Posts

White House Pushes for Security

Since the ransomware attack on the Colonial Pipeline last month, the US government has become more vocal on the need for industrial cybersecurity. A recent memo from the White House to corporate executives and business leaders across the country urges them to protect their companies against hackers. Among the action items is the need to segment networks, to isolate OT from IT.

“It’s critically important that your corporate business functions and manufacturing/production operations are separated,” the memo states, “and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised.”

The memo says that although the government is leading the fight against cyber attacks of all kinds, the private sector is also expected to play its part. Companies are urged to back up data, update systems, and test response plans and implementations. The memo also listed five best practices from the president’s Improving the Nation’s Cybersecurity Executive Order, including:

  1. Multifactor authentication
  2. Endpoint detection
  3. Response to an incursion
  4. Encryption
  5. A capable security team

Isolate Control Networks

Most of the recommendations could apply to any system or network exposed to the Internet, but the White House also included one directly related to industrial systems: Segment your networks to protect operations. Industrial control system networks, it says, should be isolated so they can continue operating even when the management network is compromised.

This was the case with the Colonial Pipeline incident last month. Although the hack caused turmoil in the company and a week of problems for the whole East Coast of the US, it could have been much worse. If the hackers had been able to take control of the pipeline itself, we might have witnessed physical damage both to property and the environment.

To avoid such problems, isolating control networks is critical. This is best accomplished using a DMZ, a “demilitarized zone” that separates control systems from management systems. Using a DMZ ensures that there is no direct link between corporate networks and control networks, and that only known and authenticated actors can enter the system at all.

Skkynet recommends using a DMZ for OT/IT networking, and provides the software needed to seamlessly pass industrial data across a DMZ-enabled connection. Most industrial protocols require opening a firewall to access the data, but Skkynet’s patented DataHub architecture keeps all inbound firewall ports closed on both the control and corporate sides, while still allowing real-time, two-way data communication through the DMZ.
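As an added illustration of the DMZ model described above (not Skkynet's code or configuration), the following Python example audits a firewall rule list for the two conditions the text names: no direct IT/OT path, and no inbound ports open on the control or corporate side. The zone names, the rule format, the sample rules, and a default-deny policy are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # zone that initiates the connection (assumed names: IT, DMZ, OT)
    dst: str     # zone that accepts the connection
    port: int    # destination TCP port
    action: str  # "allow" or "deny"; anything unmatched is assumed denied

def audit(rules):
    """Return (rule, reason) pairs for allow rules that break the DMZ model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if {r.src, r.dst} == {"IT", "OT"}:
            # Corporate and control networks may only meet in the DMZ.
            findings.append((r, "direct IT<->OT path bypasses the DMZ"))
        elif r.dst in ("IT", "OT") and r.src != r.dst:
            # A connection initiated from another zone needs an open inbound port.
            findings.append((r, f"inbound port open on the {r.dst} side"))
    return findings

# Constructed sample ruleset, for illustration only.
SAMPLE_RULES = [
    Rule("OT", "DMZ", 443, "allow"),   # outbound from control side: acceptable
    Rule("IT", "DMZ", 443, "allow"),   # outbound from corporate side: acceptable
    Rule("IT", "OT", 502, "allow"),    # direct corporate-to-control path
    Rule("DMZ", "OT", 4840, "allow"),  # DMZ host initiating into the control network
    Rule("DMZ", "IT", 3389, "deny"),   # explicit deny: not a finding
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src}->{rule.dst}:{rule.port}  {reason}")
```

With the first two sample rules alone, both sides connect outbound to the DMZ and the audit returns no findings.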

We are pleased to see support for securing industrial control systems coming from the White House and US government, as well as governments and agencies throughout the industrialized world. A more secure environment will keep costs down and production running smoothly by keeping hackers out of our control systems.

Case Study: City of Montreal, Canada

The City of Montreal uses DataHub for data connectivity in a 10 billion dollar project to upgrade the quality of drinking water production and distribution.

Is Your Country Cloud-Ready?

Just as the clouds in the sky have no geographic limits and glide over all borders, we might hope that cloud computing would also be an international phenomenon. At the very least, as the various countries around the world go increasingly digital, cloud computing and real-time data interconnectivity should begin to take on a greater significance worldwide. The question then comes to mind: Which countries are best prepared for cloud computing?

A few weeks ago the BSA Global Cloud Scorecard was released, the first report of its kind. The BSA (Business Software Alliance) positions itself as an advocate for the software industry, and its membership is made up of many leading firms such as Microsoft, Apple, Oracle, Intel, Siemens, Sybase, and Dell. The Global Cloud Scorecard is an attempt to rate the top 24 ICT (Information and Communication Technology) countries in the world in terms of their readiness for cloud computing.

The results are interesting, indeed surprising in some ways. Although we would expect the more “developed” countries to be more advanced in their ability to support cloud computing, “troubling obstacles emerge when you examine the lack of alignment in the legal and regulatory environments in many of those advanced countries,” according to the report. At the same time, the strong desire for ICT in advancing countries like China, India, and Brazil doesn’t necessarily make them ideal environments for cloud computing either. Each country has its own legal dynamic that plays out in unique ways.

The 24 countries were evaluated in three broad areas:

1. The legal environment that ensures privacy and security, defines and restricts cybercrime, and upholds the rights of intellectual property.

2. Policies and support for international standards, e-commerce, and free trade.

3. ICT readiness of the general infrastructure, and policies for broadband Internet support.

The printed report provides the detailed scorecard for each country, by category, as well as some graphs for making quick comparisons. The website also features a page in which you can get a verbal summary of the situation, country by country.

Some of the trends that caught my eye included:

Japan is at the top of the chart, as the country is active in cybercrime treaties, IP laws, and international standards. They also have high broadband penetration, and plan to provide access to 100% of households by 2015.

Most European countries scored reasonably well. Germany is near the top, but may drop in the standings if they begin interpreting laws to restrict the flow of data across borders.

The USA is a leader in cybercrime laws; privacy protection is good at the individual level, but inconsistent at the state level. The country has high Internet use, but broadband coverage is not consistent.

China, India, Brazil, and Thailand all exhibit a strong and growing interest in ICT, but have some significant gaps in privacy protection and cybercrime legislation.

Although there may be a few setbacks, my guess is that all of the countries in the report will have made substantial improvements in their scores in the next few years, and there may be new ones added. We look forward to seeing next year’s report.