Dark Reading is part of the Informa Tech Division of Informa PLC

Partner Perspectives  Connecting marketers to our tech communities.
3/2/2015
12:20 PM
Lorie Wigle
No Silver Bullets for Security

A quick-fix security solution for cyberphysical systems doesn't exist.

Silver bullets are a simple solution to getting rid of various mythical monsters; one shot, and they’re done. Unfortunately, securing cyberphysical systems is not so easy. As Frederick Brooks wrote 30 years ago: “There is no single development, in either technology or management technique, which by itself promises even one order-of-magnitude improvement within a decade in productivity, in reliability, in simplicity.”

Cyberphysical systems, where computers and the Internet meet the real world, cover a wide range of devices. Industrial automation, home control, smart grids, and medical devices are just a few examples. These machines make decisions and take actions based on inputs from physical readings. Cybersecurity for these systems is an extension of reliability, protecting them from faults or damage introduced by cyberattacks.

The enemy of the silver bullet solution is complexity. Shooting one werewolf is easy compared to stopping a horde of monsters with different strengths and weaknesses. And the most difficult type of complexity is accidental complexity, which is a reality for many systems and networks. You may start with carefully planned architectures, but growth, acquisitions, crises, and understaffing all contribute to complexity.

Start With Hardware

If there is no silver bullet, what is the solution? It starts at the edge with the hardware. You need to harden the devices and build them on a root of trust. Newer devices can have this designed in, while older ones can be protected behind specially designed gateways. A trusted operating system that can containerize applications to prevent them from seeing all of the system and protect them from each other is a critical component.

The next element is secure communications, both between and within devices. Encrypted virtual private networks should handle all process-to-process communications, regardless of source or destination. This provides an additional layer of authentication, while effectively protecting the system from both eavesdropping and data tampering.

Finally, you have to monitor and manage what is happening, looking for signs of attack, intrusion, or aberrant behavior. There will eventually be far too many devices for humans to monitor, so the best way to handle the necessary scale is with careful establishment of policies, followed by automation to enforce them. Separate systems that have no reason to communicate with each other, restrict access to sensitive data, and lock down single-function devices.
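One way to express "establish policies, then automate enforcement" is a default-deny check over observed network flows. The sketch below is an added example, not code from the article or from any vendor; the device names, zones, ports, and flow records are all constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed inventory (assumption): each known device belongs to one zone.
ZONE_OF = {
    "plc-01": "control", "hmi-01": "control", "historian": "dmz",
    "badge-reader": "facilities", "erp": "corporate",
}
# Zone pairs with a documented reason to communicate: (src_zone, dst_zone, port).
ALLOWED_ZONE_FLOWS = {
    ("control", "control", 502),   # HMI to PLC, Modbus/TCP
    ("control", "dmz", 443),       # telemetry push to the historian
    ("facilities", "dmz", 443),    # badge events to the historian
    ("corporate", "dmz", 443),     # reporting reads from the historian
}
# Single-function devices are locked to an exact list of (peer, port) pairs.
LOCKED_DEVICES = {
    "badge-reader": {("historian", 443)},
    "plc-01": {("hmi-01", 502), ("historian", 443)},
}

def evaluate(flow):
    """Return (verdict, reason). Anything not explicitly permitted is denied."""
    src_zone, dst_zone = ZONE_OF.get(flow.src), ZONE_OF.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown device"
    locked = LOCKED_DEVICES.get(flow.src)
    if locked is not None and (flow.dst, flow.port) not in locked:
        return "deny", "single-function device off its profile"
    if (src_zone, dst_zone, flow.port) not in ALLOWED_ZONE_FLOWS:
        return "deny", "zones have no reason to communicate"
    return "allow", "matches policy"

def violations(flows):
    """Return (flow, reason) for every flow the policy denies."""
    results = [(f, *evaluate(f)) for f in flows]
    return [(f, reason) for f, verdict, reason in results if verdict == "deny"]

# Constructed flow records, standing in for firewall or NetFlow logs.
SAMPLE_FLOWS = [
    Flow("hmi-01", "plc-01", 502),        # expected control traffic
    Flow("plc-01", "historian", 443),     # expected telemetry
    Flow("erp", "plc-01", 502),           # corporate reaching into control
    Flow("badge-reader", "plc-01", 502),  # locked device off its profile
    Flow("laptop-77", "historian", 443),  # device not in the inventory
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port} ({reason})")
```

The same evaluation can run over live flow logs to raise alerts, or be compiled into firewall rules so that the policy is enforced rather than only reported.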

Cyberphysical systems and the Internet of Things have tremendous potential to increase our capabilities, improve productivity, and enable new business models. However, if you do not take security seriously from the outset, a few disastrous security breaches could set the industry back a decade or more. At risk are more than a few million credit card numbers. Attacks on physical systems could damage equipment, disrupt services like electricity, and even cause serious physical harm. What has been happening so far to secure computer networks is not good enough, and the status quo is not the answer. This is an arms race with serious consequences, and you owe it to your customers and your company to get ahead of the enemy.

Lorie Wigle is building a new business focused on securing critical infrastructure and IOT more broadly at Intel subsidiary McAfee. Lorie has been with Intel for nearly 30 years in a wide variety of marketing and technical roles. She has an MBA from Portland State University ...
Comments
rzw122,
User Rank: Apprentice
3/10/2015 | 1:52:21 PM
No Silver Bullets
Another essential component is "buy-in" both from Senior Mgmt and end-users. Unfortunately at present, the majority of regular technology users have no clue of the concept of Info/CyberSecurity- professionals ranging from recruiters and mid & top-level managers to board members, attorneys and physicians give that slack-jawed look whenever the subject is mentioned- they simply do not understand.

And the InfoSec community hasn't necessarily done the best in marketing the concept of Information Security and secure systems, so there's been very little trickle down to average end-users (those most responsible for utilizing all business systems). Recently it seems the government has stepped up efforts in its cybersecurity campaign messages, but it will take a while before the larger community starts getting it.

InfoSec practitioners can't do it alone- we all must join the fight if we are to win this battle.

LoriWigle,
User Rank: Strategist
3/5/2015 | 8:20:06 PM
Re: No Bullets for Security?

Yes, we agree. We certainly cannot keep doing things the way we have been and expect to maintain secure environments.

We believe you have to do three things: 1) Harden the Devices, 2) Secure the Comms, and 3) Manage & Monitor. Your suggestions are great examples of addressing the first two. 

In addition, I'd suggest we not forget how important the monitoring and managing aspects of security are. However, the way we monitor and manage our networks will need to be scaled as the number of devices grows – this is done at the onset, by establishing policies that can be automatically enforced.

In looking at how things stand today, there's work to be done. And it's not an option, it is our duty to our customers and company.

macker490,
User Rank: Ninja
3/3/2015 | 10:13:45 AM
No Bullets for Security?
the title of your essay would better be: "No Bullets for Security?"

the reason is simple: if we keep on doing things the way we have we will continue to get the same results: hackers will make fools of us all.

the first change that must be taken is to insist on secure operating software. the operating software must not allow itself to be modified by the activity of an application program -- whether by error or by intent. product liability law will be needed to ensure this.

the next change that must be taken is to adopt the general practice of authenticating transmittals using public key encryption. transmittals include everything from software distributions, to e/mail, and critical web pages.

next: the current practice of broadcasting x.509 certificates is not secure. every computer user should establish his|her own public key so that critical certificates can be counter-signed. what this means is broadcast certificates will be assigned only marginal trust and as such are not acceptable for financial procedures. you have to countersign the certificate yourself to validate it -- in much the same way we have to call to activate a new credit card.

Credit Unions and similar financial organizations should provide key services to members so that public keys can be countersigned and uploaded onto key servers. this is necessary so that critical services -- such as the IRS -- can validate critical transactions -- such as Forms 1040.

there is much to be done but it is critical to start at the beginning. if we have some who resist doing things the Right Way we need to root these out, and discredit them.

Secure Computing in a Compromised Environment

in the electronic network environment we all need an identity that we can produce in public that will verify our documents and identity -- but which cannot be controlled by an imposter or hacker. to do it all you need is a secure O/S and either PGP/Desktop or the GNU/Privacy Guard (GPG). the tools are available and the methods are known. now the question: are we serious about solving the problem? I think we need to get serious.