Page 52 - EE|Times Europe Magazine - December 2020

Data on the Edge: A Common Blind Spot in Industrial Security

SAFEGUARDING FOUR COMMON ATTACK SURFACES

| Attack Surface | Root Cause of the Problem | Solutions and Alternatives |
|---|---|---|
| Passwords | Shared secrets can be harvested by attackers. Social engineering is unfortunately a reality. | Client certificate authentication & PKI; multi-factor authentication |
| Cloud Configuration | Lack of SSH key management; improper security settings in public cloud implementations | SSH key management; cloud security configuration diagnostics; security reviews |
| CDN | Improper security settings in CDN implementations | CDN security configuration diagnostics; security reviews |
| Email | Critical IP and PII contained in emails, stored in email servers | S/MIME certificates for email encryption, signing, and email server authentication |

To securely protect data, developers need to be aware of four potential attack surfaces. (Source: Sectigo)

(IAM) standpoint, an important example of a needed change is VPN access in industrial environments. VPNs with weak credentials are usually “over-privileged,” and access to them is handed out willy-nilly to contractors. The principle of “least privileges” is a critical concept in cybersecurity. Not everyone should have full administrator privileges, or lasting privileges, so it’s best to create IAM roles with only the minimal privileges required to get a job done and then revoke them when it’s completed. This reduces the potential havoc an attacker can cause if credentials are stolen. If your company must utilize a VPN, consider using credentials with only the necessary privileges, and ensure that your VPN is using client certificates for authentication rather than just username/password combinations.

Being diligent with security also requires managing Secure Shell (SSH) keys carefully, which is rarely done. They don’t have expiration dates and often are stored in unsecured places. Consider using a commercial SSH management tool, which can wrap the keys into a certificate with policies; the keys can then be stored in highly specialized, secure computing environments. Don’t make the attacker’s job easy by leaving the keys to your kingdom lying around.

Because of the trend toward using public cloud resources, security discipline should be top of mind. It is a mistake to assume that your data and operational systems are protected by default. Additionally, consider encrypting the data, both at rest and in transit. By using public key infrastructure (PKI) encryption certificates, data can be stored securely. Mutual authentication via the Transport Layer Security (TLS) protocol not only provides assurance that your systems are talking to their intended destination but also creates an encrypted tunnel through which communication flows. The analogy is a VPN, but TLS is lightweight and meant for API calls or communication between devices and the cloud.

WHERE’S MY DATA? A CDN EXAMPLE

With a content delivery network (CDN), data is often moved to numerous edge servers for efficient and fast distribution. This technique has been used for years, and it is now somewhat rare to see a busy website not using some form of CDN. This can enhance security in the form of distributed denial-of-service (DDoS) protection, but it can be a security risk in the form of less control over data.

Recently, Intel reportedly suffered a breach of more than 20 GB of source code and proprietary data. According to the report, the attackers obtained this data from a CDN, which Intel utilized to enhance web application performance. Data is transferred from origin servers to the CDN, making distribution of the data more efficient. It seems that security configuration issues could have been the root cause of the successful breach.

Unfortunately, many organizations may not realize the security implications of utilizing a CDN. If the data is considered secure because it is behind a firewall but then is replicated outside of the enterprise environment for performance purposes, the security implications are large. Again, it is a mistake to assume that your data and operational systems are protected by default. Thankfully, these problems can be mitigated with better security configuration and the use of encryption.

CRITICAL IP ON YOUR EMAIL SERVER

Sony suffered a breach in 2014 during which hundreds of terabytes of data were stolen. The U.S. Democratic National Committee (DNC) also suffered a data breach in 2016. Both breaches led to sensitive emails being made publicly available by WikiLeaks. The implications were important enough that Sony’s CEO was fired, and the DNC suffered political bruises.

The same is possible for any organization, including industrial organizations where critical operational information is shared. Thankfully, modern email encryption using S/MIME certificates solves this problem. Certificate management and automation solve the problems that used to be associated with S/MIME email encryption, including device provisioning and certificate escrow in case a certificate is lost.

On top of encryption, email signing is an important method of knowing who emails are from, which can be of great benefit in defending against social engineering. An email from someone posing as a colleague, who does not possess that colleague’s S/MIME certificate, will easily stand out against a properly S/MIME-signed email. The security benefits are substantial.

ZERO TRUST: MODERN SECURITY PRINCIPLES

NIST recently published the final version of its Zero Trust Architecture guide. All industrial organizations, OT organizations, and IoT vendors, as well as commercial IoT consumers, should become familiar with the guide’s principles. Because of the trend toward the usage of public clouds and the shift toward resources outside of a traditional behind-the-firewall environment, it is best practice to consider every digital asset to be in a hostile network. This is especially important in this Covid-19 era of remote work.

All of the data breaches mentioned above share a common problem: too much trust.

From the 10,000-foot view, the Zero Trust model assumes that every digital asset needs to be considered as its own network edge, with its own identity that needs to be protected. This is where a confluence of technologies is needed, from modern IAM and PKI for provisioning and managing identities to policy engines that make authorization rules scalable.

Zero Trust is ultimately an expression of the principle of least privileges, which is vital for all organizations to embrace, including industrial and OT. The traditional assumptions about the behind-the-firewall environment have gotten us into a lot of trouble, and it’s time to end that mentality.

TIME FOR CHANGE

In OT environments, attackers have taught us that the concept of an air gap and “security through obscurity” are both myths. Are your systems exposed to the public internet without your knowing it? It’s vital that you find out before attackers do.

Do you have controllers in your operational network that are configured via a built-in web server? Is that web server exposed to the public internet with a weak password? Take inventory of your digital assets. Where are your crown jewels, and how are they protected? Do not assume they are protected by default. Weak credentials, security misconfigurations, and lack of knowing what you have at risk are blind spots. Thankfully, they can easily be fixed. ■

Jason Soroko is chief technology officer at Sectigo.
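The SSH key discussion above says the problem with raw SSH keys is that they never expire and their use is rarely restricted. The following is an added example, not code from the article or from Sectigo: a small audit of an OpenSSH authorized_keys file that reports keys with no expiry, no source restriction, a disallowed key type or a short RSA modulus. The policy thresholds, the allow list and the sample file are constructed assumptions; the from= and expiry-time= options are real OpenSSH authorized_keys options.

```python
"""Audit an OpenSSH authorized_keys file against a simple key-management policy.

Added example (not from the EE Times article or Sectigo). MIN_RSA_BITS, ALLOWED_TYPES
and SAMPLE are assumptions constructed for the demonstration.
"""
import base64
import re
import struct
from dataclasses import dataclass, field

MIN_RSA_BITS = 3072   # assumed policy: smallest acceptable RSA modulus
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-rsa"}

# Line format: [options] key-type base64-blob [comment]; option values may be quoted and contain spaces.
KEY_LINE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>ssh-[a-z0-9]+|ecdsa-sha2-nistp\d+|sk-[^\s]+)\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$'
)


@dataclass
class KeyReport:
    line_no: int
    key_type: str
    comment: str
    problems: list = field(default_factory=list)


def parse_options(text):
    """Turn 'from="10.0.0.0/8",expiry-time="20201231"' into a dict; commas inside quotes are data."""
    opts, token, quoted = {}, "", False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            if token:
                name, _, value = token.partition("=")
                opts[name] = value
            token = ""
        else:
            token += ch
    return opts


def ssh_fields(blob_b64):
    """Split a public-key blob into its uint32-length-prefixed fields (SSH wire format)."""
    raw, fields, off = base64.b64decode(blob_b64), [], 0
    while off + 4 <= len(raw):
        (n,) = struct.unpack(">I", raw[off:off + 4])
        fields.append(raw[off + 4:off + 4 + n])
        off += 4 + n
    return fields


def rsa_bits(blob_b64):
    """Modulus size of an ssh-rsa blob; its fields are 'ssh-rsa', e, n."""
    return int.from_bytes(ssh_fields(blob_b64)[2], "big").bit_length()


def audit(authorized_keys_text):
    reports = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            reports.append(KeyReport(line_no, "?", "", ["unparseable line"]))
            continue
        opts = parse_options(m["opts"] or "")
        rep = KeyReport(line_no, m["type"], m["comment"] or "")
        if m["type"] not in ALLOWED_TYPES:
            rep.problems.append(f"key type {m['type']} not allowed")
        elif m["type"] == "ssh-rsa" and rsa_bits(m["blob"]) < MIN_RSA_BITS:
            rep.problems.append(f"RSA modulus {rsa_bits(m['blob'])} bits < {MIN_RSA_BITS}")
        if "expiry-time" not in opts:
            rep.problems.append("no expiry-time: key never expires")
        if "from" not in opts:
            rep.problems.append("no from= restriction: usable from any address")
        reports.append(rep)
    return reports


def noncompliant(authorized_keys_text):
    return [r for r in audit(authorized_keys_text) if r.problems]


def _sstr(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):  # leading zero byte keeps the mpint positive, as the SSH format requires
    return _sstr(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def fake_rsa_blob(bits):
    """Constructed ssh-rsa blob with a modulus of the requested size; NOT a real key."""
    return base64.b64encode(_sstr(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)).decode()


FAKE_ED25519 = base64.b64encode(_sstr(b"ssh-ed25519") + _sstr(b"\x00" * 32)).decode()  # constructed
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {FAKE_ED25519} alice@laptop",
    f'from="10.0.0.0/8",expiry-time="20201231" ssh-rsa {fake_rsa_blob(4096)} bob@desk',
    f'expiry-time="20210131" ssh-rsa {fake_rsa_blob(1024)} legacy@gateway',
    f"ssh-dss {FAKE_ED25519} contractor@unknown",
])

if __name__ == "__main__":
    for r in noncompliant(SAMPLE):
        print(f"line {r.line_no} ({r.key_type} {r.comment}): " + "; ".join(r.problems))
```

Run against a real file by passing its contents to noncompliant(); only bob@desk passes, because his key is the only one that both expires and is pinned to a source network.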
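The CDN section above describes the blind spot: data that is considered safe because it sits behind a firewall is copied to edge servers that have weaker controls. The table lists "CDN security configuration diagnostics" as the remedy; the following added example (not code from the article or Sectigo) sketches such a diagnostic over a constructed inventory of origins and distributions. The Origin/Distribution schema, the rule set and the sample data are assumptions and do not correspond to any CDN vendor's configuration API.

```python
"""Flag CDN distributions that replicate origin data to the edge with weaker controls
than the origin had.

Added example, not code from the article or from Sectigo. The schema, rules and
sample inventory below are constructed for the demonstration.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass(frozen=True)
class Origin:
    name: str
    classification: str     # "public", "internal" or "confidential" (assumed labels)
    public_read: bool       # True if the origin answers anonymous requests directly


@dataclass(frozen=True)
class Distribution:
    name: str
    origin: str             # Origin.name this distribution pulls from
    https_only: bool        # viewers are forced to TLS
    signed_requests: bool   # viewers must present a signed URL/cookie we issued
    origin_auth: bool       # the CDN authenticates to the origin, so the origin can reject everyone else


@dataclass(frozen=True)
class Finding:
    severity: str
    distribution: str
    message: str


def diagnose(origins, distributions):
    """Apply the rule set and return findings, most severe first."""
    by_name = {o.name: o for o in origins}
    findings = []
    for d in distributions:
        o = by_name.get(d.origin)
        if o is None:
            findings.append(Finding("HIGH", d.name, f"references unknown origin {d.origin!r}"))
            continue
        sensitive = o.classification != "public"
        # The blind spot: data kept behind the firewall at the origin is copied to
        # the edge, where any anonymous viewer can fetch it.
        if sensitive and not d.signed_requests:
            findings.append(Finding("CRITICAL", d.name,
                                    f"{o.classification} data from {o.name} served to anonymous viewers"))
        # Edge-side controls are moot if the origin itself still answers the public.
        if sensitive and o.public_read and not d.origin_auth:
            findings.append(Finding("HIGH", d.name,
                                    f"origin {o.name} is publicly readable and not locked to the CDN"))
        if not d.https_only:
            findings.append(Finding("MEDIUM", d.name, "plain HTTP allowed; data in transit unencrypted"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


# Constructed inventory for the demonstration.
SAMPLE_ORIGINS = [
    Origin("www-assets", "public", public_read=True),
    Origin("build-artifacts", "confidential", public_read=True),
    Origin("firmware-updates", "internal", public_read=False),
]
SAMPLE_DISTRIBUTIONS = [
    Distribution("cdn-www", "www-assets", https_only=True, signed_requests=False, origin_auth=False),
    Distribution("cdn-ci", "build-artifacts", https_only=True, signed_requests=False, origin_auth=False),
    Distribution("cdn-fw", "firmware-updates", https_only=False, signed_requests=True, origin_auth=True),
    Distribution("cdn-old", "retired-bucket", https_only=True, signed_requests=True, origin_auth=True),
]

if __name__ == "__main__":
    for f in diagnose(SAMPLE_ORIGINS, SAMPLE_DISTRIBUTIONS):
        print(f"[{f.severity}] {f.distribution}: {f.message}")
```

The public-website distribution produces no finding; the build-artifacts distribution is the Intel-style case, confidential data readable anonymously at the edge and directly at the origin.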
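The IAM/VPN paragraph above asks for roles with only the privileges a job needs, revoked when it is done, and for certificate-based rather than password-only authentication; the Zero Trust section generalizes this into policy engines that evaluate every request. The following added example, which is not code from the article or from Sectigo, implements both ideas as a deny-by-default engine with time-bounded grants. Role names, resource patterns, the required authentication method and the contractor session are constructed assumptions.

```python
"""Deny-by-default authorization with minimal, time-bounded grants.

Added example for the IAM/VPN and Zero Trust discussions; not code from the article
or from Sectigo. Roles, resources, the auth-method requirement and the demo session
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset   # of (action, resource_pattern) pairs


@dataclass
class Grant:
    principal: str
    role: Role
    expires_at: datetime
    revoked: bool = False


class PolicyEngine:
    """Every request is evaluated on its own; network location implies nothing."""

    def __init__(self, require_auth_method="client-cert"):
        self.require_auth_method = require_auth_method
        self.grants = []
        self.audit_log = []

    def grant(self, principal, role, ttl, now=None):
        """Hand out a role for a bounded time only; it lapses by itself."""
        now = now or datetime.now(timezone.utc)
        g = Grant(principal, role, now + ttl)
        self.grants.append(g)
        return g

    def revoke(self, principal, role_name=None):
        """Revoke as soon as the job is done instead of waiting for expiry."""
        n = 0
        for g in self.grants:
            if g.principal == principal and not g.revoked and (role_name in (None, g.role.name)):
                g.revoked = True
                n += 1
        return n

    def authorize(self, principal, action, resource, auth_method, now=None):
        now = now or datetime.now(timezone.utc)
        decision, reason = False, "no active grant covers this action"
        if auth_method != self.require_auth_method:
            reason = f"authentication method {auth_method!r} not accepted"
        else:
            for g in self.grants:
                if g.principal != principal or g.revoked or g.expires_at <= now:
                    continue
                if any(a == action and fnmatchcase(resource, pat) for a, pat in g.role.permissions):
                    decision, reason = True, f"role {g.role.name} until {g.expires_at.isoformat()}"
                    break
        self.audit_log.append((now, principal, action, resource, decision, reason))
        return decision, reason


# Constructed role: the narrowest set of actions a maintenance contractor needs on one line.
PLC_MAINTENANCE = Role("plc-maintenance", frozenset({
    ("read", "plc/line-3/*"),
    ("update-firmware", "plc/line-3/*"),
}))
T0 = datetime(2020, 12, 1, 8, 0, tzinfo=timezone.utc)


def demo():
    """Walk a contractor session through the engine and return each decision."""
    engine = PolicyEngine()
    engine.grant("contractor-42", PLC_MAINTENANCE, timedelta(hours=4), now=T0)
    h1, h5 = T0 + timedelta(hours=1), T0 + timedelta(hours=5)
    log = "plc/line-3/hmi-logs"
    results = {
        "in_scope": engine.authorize("contractor-42", "read", log, "client-cert", now=h1)[0],
        "wrong_line": engine.authorize("contractor-42", "read", "plc/line-7/hmi-logs", "client-cert", now=h1)[0],
        "wrong_action": engine.authorize("contractor-42", "delete", log, "client-cert", now=h1)[0],
        "password_only": engine.authorize("contractor-42", "read", log, "password", now=h1)[0],
        "after_expiry": engine.authorize("contractor-42", "read", log, "client-cert", now=h5)[0],
    }
    engine.revoke("contractor-42")
    results["after_revoke"] = engine.authorize("contractor-42", "read", log, "client-cert", now=T0 + timedelta(hours=2))[0]
    results["audit_entries"] = len(engine.audit_log)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Only the in-scope request within the four-hour window succeeds; a password-only session, a request outside the role's resources or actions, an expired grant and a revoked grant are all denied, and every decision is written to the audit log.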

        DECEMBER 2020 | www.eetimes.eu