IT security in a digital age - can we connect everything and protect ourselves at the same time?

Digitization is finding its way into more and more areas. Industry is no exception. Automation and streamlining of businesses aim to increase the industrial production with the goal of strengthening the country's competitiveness in the world market, creating employment and increasing income. Sweden will be the best in the world at taking advantage of the opportunities of digitalisation. That is the government's strategy.

Production facilities are constantly connected, machines can be controlled remotely via the internet and data can be exchanged within a few seconds. In step with digital development, we see more and more examples of recurring, frequent and more or less sophisticated cyber attacks. That's the new normal.

In many companies, employees struggle with a high workload and a limited budget and have neither the time nor the task to listen to the good advice that comes from IT security experts. We are often reminded of this, for example in February this year when an intruder gained access to a remote system and tried to spit drinking water with lye in a municipal water treatment plant in Florida. Employees at the facility used the same TeamViewer password and had not protected the system properly.

An attack in May 2021 on the Colonial Pipeline, the largest fuel line in the United States, forced them to shut down their pipeline for several days after being hit by ransomware, in order to reduce the risk of the OT (operational technology) part being affected. They paid about $ 5 million in ransom (of which, with the help of the FBI, they managed to get back 3.5). Colonial Pipeline transports petroleum products throughout the southern and eastern United States, approximately 2.5 million barrels per day through a 55,000-kilometer pipeline and supplies 45 percent of all fuel consumed on the U.S. East Coast.

These two events describe only too well the vulnerability of critical infrastructure and production facilities of various kinds.

Today's IT environments consist of a jumble of systems, applications and programs, each maintained by one or more vendors. Often an entire industry uses the same vendor and the same type of system, application or software. Updates must be done regularly and quickly. Frequent shortcomings in the controls of what you put into production, there is no longer any test environment, and most things go automatically. A clear example of this was the update of software from Kaseya that affected thousands of companies globally, including Coop in Sweden.

Many businesses outsource their operations to so-called cloud service providers. It does entail certain risks, such as the lack of competence internally, but it adds to others. This should not be overlooked. Cloud service providers often have plenty of resources and do good security work, but they are not immune. On the contrary, they have become an increasingly popular target for attacks. If you, as an attacker, succeed in taking down a cloud service, you have taken down several connected businesses at the same time.

Not taking IT security very seriously already at the idea and design stage will lead to large costs once they are to be handled. It's like ignoring a toothache and hoping it will go away, while eventually it becomes a painful treatment and maybe even a root canal.

There are three important design principles to take with you:

1: Minimize the attack surface

The attack surface represents all the entry and communication points that an information system has on the outside. The attack surface can be related to a software (operating system, library, read / write access), a network (open ports, active IP, network flows, used protocols), a human (phishing, social engineering) or a physical intrusion (such as inside the building).

An information system with a wide attack surface is more vulnerable to attacks. In fact, filtering and controls make systems more complex to configure and organize. Once all entry points on the attack surface have been identified, both monitoring and protection tools must be implemented. Highly exposed systems should undergo regular security analysis.

Among possible solutions to reduce an attack surface for the operating system, hardening is a well-known, but all too rarely used principle. It is about identifying components that are not or to a small extent used in the system. The purpose is to close services and gates to limit the possibilities for remote interaction with the system.

2: Restrict permissions

According to the French Cyber Security Agency (ANSSI), this principle specifies that an administrator should only have access to administration zones where there is an operational need, without any technical possibilities to access any other zone.

This principle is inseparable from security by design. A clear distribution of assigned tasks, roles and access rights is achieved through partitioning. Once the principle of limited privileges is implemented, it is more difficult to access a subsection of the environment because the attack surface is significantly reduced. Even if the accident occurs, an attack will only have limited consequences.

3: Defense in depth

The term Defense in depth comes from the military, and the purpose is to slow down the enemy. Threats are countered with coordinated and independent lines of defense. In the same way as a gate, security must be monitored, protected and have a continuity plan in the event of an incident.

Putting these three principles into practice already at the idea stage of an application, a system, a connected object or a software does not of course guarantee full resistance to attacks or intrusions, but it creates an environment where you do what you can based on the risks that exist. The model for security by design must be included throughout the product life cycle and must be a common concern for all parties affected by and working with system and software development.

In the end, all security work is about addressing risk. Without risk assessment and measures, you put your head in the sand, and this applies to both IT and OT security. OT security has more similarities to IT security than one might think.

Risk management is based on an assessment of what is worth protecting and from what, in order to build its strategy based on protection needs and then design technology and processes according to needs. It may look different depending on what the threats to the business look like, but in both environments, there is support in standards and practice. In the world of OT, people talk about ISO / IEC 62443 and in the world of IT and information security it is called ISO 27000 (which is a whole family of standards).

Although the benefits of the Internet of Things, or IoT, are undeniable, the truth is that security does not keep pace with innovation. As we increasingly integrate network connections into the country's critical infrastructures, important processes that were once performed manually (and thus enjoyed a degree of immunity to attack) become vulnerable to cyber threats. The increased dependence on networked technology has grown faster than the ability and willingness to secure it.

The IoT ecosystem introduces risks that include malicious actors manipulating the flow of information to and from networked devices or manipulating the devices themselves, which can lead to theft of sensitive data and loss of consumer privacy, business interruptions, or disruptions in communication through large-scale distributed denial-of-service attacks and thus potential disruptions to critical infrastructure.

When we connect something to the internet, it is visible on the internet. And if it is visible, it is reachable and if it is reachable, it is a potential target for attacks, unless we do something to prevent it. Your TV, your refrigerator, your webcam, your toaster, your electricity meter, your power plant, your factory or whatever you now have, can both be attacked and used to carry out attacks on others.

Security cannot be handled with optimism and prayers, it requires systematic work, so I leave some advice along the way:

1. Competence is required both breadthways and in depth, designated resources and a broad participation within the entire business. The management must take the lead and show the way. Adapting efforts and clearly pointing out responsibilities is fundamental to success. A mixed team that encompasses a whole spectrum of perspectives has better conditions for solving problems and sharing information that is crucial for digital defence.

2. Including IT and OT security as a design parameter and as part of the corporate culture helps to improve results. It is not possible to add security afterwards, it will be both expensive and inefficient.

Sophisticated, frequent threats are likely to continue to increase, so each business needs to analyse its risks and take action to mitigate them.

4. Like other risks, cyber risk management requires mandates, resources and responsibilities. It is the management's task to ensure that it exists.

5. Find ways to share information about cyber threats, practices and increase IT security maturity across the sector, increasing stability across the industry. Collaborate with others. The weakness may lie outside one's own organization.

The realization that cyberattacks will continue to occur requires plans that help alleviate damage from fully or partially successful attacks. Practical exercises of such plans make it possible to test and improve both one's own defence and cooperation with others in the sector.

At the same time as the internet and network-based technologies are changing society in a hopefully positive direction, development creates new risks, threats and challenges. A cyber attack on, for example, energy infrastructure, food production, water purification or transport in Sweden can cause serious damage. No single player can handle these challenges on their own. We must work together to create insight, increase awareness and reduce complexity in the field.

Creating a strong security culture among our staff makes all the difference. We will strive to achieve this culture through, among other things, security training, phishing exercises and company-wide preparedness exercises. We also need to introduce new processes and routines for procurement and improve our agreements with suppliers and other business partners in order to strengthen our partners' security posture as well.

Together we make a difference.

Anne-Marie Eklund Löwinder, IT-Security Expert. Internet Hall of Fame inductee since 2013.