Protecting National Infrastructures against Cyber Threats

At the national level, the option of patching together a random collection of cybersecurity solutions is not enough. We are required to come up with a holistic solution, effectively adapted to the specific operational and business process it should protect.


The range of cyber threats facing national infrastructures does not consist of standard cybercrime only, but also includes terrorist groups and states using cyberspace as an arena for a political and military confrontation.

The complexity of protecting these infrastructures stems from characteristics such as the amount and diversity of the information categories (big data), compartmentalization, and privacy between the individual citizen and the government. The issue of accountability hovers above it all. The damage that might result from an information leak or from reduced availability far exceeds the potential economic or statutory damage: it might affect large segments of the public and even severely disrupt the state's ability to function and conduct its operations normally, in addition to touching on sensitive issues associated with national security.

At the national level, the option of patching together a random collection of cybersecurity solutions is not enough. We are required to come up with a holistic solution that is effectively adapted to the specific operational and business process of the organization we should protect. As an equal priority, we are also required to deal with the “attack surface,” namely – the potential points through which an attacker might be able to attack the organization.

Acquiring and implementing the best security tools on the market does not guarantee effective protection against cyberattacks. In some cases, the user may employ unsuitable tools, make implementation errors or assign unskilled personnel to deploy the cybersecurity solutions. When you search for the common denominator, you will reach the conclusion that the organization that sustained the attack did not have a holistic overview of the cyber issue, namely – some element of the four-part combination of technology, methodology, skilled personnel and awareness was missing or incomplete.

Every cybersecurity project must begin with a vulnerability assessment and a risk assessment, intended to unveil the weaknesses we would like to address in the context of the project. At the national level, a complementary process ensures that the attack surface is minimal with respect to both the required organizational functionality and the attacker's ability to penetrate the organizational security mechanisms. This process addresses the risks and weaknesses identified at the outset of the project, and in addition – it minimizes the attacker's ability to spot weaknesses and risks in the future as well.

A primary emphasis of the holistic cybersecurity solution involves the aspect of system engineering in a complex world. On the one hand, the system should be able to balance between all of the project needs vis-à-vis the problem space and the complex operational and business process, and on the other hand – it should be able to deal with the threatening elements at the national level while still enabling smooth, efficient and convenient system operation.

Another aspect of the effort to protect national projects, which normally receives less attention even in the civilian world, is the task of protecting the Operational Technology (OT) infrastructures. This category includes all the infrastructure systems without which our computer infrastructures will not be able to function: air conditioning, fire extinguishing, power supply and so forth. Attacking these systems could inflict severe and long-lasting damage on the computer infrastructures, to the point that they would have to be replaced.

The realization that the OT infrastructures require protection, and that the protective effort required for this category is essentially different from standard IT security, has not yet become part of general awareness. Many of the companies currently offering solutions for the OT world actually adopt existing solutions from the IT world and, following minor adaptations, present them as solutions for the OT world. This approach misses the primary problems of protecting OT systems, for example the availability and safety of electromechanical processes. In a world where IT and OT operate closely together and are interconnected for operational and economic reasons, disconnecting them is not an option, and this important connection must not be neglected, as an attacker that starts out in the IT network will very quickly migrate into the OT network, and vice versa.

All of the cybersecurity products currently available have failures and weaknesses. Even if those failures and weaknesses are not yet visible and/or well known, they will definitely be revealed in the future. The right thing is to combine different security solutions, so that a failure, when it occurs, remains local and does not shut down the entire organizational security solution. In some cases, this will necessitate the development of additional, specific solutions to complete the jigsaw puzzle. Generally, the cybersecurity solution should ensure that any attacker attempting to neutralize the organization's defenses in order to access its critical assets never has the feeling that he is walking on firm, solid ground.

Cybersecurity projects for the business world present different complexities. First and foremost – classic security problems such as privacy and maintaining the confidentiality of the information in view of evolving regulation. These challenges are a matter of routine, but the complexity level increases even further when national projects are involved.

Defense industries enjoy a substantial advantage in protecting national projects, as they offer proven development capabilities, integration capabilities and extensive experience gained in the world of classic security, which calls for a multi-layered, interdisciplinary overview. In the cyber world, the classic concepts remain valid and central. The change is visible in the cyber-warfare tools and in the language of the solution. 

***

Michael Arov is the Cyber Technologies Line Manager at Rafael
