Cloud Hosting

Paid Feature If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who's going to protect it all?

Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend 'ICSaaS'. "ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.

This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.

The move to cloud-controlled ICS took this long to begin in part because of the cultural differences in the ICS world. One mistake configuring the operational technology (OT) underpinning ICS can have profound effects, Masson says. Opening this infrastructure up to access from the internet was a bold enough step on its own, and took a big cultural shift. Putting the means of control in the cloud takes a further shift in mentality.

"Although there are positives, it will still impact reliability," says Masson. "There are ramifications for ICS performance, security, and therefore safety." Many of these environments can't tolerate any downtime at all.

Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they're attracted by the potential benefits, Masson asserts. The pandemic has been a strong driver, allowing operators to remotely control industrial systems when they haven't been able to come on-site.

Organizations could enable remote access without cloud-based systems by punching holes in on- premises firewalls, but doing so made cloud-based access more plausible, opening up the conversation.

If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces, Masson says. These make the management infrastructure cheaper and easier to operate. He points out the arguments now familiar to IT decision makers, including the opportunity to reduce operators' own hardware investments and potentially cut their data center real estate. Companies are now seriously considering taking advantage of these operational benefits for the first time.

In this scenario, the hardware components that make up ICS stay where they are. We're not talking about virtualizing programmable logic controllers here. It's the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly. Instead of handling planning and scheduling using on-premises data, they'll do it using cloud platforms that then tunnel communications to those legacy systems in the field - which still expect to be spoken to via specialized protocols like Modbus.

Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT, explains Masson. OT is now part of what looks increasingly like a common IT network.

"Now, anybody can access this network from anywhere, so you've got to make sure you have good controls around who's got permission," he says. "This raises questions about data security, compliance, and regulation."

Security teams grappling with this face challenges including more complexity in their infrastructures as they bring different devices and protocols into the fray, with traffic running through different gateways. The number of OT devices can be staggering, far outnumbering the number of servers or endpoints that an IT security team has dealt with before.

OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control, warns Masson. He calls the people looking after this management data in an ICS setting data historians.

"That data is now over the horizon and you need to know what people are doing with it in the cloud," he warns, pointing to a litany of problems with misconfigured databases and storage resources. The prospect of exposing ICS management data to the general public due to a dashboard misstep would turn most data historians grey.

There are organizational worries to consider beyond the technological ones, Masson adds. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both? Do they speak the same language? Will the organization have to contend with political strife and territorial battles?

When all these challenges combine, it's easy for security problems to slip through the gaps. It takes a cohesive approach with multiple checks and balances to ensure protection that extends from the physical equipment in the field through to the infrastructure that controls it in the cloud. It takes a sharp focus on access controls and permissions at all points in the ecosystem.

This new, more complex environment demands a new approach to security, according to Masson.

Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important, he says. Its focus on identity-based access, backed by account controls like multi-factor authentication, is valuable. "But that won't tell you when you've misconfigured something providing you with access to your ICS from the cloud," he points out.

He warns that IT teams can't rely on the same protective measures they used in the past. "They'll have one product for this and another for that, all using hard-coded predefined rules and signatures that aren't really designed to adapt with sudden transformation. The rules-based firewalls that might have offered some protection in the past will no longer cut it in a converged IT/OT cloud-based environment.

Darktraces AI technology flips this narrative, evaluating threats to complex systems not using a rigid set of rules, but instead leveraging unsupervised machine learning to constantly understand an organizations 'pattern of life'.

Instead of running every traffic pattern against a complex and often outdated series of signatures to detect malicious behaviour, Darktrace's tools look for activities that deviate from this pattern of life. If it detects communications between ICS systems that don't usually communicate, for example, or unusual access to ICS control systems in the cloud, its AI will investigate the activity in real time.

If granted permission, Darktrace's Antigena product will also take its own steps to contain the threat. It uses an AI-powered Autonomous Response mechanism that takes measured steps to neutralize malicious behaviour, all while allowing normal business operations to continue to run smoothly.

This approach has the advantage of not relying on deep packet inspection for its results. That's a big plus in an environment where tunnelled communications between cloud-based management systems and ICS components are often so obscure that they're effectively encrypted.

"There are tons of these protocols, some invented by people who are now dead," Masson says. "So we stay protocol agnostic."

While the company is learning some of the protocols for clients that demand it, the AI technology doesn't need to understand what's happening in a packet. Instead, Darktrace looks at what the packet is doing within the broader infrastructure, using its self-learning AI to assess deviations from the norm.

A number of cloud-first critical infrastructure organizations use Darktrace to defend their cloud environments one being Mainstream Renewable Power, a major player in wind and solar energy.

ICSaaS is only one part of a broader shift towards OT/IT convergence, says Masson. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

"Right now people focus on protecting the data that's in the cloud, but with 5G and edge computing that data won't always stay there; it will be on the edge where the computation is actually taking place. Masson argues that self-learning AI, built to maintain a picture of normality in volatile environments, will be well-placed to cope with the speed and complexity of edge-based scenarios.

ICS will be deeply ingrained in this new computing model, which will see local 5G-based networks supporting edge facilities and sensors with software-defined network functions including network slicing. With the world on the cusp of this change, new approaches to protecting it all from attack will be crucial.

Masson is certain that AI will be squarely in the middle of the picture, protecting the network from logic controllers in the field through to virtual servers in hyperscale cloud architectures - and everything in between.

This article is sponsored by Darktrace.

Excerpt from:
The future of OT security in an IT-OT converged world - The Register

Marcella Arthur, Vice President Global Marketing, Unbound Security explores using smarter key management in the cloud

Cloud computing remains a dominant trend in global business, boosted by the mass shift to remote working during the pandemic. A report from Deloitte highlights how investment in cloud infrastructure increased through 2020 with the scale of mergers and acquisitions indicating significant expectations of further growth.

Yet as organisations migrate workloads to the cloud in search of greater agility and innovation and reduced costs, they are facing serious security challenges that conventional approaches fail to meet, particularly if they adopt hybrid approaches. By 2022, analysts IDC estimate more than 90 per cent of enterprises worldwide will be relying on a mix of on-premises/dedicated private clouds, multiple public clouds, and legacy platforms to meet their infrastructure needs. As companies become more distributed and more complex than ever through their entry into the hybrid cloud, they find themselves with massively extended security perimeters while constantly exchanging high volumes of data.

Combined with the imposition of stricter demands by regulators, these developments make control of encryption keys used to protect data more important than ever. For those with heavy investments in on-premise infrastructure, hardware security modules (HSMs), or apps partially in the cloud, the inability to secure and manage the cryptographic keys that protect their data across a multitude of scenarios has the potential to bring their organisations to an extremely costly standstill.

Whenever IT managers decide on a cloud shift that requires some existing hardware to remain intact, among the problems they face are the time-consuming task of maintaining multiple systems, implementing key management solutions, and the creation of multiple keys depending on the application supported and authentication path. Developers and solution architects take on the biggest migration risk, because the painstaking work that it took to develop an application once, may now have to be repeatedly refactored to ensure that keys work anywhere in the cloud, at any time.

For key management, organisations may feel they can rely on the solutions provided by the major cloud service providers (CSPs), who have made encryption simple to activate. Sadly, however, there is a basic security flaw in having the keys held by the same entity that holds the data. It is not just penetration by criminals we should worry about in this respect, it is the government warrants and subpoenas that may force CSPs to open up what they hold. Alongside this vulnerability is one of management. It becomes much harder to achieve consistency of data governance across an organisations entire and varied infrastructure including on-premises hardware when keys are managed by the cloud provider. The way CSPs solutions deliver a segmented picture of the key logs and usage reports makes it impossible for enterprises to manage their entire range of keys in one place with full visibility across all sites.

Time to market for new and existing applications suffers as they require keys to ensure the requisite security policies are met in each case. Security is potentially compromised when organisations are unable to manage keys across disparate sites because of dependencies on the applications they are looking to authenticate, each having been written to specific cloud requirements.

The way out of this tangle is to nail down security with a third-party solution that overrides the complexity of refactoring applications to ensure they work in each cloud environment. Enterprises need to write and manage their own keys on a separate, one-stop platform, using multiparty computation (MPC). MPC splits a secret key into two or more pieces and places them on different servers and devices. Because all the pieces are required to get any information about the key, but are never assembled, hackers have to breach all the servers and devices. Strong separation between these devices (different administrator credentials, environments, and so on), provides a very high level of key protection.

Adopting this approach gives enterprises using hybrid cloud or multi-cloud infrastructures the single-pane-of-glass visibility that is essential for security and surveillance, providing information about all keys and digital assets, how they are stored, who is using them and how they are programmed. The use of cloud crypto keys is no longer a leap of faith.

When organisations are moving into the cloud for greater innovation and efficiency, an MPC platform provides the most effective means of securing and managing encryption keys, being highly agile, adaptable, and easy to use without any compromise of safety.

Read the latest edition of PCRs monthly magazine below:

Like this content? Sign up for thefree PCR Daily Digestemail service to get the latest tech news straight to your inbox. You can also follow PCR onTwitterandFacebook.

See the original post:
Use smarter key management to secure your future anywhere in the cloud PCR - PCR-online.biz

Jointly US-Dutch owned Booking.com was illegally accessed by an American attacker in 2016 and the company failed to tell anyone when it became aware of what happened, according to explosive revelations.

The alleged miscreant, named as "Andrew", is said to have stolen "details of thousands of hotel reservations in countries in the Middle East," according to a new book written by three Dutch journalists.

Their employer, Dutch title NRC Handelsblad, reported the allegations this week, claiming that Booking.com had relied on legal advice from London-based law firm Hogan Lovells saying it wasn't obliged to inform anyone of the attack.

The breach was said to have occurred after "Andrew" and associates stumbled upon a poorly secured server which gave them access to personal ID numbers (PINs), seemingly unique customer account identifier codes. From there the miscreants were able to steal copies of reservation details made by people living and staying in the Middle East. NRC Handelsblad linked this to espionage carried out by the US against foreign diplomats and other people of interest in the region.

Although the accommodation booking website reportedly asked the Dutch AIVD spy agency for help with the breach after its internal investigation identified "Andrew" as having connections to US spy agencies, it did not notify either its affected customers or data protection authorities in the Netherlands at the time, the newspaper allged.

When we asked for comment about the allegations, a Booking.com spokesperson told us: "With the support of external subject matter experts and following the framework established by the Dutch Data Protection Act (the applicable regulation prior to GDPR), we confirmed that no sensitive or financial information was accessed.

"Leadership at the time worked to follow the principles of the DDPA, which guided companies to take further steps on notification only if there were actual adverse negative effects on the private lives of individuals, for which no evidence was detected."

The breach predated the EU's General Data Protection Regulation (GDPR), meaning data protection rules everyone's familiar with today, which (mostly) make it illegal not to disclose data leaks to state authorities, did not exist at the time.

Booking.com was fined 475,000 earlier this year by Dutch data protection authorities after 4,100 people's personal data was illegally accessed by criminals. In that case employees of hotels in the UAE were socially engineered out of their account login details for the platform.

The apparent online break-in once again raises the spectre of European countries being targeted by Anglosphere intelligence agencies. The infamous Belgacom hack, revealed by Edward Snowden in 2013 and reignited in 2018 when Belgium attributed it to the UK, was carried out by British spies trying to gain access to data on people of interest in Africa.

Almost exactly eight years ago, Snowden also revealed the existence of a British spy-on-diplomats programme codenamed Golden Concierge, which on the face of it looks remarkably similar to the Booking.com breach reported this week.

While some readers might shrug and mutter "spies spy," evidence of the theft of bulk data by third parties who may or may not be subject to whatever lax controls spy agencies choose to create for themselves will be cold comfort to anyone who made a Booking.com reservation in the Middle East at the time.

Read more from the original source:
Dutch newspaper accuses US spy agencies of orchestrating 2016 Booking.com breach - The Register