The Role of Security in Automation

Prompted by a LinkedIn article written by our good friend James Chappell at Digital Shadows, entitled “The Role of Automation in Security” we thought that it would be a great idea to explore the converse of the concept and write about “The Role of Security in Automation” as this is exactly what we at Awen Collective are addressing.

Automation has almost always been for simplifying repetitive or dangerous tasks (or captivating imagination). This has been the case since the ancient Greek legends of automatons through to the contemporary physical robotics and digital assistants.

Homes, office buildings, factories, airports, national infrastructure, even entire cities are now being connected with systems providing advanced analytics to be able to enhance the efficiency of business and society, and to improve human-safety. However, with the inter-connectivity of physical systems comes the ever increasing ability to attack them. These systems are, for the most part, not IT-based technology (at least not entirely), they are Operational Technologies made with specific control and/or sensory processes in mind. Quite often there is a blend of legacy and contemporary technologies, often with no or limited embedded cyber-security out-of-the-box.

While some organisations are attempting to address this with active monitoring and intrusion detection technologies, they have had limited success due to the requirement of costly network reconfiguration to support these emerging technologies, and a lack of support for the legacy technologies still in use.

Awen Collective takes a different approach. With our experience performing digital forensics on these systems we have developed software (and accompanying techniques) which do not require a significant configuration overhaul. In fact, our software is specifically tailored to work on whichever network topology is in place, even if it is legacy, even if it is serial, even if it is messy and distributed. We give critical infrastructure, advanced manufacturers, smart cities and a whole load of other potential stakeholders the ability to understand the vulnerabilities of their operational networks and their cyber-physical systems. This allows them to better understand their cyber-risk and improve their cyber-security efforts, reducing their cyber-risk in a cost-effective manner and improving their compliance to a plethora of cyber-security related regulations & standards.

If you’re an owner or administrator of operational technologies or cyber-physical systems, ranging from industrial control systems (ICS, such as SCADA or IIoT), networked robotics, building control systems (including physical security and HVAC systems); then we are certainly able to help you improve your cyber-security, reduce your cyber-risks, and improve your compliance. We’re even able to assist post-incident with the necessary investigation and the reporting of the attack to relevant authorities.

Just get in touch, we’re always up for an exploratory chat. Email to schedule in a call or a face-to-face: hello@awencollective.com

We hope to hear from you soon.

Daniel - CEO & Cofounder, Awen Collective

Collaboration across EU helps cyber-security of society

wales-belgium.png

Awen Collective has produced a Software-as-a-Service product called Profile which makes it much quicker and easier for Critical National Infrastructure, their partners and their regulators to perform audits to ensure regulatory compliance to the NIS Directive. We are also actively working on other projects for some of our continental partners.

The NIS Directive is a European Union directive that has, as of 2018, been implemented in law in all 28 member states of the EU (including the UK). This regulation provides a much needed prompt to European critical infrastructure providers to improve the cyber-security policies, processes and technologies within their whole organisation – from board member to engineer, from IT to Operational Technologies (OT).

However, it is not the only good thing that the European Union has done or is doing in regard to cyber-security in general and industrial cyber-security in specific. We don’t even need to mention GDPR. This blog post outlines some of the other great initiatives.

Europe-wide Cyber-Security Initiatives & Programmes

European Union Agency for Network and Information Security (ENISA) – is a great organisation (or agency) which contributes to the network & information systems security across Europe, with a particular focus on ensuring the security and safety of European society, commerce and government. It is a very holistic organisation, very much worth checking out if you have not heard of them. ENISA has done so well over the years, that the EU decided to enhance the powers of ENISA through the Cybersecurity Act of December 2018.

The Computer Emergency Response Teams for the EU institutions, agencies and bodies (CERT-EU). It provides threat intelligence and assistance in the prevention, detection, mitigation and response to cyber-attacks by providing a cyber-security information exchange. It works closely with other CERTs in the public & private sectors across Europe.

The European Cyber Crime Centre (EC3) is a division of the EU agency for law enforcement cooperation (EUROPOL). EC3 assists with the law enforcement response to cyber-crime across the EU, with particular focus on strategy, forensics and operations/intelligence. EC3 publishes the Internet Organised Crime Threat Assessment report, which highlights some interesting information.

The European Cybersecurity Industrial, Technology and Research Competence Centre (ECITRCC) is a policy-driven centre focused on the European digital market. It will contribute to the deployment of the latest cyber-security technology, provide financial & technical support to cyber-security start-ups & SMEs, it will support industrial R&D, push high-levels of cyber-security standards and facilitate cooperation between civil & defence spheres in regard to cyber-security. It is too early to say how effective the Centre will be, but it seems to be very promising.

There is also a significant number of funded R&D initiatives across Europe through the Horizon 2020 framework, which require collaboration from different organisations in at least a few member states and typically support a mixture of SMEs, universities, larger organisations and the public sector across Europe.

Plus much more…

All of the above combine to help everyone to live and work in Europe safely and securely.

What are Awen doing?

Awen have built software to provide solutions to an international problem. One product, Profile, addresses the NIS Directive directly and is naturally a European-focused product. Contact us today to organise a demonstration of Profile. Email: hello@awencollective.com

Meet Awen Collective at InfoSec Europe - 4-6 June 2019

08E57519-45BE-44B4-AF47-CF93FC7F0E3B.JPG

The Awen Collective team will be at Information Security Europe (InfoSec) in London, at the Olympia, from the 4th to the 6th June 2019. You will be able to find out more about us, and talk with us, at the Welsh Government stand at Stand Q75. Tickets for InfoSec 2019 are free prior to the first day of the event, so book in advance. The event buzzes every year, with a passion for cyber-security, it is truly a must-see in the UK.

Our CEO & CTO will be around for meetings in the afternoon and evening of the 4th June, and the rest of the team will be able to answer any general questions on the 5th and 6th June. To set up a meeting in advance, please email hello@awencollective.com with the subject line InfoSec 2019 and we will confirm as soon as we can.

Cyber Attacks on OT on the rise, and why we should be concerned

Last week, cyber security experts Fortinet published a report on security trends within Operational Technology, again putting the spotlight on these highly vulnerable and increasingly attacked systems, many of which are responsible for providing critical services to society worldwide.

There was an indication that bespoke OT cyber attacks are on the increase, targeting specific vulnerabilities within SCADA and ICS systems. Whilst this is certainly a serious concern, almost more shocking is that the majority of attacks on OT systems are via IT-based legacy attacks which would no longer be effective on modern IT systems. These OT systems are comprised of aging hardware, running unpatched software, and leaving them highly vulnerable to even basic IT-based cyber attacks. This leads to an ability for bad-actors to be able to effectively disable an OT environment with no specialist or prior knowledge of the specific systems involved - leaving no specific ICS/SCADA devices secure, regardless of vendor, software or hardware involved.

There also seems to be continued ongoing neglect of basic cyber-hygiene within ICS and SCADA environments, with almost a third of OT devices directly connected to the internet, and another third accessible from the internet via the IT enterprise. Whilst there is an acknowledgement that there are many benefits from connecting the OT environment to the IT network to increase efficiencies and visibility, leading to optimisations and significant cost savings, these are in direct opposition to the increased security risk. These findings seem to point towards a scenario where potential cost savings are considered above the cyber-risk by the decision makers within these organisations, leading to the highly vulnerable situation that Fortinet are now reporting on.

To add to this, it is reported that more than 8 in 10 respondents to a survey stated that they are unable to identify all the devices connected to their OT and IT networks. How can OT operators begin to mitigate the cyber risk within their environments when they don’t even have the visibility into the devices they need to protect? This is something we are keenly aware of at Awen Collective, and we’re here to help. Our asset and risk discovery software, Dot, exists to provide a deep level of understanding of an OT environment, highlighting key concerns and helping cyber security, OT engineering and corporate compliance teams to manage their responsibilities with the best information available to them.

What the report doesn’t focus upon is the environments where these systems are operating, and the potential affects on the operators and their clients. Whilst many these systems exist within manufacturing facilities, and naturally there are huge costs associated with attacks within the manufacturing sector, there is more at play here than just monetary loss by large-scale manufacturers. ICS and SCADA systems are a key part of how providers of critical national infrastructure deliver their services to society. This includes the provision of electricity, water, sewerage, transportation and healthcare. If any of these services were interrupted or disabled due to a cyber attack, there’s a strong likelihood of widespread disruption, potentially leading to societal destabilisation and loss of life.

There has been an effort by EU legislators to address this concern, introducing the NIS Directive and ensuring that all EU states bring into law that critical national infrastructure operators are considering their cyber security across their entire IT and OT estates, and embedding good cyber security practice at all levels of their organisations. Based on this report, there should be some significant hurdles for CNI operators to overcome to get themselves entirely compliant with the directive. With fines of £17 million or 4% of annual turnover due to be levied against operators not found to be compliant, it should be a strong wake-up call for business decision-makers across CNI organisations. To help, Awen Collective offers Profile – a compliance checking tool for the NIS Directive, allowing a CNI organisation to easily and quickly determine their current compliance level, identify weaknesses to overcome and get advice on next steps.

We’re thankful to Fortinet for their report, and we’re looking forward to continuing to help ICS and SCADA operators solve the cyber security issues they have. If you’re looking for cyber security solutions for your OT environment, reach out to us at hello@awencollective.com.

Industrial communications at risk of cyber-attacks

There are 3 million companies using the WhatsApp Business app across the globe, and 1.5 billion individuals using the original WhatsApp app for a mixture of business and personal use [1]. Its ease of use combined with its advertised end-to end encryption and the fact that it is a subsidiary of Facebook mean that people trust it for their daily communication.

Unfortunately, an exploit was found in WhatsApp which led to a cyber-attack on a UK-based attorney on the 12th May 2019 [2]. The vulnerability allows malicious code to be deployed on the receiving device, which could lead to further exploitation, in this case spyware which allows read-write access to the device. The vulnerability was patched, and updates released on various mobile operating systems by Monday 14th May 2019. Always ensure that you regularly check updates to your mobile applications.

While WhatsApp is probably not being used for operational communication within Advanced Manufacturing & Critical Infrastructure, the culture of Bring Your Own Device (BYOD) is increasing. These devices may be used for a mixture of personal and business communications, which in some cases may lead to a conflict with GDPR [3]. They may or may not be connected to the business Wi-Fi, which in may mean that vulnerabilities and exploitations are present within the corporate networks. We urge organisations, especially those who use highly connected devices, such as automation devices, to look at their cyber-threat risks, and to mitigate them – not necessarily by banning devices, but by ensuring adequate education of staff and contractors.

Another option, of course, may be to avoid the use of WhatsApp within business altogether, perhaps using well-supported secure communications software such as Novastone [4], who are our fellows of the first cohort of the Tech Nation Cyber programme [5], or by promoting the use of an alternative secure communications system such as the open-source Signal [6]. Whichever communication technology is used, risks must always be considered, especially attempting to mitigate unknown-unknown vulnerabilities.

At Awen Collective we have developed our Dot software to specifically look for devices on an operational network within industrial control networks or building control networks. We use specially developed safety-critical techniques to automatically discover devices on the network, and assess their vulnerabilities. Find out more about Dot and contact us today.

Sources & Links – all last accessed 16th May 2019

[1] https://99firms.com/blog/whatsapp-statistics/  

[2] https://www.cityam.com/277567/whatsapp-hack-tech-giant-urges-15bn-users-update-app-after

[3] https://www.thebci.org/news/are-whatsapp-and-gdpr-on-a-collision-course.html

[4] https://www.novastonemedia.com/

[5] https://technation.io/programmes/cyber-security/

[6] https://signal.org/

[7] Official CVE from Facebook/WhatsApp: https://www.facebook.com/security/advisories/cve-2019-3568

Awen Collective wins a place on the Tech Nation Cyber programme

The 1st Cohort for the Tech Nation Cyber programme has been announced and consists of the 20 leading Cyber-Security companies across the United Kingdom. We have the pleasure to announce that Awen Collective is in this wonderful scale-up programme.

We are very excited about this opportunity, which will help us to build on the fantastic work that our team at Awen Collective have done so far, and to assist with scaling and growth, marketing and international expansion. This programme will help us to address Digital Forensics & Incident Response within Critical Infrastructure & Manufacturing, not just within the UK and EU, but across the whole world.

We are looking forward to the launch event in the Cotswolds at the beginning of May, where we will connect and re-connect with the other companies in this inaugural cohort, as well as the cyber-security leaders who will be assisting with the workshops and events.

We are looking forward to working with all of the cohort members, which include our fellow South Wales Cyber Cluster member Fortium Technologies, and the company that won the NCSC/DCMS Cyber Dragons Den the year before we did iProov.

The announcement has been made on the Tech Nation blog, and has also been published on Information Age. Plus you can follow the news on Twitter with the hashtag #TechNationCyber.

To learn more about the products and services at Awen Collective please visit the rest of our website. Or contact us directly by emailing hello@awencollective.com, we would love to hear from you.

“We are delighted to have been chosen for the first cohort of the Tech Nation Cyber programme. We are excited to get started and continue to grow with the support from this wonderful programme and we look forward to establishing new business alongside our fellow cohort members.”
— Daniel Lewis, CEO and Cofounder, Awen Collective
“Cyber security represents an increasingly important part of our daily lives, and Wales already plays a leading role in keeping our data and systems safe while training up the next generation of experts. This programme will initially support two Welsh companies in Caerphilly and Cardiff in developing their potential and I look forward to seeing other companies from across Wales getting involved in the future.”
— Kevin Foster MP, UK Government Minister for Wales
“In recent years the success for a handful of UK Cyber Security innovators is more than could be imagined. They have enhanced the nation’s reputation for producing world-class technology, while also helping to pave the way for many more startups hoping to follow suit. Concurrently the market for cyber security is continuing to grow at a rapid pace and this conspires to make our cohort of scaleups exciting ones to watch.”
— Ollie Bone, Cyber Programme Lead at Tech Nation
Follow the news about the programme on Twitter through #TechNationCyber

Follow the news about the programme on Twitter through #TechNationCyber

Our opinions on Davos 2019

The theme of the 2019 annual meeting of the World Economic Forum [WEF], colloquially known as Davos 2019, was “Globalization 4.0.”

Topics such as Industry 4.0 (or the “Fourth Industrial Revolution” [4IR]), Cyber-Security and Artificial Intelligence & Automation played a big part of the conversation at Davos this year. These are topics which are at the very core of our business at Awen Collective, and so we felt compelled to talk about these particular WEF discussions.

Industry 4.0

The article on “4 myths about manufacturing in the Fourth Industrial Revolution” is a good discussion on industry 4.0 technologies, and highlights that they are a good option for upgrading the factory floor to become more cost effective. It touches on the worries over replacing human workers with robotics. It discusses the need for thinking about business sustainability. It also discusses that industry 4.0 technologies are not just for large organisations, but can also be taken up by Small & Medium sized Enterprises [SMEs]. The associated whitepaper is also an interesting read (PDF).

While this is great - and detailing the uptake of industry 4.0 technologies is something that we applaud -  the article fails to mention that a combination of old and new technologies, and the convergence of information technologies [IT] and operations technologies [OT] can increase vulnerabilities. Often the risk associated with these vulnerabilities will need to be managed and mitigated by different teams within an organisation, and for all levels of an organisation, from factory floor workers through to board level directors. Awen Collective can assist with asset and risk discovery through Dot, which specifically supports industrial networks – regardless of whether the network of assets are old or new, IT or OT. At Awen Collective, we want old and new, IT and OT, to be connected - it leads to great insights and increased efficiency - but we want it to be done in a way that is secure and safe.

Cyber-Security

We are pleased to hear that among the top 3 priorities for CEOs in 2019 is cyber-security. This isn’t just because of the privacy and data protection requirements in Europe (from the General Data Protection Regulation [GDPR]), but is also because of the increase in publicised cyber-attacks which disrupt business continuity. One of the articles conclusions is that for business owners, there is a “near certainty of a cyber attack on their business”, which combined with other challenges will “stretch them more than any previous generation of business leaders.” At Awen Collective, we delight in hearing that board level executives are knowledgeable of the problem and are actively seeking solutions to mitigate their cyber-vulnerabilities. We work with all levels of an organisation to ensure that cyber-security policies are in place, and that an organisation is ready for incident response and digital forensics.

Ken Xie, of Fortinet, highlights to the WEF, the need for more cyber-security professionals and for increasing their skill capabilities to match the increase in cyber-threats. He suggests potential paths to take to ensure that the gap is filled. This is certainly a worry of every organisation within cyber-security, and we thank Ken for raising this issue at Davos.

Awen Collective is based in just north of Cardiff in South Wales. We have great access to graduates and staff of high quality cyber-security and digital forensics departments from the University of South Wales and Cardiff University. We are also not too far from Swansea University who are making great leaps in researching and commercialising the interdisciplinary aspects of computer science and law. Also, South Wales cyber-cluster is one of the strongest cyber-security clusters in the United Kingdom, and is well-known across Europe. The cluster has a great relationship with academia and industry, public and private sector – with particular geographical closeness to large organisations in aerospace, defence and the intelligence services. With such good access to talent - we are very well placed, for the foreseeable future, to provide good quality digital forensics & incident response software and services to the entire world.

 Artificial Intelligence

Artificial Intelligence is an interesting one, because it is increasingly powering technologies relevant to us, including robotics in assembly lines and predictive maintenance. It also includes the subject of data mining, which is one component of a future product of ours.

Davos 2019 has two particular AI related threads which are interesting to us:

 In conclusion

Globalisation 4.0 is a great theme. Even as an SME we are international-focused. To repurpose some of the points of the WEF article on “what the world thinks of Globalization 4.0”: We strongly believe that we need collaborate with other organisations (large, small, clients, partners, competitors, governments). We see ourselves as offering one part (a subset of solutions) in a larger puzzle (the problem of cyber-security in critical infrastructure & manufacturing). We believe that we have an internationalised solution to a global problem, and so international cooperation is not just beneficial but essential – we are doing it in the UK, we’re getting traction in the EU and we are working with potential partners internationally.

Contact us now if you would like to collaborate to solve a problem with Digital Forensics & Incident Response within industrial organisations such as critical infrastructures or manufacturing.