Security challenges of modern cybersystems

Why cybersecurity risks are on the rise and building secure systems is expensive and challenging

Modern cybersystems are characterized by the interpenetration of information (IT) and operational (OT) technologies: industrial, transportation, financial, scientific, etc. Cybersystems are becoming increasingly complex, and the amount of program code that determines their operation is growing. For example, according to McKinsey & Company 1, today’s cars contain 10 times more lines of code than in 2010, and there are more than 100 million lines of code in premium brand cars.

This increasing complexity of systems is exacerbated by their growing heterogeneity, global availability and high-speed transfer of large amounts of data. For example, while mobile networks previously focused on user-to-service or user-to-user content delivery, 5G networks bring high-speed cybersystem-to-cybersystem communications to the fore.

The convergence of OT and IT has changed the very notion of security. In the past, cybersystems were used to process data, and security was understood to be the integrity, confidentiality and availability aspects of that data. Today, functional security, resilience, operational reliability, and other aspects of system security determined by data processing are also becoming important2.

Changing the concept and content of security

Cybersecurity problems directly impact the ability of systems to perform their critical functions, which has financial implications cybersecurity risks related to the development, maintenance and support of systems are on the rise. According to a Kaspersky study3, 53% of organizations have abandoned new business projects because of the inability to address cybersecurity risks, and 74% have been confronted with the lack of a suitable security solution.

The rise in cybersecurity risks and compensation costs is due to several factors, including:

  • a large attack surface and the speed with which attacks spread between system components;
  • the complexity of threat modeling;
  • a low level of confidence in the security of system components;
  • the high cost of a single (first) incident;
  • the high financial and time costs and sometimes the impossibility of updating software.

Developing and maintaining secure cybersystems presents a number of challenges, including:

  • the lack of a common understanding of business objectives: customers cannot describe the criteria for a secure system, and developers implement security measures without understanding their necessity and sufficiency;
  • high cost and complexity of proving security properties;
  • high cost of skilled personnel, especially at the intersection of industry disciplines and cybersecurity.

When developing software or hardware products, the issue of security arises near the end of the project because security requirements are typically viewed as non-functional. In this case, security measures implemented in isolation from the core functionality of the product often leave loopholes for an attacker and do not provide effective defense against attacks.

The most common approach to solving these problems is the use of additional security measures. Industry best practices also include security audits and update management of OT and IT network components, cybersecurity awareness training for personnel, and continuous monitoring of the changing threat landscape. These solutions and practices remain popular and in demand for systems and technologies that are being actively operated, but there is another way to strengthen defenses – at the architectural level.

We will discuss the practical implementation of architecturally secure systems in a series of articles. In the second part, we describe an alternative approach to building secure information systems – the concept of Secure by Design.


References

  1. McKinsey & Company — Rethinking car software and electronics architecture, February 2018 https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/rethinking-car-software-and-electronics-architecture ↩︎
  2. Industrial Internet of Things Volume G4: Security Framework, Industrial Internet Consortium, Security Working Group, 2016. ↩︎
  3. Kaspersky Global Corporate IT Security Risks Survey (ITSRS), 2021 https://www.kaspersky.com/blog/iot-report-2022/ ↩︎

Modern cybersystems are characterized by the interpenetration of information (IT) and operational (OT) technologies: industrial, transportation, financial, scientific, etc. Cybersystems are becoming increasingly complex, and the amount of program code that determines their operation is growing. For example, according to McKinsey & Company 1, today’s cars contain 10 times more lines of code than in 2010, and there are more than 100 million lines of code in premium brand cars.

This increasing complexity of systems is exacerbated by their growing heterogeneity, global availability and high-speed transfer of large amounts of data. For example, while mobile networks previously focused on user-to-service or user-to-user content delivery, 5G networks bring high-speed cybersystem-to-cybersystem communications to the fore.

The convergence of OT and IT has changed the very notion of security. In the past, cybersystems were used to process data, and security was understood to be the integrity, confidentiality and availability aspects of that data. Today, functional security, resilience, operational reliability, and other aspects of system security determined by data processing are also becoming important2.

Changing the concept and content of security

Cybersecurity problems directly impact the ability of systems to perform their critical functions, which has financial implications cybersecurity risks related to the development, maintenance and support of systems are on the rise. According to a Kaspersky study3, 53% of organizations have abandoned new business projects because of the inability to address cybersecurity risks, and 74% have been confronted with the lack of a suitable security solution.

The rise in cybersecurity risks and compensation costs is due to several factors, including:

  • a large attack surface and the speed with which attacks spread between system components;
  • the complexity of threat modeling;
  • a low level of confidence in the security of system components;
  • the high cost of a single (first) incident;
  • the high financial and time costs and sometimes the impossibility of updating software.

Developing and maintaining secure cybersystems presents a number of challenges, including:

  • the lack of a common understanding of business objectives: customers cannot describe the criteria for a secure system, and developers implement security measures without understanding their necessity and sufficiency;
  • high cost and complexity of proving security properties;
  • high cost of skilled personnel, especially at the intersection of industry disciplines and cybersecurity.

When developing software or hardware products, the issue of security arises near the end of the project because security requirements are typically viewed as non-functional. In this case, security measures implemented in isolation from the core functionality of the product often leave loopholes for an attacker and do not provide effective defense against attacks.

The most common approach to solving these problems is the use of additional security measures. Industry best practices also include security audits and update management of OT and IT network components, cybersecurity awareness training for personnel, and continuous monitoring of the changing threat landscape. These solutions and practices remain popular and in demand for systems and technologies that are being actively operated, but there is another way to strengthen defenses – at the architectural level.

We will discuss the practical implementation of architecturally secure systems in a series of articles. In the second part, we describe an alternative approach to building secure information systems – the concept of Secure by Design.


References

  1. McKinsey & Company — Rethinking car software and electronics architecture, February 2018 https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/rethinking-car-software-and-electronics-architecture ↩︎
  2. Industrial Internet of Things Volume G4: Security Framework, Industrial Internet Consortium, Security Working Group, 2016. ↩︎
  3. Kaspersky Global Corporate IT Security Risks Survey (ITSRS), 2021 https://www.kaspersky.com/blog/iot-report-2022/ ↩︎