I reminisced with a friend yesterday about spending hours in my local Blockbuster store looking for the perfect video rental. Blockbuster had very little cybersecurity exposure, whereas Netflix could be brought down completely by a well-planned and well-executed cyber-attack. CyberMDX, a healthcare-focused cybersecurity company, reported earlier this year that 45% of connected medical devices are exposed to a single, well-known exploit known as BlueKeep – and there are many others. The companies that represent the emerging 4th Industrial Revolution, characterized by integration between physical, digital, and biological systems, demand a new set of requirements to protect their critical infrastructure from cyber threats.
Each of the previous industrial revolutions (steam, mass production, and computers) unleashed an era that dramatically inflated market capitalizations of companies that embraced change and tanked market caps of those that shunned it. There is no clearer illustration than the evolving Dow Jones Industrials components. The past decade has seen bellwethers from the early 1900s like Exxon Mobil, Pfizer, AT&T, Alcoa, Kraft Foods, Raytheon, United Technologies, and General Electric be replaced by 3rd Industrial Revolution companies like Salesforce.com, Amgen, and Apple.
We are at the dawn of what is called Industry 4.0 or the 4th Industrial Revolution (4IR). Klaus Schwab described the fourth industrial revolution as transforming the world in more significant ways with greater impact than the previous three. He argues that the transformation is happening faster and on a larger scale than the previous three. We are now seeing the rise of IoT sensors, actuators, nanotechnology, and machine learning/AI. 4IR unlocks tremendous productivity and efficiency gains by increasing connectivity and programmability across physical, digital, and biological systems.
This is a double-edged sword. Benefits carry a heightened risk of cyber-attacks, because of the very connectivity that creates them. The global pandemic and the desire for remote connectivity and reduced labor costs have eliminated many of the human circuit-breakers that helped prevent runaway access and control by nefarious users (both insiders and outsiders). These dynamics aren’t theoretical anymore.
Hackers employ a sophisticated suite of software and services to attack industrial control systems and other operational technology – the most vulnerable of which are legacy control systems. Hackers leverage techniques like network scanning, credential theft, lateral movement within a network, and social engineering to gain escalated permissions. Many leading cybersecurity companies thwart these tactics by delivering some version of detect and patch, increasingly with artificial intelligence as a key component.
BlastWave turns this model on its head by aggressively segmenting the network down to the individual asset or small cluster and creating a single programmable overlay to protect that network. The underlying architecture is a peer-to-peer mesh network that dynamically creates, manages, and removes VLAN micro-segments and tunnels.
The result is a network whose assets are invisible to outsiders, insiders, and even insiders who have access to the BlastShield network but not to a given high-value asset.
Up until recently, with systems relying on second and third industrial revolution technology, your security posture was readily visible to any would-be thief. With a house or factory, there are fences, gates, locks, security systems, guards, and even guard dogs. From a cyber perspective, things were dirt simple in that almost all of the critical infrastructure and assets were NOT connected to the Internet. That “air-gap” meant that employees needed to go to the facility to operate the equipment. Remote command and control wasn’t an option. As we move toward 4IR, the security controls simply aren’t visible, while the networks are. The new connected infrastructure is secured by things like the SSL/VPN stack, certificate authorities, and usernames/passwords. We know the countless vulnerabilities in these systems, yet they remain the state of the art today, resulting in an acceleration of breaches and successful ransomware attacks.
From a networking perspective, visibility creates interest and intent. If a person can see something worth stealing, that person is more likely to do so than if he or she simply didn’t know that it existed. Many of the existing 4IR systems may protect certain ports and network segments, but the underlying network is still visible to scanning. Scanning allows hackers to gather reconnaissance and assess the nature of the network and its components. For example, if you scan a network and discover an Apache server, you can simply locate Apache server exploits and initiate the attack. Making the network invisible to outsiders and insiders eliminates both the intent and the ability to diagnose the easiest entry point.
BlastWave’s approach is to simply eliminate vulnerabilities by design. The clearest example of this is how we ensure identity and authentication to the network. Bar none, credential theft and phishing are the number one vulnerability that connected systems face today. Depending on the source, identity vulnerabilities comprise over 90% of the attack vectors in cyber attacks and breaches. Our approach is to simply eliminate credentials. BlastWave doesn’t use usernames or passwords to provide “security”. As such, there is no set of credentials to phish or steal. Instead, we replace this with our own triple-factor authentication scheme that protects from replay attacks as well. If you don’t have secrets that can be exposed, insiders and outsiders can’t remotely obtain those secrets and use them for nefarious purposes.
Cyber attacks are accelerating in spite of increased spending on point solutions. Exposure of critical infrastructure and operational technology that is connected to the Internet and cloud services needs a more robust and different solution than is used for classic enterprise IT applications. The consequences of a critical infrastructure attack are more severe than leaking someone’s phone number or address from an insurance company. Additionally, air-gapping or not connecting devices is no longer an option in this 4IR wave of innovation. BlastWave has rethought and redesigned a network solution that can address these requirements.