupt the OT technology, their obvious target would be to attack something on Ethernet because everybody uses it. Therefore, it provides a huge base to attack compared to a legacy device with a complicated protocol that is used by only a few people in the world. So, to some extent, the diversity of protocols and the fact that it’s a legacy system with no central wired thing is an asset. It makes attacks more complicated and difficult to launch.

On the other hand, the number of people who understand the legacy systems is limited. So, if attackers were to attack it, they may not be detected for a long time. Hence, it is a mixed bag.

As far as securing legacy systems is concerned, we don’t have a lot of choices. If a company wants to improve its legacy systems’ security, today’s only practical way is to monitor it using an AI tool to detect functional and behavioral anomalies in communication protocols. It provides inferences and insights that can be acted upon and assures transparency and visibility into legacy protocols that nobody knows anything about anymore. Of course, providing security updates is another option, and we are fairly advanced in that area too. This is apparent from the fact that Nagra had the capabilities to provide OTA updates back in 1995 when I joined the company.

Lastly, the best option is to create impenetrable devices; a few of our smart cards are 10 years old and are still working okay because nobody’s cracked them yet!
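The monitoring approach described above, learning what a legacy protocol normally looks like on the wire and alerting on deviations, can be illustrated with a small behavioral baseline. The following is an added example, not code from Kudelski, Nagra or the book: it uses a plain statistical baseline rather than an AI tool, and all traffic records (hosts such as hmi-1 and plc-7, function codes, payload lengths) are constructed for the illustration and belong to no real protocol.

```python
"""
Behavioral baselining for a legacy OT protocol (added illustration).

Assumptions, all constructed for this example and not taken from the page:
  - each record is a tuple (timestamp_s, src, dst, function_code, payload_len)
  - the baseline is learned from a window of traffic believed to be clean
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class PeerProfile:
    """What a (src, dst) pair normally does on the wire."""
    function_codes: set = field(default_factory=set)
    payload_lens: list = field(default_factory=list)
    per_minute: dict = field(default_factory=lambda: defaultdict(int))


def build_baseline(records):
    """Learn, per peer pair, the function codes, payload sizes and message rate."""
    profiles = defaultdict(PeerProfile)
    for ts, src, dst, fc, plen in records:
        p = profiles[(src, dst)]
        p.function_codes.add(fc)
        p.payload_lens.append(plen)
        p.per_minute[ts // 60] += 1
    return profiles


def zscore(x, samples):
    """Signed z-score; a constant baseline makes any deviation +/- infinity."""
    m = mean(samples)
    sd = pstdev(samples)
    if sd == 0:
        return 0.0 if x == m else (float("inf") if x > m else float("-inf"))
    return (x - m) / sd


def score_window(profiles, records, z_limit=3.0):
    """Return (timestamp, kind, detail) findings for a window of new traffic."""
    findings = []
    counts = defaultdict(int)
    for ts, src, dst, fc, plen in records:
        key = (src, dst)
        if key not in profiles:
            # A host that never talked to this device before; not counted
            # toward any rate profile because there is none to compare with.
            findings.append((ts, "new-peer", f"{src}->{dst}"))
            continue
        p = profiles[key]
        if fc not in p.function_codes:
            findings.append((ts, "new-function-code", f"{src}->{dst} fc={fc}"))
        if abs(zscore(plen, p.payload_lens)) > z_limit:
            findings.append((ts, "payload-length", f"{src}->{dst} len={plen}"))
        counts[(key, ts // 60)] += 1
    for (key, minute), n in counts.items():
        rates = list(profiles[key].per_minute.values())
        if zscore(n, rates) > z_limit:
            findings.append((minute * 60, "rate-spike", f"{key[0]}->{key[1]} {n}/min"))
    return findings


def constructed_baseline():
    """Ten minutes of constructed clean traffic: an HMI polling a PLC."""
    recs = []
    for minute in range(10):
        for k in range(6):  # one read poll every 10 seconds, payload 12-14 bytes
            recs.append((minute * 60 + k * 10, "hmi-1", "plc-7", 3, 12 + (k % 3)))
        recs.append((minute * 60 + 5, "hmi-1", "plc-7", 6, 8))      # one write per minute
        recs.append((minute * 60 + 30, "eng-ws", "plc-7", 43, 20))  # identification query
    return recs


def constructed_window():
    """Two constructed minutes containing four different kinds of deviation."""
    recs = []
    base = 600
    for k in range(6):
        recs.append((base + k * 10, "hmi-1", "plc-7", 3, 12 + (k % 3)))
    recs.append((base + 5, "hmi-1", "plc-7", 6, 8))
    recs.append((base + 30, "eng-ws", "plc-7", 8, 20))     # function code never seen from eng-ws
    recs.append((base + 40, "laptop-x", "plc-7", 3, 12))   # unknown host talking to the PLC
    for k in range(40):                                    # 40 polls in one minute instead of 6
        recs.append((660 + k, "hmi-1", "plc-7", 3, 12))
    recs.append((700, "hmi-1", "plc-7", 6, 200))           # oversized write payload
    return recs


def demo():
    profiles = build_baseline(constructed_baseline())
    return score_window(profiles, constructed_window())


if __name__ == "__main__":
    for ts, kind, detail in sorted(demo()):
        print(f"t={ts:4d}s  {kind:18s} {detail}")
```

The detector learns three things per peer pair: the function codes it uses, its payload size distribution, and its per-minute message rate. Each finding names the deviation so an operator who does not know the protocol can still act on it, which is the transparency the text asks for from such monitoring.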


INTERESTING (PROBABLY UNKNOWN) FACTS ABOUT FREDERIC

One technology that excites you the most
I would say automation, which would include AI, Machine Learning, and all other technologies that help you automate or optimize processes.

Your favorite book or gadget
Dune by Frank Herbert

Your favorite department in your organization
I have a slightly different take on this. My favorite department, which I realize is not a real department, would be the collection of tools (videoconference, email, etc.) and places (workplace, closest bar) people use to interact together. When these work, you no longer worry about them, but the most important thing is for people to interact, collaborate, and bring good ideas together. And this is how you achieve progress; this is how you make things better.

The most important characteristic you look for in an engineer or a leader
Curiosity

The most used app on your phone
Outlook

One ambition for the coming year, especially post COVID
To improve security awareness


Commitment to security must be communicated upfront, delivered seamlessly, and upheld sincerely.


IT’S NOT DIGITALIZATION, BUT IT’S COMPLEXITY THAT DRIVES CYBERSECURITY

In your opinion, is increasing digitalization one of the factors for increasing cyber risks?

In today’s world, more things are going digital, and then there are these larger IT transformation projects that create a larger digital footprint and just by definition, this increases risk exposure. Many organizations have taken complex approaches to digitalization, perhaps when they’re not always needed. And that in itself introduces additional challenges in terms of defense. So, I think what is driving cyber threats is the complexity introduced due to digitalization.

[Figure: Increased digitalization leads to increased complexity, which leads to an increased attack surface]


Speaking of digitalization, what are your views on the role of new-age technologies like AI in cybersecurity?

I think AI has some way to go before we see it being strongly leveraged in most organizations. We have been automating security, explicitly focusing more on the SOAR space to create security orchestration and automation than around the Robotic Process Automation (RPA) space. Speaking about AI and ML, in the past, I have been a part of very large projects where data deluge amounted to petabytes of data. Looking for statistical outliers and anomalies was just an unrealistic human problem at that point. We were able to build and leverage algorithms and apply some other level of intelligence or methodologies to help reduce that burden resulting from the large data volume and velocity.

We do need to continue to make smart investments. But we need to make sure that they are actually smart investments and not unfocused investments with very little value on return.

Whether we’re looking at automation or looking at AI or ML solutions, their success, efficiency, and effectiveness must be well measured. We can measure mean time to detection, mean time to response, time allocated to an analyst, reduction in error rates, etc. The markets are flooded with many startups who have many good ideas; evaluating these new solutions and companies and selecting the right ones and investing in them can be challenging.

I believe that organizations need to take time and develop clear metrics to determine a viable and worthy investment in some of the products available today.


What are the best practices for an organization to manage security across their global locations? Should it be done centrally, or should the control rest with multiple security functions across geographies?

Over the years, Laureate grew through acquisitions. We acquired universities and companies that already had IT organizations. They all had different levels of security maturity and functions – this created a real challenge for us to apply standards across the organization. This decentralized model and approach were not as efficient or effective as we required. After careful evaluation and consideration, we centralized our security functions and capabilities while retaining personnel at our global locations to support security initiatives.

To manage our high level of complexity, with 71 different Laureate entities having their own firewalls, technologies, etc., we created a centralized model that is in some sense a hybrid model.

All security personnel have a direct line through the CISO position, but they also have a dotted line into their regional CIOs to help support local projects and initiatives. These personnel and functions are ultimately tied back to our central model to help reduce organizational, technological, and standardization complexity. This same model or a very similar model is adopted by many other organizations having global operations.

What about the companies that have multiple products? Should they follow a centralized approach, or should they also adopt the hybrid approach that you mentioned earlier?

Let’s take an example of the education sector, where I operate. I suppose even if there are multiple areas like education delivery or the process of checking books out of the library, campus mobility, etc., then at least from the security perspective, it still makes sense to have a centralized model. But clearly, there would be this local flavor that you’d have to account for that may require a decentralized or local team. While we’ve standardized a lot across security, we do have different models in some of these regions for region-specific


I don’t think there is a secret sauce that I can share, but I think a company must show a level of commitment to security from the beginning and be clear and transparent. Obviously, companies must embed security in the actual product lifecycle, use secure protocols and methodologies, conduct standardized testing and frequently release results of those tests, and release fixes or patches regularly to maintain a level of confidence in their customers.

In short, the security commitment must be communicated upfront, delivered seamlessly, and upheld sincerely.

Losing focus on legacy systems adds to the threat landscape. What do you think are some of the common vulnerabilities that the industry is not paying attention to?

Legacy systems have a huge risk potential. Organizations may run non-supported software and a large amount of older solutions without security due diligence. Many organizations do not have a security framework to support their legacy systems, nor do they have vendors doing it for them. There are plans to move away from these ultimately, but they are yet to transition to more modern services for several different business reasons. These organizations must start communicating the risk to their business leaders rather than communicating the threat. In my opinion, it is a business problem.

Historically, the security leaders have been poor in communicating risk in a language that the business leaders understand. This reluctance and inability of security leaders in communicating the risk is the primary reason for some of those legacy systems staying deployed longer than required.

For example, communicating that an application has access to all these records that can be attacked is not impactful and doesn’t resonate with business leaders. Instead, stating, “there is a USD 13 million risk that can be mitigated by investing USD 200,000” is a more palatable decision that is easily understood by the business.


TALENT SHORTAGE ISN’T THE CHALLENGE

Do you believe there is an intense skill shortage in the cybersecurity market? What are some of the ways that you have tried to overcome it?

Yes, we have encountered it. I think the challenge isn’t that there is a talent shortage; it’s just that, for a skilled person, you’re surely going to pay top dollar. There are most certainly some fantastically skilled people out there, but they are also very expensive. We’ve addressed this challenge in a number of ways.

Internships are a brilliant way
We work with some universities, particularly people pursuing a master’s degree who have spent at least some time in school learning about IT and product security. We onboard them on paid internships and then ultimately absorb some of them as employees.

Third-parties and contractors
We work with a few security experts who are third-parties, talent agencies, and contractors.

Startups
We are also on a constant lookout for startups with some unique discriminators and keep an open mind towards technologies, such as automation, to assist us in addressing personnel and skill gaps.


INTERESTING (PROBABLY UNKNOWN) FACTS ABOUT JOHN

Your favorite tech gadget or book
I think it’s my iPhone and iPad when it comes to gadgets. In terms of books, I spend a lot of time reading leadership books. One of the books that I really liked is Good to Great by Jim Collins, and one that I recently finished is The Power of Positive Leadership. I also have one that I haven’t started yet called The Inspirational Leader by Gifford Thomas.

Your favorite department in your organization
Well, of course, the security department, but I suppose quickly followed by the HR department, or the talent acquisition team, whom I lean on heavily to help me find the right experts to support our mission.

The most used app on your phone
Email, News, and Twitter are my top three.

The most important characteristic you look for in an engineer or a leader
The ability to uniquely solve problems under stress. Especially in cybersecurity, when you need to properly perform your best, it’s under stress during an incident or event. And being able to manage that and think clearly is critical for both a leader and an engineer. The second quality is integrity for anybody that I work with. Being able to trust somebody that they are doing the right thing is an important attribute. Integrity is something that I think everybody should strive for, including leaders. I believe that it should be inculcated in an organization’s culture.


A ROBUST, MATURE SECURITY RISK MANAGEMENT PRACTICE IS THE NEED OF THE HOUR

Michael Khroustalev
R&D Process Manager, SCIEX

Michael Khroustalev is responsible for implementing best practices and tools into the software development process, designing new products and tools, and adopting product security and privacy considerations for new product development and maintenance at SCIEX.

In this article, he sheds light on the industry aspect of cybersecurity approaches, solutions, limitations, and talent. He further shares cybersecurity best practices to embed throughout the product development lifecycle and post release.


INDUSTRY CYBERSECURITY APPROACH

As an industry expert, what strategy do you think an organization should adopt to manage its
product security?

As an industry best practice, unless an organization has a super diverse business with many products, a centralized approach may be the best. The reason being that the centralized approach allows establishing consistency, ownership roles, and responsibilities and avoids any gaps that could potentially fall into a grey area within the organization’s divisions.

On the other hand, if an organization has a diverse business with multiple businesses and products, a centralized approach may not work. In such a case, you need a hybrid approach, where there is:

Hybrid Cybersecurity Approach

A centralized cybersecurity function that provides expectations and guidance on cybersecurity for the organization. It defines the centralized policy, roles, and responsibilities to outline clear accountability and direction.

Business-level cybersecurity functions to cater to the business-specific cybersecurity requirements like customizing the policy and processes.


CONSTANT CHANGE AND CHURN IN TECHNOLOGY IS A CHALLENGE FOR CYBERSECURITY

What is the impact of digitalization on cybersecurity in your industry? Are there any other drivers that are impacting cybersecurity?

We’re already in the digitalization business as our organization essentially has digital products. So, as an organization, our business has always been digitalized.

For us, it is not digitalization per se, but the introduction of new technologies and new systems that introduces new threats.

When it comes to other drivers, we need to think from the motivation and vulnerability perspective. From that perspective, a major driver is people becoming more aware of how much they can gain (monetarily or political influence) from these attacks. It’s just pure greed and pure awareness about the business and its performance that is driving cyberattacks. Another driver is the constant churn and change in technology, which makes it difficult to stabilize it and say that this is a proven safe and secure technology. These constant changes in the technology landscape will make it extremely challenging to develop a robust and stable cybersecurity solution.

[Figure: Cybersecurity Drivers: New technologies, New systems, Human greed and awareness, Constant change]


SECURING PRODUCTS DURING DESIGN, DEVELOPMENT, AND POST-RELEASE

What would be some of the cybersecurity best practices during the design phase (pre-release phase) for new products?

It is critical to embed security as a consideration throughout the product development lifecycle. Security shouldn’t be an afterthought; it shouldn’t be something that you think about after releasing the product.

Cybersecurity should be an integral part of the whole product development lifecycle. Through all activities, starting from the design phase to implementation, you must carefully think about the security considerations and potential threats. Based on these, you must define the security requirements that would mitigate the risks.

Security considerations and risk assessments should be an integral part of all activities leading up to the release, and even after the release, your maintenance must follow the same concept. You must continuously monitor threats, and if you discover vulnerabilities or threats, then you must react and provide customers with updates, patches, or security guidance.

For both IT organizations and product organizations, a robust, mature security risk management practice should be a top priority.

During product development, how should an organization bridge the gap between the IT and product security functions?

As a starting point, the organization should create a general organizational cybersecurity policy. Further, they can customize the general policy to create policies for specialized areas.

So, by taking the overall company policy and direction into consideration, you can derive the product and IT security policies. You can assign the right roles and responsibilities, provide them the right guidance, and allow them some flexibility to customize. However, all this must be aligned to the top-level goals.

RATING CYBERSECURITY, ITS LIMITATIONS AND ATTACKS

What rating would you give to the importance of cybersecurity in business as well as product, with 5 being the highest and 1 being the lowest?

When we consider the full scale of a business’ overall priorities, I would say cybersecurity stands at four. Ultimately, in terms of a business and its mission, objectives, and survival, generating money while engaging the customer and satisfying the business mission and objectives takes the highest priority. Cybersecurity comes a close second as it is the supporting pillar to enable an organization to achieve its mission and objectives.

On a scale of one to five, with five being the highest, how effective do you think the existing cybersecurity solutions available in the market are? Also, what is the most critical cybersecurity limitation according to you?

I would rate it at four, so it’s relatively effective. Regarding the limitations, I think the biggest one is time-to-market. Whosoever wants to break through the cyber defenses could potentially be one step ahead. So, identifying vulnerabilities and effectively mitigating them becomes a competitive game. Moreover, you can never be certain that you mitigated all vulnerabilities before they were identified by the attackers.

Importance of cybersecurity in business as well as product: 4
Effectiveness of existing cybersecurity solutions: 4


CYBERSECURITY TALENT

Talking about talent, there is always a dearth of cybersecurity professionals in the industry. What is your take on the issue and how do you address it?

Talent availability is an issue in cybersecurity and how you counter it depends on a combination of factors, such as what is your core business, what can you outsource, where should you outsource, etc. From this standpoint, I don’t think there is one perfect solution.

An organization must constantly think about structuring the workforce so that the cybersecurity work is balanced through a mix of in-house expertise and outsourced expertise.

In our experience, this has been the best and practical approach where we perform certain cybersecurity-related tasks ourselves and adopt external expertise when required. This approach is embedded in our product development lifecycle and constantly present throughout our processes and data operations. We partner with organizations and resources with proven expertise who provide in-depth knowledge, best practices, and best tools.

What would be the top two or three skills that you would look for in a cybersecurity professional from a product development perspective?

Michael’s Top Skills for Cybersecurity Professionals

1. Risk assessment and threat modeling
This is the most important skill and the cornerstone of any risk management program. It entails properly analyzing threats and vulnerabilities and assessing them in terms of severity and prioritizing them and coming up with appropriate countermeasures.

2. Technical skills
I would look for a technical specialist who knows what kind of technical security controls can be added to the products. A deep understanding of encryption, authentication, authorization, etc.

INTERESTING (PROBABLY UNKNOWN) FACTS ABOUT MICHAEL

Your favorite tech gadget or book
I usually read technical books. Currently, I am reading “Threat Modeling.”

One technology you are most excited about or you’re betting on
I like robotization. So, I saw the robots from Boston Dynamics and it’s exciting and scary at the same time. On the one hand, they are going to automate many manual tasks, which is excellent. However, on the other hand, they could potentially create security and privacy issues if misused.

Your favorite department in an organization
Software development, of course.

The most important characteristic you look for in an engineer or a leader
Desire and passion to learn new things because it’s the era of the evolving landscape. So it no longer matters how much a person knows if they do not have the passion or desire to learn to enhance their knowledge.

The most used app on your phone
Outlook

Your ambition for years ahead
I’m looking forward to bringing the company to the next level of security maturity. It’s really important for us as security professionals to continuously improve our security program’s maturity and stay up-to-date with the best practices in the industry.


ACKNOWLEDGEMENTS

This initiative to decode the art of industrial cyberwarfare would not have been possible without the
dedicated support and guidance of some of the leading cybersecurity war veterans.

We are immensely grateful to all the industry experts who spared time from their busy schedules to
share their strategies, perspectives, and experiences on cybersecurity. Their insights have shaped and
enriched this book, so our sincere gratitude to the following:

Dr. Eric Cole, World-Renowned Cybersecurity Expert

Ricardo Giorgi, Security Faculty and Infosec Expert, FIAP University

Max B. Wandera, Director, Product Security COE, Eaton

Frederic Thomas, CTO, Kudelski IoT

John McClure, Vice President, Global Information Security, Laureate University

Michael Khroustalev, R&D Process Manager, SCIEX

Our vote of thanks to Amit Kulkarni, Associate Director, Zinnov Management Consulting. Amit’s
understanding of IT-OT cybersecurity and its trends gave a unique edge and depth to the project.
