The ART of Cyberwar

41.6 billion connected devices (CAGR ~21%)
The History of the War between Operation and Disruption

1988 – Robert Tappan Morris and the Morris worm
The first-ever malware attack in history. It cost about USD 10-100 million in damages.

2000 – Mafia Boy DDoS attack
Attack on eCommerce websites, including Yahoo, CNN, Amazon, and eBay, resulting in USD 1.2 billion in damage.

2002 – Internet attacked
Distributed Denial-of-Service (DDoS) attack on all 13 Domain Name System (DNS) root servers located in the US.

2008 – Hacker targets Scientology
A DDoS attack against the Church of Scientology website that lasted several days.

2009 – Google China headquarters hit by cyberattack
Intruders accessed many corporate servers and stole files containing Google’s intellectual property.

2011 – Government agencies infiltrated
The Department of Defense (DoD), Pentagon, NSA, NASA, US Military, Department of the Navy, Space and Naval Warfare Systems Command, and other UK and US government websites breached.

2012 – Foxconn hacked
Released email and server logins and bank account credentials of some of the large companies like Apple and Microsoft.

2013 – Target targeted
40 million users’ credit and debit card numbers and personal details breached, resulting in a loss of USD 162 million.
Stepping into the Cyber Battlefield

Building Bases: Digitalization

The use of increased technology or automation adds more complexity, which, in turn, increases exposure to cyber threats.
Frederic Thomas, CTO, Kudelski IoT

There has to be a balance between security and functionality.

The four key priorities for enterprises are:

All these priorities have one thing in common; they drive enterprises towards digitalization. By implementing digitally connected solutions and leveraging analytics, businesses want to capture more data to understand their customers, build better products, improve their operations, deliver customer experience, facilitate decision-making, and ease the regulatory reporting requirements.
Cybersecurity awareness is the first step towards creating a secure organization. Awareness is what drives the change in the behavior of how people operate.
Max B. Wandera, Director, Product Security COE, Eaton
Know Your Weakness: Common Vulnerabilities

Malware can infect systems, including web or mobile applications, embedded devices, and even cloud configuration, to block or restrict user access to products. Hackers covertly obtain and transmit proprietary information. This is more prevalent for organizations such as pharmaceutical firms and companies or departments heavily engaged in R&D services.

Cybercriminals often steal the secure login credentials of legitimate users and use them to gain system access, cause disruptions, install malware, or sniff information. Hackers can exploit weaknesses such as firmware dumping, hard-coded credentials, insecure encryption, or brute-forcing.
Product Technology

Embedded Device
• Tampering
• Insecure encryption

Web and Mobile Application
• Cross-site scripting
• XML external entities
• Broken authentication
• Sensitive data exposure
• Insufficient logging and monitoring
• Security misconfigurations
• Insecure deserialization
• Broken access control
• Known vulnerabilities
• SQL injection
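The list above only names the categories. As an added illustration (not code from the original page or from LTTS), the following Python makes the SQL injection entry concrete: a user lookup that builds its query by string formatting, beside the parameterised form that the standard library's sqlite3 driver supports. The table, its two rows and the probe string are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the page): two users in
# an in-memory table so the block runs offline.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the caller's string is pasted into the SQL text, so any
    # quote characters in it change the structure of the statement.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: a parameterised query. sqlite3 sends the value separately
    # from the SQL text, so it can only ever be compared as a literal string.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare_lookups() -> dict:
    """Run both lookups with a legitimate name and with a crafted string."""
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed probe: the textbook always-true tail
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),  # every row leaks
        "hardened_rows": len(lookup_hardened(conn, crafted)),      # no such user
        "legit_rows": len(lookup_hardened(conn, "alice")),         # normal use works
    }


if __name__ == "__main__":
    print(compare_lookups())
```

The parameterised form is the fix for the whole class, not for one payload: the driver never lets the value alter the statement, so input validation becomes a data-quality concern rather than the only thing standing between the caller and the database.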
Know Your Enemy: Common Forms of Attacks
A Thousand Cyberbattles, a Thousand Victories...

A Thousand Cyberbattles

Manufacturing

With the gap between IT and OT blurring, the attack surface for hackers has increased. They can now exploit vulnerabilities in both systems in a manufacturing environment.

For a period of two years (2017 to 19), WannaCry disrupted the manufacturing operations of multiple organizations, such as Nissan, Renault, Mondelez, Merck, Hexion, TSMC, and Hayward Tyler.

Energy companies have seen the highest number of ICS-targeted malware attacks, such as BlackEnergy, Havex, Industroyer, and Triton. Boasting high infrastructure value, oil & gas companies are potential national security targets, while utility companies are targeted to bring down critical infrastructure availability in the area.

In 2017, Triton was used to attack a petrochemical plant of Tasnee to bomb the facility, but the attack was unsuccessful due to a code error. Triton malware was again encountered in 2019 when it aimed at disabling the ICS security features of an undisclosed energy company. The malware leveraged vulnerabilities in Triconex industrial safety technology.
Semiconductors

supply chains.

Consumer Electronics

This sector is very attractive to cybercriminals because of two major factors: they create and run extremely complex networks, and they store a large amount of sensitive data to meet customers’ communication requirements.

More than 143 million malware targeted consumer smart devices in Q2 2020, mainly in the form of coronavirus-themed attacks.
Source: https://ciso.economictimes.indiatimes.com/news/143mn-windows-malware-hit-consumer-smart-devices-in-q2-report/77995908
A Thousand Victories

1980 to 2000
From the beginning of the cyberbattles, government regulatory bodies and Computer Emergency Response Teams (CERTs) were established to deal with virus and malware attacks.

2001 to 2005
Antivirus companies started to take the center stage in cybersecurity and were able to slow down known malware attacks. Yet, intruders used newer techniques such as phishing to spread viruses and malware.

2006 to 2015
By 2015, there were 0.5 new malware samples created every day. This was a threat level that antivirus companies couldn’t keep up with. Hence, sophisticated new systems that monitored network traffic anomalies and end-point threat detection became popular during this period. This era also saw the beginning of the use of creative new technologies like AI, Machine Learning (ML), and behavioural detection in threat detection and prevention.

2016 to 2019
While IT security was a long-followed process, growing exposure from industrial IoT led to an enhanced focus on new practices involving OT and product security.
Designing Your Invincible Defense: Secure the Enterprise

Identifying discrepancies between “should be” and “is”

Awareness is the need of the day as it would help make informed decisions from a security perspective.
Frederic Thomas, CTO, Kudelski IoT
Know Your Weapons: Design a Secured Cyber Environment

Factoring in security at every layer – product and OT – through every stage of the development lifecycle (design, implementation, deployment, and operation) of a product or system is the most effective way to foster a secured cyber environment.

Design for Security

Design is the most important phase for imbuing security in products or systems. Device manufacturers must consider security aspects right from the design phase – secured by design. Ask questions like, “What security features should be an inherent part of the product, and how can the level of security be evolved throughout the product lifecycle?”

Create a holistic approach by enabling a multi-layered security ecosystem with a rigorous review process, including code review, internal scanning, third-party penetration testing, and so on. Within this strategy, ensure that you have alternative plans to manage any potential risks found, with steps to counter them.

Including experts at the beginning of the product design process ensures inclusion of intrinsic security in the development process.
Ricardo Giorgi
Security Faculty and Infosec Expert, FIAP University

Best Practices to Secure Your War Fronts
OT Security
Device Configuration
Configure devices on a secure network using the defined standards.
Configuration must ensure identification and authentication control, data
integrity and confidentiality, restriction on data flow, and response to attacks.
Enable all embedded security features on the device before usage.
Know Your Allies: Leverage the Ecosystem
Security talent shortage and burnout are key issues in the security industry, both in the IT and OT sectors. Companies are using innovative hiring, upskilling, and outsourcing to overcome this.

According to John McClure, Vice President, Global Information Security, Laureate University:
“Another challenge of dealing with talent is retention! Once you get the right, skilled professionals, how do you retain them? You must keep people challenged, give them the right tools, ensure good leadership, and continue training.”
Counter Your Enemy: Deploy Tactics

Simplify Your War Strategy: Stay a Step Ahead

Partner with a War Veteran: LTTS

Battle References: Industry Perspectives

Decoding Cybersecurity
When it comes to cybersecurity, in any practical sense, a hundred percent security doesn’t exist. The only way to be 100% secure is to turn off and destroy the computer, to have zero functionality. Similar to the laws of gravity and laws of other areas of our lives, there are laws of security. The law of security states that every time you add functionality, you’re decreasing security. Anytime there’s a functional system that’s providing value at some level, it cannot be 100% secure. If you have a system with functionality, then risk and vulnerabilities will always be there; at some point, your system will be compromised. It’s not a matter of “if” but “when.” So over your lifetime, you, your family, and the company you work for are almost guaranteed to be compromised.
Cybersecurity is all about understanding the risk of what could happen to your critical data if it is disclosed, altered, or denied access.

Diagram: Cybersecurity, Risk, Critical Data, CIA

• Confidentiality - Protecting against unauthorized disclosure of information.
• Integrity - Preventing unauthorized alteration of information.
• Availability - Preventing denial of access.

The CIA

The biggest cyber threats in manufacturing are the threats to confidentiality, integrity, and availability. In manufacturing, there is sensitive data, but there’s also integrity. If some computer parameters are altered, it could be detrimental. If the systems are not available, if they were denied access to, then the manufacturing production line can be completely shut down, impacting the business.

Most security personnel are trained on confidentiality, keeping a secret secret, basically making sure the data is protected, secured, and locked down. However, in manufacturing, not some, but a lot of information being stored, processed, and sent is not very confidential, but it must be accurate and available. If you have a manufacturing floor and an adversary is viewing the data being transmitted across networks, it will not cause a big risk. But if they can alter that information or deny access with ransomware or denial of service attacks, then that’s where it becomes impactful.

It’s very important in manufacturing and control systems that you have security people who have worked with and understand that domain, because if they only ensure confidentiality, that will not provide the protection needed. So, manufacturers must ensure that they’re validating the integrity and their systems are available when and where they need it because
The organizations don’t realize that even after spending millions and billions in cybersecurity, they’re fixing the wrong problem. The reason they’re doing it is they’re getting the equation backward. The way the equation works is quite simple: before you spend an hour of your time or a dollar of your budget on anything in the name of security, you always ask three questions:

• What is the risk?
• Is it the highest priority risk?
• Is your solution the most cost-effective way of reducing it?

Whether you work in IT or OT security, make sure you understand your highest priority risks (threats and vulnerabilities). To do this, conduct a mini risk assessment, which takes about 10 minutes. It will ensure that you’re aligned and fixing the correct problem. The first thing to remember is everything starts with your critical assets or business processes. Now, here’s the trick: you need to prioritize. Get a piece of paper and create three columns:

1. Critical Assets (Business Processes) column: Identify three to five of your top priority critical assets or business processes.
2. Threats (Likelihood): Identify the top three to five threats (ransomware, denial of service, exfiltration of data or information, etc.) that may harm your top priority critical assets.
3. Vulnerabilities (Impact): Identify the vulnerabilities that would allow those threats to have the biggest impact on your critical assets.

With this prioritization, you have created your cybersecurity roadmap. You have identified the highest risk to your critical assets, and that’s what security is all about. Organizations that can fix the identified issues within a month can conduct the assessment every month. Those who can fix issues in three months can do this quarterly. I recommend that organizations must conduct this assessment at least every six months.

Evaluate your organization to find the top risk, look at solutions, and say which of these solutions is the most cost-effective way of
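A worked version of the three-column exercise, added here as an example and not part of the original article: each row of a constructed register is one asset/threat/vulnerability triple with a 1-5 likelihood and a 1-5 impact rating (the rating scale is an assumption; the article only names the columns), rows are ranked by likelihood × impact, the reassessment cadence follows the monthly/quarterly/six-monthly rule stated above, and a small helper answers the third question by ranking candidate fixes on risk reduction per unit of cost. The register entries and the cost figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # column 1: critical asset or business process
    threat: str         # column 2: threat that may harm the asset
    vulnerability: str  # column 3: weakness that lets the threat land
    likelihood: int     # 1 (rare) .. 5 (expected); rates the threat (assumed scale)
    impact: int         # 1 (nuisance) .. 5 (line-stopping); rates the vulnerability

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed sample register for a fictional plant (not from the page).
SAMPLE_REGISTER = [
    RiskEntry("Production line control", "Ransomware", "Unpatched Windows HMI", 4, 5),
    RiskEntry("Production line control", "Denial of service", "Flat network, no segmentation", 3, 4),
    RiskEntry("Customer order database", "Data exfiltration", "Shared admin credentials", 3, 4),
    RiskEntry("ERP system", "Ransomware", "Phishing-prone finance mailbox", 3, 3),
    RiskEntry("Remote support portal", "Denial of service", "Internet-exposed login page", 2, 2),
]

# Constructed candidate fixes: (name, cost in currency units, risk-score points removed).
SAMPLE_OPTIONS = [
    ("Patch HMI fleet", 20000, 12),
    ("Network segmentation", 80000, 16),
    ("EDR on HMIs", 30000, 9),
]


def validate_register(entries):
    """Enforce the 'three to five' bounds the text gives for assets and threats."""
    assets = {e.asset for e in entries}
    threats = {e.threat for e in entries}
    if not 3 <= len(assets) <= 5:
        raise ValueError(f"expected 3-5 critical assets, got {len(assets)}")
    if not 3 <= len(threats) <= 5:
        raise ValueError(f"expected 3-5 threats, got {len(threats)}")
    for e in entries:
        if not (1 <= e.likelihood <= 5 and 1 <= e.impact <= 5):
            raise ValueError(f"ratings must be 1-5: {e}")


def prioritize(entries):
    """Highest likelihood x impact first; ties broken by name so the roadmap is stable."""
    validate_register(entries)
    return sorted(entries, key=lambda e: (-e.score, e.asset, e.threat))


def top_risk(entries):
    """Answer question one and two: the single highest-priority risk."""
    best = prioritize(entries)[0]
    return best.asset, best.threat, best.score


def most_cost_effective(options):
    """Answer question three: greatest score reduction per unit of cost."""
    return max(options, key=lambda o: o[2] / o[1])[0]


def assessment_interval_days(mean_remediation_days: int) -> int:
    """Reassess monthly, quarterly, or at least every six months, by fix speed."""
    if mean_remediation_days <= 30:
        return 30
    if mean_remediation_days <= 90:
        return 90
    return 180


if __name__ == "__main__":
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.score:>3}  {e.asset:<25} {e.threat:<18} {e.vulnerability}")
    print("top risk:", top_risk(SAMPLE_REGISTER))
    print("best spend:", most_cost_effective(SAMPLE_OPTIONS))
    print("reassess every", assessment_interval_days(45), "days")
```

Keeping the register this small is the point: the ranking is only as good as the three to five rows you can defend, and the validation refuses a list that has grown past what a ten-minute exercise can keep honest.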
Most attacks go undetected for over 21 months. However, the detection period is 31 months in manufacturing and critical infrastructure due to the complexity of those systems. So, if organizations want to win at cybersecurity, they have to focus on timely detection and controlling the damage.

The focus must be on detection. However, today most companies are only performing inbound prevention. They’re looking only at the inbound traffic, trying to prevent, prevent, prevent. Prevention is ideal, but you can’t prevent all attacks. Instead, companies add detection in place, but they’re looking only at the inbound traffic, which is way too noisy. Now, if you want to catch data exfiltration, command and control channels, and external connections to the adversary, none of this occurs during inbound. It occurs during outbound. So, the real trick is for companies to continue doing inbound prevention and add outbound detection. This was the key to catching the SolarWinds attack. All outbound connections must be proxied as they leave an organization.

Another powerful way to detect attacks is to do a geolocation plot of the outbound connections. It may not be 100% accurate, but it’s pretty accurate. You can find out where in the world those connections are going. In the past, I was working with a manufacturing entity that mainly worked within the United States. They did some business in Canada and Mexico as well. We monitored all their outbound connections for six months and plotted them on the world map to show where they go, with the thicker lines showing the biggest connections. It was interesting to note that, for six months, they had no clue that 15% of their traffic was going to China and 17% to Russia, where they did no business. This revealed multiple points of compromise. We then created a visibility chart.

It is interesting to note that most of the major breaches were detected due to anomalies in performance. Monitoring such anomalies is the most effective way of catching attacks. In short, it is not hard to catch the adversary. You just have to look in the right spot, create the right data, and look at the outbound information.
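The outbound-share analysis the author describes, implemented as an added example (not the article’s own tooling): it parses constructed proxy log lines, maps each destination to a country through a small lookup table that stands in for a GeoIP database (documentation IP ranges with invented country assignments), computes each country’s share of outbound bytes, and flags countries outside the business footprint that carry more than a threshold share. The log lines, the table and the expected-country set are all constructed; a real deployment would feed the proxy’s own logs and a maintained GeoIP source into the same two functions.

```python
import ipaddress
import re
from collections import Counter

# Constructed lookup table standing in for a GeoIP database. The prefixes are
# RFC 5737 documentation ranges and the country assignments are invented.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/25"): "CA",
    ipaddress.ip_network("198.51.100.128/25"): "MX",
    ipaddress.ip_network("203.0.113.0/25"): "CN",
    ipaddress.ip_network("203.0.113.128/25"): "RU",
}

# Where the (fictional) company actually does business: US plus Canada and Mexico.
EXPECTED_COUNTRIES = {"US", "CA", "MX"}

# Constructed proxy log lines (one outbound connection each); one is deliberately malformed.
SAMPLE_LOG = [
    "2020-06-01T08:00:01Z src=10.0.0.5 dst=192.0.2.10 bytes=30000",
    "2020-06-01T08:00:02Z src=10.0.0.6 dst=192.0.2.44 bytes=20000",
    "2020-06-01T08:00:03Z src=10.0.0.5 dst=198.51.100.9 bytes=10000",
    "2020-06-01T08:00:04Z src=10.0.0.7 dst=198.51.100.200 bytes=8000",
    "2020-06-01T08:00:05Z src=10.0.0.9 dst=203.0.113.20 bytes=15000",
    "2020-06-01T08:00:06Z src=10.0.0.9 dst=203.0.113.150 bytes=17000",
    "proxy restarted -- no connection fields on this line",
]

LINE_RE = re.compile(r"dst=(?P<dst>[\d.]+)\s+bytes=(?P<bytes>\d+)")


def country_for(ip: str) -> str:
    """Longest-prefix style lookup is unnecessary here: the table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown destinations are kept, not dropped, so they still show up


def outbound_share_by_country(log_lines) -> dict:
    """Return {country: fraction of outbound bytes} parsed from proxy log lines."""
    totals = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        totals[country_for(m["dst"])] += int(m["bytes"])
    grand = sum(totals.values())
    return {cc: b / grand for cc, b in totals.items()} if grand else {}


def unexpected_destinations(shares: dict, expected=EXPECTED_COUNTRIES, threshold=0.05) -> dict:
    """Countries outside the business footprint carrying at least `threshold` of bytes."""
    return {
        cc: round(s, 3)
        for cc, s in shares.items()
        if cc not in expected and s >= threshold
    }


if __name__ == "__main__":
    shares = outbound_share_by_country(SAMPLE_LOG)
    for cc, s in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{cc}: {s:.0%}")
    print("investigate:", unexpected_destinations(shares))
```

Share of bytes rather than connection count is used because the author’s chart weighted the lines by volume; a handful of large transfers to a country the business never deals with is exactly the exfiltration signature the passage is pointing at, and it would be diluted by counting sessions.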
In the current pandemic situation, we have witnessed an increased number of attacks in phishing and targeting individuals. One of my favorite questions to ask is: how many offices did your organization open in 2020? Organizations respond by saying they have increased work from home and closed some of their offices. The truth is that each work from home location now becomes the organization’s remote office location. However, unlike traditional offices, organizations do not go into each work from home location and add security and protection. Due to this, the threat vectors have increased exponentially, and organizations are more exposed. The remote workforce has completely changed the threat landscape.

Currently, connected systems and smart factories are one of the top attacked industries. One of the big reasons is that their systems are critical and need uptime availability, making them a big target for ransomware. Another big threat vector for connected systems, smart manufacturing, and critical infrastructure is traditionally the lack of air gaps. An air gap is a system that’s not connected to the internet; it’s completely isolated. Unless somebody physically breaches your facility and breaks in, they can’t attack an air gap system from the internet. However, because of functionality interconnectivity and the epidemic, many of these air gaps are going away, and many of these systems are not up-to-date. They were never built with security in mind and thus, removing the air gap creates a huge exposure point.

Many manufacturing systems aren’t patched, and organizations rely on vendor configuration with default installations that tend to be prone to denial of service. They don’t have a lot of built-in error checking. And then, with the use of IoT, which increases functionality by connecting all your devices to the internet, their devices can be monitored, tracked, and controlled. However, many IoT devices don’t have a lot of security error checking or mechanisms; they’re very small, with very specialized processors that do specific tasks. As long as you give them the data they’re expecting, they work like a champ. Still, when they start being exposed to adversaries where they can alter, modify,
The servers accessible from the internet have been the source of all major data breaches in the past. The systems accessible from the internet with missing patches, containing unencrypted or partially encrypted critical data, are the easiest targets. We conducted an experiment and found out that it only takes an average of two and a half minutes for such systems to be pinged, probed, and attacked once they are online.
Cybersecurity Is a Catch-up Game, Well Almost!
Ricardo Giorgi
Security Faculty and Infosec Expert, FIAP University
Today, almost everyone is fully connected to the web, and every day more and more people are getting unrestricted access to the internet.

The knowledge of technology, like anything else, can be used for both good and evil.

With internet access, it has become very easy to learn the techniques to invade a computer system. For instance, on the deep web, users may not even need to have cyber expertise to invade a company. All they need is to pay and hire a cyber attacker. And that’s it! They will be able to do any kind of harm to a company they want to attack.

If you look at it, it depends on the person’s intent, right? That’s why I think “Humans” are the biggest threat to cyber infrastructure. On par with humans are malware attacks, based on the huge number of malware created every day and their impact potential, and then come zero-day vulnerability attacks.

Apart from these, I think all companies in the world are vulnerable to Distributed Denial of Service (DDoS) and Distributed Reflection Denial of Service (DrDoS) attacks.

Cyber Threats: Human error, Malware attacks, Zero-day vulnerability, DDoS and DrDoS
Cloud migration

Advanced technologies
Advanced technologies play a huge role in aiding cybersecurity. AI and ML have been
evolving at a rapid pace to complement cybersecurity professionals. User Behavior
Analytics (UBA) is an artificial intelligence-based effective technique to predict user
behavior and weed out the miscreants from the work environment. Similarly, AI-
based impact analysis can be extremely important to monitor and analyze the
baseline of traffic to identify threat or attack signatures. It enables threat intelligence
and proactive action.
Industrial companies are often plagued by legacy infrastructure and a lack of skill or resources to manage cyber risk properly. Cyber attackers are aware of these vulnerabilities and the resultant damage they can cause with an attack on such companies. Most industrial automation environments are poorly structured. The cyber experts in these companies are not even aware of what is connected in their company environment, so how are they to protect it? So, the IT and the OT teams must start to work together to close these gaps.

According to the SANS OT-ICS 2018 survey, the top three threat categories to OT security are devices and things added to the network, internal threats (accidental), and external threats (supply chain and partnerships).

Chart: What are the top three threat categories you are most concerned with? Rank the top three, with “First” being the threat of highest concern. (First / Second / Third)
Favorite tech gadget or book
Well, I love all the Dan Brown books, especially Digital Fortress. I love those kinds of books because there are a lot of amazing takeaways in them.

Favorite department in an organization
Information security and risks and ethical hacking.

One quality you always look for in an engineer or a leader
Ethics, self-motivation, passion for learning, and leadership.

The most used app on your smartphone
This is easy. WhatsApp, Telegram, and Waze.

One advice to a budding cybersecurity engineer
Study and learn as much as you can because the world has many opportunities for you. Leave your comfort zone and choose an area to specialize in, and get all the certifications and knowledge in that area.
Unlocking the True Potential of Cybersecurity
Max B. Wandera
Director, Product Security COE, Eaton

Max provides leadership and oversight for the research, design, development, and implementation of security technologies for products, systems, and software applications. In his current position, he is also responsible for Secure Product Development Lifecycle Policy and compliance. He leads cross-functional collaboration with corporate officers, industry leaders, and government entities, including the Cybersecurity and Infrastructure Security Agency (CISA), to shape the future of cybersecurity and trusted connectivity. In this article, he throws light on how digitalization impacts and drives cybersecurity, Eaton’s cybersecurity approach, and how globalizing the cybersecurity standards is the next step in cybersecurity transformation.
The industry outlook towards cybersecurity is changing, there is no doubt about that. But it is changing at a very slow pace, and it is mostly focused on the IT side of operations. With advancements in digital technology, managing digital solutions has become much easier and cheaper in the IT world. But when it comes to OT, the industry moves at a very slow pace in adopting cybersecurity measures to secure these environments.

The primary reason for this is that there is a shortage of skilled cybersecurity professionals who understand how OT products and services operate. At the same time, the people who manage OT are relatively new to the topic of cybersecurity. Eaton has embarked on a program with universities to help develop these skill sets. For example, we have partnered with Rochester Institute of Technology (RIT) to develop a lab to help build the talent pipeline for the industry.

There are two important aspects that manufacturers of critical infrastructure products should undertake to help improve cybersecurity in the OT network.
Awareness

We have taken a leadership role and were the first company to have dual certification - International Electrotechnical Commission (IEC 62443-4-1) and UL 2900-1. We have embedded cybersecurity in our product development lifecycle and set up a robust governance policy across all our products.
Globalizing the Cybersecurity Standards – The Need of the Hour

As more industries deploy IIoT devices, the security and safety of systems providing essential operations become more important and more difficult to manage. These complexities are due, in part, to a lack of a global, universally accepted cybersecurity standard and conformance assessment scheme designed to validate connected products.

There is currently a multitude of different standards and regulations created by various organizations, countries, and regional alliances across the globe. All of these standards and regulations address the urgent need to secure our connected world; however, they also create the potential for confusion and the possibility of weak links in critical infrastructure ecosystems.

The time to drive for a common conformance assessment for IIoT products is now.

We’re working with leaders across the industry to do just that. For example, we recently joined the International Society of Automation (ISA) Global Cybersecurity Alliance as a founding member to advance advocacy for a global cybersecurity standard and industry collaboration.

Championing the Cybersecurity Approach

There are proponents of both a centralized and a decentralized approach towards cybersecurity. Both approaches have their pros and cons. I believe a hybrid approach works best for cybersecurity. You want to centralize the governance and policy aspect of the cybersecurity program and decentralize the actual implementation and assessment of cybersecurity requirements. This model allows an organization to focus on building a pool of security experts within the divisions who are close to the products.
Challenges

With people being forced to work remotely due to the global epidemic, cybersecurity has become a key priority and concern globally. Critical systems are now being managed remotely and therefore, the opportunity for hacking into these systems has increased. We are now seeing a lot of security enhancement on applications that support remote working. The dependency on these solutions and the enhancements that are being done to make them secure will drastically change the industry perspective on how we view the OT network. The threat vector has now increased; therefore, companies will be forced to create more policies and governance to ensure the cybersecurity of these systems.

We have devices that were developed 20-30 years ago with no security in mind. The idea at that time was to deploy them in an air gap network. But with digitization, we are now deploying intelligent devices and solutions into this network and connecting them with the outside world to leverage the data. Because of these integrations, the legacy products are becoming the weakest link in the ecosystem and could potentially become an attack vector. At Eaton, we are continuously assessing these products and coming up with mitigation strategies for our customers to minimize their vulnerabilities as we further advance security.
Increased digitalization leads to data deluge and information overflow, which is the key driver for an intense and critical focus on cybersecurity. Customers across industries have now become consumers of digital products and are using them a lot more than earlier.

There is an average of 10 connected devices per home in the US, based on various studies that have been conducted. Studies also have shown that by 2030 the number of connected devices will reach 125B. Some of these devices are used to connect to critical personal information or company networks. Some of these devices do not have a standard user interface to enable the consumer to figure out how they can manage them securely. Therefore they are operated with inadequate security. Because of how they are connected, it’s very easy for a skilled attacker to access these devices and control them. We have seen recent attacks on hospitals and manufacturing industries as a result of vulnerabilities triggered from these devices.

So, yes, digitalization is great, and as we expand connected solutions everywhere, we must be mindful that the threat surface has significantly increased.

Infographic figures: 31B, 8B
Source: https://www.eaton.com/us/en-us/company/news-insights/what-matters/enabling-powerful-cybersecurity/cybersecurity-trends-infographic.html
Making Cybersecurity Industry-Agnostic: A Kudelski Perspective
Fool-proofing the Cyber Infrastructure

At Kudelski, we believe that being prepared is the best way to mitigate the trouble.

We have an attack lab whose core function is to identify and discover new threats and their sources (Black Hats).

We do the threat analysis, research, devise mitigation solutions, and publish papers based on our findings.

We also have cryptographers who work in the field and represent us at various forums where security is discussed on complex topics such as the length of the key that you should put if you want your device to resist for the next 20 years, and so on.

This is how we keep track of the latest trends in the industry, anticipate threats, and then incorporate features in our products to beat vulnerabilities. To some extent, this is why our solutions are a bit more mature, because all of this knowledge is put into the solution so that we stay ahead of the curve by at least 10 years.

We have also set up an intellectual collaboration process with our partners, whereby their security experts review our products. We ensure a Chinese Wall between the people who make or know the product and the people who evaluate the product to ensure a foolproof and solid development ecosystem. The same applies if we work with partners; we ensure strict work standards for them too.

Security is always a trade-off. I mean, nothing is invulnerable. Through the lab, through activities, we try to give transparency on that trade-off.
There has been a technology shift in that everything today is more or less a computer. You don’t buy an oven; you buy a computer that happens to have a heating thing attached to it. You don’t buy a car; you buy a computer that has wheels attached to it. All of this modern equipment uses the same chipsets, communication protocols, and technology. From a structural design or principle view, it is all the same: IT, OT, or IoT, it’s the same product. Therefore, the attacks and the tools to mitigate those attacks are the same too.

There used to be a difference in how you manage that, I think, and we are converging slowly. In IT security, the work of device security, to a fairly large extent, is managed by Windows, Microsoft. If you look at an iPhone or a modern Windows laptop, it has all the bells and whistles, BitLocker, and certificate chain, perfectly managed by Apple or Microsoft. All that needs to be done by the IT cybersecurity team is to select a few or all the checkboxes that apply the security level as required. On the other hand, when we consider an IoT device or OT, all the security needs to be embedded by the OT cybersecurity team because you don’t have an Apple or Microsoft to design the whole thing for you.

From a security perspective, the technology is the same; however, the approaches and effort involved for both IT and OT are a bit different.

Today, for example, all the companies that manufacture robotic things or their likes want to connect the robots to their factories so that all of the machines on the factory floor will be connected to their backends. And this is just making the attack surface enormous because the attacker may come from the backend to your PLC in your factory and impact you. This makes OT security very complex in practice.
One technology that excites you the most
I would say automation, which would include AI, Machine Learning, and all other technologies that help you automate or optimize processes.

Your favorite book or gadget
Dune by Frank Herbert

Your favorite department in your organization
I have a slightly different take on this. My favorite department, which I realize is not a real department, would be the collection of tools (videoconference, email, etc.) and places (workplace, closest bar) people use to interact together. When this works, you no longer worry about it, but the most important thing is for people to interact, collaborate, and bring good ideas together. And this is how you achieve progress; this is how you make things better.

The most important characteristic you would look for in an engineer or a leader
Curiosity

The most used app on your phone
Outlook

One ambition for the coming year, especially post COVID
To improve security awareness
Security Commitment: Communicate upfront, deliver seamlessly...
In today’s world, more things are going digital, and then there are these larger IT transformation projects that create a larger digital footprint and, just by definition, this increases risk exposure. Many organizations have taken complex approaches to digitalization, perhaps when they’re not always needed. And that in itself introduces additional challenges in terms of defense. So, I think what is driving cyber threats is the complexity introduced due to digitalization.

Figure: Increased digitalization, Increased complexity, Increased attack surface.
What are the best practices for an organization to manage security across their global locations? Should it be done centrally, or should the control rest with multiple security functions across geographies?

Over the years, Laureate grew through acquisitions. We acquired universities and companies that already had IT organizations. They all had different levels of security maturity and functions – this created a real challenge for us to apply standards across the organization. This decentralized model and approach were not as efficient or effective as we required. After careful evaluation and consideration, we centralized our security functions and capabilities while retaining personnel at our global locations to support security initiatives.

To manage our high level of complexity, with 71 different Laureate entities having their own firewalls, technologies, etc., we created a centralized model that is in some sense a hybrid model.

All security personnel have a direct line through the CISO position, but they also have a dotted line into their regional CIOs to help support local projects and initiatives. These personnel and functions are ultimately tied back to our central model to help reduce organizational, technological, and standardization complexity. This same model or a very similar model is adopted by many other organizations having global operations.

What about the companies that have multiple products? Should they follow a centralized approach, or should they also adopt the hybrid approach that you mentioned earlier?

Let’s take an example of the education sector, where I operate. I suppose even if there are multiple areas like education delivery or the process of checking books out of the library, campus mobility, etc., then at least from the security perspective, it still makes sense to have a centralized model. But clearly, there would be this local flavor that you’d have to account for that may require a decentralized or local team. While we’ve standardized a lot across security, we do have different models in some of these regions for region-specific
I don’t think there is a secret sauce that I can share, but I think a company must show a level of commitment to security from the beginning and be clear and transparent. Obviously, companies must embed security in the actual product lifecycle, use secure protocols and methodologies, conduct standardized testing and frequently release results of those tests, and release fixes or patches regularly to maintain a level of confidence in their customers.

In short, the security commitment must be communicated upfront, delivered seamlessly, and upheld sincerely.

Losing focus on legacy systems adds to the threat landscape. What do you think are some of the common vulnerabilities that the industry is not paying attention to?

Legacy systems have a huge risk potential. Organizations may run non-supported software and a large amount of older solutions without security due diligence. Many organizations do not have a security framework to support their legacy systems, nor do they have vendors doing it for them. There are plans to move away from these ultimately, but they are yet to transition to more modern services for several different business reasons. These organizations must start communicating the risk to their business leaders rather than communicating the threat. In my opinion, it is a business problem.

Historically, the security leaders have been poor in communicating risk in a language that the business leaders understand. This reluctance and inability of security leaders in communicating the risk is the primary reason for some of those legacy systems staying deployed longer than required.

For example, communicating that an application has access to all these records that can be attacked is not impactful and doesn’t resonate with business leaders. Instead, stating, “there is a USD 13 million risk that can be mitigated by investing USD 200,000” is a more palatable decision that is easily understood by the business.
Do you believe there is an intense skill shortage in the cybersecurity market? What are some of
the ways that you have tried to overcome it?
Yes, we have encountered it. I think the challenge isn’t that there is a talent shortage; it’s just that, for a
skilled person, you’re surely going to pay top dollar. There are most certainly some fantastically skilled
people out there, but they are also very expensive. We’ve addressed this challenge in a number of ways.
Your favorite tech gadget or book
I think it’s my iPhone and iPad when it comes to gadgets. In terms of books, I spend a lot of time reading leadership books. One of the books that I really liked is Good to Great by Jim Collins, and one that I recently finished is The Power of Positive Leadership. I also have one that I haven’t started yet called The Inspirational Leader by Gifford Thomas.

Your favorite department in your organization
Well, of course, the security department, but I suppose quickly followed by the HR department, or the talent acquisition team, whom I lean on heavily to help me find the right experts to support our mission.

The most important characteristic you look for in an engineer or a leader
The ability to uniquely solve problems under stress. Especially in cybersecurity, when you need to properly perform your best, it’s under stress during an incident or event. And being able to manage that and think clearly is critical for both a leader and an engineer. The second quality is integrity for anybody that I work with. Being able to trust somebody that they are doing the right thing is an important attribute. Integrity is something that I think everybody should strive for, including leaders. I believe that it should be inculcated in an organization’s culture.
Michael Khroustalev
R&D Process Manager, SCIEX
Michael Khroustalev is responsible for implementing best practices and tools into the software development process, designing new products and tools, and adopting product security and privacy considerations for new product development and maintenance at SCIEX.

In this article, he sheds light on the industry perspective on cybersecurity approaches, solutions, limitations, and talent. He further shares cybersecurity best practices to embed throughout the product development lifecycle and post release.
A Robust, Mature Security Risk Management Practice...
As an industry expert, what strategy do you think an organization should adopt to manage its
product security?
As an industry best practice, unless an organization has a super diverse business with many products, a centralized approach may be the best. The reason being that the centralized approach allows establishing consistency, ownership roles, and responsibilities, avoiding any gaps that could potentially fall into a grey area within the organization’s divisions.
On the other hand, if an organization has a diverse business with multiple businesses and products, a
centralized approach may not work. In such a case, you need a hybrid approach, where there is:
What is the impact of digitalization on cybersecurity in your industry? Are there any other drivers that are impacting cybersecurity?

We’re already in the digitalization business as our organization essentially has digital products. So, as an organization, our business has always been digitalized.

For us, it is not digitalization per se, but the introduction of new technologies and new systems that introduces new threats.

When it comes to other drivers, we need to think from the motivation and vulnerability perspective. From that perspective, a major driver is people becoming more aware of how much they can gain (monetarily or political influence) from these attacks. It’s just pure greed and pure awareness about the business and its performance that is driving cyberattacks. Another driver is the constant churn and change in technology, which makes it difficult to stabilize it and say that this is a proven safe and secure technology. These constant changes in the technology landscape will make it extremely challenging to develop a robust and stable cybersecurity solution.

Figure: Cybersecurity Drivers
What would be some of the cybersecurity best practices during the design phase (pre-release phase) for new products?

It is critical to embed security as a consideration throughout the product development lifecycle. Security shouldn’t be an afterthought; it shouldn’t be something that you think about after releasing the product.

Cybersecurity should be an integral part of the whole product development lifecycle. Through all activities, starting from the design phase to implementation, you must carefully think about the security considerations and potential threats. Based on these, you must define the security requirements that would mitigate the risks.

Security considerations and risk assessments should be an integral part of all activities leading up to the release, and even after the release, your maintenance must follow the same concept. You must continuously monitor threats, and if you discover vulnerabilities or threats, then you must react and provide customers with updates, patches, or security guidance.

For both IT organizations and product organizations, a robust, mature security risk management practice should be a top priority.

During product development, how should an organization bridge the gap between the IT and product security functions?

As a starting point, the organization should create a general organizational cybersecurity policy. Further, they can customize the general policy to create policies for specialized areas.

So, by taking the overall company policy and direction into consideration, you can derive the product and IT security policies. You can assign the right roles and responsibilities, provide them the right guidance, and allow them some flexibility to customize. However, all this must be aligned to the top-level goals.
What rating would you give to the importance of cybersecurity in business as well as product, with 5 being the highest and 1 being the lowest?

When we consider the full scale of a business’ overall priorities, I would say cybersecurity stands at four. Ultimately, in terms of a business and its mission, objectives, and survival, generating money while engaging the customer and satisfying the business mission and objectives takes the highest priority. Cybersecurity comes a close second as it is the supporting pillar to enable an organization to achieve its mission and objectives.

On a scale of one to five, with five being the highest, how effective do you think the existing cybersecurity solutions available in the market are? Also, what is the most critical cybersecurity limitation according to you?

I would rate it at four, so it’s relatively effective. Regarding the limitations, I think the biggest one is time-to-market. Whosoever wants to break through the cyber defenses could potentially be one step ahead. So, identifying vulnerabilities and effectively mitigating them becomes a competitive game. Moreover, you can never be certain that you mitigated all vulnerabilities before they were identified by the attackers.
CYBERSECURITY TALENT

Talking about talent, there is always a dearth of cybersecurity professionals in the industry. What is your take on the issue and how do you address it?

What would be the top two or three skills that you would look for in a cybersecurity professional from a product development perspective?
Your favorite tech gadget or book
I usually read technical books. Currently, I am reading “Threat Modeling.”

One technology you are most excited about or you’re betting on
I like robotization. So, I saw the robots from Boston Dynamics and it’s exciting and scary at the same time. On the one hand, they are going to automate many manual tasks, which is excellent. However, on the other hand, they could potentially create security and privacy issues if misused.

Your favorite department in an organization
Software development, of course.

The most important characteristic you look for in an engineer or a leader
Desire and passion to learn new things, because it’s the era of the evolving landscape. So it no longer matters how much a person knows if they do not have the passion or desire to learn to enhance their knowledge.

The most used app on your phone
Outlook

Your ambition for years ahead
I’m looking forward to bringing the company to the next level of security maturity. It’s really important for us as security professionals to continuously improve our security program’s maturity and stay up-to-date with the best practices in the industry.
ACKNOWLEDGEMENTS
This initiative to decode the art of industrial cyberwarfare would not have been possible without the
dedicated support and guidance of some of the leading cybersecurity war veterans.
We are immensely grateful to all the industry experts who spared time from their busy schedules to
share their strategies, perspectives, and experiences on cybersecurity. Their insights have shaped and
enriched this book, so our sincere gratitude to the following:
Our vote of thanks to Amit Kulkarni, Associate Director, Zinnov Management Consulting. Amit’s
understanding of IT-OT cybersecurity and its trends gave a unique edge and depth to the project.