Cyber-Informed Engineering (CIE) is an initiative by Idaho National Laboratory with funding from the Department of Energy (DOE). The goal of CIE is to secure physical operations through the combination of cybersecurity and engineering approaches. Today, engineering mitigations are used from time to time to address cyber risks but are used neither universally nor systematically. CIE recognizes the importance and necessity of using both engineering tools and conventional cybersecurity designs to secure operational technology (OT) networks.
Protecting Critical Infrastructure
Access to OT information in IT networks, very often through PI servers, is essential to many kinds of business automation, such as automatically ordering spare parts or scheduling maintenance crews. However, because all modern automation involves computers, as businesses continue to automate processes more targets for cyberattacks are created. In addition, data in motion is the lifeblood of modern automation, but all cyber-sabotage attacks on OT systems are information, and every connection between systems and IT/OT networks is an opportunity for attacks to spread. Thus, the more automation is deployed, the more opportunities are created to attack the ever-increasing number of targets. Cybersecurity is an issue that becomes steadily more pressing as businesses automate.
The IT/OT boundary, where PI servers tend to be deployed, is very often a consequence boundary. Worst-case consequences on the OT network are very often dramatically different and more severe than consequences on IT networks. Worst-case business consequences often include expensive incident response costs, such as businesses having to buy identity fraud insurance for customers whose information was leaked into the Internet. On the other hand, worst-case consequences for OT networks in a power plant or a high-speed passenger rail switching system often include threats to worker and public safety, or to the availability of critical infrastructure services to the nation. When worst-case OT consequences are unacceptable, engineering-grade protections must be deployed at the IT/OT interface to prevent worst-case scenarios from being realized.
Conventional OT Security Programs
Using exclusively IT style mitigations to protect critical OT networks is often not enough—when public safety or critical infrastructures are at risk, it is not enough to hope that cyberattacks can be detected before they compromise critical infrastructure. It is not enough to hope that if detected in time, an incident response team can be assembled fast enough to prevent consequences. Engineering-grade designs are expected to reliably perform critical physical operations within a specified threat environment until the next scheduled opportunity to upgrade defenses, with a large margin for error.
The Threat Landscape
Remote-controlled attacks are the modern attack pattern used by hacktivists, ransomware criminals and nation-states. Modern remote-controlled attacks use social media research and clever phishing emails to trick potential victims into revealing passwords or opening malicious attachments. Once remote attackers gain a foothold in their target network, they control the compromised machine remotely, using it to attack other machines through layers of firewalls, including the IT/OT firewalls deployed to send OT data into PI servers to enable IT/OT integration. Attackers then repeat, spreading further until they reach essential OT systems or valuable information that a business would be willing to pay to recover.
‘Living off the land’ is another type of remote-controlled attack seen recently. After gaining a foothold in an IT network, attackers erase all hint of their presence, including any malware that was used to gain their foothold. Eventually compromising the IT domain controller, attackers create their own remote access and credentials. These new accounts look like a normal employee logging in; no alarms are raised as the attackers use normal operating system tools in their attacks, making them extremely difficult to detect.
Unbreachable Protection with Unidirectional Gateways
In the face of sophisticated remote-control attacks, safe integration of critical OT networks with PI servers and other business automations must involve network engineering. The most common approach to network engineering is to protect the IT/OT consequence boundary with a Unidirectional Gateway. The gateways are a combination of hardware and software; the software makes copies of PI and other OT servers from OT networks, while the hardware allows information to travel in only one direction, from the OT network out to the IT network. The gateways move OT data out to where the enterprise can use it while preventing any remote-control attacks or attack information getting back through into the OT network. Even if a deceived insider carries a piece of malware into an OT network and inadvertently activates it, that malware cannot connect out to the Internet through the gateway, much less receive any attack commands from the Internet.
Increasingly, critical infrastructures are expected to have OT networks that operate reliably and independently of the IT network, even when the IT network is compromised. A Unidirectional Gateway provides OT data to PI servers and other business automation, with no ability for malware, remote-control commands or other attack information to penetrate the gateway into operations. By eliminating the risks associated with firewalls at the IT/OT consequence boundary, industrial enterprises can be confident of the integrity of their OT systems, even in the face of the most sophisticated of modern, network-based attacks.
As Cyber-Informed Engineering emerges as the most important change in OT security in a decade, Waterfall Security’s Unidirectional Security Gateways, certified to be truly unidirectional, are leading the world in safe IT/OT and OT/cloud integration, even in the face of the most sophisticated of cyber threats. Watch Waterfall’s webinar “Cyber-Informed Engineering for OT Security and AVEVA PI Users” (May 14, 2024) to see how Waterfall’s solutions enable safe IT/OT integration and protect safe and reliable physical operations, especially for AVEVA PI installations.
Education institutions face a myriad of cybersecurity challenges such as ransomware, third-party access to school systems, internal bad actors and stolen credentials. One of the most impactful vulnerabilities is a lack of awareness across school communities regarding security. For example, individuals who are unable to recognize a phishing text message that asks the receiver to click on an unsafe link because an account has been frozen may potentially put their own data and their school’s data at risk of exposure.
Generative AI is still fairly new to the education space and educators are on both sides of the spectrum of acceptance—some prefer to erase it from their schools while others are open to embracing the up-and-coming technology for use cases not only in the classroom, but also to prepare students for the future workforce.
The DoD aims to refresh technology and standardize user experience across the department as a response to employee feedback. These standards are partially inspired by Zero Trust models and codifying existing standards. Through the implementation of office management and hiring defense digital service experts, agencies will update hardware and endpoints, refresh outdated technology and enhance overall IT capabilities. Executing these standards will require time and financial resources, and to properly utilize all acquired resources, a new generation of industry professionals will need to be onboarded. By building off effective processes from previous initiatives and hiring new talent that is optimally suited for these processes, the department can make strides in software such as cloud computing, generative AI and Zero Trust. The introduction of the Joint Operational Edge Cloud (JOEC) is also critical in accelerating cloud computing for combat tactical edge usage during the interim shifts in technology. At record speeds, the DoD must move from hardware defined enterprise towards modifying software.
With a strong cybersecurity base, universities can reap the benefits of both external and internal digital services. External market data can be used to predict internal performance. Data can help define popular markets, from student demand for majors, future employment opportunities and university competitor information. Educational institutions can utilize technology to analyze data and make millions of calculations in a minimal amount of time. With these predictive analytics, education administrations can make informed decisions when forecasting program sizes, enrollment numbers, scholarships and revenue margins.
Not only will you want to identify where the attack originated, but you’ll also need to quickly ascertain where it has or could spread. This requires finding gaps and vulnerabilities in your network where a virus or piece of malicious code could take root. Unfortunately, network complexity gives attackers better cover and more opportunities to hide.
Last year set a landmark standard for innovation in artificial intelligence (AI). Federal, State, and Local Governments and Federal Systems Integrators are eager to learn how they can implement AI technology within their agencies. With the recent Presidential Executive Order for AI, many Public Sector-focused events in 2024 will explore AI modernizations, from accelerated computing in cloud to the data center, secure generative AI, cybersecurity, workforce planning and more.
Addressing these questions and acting on them means committing to fostering a culture of security and secure best practices. There are many technologies that can aid in this endeavor including artificial intelligence (AI) Ops, which assesses system patterns and behaviors to identify and surface anomalies; IAM, which provides an extra layer of authentication through biometrics and contextual authorization; and cloud and virtual environments, which agencies can employ in combination with infrastructure-as-a-service to enhance security.