Vicente Segura

Head of OT & IoT Security at Telefónica Tech

I am a Telecommunications Engineer with more than 20 years' experience in Information Security. During my professional career I have held different positions (R&D, development, consultancy), although for the last 5 years I have focused on product management and business strategy, which are the areas I am most interested in.

Mission Critical SOC: The key to resilience of cyber-physical systems
A Mission Critical SOC is a concept that arises from coordinating all the essential cyber security functions so as to maintain up-to-date knowledge of the environment and of the security posture, and to react effectively to any incident. It is a vital resource for significantly increasing the resilience of cyber-physical systems and for ensuring that the whole behaves as one system with complete, end-to-end (E2E) vision and capability. As an entity, the Mission Critical SOC (Security Operations Center) integrates people, processes and technologies to monitor, detect, analyze and respond to cyber threats affecting an organization's critical systems.

Characteristics and challenges of cyber-physical systems (CPS)

Cyber-physical systems (CPS) combine software components with mechanical or electronic parts that interact with each other and with the physical environment, including people. They integrate computing, storage, communication and control of objects in the real world, connecting with each other as well as with communication networks and the Internet. The essence of a cyber-physical system lies in its ability to relate to physical objects: to monitor and control them, and to learn from the information available in the virtual world. Such systems allow intelligent machines to coordinate and control operations in real time, sending operational information to skilled workers. In this way they can automate processes, perform predictive maintenance of machines and infrastructures, optimize operations and learn from the experience shared among them.

✅ Concrete examples of cyber-physical systems include autonomous vehicles, drones, assisted medical devices, industrial robotics systems and the connected home (home automation), among others.
They are therefore very important systems for the economy and society, and in many cases they control critical infrastructures such as water management and treatment, energy generation and distribution, or seaports and airports. Cyber-physical systems improve productivity, efficiency, quality and innovation across sectors, and they have a direct impact on people's health, safety, welfare and economy. Because they rely on the interaction between physical and digital systems (power grids, industrial plants, autonomous vehicles, modern hospitals), they pose complex challenges in terms of resilience and security.

Cyber-physical systems: evolution and difference with IT systems

Cyber-physical systems have evolved from completely isolated operational technology (OT) systems, known as fully air-gapped OT systems, to newly designed cyber-physical systems with much greater connectivity. In their early days, OT systems were connected neither to each other nor to the Internet. Examples include SCADA (supervisory control and data acquisition) systems, which supervise processes and collect their data; ICS (industrial control systems), which control industrial processes; PLCs (programmable logic controllers); and the process control network (PCN), which comprises safety instrumented systems (SIS), engineering workstations and the HMI (human-machine interface).

OT systems eventually began to be partially connected to each other and to IT networks, giving rise to cyber-physical systems through IT/OT convergence. In their most evolved form, cyber-physical systems are based on completely new designs intended to be fully connected: industrial robots, virtual reality manufacturing simulation systems, self-optimizing metal forming machines and adaptive production systems. They are designed to be flexible and adaptive, enabling greater efficiency and responsiveness in production and industrial environments.
Some of the features that distinguish cyber-physical systems from conventional IT systems include:

- Convergence between the IT and OT domains, which implies integrating heterogeneous networks, protocols, standards and devices, as well as different data models, applications and security requirements.
- Dependency and mutual influence between the physical state and the digital state, which makes it more complex and harder to predict and control system behavior in the face of adverse events or malicious attacks.
- Importance of temporal and spatial aspects, which require guaranteeing synchronism, latency and reliability of communications, as well as localization, tracking and mobility of system components.
- Distributed and autonomous nature, involving coordination and cooperation among multiple agents and entities, both human and artificial, with different roles, responsibilities and objectives.
- Direct and potentially critical impact on people's lives, the environment and infrastructure, which requires ensuring their availability, integrity, confidentiality and safety.
- Greater vulnerability and exposure to cyber threats, whose consequences can be serious not only in the digital realm but also in the physical realm and for human health and integrity.

Most common threats and risks

Some of the most common and significant threats to which cyber-physical systems are exposed, as identified by Gartner, include:

- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, which overload or block access to system resources or services, preventing their normal operation or degrading their performance.
- Spoofing attacks, which falsify or alter the information or messages transmitted by the system, deceiving the recipients or inducing them to make erroneous or harmful decisions.
- Data manipulation or alteration attacks (tampering), which modify or delete the information stored or processed by the system, affecting its veracity, integrity or consistency.
- Unauthorized access or information theft (hacking), which obtains or discloses confidential or sensitive system information, violating its privacy, intellectual property or security.
- Sabotage or physical damage (physical attacks), which damage or destroy physical components of the system, such as sensors, actuators, devices or infrastructures, and may cause operational shutdowns, denial of service and financial losses.

Cyber security strategies that traditionally focus on information technology (IT) are not enough to protect cyber-physical systems. Cyber security in critical infrastructures must be addressed in a specific manner tailored to their unique characteristics, to prevent risks that include:

- Harm to the life, integrity or health of people.
- Environmental damage resulting from system failures or malfunctions.
- Loss of customers due to damage to reputation or confidence, or to the ability to meet demands and expectations.
- Fines, lawsuits or legal liabilities due to negligence, regulatory non-compliance or errors.
- Loss of the ability to properly monitor and manage production and safety protocols.
- Loss of control and of the ability to manage or influence the system or its processes.

Protecting these systems is essential to preserve security, business continuity and operations, and even the integrity of modern society.

Cyber security of cyber-physical systems

Cyber security of cyber-physical systems therefore requires a holistic approach that encompasses both the digital and the physical aspects, as well as the interaction between the two.
This is where the Mission Critical SOC comes into play: it must be able to understand the operational context and the potential impact of cyber threats, and to coordinate defense and recovery actions among the different actors involved. It must also take into account the specificities of each application domain, such as real-time requirements, device heterogeneity, user mobility or legal regulation. To achieve this, a Mission Critical SOC must address two key issues:

- A set of countermeasures, or core cyber security functions.
- Mechanisms for coordinating those core functions so as to increase the effective resilience of the system.

Basic cyber security functions

Cyber security managers need a framework with which to represent their strategy, organize their plans and communicate their actions. The Cyber Defense Matrix (Figure 1) consists of a series of columns that represent cyber security functions and a series of rows that represent the different types of assets the organization must protect. Below the matrix, an additional diagram indicates the degree to which each security function depends on the three components of any cyber security solution: people, technology and the processes that must be defined to implement the function correctly.

Figure 1. Cyber Defense Matrix. Source: @SOUNILYU, cyberdefensematrix.com.

It is appropriate to begin by describing the scope of each of the cyber security functions (columns):

- Identify and plan, whose fundamental objective is to achieve a level of organizational awareness sufficient to manage the cyber security risks affecting the organization's systems, people, assets, data and capabilities.
- Protect, focused on developing and implementing appropriate controls to ensure the delivery of the organization's critical services.
- Detect, focused on developing and implementing activities to monitor for and identify relevant cyber security events.
- Respond, focused on developing and implementing response activities for the security incidents detected through the previous functions.
- Recover, focused on developing and implementing activities that ensure resilience by restoring any capability or service affected by a security incident.

It should be noted that these cyber security functions are quite generic. In general, the technologies on the market do not cover them completely; it is necessary to specify on which specific assets (and perhaps under which specific conditions) each one works. The services that Telefónica Tech offers its customers are usually based on a particular technology, so to represent the scope of a cyber security service on the reference framework, a rectangle is drawn covering the cyber security function and the asset types it applies to, as shown in Figure 2.

Figure 2. Map of Cyber Security countermeasures (solutions) for industrial environments.

The following is a description of some of the services that are part of the Cyber Security proposal depicted in Figure 2.

Industrial cyber security assessments

This service gives customers with industrial infrastructures a clear picture of their cyber security status and maturity level. To this end, a survey of the assets of the plant or plants under analysis is carried out by capturing network traffic and analyzing it with tools capable of interpreting industrial protocols, identifying the assets, their communication relationships, vulnerabilities in the configuration of the assets and of the network, and possible malicious activity.

IT/OT segmentation and OT segmentation

This service responds to what is usually the first of the cyber security recommendations proposed after an assessment.
The scope of these projects can be divided into two or more phases, always starting with segregation, to establish a clear perimeter protection barrier between IT networks and networks of an industrial nature (OT). In practice, a complete service consists of the following phases: design of a secure industrial network architecture; supply of the necessary hardware and software, typically next-generation firewalls (NGFW); implementation and configuration of the NGFWs and of the other communication equipment (switches, routers, etc.) that implements the defined network architecture; and operation of the deployed equipment.

OT remote access

The purpose of this service is to provide a secure remote access mechanism for industrial environments, controlled by the client's cyber security managers and reasonably easy to use. The complete service consists of the following activities: design of the remote access architecture, supply of the necessary hardware and software, implementation and configuration of the solution components, and operation of the deployed equipment.

Endpoint protection

The purpose of this service is to implement and operate a solution for protecting the endpoints of industrial environments. In these environments it is not unusual to find industrial equipment controlled by applications installed on operating systems that their manufacturers no longer support. Such systems may therefore carry vulnerabilities that cannot be corrected by upgrading to a newer version of the operating system, so solutions specifically adapted to these cases (application allow-listing, for instance, rather than signature updates alone) are required to prevent those vulnerabilities from being exploited.
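As an added illustration of the assessment and segmentation services described above, and not a tool or code from Telefónica Tech or the original article, the following Python script performs passive asset discovery and an IT/OT conduit check over flow records. Everything in it is constructed for the example: the zone plan, the approved conduits and the flow records themselves (assumed to come from a passive probe that reduces a capture to "src,dst,dport,proto,bytes" lines); the port-to-protocol table covers only a few common industrial and IT services, and the role inference is deliberately port-based, which is why a misplaced IT host polling Modbus shows up as "supervisory" in the inventory and is caught by the conduit check rather than by the inventory.

```python
"""Passive asset discovery and IT/OT conduit check over flow records.

Added example for this article; not Telefónica Tech's assessment tooling.
Assumptions (all constructed here): a passive probe has reduced a traffic
capture to "src,dst,dport,proto,bytes" flow lines, and the zone plan and
approved conduits below are the ones agreed with the plant.
"""
import ipaddress
from collections import defaultdict

# Constructed zone plan, IEC 62443 style: one subnet per zone.
ZONES = {
    "IT": ipaddress.ip_network("10.0.0.0/16"),
    "OT-DMZ": ipaddress.ip_network("10.10.0.0/24"),
    "OT-SUPERV": ipaddress.ip_network("10.20.0.0/24"),
    "OT-CTRL": ipaddress.ip_network("10.30.0.0/24"),
}
INDUSTRIAL_PORTS = {502: "modbus", 102: "s7comm", 44818: "enip", 4840: "opcua", 20000: "dnp3"}
IT_PORTS = {445: "smb", 3389: "rdp", 80: "http", 443: "https", 53: "dns"}
CONTROL_PROTOCOLS = {"modbus", "s7comm", "enip", "dnp3"}

# Approved conduits between zones (directional) and the services allowed to
# cross them. Any cross-zone flow outside this table is a finding.
CONDUITS = {
    ("IT", "OT-DMZ"): {"opcua", "https"},
    ("OT-DMZ", "OT-SUPERV"): {"opcua"},
    ("OT-SUPERV", "OT-CTRL"): {"modbus", "s7comm", "enip"},
}

# Constructed flow records (src,dst,dport,proto,bytes) as a probe might export them.
FLOW_RECORDS = """\
10.20.0.10,10.30.0.5,502,tcp,18200
10.20.0.10,10.30.0.6,102,tcp,9400
10.20.0.11,10.30.0.5,502,tcp,1200
10.10.0.4,10.20.0.10,4840,tcp,50000
10.30.0.5,10.30.0.7,502,tcp,300
10.0.5.23,10.30.0.5,502,tcp,640
10.0.7.9,10.20.0.11,3389,tcp,220000
10.0.3.3,10.10.0.4,445,tcp,800
10.30.0.6,203.0.113.10,443,tcp,3100
"""


def zone_of(ip):
    """Zone name for an address, or EXTERNAL if it is outside the zone plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def service_of(port):
    return INDUSTRIAL_PORTS.get(port) or IT_PORTS.get(port) or "tcp/%d" % port


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes), "service": service_of(int(dport))})
    return flows


def build_inventory(flows):
    """Per-asset zone, services served/used, peers, and a role inferred from ports only."""
    inv = defaultdict(lambda: {"serves": set(), "uses": set(), "peers": set()})
    for f in flows:
        inv[f["src"]]["uses"].add(f["service"])
        inv[f["src"]]["peers"].add(f["dst"])
        inv[f["dst"]]["serves"].add(f["service"])
        inv[f["dst"]]["peers"].add(f["src"])
    for ip, asset in inv.items():
        asset["zone"] = zone_of(ip)
        if asset["serves"] & CONTROL_PROTOCOLS:
            asset["role"] = "controller"      # answers Modbus/S7/ENIP/DNP3: PLC, RTU, ...
        elif asset["uses"] & (CONTROL_PROTOCOLS | {"opcua"}):
            asset["role"] = "supervisory"     # polls controllers: SCADA, HMI, historian, ...
        else:
            asset["role"] = "other"
    return dict(inv)


def check_conduits(flows):
    """Cross-zone flows not covered by an approved conduit (intra-zone traffic is not judged)."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone:
            continue
        allowed = CONDUITS.get((src_zone, dst_zone), set())
        if f["service"] in allowed:
            continue
        if not allowed:
            reason = "no approved conduit %s -> %s" % (src_zone, dst_zone)
        else:
            reason = "%s not allowed on conduit %s -> %s" % (f["service"], src_zone, dst_zone)
        findings.append({**f, "src_zone": src_zone, "dst_zone": dst_zone, "reason": reason})
    return findings


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    for ip, a in sorted(build_inventory(flows).items()):
        print("%-14s %-10s %-11s serves=%s uses=%s" % (ip, a["zone"], a["role"],
                                                        sorted(a["serves"]), sorted(a["uses"])))
    for f in check_conduits(flows):
        print("FINDING %s -> %s (%s): %s" % (f["src"], f["dst"], f["service"], f["reason"]))
```

On the constructed records the script reports four findings: two IT hosts reaching OT zones for which no conduit exists at all (Modbus straight into the control zone and RDP into the supervisory zone), an SMB flow on the IT-to-DMZ conduit that only permits OPC UA and HTTPS, and a controller talking HTTPS to an address outside the zone plan. Those are exactly the flows an assessment would turn into firewall rules or, where the flow turns out to be needed, into an explicit conduit entry.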
OT cyber security monitoring

Managed security monitoring service for industrial environments, consisting of the management of the alerts generated when malicious activity is detected in the industrial environment, health supervision of the monitoring equipment, and reporting on alert generation and handling, changes in assets and the vulnerability map of the environment.

Coordination of cyber security functions

In its role of coordinating the essential cyber security functions, a Mission Critical SOC can ensure that the set of cyber-physical systems acts as one system with end-to-end (E2E) vision and capability, covering both the lowest level of devices and networks and the highest level of services and applications, as well as the interrelationships between them. In this way, the protection of, and access to, cyber-physical systems, which are essential for sustainable development and the well-being of society, can be improved. This requires establishing procedures for the orchestration and automation of the basic security functions outlined above.

____________

Integration of GRC profiles in the Mission Critical SOC
by Elisabet Iglesias, Head of Consultancy

A Mission Critical SOC also facilitates the integration of GRC (Governance, Risk and Compliance) profiles into cyber-physical systems projects, helping to define and enforce the most appropriate cyber security policies, regulations and standards for each context. In this way, the Mission Critical SOC's GRC office provides specialized, high-value consulting services for organizations operating in critical industrial environments. These services include:

- Industrial cyber security maturity analysis, which evaluates the level of protection of industrial assets and processes against cyber threats.
- OT (operational technology) risk analysis, which identifies and prioritizes the most likely attack scenarios and their potential impact on business continuity.
- Master plans (PDS OT), which define the strategy, objectives and actions for improving industrial cyber security in line with the business.
- Design and implementation of industrial cyber security management systems (CSMS), which establish the policies, procedures and best practices needed to secure information and the operation of industrial systems. This includes management systems based on standards such as IEC 62443, ISO/IEC 27019 and ISO/IEC 27701.
- Awareness and attack prevention programs, which raise awareness among personnel and train them on industrial cyber security risks and measures.

These services can be performed jointly with, and integrated into, the Mission Critical SOC. The result is a 360º solution that covers all of an organization's industrial cyber security needs, from strategy and governance through design, deployment and operation, and that provides control and a model for continuous improvement of security.

In addition, the implementation of the NIS 2 Directive establishes cyber security requirements for high-criticality sectors and other sectors that provide essential services to society, with the aim of "improving the resilience and cyber incident response capability of the public and private sector in the European Union." These sectors include energy, transport, health, water, digital infrastructures, ICT services, public administrations and aerospace, among others. The NIS 2 Directive is both a challenge and an opportunity to improve the resilience of cyber-physical systems in these sectors, and a Mission Critical SOC can be a key tool for achieving it.

____________
April 18, 2024
Cyber Security challenges and solutions for IoT medical devices
The healthcare sector is immersed in an unstoppable process of adoption of IoMT (Internet of Medical Things) devices, driven by the undoubted benefits they bring in productivity, innovation and improved service to patients. However, as with any new technology, their arrival comes with challenges that must be addressed for successful adoption. In particular, this growing number of connected devices increases the number and diversity of the organisation's points of exposure, i.e. its "attack surface". Some reports point to continued growth of almost 20% per year in the number of IoMT devices in hospitals during the first half of the current decade (source: Juniper Research). This calls for mechanisms to identify these devices, know their potential vulnerabilities, continuously assess the risk of their exploitation, and implement the measures needed to keep that risk at an acceptable level.

Specific challenges in the health sector

A common problem in the healthcare sector, also found in organisations in other sectors, is the lack of complete visibility of the devices connected to the network; the problem is exacerbated with IoMT devices, which are more heterogeneous than traditional IT systems. The organic and inorganic growth of these organisations (new healthcare facilities and units, mergers and acquisitions) results in a heterogeneous and constantly changing network and systems infrastructure, making it difficult to define and implement consistent governance models and security controls across the organisation. In addition, the uninterrupted availability of their systems and technologies is of vital importance to healthcare organisations, both because of the nature of their business and because of the need to deliver a quality service and protect their reputation.
The project: definition of the architecture, implementation and operation

To meet the usual requirements of projects of this type, several monitoring technologies specialised in healthcare environments are available. One of them is Medigate by Claroty. This technology takes a passive copy of the network traffic as input and is able to identify the devices, their communication relationships with other equipment on the network and their potential vulnerabilities. Deploying it requires a probe in each hospital (the Medigate Collection Service) that communicates with the MAS (Medigate Analysis Server), a cloud platform that provides centralised management of the deployment.

To get the most out of the technology, integrations with other systems must also be carried out, for two main purposes:

- Feeding the monitoring solution with information from other network services to complement its deep packet inspection (DPI) capability: network management systems (SNMP), Active Directory (AD) or asset repositories (CMDB).
- Feeding other cyber security solutions with the information the monitoring solution produces. This gets more out of those solutions, allowing more granular segmentation and filtering rules (firewall, EDR) or access control (NAC) thanks to the better device identification and recognition the technology provides.

Once the deployment architecture and the necessary integrations have been defined, the equipment is deployed and configured in each of the healthcare centres involved in the project. After the deployment, configuration and integration phase, the operation phase begins. This is the key activity in these projects, as it is what turns the investment in technology into ongoing value.
In fact, it is from this point onwards that the activities with a significant impact on the cyber security posture begin:

- Risk management: starting from the information about each device, its vulnerabilities and its communications, the level of risk in the initial circumstances is assessed, together with its potential reduction through countermeasures or remediation actions such as those described below.
- Supporting network segmentation to limit the exposure of devices: a basic measure, but one that requires an analysis of the organisation's network segments (VLANs) and their proper management.
- Definition of network policies: to reduce the attack surface of medical devices at the network level, network policies are applied to communication flows, protocols and ports, customised for the organisation. The technology provides policies based on manufacturers' guidelines, but these do not take into account the characteristics of pre-existing communications and must be customised before they are enforced.
- Alert management: like any monitoring solution, it generates alerts which, in healthcare environments, fall into two groups: alerts specific to medical environments (e.g. unencrypted patient data) and general alerts (e.g. communications with malicious IPs). Procedures in the form of playbooks have been, and continue to be, defined to automate the handling of alerts.
- Vulnerability remediation: some vulnerabilities trigger targeted projects to eliminate them or to mitigate the risk they pose. Examples are moving critical equipment to a dedicated network segment, studying SMBv1 communications hospital by hospital, or addressing vulnerabilities by manufacturer in order to find a remediation mechanism.
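To show the kind of analysis behind the "studying SMBv1 communications hospital by hospital" remediation item above, here is an added Python example (not Medigate/Claroty code, nor the project's own tooling) that decides, for each captured SMB negotiation on TCP/445, whether the session actually ran SMBv1. The point it illustrates is that an SMBv1-framed NEGOTIATE request is not enough to flag a host: SMB2-capable clients still open with one, listing "SMB 2.???" dialects, and it is the server's response that fixes the dialect. The sessions and the raw messages are constructed in the file by the builder functions at the bottom; the (hospital, client, server, request, response) tuple shape is an assumption about what a probe would export.

```python
"""Decide whether captured SMB negotiations on TCP/445 actually ran SMBv1.

Added example; not Medigate/Claroty code. Assumption (hypothetical): a probe
exports each negotiation as (hospital, client, server, request, response),
where request/response are the raw NetBIOS-session frames. The frames used
below are constructed in this file with the builders at the bottom.
"""
import struct
from collections import defaultdict

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_FLAGS_REPLY = 0x80          # bit in the SMB1 Flags byte that marks a response
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x1


def strip_netbios(frame):
    """Drop the 4-byte NetBIOS session header (type 0x00 + 24-bit length)."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated NetBIOS payload")
    return body


def smb1_negotiate_dialects(msg):
    """Dialect strings offered by an SMB1-framed NEGOTIATE request, else None."""
    if msg[:4] != SMB1_MAGIC or msg[4] != SMB1_COM_NEGOTIATE or msg[9] & SMB1_FLAGS_REPLY:
        return None
    word_count = msg[32]                       # parameter words follow the 32-byte header
    params_end = 33 + 2 * word_count
    byte_count, = struct.unpack_from("<H", msg, params_end)
    data = msg[params_end + 2:params_end + 2 + byte_count]
    # Data block: repeated BufferFormat 0x02 + NUL-terminated dialect string.
    return [c[1:].decode("ascii") for c in data.split(b"\x00") if c.startswith(b"\x02")]


def classify_session(request, response):
    """Return (family, dialect, client_supports_smb2) for one negotiation.

    SMB2-capable clients still open with an SMB1-framed NEGOTIATE that lists
    "SMB 2.???"; the server's response decides which dialect the session uses.
    """
    req, resp = strip_netbios(request), strip_netbios(response)
    offered = smb1_negotiate_dialects(req)
    client_smb2 = req[:4] == SMB2_MAGIC or any(d.startswith("SMB 2.") for d in offered or [])
    if resp[:4] == SMB2_MAGIC:
        command, = struct.unpack_from("<H", resp, 12)
        flags, = struct.unpack_from("<I", resp, 16)
        if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
            raise ValueError("expected an SMB2 NEGOTIATE response")
        dialect_revision, = struct.unpack_from("<H", resp, 64 + 4)  # after StructureSize, SecurityMode
        return "SMB2", "0x%04x" % dialect_revision, client_smb2
    if resp[:4] == SMB1_MAGIC and resp[9] & SMB1_FLAGS_REPLY and offered:
        dialect_index, = struct.unpack_from("<H", resp, 33)       # first parameter word
        return "SMB1", offered[dialect_index], client_smb2
    raise ValueError("unrecognised negotiate exchange")


def smbv1_report(sessions):
    """Per-hospital roll-up: SMBv1 sessions, servers that chose SMBv1, clients that only offer SMBv1."""
    report = defaultdict(lambda: {"smb1_sessions": 0, "smb2_sessions": 0,
                                  "smb1_servers": set(), "smb1_only_clients": set()})
    for hospital, client, server, request, response in sessions:
        family, _dialect, client_smb2 = classify_session(request, response)
        entry = report[hospital]
        if family == "SMB1":
            entry["smb1_sessions"] += 1
            entry["smb1_servers"].add(server)        # remediation: disable SMB1 on the server
        else:
            entry["smb2_sessions"] += 1
        if not client_smb2:
            entry["smb1_only_clients"].add(client)   # remediation: upgrade or isolate the client
    return dict(report)


# ---- constructed frames: these builders exist only to fabricate sample traffic ----
def _nb(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def smb1_negotiate_request(dialects):
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27       # 32-byte header, Flags=0
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nb(header + b"\x00" + struct.pack("<H", len(data)) + data)      # WordCount=0, ByteCount, data


def smb1_negotiate_response(dialect_index):
    header = (SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4
              + bytes([SMB1_FLAGS_REPLY]) + b"\x00" * 22)
    # WordCount=17 (NT LM 0.12 response); only DialectIndex matters here, ByteCount=0.
    return _nb(header + bytes([17]) + struct.pack("<H", dialect_index) + b"\x00" * 32 + b"\x00\x00")


def smb2_negotiate_response(dialect_revision):
    header = SMB2_MAGIC + struct.pack("<HHIHHI", 64, 0, 0, SMB2_NEGOTIATE, 1,
                                      SMB2_FLAGS_SERVER_TO_REDIR) + b"\x00" * 44
    return _nb(header + struct.pack("<HHH", 65, 1, dialect_revision))       # StructureSize, SecurityMode, DialectRevision


MULTI = ["NT LM 0.12", "SMB 2.002", "SMB 2.???"]          # what a modern client offers
LEGACY = ["PC NETWORK PROGRAM 1.0", "NT LM 0.12"]          # an SMB1-only client
SAMPLE_SESSIONS = [
    ("hospital-a", "10.1.20.15", "10.1.20.5", smb1_negotiate_request(MULTI), smb2_negotiate_response(0x0302)),
    ("hospital-a", "10.1.20.40", "10.1.20.6", smb1_negotiate_request(MULTI), smb1_negotiate_response(0)),
    ("hospital-b", "10.2.30.7", "10.2.30.2", smb1_negotiate_request(LEGACY), smb1_negotiate_response(1)),
]

if __name__ == "__main__":
    for hospital, entry in sorted(smbv1_report(SAMPLE_SESSIONS).items()):
        print(hospital, entry)
```

The three constructed sessions cover the cases that matter for a per-hospital remediation plan: a modern client whose server answers SMB2 (no action), a modern client whose server still selects NT LM 0.12 (fix the server configuration), and a legacy client that cannot offer anything newer than SMBv1 (the device itself has to be upgraded or isolated). Counting SMBv1-framed requests alone would have flagged all three clients and pointed the remediation effort at the wrong assets.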
Conclusion

The implementation of security monitoring solutions in healthcare environments responds to the demands and challenges of building a better-quality, patient-centred healthcare model. In this regard, Telefónica Tech's Cyber Security products and services, such as those described in this article, are key to tackling cyber security risks and increasing the resilience of healthcare infrastructures.

Authors: Vicente Segura, OT & IoT Cyber Security Product Manager, and Miguel García Parrondo, OT consultant.
September 7, 2023