Cyber threats should be tackled from the root of design, experts say…

Posted on

With British Airways losing 380,000 customer details earlier this month and 145 million social security numbers and 99 million addresses lost by Equifax in May, cyber-security is at the top of every country’s agenda.

The UAE is not immune to such threats, ranking as the second most attacked country in the world, just after Saudi Arabia.

“Cyber physical systems are based on computers and they have sensors,” said Dr. Stefano Zanero, Co-founder and Chairman at Secure Network S.r.l. “They are about creating technology that is smart enough to understand and reason about the world and operate on it. That’s the next frontier of how information technology will penetrate our lives. They have pervaded our societal sphere.”

Speaking during the second day of EmTech MENA in Dubai on Monday on Securing Our Future, Dr. Zanero said political discourse, family relationships and friendships now happen online more than they do offline. Cyber-security experts look at them as a set of challenges. “Cyber physical systems are by nature connected,” he said. “To get good results from their implementation, we must connect them and let them exchange data. Our cars are already piloted by modern computers working together, they’re interconnected among themselves and, as the future comes to us in the form of assisted driving or self-driving, they will be connected to other sensors and external entities.”

He pointed to a map by Shodan displaying oil plants, refineries, wind turbines, and other critical infrastructure that can be connected to. “Many of those are probably connected for a good reason but many are just connected because someone forgot something or assumed they would be secured,” he explained. “Each of them tells a story that we’re connecting our devices to the internet and, sometimes, we don’t think about how connected they are. It means being accessible by good and malicious entities.”

According to Dr. Zanero, cyber physical systems are sometimes a bit too liberally connected but they are also safety-critical as many protect lives. “As cyber security experts, we try to prize the findings of vulnerabilities,” he added. “However, if we focus only on finding them, we end up with the wrong results, where we just break into yet another thing. Finding a vulnerability and solving it leaves us in the exact same place as before, it’s an irrelevant waste of time, and we should focus on securing the systems, rather than solving them one by one – there is a threat model and security must be applied to that model.”

For Justin Fier, Director of Cyber Intelligence and Analytics at Darktrace in Washington, the world has become more connected than ever before. “The legacy approach to security is dead,” he said. “The community is finally adopting new ways of thinking and not repackaging the old.”

In the past year, the energy and utility sector has witnessed a massive spike in attacks. Mr Fier expects that number to double in a year or so. “Countries and nation states are targeting industrial control systems,” he said. “With all this innovation and forward-thinking comes additional risk and the question is are we prepared to address that risk?”

He explained that security teams do not look at everything with an IP address, rather, they look at what has been done in the past.

The last five years have witnessed significant security breaches in large organisations, such as Sony, the Panama Papers and the National Security Agency in the United States. “We’ve become so connected, everything has an IP address,” he said. “This increases risk and vulnerability. The mandate of security teams has not yet trickled down – in the past, it was protecting servers, desktops, laptops and printers. Today, it’s protecting everything with an IP address but it’s not a good position to be in this day and age because it’s impossible.”

He called on avoiding relying on the legacy approach and tackle matters differently. “Our founders took an inside-out approach using the human immune system,” Mr. Fier said. “Our system is built like the human immune system, it detects when there’s an anomaly and notifies you in a physiological way.”

The software uses many types of machine learning, which allows to deploy into the central nervous system, watch every device with an IP address and learn. “Over time, we’ll understand what normal is for the network and any deviation will be notified. Anomaly detection is the future.”

Identity theft was also touched on during the session, with 175 million records breached last year, exposing millions of people’s identities across the world. The US alone witnessed 1,339 breaches with respect to social security information and financial and medical records in 2017.

“Responding to that is very costly,” said Anthony Butler, CTO for IBM Cloud in the Middle East and Africa. “It costs 400 billion dollars a year to respond to cyber security attacks and banks spend a billion dollars annually on identity management solutions.”

The market for human data represents an estimated 150 billion to 200 billion dollars annually. “Our personal data is being bought and sold without our consent, authorisation, consideration or compensation,” he added. “Personal data is a big business. The five problems of identity schemes are proximity, scale, flexibility, privacy and consent. We need to regain control over our identity.”

He mentioned self-sovereign identity, which involves decentralised identification. “It’s a work in progress,” Mr Butler concluded. “Your identity will be issued digitally and that allows for a number of new possibilities.”