Category: Technology

DMZ becomes the de facto standard for network segmentation. It is used to control network traffic across trust and untrusted network zones. Network traffic is used instead of network connection because the latter is not precise. A network cable is connected across components but what does matter is the traffic flowing thru. The network zoning is typically implemented by network firewall. More functions like anti-malware protection, site filtering, application requests screening are adding to the network firewall making it the so-called next generation (NG) firewall. To enhance customer confidence, there are 3rd party accredition for firewall cybersecurity. No matter how secure the component is manufactured and deployed, the important aspects to maintain a secure network perimeter are: Proper design, i.e. placing the firewall(s) at the correct network nodeProper configuration, i.e. device management and least privilege firewall rulesPeriodic assessment, i.e. validate if the configuration is still valid (don't retain the associated firewall rules when system has retired)Proper maintenance, i.e. update firmware...

A deployed function looks not elegant. Is this due to design problem, or deployment is not in accordance to the design? Fixing it will be costly without retrofit. Similarly, this happens to cyber protection. Protection effectiveness will be degraded or even none if improper design, or incorrectly deployed. To address this pitfall, comprehensive assessment from design, configuration check before commissioning and regular health check at O&M stage are necessary. Even if the system has not been changed, the external threat landscape has evolved and need to strengthen control to protect. ...

Controlling cyber (or network) access is always a main concern to limit threat vectors for lateral movement once they have gained a stepping stone within the infrastructure. The physical access aspect must not be forgotten. No matter how sophiscated controls are implemented and in place, if the core equipment is exposed to access at wish, this will defeat all these cyber controls. Bear in mind that all controls are to defer the access as much as possible. There is no bullet proof solution. A comprehensive risk assessment against the target of evaluation is very important to develop effective compensating controls. ...

Privacy is a major concern nowadays. Sensitive info need to be tokenized or masked while leaving functional info unchanged during business analytic or conducting system tests. Nevertheless, a function might be uniquely provided by a particular individual within the information sample. In this case, even if the identity is masked, the functional aspect can also traced back to that particular individual. This is something like weak hashing function subject to reversible attack. This is the situation to watch out and need to voice out the limitation to data subject and data owner. ...

Like in physical world, automation components do have life time. Example is mechanical attributes of traditional hard disk drive, they are also subject to wear-and-tear during operating life. Storage technology now uses solid state without mechanical portion, we must not forget the underlying platform and applications. Apparently they won't have wear-and-tear operating condition, but the advancement of technology adoption will introduce obsolescence of the platform and applications. From vendors perspective, they will retire products not longer fit for purposes in the market and therefore drop resources to support. Hence, even if your automation components are still operating with minimal wear and tear condition, these components will still need to be refreshed for new version, bugs / vulnerabilities fixed, continuous vendor support in order to maintain the business outcome. Proper life cycle management of the ICT/ICS components cannot be overlooked. ...