IT security challenges 2023: Network security a central component of IT & OT security concepts
January 2023
IDC surveyed security executives across industries in September 2022 to gain detailed insights into the challenges of building and operating security concepts. The survey found that, for the second year in a row, security solution complexity was the most frequently cited challenge. It is therefore important to pay attention to the compatibility of the selected solutions when choosing IT partners, because stand-alone solutions increase the administration effort and reduce efficiency. Interfaces between security solutions reduce complexity, confirms Tobias Waltemode, IOK - IT System House, describing an example: "We use a powerful combination of software solutions for threat detection and isolation of affected devices with low administration effort. The optimization of security processes was an important factor in the decision of our industry customer KRAFT Maschinenbau GmbH for a leading NAC solution. In more than 200 years of company history, the Kraft Group has grown from a medium-sized, owner-managed company into a major international manufacturer of specialized machines."
Shortage of skilled workers is bottleneck factor
Nearly two-thirds of respondents are already experiencing an acute security specialist shortage or expect one in 2023. That’s why solutions that reduce the administrative workload of complex networks are popular with IT teams. Florian Renner, Chief Information Officer, is responsible for all network-related issues at Hagleitner Hygiene International GmbH. The challenge of his job lies in the constant change and growing complexity of the expanding company, with the familiar challenges of access control and time-consuming device management. This includes devices from OT and IT networks, for example production machines, security cameras, maintenance routers, time recording systems and, of course, classic office hardware such as PCs, printers, or IP telephones. Renner: "By using Network Access Control, we can save between 5-10% working time in our team. And since time is the limiting factor, this represents significant added value for our team."
Industry expects rise in cyber attacks
More than half of respondents to the IDC study are concerned about the current risk landscape. Forty-three percent of businesses saw an increase in cyber-attacks over the past 12 months, and 51 percent expect a further increase in the future. Forty-seven percent of organizations surveyed are adjusting their cyber preparedness and defenses because of the geopolitical fallout from the Ukraine war. Good for those who have acted with foresight and, like German chocolate manufacturer Ritter Sport, are already securing their network. The tradition-steeped company has grown continuously over the course of its business activities. More than 1,000 employees work at the company headquarters alone, and a total of around 1,700 people at nine locations. Their devices and their activities in the company network must be monitored securely, because the processes surrounding chocolate production must function smoothly. Michael Jany, Team Leader Infrastructure and Security: "The aim of our NAC project was to provide complete and secure monitoring and to ensure the basic security of the company network, which is a central task with 3,400 network nodes, in order to manage operations without disruptions."
KRITIS - Critical infrastructures to be better protected in the future
The hacker attack on the Lake Constance Medical Campus, Germany, is just one of countless examples of targeted attacks on critical infrastructures. Earlier this year, the IT network was hacked. It is noteworthy that IT networks that integrate medical devices are becoming medical networks, meaning that in almost all hospitals, the IT networks are now also medical networks. The requirement that modern devices have network connectivity and the request from doctors to be able to access the digital results of the Magnetic Resonance Imaging (MRI) systems (anytime, anywhere) usually force IT departments to integrate formerly separate networks. The focus of IT managers in hospitals is therefore on the security solution for the hospital network and the protection of sensitive patient data.
Energy, water supply, the transport infrastructure - these areas are also part of the critical infrastructure. The German government has set itself the goal of creating improved security. To this end, in December 2022 the German cabinet approved the key points of the so-called KRITIS umbrella law. With this law, the German government intends to respond to incidents that have occurred in recent months. It is also intended to implement the requirements of the Critical Infrastructure Resilience (CER) Directive. The CER Directive is designed as complementary legislation to the also revised Network and Information Security Directive (NIS2), which recasts cybersecurity requirements for critical infrastructures and is also to be transposed into German law in 2023.
Finance & insurance industry needs protection locally, and in the cloud
Banks, credit institutions, financial service providers and insurance companies are among the institutions with the highest information security requirements. Growing vulnerability and danger increase the pressure on the finance and insurance business to manage IT security actively. For example, the Börsenzeitung headlined in 2022: "Banks increasingly threatened by cyberattacks". Cyber experts and bank supervisors fear increased attacks on financial institutions by Russian hackers because of the Ukraine war. Thomas Schumacher, Head of IT Security at Accenture in DACH, warns of increasing activities by Russian hacker groups. Attempts to attack companies and banks with ransomware are widespread. In just over one in three cases, such malware is used to encrypt computers and data and demand money to release them again. One in two extorted financial service providers has already paid a ransom, according to analyses by the British IT provider Sophos. On average, a ransom of more than $800,000 is due, usually to be paid in bitcoins. Most banks and financial institutions today work with hybrid solutions, a mix of traditional IT systems and cloud applications. The combination of NAC and Secure Defined Perimeter (SDP) offers optimal security solutions, high and global availability, flexible and adaptable implementation of compliance requirements and the fulfillment of verification obligations in accordance with ISO, PCI or even GDPR (DSGVO) requirements.
Public administrations targeted by data thieves
Public authorities house a wealth of sensitive data. At the same time, access to this data must be flexible for the various specialized procedures, on different devices and at multiple locations. City councils work with extremely sensitive personal data of residents, which represents a lucrative target for cybercriminals. According to its own information, the City Council of Bochum alone records 10,000 attempted attacks on the administration’s computer systems every day.
Likewise, information on critical infrastructures, such as data from energy suppliers or the public transport system, can be found in the networks of public authorities. By using a Network Access Control Solution, IT administrators know at all times which devices are on the network and can monitor and control them efficiently and conveniently. This is confirmed by Catino Valerio, Chief Information Officer of the Municipality of Comune di Trani, Italy: "Thanks to NAC, we can ensure the integrity of the network by exclusively allowing network access to the defined own and authorized devices."
When selecting a NAC solution for the public sector, a vendor-independent security solution that offers reliable monitoring even of networks with a wide variety of network components is a good choice. Since changes in the administrative structure or tenders also create heterogeneous IT infrastructure environments in public administration, vendor independence and the ability to easily integrate existing IT security solutions should be an important decision criterion.
Zero Trust Network Access (ZTNA) is gaining in importance - Security for IT and OT networks
The ZTNA philosophy provides the framework for intelligent security solutions for networks and cloud. The consultancy techconsult published a study on cyber security in German companies in July 2022: 46 percent of companies, for example, say they will introduce Zero Trust in the next two years. Theft, espionage, and sabotage cause total damage of 223 billion euros to the German economy every year, and the number of unreported cases is high. Home offices and digitization offer new opportunities for attacks, so holistic security concepts with NAC and SDP are necessary. The concept is based on restriction and monitoring. In addition to securing local networks, the security solution is extended to all cloud services. In contrast to classic VPNs, with Secure Defined Perimeter (SDP) both the user and the agent authenticate themselves at the controller. If authentication is successful, the controller informs the agent whether the respective user has access rights to the company resources and what these are. Every single access, whether on the corporate network or in the cloud, is checked. With the increasing integration of production systems, which in some cases extends into the office world, the complexity and vulnerability of networks are increasing. Threat scenarios for industrial networks are constantly changing. New attack vectors and methods are emerging, and Operational Technology (OT) operators are striving to maintain and improve their security. In addition, new standards and regulations pose additional challenges to OT network operators. In particular, the control of the devices located in the network and their communication plays a central role. Modern approaches to network access control (NAC) are therefore a crucial component of any network and security concept today. With ZTNA by security expert macmon, a Belden company, unauthorized usage of systems in administration and production is virtually impossible.