
VeroGuard Systems


  • Defence Certification for VeroGuard Systems

    VeroGuard Systems has become one of only three Australian companies with a product certified under Common Criteria, the international standard (ISO/IEC 15408) for computer security certification. VeroGuard Systems can now deploy its platform in defence and other high security environments that require Common Criteria certification. Utilising the same methods guided missile systems use for their communication systems, the VeroGuard Platform is certified for secure access over open networks to all systems and data. The digital identity platform system architecture was designed by wireless EFTPOS pioneer and VeroGuard Systems.

    “VeroGuard is proud to be an Australian company, providing cutting-edge sovereign technology to the market which is currently dominated by global companies,” the CEO said. “Common Criteria certification provides our customers confidence that they cannot get better protection than our platform for verifying who is accessing their systems and data. This is an ‘out of the box’ zero trust solution.”

    “VeroGuard’s digital identity platform is the world’s only digital ID platform for open networks that uses Hardware Security Module (HSM) to HSM communications. It uses a ‘personal high security card’ (a Hardware Security Module known as VeroCard) with a PIN, which removes traditional password, low security hardware and software tokens and online identity issues – guaranteeing a user’s identity online.”

    “The VeroCard has also received the highest security certification available for a PIN entry device (PCI PTS 5.1). An integral part of the certification was VeroGuard Systems’ advanced manufacturing facility in the Edinburgh defence precinct north of Adelaide, which manufactures VeroCard.”

    VeroGuard Systems is also partnering with Kyndryl to provide government and enterprise customers access to the platform. Collin Penman, Kyndryl Partner – Cyber Security Practice A/NZ, says: “As the principal Systems Integrator for VeroGuard, Kyndryl welcomes the announcement of Common Criteria Certification for VeroGuard HSM for Open Networks. This represents a standout success of sovereign technology innovation, and demand for a higher level of security authentication, non-repudiable identification, and high attainment of cryptographic security that the Australian Defence and Federal Government Agencies market is seeking. Now the technology has been certified, Kyndryl and VeroGuard look forward to expanding on initial deployments and continuing to successfully engage the Australian market and beyond.”

    Australian Cyber Security Magazine - 21 February 2022. Source: https://australiancybersecuritymagazine.com.au/defence-certification-for-veroguard-systems/

  • VeroGuard Systems receives ‘defence certification’

    Australian cyber security company VeroGuard Systems has become one of three Australian companies with a Common Criteria certified product, opening new opportunities to deploy its VeroGuard Platform in defence and other high security environments. Common Criteria is an international standard (ISO/IEC 15408) for computer security certification. Reportedly utilising the same methods guided missile systems use for their communication systems, the VeroGuard Platform is certified for secure access over open networks to all systems and data.

    “VeroGuard is proud to be an Australian company, providing cutting-edge sovereign technology to the market which is currently dominated by global companies,” the CEO said. “Common Criteria certification provides our customers confidence that they cannot get better protection than our platform for verifying who is accessing their systems and data. This is an ‘out of the box’ zero trust solution.”

    According to the company, VeroGuard’s digital identity platform is the world’s only digital ID platform for open networks that uses Hardware Security Module (HSM) to HSM communications. It uses a ‘personal high security card’ (a Hardware Security Module known as VeroCard) with a PIN, which removes traditional password, low security hardware and software tokens and online identity issues – guaranteeing a user’s identity online. The VeroCard has also received the highest security certification available for a PIN entry device (PCI PTS 5.1). An integral part of the certification was VeroGuard Systems’ advanced manufacturing facility in the Edinburgh defence precinct north of Adelaide, which manufactures VeroCard.

    VeroGuard Systems also recently partnered with IT integrator Kyndryl to provide government and enterprise customers access to the platform. “As the principal Systems Integrator for VeroGuard, Kyndryl welcomes the announcement of Common Criteria Certification for VeroGuard HSM for Open Networks,” Collin Penman, Kyndryl Partner – Cyber Security Practice A/NZ, said. “This represents a standout success of sovereign technology innovation, and demand for a higher level of security authentication, non-repudiable identification, and high attainment of cryptographic security that the Australian Defence and Federal Government Agencies market is seeking. Now the technology has been certified, Kyndryl and VeroGuard look forward to expanding on initial deployments and continuing to successfully engage the Australian market and beyond.”

    Australian Defence Magazine - 23 February 2022. Source: VeroGuard Systems receives ‘defence certification’ - Australian Defence Magazine

  • Govt's ransomware action plan gets a lukewarm welcome

    The Federal Government's Ransomware Action Plan has received a lukewarm welcome from security professionals, with one calling for an increased focus on prevention and adoption of advanced cyber security measures.

    The CEO of VeroGuard said: "Whilst the recognition of the cyber security problem in the plan is welcome, an immediate increased focus on preventing the crimes is needed and adoption of enhanced cyber security referred to by the World Economic Forum embraced."

    Home Affairs Minister Karen Andrews announced the plan on Wednesday, saying that when it took effect, businesses that had an annual turnover of $10 million or more would have to report ransomware attacks. She said the government would also introduce new criminal offences and tougher penalties. But Andrews gave no indication as to when the plan would come into force.

    "It makes absolutely no sense to continue doing the same thing and expect a different result. For example, a key recommendation by the Australian Cyber Security Centre to prevent ransomware includes turning on multi-factor authentication, but they also acknowledge that not all MFA are equal. Breaches of software-based 2FA solutions are becoming common, yet significantly ‘enhanced MFA cyber security’ solutions are already available in the market that happen to be developed, produced and run in Australia. The government could be doing a lot more to enhance cyber security and protect businesses and citizens online."

    VeroGuard's CEO went further on the implementation of measures "that would have immediate and material impact on the problem, such as mandating strong MFA rather than any MFA, integrating strong MFA and digital identity into government systems rather than vulnerable applications and biometric-based tools".

    "I would like to add that a focus on sovereign solutions will also mean better control over our critical infrastructure, economic outcomes and development of high value jobs in the digital economy," he added.

    Sam Varghese - 14 October 2021. Source: iTWire - Govt's ransomware action plan gets a lukewarm welcome

  • VeroGuard Takes Part in Locked Shields Partner Run

    Australia joins the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE) Locked Shields exercise for the first time, collaborating in the Partner Run facilitated by the Australian Cyber Collaboration Centre.

    Last week the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE) facilitated the world’s largest and most complex international live-fire cyber exercise, Locked Shields 2023. The ‘Blue vs Red’ style exercise aims to train technical teams of cyber professionals (Rapid Reaction Teams) and strengthen their cooperation with legal, media and strategic decision-making entities through a simulated hostile and vulnerable cyber and information crisis. Planning and implementation of the exercise take place throughout 11 months of the year.

    “No other cyber defence exercise can offer as specialised and detailed of an experience as Locked Shields can. 24 Blue Teams from around the world must keep critical infrastructure and IT systems up and running. Teams can demonstrate how well they can keep systems running under real-life situations and high pressure,” said NATO CCDCOE director Mart Noorma.

    “Technical specialists cannot solve a cyber crisis alone. Usually, decision-makers and experts from different governmental bodies and walks of life are those who try to repel the attacks,” explains Noorma. “This is why, in addition to cyber defence, we focus on strategy games, legal issues, and crisis communication at Locked Shields. Cooperation must be swift, because a large cyberattack can quickly escalate into a large-scale security crisis, and these kinds of exercises allow us to be better prepared,” added Noorma.

    For the first time in the thirteen years Locked Shields has been running, Australia has participated in the Partner Run. The function of the Partner Run is to test the Game Day scenario, systems and technology before the main event in April, honing the red team tactics for the full exercise. The Partner Run is a crucial component of the full-scale exercise, and many of the teams in it train for up to six months. In early April, with only five weeks of preparation, the Australian Cyber Collaboration Centre, in association with the University of Adelaide, facilitated the Australian participation in the Locked Shields 2023 Partner Run with its members McGrathNicol, CyberOps, Flinders University, DTEX, SecureState, SAAB, CISCO, Veroguard and SA Power Networks. Utilising the most technically advanced commercial cyber range in the Southern Hemisphere, the Locked Shields Partner Run was hosted at the Australian Cyber Collaboration Centre’s home base in South Australia’s innovation precinct, Lot Fourteen.

    Led by Team Manager Ben Cornish of McGrathNicol, alongside Technical Team Leader Derek Grocke of CyberOps, teams were formed from both corporate and education partners, combining workforce and students into an operational body ready to tackle, analyse and report on the most complex of cyber threats in the simulation exercise. Australia’s involvement in the Partner Run is a display of the nation’s capability and increasing strength in the international ecosystem as the cyber defence of sovereign critical infrastructure comes into even sharper focus.

    The Australian Cyber Collaboration Centre’s CEO, Matt Salier, hosted key leaders of Australia’s business and cyber arena as part of the activation to connect on the topic, including the previous Premier, Hon. Steven Marshall MP; Defence Science and Technology Group’s Ben Luo alongside Suneel Randhawa and Ian Johnston, both Research Leader Cyberwarfare Operations; University of Adelaide’s Pro Vice-Chancellor (Research Operations) & Chief Security Officer (Defence & National Security) Bruce Northcote and CISO Shuichi Sakai; SAAB’s Chief Engineer Graham Smith; Veroguard CEO Nic Nuske; Santos GM of Transformation Reneke van Soest; CyberOps CEO Daniel Floreani; Australian Space Agency CEO Enrico Palermo; Duncan Scott, Wing Commander 462SQN in the Information Warfare Directorate; and Reg Carruthers, Executive Director Defence and Space at Defence SA.

    ‘It is necessary that we provide best-in-world training for those in Australia who protect our critical systems. Regardless of public or private sector control, intense training exercises and live-fire simulations are essential to upskill these people. Utilising our national and international networks and partners like NATO CCDCOE, we are making tremendously positive steps towards building our nation’s cyber capability,’ Matt Salier said.

    Work will begin on Locked Shields 2024 shortly. If you are interested in learning more about the roles involved and being a part of Australia’s participation, more information can be found at: www.cybercollaboration.org.au/intlcollaboration

  • Critical Cyber Security for Operational Technology

    In an ever more connected world, operational environments and the Operational Technology (OT) controlling them are a new frontline for cyberattacks. The digital transformation of manufacturing, energy and utilities has created unprecedented efficiencies, but it has also exposed those organisations to a far greater risk of cyberattack.

    There are several reasons for the increased threat. The expanded use of technology opens new communications and wireless channels that connect directly to companies’ digital ecosystems, and these are soft targets. OT also suffers from lagging cyber regulations and standards and inadequate cyber security awareness, made worse by a shortage of cyber-defence talent. With remote operations increasingly commonplace, more devices and machines must be connected online to maintain service delivery. This is a step change in work practices: traditional OT devices were never designed to be connected to the internet, so new models for cyber security are required. The impact of a cyberattack can be costly and disruptive to operations, and can create further liability, particularly when sensitive customer data is breached.

    Threats are on the rise: the number of attacks involving OT has continued to increase since 2021, and malware is emerging with targeted OT functionality and ease of deployment.

    More vulnerabilities: the number of vulnerabilities disclosed in OT systems continues to grow, and risk is heightened in operational environments by the inability to patch at will.

    Specialised security skills in short supply: skills shortages make it clear that developing an effective security strategy spanning IT, OT and IoT environments is complex.

    Lack of regulations and frameworks: cyber security standards for OT lag behind other industries.

    With an expanding threat surface and a shrinking talent pool available to deploy the new security posture required, companies using OT must look to new technology to augment the existing network, protect un-patchable devices and uplift the overall identity and encryption architecture of their operating environment. The more connected systems become, the larger the attack surface and the more attractive they become as targets. In 2022, multiple international cyber security agencies (including Australia’s) issued alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of new malware, and a growing list of disclosed OT vulnerabilities.

    VeroGuard’s technology maintains network integrity for legacy and new infrastructure when connected or exposed to open networks. By providing phishing-resistant MFA for access to networks and devices, and strong encryption of device communications (which the company describes as post-quantum level), it lets companies accelerate digital transformation plans with a certified virtual air gap between the OT environment and open internet connectivity. According to the company, VeroGuard is the only platform worldwide with Common Criteria certification for access on open networks; the evaluation was certified under the Australian Cyber Security Centre (ACSC) scheme, allowing its use in Defence and other government departments with high assurance requirements for online access.

    Background

    The OT industry continues to face an expanding cyber threat landscape which presents a substantial challenge to operations. The Australian Government has acknowledged that technology in critical infrastructure environments is key to national security and economic prosperity, as reflected in the amendments to the Security of Critical Infrastructure Act, which introduced financial and criminal penalties for non-compliance.

    The problem for all industries using OT equipment is the same: an attack developed to disrupt the operations of a large utility can easily find its way into the operational environment of any factory. “Insecurity by design” remains very relevant in traditional OT, and that is why a shift in security infrastructure to account for open network connectivity and all the variables it presents is so necessary. The past decade has shown that one of the biggest security problems continues to be the lack of basic controls, and attackers have exploited this in practice with the recently discovered malware Industroyer2 and Incontroller/PipeDream. Insecure-by-design vulnerabilities abound, as evidenced by a recent investigation by Vedere Labs which found 56 vulnerabilities affecting 10 major OT vendors. Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of devices, bypass authentication, compromise credentials, cause denial of service or have a range of other operational impacts.

    The most common issues [1] found in internal audits and vulnerability scans include:
    - Unmanaged assets connected everywhere.
    - Operational systems deployed with their default credentials unchanged.
    - OT networks that were designed to be highly segregated but have become flatter than anyone realised.
    - Ports on all kinds of systems in all kinds of remote locations left wide open.
    - OEMs remotely accessing the machines they sold, with no one managing that access.
    - Disclosed vulnerabilities on old operating systems never evaluated for possible patching.
    - Functional silos between separate security disciplines (cyber security, physical security, supply chain security, product security, health and safety) creating seams that bad actors can exploit.
    - No centralised governance for end-to-end security processes and decisions.

    Identity and credential compromise remain the biggest threat. IBM recently found that 78% of incidents began with a phishing attack (consistent with its 2021 findings). Commonly cited industry figures hold that 95% of all cyberattacks target identity and credentials and that over 85% of breaches involve compromised credentials. Breaches that begin with stolen credentials are also the slowest to find: the IBM Cost of a Data Breach Report 2022 puts the average time to identify and contain such a breach at 327 days.

    It is not appropriate to simply carry cyber security operations over from existing IT practice. IT network and operating system patching and identity management practices are well established, but managing OT devices and systems in the same manner is not as straightforward; “patching at will”, for example, is not always an option for OT devices. Traditional air-gap defences can mitigate many device vulnerabilities, but switching back to them removes the benefits of connectivity, so a new approach is required.

    Some of the key mitigation strategies found in every advisory (aside from patching, monitoring, training and awareness, which this piece treats as “after the fact” activities rather than prevention) are to:
    - Require phishing-resistant multi-factor authentication for all remote access.
    - Implement and ensure robust network segmentation between operational and corporate networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network.
    - Implement demilitarised zones (DMZs), firewalls, jump servers and one-way communication diodes to prevent unregulated communication between the IT and OT networks.

    Without strong identity and access management control over any of these additional tools, criminals will find a way through. This is an ongoing occurrence online, with bad actors simply bypassing second-factor authentication (2FA) and detection software.
    There have been attacks where 2FA applications and VPNs themselves were the vectors for successful breaches.

    [1] Gartner Guide for Operational Technology Security

    A New Approach

    The VeroGuard Platform offers a unique solution to securing connected environments by providing secure identity and access management controls, virtual network separation, data encryption and flow control. VeroGuard’s products hold Common Criteria (CC) certification (defence-level security) and can be quickly and cost-effectively deployed to legacy, new and hybrid environments.

    The platform was specifically designed for protecting identity, access and data on the open internet. It works by inserting an HSM between the device being accessed and the network connection, adding a hardware-enforced defensive layer for online protection. When initiating connectivity, the inline HSM must connect to and verify itself with the platform HSM, which then creates an encrypted tunnel using hardware-derived keys for data flows and any user verification needs.

    HSM-to-HSM verification and communication is not new; until now, however, it has been expensive and limited to terrestrial connections. Two-way HSMs are used in banking (e.g. ATMs, EFTPOS) and military systems around the globe for securing critical communications. Typically the technology is used in guided missile control, where it is crucial that command messages cannot be decrypted or the command plane hijacked. VeroGuard brings this mutual two-way hardware verification to OT environments, at scale and without the high cost.

    Multifactor authentication, for all access points on any device:
    - Humans via VeroCard
    - Machines via VeroMod

    Robust segmentation (virtual air gap):
    - Only encrypted communications initiated HSM-to-HSM are passed
    - Other network traffic cannot route past the VeroMod
    - Access only via VeroCard authentication

    Secure communications:
    - Data diode: the VeroMod only communicates with a predetermined IP address, over encrypted communications
    - Jump box: users and devices must authenticate to the VeroMod before passing through to the device or network

    Form factors include the VeroCard HSM for humans and the VeroMod HSM for machines/devices. The VeroCard HSM lets users be verified for access to networks, applications and devices, authenticating by the combination of the specific user’s VeroCard and their secret PIN. Every login attempt is verified over the secure connection back to the VeroGuard Platform. The VeroMod IoT Shield is a commoditised hardware security module (HSM) which connects inline and creates a “virtual air gap” between the device and any connectivity, bringing HSM-to-HSM verification and encryption to any device: access requests to and from all machines are verified, and all data in transit is encrypted. The company describes VeroGuard as unmatched for security and scalability, as the only online platform that always uses HSM-to-HSM protection for identity verification, communications, data integrity and switching services.

    The rapid adoption of technology presents universal concerns for service providers:
    - Increased digital services/devices and interconnectivity between systems means an increased attack surface for cybercrime.
    - A rapid rise in data volumes, flows and complexity of management means increased opportunities for identity breaches.
    - Transitioning from legacy systems and navigating the complexity of hybrid environments.
    - Complex layers of identity and security become more costly across many mixed environments.
    - Expansion of stakeholders and associated integration requirements (suppliers, citizens, third-party providers, businesses).

    VeroGuard Systems offers a solution that begins with indisputable proof of identity for all online and digital communications. According to the company, it is the only platform available anywhere in the world that can provide defence-certified identification security for both people and machines. By providing host connections into the VeroGuard platform, the VeroMod effectively provides a point-to-point connection over open networks. User access is granted only after permission is verified by the VeroGuard platform, before the user can reach networks, devices and data. Machine-to-machine connections are verified in the same way, with the digital identity provided by the VeroMod.

    All VeroGuard HSM-to-HSM connections are protected using elliptic-curve Diffie–Hellman (ECDH) key agreement, with a DUKPT (Derived Unique Key Per Transaction, ANSI X9.24) key management scheme. The keys are derived inside the HSMs and never leave them, so they cannot be captured in transit, and because each transaction key is derived one-way from a base key, compromise of one transaction key does not expose the others. Each time a connection is initiated, a new set of encryption keys is generated. One caveat a practitioner should note: ECDH on its own is not resistant to a cryptographically relevant quantum computer, so the post-quantum protection the company describes would require a quantum-resistant key-encapsulation mechanism alongside or in place of ECDH.

    There is an opportunity to harness this technology now and build a safe and secure digital ecosystem for companies, their suppliers and contractors.

    How can this technology be harnessed to benefit the industry?

    The focus of cyber security for operational environments is to support health and safety, reliability and resilience, even in the event of a cyber-attack. Credential compromise remains one of the largest causes of system breaches, as well as one of the most easily preventable with the appropriate system infrastructure. The next generation of connected OT systems must be designed with identity and data security at their core, but changing out infrastructure is costly and slow. To stay ahead of the curve and defend against the threats outlined in the introduction, the next generation of T&L system architecture must include:
    - A unified platform to reduce the complexity of the layers of technology built up over decades
    - A cyber security platform architecture that is identity-centric and purpose-built for protection over open networks
    - A digital identity that is robust, tethered to the user, reusable in many places and cannot be tampered with
    - Machine/human identity and communications that cannot be breached or compromised
    - A solution that can be readily retrofitted to existing networks and fleet assets
    - An identity layer that facilitates convergence of IT and IoT functions to simplify and reduce costs rather than duplicating across networks and participants
    - Privacy controls and low-friction interfaces for users

    Essentially, once deployed, VeroGuard creates a virtual air gap for the fleet asset environment. Access is controlled via the non-repudiable identity provided by the platform, and communications from devices or nodes are encrypted by the HSM-to-HSM technology at the core of the platform. VeroGuard Systems positions the platform as the next generation of platform to secure connected systems, machines and data: it is designed to practically eliminate credential and identity compromise on open networks and to act as the core of any zero-trust deployment. Any company migrating to the cloud, connecting OT and IT networks, wanting to use open networks for machine communications, or looking to secure its supply chain should assess the VeroGuard Platform.
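    The HSM-to-HSM pattern described in the "A New Approach" section above (each endpoint holds a long-term hardware key, the two verify each other, and a fresh session key is agreed for every connection) is illustrated below in working Python. This is an editor-added example, not VeroGuard's code or protocol: the Noise-KK-style message pattern, the "otlink-v1" label, the key layout and the pre-provisioning of each side's static public key into the other's HSM are assumptions made for the illustration. It uses only the standard library, with X25519 implemented as the RFC 7748 Montgomery ladder. It also shows the failure mode the text relies on: an impostor that knows the platform's public key but does not hold the device's static key cannot complete the key confirmation. As in the text, the key agreement is classical ECDH, which is not quantum-resistant.

```python
"""Mutually authenticated, ephemeral X25519 key agreement between a device-side
and a platform-side HSM identity.  Editor-added illustration, not VeroGuard's
protocol: the Noise-KK-style pattern, the 'otlink-v1' label and the key layout
are assumptions.  Static keys are assumed to live in the HSM and never leave it;
a fresh ephemeral pair per connection gives new session keys every time.
X25519 is classical ECDH and is not quantum-resistant."""
import hashlib
import hmac
import secrets

P = 2**255 - 19                       # Curve25519 field prime
A24 = 121665                          # (A - 2) / 4 for the Montgomery curve
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder (pure Python, not
    constant-time; a real HSM does this in hardware)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64        # clamp the scalar
    k = int.from_bytes(k, "little")
    u = bytearray(point)
    u[31] &= 127                      # ignore the unused high bit
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair() -> tuple:
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)

def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with a zero salt, built from the stdlib hmac module."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def mac(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

class HsmIdentity:
    """One endpoint: its static key plus the peer's static public key, assumed
    to be provisioned out of band (e.g. at manufacture)."""
    def __init__(self, static_priv: bytes, peer_static_pub: bytes):
        self.s, self.peer = static_priv, peer_static_pub
        self.s_pub = x25519(static_priv, BASEPOINT)
        self.e, self.e_pub = keypair()            # fresh per connection

    def derive(self, peer_e_pub: bytes, initiator: bool) -> dict:
        # Noise KK mixing: ee gives forward secrecy; es and se can only be
        # computed by a party holding the matching static private key.
        ee = x25519(self.e, peer_e_pub)
        if initiator:
            es, se = x25519(self.e, self.peer), x25519(self.s, peer_e_pub)
            transcript = self.s_pub + self.peer + self.e_pub + peer_e_pub
        else:
            es, se = x25519(self.s, peer_e_pub), x25519(self.e, self.peer)
            transcript = self.peer + self.s_pub + peer_e_pub + self.e_pub
        okm = hkdf_sha256(ee + es + se, b"otlink-v1" + transcript, 96)
        return {"i2r": okm[:32], "r2i": okm[32:64], "confirm": okm[64:]}

def handshake(device: HsmIdentity, platform: HsmIdentity) -> tuple:
    """Device (initiator) sends its ephemeral public key, platform replies with
    its own; both derive keys and swap key-confirmation MACs.  Returns
    (both_confirmed, device_keys, platform_keys)."""
    dk = device.derive(platform.e_pub, initiator=True)
    pk = platform.derive(device.e_pub, initiator=False)
    # Each side checks the other's tag against its own derived confirm key.
    plat_ok = hmac.compare_digest(mac(dk["confirm"], b"device"), mac(pk["confirm"], b"device"))
    dev_ok = hmac.compare_digest(mac(pk["confirm"], b"platform"), mac(dk["confirm"], b"platform"))
    return plat_ok and dev_ok, dk, pk

def demo() -> dict:
    """Genuine device twice (fresh keys each time) and an impostor that knows
    the platform's public key but not the device's static private key."""
    dev_priv, dev_pub = keypair()
    plat_priv, plat_pub = keypair()
    ok1, k1, _ = handshake(HsmIdentity(dev_priv, plat_pub), HsmIdentity(plat_priv, dev_pub))
    ok2, k2, _ = handshake(HsmIdentity(dev_priv, plat_pub), HsmIdentity(plat_priv, dev_pub))
    rogue_priv, _ = keypair()
    bad, _, _ = handshake(HsmIdentity(rogue_priv, plat_pub), HsmIdentity(plat_priv, dev_pub))
    return {"genuine": ok1 and ok2, "fresh_keys": k1["i2r"] != k2["i2r"], "impostor": bad}

if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'fresh_keys': True, 'impostor': False}
```

    The design choice worth noting is the `es` and `se` terms: because each is computed with one party's static private key, a peer that only knows public keys cannot reach the same `confirm` key, so the MAC check fails before any session traffic is sent. The `ee` term means that even if a static key were later extracted from the hardware, past sessions' keys are not recoverable, which is the property the per-connection key generation in the text is relying on.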

  • Absolute Trust

    Maintaining a Trusted Identity in the Digital Economy The transition to a digital economy requires a trusted, efficient and unified secure method for accessing online services. As organisations battle the increasing cyber threat, the new hybrid IT environment and the end to the corporate network perimeter, identity and access management is more challenging than ever. Traditional castle-and-moat security models do not meet with the needs of increasingly mobile users, and has seen move to Zero Trust models, where every new action requires re-authentication creating significant management overhead. The alternate solution to this Absolute Trust. This model can be achieved by breaking down the silos of identity across business units and organisations, and enabling never before seen levels of collaboration and control. The breakthrough for maintaining a Trusted Identity Identity theft remains the number one attack vector for hackers, currently representative of more than 8 out of every 10 data breaches due to hacking. This should not be surprising, given the way in which we access systems and networks has changed little in the past 30 years; with a username and password still being used by the vast majority for user authentication. Add to this the traditional castle-and-moat security strategy which is still being employed and a hacker, once through a company’s perimeter defences, can then freely access systems and resources. The journey through user Access Management thus far, has seen the creation of policies for complex passwords, one-time-password tokens, use of biometric authentication devices and other multi factor authentication (MFA) techniques – none of which has led to a totally secure and trusted user access experience. It all boils down to trust. If trust could be easily established, then access management and network security policies would be far simpler to architect. 
However, just as trusting another human in a face-to-face interaction is far from a perfect science, there is no way to know if a digital credential has been stolen and is normally accepted without first establishing trust. Given the number and growing sophistication of phishing practices, organisations should be concerned. It is for this reason that a model of Zero Trust is now becoming a popular policy employed for User Access Management. Zero Trust is a holistic IT security model that requires strict identity verification for every person and device trying to access a network, regardless of whether they are sitting inside or outside of the network perimeter. A core principal is to minimise access to the least amount required to perform the tasks a user needs to accomplish, meaning that every request for more resources is met with a re-authentication request. Another option is to move to Absolute Trust where a user’s identity can be irrefutably confirmed and non-repudiable. A model of Absolute Trust can break down the Access Management challenge and offers a single identity layer for any system regardless of the network, access point, device or application which would bring significant control and simplicity to Access Management policies. ​​​​​​​Why don’t existing access management solutions meet the needs of today’s systems and networks? Access management systems and policies have been developed in line with the technology platforms they support, however with the current hybrid of cloud and on premises IT environments most organisations use, maintaining control over who can access what is becoming a complex and time-consuming task. Traditional access management solutions were developed to reduce the inefficiencies and increase control and security when provisioning user accounts across multiple systems. The first era was born in the late 90’s to support on premises applications. 
Around 2010, a new generation of access management was required to cater for cloud applications, however this has led to fragmentation as the two environments are distinct from one another and users are managed separately and redundantly. The third era is what analysts and industry see as the future: Unified Access Management - secure access management for all devices and applications, regardless of where they’re hosted. Unified access management is the basis for which an Absolute Trust policy can be achieved removing the need to maintain multiple access management systems and policies for users internally, on their own devices and accessing systems remotely. ​​​​​​​​​​​​​​ Everyone must be implementing Zero Trust more locks mean a stronger safe – Right? The complexities of applying Zero Trust to a company’s legacy and existing environments are equally matched by the ongoing effort required to maintain and update configurations across network services and resources, which can actually contribute to making the network more brittle. A Zero Trust policy forces users and devices to strongly authenticate on any request and provide only minimal resource access. In this model requests for any new system or data access is met with a new authentication check every time. This way it is seen to protect an organisation from lateral movement and exposure due to identity theft. The theory being that the entry point for an attack is often not the target location. Zero Trust works by enabling policies giving users the least amount of access required to perform the tasks they need to accomplish, and is enabled by technologies such as multifactor authentication, IAM, orchestration, analytics, encryption, scoring and file system permissions. 
Some organisations have opted for a multi-layered approach, minimising password entry by implementing Single Sign-On (SSO) and applying hardware tokens, geolocation and device risk-based techniques to deliver two-factor (2FA) and multifactor authentication (MFA) across systems. SSO without other layers of authentication becomes a single point of failure, as once the ‘master password’ has been obtained, an attacker gains access to all of that user’s systems. Zero Trust policies, therefore, build a trust profile based on the resources and systems a user is trying to access, where they are (network and location) and which device they are on. For a user, this can mean a multitude of different experiences depending on these factors, and combinations of passwords, tokens, one-time passwords and MFA, depending on their access point and requirement.

With each layer, yet another solution requires management and user support, adding complexity and increasing costs. The loss of oversight on any one layer becomes a point of susceptibility. Even with strong operational controls in place, a major barrier for Zero Trust is the inability to apply a consistent and highly secure user authentication solution across legacy, on-premises and cloud systems that provides a simple and frictionless experience for users regardless of how they connect. Further, Zero Trust extends only as far as the reach of the organisation and cannot be applied in the same way to customer-facing solutions or shared across corporate boundaries when collaborating with other organisations.

“More locks mean more keys, which all need to be rigorously managed from a user and system perspective to maintain the network hardening intended.”

If you get it set up correctly, Zero Trust works, doesn’t it?
Many experts agree that Zero Trust is a strong security posture for any organisation to employ; however, the reason it is necessary is to defend against the weakest element in the whole cyber security framework: the “Human Element”. What a Zero Trust User Access Management policy boils down to is that the CIO does not trust you. Too many employees still use the same weak password on multiple systems, get caught by phishing attacks and have malware on their personal devices. This means that cyber criminals can easily guess or collect user credentials and then impersonate an employee, leading the IT department to limit access to everything or implement Zero Trust.

This methodology works well for modern cloud-based systems and greenfield environments, as network access can be designed from the inside out, rather than the traditional castle-and-moat strategy, which builds security into the perimeter and trusts everything once it has successfully traversed the drawbridge and raised the portcullis. However, a key drawback is the reliance on a password, which leaves the gate open for attack. Therefore, even with a Zero Trust framework in place, organisations must continue to add context, ensure user roles are up to date and add more authentication methods to counter credential-based attacks. Zero Trust works, but it is complex to set up and a lot of work to maintain, and there is still no guarantee of blocking unauthorised access through the use of stolen credentials.

Can you realistically achieve Absolute Trust?

Absolute Trust appears on the surface to fly in the face of everything we have ever been told about the online world. Hackers and other nefarious actors continue to bombard our personal and business systems and devices with both full-frontal and behind-the-scenes attacks, seeking more often than not the user credentials that provide access to the systems we use. Yes – your username and password. So, what if we removed passwords completely?
If you were able to securely access any system or device without needing a password, then there would be nothing to be stolen. Hackers could not access systems or networks via a username and password, as this channel would be closed off, and therefore authenticated users could be immediately trusted. To achieve this, one must be able to quickly and simply prove you are who you say you are. VeroGuard has created a system to do exactly that – essentially a solution to the problem of not knowing who or what is at the other end of an online transaction, and therefore the authenticity of the interrogation, communication and associated data.

VeroGuard’s technology works by removing passwords and replacing them with a single and fast login experience for all user authentications via a portable Digital ID. Security is assured with Hardware Security Modules (HSMs, otherwise known as ‘Black Boxes’) at both ends of every authentication, communication and data transaction. The VeroGuard Systems solution has been designed to reduce and remove many of the risks of becoming a victim of identity-related cyber-crime and at the same time reduce integration costs, improve the user experience and address many of the issues associated with privileged access. The VeroCard provides a single-gesture, out-of-band, multi-factor authentication solution based on existing proven bank-to-bank protocols and can provide hardware-encrypted and verified secure access across platforms regardless of device, network or location. VeroGuard can provide the infrastructure to enable an Absolute Trust policy for any organisation, including governments, corporates, large and small businesses and individuals.

Surely Absolute Trust just creates a single point of attack? Once compromised, everyone using the system is compromised?
Absolute Trust, when implemented using VeroGuard’s technology, does not create a single point of failure, as the system is secured end to end with HSMs and all authentication transactions are encrypted. Private keys are never exposed to software where they can be harvested or broken by malware or applications. The VeroCard device is an HSM-level Digital Wallet which is tamper-proof; if lost, the card has no accessible data on it and can be remotely disabled. Unlike a mobile phone, a VeroCard cannot have any user applications loaded, protecting the device from malware and other malicious applications. In the unlikely event that the VeroGuard server is breached, no card can be compromised and no user credentials can be stolen. In the unlikely event that a VeroCard is compromised, it cannot affect any other user.

My organisation is driving an aggressive digital transformation program…

An Absolute Trust model with Unified Access Management is a cornerstone of digital transformation, as a transformed company cannot be concerned with where applications are hosted. Hybrid cloud and on-premises IT environments are likely to remain for some time; therefore, solutions to unify application access across these environments are required for an organisation to be truly effective. Driving a Zero Trust policy is counter-intuitive to user adoption and ongoing usability. The mantra of “security is more important than usability” must make way for “security with usability”, and will see more organisations implement a unified universal identity that is anchored to the user and not the application, providing the trusted secure access to any system expected by users and the security required by businesses, governments and individuals.
Absolute Trust

Absolute Trust delivers on the promise of digital transformation, removes the most common attack vector and the cause of more than 80% of data losses (passwords), and offers unprecedented ability to authenticate, collaborate and integrate. Absolute Trust is achieved by enabling systems to release the shackles of outdated, complex and restrictive user access and security policies and embrace a holistic, unified universal digital identity layer for the connected world.

  • Critical Cyber Security for the Energy Industry

    Due to its widespread reliance on a huge network of locations, devices and people to provide adequate services, the energy industry faces perhaps more threat from cyber-crime than any other sector. While these threats have always been present, the effect of recent global events on daily operations has severely increased the possibility of attack. With the post-pandemic shift to work-from-home practices, as well as a push towards “cleaner, greener and cheaper” energy, the industry is faced with the need to rapidly take advantage of the efficiencies presented by digital transformation and cloud computing. This represents a step change in work practices for the sector, in that traditional energy OT was never originally designed to be connected to the internet, and new models for cyber security are required.

With remote operations becoming increasingly commonplace, more and more devices and machines are required to be connected online to maintain a satisfactory level of service delivery. Insofar as the energy industry is concerned, the sheer scale of services being provided means that practically all aspects of operations are now inescapably facing being connected to the internet, and by extension the IoT (Internet of Things).

Threats Are on the Rise
The number of attacks involving OT has continued to increase since 2021. Malware is emerging with targeted functionality and ease of deployment.

More Vulnerabilities
Vulnerabilities disclosed in OT systems continue to grow. Risk is heightened in operational environments by the inability to patch at will.

Specialised Security Skills in Short Supply
Skills shortages have made it clear that developing an effective security strategy that spans IT, OT and IoT environments is complex.

Lack of Regulations and Frameworks
Cyber security standards are lagging behind other industries.
With the expanding threat surface and a shrinking talent pool available to deploy the new security posture required, companies using OT must look to new technology to augment the existing network, protect un-patchable devices and uplift the overall identity and encryption architecture of their operating environment. The more connected systems become, the larger their attack surface and the more attractive they become as targets for cyberattacks. In 2022 we saw multiple international cyber security agencies (including Australia’s) issue multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of new malware, and the disclosure of a growing list of operational technology vulnerabilities.

VeroGuard’s technology maintains network integrity for legacy and new infrastructure when connected or exposed to open networks. By providing highly phish-resistant MFA for access to networks and devices and strong post-quantum-level data encryption for device communications, companies can accelerate digital transformation plans with a certified virtual air gap between the OT environment and open internet connectivity. VeroGuard is the only platform worldwide to have Common Criteria certification for access on open networks, meaning it has been verified by the Australian Cyber Security Centre (ACSC) for use in Defence and other government departments with high assurance requirements for online access.

Background

The energy industry continues to face an expanding cyber threat landscape which presents a substantial challenge to operations. The Australian Government has acknowledged the fact that technology in operational environments is key to national security and economic prosperity – as reflected in the amendments to the Security of Critical Infrastructure Act – by introducing financial and criminal penalties for non-compliance.
Complicating matters further, “insecurity by design” remains very relevant in traditional OT, and that is why a shift in security infrastructure to account for open network connectivity and all the variables it presents is so necessary. The past decade has shown that one of the biggest security problems continues to be the lack of basic controls, and attackers have exploited this in practice with the recently discovered malware Industroyer2 and InController/PipeDream. Insecure-by-design vulnerabilities abound, as evidenced by a recent investigation by Vedere Labs which found 56 vulnerabilities affecting 10 major vendors. Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of devices, bypass authentication, compromise credentials, cause denials of service or have a range of operational impacts.

The most common issues [1] found from internal audits and vulnerability scans include:

    • Unmanaged assets are connected everywhere.
    • Operational systems are deployed with their default credentials unchanged.
    • OT networks that were initially designed to be highly segregated have become flatter than realised.
    • Ports on all kinds of systems in all kinds of remote locations are wide open.
    • OEMs are accessing the machines they sold remotely, and no one is managing this.
    • Disclosed vulnerabilities on old OSs have never been evaluated for possible patching.
    • The functional silos between separate security disciplines (e.g., cybersecurity, physical security, supply chain security, product security, health and safety) are creating seams that bad actors can exploit.
    • No centralised governance exists for end-to-end security processes and decisions.

Identity and credential compromise remain the biggest threat; IBM recently found that 78% of incidents began with a phishing attack (consistent with their 2021 findings).
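Several of the audit findings listed above can be checked mechanically against an asset inventory. The following is an added example (not a VeroGuard tool) that flags devices whose addresses bridge zones meant to be segregated (the “flatter than realised” problem), addresses outside the documented network plan, unmanaged assets, unchanged default credentials and internet-exposed ports; the zone plan, record fields and device records are all constructed for the example.

```python
import ipaddress

# Constructed network plan: the prefix that belongs to each zone.
ZONES = {
    "corporate-it": ipaddress.ip_network("10.10.0.0/16"),
    "ot-control": ipaddress.ip_network("192.168.50.0/24"),
    "vendor-wifi": ipaddress.ip_network("172.16.9.0/24"),
}
# Zone pairs that no single host may straddle (the intended segregation).
ISOLATED_PAIRS = (
    frozenset({"ot-control", "corporate-it"}),
    frozenset({"ot-control", "vendor-wifi"}),
)

# Constructed inventory records, as an asset register or scan export might provide them.
# "default_credentials" is a flag from a prior credential audit; "internet_exposed_ports"
# lists services reachable from outside the organisation.
INVENTORY = [
    {"name": "plc-feeder-01", "ips": ["192.168.50.12"], "managed": True,
     "default_credentials": True, "internet_exposed_ports": []},
    {"name": "coffee-machine", "ips": ["192.168.50.77", "172.16.9.21"], "managed": False,
     "default_credentials": True, "internet_exposed_ports": []},
    {"name": "historian-01", "ips": ["10.10.4.8", "192.168.50.3"], "managed": True,
     "default_credentials": False, "internet_exposed_ports": [443]},
    {"name": "remote-rtu-09", "ips": ["203.0.113.40"], "managed": True,
     "default_credentials": True, "internet_exposed_ports": [23, 502]},
    {"name": "eng-laptop-14", "ips": ["10.10.20.31"], "managed": True,
     "default_credentials": False, "internet_exposed_ports": []},
]


def zone_of(ip: str):
    """Name of the planned zone containing this address, or None if it is in no plan."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return None


def audit_device(dev: dict) -> list:
    """Return the findings for one device; an empty list means nothing to report."""
    findings = []
    zones = {zone_of(ip) for ip in dev["ips"]}
    if None in zones:
        findings.append("UNKNOWN_NETWORK")       # address outside the documented plan
        zones.discard(None)
    for pair in ISOLATED_PAIRS:
        if pair <= zones:                         # one host with a foot in both zones
            findings.append("SEGMENT_BRIDGE:" + "+".join(sorted(pair)))
    if not dev["managed"]:
        findings.append("UNMANAGED_ASSET")
    if dev["default_credentials"]:
        findings.append("DEFAULT_CREDENTIALS")
    for port in dev["internet_exposed_ports"]:
        findings.append("EXPOSED_PORT:%d" % port)
    return findings


def audit(inventory: list) -> dict:
    """Map each device name to its findings; devices with none are omitted."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, ", ".join(findings))
```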
In fact, we know that 95% of all cyberattacks are on identity and credentials and that over 85% of all breaches involve compromised credentials. That is why the average time to discover and remediate a breach has blown out to over 327 days (IBM Data Breach Report 2022). It is not appropriate to simply adopt the cybersecurity operations of existing IT practices. While IT network and operating system patching and identity management practices are well established, managing OT devices and systems in the same manner is not as straightforward. “Patching at will”, for example, is not always an option for OT devices. Though traditional air-gap defences can mitigate many of the vulnerabilities on devices, switching back to this defence mechanism removes the benefits of connectivity, and a new approach is required.

Some of the key mitigation strategies in every advisory (aside from patching, monitoring, training and awareness, which are all “after the fact” activities and not prevention) are to:

    • Require phish-resistant multi-factor authentication for all remote access.
    • Implement and ensure robust network segmentation between operational and corporate networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network.
    • Implement demilitarized zones (DMZs), firewalls, jump servers and one-way communication diodes to prevent unregulated communication between the IT and OT networks.

It is important to note that without strong Identity and Access Management control over any additional tools, the criminals will find a way through. This is an ongoing occurrence online, with bad actors simply bypassing second-factor authentication (2FA) and detection software. There have been attacks where 2FA applications and VPNs themselves were used as the vectors for successful breaches.
[1] Gartner Guide for Operational Technology Security

A New Approach

The VeroGuard Platform offers a unique solution to securing connected environments by providing secure Identity and Access Management controls, virtual network separation, data encryption and flow control. VeroGuard’s products have Common Criteria (CC) certification (defence-level security) and can be quickly and cost-effectively deployed to legacy, new and hybrid environments. The platform was specifically designed for protecting identity, access and data on the open internet and works by inserting an HSM between the device being accessed and the network connectivity, delivering an impenetrable defensive layer for online protection. When initiating connectivity, the inline HSM must connect to and verify itself with the platform HSM, which then creates a secure encrypted tunnel using hardware-derived keys and encryption protocols for data flows and any user verification needs.

HSM-to-HSM verification and communication is not new; however, until now it has been expensive and limited to terrestrial connections. Two-way HSMs are utilised in banking (e.g. ATMs, EFTPOS) and military systems around the globe for securing critical communications. Typically, the technology is used in guided missile control, where it is crucial that command messages cannot be decrypted or the command plane hijacked. VeroGuard brings this mutual two-way hardware verification to OT environments, at scale and without the high cost.
Multifactor Authentication
    • For all access points on any device
    • Humans via VeroCard
    • Machines via VeroMod

Robust Segmentation
    • Virtual Air Gap – only encrypted communications initiated HSM-to-HSM
    • Other network traffic cannot route past VeroMod
    • Can only be accessed via VeroCard authentication

Secure Communications
    • Data Diode – VeroMod only communicates to a predetermined IP address via encrypted communications
    • Jump Box – users and devices must be able to authenticate to the VeroMod before passing on to the device or network

Form factors include the VeroCard HSM for humans and the VeroMod HSM for machines/devices. The VeroCard HSM enables users to be verified to access networks, applications and devices, authenticating via the combination of the specific user’s VeroCard and their secret PIN. Every login attempt is verified by the secure connection back to the VeroGuard Platform. The VeroMod IoT Shield is a commoditised Hardware Security Module (HSM) which connects inline and creates a “virtual air gap” between the device and any connectivity. VeroMod IoT Shield brings HSM-to-HSM technology for verification and encryption to any device. This guarantees access requests to and from all machines and provides the highest level of encryption to all data in transit. VeroGuard is unmatched for security and scalability as the only online platform that always uses HSM-to-HSM protection, time after time, for identity verification, communications, data integrity and switching services.

The rapid adoption of technology presents universal concerns for service providers:

    • Increased digital services/devices and interconnectivity between systems means an increased attack surface for cybercrime.
    • Rapid rise in data volumes, flows and complexity of management means increased opportunities for identity breaches.
    • Transitioning from legacy systems and navigating the complexity of hybrid environments.
    • Complex layers for identity and security become more costly with many mixed environments.
    • Expansion of stakeholders and associated integration requirements (suppliers, citizens, third-party providers, businesses).

VeroGuard Systems offers a solution that begins with indisputable proof of identity for all online and digital communications. It is the only platform available anywhere in the world that can guarantee defence-certified identification security for both people and machines. By providing host connections into the VeroGuard platform, the VeroMod effectively provides a point-to-point connection over open networks. User access is provided with permission verified by the VeroGuard platform before the user is able to access networks, devices and data. Machine-to-machine connections are verified in the same way with the digital identity provided by the VeroMod. All VeroGuard HSM-to-HSM connections are protected using elliptic-curve Diffie–Hellman key agreement set for post-quantum protection, with a DUKPT (Derived Unique Key Per Transaction) key management protocol, meaning that the keys are derived within the HSM and there is no possibility of the keys being intercepted or stolen. Each time a connection is initiated, a new set of encryption keys is generated.

There is an opportunity to harness this technology now and build a safe and secure digital ecosystem for companies, their suppliers and contractors.

How can this technology be harnessed to benefit the Energy Industry?

The focus of cyber security for operational environments is to support health and safety, reliability and resilience, even in the event of a cyber-attack.
Unlike IT systems, a control system in the energy sector that is under attack cannot be easily disconnected from the network, as disconnection could potentially result in safety issues, brownouts or even blackouts. Credential compromise remains one of the largest reasons for breaches of systems, as well as one of the most easily preventable with the appropriate system infrastructure. The next generation of connected OT systems must be designed with identity and data security at their core – but changing out infrastructure is costly and slow.

To stay ahead of the curve and defend against the threats outlined in the introduction, the next generation of T&L system architecture must include:

    • A unified platform to reduce the complexity of layers of technology built up over decades
    • A cybersecurity platform architecture that is identity-centric, purpose-built for protection over open networks
    • A digital identity that is robust, tethered to the user, re-usable in many places and cannot be tampered with
    • Machine/human identity and communications that cannot be breached or compromised
    • A solution that can be readily retro-fitted to existing networks and fleet assets
    • An identity layer that facilitates hyper-convergence of IT and IoT functions to simplify and reduce costs rather than duplicating across networks and participants
    • Privacy controls and low-friction interfaces for users

Essentially, once deployed, VeroGuard creates a virtual air gap for your fleet asset environment. Access is controlled via the irrefutable identity provided by the platform, and communications from devices or nodes are encrypted via the impenetrable security of the HSM-to-HSM technology at the core of the Platform. VeroGuard Systems is the next generation of platform to secure connected systems, machines and data. The VeroGuard Platform practically ELIMINATES credential and identity compromise on open networks to act as the core of any zero-trust deployment.
Any company migrating to the Cloud, connecting OT and IT networks, wanting to exploit open networks for machine communications, or looking to secure their supply chain should assess the VeroGuard Platform.
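The per-transaction key management described earlier in this article (a fresh key for every connection, derived inside the endpoints from a counter rather than transmitted) as a simplified model added here for illustration. It is not VeroGuard’s protocol and not ANSI X9.24 DUKPT, and it leaves out the elliptic-curve exchange: a shared initial key and a counter give both sides the same working key for each connection, the device ratchets its stored key forward one-way after each use, and the host rejects a replayed counter. The device identifier and sample messages are constructed.

```python
import hashlib
import hmac
import secrets

DEVICE_ID = "veromod-demo-0001"   # constructed identifier, not a real serial number


def ratchet(chain_key: bytes) -> bytes:
    """One-way step to the next chain key; the previous one cannot be recovered from it."""
    return hashlib.sha256(b"ratchet" + chain_key).digest()


def working_key(chain_key: bytes, counter: int) -> bytes:
    """Key for exactly one connection, bound to the counter that names that connection."""
    return hmac.new(chain_key, b"tx" + counter.to_bytes(4, "big"), hashlib.sha256).digest()


class Device:
    """Holds only the current chain key and counter, never the keys of past connections."""

    def __init__(self, initial_key: bytes):
        self._chain = initial_key
        self.counter = 0

    def begin_connection(self):
        ctr = self.counter
        key = working_key(self._chain, ctr)
        self._chain = ratchet(self._chain)   # erase the chain key that produced `key`
        self.counter += 1
        return ctr, key

    def stored_state(self) -> bytes:
        """What an attacker would obtain by extracting the device's current secrets."""
        return self._chain

    def send(self, payload: bytes):
        """Tag one message with this connection's key; the counter travels in clear."""
        ctr, key = self.begin_connection()
        tag = hmac.new(key, payload, hashlib.sha256).digest()
        return ctr, payload, tag


class Host:
    """Holds each device's initial key and recomputes any connection's key from the counter."""

    def __init__(self, initial_keys: dict):
        self._initial = initial_keys
        self._last_seen = {}                 # highest counter accepted per device

    def working_key_for(self, device_id: str, counter: int) -> bytes:
        chain = self._initial[device_id]
        for _ in range(counter):
            chain = ratchet(chain)
        return working_key(chain, counter)

    def verify(self, device_id: str, counter: int, payload: bytes, tag: bytes) -> bool:
        if counter <= self._last_seen.get(device_id, -1):
            return False                     # replayed or stale connection counter
        key = self.working_key_for(device_id, counter)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._last_seen[device_id] = counter
        return True


def demo() -> dict:
    """Three connections, one replay attempt, and a look at what stolen device state yields."""
    initial = secrets.token_bytes(32)        # constructed: provisioned into both HSMs at enrolment
    device = Device(initial)
    host = Host({DEVICE_ID: initial})
    messages = [device.send(b"telemetry sample %d" % i) for i in range(3)]
    verified = [host.verify(DEVICE_ID, *m) for m in messages]
    replayed = host.verify(DEVICE_ID, *messages[0])
    keys = {host.working_key_for(DEVICE_ID, m[0]) for m in messages}
    stolen_chain = device.stored_state()      # chain key after three ratchet steps
    return {
        "all_verified": all(verified),
        "replay_rejected": not replayed,
        "keys_unique": len(keys) == 3,
        # The device no longer holds anything that reproduces connection 1's key.
        "stolen_state_yields_key_1": working_key(stolen_chain, 1)
        == host.working_key_for(DEVICE_ID, 1),
    }
```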

  • Customer Testimonial

    Rawson Verco Need

    “Our core focus is privacy and identity security. There’s nothing out there right now that can effectively guarantee our data, identity and accounts are ours alone; the VeroCard is the best tool we’ve found to bridge that gap and provide real safety online, which is something that can’t be overstated. Importantly, the customer support and deployment process is straightforward, which makes security uptake much easier across the organisation. VeroCard is the best tool we’ve found to provide real safety online.”

    Randall Hughson – Director, RVN IT

  • Video Surveillance Systems and the Internet of Things

    The Internet of Things (IoT) refers to the growing billions of connected devices measuring, monitoring, collecting and sharing information, images and data without the need for human interaction. Enabling these otherwise dumb devices to be widely connected and to communicate automatically has created extraordinary utility, which in turn has seen exponential growth in the breadth of use and number of connected devices. IoT security has recently been shown to be less than adequate, with devices being easily hijacked, enabling a remote hacker to take control of the device, view device data streams and in some cases gain access to private networks. This has been made possible by the fact that, broadly speaking, device manufacturers have not been accustomed to working in the hostile and security-conscious environment of the internet, leaving a large proportion of IoT devices simply not designed for these operating conditions.

Even with widely publicised IoT security breaches such as the hacking of coffee machines bringing down industrial plants, the huge numbers of new devices being deployed are providing malicious actors with innumerable new attack vectors on a daily basis. Given this state of affairs it is not surprising that IoT hacking has been unbelievably effective to date. Hackers were able to exploit thousands (if not millions) of insecure connected devices to create a huge botnet which unleashed the biggest DDoS attack yet seen (the Mirai botnet attack brought down the likes of Twitter, Reddit, Netflix and CNN). While this hack used exploited devices to attack external networks, an exploited device could just as easily be used as a gateway to deeper levels of a network to seek out and extract sensitive and valuable private data.
Forbes predicts that by 2025 there will be over 80 billion smart devices on the internet, and with much of the embedded firmware being insecure and highly vulnerable, this potentially exposes an innumerable number of critical systems and private data sources. Employing connected IP cameras and Digital Video Recorders (DVRs), Video Surveillance Systems (VSS) are a subset of the IoT, and due to the ease with which these devices can be deployed, networked and controlled, an ever-growing number of VSS are joining the IoT. These systems are often built using devices from multiple vendors, meaning that, at best, there are only simple standardised end-to-end security protocols covering the system. While security and privacy challenges remain the foremost concerns for IoT in general, for Video Surveillance Systems these issues present an even more serious threat to organisations, as they offer an extra layer of abstraction (visual) combined with the often public placement of these devices.

Why is Security Such a Challenge for IoT Devices?

Not only are the systems for IoT and the associated devices at risk, the devices and systems are proving to be a “weak link” that allows hackers to infiltrate an IT system. This is especially true if the devices are linked to the overall business network. Devices of all types across all industries have been hacked. Home devices such as baby monitors and fridges, implanted devices such as pacemakers and drug infusion pumps, and even webcams and coffee machines have all been compromised, posing risks to individuals, companies and nations alike. There are several reasons for the lack of security and increasing risk of cyber threats to smart and connected machines through the growing inter-connectedness of the Internet of Things:

    • Security was never contemplated in the design or development stages for many Internet-connected devices.
    • IoT devices are generally short on processing power and memory and therefore lack the ability to embed robust security solutions and encryption protocols.
    • The networks and protocols that connect them have no, or no robust, end-to-end hardware-based encryption mechanism.
    • Search engines for IoT devices exist that offer hackers an entrée into webcams, routers and security systems.
    • Many IoT devices have default passwords (some of which cannot be changed!) that hackers can look up online.
    • Organisations are not prepared for IoT management, not tracking inventory or centralising management.
    • The devices often have “backdoors” that provide openings for hackers to obtain control or inject malicious code.
    • Internet Protocol (IP) addresses and Machine Identities (MIDs) are often misdirected by network managers (such as large telecoms), allowing data and images to be accessed by the wrong users.
    • Compounding these inherent problems with the weak (or in some cases non-existent) security of devices is the added challenge of keeping up with and making timely firmware upgrades (where the device is capable) across these mixed environments. This often requires physical access, making the task extremely difficult or near on impossible.
    • Humans. Simply put, the human element for potential sabotage needs to be removed or at least restricted and monitored.

"So long story short, the coffee machines are supposed to be connected to their own isolated WiFi network. However, the person installing the coffee machine connected the machine to the internal control room network, and then when he didn’t get internet access remembered to also connect it to the isolated WiFi network."

OK, so all IoT devices can suffer the same vulnerabilities – why the focus on VSS then?

While the security issues identified previously are definitely true for VSS components, they also have some unique issues over and above the obvious data integrity risks and the risk of being an attack vector for other business systems.
VSS devices have been shown to be massively insecure and exploitable, and with the growing number of devices deployed in publicly accessible places the threat is almost visceral. Despite improving attention to security from camera and system manufacturers, the devices themselves remain physically vulnerable to exploitation. Often the published factory default passwords are not changed when cameras are installed, or easily guessed passwords are used, leaving cameras exposed to intrusions including network attacks. Vulnerabilities and attack vectors increase with the growing number of elements in solutions and the exposure of each element to other systems and cloud services. As organisations add artificial intelligence, monitoring and business intelligence, and transmit, match and store more sensitive data, risks increase exponentially.

Compared to other IoT systems, VSS have an additional level of abstraction, i.e. the visual layer, making it possible to carry out novel attacks on the VSS that take advantage of the imagery semantics and image recognition. Exploited VSS can also be hijacked to extract data from networks by modulating LEDs, camera movements or the images themselves to create a bridge between air-gapped networks and the internet. The number of VSS devices is estimated to be around 245 million units, with circa 20% (i.e. ~50 million) being IP-based, and at least 38% of VSS devices have been shown to be vulnerable to default-credential attacks. It has been shown that devices infected with malicious code can be triggered to blur parts of images such as number plates or faces, or to send commands back to the control centre such as “freeze frame” or “stop recording”. The triggers for this exploit can be as simple as a QR code printed on a T-shirt.

So what is being done about it?

Whilst there is improving security for cameras and systems, they are still largely at risk.
Industry Response Manufacturers (in many cases) are adding incremental firmware to improve device authentication and security and, where possible, encryption of data in transmission. Integrators, installers and monitoring firms may add firewall appliances to provide blocks to outgoing connection attempts from cameras. Users and integrators, when interfacing with analytics and monitoring services, are sometimes improving security for human access to the controls or associated data from cameras and systems by adding Two-Factor Authentication for the users. Finally, data being collected by the cameras, interpreted by sophisticated analytical engines and being stored in specialised or standard memory repositories, is being encrypted in transit or at rest using standard software encryption methods. Why is VeroGuard a revolution in online and IoT security? One Unified Platform: VeroGuard is a single platform that guarantees the identity of machines and users to ensure communications can only take place by verified actors. It improves and extends the closed-circuit nature of the network. Prevention: VeroGuard is designed to prevent cybercriminal acts by utilising bank-to-bank/military-grade security for every communication and every device. Interoperability and Flexibility: VeroGuard is transparent to operating system and device types allowing enabled devices and associated servers the ability to participate without significant changes to applications. VeroGuard allows others to plug in to the most secure solution available over the internet and protects both communications and data. Identity Guarantee: VeroGuard uses a non-repudiable, out-of-band, multi-factor means of authentication developed for the banking industry. It applies to both machines and humans. 
Information Protection for your network and data: After verifying and validating the parties to a transaction, VeroGuard gives the communication its own encrypted tunnel, irrespective of the carriage used for that communication. VeroGuard provides the most secure data protection available at point of capture, in transit and at rest for the internet.

In Summary

Embedded/IoT devices represent the new power-house for large-scale or sophisticated attacks, and VSS are particularly exposed because of their number, ease of installation and intended functionality. Current Video Surveillance Systems have little or insufficient security to protect devices and data against increasingly sophisticated cybercrime. Current methods of password protection, encryption and additional authentication factors are being breached and will not protect your environment, networks or data from cybercrime, because the intrusion will be treated as authentic once the cybercriminal hijacks, steals or emulates the tokens, taking control of cameras, networks, servers and/or associated data. Increasing complexity and integration open more vectors for cybercriminals, including using the camera systems themselves to infiltrate core business applications and extract your data.

Further Reading

"IoT Reaper has the potential to be much more powerful than Mirai," warned Ken Munro, partner at Pen Test Partners, which has been tracking the threats posed by web-connected cameras of late. "IoT Reaper is also a bit simple - I suspect others will refine it shortly and make it even more effective."
- https://www.forbes.com/sites/thomasbrewster/2017/10/23/reaper-botnet-hacking-iot-cctv-iot-cctv-cameras/#1a6e040638f7

"Additionally, adversaries are likely to continue exploring IoT devices (such as CCTV and HVAC units) as an attack vector for air-gapped systems in government and industrial networks."
- news/cyber-security-challenges-2018

Under the terms of GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so.
- https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/

Hackers break into schools' CCTV system and stream footage of pupils live on the internet
- http://www.dailymail.co.uk/news/article-5432769/School-CCTV-systems-hacked-broadcast-online.html

Security cameras show 'HACKED' instead of live feed video
- https://www.csoonline.com/article/3227609/security/security-cameras-show-hacked-instead-of-live-feed-video.html

The majority of CCTV cameras can be easily hacked
- https://betanews.com/2016/03/10/cctv-cameras-are-easy-to-hack/

Dozens of Canon security cameras hacked in Japan, possibly because factory default passwords weren't changed
- https://www.scmp.com/news/asia/east-asia/article/2144960/dozens-canon-security-cameras-hacked-japan-possibly-because

Washington DC's surveillance cameras hacked… to send spam.
- https://nakedsecurity.sophos.com/2017/12/22/washington-dcs-surveillance-cameras-hacked-to-send-spam/

Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations
- http://s3.eurecom.fr/docs/trusted16_costin.pdf

  • Biometrics: Secure Authentication for the Future?

    In this ever-modernising age, using biometrics to authenticate identity is becoming increasingly popular. The biometric market contains numerous technologies, some of which have been integrated into devices for some time. These include fingerprint analysis and behavioural biometrics such as keystroke dynamics and voice recognition. These technologies have existed in phones since 2007, through well-known applications and functions including Siri (Apple's virtual assistant, released in 2011), Android 1.6 (which introduced keystroke dynamics in 2009) and the Toshiba G500 (the beginning of smartphone authentication through fingerprint scanning). More recently, facial recognition has become the trend in smart devices such as the iPhone X and Microsoft Surface, and for the past three years Android devices (85% of the global market) have supported this physical biometric for controlling user access. Over that time, issues with facial recognition have been identified and a proportion have been rectified, yet some disadvantages of individual authentication have remained insurmountable.

Whilst biometric technology is applied in many environments, this discussion document focuses on consumer-grade authentication. Several applications use biometrics successfully where all the conditions are controlled. However, there are many unresolved challenges in making biometric use universal and secure for authenticating an individual's digital identity. This paper looks at a number of those issues.

Biometrics Disadvantages

Biometric authentication methods, encompassing facial recognition, fingerprint analysis and other biometric identifiers, suffer from these fundamental flaws:

- Once a biometric is captured, it can be reproduced indefinitely, and the current crop of facial recognition and fingerprint analysis can be bypassed with little effort.
- Once a biometric has been compromised, it cannot simply be reset, unlike a password or PIN.
- Privacy and ethical constraints.
- The surrounding environment and usage over time can affect measurements.
- Current biometric systems are not 100% accurate.
- Many biometric systems require integration or additional hardware.

Once a biometric is captured, it can be reproduced indefinitely, and current biometric authentication can be bypassed with little effort

Specialists promoting biometrics will always point to the positive developments in the technology. However, as security solutions become more sophisticated, the experts tend to leave out that attackers' methods and hardware keep pace, developing new techniques of infiltration. "For example, realising that fingerprint scans offered insufficient protection, Barclays, in 2015, progressed from using normal fingerprint scans to adopting technology that scans for the veins in users' fingers. Despite this innovation, Swiss researchers beat the system using image-processing techniques in the same year." (Bergsman, 2016)

A stolen biometric has far greater repercussions for users than a stolen password. A biometric reveals a part of the user's identity that is intensely personal and could be used to falsify travel, criminal records and legal documents, quite apart from the fact that biometrics are fundamentally permanent. In a well-known U.S. Government breach (the 2015 Office of Personnel Management breach), fingerprints of 5.6 million individuals and Social Security numbers of 21.5 million individuals were compromised. In response, an inter-agency group was created to investigate the possibility of resulting payment fraud and creation of fake identities. Although Federal experts have stated that the ability to misuse fingerprint data is limited in this event, that ability will undoubtedly grow for future breaches.
Another, more recent breach saw the biometric authentication data of more than 1 million people compromised, including UK Metropolitan Police, defence contractors and bank employees (The Guardian, 2019). The flaw in the system (Suprema's BioStar 2 access-control platform) allowed an intruder to view the real-time authentication of users as well as change data and add new users. "It's very common. There's literally millions of open systems, and going through them is a very tedious process," said Noam Rotem, an Israeli security researcher.

Bypassing facial recognition

Facial recognition is the second most installed biometric security in the market today, after fingerprint analysis. Three categories of attack form the basis for facial recognition breaches: impersonation with a photograph, impersonation with a video, and 3D impersonation of the victim's face, for example with a hyper-realistic mask. The fundamental issues arise largely from hardware and environment, such as whether the system uses visible light or another method of recognition, the number of active sensors, resolution and lighting, to name a few. "Most of the state-of-the-art facial biometric systems are vulnerable to simple attacks that a regular person would detect easily" (Hernandez-Ortega, Fierrez, Morales, Galbally, & Marcel, 2019), and such attacks can be carried out at low cost, since high-resolution cameras are readily available and cheap.

Photographic Impersonation

This extremely cheap and easily accessed method of infiltration is performed either by printing out a copy of the victim's face or by presenting a high-resolution photograph on a device such as a smartphone, tablet or laptop. Since the introduction of social media applications, it has become far easier to circumvent simple facial recognition technology.
There are, however, countermeasures that perform well against such attacks, yet in some cases these are not a 'stock' option and need to be integrated into the product.

Video (Replay) Attacks

Correspondingly, video attacks benefit from the same availability, thanks to the growing global use of video sharing applications and social networks. Unlike photographs, videos have a higher success rate because of the liveness they add to the visual. Once the footage has been copied, replaying it is easy given the global use of smartphones (now approaching 50% of the global population). More specific countermeasures are required to catch replay attacks and, as expected, these often need to be installed at extra expense.

Mask Attacks

Through 3D construction of an individual's face, the attacker by and large gains full access to the victim's facial identity. Whilst the most successful method, mask attacks are also the most expensive and difficult to carry out compared with photographic and replay attacks. That said, 3D facial recognition scanners can be circumvented simply by printing a 2D photo, attaching it to a deformable structure and wearing it as a mask. Whilst this is less successful, especially against sophisticated systems, it fundamentally undermines the security of an advanced and, to some extent, costly form of authentication. Even sophisticated 3D facial scanners can be deceived, although at far greater cost. 3D printers enable attackers to reconstruct an individual's face from two photographs (frontal and profile). Although this method is unlikely to fool the highest-calibre scanners, it has proven effective against most standard recognition systems. Yet, as technology advances, circumvention techniques keep pace.
At exorbitant cost, a new generation of 3D acquisition sensors has been developed, allowing attackers to create a flawless copy of a target's face and defeat even the most sophisticated scanners (Hernandez-Ortega, Fierrez, Morales, Galbally, & Marcel, 2019). Although a great deal of work has been invested in integrating and developing facial recognition, it is ultimately an insecure method of authentication; even a manufacturer's own disclaimer states that "face recognition is less secure than pattern, PIN or password."

Once a biometric has been compromised, it cannot simply be reset, unlike a password or PIN

A biometric cannot be thrown away and replaced like a password or a credit card number. Rather, it is permanently associated with a user. Recent work on biometric template protection (cancelable transforms and fuzzy commitment schemes, which play the role that salting and one-way hashing play for passwords) reduces the collateral damage of a leak. But just as with passwords that are reused across sites, there will always be a poorly designed system that leaks raw biometric data, ruining it for all other systems. Despite advances in security controls, one's identity, which is invaluable and irreplaceable, will always be at risk. Such systems cannot be reset once compromised; they can be updated and improved upon, but there is no mechanism to change your face as simply as you change a password or PIN. This creates another identifier that could become valuable to fraudsters: if facial recognition is widely adopted, a black market for face data is likely to emerge, just as there is for addresses, dates of birth and your mother's maiden name, simplifying the third tier of attacks, the mask attack.
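As an added example (not from the original page or any product it mentions), the code below shows why a biometric cannot be protected the way a password is, and what the template-protection techniques referred to above actually do. A password is hashed and compared exactly; a biometric reading differs slightly every time, so a hash of the enrolment template never matches a later reading. A fuzzy commitment instead binds a fresh random key to the template with an error-correcting code and stores only the hash of the key plus "helper data"; the key, and so the stored record, can be revoked and reissued while the face stays the same. The 256-bit binary template is a constructed stand-in for a real feature vector, and the repetition code is a teaching substitute for the BCH or LDPC codes deployed schemes use.

```python
"""Why a biometric cannot simply be salted and hashed, and how a fuzzy
commitment yields a revocable stored credential instead.

Added example, not from the original page: the template is a constructed
stand-in for a binarised feature vector and the repetition code is a
teaching substitute for the stronger codes used in deployed schemes.
"""
import hashlib
import random
import secrets

BLOCK = 8                          # repetition length; corrects up to 3 flipped bits per block
KEY_BITS = 32                      # random key bound to the template at enrolment
TEMPLATE_BITS = KEY_BITS * BLOCK   # 256-bit binary template


def constructed_template(seed=7):
    """Deterministic stand-in for a binarised biometric feature vector (constructed)."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def flip_bits(bits, positions):
    """Copy of bits with the given positions inverted: simulated sensor/lighting noise."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def digest(bits):
    """SHA-256 over a bit list; used both for the naive hash and for the key commitment."""
    as_bytes = int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")
    return hashlib.sha256(as_bytes).hexdigest()


def encode(key):
    """Repetition code: each key bit is written BLOCK times."""
    return [b for b in key for _ in range(BLOCK)]


def decode(codeword):
    """Majority vote per block; guaranteed correct while at most 3 of 8 bits are flipped."""
    return [1 if 2 * sum(codeword[i:i + BLOCK]) > BLOCK else 0
            for i in range(0, len(codeword), BLOCK)]


def enrol(template):
    """Fuzzy commitment: store H(key) and codeword XOR template, never the template itself."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = [c ^ t for c, t in zip(encode(key), template)]
    return {"key_hash": digest(key), "helper": helper}


def verify(record, reading):
    """Unmask the codeword with a fresh reading and check the recovered key's hash.

    helper XOR reading = codeword XOR (template XOR reading); the XOR of the two
    readings is the noise, which the code removes if it is within capacity.
    """
    noisy_codeword = [h ^ r for h, r in zip(record["helper"], reading)]
    return digest(decode(noisy_codeword)) == record["key_hash"]


def demo():
    template = constructed_template()
    # 16 flipped bits, one per block: a typical noisy re-read of the same face
    noisy = flip_bits(template, [i * BLOCK + 3 for i in range(16)])
    # five flips inside a single block: beyond what the code can correct
    too_noisy = flip_bits(template, [0, 1, 2, 3, 4])
    record = enrol(template)
    reissued = enrol(template)   # revocation: same face, fresh key, different stored record
    return {
        "hash_matches_noisy": digest(template) == digest(noisy),
        "fuzzy_accepts_noisy": verify(record, noisy),
        "fuzzy_rejects_too_noisy": verify(record, too_noisy),
        "reissued_record_differs": record["helper"] != reissued["helper"],
        "reissued_accepts_noisy": verify(reissued, noisy),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:25} {value}")
```

Two caveats matter for the page's argument. First, the protection only covers the stored record: the face itself remains the long-term secret, so a system that stores raw images or templates leaks something no re-enrolment can repair, which is exactly the point made above. Second, helper data is not a hash. With a weak code such as the repetition code here, helper data from two deployments enrolled on the same face can be XORed together to link them and recover structure, so real schemes use stronger codes, longer keys and template transforms on top, and their security is bounded by the entropy of the biometric.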
Privacy and ethical constraints

Biometric methods are not for all consumers. Whilst mobile devices such as smartphones will likely continue to integrate this technology for customer convenience, it is unlikely that enterprises will follow this path, as they increasingly understand the need for the highest assurance level of authentication to shield companies from the growing cyber threat. Biometric systems intrude on user privacy, as the measurements produced are highly sensitive personal data that is, in many cases, stored and re-used. Furthermore, this information is often available for disclosure, for example by the Australian Government to other governments (including U.S. immigration and security agencies) (Australian Policy Foundation, 2019). Whilst the growing use of biometric data may not directly concern today's users, or the new generation that has grown up amongst these developments, current and future use of this technology to protect increasingly sensitive data looks increasingly likely to produce a wave of citizen regret. As databanks of a relatively permanent identifier multiply, the consequential risk of credential loss and/or misuse increases sharply. Biometric readings are already mandatory at some airport customs checkpoints, to ensure that the traveller is who they claim to be when presenting a passport; with international travel predicted to increase by 35% over the next decade, numerous unavoidable databanks of biometrics are likely to form. Furthermore, an article in Traveller discusses contemporary uses of biometrics, such as how "Hertz has already launched biometric kiosks" and how "hotels are trialling the technology too" (Groundwater, 2019), showing how widely and indiscriminately biometrics are being pushed.
Should any one of these databanks be breached, this irreplaceable user identifier could allow attackers to assume control over anyone's personal information and data. Thus, whilst it is undeniable that international adoption of this technology is becoming widespread, the fact is that biometrics cannot protect their users' privacy and should not be used to protect such sensitive data.

The surrounding environment and usage over time can affect measurements

This authentication technology, whilst convenient, is ultimately susceptible to attacks that undermine biometric integrity and reliability. New techniques can reduce these factors, but to keep the sensor convenient for the user, sacrifices in accuracy and dependability are necessary. Hence consistency issues arise: small discrepancies such as minor injuries or different lighting would be a serious inconvenience if they caused the user to be rejected. The tolerance these devices must therefore allow inevitably opens loopholes and weak points for circumvention.

Current biometric systems are not 100% accurate

It is a minor issue for a biometric system to fail to recognise the user and require repeated attempts; it is another matter when biometric systems, facial identification in particular, are used for far more sensitive purposes and are still not up to scratch in terms of accuracy. Joy Buolamwini, in her TEDx talk, stated: "My friends and I laugh all the time when we see other people mislabelled in our photos... but misidentifying a suspected criminal is no laughing matter, nor is breaching civil liberties." (Finley, 2019) She clearly outlines the potential future issues and danger in relying on an inaccurate identification system. A further example of inaccuracy in facial recognition appears in a very recent article on the Solar Rebate's response to making the application process "much faster": in the first two weeks, 40% of users reported identity check failure.

Many biometric systems require integration or additional hardware

While many personal devices include cameras, it takes more than a simple camera to provide even basic facial recognition for authentication. Typically a regular camera, an infrared camera and possibly numerous other sensors that detect depth or map the face in 3D are required. As increasing amounts of data and information are stored on these devices, their value will rise sharply, reaching a point at which the convenience of biometric readers is outweighed by the global requirement for unquestionable security. Furthermore, all these additions to the basic device together create a substantial extra cost, and in future could become largely insecure and redundant.

In Summary

Ultimately, biometric authentication is not as dependable, private or reliable as a long, strong password. Whilst this method of authentication offers far more protection than a predictable, short password, the contemporary and future application of such measures will be limited to raising the floor of security rather than expanding our cyber protection horizons. Our global integration of this technology has already reached a point at which the data protected by biometric systems exceeds the level of security that biometric scanners can deliver. The probable privacy issues of biometrics will be tested daily, and the known vulnerabilities will challenge risk assumptions with rapidly changing real data.
A rapid shift to digital economies around the globe requires a far more secure process of user authentication, one that nullifies the current and forthcoming critical issues with biometrics: privacy, accuracy and immutability. There are simply much better options for providing a non-repudiable, unified and universal digital identity, options that not only address these issues but also provide a safer, more secure and more reliable path to the digital economy.
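As an added example (not from the original page), the simulation below puts numbers on two of the points made above: that the tolerance a device must allow so that genuine users are rarely rejected is what opens loopholes, and that a printed photograph defeats a 2D system regardless of where the threshold is set. Match scores are drawn from constructed distributions for the enrolled user, a random impostor and a photo-of-the-user presentation attack against a sensor with no liveness detection; the distribution parameters are assumptions chosen to illustrate the trade-off, not measurements of any product.

```python
"""Threshold trade-off between false rejects, false accepts and presentation attacks.

Added example, not from the original page. Scores are drawn from constructed
distributions; the parameters are assumptions, not measurements of any product.
"""
import random


def simulate_scores(seed=1, n=4000):
    """Similarity scores, roughly in [0, 1]; higher means 'looks more like the enrolled user'."""
    rng = random.Random(seed)
    return {
        "genuine": [rng.gauss(0.80, 0.10) for _ in range(n)],   # enrolled user, varying lighting
        "impostor": [rng.gauss(0.35, 0.10) for _ in range(n)],  # a different person, no effort
        "attack": [rng.gauss(0.60, 0.12) for _ in range(n)],    # printed photo of the enrolled user
    }


def frr(genuine, threshold):
    """False rejection rate: genuine readings scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False acceptance rate: zero-effort impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def iapmr(attack, threshold):
    """Impostor attack presentation match rate (the ISO/IEC 30107-3 term): attacks accepted."""
    return far(attack, threshold)


def threshold_for_frr(genuine, max_frr):
    """Highest threshold that keeps FRR at or below max_frr (usability-driven tuning)."""
    ordered = sorted(genuine)
    idx = min(int(max_frr * len(ordered)), len(ordered) - 1)
    return ordered[idx]


def threshold_for_far(impostor, max_far):
    """Lowest threshold that keeps FAR at or below max_far (security-driven tuning)."""
    ordered = sorted(impostor)
    k = int(max_far * len(ordered))          # impostors allowed at or above the threshold
    return ordered[-k] if k else ordered[-1] + 1e-9


def operating_points(scores, usability_frr=0.02, security_far=0.001):
    """The two ways a vendor can set the threshold, with what each costs."""
    g, i, a = scores["genuine"], scores["impostor"], scores["attack"]
    report = {}
    for name, t in (("usability", threshold_for_frr(g, usability_frr)),
                    ("security", threshold_for_far(i, security_far))):
        report[name] = {"threshold": round(t, 3), "frr": frr(g, t),
                        "far": far(i, t), "iapmr": iapmr(a, t)}
    return report


if __name__ == "__main__":
    for name, m in operating_points(simulate_scores()).items():
        print(f"{name:10} t={m['threshold']:.3f}  FRR={m['frr']:.2%}  "
              f"FAR={m['far']:.3%}  photo attacks accepted={m['iapmr']:.1%}")
```

With the assumed distributions, the usability-tuned threshold (FRR 2%) accepts well under 1% of random impostors but roughly half of the printed-photo attempts; the security-tuned threshold (FAR 0.1%) turns away several percent of genuine attempts and still passes around a third of the photo attempts. Moving the threshold trades genuine users against zero-effort impostors; it cannot separate the user from a good copy of the user, which is why the countermeasures discussed above (liveness detection, extra sensors) have to be added rather than tuned in.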

  • ASX listed cyber security stocks

    The scale of the cyber-security problem is immense, with cyber-crime costing $US1 trillion in 2018 alone, and forecasts suggesting that losses will grow to $US6 trillion as soon as 2021. In Australia, the government says cyber-security incidents cost Australian businesses up to $29 billion per year, with cybercrime events affecting almost one in three Australian adults in 2018. Chinese tech giant Huawei recently admitted that it endures about a million cyber-attacks on its computers and networks every day.

Cyber-security consultant Tony Barnes, director of Cyber Research Group, told me recently, "When you switch servers on, they're like magnets in the way they attract attacks." Barnes said that showing companies the scale of the constant attacks on them is a penny-dropping moment: "When people visualise it, it scares the pants off them," he said. And what really worries the cyber-security community is that innovation in cyber-security is falling behind innovation by the global hacker community. "As long as humans remain predisposed to click on interesting emails, rely on easy (or no) passwords, or browse to places we shouldn't, the hackers will have the edge," says Saumitra Das, chief technology officer and co-founder of deep-learning cyber-security platform Blue Hexagon.

Of course, cyber-security is a great business opportunity for those with the products and systems that can help governments, companies, organisations and individuals get ahead of the bad guys. According to the Australian Cyber Security Growth Network, the global cyber-security market is currently worth about US$131 billion, and is set to increase to US$248 billion by 2026. Looking at the Australian stock market, though, you would not know that cyber-security is a growth business. The ASX does host cyber-security companies, but sadly, it is a desert in terms of investment success.
Is this because the technology offerings are lacking in some way, or because of the relative lack of specialist investors to pick up on the opportunities being presented and give them some market support and impetus? That appears to be a big problem. For example, the highly promising Australian cyber-security firm VeroGuard Systems, which says it is the "first and only platform to make indisputable verification possible in online use," is considering an offshore listing to maximise its likelihood of reaching the specialist investors that would be the cornerstones of its share register, although the company's hardware security modules (which make possible the ultra-secure authentication, encryption and communications at both ends of every online transaction) will be manufactured in Adelaide.

Source: https://www.nabtrade.com.au/investor/insights/latest-news/news/2019/10/four_asx_listed_cybe

  • Rethinking Digital Identity

    Every day we read about a new threat to personal, government and business systems, despite the billions of dollars spent annually on cyber security. In fact, at least one in four people reading this will personally experience an identity breach in the next two years. Direct losses are often covered, but the reality is that we all ultimately pay for the economic impact of cyber-crime. Recent cyber-crimes have also had dramatic political and social outcomes that have arguably changed the course of history. It is estimated that the economic impact of cyber-crime in Australia will exceed $15 billion this year, and Forbes estimates that the cost is tripling every two years. The actual cost, including the significant cost of building cyber security layers, is becoming increasingly apparent and is clearly unsustainable on its current trajectory.

If these new threats were not enough, many of us are also carrying a few battle scars of escalating IT costs or project blowouts as we try to implement better customer services. Everyone is grappling with the complexity that has built up over many years: multiple networks (open and closed), on-premise and cloud-based applications, millions of devices, software for every function, and the challenge of recognising and managing what access users have in each environment. Meanwhile smartphones and platforms have transformed how people go about their lives, moving from organisational dependence to individual control. Whilst we are designing systems to make our customers' lives easier online, we often have to trade off either security or convenience. Entering long strings of numbers, or working through multiple steps to select street signs in pictures, all adds to the complexity of the online user experience. Further, we are also expecting users to trust organisations and give up unique information (which cannot be reset when breached) such as facial features or fingerprints.
The bottom line is: it's hard for anyone to realise the benefits of digitisation when grappling with the complexity of mixed architectures, the threat of cyber-crime, and the escalating costs and risks associated with both.

Time to stop paving the same path!

Many of our current systems were created to work as private networks, where the access of individuals and devices can be controlled with rules and audit trails. Although the concept of the internet dates back to the 1960s and the World Wide Web went mainstream in the mid-90s, the opening up of these systems to outsiders has been gradual. We are still grappling with the convergence of mixed systems (open and closed), the billions of devices connected to the internet and the millions of applications co-existing in hybrid environments, without any real standards for proving identity (the internet was purposely developed without an identity layer). The answer to this change has mostly been to keep developing and layering on more of the same architectures, re-paving the same cow path in an effort to keep up.

We need a new Security Architecture

In this world of joined-up data and services, mixed private and public data, AI-driven cognitive systems and sophisticated algorithms, more flexible security architectures that switch between open and closed networks seamlessly, together with a trusted universal ID and verifiable authentication, are essential. Paving the same path has meant that we are not only building tomorrow's legacy of problems, but also increasingly exposing citizens to the threats emerging with the internet of things, such as riding in hijackable machines like autonomous buses and cars. A risk-managed approach may have unacceptable outcomes. So, if we had the luxury of designing this new security architecture and trusted distributed system from the ground up, how would it look?
- It is made for the internet, and can switch millions of private connections from user to user across the internet, in and out of open or closed environments.
- Users control their own ID and consent, and store their own ID information, not organisations.
- It uses secure methods that can remove any unauthorised use of an ID.
- Its security can protect a transaction or transmission against hijacking or interception.
- It can work securely over multiple systems, operating systems and platforms.
- It gives the user the tools to have complete confidence in the party at the other end of a transaction or communication.

At this point, many people would propose Blockchain or Distributed Ledgers as a possible solution; certainly billions of dollars are pouring into R&D to explore this. While it continues to have much data integrity potential, a number of recent publications have highlighted that Blockchain is yet to solve the security, identification, scalability and privacy features required for an identity platform.

One that gives the power of identity and privacy to its users

If we could rapidly implement a security architecture that switches private connections between individuals and organisations, we would be able to manage our living and working lives with confidence. At the heart of this is the capability to prove identity, authenticate securely and manage privacy. It can be argued that this requires a shift from traditional organisation-bound identity credentials to externalising and aggregating the identity with its true owner: the user. Consumers want power, comfort, convenience and security, so for any solution to be quickly and effectively adopted it should:

- Deliver a simple ID credential with a single, re-usable way to log in.
- Provide the user with complete control over usage and any changes to identity details.
- Be usable with any system, device and operating system.
- Have security that protects the end user and allows them to trust who they are dealing with online.

Being innovative does not have to be risky!

The real risk is that we don't shift our mindsets quickly enough from always looking at established technologies to seeking out the innovations being specifically designed for mixed architectures, such as Melbourne-based VeroGuard or Sydney-based Meeco. New architectures can deliver the true citizen-centric models we desire by converging security, identity and convenience, in turn delivering a new level of trust for the economy of people. We have an extraordinary opportunity, and some might say a responsibility, to pursue and trial these step-change security solutions that protect all Australians across domains, particularly those developed in our own back yard. Considering what is at stake with the impacts of cyber-crime, a sustainable digitisation path that more people can use and trust is essential, and the opportunity is massive for those leaders who open new paths that could at the same time actually reduce their ongoing risks.

Source: https://www.themandarin.com.au/83810-rethinking-digital-identity/
