In November, Natalya Kasperskaya, President of the InfoWatch group of companies and information security expert, spoke at the 2023 Global Smart Industry Conference at South Ural State University. We asked her for an interview for the university website.
– Natalya, please tell us about your speech at the conference.
– The report consisted of two parts. I gave examples of incidents related to information security of industrial enterprises, statistics, mainly global ones. There are very few statistics for Russia, and it is difficult to collect them, because enterprises are not always ready to talk about their failures. Then my colleague, Head of the InfoWatch ARMA product development department at InfoWatch Group of Companies, Aleksei Petukhov, outlined the principles of the approach to creating layered security of automated process control systems, and how this area needs to be developed.
– What are your impressions of Chelyabinsk and the conference?
– This is my first time in Chelyabinsk, but our group of companies has been working in the Urals for a long time now. We are interested in your region: where industry is developing dynamically, there is a field of activity for us. The speech at the conference sparked the interest of the audience and deep questions were asked, which means that people are in the know – that’s nice.
– What is unique about the approach to automated process control system security, and what comprehensive solutions for protecting industrial enterprises does the InfoWatch group of companies offer?
– The solutions are different, but our paradigm is to start with the firewall. The difference between an industrial firewall and a conventional firewall is that it may have lower bandwidth, but it must be able to analyse a large number of industrial protocols. Such unification in automated process control systems, as it is in the corporate segment, is not observed, which is why it is necessary to take into account a wide range of protocols. There are a number of other features.
The first, as already mentioned, is the network firewall. We place it at the centre of the safety concept. Firewalls can be used in different network segments. Or there are architectures in which firewalls are installed together with or instead of the central router, which "orchestrate" the entire network.
The second is an information security incident analysis system, also called an intrusion detection system (IDS).
The third element is the protection of SCADA end devices. In our case it contains only basic elements. If you properly organize security measures and use our Endpoint, then the likelihood of SCADA being compromised is quite low.
The fourth is a control element, a management console. This is a system that allows you to collect information from all our nodes and firewalls and display it on the monitor. Then the administrator looks at it and makes decisions. At the same time, we can manage not only our own components manufactured in the company, but also those security elements that are on the network in general.
I think this is very important, because now in Russia each manufacturer uses its own approach to information security, there is no unity.
For example, Kaspersky Lab comes from the end devices side, they consider this the most important. And they emphasize complexity. Other market participants focus on intrusion detection systems. We make the firewall the central element. Ideally, we could all act as vendors together, putting together some kind of complete system, where everyone does their part – this would be a good breakthrough.
– Unification of the Internet of Things – is this more of a benefit or a threat? How can the Internet and the Industrial Internet of Things be made secure?
– I am a sceptic and do not believe that it can be made 100% safe. A large amount of data, a large number of systems, each system collects and releases data, and in principle, every system can be hacked.
But the more distributed a system is, the more complex it is and the harder it is to cause widespread damage. In this sense, I am not a supporter of unification and a single data management centre, like probably all security specialists; I do not like single centres. A single centre is a single point of attack and, accordingly, makes the attacker’s task easier. A distributed system is more difficult to manage, but also more difficult to disable. Let's not forget about traps that create false targets, forcing an attacker to attack in the wrong place.
In general, my opinion is that with the increasing digitalization of industry, the level of its security is decreasing, and quite sharply.
– Can the Government take any effective measures, GOSTs (All-Union State Standards), laws to make the Internet of Things safe and ensure industrial safety in general?
– The Government is actively working in this direction. There are FSTEC (Federal Service for Technical and Export Control) regulations that are quite well thought out. If an enterprise simply follows the instructions of FSTEC, it will seriously improve its safety. The problem is that complying with them is quite difficult and expensive. That's why not everyone does this. But with the release of the 187th federal law on the security of the critical information structure (CIS) of the Russian Federation, the topic becomes of particular importance.
In fact, the number of attacks last year, which increased sharply with the start of a special military operation, greatly sobered up business. Before this, there had been an illusion that we would deal with digitalization now and take care of security later.
Most security specialists will agree with the statement that it is necessary to build a security system simultaneously with digitalization, and not later. Some things will simply be impossible to fix later.
About eight years ago, there was the Mirai virus – one of the first to attack Internet of Things objects, primarily video cameras. Consumers suddenly discovered that cameras do not have encrypted protocols, and that at any moment an attacker can infiltrate, change the image, or simply send many signals simultaneously until the cameras freeze.
There is only one solution to this problem: unscrew and throw away such cameras, replacing them with ones where the information is encrypted. So postponing security issues until later results in a rework of the entire system. And this is just one example.
– What issues did you discuss with the Governor of the Chelyabinsk Region Alexey Texler?
– Your governor is a very advanced person. We discussed specifically the security of automated process control systems. We had also spoken with Alexey Texler a month ago, and he had said that he had been very concerned about this topic. The South Ural region is developing dynamically, there are many industrial enterprises here, and protecting their information security is what the region needs. I see that here we have areas of common interest, and there are many of them.