
Cyber Resilience @ Industry 4.0: Strengthening Standards & Embracing Emerging Tech

BSides London · 15:06 · Published 2024-02
Style: Talk

Transcript [en]

Hi everyone, gosh, thank you all for coming today. So today we're going to be talking about cyber resilience in Industry 4.0: strengthening standards and embracing emerging tech. A little bit of background about myself: hi, I'm Shaza. I currently work as a security innovation and development engineer over at Fujitsu. Prior to that I graduated back in 2022 with a degree in cyber security and digital forensics. During that time I was a programming tutor, did my security internship with the Home Office, and the most fun one was working as a junior information security consultant over at the North West Cyber Resilience Centre, where we were helping local SMEs in order to build up our cyber resilience on a regional level.

So, without further ado, getting into cyber resilience and Industry 4.0. Just a side note before we fully get into this: this is part of a really big research project I was undertaking at the time. This is all my personal opinions, conclusions and research, and I've tried my best to do it in about 15 minutes, so hopefully you can take something away.

Industry 4.0 refers to the fourth industrial revolution, and one of the best ways to describe it is the current mass digitalisation movement you see across the board. It's often specific to industries like manufacturing, or industries that have traditionally been physical or network isolated, and it refers to their movement into the advanced technologies we're seeing at the moment: things like the Internet of Things, machine learning and, of course, our beloved cloud. It's that involvement in these kinds of sectors, and the rapid advancements, that mean security isn't necessarily at the forefront. Now, it sounds like absolutely amazing news to see the advancements for these companies and industries across the board, but the slight downside is that our attack surface area has increased significantly.

So if you think about it, prior to Industry 4.0, for the sake of simplicity, we had perhaps ten doors that an attacker or threat actor could come through to do anything malicious or create any attacks. Now, because of Industry 4.0 and so many things like the Internet of Things being connected, we have a million doors for them to attack, and ten to a million is a big jump. How do you take care of all of those million? After all, they always say security is never 100%. So the interesting thing about this is, well, if you have a million doors, which ones are you going to prioritise in this scenario?

I had the very same question. I thought: which ones would I prioritise if I had to take care of security on a national level? And the answer to that is critical national infrastructure. Critical national infrastructure is probably one of the most important things currently across the UK. Now, cyber resilience in critical national infrastructure: if you don't know what critical national infrastructure is (you may have heard it referred to as CNI, or sometimes CI), it is defined as critical infrastructure, which could be the information systems, processes, networks or people, the disruption, compromise or loss of which could cause significant disruption to our essential services, which in turn could lead to severe economic or social harm, or even loss of life at times. That's all really fancy words to essentially say: if something happens to our critical national infrastructure, we're kind of screwed, so preferably it stays safe and resilient.

Now, critical national infrastructure sounds really big and almost a really far-away concept from us, especially as the general public or as security people, where it sounds like it has nothing to do with us and it sounds like something to do with the government; it's national and it's really far away. But the reality is it hits much closer to home for some people.

I know it's a classic example, but I'm sure lots of you here have heard of the WannaCry ransomware, and I know it's an overused example, but I think it's the best example to use in this scenario, because WannaCry ransomware is one of the few hits to our critical infrastructure that not only the security people knew about but the general public too; it's one of the few things that the general public actually understood and that impacted them on that level. This happened back in 2017. I wasn't even in security at that point, and I heard of WannaCry ransomware. It's at that level where it's not just that you've gone on Have I Been Pwned and thought, oh my gosh, my email has been leaked again; this is actual essential services being impacted. As a reminder, the WannaCry ransomware cost us about £92 million to recover from, and it had 19,000 health cancellations across the board, so it actually affected healthcare on a national level.

Now you're probably thinking 2017 sounds like a long time ago, we've advanced since then, it's probably not as much of an issue, or we have security measures in place. That's not necessarily true. In fact, our National Cyber Security Centre has reported a 64% increase from last year in terms of national cyber threats being detected. Bridewell Consulting also conducted a survey back in 2021 regarding our CNI operators across the UK: 86% of them reported that they detected cyber threats, and 93% of those said they'd had at least one successful attack. And again, these are just the things that are being detected at the moment; so many things are happening under the layer. So when I was reading this, I thought, okay, all these scary stats, alongside the fact that the UK is the third most targeted country in the UK when it comes to critical infrastructure. I decided that I wanted to know more about the security measures that have been in place: how secure is our critical infrastructure, and what's going on now? What I decided to do is research our cyber security standards, our frameworks, our policies, not just for cyber security but for threat modelling and simulation.

Now, the interesting thing about critical infrastructure is that, because it's so critical, you can't really take these systems offline. So what happens when you need to test the security of something that you can't really take offline for periods of time, and you don't really want to be the person testing on a live system either? The answer to that is simulation: simulated environments of the original process or system you're creating. That's what needs to be done: have a simulated environment and test on that simulated environment.

So I thought, fantastic, I want to see what security measures are being talked about in these legislations and standards in regard to that. This is just a snippet of some of the standards, regulations and frameworks across the board that I've had a deep dive into. I specifically looked at security assessments, in particular simulation. I wanted to know if the security assessment sections of these actually spoke about critical national infrastructure, or if they talked about simulations and what those simulation environments should look like. The answer to that is: almost none of the standards made any reference to critical infrastructure, and none of them at all talked about simulation either, not basic-level simulation, let alone high-level simulation, let alone the standards that should be included. None of the standards analysed made a clear or distinct separation in the security assessments for simulation environments, to even introduce, address or differentiate what simulated security assessments should look like in those environments.

You're probably thinking, okay, fantastic, we've identified a bit of a problem: why isn't there a conversation about what these simulated environments should look like? When I read all that research and all those policies, I thought one of two things: either all those critical national operators aren't doing security assessments, which is unlikely, or they are doing security testing but in their own interpretation of what those policies should look like in those environments. And that's fantastic, that's great, but the whole point of policies and frameworks is to have a base level of standardisation across the board, to ensure that there is a minimal amount of security and an ability to measure from that point.

So, digital twin technology. I don't know if any of you here have heard of digital twin technology, but it is a form of simulation environment where you are essentially copying something; you're becoming its digital twin. So in this case, a smart city: you're taking that city and emulating it as closely as possible to the original thing. The difference between that and normal simulated environments is that simulated environments are often static, so they're limited to a designer's capabilities, their scope and a limited amount of information. Simulations sometimes deal with the original version of something rather than the current version, so three weeks ago can look quite different to today. Digital twin technology actually deals with real-time data, which is the key difference. Digital twin technology in this case takes real-time data from the physical thing and hands it over to the digital twin, which in turn matures and adapts the environment; it takes that information in and in turn allows people to actually make informed decisions. It allows for monitoring, and it allows for real-time access and knowledge as to the current security environment at that time.

So once I'd read all of this, I thought, okay, it sounds like the simple solution, or even just a suggestion, is that not only should we really be talking in those standards about critical infrastructure (not in any detail that could give away our critical infrastructure), but we should talk about how you should be testing for these environments, and not only talk about simulation but what that simulation should look like and to what level that simulation should be. For example, fidelity is a term often used when talking about simulations, and it regards how closely something is related to the original. So it could be 50% similar, could be 60, 70, 80, 100, well, not quite 100%, but as close as possible. What is that measure, what is that baseline of how closely something should be related for it to qualify, and how realistic is it to ask for it to be a certain percentage, for example? And how real-time is real-time data? So I believe these things should be included in our legislation: not only talk about simulation but talk about the standards of simulation used, to ensure a baseline.

So, to summarise all of this: cyber resilience is incredibly important, particularly in our critical national infrastructure, which is involved in Industry 4.0. It's so important to want to advance and continue our advancements as a country, but also to make sure that we are being safe and secure and as resilient as possible to foreign threats and attacks. One of the ways to do that is to ensure a baseline of standardisation and regulation across the board, and one of the forms this could take is suggesting that they use high-level simulations and specifying what that should look like. This is all from the research I've done, but it is also reflected in the Cyber Strategy annual review of 2022, where the government themselves admit that CNI is now becoming a major concern and are actively trying to hold CNI operators more accountable for how they do security testing, and have potentially raised the subject of adding to legislation. So hopefully I've covered everything for you today; maybe you know some of this, maybe you don't, but I want to thank you all for listening. If anyone does have any questions, yeah, that's my LinkedIn over there, and I made a Twitter, and it looks like a bot because it's new, but I promise that's real. Thank you all so much for listening.

[Audience question, beginning not captured] ... questions, because the guys that work within this area struggle to actually just meet these standards within their physical environment, so it's somehow a little bit challenging for them, when they do a simulated environment, to then implement the standards that are already there for their existing environment. But then another viewpoint, with you saying about fidelity and those sorts of things, and looking towards those sorts of areas: do you think that might put them off a little bit, might give them an additional challenge when they're already dealing with stuff within their physical environment?

[Answer] That's a fair enough question. Of course, maintaining security is difficult for people across the board, even with big corporations that aren't as physical as some of these industries are. However, if you're choosing to adopt these technologies, that comes with risk, and in some situations they have more to lose. So as challenging as it is, it is essentially worth it. And I definitely do think it should be more accessible, and the government is saying they're committing to doing that by introducing tools that are more accessible, maybe more affordable or cost-effective in this sense. I think the conversation should be more about: this needs to happen, how can we make this more accessible, affordable and easy to monitor, rather than, oh, this is too difficult, let's not do that.

Thanks. Good, thank you.