Gabriel Álvarez Corrada
Head of Innovation - C4IN R&D CyberSecurity Center
Analysis of an intrusion on the Aristeo platform as a demo of its predictive capabilities
While some people were still sending out New Year's wishes, one of Aristeo's decoys was compromised by an unknown attacker in late January. In this post we walk through a brief analysis of that intrusion as an illustration of Aristeo's capabilities and of the predictive intelligence it delivers to our clients. This is not a technical deep dive into a specific threat, actor or APT group; it is a snapshot of what Aristeo can do to detect actors and threats that had previously flown under the radar.

If you are not familiar with Aristeo, here is a quick overview. Aristeo is a predictive intelligence platform purpose-built to combat industrial cyber threats. The industrial landscape today blends OT, IT and IoT components, so any effective solution needs to natively understand and interpret data tied to those domains. Aristeo generates intelligence by deploying a network of honeypot sensors built with real industrial hardware. These sensors bait and capture real-world industrial cyber threats, learn from them and identify those that pose the greatest potential risk. Using actual industrial hardware ensures that the threats captured are authentic and in context, and because the system is exposed 24/7 to global attack surfaces, the data remains both timely and highly reliable.

The honeypot concept is like a Petri dish used to culture viruses and bacteria: threats are studied in a controlled setting so that we can build better detection tools, vaccines, treatments and mitigation strategies.

Aristeo threat dashboard.

1. Background

It was a cold January morning when the Aristeo alert system flagged an issue: a subsystem inside one of our honeypots had gone down. We jumped on it immediately. Was it a system glitch? An unexpected update? Did someone kick a cable loose? None of the above. Someone had broken into the engineering bay of one of the Aristeo decoys and gone a bit too far, severing the connection and effectively cutting the incident short.
That kind of network cutoff ensures the attacker cannot pivot or escalate beyond the honeypot: nothing in Aristeo's infrastructure can be weaponized for attacks on third parties.

2. Post-mortem

With the alert triggered, the real analysis began. On Aristeo's side we had logs showing multiple successful RDP logins to the engineering bay over several days. But when we checked the logs on the bay itself: nothing. Clean. The first inference was that the attacker had wiped the system logs to cover their tracks, and we knew right away that this was not a rookie. Our RDP service is hardened and patched, and the password is no joke: 20 characters, not dictionary-based. Connections are protected with CredSSP over TLS (1.2 preferred), using elliptic-curve cryptography.

2.1 How did this happen?

As mentioned, Aristeo had detected successful accesses, but on the machine itself there was no trace. Nothing in the event logs. (On Windows, clearing the Security log normally writes its own entry, Event ID 1102, so a log with not even that record is itself a finding worth noting.) The breach might as well not have happened. Except that there was a folder sitting in the Recycle Bin. Inside was KPortScan, a port scanner well known among cybercriminals. The folder, as seen in the screenshot below, also contained two text files: one in French, listing potential targets, and another named "results", showing the IPs the attacker scanned on January 27th. There were also a handful of Qt libraries (a development framework), which are not malicious in themselves or necessarily indicative of a threat.

Note the French-named file. Smart enough to scrub logs, sloppy enough to leave tools in the trash?

Also worth asking: what other tools did the attacker download? None. No evidence of any of the usual hacking or audit tools. But they did install a common piece of software: AnyDesk. It is a legitimate remote access tool widely used by companies for IT support; nobody blinks when it shows up on a device, and it may even come preinstalled on machines in offices or industrial plants.

The problem? That was all we had. No logs. No timestamps. No IPs. No usernames. We were stuck.
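The two things described so far, the network cutoff from section 1 and the record on Aristeo's side that the host's own event log no longer showed, are shown below as an added example. This is not code from the Aristeo platform or from the post's authors, and the post does not describe how the platform implements either check; the record formats, field names, IPs, timestamps and thresholds are constructed assumptions for illustration only.

```python
"""Added example, not code from the Aristeo platform or the post's authors.

Two checks over the out-of-band record that a sensor in front of a decoy keeps,
which is the record that survives when an intruder wipes the host's own logs:
  1. wire-side RDP logons with no matching logon event on the host, and
  2. an outbound fan-out tripwire that says when to cut the decoy's uplink.

Every record, field name, IP, timestamp and threshold below is constructed
for illustration and is an assumption, not a detail taken from the post.
"""
from collections import deque
from datetime import datetime, timedelta


def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sensor record: (time, direction, peer ip, peer port, outcome).
# "in" = connection towards the decoy, "out" = connection the decoy initiated.
SENSOR_FLOWS = [
    (ts("2025-01-23T02:10:11Z"), "in", "203.0.113.17", 3389, "rdp-auth-fail"),
    (ts("2025-01-23T02:10:40Z"), "in", "203.0.113.17", 3389, "rdp-auth-ok"),
    (ts("2025-01-25T23:51:02Z"), "in", "203.0.113.17", 3389, "rdp-auth-ok"),
    (ts("2025-01-26T04:17:33Z"), "in", "198.51.100.9", 3389, "rdp-auth-ok"),
    (ts("2025-01-27T13:58:20Z"), "in", "198.51.100.9", 3389, "rdp-auth-ok"),
]
# Constructed: a port scan launched from the decoy, one SYN per target host,
# 621 distinct targets at 400 ms intervals.
SCAN_START = ts("2025-01-27T14:02:00Z")
SENSOR_FLOWS += [
    (SCAN_START + timedelta(milliseconds=400 * i), "out",
     f"10.20.{i // 256}.{i % 256}", 445, "syn")
    for i in range(621)
]

# Constructed extract of the decoy's Windows Security log as found afterwards:
# (time, event id, logon type, source ip). 4624 with logon type 10 is an RDP
# logon; 1102 is the entry Windows writes when the Security log is cleared.
# The post found an empty log; this extract keeps two entries so the matching
# logic has something to match against.
HOST_EVENTS = [
    (ts("2025-01-26T04:20:05Z"), 1102, None, None),
    (ts("2025-01-27T13:58:41Z"), 4624, 10, "198.51.100.9"),
]


def rdp_sessions_missing_from_host(flows, host_events, slack=timedelta(minutes=5)):
    """Wire-side successful RDP logons with no 4624/type-10 host event from the
    same source within `slack`. The sensor cannot be edited from inside the
    decoy, so each hit is a logon the host record should contain and does not."""
    host_rdp = [(t, ip) for t, eid, ltype, ip in host_events
                if eid == 4624 and ltype == 10]
    missing = []
    for t, direction, ip, port, outcome in flows:
        if direction != "in" or port != 3389 or outcome != "rdp-auth-ok":
            continue
        matched = any(h_ip == ip and abs(h_t - t) <= slack for h_t, h_ip in host_rdp)
        if not matched:
            missing.append((t, ip))
    return missing


def log_cleared_events(host_events):
    """Times at which the host itself recorded that its Security log was cleared."""
    return [t for t, eid, _, _ in host_events if eid == 1102]


def outbound_fanout_alert(flows, window=timedelta(seconds=60), threshold=50):
    """Sliding-window count of distinct peers the decoy connects out to.
    Returns (time, distinct peers) at the first moment the count reaches
    `threshold`, i.e. when the uplink should be cut, or None if it never does."""
    outbound = sorted((t, ip) for t, direction, ip, _, _ in flows if direction == "out")
    recent = deque()   # (time, ip) pairs inside the window, oldest first
    in_window = {}     # ip -> number of pairs for that ip still in the window
    for t, ip in outbound:
        recent.append((t, ip))
        in_window[ip] = in_window.get(ip, 0) + 1
        while t - recent[0][0] > window:
            old_t, old_ip = recent.popleft()
            in_window[old_ip] -= 1
            if in_window[old_ip] == 0:
                del in_window[old_ip]
        if len(in_window) >= threshold:
            return t, len(in_window)
    return None


if __name__ == "__main__":
    for when, ip in rdp_sessions_missing_from_host(SENSOR_FLOWS, HOST_EVENTS):
        print(f"RDP logon from {ip} at {when:%Y-%m-%d %H:%M:%S} is absent from the host log")
    print("host-side 'log cleared' entries:", log_cleared_events(HOST_EVENTS))
    alert = outbound_fanout_alert(SENSOR_FLOWS)
    if alert:
        print(f"cut uplink at {alert[0]:%H:%M:%S.%f}: {alert[1]} distinct targets in 60 s")
```

Run stand-alone, the first check reports three wire-side logons with no host counterpart (the one from the 27th is matched by the surviving 4624 entry) and the tripwire fires 50 targets into the scan, long before the 621st; the window and threshold are the knobs an operator would tune to the decoy's normal outbound behaviour.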
2.2 Aristeo, we need you

At this point a typical analyst would hit a wall. But once you put on the Aristeo goggles, the picture changes.

First, we checked whether the IPs that had successfully accessed the machine (coming from Morocco) had any history with Aristeo or with other major threat intelligence platforms. Nothing. Clean IPs. Then we dug deeper into Aristeo's own intelligence and found related IPs showing activity a month before the intrusion: not enough to brute-force anything, but coordinated probing. Here is a sample table of what we saw. IP addresses have been partially redacted to comply with EU data protection laws.

We also built a timeline showing the key interactions with the decoy leading up to and following the successful intrusions.

Timeline of related activity

You can see that there was nowhere near enough traffic to brute-force the password; public estimates put a brute-force attack on it at some 7 quadrillion years. But Aristeo was able to trace successful accesses that were not in the host logs, because the sensor records them outside the decoy, where an intruder on the machine cannot edit them. It is the same principle as forwarding host logs to a collector the attacker cannot reach: the record that survives is the one written off-box.

When we pulled all the threads together, a picture started to form. It looked like we were dealing with two different actors, which would explain the odd switch between surgical precision one day and amateur missteps the next.

One actor compromised the machine. We are keeping the how to ourselves, but once they had access they installed AnyDesk to maintain persistence in case they lost the RDP session. Thanks to Aristeo, and since the local logs were spotless, we found clear traces of direct connections via AnyDesk after the initial breach.

A second actor most likely bought access to a bundle of pre-compromised machines. That French-language document with targets? Likely part of the package. These do not seem to be high-profile or public targets, just previous victims of actor one (or of someone else). But the second actor never got to launch their plan: they tried scanning 621 IPs from a UK ISP, at which point their connection dropped. From their perspective, the internet just vanished.
And with it, their access to our machine.

2.3 So... now what?

Now comes the learning phase. We need to assess whether Aristeo or its honeypot network can be improved. We are happy with its performance, but there is always room to push further.

As for the intelligence generated, client protection kicked in immediately: as soon as the incident occurred, we passed the data in real time to our DOC (Digital Operations Center) to reinforce defensive postures across the board.

3. Appendix: IoC

3.1 Files Recovered from the System

Authors: Gabriel Álvarez (Head of OT Innovation), Sergio Vidal (OT Innovation Specialist)
March 26, 2025
Cyber resilience law and industrial environments: a regulation in time?
Although it arrives in the middle of a major international storm, better late than never. The implementing regulation on the Cyber Resilience Act was published on December 1, the first step towards its final approval (by the European Parliament) and publication in the Official Journal of the EU. Once it enters into force, manufacturers, importers and distributors of software and hardware products will have 36 months to adapt to its application. It seems like enough time, but many will have to adapt, and a lot will have to change.

It has not been an easy road, as with any standard or regulation that involves so many countries, but the road that started in 2020 has concluded just three years later with the regulation we review below. We will specifically look at some points that matter for its application in the OT field.

Key aspects of the law: scope, responsibility, management and notification

As in any law, the fundamental aspects relate to the concepts in the title of this section, but to what extent?

Scope: in addition to establishing the type of product to which the regulation applies (literally, "all connectable products consisting of hardware and software", or "products with digital elements"), several levels are established for classifying products according to their criticality and the associated cybersecurity risk. Criticality is determined by considering the impact of potential vulnerabilities in the product, while cybersecurity risk is determined by taking into account the product's security-related functionality and its intended use in sensitive environments, such as industrial environments (explicitly mentioned in the document). Within the critical products, two classes are established: "Class I" and "Class II".
The difference between the two is that Class II includes those critical products that present a higher risk with respect to the impact of a vulnerability on essential services and critical infrastructures. This implies that the same product can be found in both classes, which can lead to confusion and directly involves the user of these products (the customer). An example from the industrial field:

Class I: "Industrial automation control systems not included in Class II, such as programmable logic controllers, distributed control systems, computer numerical controllers for machine tools (CNC), and supervisory control and data acquisition (SCADA) systems."

Class II: "Industrial automation control systems intended for use by essential entities of the type referred to in [Annex I to Directive 2022/2555 (NIS2)], such as programmable logic controllers, distributed control systems, computerized numerical controllers for machine tools (CNC) and supervisory control and data acquisition (SCADA) systems."

As mentioned, in the end the destination and use of these systems will depend on the customer, so this aspect will be of great importance for them.

Responsibility: rules are established that shift the burden of compliance towards manufacturers, who must evaluate the status of their product (software or hardware). Risk assessments, declarations of conformity and procedures for collaboration with the authorities when required are examples of this. In addition, the supply chain is expressly mentioned and those involved in it are held responsible. With regard to liability, this law complements Directive 85/374/EEC, which establishes rules on liability for damage caused by defective products. The manufacturer of a product is held liable for damage caused by the lack of security of its product, which is a remarkable leap from the current paradigm.

⚠️ In addition, the manufacturer's liability could apply if the lack of security is considered to be related to a lack of updates. If these responsibilities and penalties are properly landed, we are talking about a before and after in this matter. All of this is more relevant the more critical the systems involved are, since they are more appetizing for an attacker and the damage caused through one of these systems would be greater (which means a higher cost). The industrial field therefore seems to be one of the most affected by the new requirements on liability. Although industrial devices are usually robust, we must not forget that they are increasingly under attack, and their manipulation, shutdown or deterioration leads to large losses within minutes.

Management and procedures: taking responsibility for what happens to the products requires procedures and management that serve to allocate those responsibilities, and the possible penalties should something not conform to the standard. Several concepts in this area:

Lower limits are established for the (expected) useful life of the product; specifically, five years is the generic figure. The arrival of IT and IoT devices in industrial environments means that this type of measure reinforces the entire ecosystem, since industrial devices tend to have longer useful lives and support is always sought accordingly.

The existence of management processes for detected vulnerabilities is required. This also affects importers and distributors, although manufacturers take the lion's share of this requirement. More and more manufacturers of industrial devices already have their own teams for this, but it is good news to stop taking it for granted and to make it the norm.
Measures are set out to improve transparency about the cybersecurity of products for consumers, which is a major step forward in all areas, but especially in IoT and its industrial twin, Industrial IoT.

Notifications: here the law reinforces the need to notify cybersecurity breaches already highlighted in the NIS Directive (and its subsequent versions). The procedure and the need for notification, as well as the establishment of contact points at national and supranational level, are indicated in this section. All this strengthens the entire European cyber structure, which benefits us all. Requiring notifications also allows earlier action on critical infrastructure protection, where, as we can all sense, industrial environments are often present.

Other concepts: the importance of details

In addition to all this, the law makes constant reference to other terms as cornerstones of European cybersecurity legislation. One of those cornerstones is the set of references to other EU regulations, which serve to link this law to the rest of the European framework. The law, therefore, is not a whole in itself but a column within a building with many neighbours (the EU): the more columns, the stronger the building; too many or too few, problems in sight.

The essential services and critical infrastructures of the EU countries are also mentioned throughout the document, making clear the more restrictive scope of this regulation and the relevance it acquires within the EU. Other terms and concepts such as "digital operators", "digital infrastructure providers", "supply chain" or "cloud computing" also make it clear that the intention is to bring access to the Internet and its services, in a general way, under the umbrella of this law. References to security by design are also found in the document, recognising its fundamental importance as a security element that holds up over time.
The law also establishes the need for national and supranational bodies to ensure compliance with the concepts it sets out. These bodies will have to have their own operating procedures and internal coordination so that there is standardisation when evaluating devices and their suitability in each of the areas indicated in the law, and also when a vulnerability or threat is notified, since notification should only be the first step in managing this type of incident. In short, the documents cover the current state of the art, giving the law a broad dimension and providing it with mechanisms to regulate and transform itself to the new realities of the future.

Haste makes waste

The European Union has been working on cybersecurity regulation for years. Although it may seem to us that things are going slowly and late, the reality is that it is not easy to draw up regulations of this magnitude that positively affect countries as different as those that make up the Union. It has been hard work and will continue to be so for years to come, because technology keeps advancing and the bad guys and the good guys are competing in an eternal race (sound familiar?). However, it is critical to lay the groundwork for a legal framework in which regulations are related in a way that leaves the minimum number of holes through which anything can slip. By establishing a general framework, the aim is to protect not only what is fundamental to the functioning of a country (or several countries), but also those who make use of all of it, which is the citizenry in general terms.

The new rules will apply three years after the entry into force of the legislative act, which should give manufacturers sufficient time to adapt to the new requirements. The obligation for manufacturers to report actively exploited vulnerabilities and severe incidents, however, applies earlier: 21 months after entry into force.

◾ The law documents, and more information, are available here: EU Cyber Resilience Act.

It looks like it is all done, and we are just getting started.
January 17, 2024
Cyber Security and the 10 billion dollar strike
The eternal struggle

The race between good and evil always starts the same way: the bad guy runs, because he needs to in order to exist, and pulls one of his tricks, which makes the good guy start running after him. In the cyber world, everything is the same. That cybercrime moves mountains of money is nothing new. We are not even surprised to read an FBI report stating that these mountains can be greater than ten billion dollars. In figures, so we can see the magnitude: 10,000,000,000.

However, when we review certain studies on the state of cybersecurity in companies, we find there is more fear of suffering a cyberattack than willingness to spend to prevent one. Although the figures are frightening, they can be confusing, because they are approximate and because nobody knows what part of the ten-billion-dollar pie their company will have to pay. Moreover, money is only the vehicle for standardising losses. Underneath the money lie moral, reputational, physical and psychological damage... How can we anticipate the impact of this race on companies and society?

Motivations are the important thing, or not

Today we have many tools, many initiatives, many paradigms, and designs with security as the basis of their development... but the bad guy always comes back to run, and to win. Starting the race again requires solid motivations:

Hatred: evil exists.
Revenge: typically an insider.
Money. More money. A lot more money (this is usually the most common).
Political motivations.
"Hacktivism", although if we call it "cybercrime", "espionage" or "cyberterrorism" we also get it right.

In any case, whatever the motivation, the impact of a cyberattack on a company has a seismic effect. It spreads across the entire surface of the company and may even have aftershocks; the consequences therefore persist over time. What are they?
Reputational cost: if your business stops for an undetermined period of time, that is hard, but if it takes a long time to return to pre-cyberattack figures, it is even harder.

Material and immaterial cost (personnel, information, facilities...). This equals a lot of money.

Potential victims (customers, patients, collateral damage): companies are not beings. They are neither guilty, nor innocent, nor victims, nor executioners... However, the people who work in them can be the victims in this case, and their customers as well. People related to an attacked entity may suffer moral damage, lose privacy, health, money... Some of these losses can never be recovered, neither with insurance nor with compensation.

⚠️ Feelings and physical or psychological damage are more difficult to measure, which leads to everything being standardised in hard cash, even though there are unquantified but very real effects underneath.

The IT world

Information technologies were the first to be affected by the dangers of the cyber world, also, perhaps, because they were the first to test the advantages that a connected world could offer. Let us imagine a situation in this area. If a company, say in the health sector, suffers a cyberattack that reaches all the data of its patients, let us say more than two million people, we have the following figures:

Number of victims: 2,000,000.

Reputational cost: very high and recurrent. It is not only the headline. Every day that a victim remembers what happened, or suffers a problem because of it, they will again lose confidence in the entity and experience pain of some kind, which reinforces the negative feeling.

Material cost: of the attack itself, relatively little. But it is going to be difficult to keep the 28,000 employees you have if the reputational cost is high and people stop trusting you, not to mention fines and other costs derived from a cyberattack.
Profit for the attacker: according to our studies, the type of information that moves in a hospital would fetch no less than €50 per record. Doing the maths: more than €100,000,000. Not bad for a few days' work.

Is that a lot? Have we chosen a specific incident to make the numbers scary? According to several specialised media and cybersecurity companies, the healthcare sector suffered, on average, more than 1,400 cyberattacks per week in 2022 (and the 2023 figure is no better). Other media indicate that this activity led to 327 information leaks and 40 million patients affected by them. The source is the industry itself: the Urology Times (big fan of the name). At the same €50 per record, a quick count takes us to €2,000,000,000 of direct (and tax-free, of course) profit. It is true that the stolen information may be "only" names and surnames, which lowers the value of the loot, but surely there will be something more in a hospital. And it is not even the sector that receives the most attacks. The academic sector, which includes research, is the most interesting for cybercriminals because of how lucrative it is to steal intellectual property or to get paid just for delaying someone else's research (a country, a business, a research group, etc.).

The industrial sector, on a terrible upswing

The air gap is long behind us. "Legacy" protocols, services and devices are not. Our beloved bad guys have been in the race for a long time and, having spent a few years training and testing, the number of attacks has skyrocketed. Our threat capture and analysis system for OT environments, Aristeo, captured over 300 million events against its network in the first half of 2023. The number of exposed devices continues to increase, and the vulnerabilities detected and exploitable continue to be "easy" to exploit. We implement security measures, but... "they" are always ahead of us.
If we look at the automotive sector, a company dedicated to manufacturing cars could suffer a data leak, like companies in the IT field, or a stoppage in its processes... or both. Why not? If this happens, how many days does the recovery process take? How many vehicles may be affected? An attacker who leaves a single machine in the automotive manufacturing process unavailable can cause the victim a loss of more than €20 per minute on that machine alone.

Another thing to keep in mind: nowadays the assembly-line manufacturing industry usually has just enough material to continue its processes for a day (there are no large warehouses with millions of parts). Logistics is more complex than calling to pick up or deliver a package. A stoppage in a small part of the chain seriously damages the rest of the process, both upstream and downstream.

⚠️ Recovering a machine from a breakdown is not the same as recovering it after a cyberattack. It is usually not as "simple" as replacing or fixing the machine, because that does not address the underlying vulnerabilities.

And how much is this in terms of money? The question should rather be: is it better to pay the attacker and absorb the losses (surely in the millions) for the damage caused, or is it better to invest a lower amount in cybersecurity measures that minimise the risk of suffering a mishap? Stopping the manufacture of 13,000 vehicles, shutting down several plants globally, absorbing fines and cost overruns for halted logistics... all of that ends up being many more euros than what a company would spend on cybersecurity before suffering a cyberattack. Because after a cyberattack, of course, it is going to spend it anyway.

The race is not over. Cybercrime is becoming more profitable and safer (for the attacker) every day. The data is there. Should we run, then? We must fly.
January 10, 2024
The (call it 'x') industrial revolution: Introducing new trends in industrial Cyber Security
The future was yesterday

We are not finished with the fourth industrial revolution, or Industry 4.0, and we are already defining and trying to implement new concepts that are growing in the heat of the so-called Industry 5.0 (and 6.0). The speed at which changes happen, the advances in technology, the speed at which new terms are introduced to implement new concepts (or not so new ones...): everything leads us to trivialise each change without reasoning in depth about its pros and cons. Clearly the versioning system is "broken" from a human (not technical) point of view. However, the changes behind this change of versions and nomenclatures do deserve analysis, and the analysis cannot be "new thing, good thing". In this article we dwell on concepts we have all heard at some time (a few of them), looking at them as implementations aimed at the industrial cybersecurity ecosystem. In other articles we will refer to them as a holistic implementation within "the factory of the future".

The star of 2023

AI. Artificial Intelligence has clearly been the star of this year. It seems it can do everything, and what it cannot do is because it does not exist in this universe (and any day now it will surprise us...). Beyond what it really can and cannot do today, it is obvious that Artificial Intelligence is a paradigm (not just a technology as such) that is here to stay. Not surprisingly: it is a concept that has been around for more than 60 years, and every computer engineer has studied it. Focusing on cybersecurity, Artificial Intelligence is one more step in the application of rules, inferences, statistics... that have been used for years. One more step, but a very important one. Even with an ANI, or Artificial Narrow Intelligence, the improvements are evident. The capacity for information ingestion, data relations, inferences... everything is more complete and faster.
Will it put an end to the work of analysts and cybersecurity professionals? I don't know. What is certain is that, being a very important element today, as AI capabilities advance and settle definitively at an AGI (artificial general intelligence) level, the ability to make autonomous decisions and to make "analyst" associations and inferences will be greater. In short, in addition to working with information such as indicators of compromise or attack (what is loaded into an IPS, IDS...), AI will work effectively with information related to an attacker's TTPs, their modus operandi. This is a differential leap when it comes to finding patterns, anticipating campaigns, associating threats with APT groups, detecting those APTs when they "sleep" in the system, and so on. These kinds of inferences have so far been the responsibility of human intelligence, and now more help is on the way.

The star of 2022

The metaverse, of course. Although out of focus and seemingly abandoned, the metaverse still has things to offer, though perhaps not what was expected and not now. As a concept it has advantages if it goes hand in hand with improvements in connectivity (hello, 5G SA) and edge computing. Perhaps the initial application should not be an open, non-deterministic world where humans can wander. Proposing much more closed, deterministic environments in which human influence is limited to certain actions is surely a humbler and more sensible step. Following this reasoning and relating it to industrial environments (and cybersecurity), deploying a controlled environment where we can begin to virtualise operations and behaviours (which are not the same thing) would be a good step towards the factory in the metaverse. The basic behaviours are fairly simple to virtualise, because they are machines in certain states. Operation, however, is another story.
It is not a matter of a machine saying "yes" or "no". It is a matter of the virtualised system taking into account how the real machine behaves at the level of the circuit, the logic gate, the electrical signal... and also the wear and tear of the system, the heat given off, the changing conditions of the environment. Achieving this would mean the birth of the first real digital twin. Needless to say, having a virtual system that behaves like a real machine (or a real environment) is a differentiator from a cybersecurity point of view. Being able to deploy such systems to run testbeds, Red Team activities or honeypot-like decoys would be very positive in terms of flexibility and availability. Unfortunately, this is not yet a reality. And as long as it is not, the capture of real threats and the analysis of their behaviour in industrial systems must be done on real hardware, to guarantee real results and avoid the noise of virtual systems. Hello, Aristeo.

The Brown Dwarf

Brown dwarfs are objects too small to sustain the nuclear reactions that their larger stellar siblings can. They therefore do not emit enough visible radiation for us to see them with the naked eye, but there they are... Web3 is that star which is not visible to the naked eye but has been with us for a long time. Why? Because its scope is so global that its application is much slower (and quieter) than that of other technologies and concepts. In other words, it is designed to stay with us for a long time. Regarding industrial cybersecurity, we must bear in mind the following: in an industrial process the security paradigm, the CIA triad (confidentiality, integrity and availability), emphasises the integrity of information.
This does not mean that the other two aspects are not important, but in an industrial process, "manufacturing" (food, electronic devices, drinking water) on the basis of constant and approved values is fundamental. Failure to do so could result in a health or safety issue.

Benefits of Web3

That said, let us talk about the benefits of Web3. Web3's ability to use blockchain as a registry, cryptographically chained, distributed, consensus-based and verified, allows improved security, integrity and traceability of process and value information, as well as of any changes to it. Web3 implies more robust industrial processes that resist changes that could affect us all negatively. In addition, the luxury of deploying humanly unattended systems is something that is not generally possible in the industrial ecosystem, so some of the efficiency and effectiveness gains that such systems bring are lost. Thanks to Web3, the autonomy of industrial systems is improved, establishing a layer of control over their processes with smart contracts that can be linked to events or conditions (changes in values, for instance) that limit their scope.

Walking the way to the future

This is a brief overview of technologies set to make a difference in industrial cybersecurity. However, no technology is free of problems. Those mentioned here have their own challenges, such as the difficulty of transferring the interaction of hardware elements at the circuit and electrical-signal level (or the action of the medium they sit in) to a software world, or the 51% attacks that undermine the reliability of some Web3 features. Going back to the beginning of the article, the speed at which changes are occurring means that "obstacle" is now read not as "impediment" but as "challenge". This leads us to weigh the benefits far beyond these challenges, which moves us forward as a society and as individuals.
There is no path, you build the path (and the future) as you walk.

Cyber Security
Blockchain
Cryptocurrencies: the worrisome phenomenon of rug-pulling (and how to protect yourself)
November 28, 2023
December 20, 2023
Connectivity & IoT
5G Connectivity and its Impact on Industry 4.0: Maturity and Evolution
One of the factors that indicates the maturity of a branch of technology is the incorporation, as the technology evolves, of improvements different from those considered at the beginning. For example, the early evolution of microprocessors was based on raw power and a progressive, slow miniaturisation (mainly limited by heat generation and cost). As the technology matured, other improvements were introduced: several cores within the same processor, power segmentation, reduced consumption, more effort in miniaturisation... In the wireless connectivity of the mobile network, this indicator of maturity has been the 5G standard: a commitment to improvements whose impact goes beyond the usual increase in speed typical of each generation.

However, this post will not analyse the benefits of 5G connectivity; for that we already have some great articles on our blog. Here we are going to talk about how this maturity impacts the Industry 4.0 environment.

As we discussed in our previous article on the approach to cyber security in Industry 4.0, in recent years industry has undergone an intense process of transformation that has been called the "fourth industrial revolution" or "Industry 4.0". This process of digitalisation and development of new technologies seeks to implement improvements such as real-time access to data and business intelligence, which will transform the way production processes are carried out, moving one step further towards the so-called "Smart Factories".

Embracing Industry
The new 5G standard proposes improvements in access to and communication between industrial processes, as well as in the creation of new models and use cases. According to ABI Research, these improvements could reduce maintenance costs by 30% and increase overall efficiency by 7%. This is not by chance.
As can be seen in the image below, the 5G protocol stands on three basic pillars, which offer solutions to the great challenges and advances that the fourth industrial revolution poses.

Image 1 – The triangle of 5G in Industry 4.0. (Source: Spanish National 5G Observatory)

What technologies apply to each pillar, and what do they consist of? Let's get into it:

High bandwidth: eMBB (evolved Mobile Broadband Communications), which enables high transmission speeds. It means that there are no bottlenecks in the transmission of large amounts of information.

Low latency: URLLC (Ultra Reliable Low Latency Communications), which allows connections with latency below 1 millisecond and high reliability, of at least five nines (99.999%), matching the performance previously attainable only through wired connections. This is especially relevant in M2M environments, since it minimises the possibility of two machines working in synchronisation being blocked by latency in the transmission of information or by an unstable connection.

High density: mMTC (massive Machine-Type Communications), which allows a very large number of devices to be connected simultaneously. Where many devices requiring connection are deployed (e.g. sensors), this technology allows all of them to be controlled at the same time, without disconnecting or excluding any of them.

What about security?
The heterogeneity of the OT ecosystem means that classic practices such as patching or network segmentation (restricting internet access for some segments) sometimes become ineffective, or outright impossible, in the face of the diversity of proprietary devices and protocols, or simply because of the peculiarities of each industrial process. In addition, a "Smart Factory" requires communication protocols ready to integrate IT, OT and IoT devices.
This implies deploying different communication networks, both wired and wireless, each with its own vulnerabilities and security challenges, in an environment (once very isolated) that is not prepared to absorb the sudden entry of devices from other fields. However, 5G is the enabling technology for this hybridisation, and it will allow the key communications of Industry 4.0 to be unified. The great advantage of this generation, in addition to its adoption by all the areas involved, is that security by design is a fundamental point of the standard. Likewise, 5G security not only focuses on individual solutions, but also considers the main risks and environmental threats, analysing the scope of each threat and the cost of its mitigation and remediation.

Some of the most relevant security features implemented by 5G are the following:

Radio interface: in order to prevent manipulation of user data, adaptive protection of user-data integrity has been designed, in addition to end-to-end encryption.

User privacy: unlike 4G, user identification information, such as the IMSI (International Mobile Subscriber Identity), is not transmitted in plain text but encrypted over the radio interface.

Authentication: the 5G access authentication process is designed to support the Extensible Authentication Protocol (EAP) specified by the IETF, through a new version of the "Authentication and Key Agreement" (AKA) already used in previous standards.

Roaming security: 5G's service-based architecture defines the security edge protection proxy to implement E2E (end-to-end) protection of inter-carrier signalling at the transport and application layers. This prevents third-party operator equipment from accessing sensitive data.

Such practices are very important, but even more important is that 5G service providers commit to maintaining a chain of trust that strengthens the security embedded in the 5G standard.
In this sense, Telefónica declares in its Digital Manifesto that security is primary. Its executive president, José María Álvarez-Pallete, declared regarding the "Clean Network" initiative that "Telefónica is proud to be a company with a clean 5G access route". Currently, both Telefónica España and O2 (United Kingdom) are totally clean networks, while Telefónica Deutschland (Germany) and Vivo (Brazil) will soon be so. This implies that suppliers throughout the supply chain will be trustworthy, thus minimising a common problem in the area of cyber security.

To sum up…
5G connectivity is the necessary element to lead the "fourth industrial revolution". It is a strategic, well-planned standard that implements the steps needed to show that it is a mature technology, ready to enable the leap that makes the use of technology transparent to the user. In this way, the paradigm of ubiquitous technology coined by Mark Weiser will be fulfilled: "the most profound technologies are those that disappear". We are on track…
November 3, 2020