As the lines blur between autonomous systems and critical infrastructure, enterprises must not lose sight of their unique risks. The consequences of a cybersecurity-induced failure in a control system inside autonomous and critical infrastructure are far greater than the financial impact on the individual enterprise. Executives from OPSWAT, Fortinet, and SentinelOne share their perspective.
The governments of the Gulf region have their eyes fixed on prosperous futures and through economic vision programmes, they continue to grow. To do so they rely upon their critical national infrastructure. If these facilities falter or collapse, economic growth halts. And so, these systems, whether information technology (IT), operational technology (OT), or a mixture, must be protected from a security threat landscape that is also evolving.
Any organisation that provides critical infrastructure will have cybersecurity and risk-mitigation strategies in place, but when budgeting for procurement it will be important to choose the right security partner: one who understands and aligns with the unique goals of the business. And enterprise goals are unique, determined by size, industry, regulatory ecosystem, technology stack, talent pool, and more.
Case for business
“Robust security requires that senior executives work closely and effectively with IT staff, security staff, and other department heads to ensure you can accurately communicate your unique requirements to cybersecurity providers,” says Rami Nehme, Regional Sales Director, OPSWAT.
“This includes your core processes, recovery point objectives, recovery time objectives, and a range of risk factors identified through formal frameworks,” he adds.
Business goals and strategies are just as significant as the current state of the threat landscape or any trends within the cybersecurity industry. A disciplined approach to evaluation must include these factors as well as the functionality of the solution and the viability of its vendor.
Never lose sight of your own unique risk and business objectives. This will help to keep you focused as you consider things such as pricing structure and functionality. A data-driven investment now will reap many benefits in the months and years ahead.
And then there is procurement itself, consisting of a series of assessments, from the solution and its capabilities to the vendor and all of its third-party risks. You should consider your organisation’s unique risk tolerance and ensure that the vendor partner you choose is one from which you can extricate yourself if it stops aligning with your needs.
Some vendors are in aggressive acquisition mode to shore up their capabilities in a changing threat landscape. It is important to remember that this can impact pricing and limit your options with regard to integration and support.
Source of threats
“Security threats and vulnerabilities in autonomous and connected vehicles stem from various sources. These include potential cyber-attacks targeting vehicle software, communication networks, and data storage systems,” says Ezzeldin Hussein, Regional Senior Director, Solution Engineering, META, SentinelOne.
Vulnerabilities arise from insufficient encryption protocols, weak authentication mechanisms, flaws in software design and physical tampering, such as hijacking control systems or GPS spoofing.
As vehicles become data centres on wheels, they are susceptible to privacy breaches and data theft. Moreover, the interconnected nature of transportation ecosystems increases exposure to supply chain attacks and third-party vulnerabilities.
With 3D mapping, smart device integration, cloud-based services, advanced LAN, CAN networks, and autonomous driving defining the connected car of the future, the cyber risks are enormous. With IoT devices connecting to and accessing content and applications, the attack surface is even larger.
As the demand for electric vehicles (EVs) increases, so does the demand for a secure charging infrastructure. Threats across the digitally connected EV charging ecosystem are on the rise. Cybersecurity controls are a must-have to reduce risks and protect all concerned parties.
“A single compromised device, whether the EV itself, the EV charger, or any other device in the ecosystem, can be used to infiltrate all devices on the network. Security and segmentation features are critical to prevent widespread security incidents,” says Kalle Bjorn, Senior Director, Systems Engineering Middle East, Fortinet.
How to secure
Encryption, secure boot mechanisms, intrusion detection systems, and over-the-air update authentication are some of the methods. At the edge, solutions like firewalls, intrusion detection, and encryption are deployed within the vehicle’s onboard systems to safeguard against local threats.
In-cloud solutions include threat intelligence, anomaly detection, and centralised security management platforms, providing real-time monitoring, analysis, and response capabilities to mitigate network-based attacks and manage fleet-wide security measures.
“Security is part of the technology foundation for connected vehicles, providing a safe and enjoyable driving experience, and maintaining consumer confidence. As more data streams in and out of vehicles, communicating with the cloud, with infrastructure, and with other vehicles at different contact points, more of the vehicle network is exposed,” adds Fortinet’s Bjorn.
High speeds make security more complex because vulnerabilities need to be detected faster to keep the vehicle safe. Automotive cybersecurity must be both continuous and highly responsive to protect against malicious attacks as well as non-malicious incidents.
To be secure and efficient, connectivity for fleets must be part of a unified platform that integrates with other network components, such as back office systems, OT and IoT, and wireless access. FortiExtender Vehicle from Fortinet offers a revolutionary way of ensuring vehicles stay connected, resulting in greater efficiency, optimised operations and, most importantly, improved safety.
Innovations
Recent innovations in autonomous, connected vehicles include advancements in sensor technology, artificial intelligence for decision-making, and enhanced connectivity for vehicle-to-vehicle and vehicle-to-infrastructure communication.
“Go-to-market timelines vary. They typically involve iterative releases of features, with basic autonomy and connectivity entering the market within 2-5 years, followed by more advanced capabilities over the next 5-10 years. Regulatory approval, infrastructure readiness, and consumer acceptance influence these timelines. Expect full autonomy and widespread connectivity within the next decade,” explains SentinelOne’s Hussein.
Required IT skills include proficiency in software development, cybersecurity, data analytics, and cloud computing to design, develop, and secure vehicle systems. Business acumen is essential for strategic planning, market analysis, stakeholder management, and regulatory compliance.
Additionally, expertise in project management, collaboration, innovation, and customer experience optimisation is important for driving adoption and ensuring sustainable growth. Combined, these skills empower organisations to navigate technological complexities, seize market opportunities, and deliver impactful solutions.
Running critical infrastructure is a responsibility that sits apart from other economic activities. The harm to your organisation, financial and reputational, pales in comparison to the potential wider economic impact.
Selecting a partner to secure your control systems: The OPSWAT approach
The cybersecurity industry is currently in the midst of market consolidation. While fewer vendors may seem like a welcome simplification of the procurement and support processes, they may also bring more risk during a major incident. Look for records of innovation among vendors. Is the company financially stable? What is its reputation? How open and interoperable is it? Here are other parameters to consider.
Lifecycle
The procurement team must be sure of certain milestones regarding the product that will protect critical infrastructure from threat actors. Release schedules for updates, end of sale, end of support, and end of life are some examples.
Support
Just as the product must be a good functional fit, so should any service be a natural extension of your talent pool, dependable and backed by Service Level Agreements and Experience Level Agreements.
Real world
Vendor sales teams may come at you with a lot of hyperbole to create a sense of urgency. Having established your own requirements, you can ensure your decision is based on real-world facts and that your return on investment emanates from real risk reduction.
Performance metrics
Your organisation’s operating goals, such as RTOs and RPOs, along with your budget, regulatory obligations, growth targets, and the ins and outs of your infrastructure, are data points that should be kept front of mind by your procurement team.
Licensing models
Make sure that you thoroughly review licensing models. They can have significant impacts on costs, but also on flexibility and scalability. Product bundles are only as viable as their cost-effectiveness and capability to fit requirements. There is no point in paying for features that will never be used.
Integration
If you find a partner you can really trust, you can strengthen your security posture by integrating its team. You gain access to a wealth of solutions and expertise, and you can end up reducing costs and increasing efficiency because you have minimised the number of solutions in your stack.
Follow the data
The cybersecurity market is becoming more competitive by the month. Your procurement team faces a stiff challenge as it sifts through the many vendors, value-added distributors, resellers, and systems integrators for the one partner that can fulfil all the business’s needs. Always remember to agree internally on what is required before launching the procurement process.