those various types of communication. Clearly if one has more layers than one needs, this is economically inefficient. All of the cybersecurity controls tend to have their draw backs. One of the controls is conducting intrusion detection, which is valuable, but then one has to think about communicating that intrustion detection information back to security specialists, which opens up potential new lines for security.
Some corporations that opeate nuclear power plants have decided that the matter is most efficiently handled by people at the corporate office. So now these people at the corporate office have access to firewalls and intrusion detection systems that are in the inner layers. There are active discussions going on about that right now: what is acceptable and what is not acceptable. As security is added, be it layers or something else, one has to be very mindful of the vulnerabilities that such security control may introduce into the system.
A workshop participant asked to clarify whether or not an attack can happen during the time the security update is occuring. Is the attacker conscious of when the security update is being done or does it mean that the attacker is looking to attack all the time? Babu replied that this happened in Mumbai when they were trying to update their software to introduce more antivirus capability. While updating, what happened is the security level was brought down and an insider logged on at that particular time between 11:00 and 11:30 pm. With this information an external attack took place. The most fatal one is where an insider collaborated with an external attacker and logged on and then launched the attack. It becomes extremely difficult to track in this case.
Glantz replied that one of the major issues is where a good system is built with firewalls in the right place and an appropriate rule set, but they do not invest in actually looking at their firewall logs on a regular basis. Maybe they will do it every 30 days or 60 days or maybe they will give it a superficial look. A cyber attack could be an ongoing, non-stop, 24/7, automated attack, just waiting for that security level to drop or a vulnerability to show up that it can take advantage of. Those attacks are ongoing all the time. If attackers suspect that there is a vulnerability, they will keep pinging at it until defenders detect it and do something to stop that threat vector from going forward.
A participant picked up on the other aspect of that question: How well or poorly can one authenticate the updates themselves? It seems that the updates could be a pathway into the system that might not be checked. Babu replied that normally updates come with digital signatures. There are ways to authenticate that it is coming from the right source. That could be a vulnerability point, but there are methods to take care of that.