Skip to main content

Knowledge Hub

New page title image

The Cyber-First Blueprint: Reimagining Digital System Design

5 min read
The Cyber-First Blueprint: Reimagining Digital System Design

Digital systems drive our world today. From mobile apps and enterprise networks to the pumps in water treatment plants, these systems are integral to everyday operations and are found everywhere. As the threat landscape expands and cyber adversaries increase their attacks, defenders must step up their efforts.

To start, we need to integrate security into the heart of our digital systems from the beginning, not as an afterthought. The good news? Building cybersecurity into everything is feasible – the tools and knowledge to create a new generation of systems that prioritises customer protection are available today.
 

Protecting OT systems

Securing legacy OT systems is significantly more challenging than securing IT, notes Dawn Cappelli, Director of OT-CERT (Operational Technology - Cyber Emergency Readiness Team) at Dragos. This is because OT environments typically operate around the clock with little or no downtime, making proactive security measures like patching a more complex undertaking.

The fact that OT cybersecurity is littered with misconceptions doesn’t help, though. For instance, many believe their OT environments are safely air-gapped, unaware of the dramatic increase in remote access to both IT and OT systems for business continuity, says Cappelli. As a result, even organisations with strong IT security programmes often overlook their OT environments, putting them at risk.

Fortunately, Cappelli says securing OT systems is a solvable problem. “A foundational requirement for designing OT systems for the future is designing security into all industrial control and automation products. IEC 62443 4-1 certification is an important designation that asset owners and operators should look for when purchasing new equipment,” she said.

The next step in designing OT systems for the future is using OT-specific security standards and frameworks. Various standards are available, including those applicable to specific sectors. The Five ICS Cybersecurity Critical Controls by the SANS Institute offers a comprehensive framework tailored to the unique challenges of industrial control systems, she says.
 

Zero Trust with zero disruptions

IT systems that use traditional security models rely heavily on perimeter defences like firewalls and intrusion detection systems. However, this approach introduces vulnerabilities, according to Dr. Eng. Antonio Varriale, Chief Technology Officer of Blu5 Group.

Traditional networks often lack internal segmentation, so relying on perimeter security means adversaries that breach the outer defences can typically move freely within the network. This lateral movement widens the attack surface, increasing the risks of unauthorised access to sensitive data and critical systems.

To address this, Varriale recommends a zero-trust networking approach, which introduces several innovations to eliminate traditional attack surfaces. This includes closing inbound ports, adopting a client-to-client (C2C) topology where all devices act as clients, and implementing Layer 4 micro-segmentation with communication only through service channels.

Zero trust networking can be implemented without major infrastructure change or performance impacts, says Varriale. This is because micro-segmentation operates on top of the existing TCP/IP stack, ensuring stable network performance.

“Integrating Zero Trust principles into existing infrastructures is seamless and minimally disruptive,” he said. “Organisations do not need to replace existing routers, firewalls, or servers. Integration occurs by deploying agents on endpoints, transforming them into secure client-to-client nodes.”
 

New standards for cybersecurity

How can we build resilience into digital systems? According to Sudhir Ethiraj, Global Head of Cybersecurity Office (CSO) & Chief Executive Officer Business Unit Cybersecurity Services, TÜV SÜD, general and industry-specific cybersecurity regulations can push organisations to invest in cybersecurity and enhance customer protection.

"Regulatory frameworks on cybersecurity emphasise the need for embedding security right from the start of the development of digital systems. Harmonised regulations on cybersecurity and data protection ensure baseline cyber resilience and include cybersecurity and privacy considerations by default for customer protection,” said Ethiraj.

He cited the EU Cyber Resilience Act, Radio Equipment Directive (RED), EU NIS-2 and UNECE R155 as examples of regulations enforcing security considerations for manufacturers, infrastructure operators and suppliers, ensuring consumer protection.

“Organisations need to follow the principles of security by design and security by default, ensuring cybersecurity and data protection considerations are included from the start of a product’s design, process and organisational model.”
– Sudir Ethiraj, Global Head of Cybersecurity Office & Chief Executive Officer Business Unit Cybersecurity Services, TÜV SÜD

As industry standards and guidelines evolve, what best practices can organisations adopt to keep up and better protect users? “Organisations need to follow the principles of security by design and security by default, ensuring cybersecurity and data protection considerations are included from the start of a product’s design, process and organisational model.”

Some examples would be the incorporation of regular software updates, regularly auditing existing processes, and conducting cybersecurity drills and training within the organisation – as outlined in various global cybersecurity regulations and standards.

Ultimately, certification bodies have a societal responsibility to enable consumer protection by ensuring state-of-the-art security practices and procedures in line with regulatory requirements and standards, says Ethiraj.

As digital systems become increasingly entwined with our daily lives, the demand for robust cybersecurity measures will only increase, necessitating a proactive approach with cybersecurity integrated into every stage of development and operation. Success will depend on our collective efforts to prioritise cybersecurity and integrate it into the very fabric of all digital and operational technologies.
 

Join Sudhir Ethiraj, Dr. Eng. Antonio Varriale, and Dawn Cappelli at GovWare 2024! Don’t miss Sudhir's session on "Customer Protection by Design – Regulatory, Policy, and Technical Engineering Perspectives" and Dr. Eng. Antonio’s "Advancements in Zero Trust Networking: A Technical Deep Dive into Eliminating Traditional Attack Surfaces" on 17 October. On the same day, catch Dawn Cappelli in the expert panel discussion on "Securing Operational Technology and Building a Sustainable Resilient Strategy." Explore the full event agenda here.

 

 

View All Articles
Loading