VeroGuard
Systems
- Cyber Threats to Critical Infrastructure: A Global Wake-Up Call
After hackers linked to China reportedly gained access to the IT networks of hundreds of small and medium-sized water and power utilities in the U.S., alarm bells are ringing for utilities and critical infrastructure (CI) operations across the world. In an attack that some observers suggest is pre-positioning for sabotage of water and power supplies should the U.S. look to intervene in any potential conflict with Taiwan, China has demonstrated the inherent weaknesses in operational technology (OT) systems that many have been calling out for the last decade.

The Ongoing Volt Typhoon Case

CISA (the U.S. Government's Cybersecurity and Infrastructure Security Agency) first warned about this type of threat over two years ago, after tactics, techniques, and procedures (TTPs) linked to the Chinese hacking group 'Volt Typhoon' were discovered affecting networks across U.S. critical infrastructure, which led to the warning being issued to CI operators of the potential threat.

The Real-World Impact of Infrastructure Attacks

The consequences of a successful attack on CI can be severe – for example, a hospital without water supply would be forced to evacuate within hours. A shutdown in electricity generation could affect entire cities, bring transport to a halt and disrupt manufacturing facilities.

Even when not directly targeting CI, cyberattacks can have far-reaching effects. We don't need to look far to see how far a single intrusion can reach when industrial systems are subjected to a cyberattack: the recent Jaguar Land Rover (JLR) hack forced the complete shutdown of production lines globally and reportedly affected over 5,000 related organisations. This incident is being described as the most expensive cyberattack ever in the UK, with estimated economic losses of £1.9 billion (US$2.55 billion) and JLR losing £50 million per week from the shutdown.

Costs to business are one measure, but the cost to society could be far greater given the potential turmoil a successful attack on a city's infrastructure could generate. It is no surprise, then, that government cyber agencies would issue directives such as CISA 23-02, which required all US Gov Agencies to immediately implement controls to block access to web interfaces on appliances – but, while important, these seemingly small changes have wide-ranging impacts on the operational actions and costs of running utility companies.

Persistent Vulnerabilities in Utility Networks

According to Dark Reading's review of attacks on US water utility companies, there remain significant issues with network and system security, such as:

  - Inadequate identity and access controls for devices and users.
  - Poor segmentation of IT/OT networks.
  - Legacy OT equipment, often with weak authentication (some reportedly still using default credentials) and remote connectivity.
  - Under-resourced utilities: little staffing, small budgets, less mature cyber practices.
  - Insufficient monitoring and incident detection in OT/ICS domains.
  - Default credentials / insecure configurations of ICS/SCADA devices.

While PLC vendors are increasingly building security features into their devices, the vast majority of operations don't typically run this next-generation gear.

Strategic Priorities for CI Operators

To mitigate risk, CI operators should prioritise:

  - Strong identity & device authentication across both IT and OT domains.
  - Network and device segmentation, especially isolating OT from general IT.
  - Reducing attack surfaces by disabling insecure remote access, default credentials, open ports.
  - Continuous monitoring for unusual activity or lateral movement within networks.

The Role of VeroGuard in Securing CI

The VeroGuard Platform offers a scalable and effective solution for protecting access to systems and technology assets.

Role of VeroGuard / VeroMod

  - Hardware-based identity for OT devices: VeroMod reduces the risk of rogue devices and lateral exploitation.
  - User identity verification: VeroCard ensures secure authentication for personnel.
  - Virtual air gap and segmentation: VeroMod allows OT devices to communicate only with authorised endpoints, maintaining isolation while enabling remote access.
  - Legacy infrastructure protection: Utilities can retrofit VeroMod onto existing OT systems, enhancing security without costly replacements.
  - Scalable for resource-constrained utilities: The platform reduces reliance on large in-house cyber teams, addressing the "target rich but cyber poor" challenge.

VeroGuard offers the next generation of platform that secures connected systems, machines and data. The VeroGuard Platform ELIMINATES credential and identity compromise on open networks to act as the foundation of any zero-trust deployment. With our ecosystem partners, VeroGuard's modern end-to-end ICAM solution provides Next Generation MFA^ and advanced Attribute Based Access Control (ABAC) for powerful granular access management to systems and assets.

Any critical infrastructure operator migrating to the Cloud, connecting OT and IT networks, wanting to exploit open networks for machine communications, or looking to secure their supply chain should assess the VeroGuard Platform.

^Next Generation MFA: Secure hardware-bound cryptographic authenticator (NIST AAL3) with identity verification. Phish-resistant, Tamper-resistant, Verifier impersonation-resistant, Compromise-resistant.
- The Spring Onion Hack: Why Your PC’s Security Might Be a Joke.
In a bizarre twist that sounds more like satire than cybersecurity research, it was recently demonstrated that a spring onion (yes, the vegetable!) could be used to bypass security on Dell devices by exploiting firmware vulnerabilities. This isn't just a quirky headline – it's a serious wake-up call for anyone relying on built-in device security like TPMs or biometrics.

What Happened?

The vulnerability, as reported by Computer Weekly, involves flaws in Dell's firmware that could allow an attacker to bypass secure boot mechanisms. The researchers showed that even with a Trusted Platform Module (TPM) present, the system could be compromised using physical access and "clever manipulation" – like using a vegetable to trigger capacitive sensors – highlighting how superficial some security implementations can be.

The Problem: Trusting the Wrong Hardware

The Dell vulnerability highlights a fundamental flaw in modern device security: even when a PC has a secure element like a TPM, it's not truly secure if the firmware can be tampered with. In general, these devices lack tamper resistance, meaning attackers can gain physical access to probe secure circuits and manipulate them to reveal their secrets.

And then there's biometrics. The "Spring Onion Hack" shows how biometric authentication can be spoofed or bypassed. Once considered cutting-edge, biometrics are now continually proving to be inherently insecure when used as the sole method of authentication.

The Limitations of TPM and Biometrics

TPM: Not a Silver Bullet

  - TPMs are embedded in general-purpose devices and rely on firmware integrity.
  - If the firmware is compromised, the TPM can be rendered ineffective.
  - TPMs lack physical tamper resistance in most consumer devices.

Biometrics: Convenient but Insecure

  - Biometric data is not secret.
  - Can be spoofed and bypassed.
  - The "Spring Onion Hack" shows how easily sensors can be tricked.

The VeroGuard Solution: Security by Design

At VeroGuard, we believe security should be purpose-built, not patched together from consumer-grade components. Here's how our solution addresses the issues exposed by the Dell incident:

Purpose-Built Hardware Authenticator

VeroGuard uses a dedicated hardware authenticator that is designed from the ground up for secure identity verification. The VeroCard is dedicated solely to identity-based functions. It has no physical ports for external connections and cannot be remotely activated, ensuring it remains isolated and secure from unauthorised access.

Tamper Resistance Is Non-Negotiable

Security that can be physically bypassed isn't security at all. VeroGuard's authenticator is engineered with true tamper resistance and certified to payment industry specifications, ensuring that even if an attacker has physical access, they can't compromise the device or the credentials it protects.

No Biometrics, No Guesswork

We don't rely on biometrics. Why? Because: 1) they're not secret, and 2) they're probabilistic and not deterministic. Biometric authentication systems are intentionally designed to tolerate slight variations in input, because no two biometric scans – even from the same person – are ever exactly identical. Ironically, a 100% match is often treated as suspicious, since it may indicate a replay attack using a previously captured biometric sample. VeroGuard uses cryptographic keys stored in secure hardware.

Out-of-Band Authentication

Most importantly, VeroGuard's authentication process occurs outside the target device. This out-of-band approach means that even if the PC or phone is compromised, the authentication remains secure. The device never sees your credentials, making phishing and malware attacks highly ineffective.

Final Thoughts: Don't Let Your Security Be a Joke

The spring onion hack is amusing – until you realise it could happen to your business. It's time to stop trusting consumer-grade security and start demanding real protection. VeroGuard offers a solution that is not just secure in theory, but secure by design.

  - Dedicated hardware designed specifically for secure identity verification.
  - Purpose built for authentication – NOT general-purpose use.
  - Out of Band – Authentication occurs outside the target device.
  - Hardware Security Modules – Credentials are never exposed to the device, reducing phishing and malware risks.
  - Engineered with true tamper resistance – keys are wiped if tamper is detected.
- Was that a Passkey Breach?
No, but could this be a sign of what's ahead?

Researchers recently reported encountering a phishing attack in the wild that bypasses multifactor authentication using passkeys, the industry-wide standard being adopted by thousands of sites and enterprises. Further review of the attack path has shown that the bad actor did not bypass the passkey authentication but was successful in using a downgrade path to achieve their goal of accessing the user's account.

While this review emphasises that passkeys remain a strong and secure method for MFA, it also highlights that not all authenticator types should be considered equal, and that software-bound credentials and implementations (in this case the implementation of the passkey authentication standard) should never be completely trusted.

TL;DR

While smartphone-based passkeys improve user convenience, they compromise FIDO2's foundational hardware-bound security model. In high-risk environments, only dedicated hardware authenticators like VeroCard can maintain cryptographic integrity, attestation trust, and robust phishing resistance.

What Happened in the Recent "Downgrade" Phishing Attack Using FIDO2 Cross-Device Sign-In?

In a recent report (mid-2025), researchers at Expel observed a real-world phishing campaign by the group known as PoisonSeed, which exploited the cross-device sign-in feature in a clever adversary-in-the-middle attack:

  - Victims received a phishing email directing them to a counterfeit enterprise login portal.
  - After entering credentials, the phishing site relayed them in real time to the legitimate site and triggered a cross-device sign-in request.
  - The legitimate site generated a QR code for authentication, which the phishing page immediately captured and displayed.
  - When the victim scanned the QR code with their phone, they unknowingly authenticated the attacker to the legitimate site.

While this manoeuvre downgrades FIDO2 authentication to a weaker flow and is not a breach of the FIDO2 protocol, it uses the weakness of the downgraded process, facilitated by a smartphone-based passkey, to obscure what is really happening from the victim.

Why Using a Smartphone as a FIDO2 Authenticator Is Insecure

Using a smartphone as a FIDO2 authenticator introduces fundamental security trade-offs that break key FIDO2 security assumptions, fracture passkey provenance and can enable bad actors to run a downgrade attack on passkey authentication.

Passkeys created and stored on smartphones provide a convenience-security compromise that may be acceptable for consumers, but remains unsuitable for enterprise, critical infrastructure, or regulated environments. For these use cases, dedicated hardware authenticators like a VeroCard are the only way to maintain the original security promise of FIDO2.

Breaking FIDO2's Original Core Security Premise

FIDO2 was designed on the principle that private keys never leave the security of the hardware authenticator. Driven by the consumer desire for convenience, the FIDO2 specification was revised to allow synchronisation of passkeys across cloud ecosystems so that users could easily access systems and sites using a single passkey.

When users sync passkeys across devices using cloud services (like iCloud Keychain or Google Password Manager), the baseline security of passkeys is violated:

  - The private credential is copied to multiple devices.
  - Security of passkeys is now dependent on cloud account protections, not local hardware.
  - If a cloud account is compromised, all passkeys are accessible remotely.
  - In some environments users can share passkeys with others – fracturing any assertion of passkey attestation.

This turns a local, hardware-bound credential into a cloud-distributed secret, significantly weakening the trust model.

How VeroCard Solves These Issues

VeroCard restores the original FIDO2 security promise by:

  - Hardware-Enforced Isolation
    - Private keys remain protected in hardware at all times.
    - Each key is device-bound and tied to the physical VeroCard hardware.
  - No Cloud Syncing
    - Eliminates risks from iCloud, Google account, or password manager compromise.
    - No cross-device duplication or migration of credentials.
  - Downgraded flows are not allowed
    - VeroCard does not allow the use of QR code downgrades.
    - A single user gesture, PIN entry, and subsequent passkey login provide a full MFA without the need for any other factors.

VeroGuard further enhances security by:

  - Requiring User Verification
    - VeroCard enforces user presence through PIN verification for every login.
    - PIN verification is completed by the VeroGuard Platform prior to allowing the passkey to be used.
    - Requires explicit user interaction, resulting in identity verification and impersonation resistance.
  - Origin Binding Enforced in Platform
    - VeroGuard verifies the relying party (domain) has been permitted for the user, and ensures credentials are domain-specific.
  - Centrally managing VeroCards
    - Tracking and managing devices
    - Block use of and remove credentials
    - Block VeroCard if lost
  - Offering certified end-to-end process
    - Common Criteria
    - PCI-PTS

Summary

| Risk Area | Smartphone Passkeys | VeroCard |
| --- | --- | --- |
| Private key leaves device | ❌ Yes (via cloud sync) | ✅ No |
| Cloud account attack risk | ❌ High | ✅ None |
| Cross-device phishing exposure | ❌ Possible | ✅ Prevented |
| True hardware-based isolation | ❌ Weak | ✅ Strong |
| Enterprise-grade assurance | ❌ Lacks | ✅ Delivers |
| Verified user presence | ❌ Optional or implicit | ✅ Required (and verified) every time |
| Phishing/AitM resistance | ⚠️ Can be bypassed with cross-device flows | ✅ Guaranteed |
| Hardware certification & standards | ⚠️ Some component level | ✅ EAL2+/PCI-PTS |

VeroGuard is Common Criteria EAL 2+ certified and VeroCard also holds PCI-PTS certification (standards for PIN security), along with FIDO2.
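
As an added illustration (not VeroGuard's code and not part of the original article), the sketch below shows how a relying party could enforce two properties the passkey article above discusses, verified user presence and device-bound (non-synced) credentials, by inspecting the flags byte of WebAuthn authenticator data. The RP ID `login.example.com`, the function names and the sample bytes are constructed for the example; signature, challenge and origin checks are assumed to be performed separately.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the authenticator)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def policy_violations(raw: bytes, expected_rp_id: str,
                      require_device_bound: bool = True) -> list[str]:
    """Return the list of policy problems found; an empty list means accept."""
    data = parse_auth_data(raw)
    problems = []

    # The credential must be scoped to our relying party, not a look-alike.
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(data.rp_id_hash, expected):
        problems.append("rp_id_mismatch")

    if not data.flags & FLAG_UP:
        problems.append("user_not_present")
    if not data.flags & FLAG_UV:
        problems.append("user_not_verified")

    backup_eligible = bool(data.flags & FLAG_BE)
    backed_up = bool(data.flags & FLAG_BS)
    if backed_up and not backup_eligible:
        # "Backed up" without "backup eligible" is not a valid combination.
        problems.append("invalid_backup_flags")
    elif require_device_bound and backup_eligible:
        # High-assurance policy: refuse credentials that can leave the device.
        problems.append("backup_eligible")

    return problems


def make_sample(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed authenticator data for the demonstration below."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "login.example.com"  # assumed RP ID, for illustration only
    samples = {
        "hardware key, PIN verified": make_sample(rp, FLAG_UP | FLAG_UV),
        "synced passkey": make_sample(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS),
        "presence only": make_sample(rp, FLAG_UP),
    }
    for label, raw in samples.items():
        print(f"{label}: {policy_violations(raw, rp) or 'accept'}")
```
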
- CyberSecurity lessons from 2024
The economic impact from cybercrime continues to increase, and as we enter 2025 we thought it well worth reviewing the key cybersecurity observations and lessons from 2024. This series of articles will wrap up with an opinion about what we believe is the trend leading us into 2025.

Be more Proactive with Cyber Security

Observation 1: Surging Zero-Day Exploits

2024 has been a landmark year for cybersecurity, with a significant increase in the discovery and exploitation of zero-day vulnerabilities. These unpatched security flaws have become a primary tool for cybercriminals, posing serious challenges for cybersecurity teams. The volume of reported CVEs in 2024 should act as a reminder that no system is ever totally secure, and with some of the most impactful affecting FortiManager, Google Chrome and Windows, a large percentage of businesses globally were in the direct firing line. The evolving tactics and strategies of attackers suggest this line of attack is not going away.

Observation 2: Nation-State and Cybercrime Collaboration

Observation of several high-profile attacks has suggested a level of collaboration between nation-state actors and cybercriminals that is increasingly blurring the line between these actors. Nation-state sponsored attackers initially used zero-days in targeted attacks, which were then escalated to widespread exploitation to cover their tracks.

Lesson 1: You must have a proactive defence strategy

The best defence against cyber threats is awareness and preparation. Organisations must stay informed of emerging threats, maintain staff awareness training and prioritise the patching of weaponised CVEs. These actions, however, won't help much if the adversary is using valid stolen or created credentials. Therefore, the foundation of a proactive defence strategy must be to deploy the latest and strongest identity management system as your first priority.

Why is identity important?

Implementing strong identity verification can prevent unauthorised access even if a zero-day exploit is used. Implementing a phish-resistant MFA solution can significantly enhance security by ensuring that even if credentials are compromised, unauthorised access is prevented.

Resilience in the face of Ransomware

Observation 3: Ransomware attacks surge

A significant increase in ransomware attacks affecting various sectors, including healthcare, finance, and critical infrastructure, occurred in 2024. The top 5 confirmed attacks include Change Healthcare (US), LoanDepot (US), MediSecure (Aus), Izumi Co (Japan) and Evolve Bank & Trust (US), in which an estimated 140 million records were stolen. Aside from data theft, these attacks led to substantial service disruptions and financial losses.

Observation 4: Ransomware targeting service providers and supply chain networks

Ransomware attacks in 2024 highlighted the fragility of supply chains and business continuity. A cyberattack on the parent company of major US supermarket chains disrupted services across its entire network, impacting more than 2,000 stores for several days.

Observation 5: Cybercriminal "Whack-a-Mole"

While law enforcement efforts to combat ransomware gangs were able to disrupt the LockBit gang, which saw 34 servers seized, cryptocurrency accounts frozen, 1,000 decryption keys obtained and two individuals arrested, they were reportedly 'back on line' within 2 weeks. Furthermore, new ransomware groups like RansomHub have become prominent.

Lesson 2: Resilience in the Face of Ransomware

Limiting the spread is a critical factor in network resilience when faced with a ransomware attack. Backups, patching, antivirus/antimalware and EDR tools are all important, but as ransomware gangs target business disruption through attacking supply chains and service providers, network resilience is key. Implementing network segmentation can help limit the spread of ransomware by blocking common pathways and protecting the most valuable assets, which can significantly reduce the impact of a ransomware attack. More importantly, identity-based segmentation can help isolate compromised accounts and prevent lateral movement within the network.

Why is identity important?

Implementing strong identity verification can help ensure that only authorised personnel can access critical systems, reducing the risk of ransomware attacks. A phish-resistant MFA solution can help protect against ransomware by ensuring that only authorised personnel can access critical systems, reducing the risk of attacks spreading and building resiliency.

Critical Infrastructure needs an IT security focus

Observation 6: Attacks on Critical Infrastructure (CI) rise as IT system defences become stronger

Attacks on critical infrastructure reached new levels in 2024, so much so that the US Cybersecurity and Infrastructure Security Agency (CISA) issued a notice warning that US government-run water systems were at risk. Attackers shifted their focus to the more vulnerable systems like water processing plants and power grids, as they represent a much easier target. This is because there is often a lack of visibility into connected Operational Technology (OT) devices, making threat detection extremely difficult.

Observation 7: OT teams need to take more precautions when connecting devices online

One of the key issues is the fact that many CI operators continue to connect industrial tools to the internet to remotely manage them. Unlike IT (which has a relatively shorter life cycle), many industrial systems operate using legacy equipment that was never designed with cybersecurity in mind, leaving devices exposed to relatively unsophisticated methods such as the use of default passwords or brute force attacks.

Lesson 3: Critical Infrastructure needs an IT security focus

The time to invest in an "IT style" cybersecurity strategy for operational technology (OT) systems is now. This strategy needs to cover the systems in use and how they can be managed in a critical operations environment, as well as upskilling personnel, who are generally not IT professionals (who are more familiar with cyberattacks and the required defences). Collaboration between IT and OT teams will be crucial for securing these systems, using the lessons learned in traditional cybersecurity practice – especially around strong identity and access controls.

Why is identity important?

Implementing strong identity verification can help ensure that only authorised personnel can access critical systems. A phish-resistant MFA solution can help protect against unauthorised access, and strong managed hardware-based VPN connectivity can be used to prevent exposing devices themselves to the internet.

Phish-resistant MFA should be employed on every system and device

Observation 8: Phishing techniques will continue to grow in sophistication

Phishing was the leading attack vector in 2024, reportedly up 58% on 2023. Cybercriminals are employing increasingly sophisticated methods to deceive individuals, with AI now able to create more convincing and tailored messages to individual targets, increasing the likelihood of success. Expecting humans to be able to effectively discern the difference between an advanced AI-crafted email, online chat, phone or video deepfake call will soon become an inappropriate defensive tactic.

Observation 9: Proliferation of online tools

The number of phishing kits available on the dark web has apparently increased by 50% in 2024. These tools are now so advanced that even novice cybercriminals can effortlessly launch sophisticated campaigns and impersonate brands, governments, banks and service organisations. With success rates rising from 14% to 18%, attackers are clearly becoming adept at manipulating victims to bypass poor security.

Lesson 4: Phish Resistant MFA should be employed on every system and device

Humans will always be able to be manipulated, and therefore identity and authentication mechanisms must be phish-resistant. Second factor authentication systems should now be considered as providing no added security, and only phish-resistant MFA should be utilised (wherever possible using a separate purpose-built hardware authenticator).

Why is identity important?

Phishing has a single goal in mind – credential theft. Implementing a phish-resistant MFA solution will prevent your organisation from becoming another statistic and will significantly enhance your security posture by ensuring that even if credentials are compromised, unauthorised access is prevented.

Trends to expect in 2025

In this part of the article, we look ahead to the cybersecurity trends and challenges expected in 2025.

  - Continued Rise of Zero-Days: We predict the ongoing increase in zero-day vulnerabilities and exploits. Why? Simply put, software is complex (more than ever) and adversaries are now very focused on finding and exploiting software flaws.
  - Phish-resistant MFA will become the minimum standard: More organisations will deploy phish-resistant MFA; phone-based authentication apps will be widely breached.
  - Passkeys will be more widely adopted: However, enterprise and government will be slower to adopt due to legacy equipment and systems which are not passkey ready.
  - Account recovery processes will be targeted: Especially for passkey-protected accounts, attackers are now more likely to focus on finding weaknesses in account recovery and reset requests and pivot to phishing for recovery keys.
  - AI will be widely adopted by adversaries to be more targeted and efficient with their attacks: Emails, SMS, chats, phone calls and deepfake videos will be almost impossible for humans to discern as fakes.
  - Evolving Ransomware Tactics: Ransomware operators will target new sectors, such as service and supply chain organisations, seeking to disrupt operations as much as steal personal data.
  - Focus on Critical Infrastructure: Attackers see CI as a strategic and much softer target and will seek out any unprotected operational and edge devices.
  - More executive prosecution for cyber incidents: Litigation for cyber incidents will increase as tightened laws around liability of senior management take hold.
  - The Rise of Identity-Based Security: Traditional security measures like firewalls and VPNs are no longer sufficient. The focus of security for organisations will change to be on verifying and securing the identities of users and devices accessing systems.

Who is VeroGuard Systems?

VeroGuard is a leading digital identity technology company that understands the importance of a secure, verified and reusable identity in today's hybrid IT environments. The VeroGuard Platform provides our customers with a bank-to-bank level identity verification system and, when combined with our VeroCard, offers Next Generation Authentication solutions, where authentication is linked to identity verification with every authentication request. VeroGuard NFA can secure legacy authentication protocols and support the latest Cloud systems with passkeys – all with a phish-resistant and identity-aware overlay.

One more Trend for 2025

1. Next Generation Authentication will be the security foundation for all digital transformation.
- Passwordless Authentication
Introduction

Passwordless authentication remains an appealing, yet elusive, long-term goal for many organisations. The numerous implementation challenges – from legacy system compatibility to user adoption – can make it a complex and potentially expensive endeavour.

It is well recognised that password-related vulnerabilities remain the major threat to organisational security, and that human behaviour is a key underlying factor, with weak, compromised and reused passwords often a factor in the root causes of data breaches. These factors have driven some IT teams to continue the ongoing – and somewhat fruitless – cycle of enhancing password security policies in the belief that there remains no other viable option.

A successful implementation of passwordless authentication offers several potential benefits, including:

  - Enhanced security: By eliminating the need for users to create and remember complex credentials, passwordless authentication can significantly reduce the risk of breaches caused by human error.
  - Improved end user experience: Passwordless authentication is desirable from an end-user perspective. After all, who relishes the challenge of remembering multiple complex passwords across various accounts?
  - Reduced IT burden: Passwordless authentication promises to lighten IT teams' administrative load by:
    - decreasing password reset requests and related support tickets
    - removing constant password policy management
    - reducing expenditure on password hygiene tools and procedures

However, despite the ongoing efforts to establish an industry standard (FIDO2) and the release of a number of passwordless products, many challenges remain.

The challenges of going passwordless

Notwithstanding the significant benefits, the numerous challenges organisations face when considering a move to passwordless authentication can appear insurmountable, and depending on the industry, compliance and regulatory considerations also come into the mix.

  - Legacy system compatibility.
  - User adoption and training.
  - Backup authentication methods.
  - Biometric data privacy concerns.
  - Interoperability challenges.
  - Regulatory considerations.
  - Multiple solutions for different environments.
  - Hardware requirements.

Addressing the challenges

A complete passwordless authentication solution should:

  - Utilise next generation and phish-resistant MFA
  - Remove the burden of creating and remembering unique complex passwords
  - Remove user friction from layers of weaker authentication methods
  - Solve for every system and application
  - Support IT teams by reducing workloads and system maintenance / number of solutions supported
  - Reduce CISO concerns over compliance with password hygiene and related policy
  - Utilise a certified stand-alone hardware-based authenticator

VeroGuard Systems provides a passwordless authentication experience without the risks and costs associated with other approaches. In fact, the VeroGuard Platform can deliver significant savings to an organisation.

Challenge / VeroGuard Response

1. Legacy system compatibility
   Challenge: Many businesses rely on a mix of modern and legacy systems – some of which may not support passwordless authentication methods. Updating or replacing these systems can be costly and time-consuming, often requiring significant changes to existing infrastructure.
   VeroGuard response: The VeroGuard Platform works with legacy and modern systems, providing a common passwordless experience for all environments. This supports a managed transition whilst providing all the benefits of going passwordless without the complexity and cost.

2. User adoption and training
   Challenge: While passwordless methods may be intuitive to tech-savvy users, they can confuse others. Your organisation may need to invest in comprehensive training to ensure all employees can effectively use the new authentication system.
   VeroGuard response: The VeroCard interface uses a familiar PIN prompt and entry with a simple and familiar Bluetooth or NFC connection to any device. The authentication experience remains the same irrespective of the device, operating system or network.

3. Backup authentication methods
   Challenge: Even with passwordless primary authentication, most systems still require a backup method – which tends to be a traditional password. This means passwords don't truly disappear; they just become less visible, potentially leading to weaker security practices around these "hidden" passwords.
   VeroGuard response: With Active Directory, VeroGuard takes over the password management to effectively nullify this vulnerability, with a feature to also roll a password on each login, avoiding the threats of replay or similar attacks. VeroCards can contain password wallets, key management and other methods of secure access, all protected by a personal certified hardware security module. A number of secure backup options are available to support access policies.

4. Biometric data privacy concerns
   Challenge: Many passwordless solutions rely on biometric data, such as fingerprints or facial recognition. This raises important questions about data privacy and storage. Your organisation must carefully consider the legal (and ethical) implications of collecting and managing this type of sensitive information.
   VeroGuard response: VeroGuard does not use or rely on biometrics. Biometrics not only create concerns of privacy and ethics; biometrics, particularly when dependent on a smartphone for capture, vary in reliability and security. Biometric solutions vary in quality across devices, and deployment considerations must accept that any biometric is probabilistic by design and not deterministic, meaning that false positives are an accepted part of any biometric solution.

5. Hardware requirements
   Challenge: Some passwordless solutions require specific hardware, such as fingerprint readers or security keys. Equipping your organisation with these devices can be expensive, especially if you have a large or distributed workforce.
   VeroGuard response: VeroGuard provides a single hardware terminal for next generation phish-resistant authentication at a cost-effective price, with the added benefits provided by passwordless authentication and the broader VeroGuard platform.

6. Interoperability challenges
   Challenge: In environments where employees need to access multiple systems and applications, it can be tricky for your IT team to ensure seamless interoperability between different passwordless solutions.
   VeroGuard response: Because VeroGuard is a Platform, interoperability and integration challenges can be solved for legacy systems either at the host, hardware or client level, and VeroGuard supports the modern passwordless standards such as OAuth and FIDO2. Integration at any point does not change the common authentication user experience.

7. Regulatory considerations
   Challenge: Depending on your industry and location, your business may face regulatory requirements that impact your choice of authentication methods. Some regulations may mandate specific security measures or data protection practices that could influence your decision between passwordless and traditional password systems.
   VeroGuard response: VeroGuard is suitable for any regulated industry. Defence certified for use in sensitive high assurance environments, and equally suitable to business and enterprise alike.

VeroGuard

Organisations wanting to go passwordless without the challenges can deploy VeroGuard Platform today and start enjoying the benefits of secure, unified and universal authentication across the enterprise.
- Much has been written about the CrowdStrike outage that occurred last Friday afternoon. It is time for a different approach.
On Friday (July 19, 2024), CrowdStrike’s 'Falcon' product was sent an automatic remote content update for Microsoft Windows hosts (which it does on a regular basis). Unfortunately, the update had a defect. When uploaded, the defect triggered widescale failures of computers and systems with Microsoft operating systems that were online. This is being described as the largest IT outage in history.

How has this affected VeroGuard?

The VeroGuard Platform was not affected by the CrowdStrike-caused outage and has continued to operate normally. Our customers using the VeroGuard verification services continue to use our services without interruption. Customers whose PCs or laptops were impacted could nonetheless, during the period that their devices were compromised as they tried to find workarounds, continue to use VeroGuard without needing to worry about downstream attacks on their users’ credentials or IDs, because the VeroGuard Platform operates independently of other cloud services and remains vigilant even if a device is compromised.

A shift to stronger identity protection rather than reliance on detection models

CrowdStrike is embedded software detection that works with a computer’s operating system, essentially watching and assessing code to determine if a cyber threat is present. As each new variant of a threat is developed by an adversary, CrowdStrike must identify the threat and update their application. The VeroGuard Platform works 'out of band' as the guardian rather than the detector. As such, the VeroGuard Platform rarely needs updates, which typically are functional improvements and not a reaction to each new threat.

Fundamentally, the VeroGuard Platform is designed and built to defend the primary attack surfaces (over 95% of all attacks), which are identity and credentials. Regardless of the source or type of attack, VeroGuard will stop the adversary from gaining control or executing actions in a system or network. In practical terms, the majority of cyber breaches over the past two years either started with a credential breach or had lateral movement using credentials acquired inside the network after the breach.

An outage that raises many questions

CrowdStrike has said that the global outage was not caused by a cyber-attack, but by the release of a defective update. The big questions from journalists and industry experts have included:
• the nature, robustness and effectiveness of testing procedures for updates and patches on cloud systems;
• the risk of concentration of internet services, and the impact when one of them has a major outage;
• the potentially catastrophic impact of a mega cybersecurity breach to critical infrastructure and services; and
• is a global defect-caused outage better than a global cyber breach? (i.e. speed to deploy updates)

The World Economic Forum has stated that, in 2023, the economic impact from cybercrime was over US$8 trillion and, by 2027, the impact is forecast to rise to over US$24 trillion.

Time for a new approach

Given the clear, unprecedented impact of the CrowdStrike outage and the questions that it has raised around the design, robustness and assumptions underlying global IT infrastructure protection, it is clear that a new approach to cybersecurity is needed. The new approach needs to:
• improve organisations' and individuals’ security online from credential and ID compromise;
• not be largely dependent on centralised detection software and services that are clearly under increasing pressures and can cause major global disruptions to systems and networks when that pressure leads to mistakes;
• be able to operate in a distributed way like bank switches, whereby a single failure does not bring down multiple industries and geographies;
• protect identity and credentials at all times, regardless of the choice of environment (cloud, on-premise or hybrid) and the status of the applications, network and systems; and
• not result in widespread scamming each time a new incident occurs, by improving the verification of both parties in all high value transactions.

The VeroGuard Platform addresses these issues.

Originally published on LinkedIn 22 July 2024
- Chinese cameras: More than meets the eye
Published on Defence Connect 17 Feb 2023

Opinion: Recent national concerns about the risk of installed Chinese-manufactured security cameras at sensitive government sites have exposed the tip of an iceberg, explains cyber security and IT industry veteran Nic Nuske. The ensuing political debate also repeated the mistaken belief that Australia has no manufacturing capacity that delivers quality surveillance with no risk to data.

Let’s start with the government’s response of “remove the cameras” and “review their installation”. Removing Chinese-made cameras will eliminate manufactured threats in those devices. It is not going far enough, however, when it comes to addressing the cyber risks inherent to connecting any camera or device to the internet. Raising the profile of these serious threats to business and government warrants endorsement, first, to prevent declines in public confidence, and second, to encourage local solutions. Positive action to remediate or remove the cameras warrants applause. Replacing the cameras now is an important security action for Australia.

However, for the purposes of long-term strategies, it is critical to understand that threats embedded at the time of manufacture are not the only risks to cameras and other devices exposed to the internet. For example, Chinese hackers exploit more zero-day threats in devices made outside China than any other group. Cyber security weaknesses inherent to machines plague device and equipment manufacturers and are being regularly exploited by bad actors.

As we connect more and more devices to the internet in the name of productivity, efficiency, and mobility, we are witnessing an exponential increase in cyber threats and breaches that exploit device security irrespective of the place of manufacture. It is well documented that many devices (machines and sensors) have little or insufficient security to protect against increasingly sophisticated crime.

The Office of the Australian Information Commissioner reported last year that there were 853 notifiable data breaches in 2021–22. Around 20 per cent of those were in health service providers, followed by finance, legal and accounting, education and Australian government agencies. The list shows that data breaches have become ever-present with some jaw-dropping losses of data. The Australian Cyber Security Centre’s latest threat report shows the centre received more than 76,000 cyber crime reports in the 2022 financial year, up 13 per cent on the previous year. That’s one attack every seven minutes, on average. The cost of dealing with cyber attacks, as Optus and Medibank have discovered, is huge.

Video surveillance systems bring with them some extra challenges to cyber security, including an additional layer of abstraction (the visual layer); however, many of the cyber issues for machines are common to any device, machine, or sensor connecting with the internet. The possible risks embedded at the time of manufacture (intentional or not) can lead to and/or compound many other risks. The most common threats to devices exposed to online connections can be summarised as follows:
• Protection of passwords and credentials.
• Secure and timely updates and delivery of firmware and other patches to machines.
• Networks and protocols that don’t have robust, end-to-end hardware-based encryption.
• The use of mobile apps to access data and control devices.
• A lack of processing capacity in the device to perform effective encryption of communications.
• Emerging capability by organisations to identify and track all devices connected to their network, impacting deployment and management of cyber security to all endpoints.

When cameras and other devices, along with their control systems, connect to the internet, they become a “weak link” that can allow hackers to take control of the device and its functions and/or infiltrate an entire IT system. Yet it is inevitable that cameras, surveillance systems, and other devices will be connected to the internet at some time. AI and BI will rely on data gathering and exchange to be effective. Cloud services are changing the economics and dynamics for IT and OT systems.

One Australian company tackling these issues head-on is VeroGuard Systems, which has developed the world’s first identity and communications platform that utilises hardware security module (HSM) identity management and communications on open networks for any device or machine. The advanced, secure platform has been developed in Australia. Adding further to the company’s sovereign status is that it manufactures products at its Edinburgh, South Australia facility.

One of the products, VeroMod, is an HSM that can connect with any camera, device, or machine. VeroMods, operating with the certified VeroGuard platform, provide any machine with an ultra-secure digital ID. The solution delivers military-grade protection of the ID and verified zero-trust access to or from the connected machine. VeroMod also takes on the cryptographic workload for devices communicating at “secret” and above levels.

The company has also embedded an HSM into its Australian-built cameras. This eliminates any risks of breaches to the camera, its data, or systems, even when the connections are direct-to-the-internet. The company’s chairman and co-CEO, H Daniel Elbaum, says, “We have for the first time brought a technology to open networks that eliminates identity and security risks to any machine including surveillance systems”.

The company’s VeroMod and cameras connect to the VeroGuard platform, which has been certified Common Criteria for access on open networks by the Australian Cyber Security Centre and is a global one-of-a-kind.

Removing Chinese-made security cameras can eliminate their embedded threats; however, security vulnerabilities will continue to be uncovered in the peripheral connectivity, software VPNs, and even the devices themselves. These all represent significant attack surfaces for threat actors looking to exploit these systems and are urgently in need of actions to prevent the growing threats inherent to connecting machines to the internet. There is a solution, and it’s Australian made.
- ‘Everyone’ being impacted by ‘some sort of cybercrime’
VeroGuard Chief Executive Nic Nuske, interviewed on Sky News on April 27th 2024, says everyone is “being impacted” by “some sort of cybercrime”. “Either directly or someone they know,” Mr Nuske said.

On average, one cybercrime is reported every six minutes, with ransomware and breaches causing billions of dollars in damages to the Australian economy. “The estimates that we have from the analysts are telling us that there’s almost $US8 trillion worth of economic impact from cybercrimes every year. That’s anticipated to grow to $US23.8 trillion by 2027.”

Watch the full interview: https://www.skynews.com.au/australia-news/crime/everyone-being-impacted-by-some-sort-of-cybercrime/video/94051b10ab15ded93771428ffe190dc0
- Cyber attack prevention is better than a cure
Published on Asia Pacific Defence Reporter

Among spiralling cost of living pressures, and the threat of kinetic warfare in our region, millions of us have already been impacted by a silent and insidious form of attack – cyber, according to leading cyber security solutions provider VeroGuard Systems.

The unwavering onslaught to our personal privacy and information is unprecedented in its ferocity. Attacks on government agencies and businesses that we use every day, those that would do us harm know that data and online access is at the heart of our economic ecosystems. According to the Australian Signals Directorate, on average, one cybercrime is reported every six minutes – with ransomware and breaches causing billions of dollars damage to our economy every year.

In recent months, we have witnessed severe disruptions to our national economy and significant risk posed to our privacy through cyber-attacks. We’ve heard of the high-profile attacks like DP World, Optus, Medibank, and Telstra – yet hundreds go unreported. Rogue nations, groups and individuals are intent on testing Australia’s defence capabilities, to cause widespread disruption, chaos, and economic devastation. Our critical infrastructure is constantly being probed, and so are we… every Australian is in the scope of hackers – both directly and through disruptions to the services we rely on.

As threats become increasingly sophisticated, it is no longer adequate to just patch software, buy off-the-shelf detection software and switch on second factor authentication – we’re under attack, and an urgent uplift to our security infrastructure and standards is needed. A vulnerability to one is often a risk to us all. Government and industry leaders must urgently elevate our organisations’ cyber security postures to protect every Australian. Our organisations must lead in the requirement to adopt zero trust architecture if we are to become one of the world’s leading cyber countries by 2030.

The consequences if we lag are dire – businesses will stumble and often fold, trust in government institutions will deteriorate, our personal security and wellbeing will be affected, our society will be compromised. The economic impact from cyber-crime is expected to increase almost 300% to US$23.8 trillion by 2027, representing about 28% of global GDP, which is a direct loss of wealth, services, and investment for important projects.

There are significant economic advantages that may stem from our AUKUS agreement with the United Kingdom and United States. As a key enabler for our Defence capabilities, Australia is preparing for an unprecedented sharing of technologies and knowledge between allied nations. For this to be a success, any transfer must be shielded by a high level of trust and confidence that Australians will be good custodians of this sensitive information.

While we are firming up our standards across critical infrastructure like electricity, water, and telecommunications, we cannot shy away from the need to adopt higher standards across other recognised vulnerabilities, such as Defence’s supply chain partners – often made up of small businesses who lack the resources to protect themselves.

However, more broadly, who is looking out for the millions of Australians who are currently exposed? Given what is at stake, the actions by government and large industry have been unable to stem the tide. Primarily focusing on detection and remediation initiatives that are designed to react rather than defend is proving to be inadequate. Equally, changing habits and behaviours through education programs is worthwhile – but governments cannot outsource the problem to those that lack the knowledge and resources to solve the growing issue.

A belief that it is ok to compromise security for perceived convenience is counter-intuitive. There are few things more inconvenient than having to rebuild a person’s identity or try to run a hospital or airport without the systems on which we now depend. Governments must invest resources to roll out defence grade preventive mechanisms and build the cyber security infrastructures that underpin zero trust networks. Indeed, it is widely accepted that identity centric security is the bedrock of Zero Trust Architecture.

It is important to acknowledge the release of the Australian Government’s Cyber Strategy, efforts to uplift critical infrastructure standards and progress coordinating a country-wide digital identity framework. I also welcome the ambitious target to embed a zero-trust culture across the Australian Public Service to become a global cyber leader by 2030. It is also intended to achieve a consistency in cyber security standards across government, industry, and jurisdictions.

I commend the Australian Government for taking the initial steps to strengthen legislation and mandate the reporting of incidents. The Strategy provides much needed focus on weaknesses, especially educating businesses on the inherent risks. However, to achieve the zero-trust outcome, urgency is required on implementing measures that deliver non-repudiable identity verification online for everyone and greater focus on standards to protect remote access and privileged access management.

Simple actions now can lead to significant and enduring benefits across Australian communities, such as:
• Setting and policing rigorous cyber security standards across government and the private sector. Make these standards a pre-requisite for doing business with Government.
• Establishing a robust baseline for cyber security infrastructure that the whole country must comply with.
• Re-focusing government grants and investments to incubation programs within Government agencies that focus on sovereign solutions to provide an overall uplift to Australian capability.

I applaud the Albanese Government’s ambitious plan to boost domestic manufacturing and progress to a ‘Future Made in Australia Act.’ The immediate priority must be building sovereign capabilities that reinforce our national security including cyber-attack prevention. Preference must be given to innovative solutions made locally through pilot programs and meaningful contracts. This is a model that has worked with tangible results in countries such as Estonia, France, the United Kingdom, and the United States.

It’s clear that the government agencies tasked with protecting us are challenged by the increasingly sophisticated threat environment. Adversaries’ attacks are buoyed by AI and the development of quantum technologies and an increasing intent to inflict damage on Australia’s economy and communities; we’re seeing the rate and sophistication of attacks continue to escalate and no sector is safe.

The economics and current trends are irrefutable, so corporate and political decision makers must carry the responsibility to invest in areas that effectively do a better job of protecting Australians online and our future economic prosperity. Adopting Defence certified preventative solutions across the country is achievable and affordable. There are Australian owned and manufactured options – we should use them.

If Australia is to achieve its ambition to be a cyber security world leader by 2030, it must move now to implement policy and funding changes that enable local capabilities to foster and transition away from legacy systems with improved confidence in the security of using the Cloud and connected networks. Until we do, cybercriminals will continue to view Australia as an attractive target, and why wouldn’t they when it continues to be a low cost and high pay off activity?

Much smaller nations than Australia have shown us how an efficient and targeted use of resources, combined with the political will, can deliver effective uplifts to cyber security capability and solutions. Now is the time for our political and industry leaders to step up and use world leading Australian solutions to achieve their and everyone’s objective of being more secure online.
- Critical Cyber Security for IoT in Transport and Logistics
IoT ecosystems are replacing legacy telematics solutions to help solve some of the most critical problems commercial fleets face today. In fact, digital transformation in Transport and Logistics (T&L) has significantly improved upstream and downstream facets across the entire industry and created unprecedented efficiencies. However for T&L companies, major corporate assets are both connected online and constantly on the move, shifting the organisations security perimeter to the fleet asset – a distinct differentiator from many other industries going through the same digitalisation process – and exposing organisations to a greater extent to the potential of cyberattack. There are multiple reasons for the increased threat. For one, the expanded use of technology, which opens new communications and wireless channels that are connected directly to T&L companies’ digital ecosystems, is a soft target for hackers. Another is the fact that T&L suffers from lagging cyber regulations and standards, inadequate cybersecurity awareness – the impact heightened by a shortage of cyber-defence talent. Although other aspects of the T&L industry are highly regulated in many regions, and despite the sector’s global operations (or perhaps because of them) regulators have not been able to agree on a set of suitable T&L cybersecurity standards. Threats Are on the Rise The number of attacks involving OT has continued to increase since 2021 Malware is emerging with targeted functionality and ease of deployment. More Vulnerabilities Vulnerabilities disclosed in OT systems continues to grow. Risk is heightened by the constant use of open networks and the need to patch ‘over the air’. Specialised Security Skills in Short Supply Skills shortages has made it clear that developing an effective security strategy that spans IT, OT and IoT environments is complex. Lack of Regulations and Frameworks Cyber security standards are lagging behind other industries. 
Further, as many of the devices and sensors on connected vehicles are similar to those deployed in other operational industries – commonly termed Operation Technology (OT) – T&L is not immune from the numerous cybersecurity issues plaguing OT across manufacturing, energy and utilities. The impact of a cyberattack can be costly and disruptive to operations, and has the potential to create further liability, particularly when sensitive customer data is breached. The more connected systems become, the larger the respective attack surface becomes and the more attractive they become as targets for cyberattacks. In 2022 we have seen international cyber security agencies (including Australia) issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of new OT specific malware, as well as the disclosure of a growing list of OT vulnerabilities. A different approach is required to combat these persistent and growing threats. VeroGuard’s technology maintains network integrity for any devices when connected to open networks. Providing un-phishable MFA for access to networks and devices and strong post quantum level data encryption for device communications, T&L companies can continue to accelerate digital transformation plans by providing a certified virtual airgap between the fleet asset and open internet connectivity. VeroGuard is the only platform worldwide to have Common Criteria certification for access on open networks, meaning it has been verified by the Australian Cyber Security Centre (ACSC) for use in Defence and other government departments with high assurance requirements for online access. Background The T&L industry continues to face an expanding cyber threat landscape which presents a substantial challenge to operations. 
While some industry participants have been working to develop standard practices to bolster cybersecurity among carriers, mechanics and truck manufacturers, there remains a significant gap between proposed standards and any implementation – especially when considering existing fleets. Moreover, hackers are increasingly attempting to steal data stored in networks that are critical to the T&L industry’s modernisation and growth. These networks enable digital improvements like automated ordering, shipment tracking, and access to account information. While extremely valuable, such customer initiatives require access via online platforms, phone apps, and other mobile devices, which are among the most insecure channels. But the threat goes beyond data and information. With trucks becoming more modernised, it’s possible to hijack certain processes within them. A study by the University of Michigan highlights the alarming possibilities. Researchers were able to hack into a vehicle’s diagnostic port, manipulate the readouts from the instrument panel, force the truck to accelerate, and even disable part of the truck’s braking system. There’s a sensor for that It is common for organisations to track the location of their fleets, and now also the real-time performance of their trucks and drivers. The average truck today is connected to a huge number of devices generating the data needed for logistics companies to run smarter and more efficiently. While this translates directly to cost savings, better governance and OH&S outcomes, the downside to this is that it has exposed a series of technology shortcomings and made the industry extremely vulnerable to cyberattacks. Every sector of the industry—including maritime, rail, trucking, logistics providers, and package deliverers—is affected. 
Complicating matters further, “insecurity by design” remains very relevant in OT and IoT systems, which is why a shift in security infrastructure to account for open network connectivity and all the variables it presents is so necessary. Insecure by design vulnerabilities abound evidenced by a recent investigation by Vedere Labs which found 56 vulnerabilities affecting 10 major vendors. Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of devices, bypass authentication, compromise credentials, cause denials of service or have a range of operational impacts. While the devices in this study are not focussed on T&L it is not hard to see how a small change in focus for cybercriminals could lead to similar attacks focussed on this sector. It is not appropriate to simply embrace the cybersecurity operations from existing IT practices. While IT network and operating system patching and identity management practices are well established, the ability to manage fleet devices and systems in the same manner is not as straight forward. The T&L industry is faced with the need to continue with the rapid adoption of digital transformation and cloud computing to maintain competitiveness in an ever more challenging market. This represents a step change in work practices for the sector, in that trucks and onboard sensors were never originally deigned to be connected to the internet, and new models for cyber security are required. Some of the key mitigation strategies (aside from patching, monitoring, training and awareness – these are all “after the fact” activities and not prevention) in every advisory are to: 1. Require multi-factor authentication for all access 2. 
Implement and ensure robust network segmentation between fleet assets and corporate networks to limit the ability of malicious cyber actors to pivot from a compromised supply chain to the fleet asset and potentially to your IT network. 3. Implement strong machine identity and encrypted communications for connected fleet assets over open networks. It is important to note that without strong Identity and Access management control over any additional tools, the criminals will find a way through. This is on ongoing occurrence online with bad actors simply bypassing second factor authentication (2fa) and detection software. There have been attacks where 2fa applications and VPN’s themselves were used as the vectors for successful breaches . A New Approach The VeroGuard Platform offers a unique solution to securing connected environments, by providing secure Identity and Access Management controls, virtual network separation, data encryption and flow control. VeroGuard’s products have Common Criteria (CC) certification (defence level security) and can be quickly and cost effectively deployed to legacy, new and hybrid environments. The platform was specifically designed for protecting identity, access and data on the open internet and works by inserting an HSM between the device being accessed and the network connectivity delivering an impenetrable defensive layer for online protection. When initiating connectivity, the inline HSM must connect to and verify itself with the platform HSM, which then creates a secure encrypted tunnel using hardware derived keys and encryption protocols for data flows and any user verification needs. HSM-to-HSM verification and communication is not new – however until now they have been expensive and limited to terrestrial connection. Two-way HSMs are utilised in banking (e.g.: ATM’s, Eftpos) and military systems around the globe for securing critical communications. 
Typically, the technology is used in guided missile control where it is crucial that command messages cannot be decrypted, or the command plane hijacked. VeroGuard brings this mutual two-way hardware verification for use in OT environments, at scale and without the high cost. Multifactor Authentication For all access points on any device Humans via VeroCard Machines Via VeroMod Robust Segmentation Virtual Air Gap – only encrypted communications initiated by HSM-to-HSM Other network traffic can not route past VeroMod Can only be accessed by via VeroCard authentication Secure Communications Data Diode - VeroMod only communicates to predetermined IP address via encrypted communications Jump Box – users and devices must be able to authenticate to the VeroMod before passing on to the device or network Form factors include the VeroCard HSM for humans, and the VeroMod HSM for machines/devices. The VeroCard HSM enables users to be verified to access networks, applications and devices authenticating via the combination of the specific users VeroCard and their secret PIN. Every login attempt is verified by the secure connection back to the VeroGuard Platform. The VeroMod IoT Shield is a commoditised Hardware security module (HSM) which connects inline and creates a “virtual air gap” between the device and any connectivity. VeroMod IoT Shield brings HSM-to-HSM technology for verification and encryption to any device. This guarantees access requests to and from all machines and provides the highest level of encryption to all data in transit. VeroGuard is unmatched for security and scalability as the only online platform that always uses HSM-to-HSM protection time after time, for identity verification, communications, data integrity and switching services. The rapid adoption of technology presents universal concerns for service providers: Increased digital services/devices and interconnectivity between systems means an increased attack surface for cybercrime. 
  - Rapid rise in data volumes, flows and complexity of management means increased opportunities for identity breaches.
  - Transitioning from legacy systems and navigating the complexity of hybrid environments.
  - Complex layers for identity and security become more costly with many mixed environments.
  - Expansion of stakeholders and associated integration requirements (suppliers, citizens, 3rd party providers, businesses).

VeroGuard Systems offers a solution that begins with indisputable proof of identity for all online and digital communications. It is the only platform available anywhere in the world that can guarantee defence certified identification security for both people and machines.

By providing host connections into the VeroGuard platform, the VeroMod effectively provides point-to-point connection over open networks. User access is provided with permission verified by the VeroGuard platform before being able to access networks, devices and data. Machine to machine connections are verified in the same way with the digital identity provided by the VeroMod.

All VeroGuard HSM-to-HSM connections are protected using elliptic-curve Diffie–Hellman encryption set for post quantum protection, with a DUKPT (Derived Unique Key Per Transaction) key management protocol, meaning that the keys are derived within the HSM and there is no possibility of the keys being intercepted or stolen. Each time a connection is initiated, a new set of encryption keys is generated.

There is an opportunity to harness this technology now and build a safe and secure digital ecosystem for T&L companies, their suppliers and contractors.

How can this technology be harnessed to benefit the Transport & Logistics Industry?

Credential compromises remain one of the largest reasons for breaches of systems, as well as one of the most easily preventable with the appropriate system infrastructure.
The next generation of IoT systems must be designed with identity and data security at their core – but changing out infrastructure is costly and slow.

To stay ahead of the curve and defend against the threats outlined in the introduction, the next generation of T&L system architecture must include:
  - A unified platform to reduce the complexity of layers of technology built up over decades
  - A cybersecurity platform architecture that is identity centric - purpose built for protection over open networks
  - A digital identity that is robust, tethered to the user, re-usable in many places and can’t be tampered with
  - Machine/human identity and communications that cannot be breached or compromised
  - A solution that can be readily retro-fitted to existing networks and fleet assets
  - An identity layer that facilitates hyper convergence of IT and IoT functions to simplify and reduce costs rather than duplicating across networks and participants
  - Privacy controls and low friction interfaces for users

Essentially, once deployed, VeroGuard creates a virtual airgap for your fleet asset environment. Access is controlled via the irrefutable identity provided by the platform, and communications from devices or nodes are encrypted via the impenetrable security of the HSM-to-HSM technology core to the success of the Platform.

VeroGuard Systems is the next generation of platform to secure connected systems, machines and data. The VeroGuard Platform practically ELIMINATES credential and identity compromise on open networks to act as the core of any zero-trust deployment. Any company migrating to the Cloud, connecting OT and IT networks, wanting to exploit open networks for machine communications, or looking to secure their supply chain should assess the VeroGuard Platform.
- A global centre in cyber and defence
When most people hear the words “Adelaide” and “defence” in the same sentence, they probably think of the big naval shipbuilding programs that produce submarines and surface warships; or perhaps, more unkindly, of this year’s defensive porosity that brought the Adelaide Crows the club’s first AFL “wooden spoon”.

But there are two other dedicated defence-industry precincts besides the naval shipyard at Osborne — the national defence research, manufacturing and sustainment hub around the RAAF Base at Edinburgh, and Technology Park Adelaide. Both are backed by the capabilities of the Lot Fourteen ideas and innovation neighbourhood in Adelaide’s CBD, and the Tonsley Innovation District.

With the critical mass of defence industry that Adelaide has developed, there is a roll call of some of the biggest global names in defence, including BAE Systems, Boeing, General Dynamics, Lockheed Martin, L3Harris, Northrop Grumman, Raytheon and Saab Systems. But underneath this is a myriad of small to medium-sized enterprises (SMEs) that have upskilled into the defence world. And with the growth of the defence industry, the cyber industry has burgeoned too, as defence supply chains require cyber-resilience.

Defence SA, South Australia’s lead government agency for all defence matters, recognises that the two go hand-in-hand: chief executive Richard Price says, “South Australia is emerging as a global centre in the cyber and defence industries, which are some of our fastest-growing industries”.

‘We had very generous subsidy offers from NSW.
But at the end of the day, a lot of the expertise we needed was already in Adelaide’

Philippe Odouard, chief executive of the ASX-listed ballistic protection and security products manufacturer XTEK, says Adelaide’s “critical mass” in hi-tech, defence-related industries was a major reason why the company chose the city for its manufacturing facility, which uses its proprietary XTclave composite materials curing and consolidation technology to make thermoset and thermoplastic composite materials.

Opened in February, the Adelaide plant makes structural composite products that go into personal armour and helmets, lightweight tactical and human load carriage equipment, robotic mechanical systems and unmanned craft. Last month, XTEK delivered its first export order, a shipment of body-armour plates to the Finnish Defence Force (FDF). The company is also leveraging its Adelaide location to enter the burgeoning Australian space sector, working on composite materials suitable for nanosatellites, for the space industry.

Like any investment decision, choosing a manufacturing site is “a convergence of a number of factors”, Odouard says. “We had a choice between the Canberra area, which is where our head office is, and Adelaide, where we have our R&D centre. We had very generous subsidy offers from NSW. But at the end of the day, a lot of the expertise we needed was already in Adelaide.”

In particular, says Odouard, the skills in the city’s subcontractor sector stood out to XTEK. “A lot of the firms that were subcontracting to the car industry went up-market to service the defence industry, they really upskilled, which is great for us, because we’re working in an area that is quite new,” he says.
“The presence in terms of composites manufacturing in Adelaide is actually very small, but we’ve found very highly skilled people, we can get bespoke things done, and a real receptiveness in terms of being more innovative and working on things that are probably more value-added, in smaller quantities.

“We need high skills rather than the capacity to do large quantities, so definitely, that upskilling is a benefit to us.”

The CEO of Melbourne-based cybersecurity company VeroGuard Systems chose Adelaide for the firm’s advanced manufacturing facility, which will make hardware security modules for digital identity and secure payments, making possible the ultra-secure authentication, encryption and communications at both ends of every online transaction.

VeroGuard announced its hi-tech, purpose-built manufacturing plant, at Edinburgh, in November 2017, began building it in 2018, and has made its first production “cards” there this year. With several siting alternatives on the table, VeroGuard chose Adelaide — and the crucial reason was the base of manufacturing workers, VeroGuard said.

“We want to create a culture of quality and perfection and the number of former automotive industry workers here in Adelaide is a massive advantage,” he says. “The South Australian automotive manufacturing industry was known for its high-quality, lean methodologies and virtually zero error-rates, and you can’t buy that expertise when you’re looking to start up a whole new business.

“Auto workers’ ability to run supply chains and just-in-time processes is highly valuable to us, particularly as we scale up. They are a perfect fit for VeroGuard.

“The whole advanced manufacturing and technology ecosystem and pool of skills are well aligned to our needs and priorities as a core centre for delivering on our strategy.
“Advanced manufacturing for us is extremely well developed in South Australia and there were a lot of highly skilled people, as well as very passionate people around delivering what we needed, in this location.”

Both government and industry in SA have been highly supportive of new industry, the CEO says. “Our experience has been outstanding,” he explains. “The key individuals we met across business, government and research were passionate about the success of South Australia on the global stage, and taking a leadership position in the new economy, as evidenced by the proactive and integrated approach by the state in initiatives such as Smart Cities, autonomous vehicle industry and defence programs.

“We’ve also encountered a vibrant business community with entrepreneurial flair, reinforced as we engage with class-leading local companies such as Morton Blacketer, YourDC and CashFlowManager.”

Although just 15 employees work at VeroGuard at present, the company says it will require almost 600 people at its Edinburgh facility as it ramps up towards full production.

The physical location is also a big plus. “In Edinburgh, we are right in the centre of the defence programs, and as a developer of security products it’s really critical that we have an ecosystem around us that reflects us.”

James Dunn - 12 November 2020
Source: https://www.theaustralian.com.au/special-reports/south-australia-is-emerging-as-a-global-centre-in-cyber-and-defence
- Cyber Security for Critical Infrastructure – Roads and Transport
Provision of core transport infrastructure in major cities has evolved from simply building and maintaining roads into managing entire transport networks. Major arterial roads incorporate significant public assets, such as tunnels, bridges and interchanges, which necessitate control and oversight over an even broader range of assets to ensure traffic flow remains safe, reliable and efficient for all road users.

For any organisation to be able to provide this level of supervision of these networks, there must be a significant investment in technology and, toll collection aside, an immense network of devices, sensors, communications systems, signage and other equipment that is all linked back to central control rooms.

The complexity of managing efficient traffic flow on a major road network, which can include bus lanes as well as cycling and walking paths, will continue to grow with the number of vehicles on the road, as interactions, incidents, closures and major events can all impact use and flow. Tools used by organisations to manage this include variable speed signs, lane management and incident recovery teams, all of which can be triggered remotely through decisions made via observing CCTV and other traffic flow data.

Further to the technology currently in use, the future prospect of connected autonomous vehicles (CAVs) will see these vehicles interact with the infrastructure itself, with data on traffic flow and incidents being fed to the vehicles, as well as the possibility of telematics from the vehicles themselves being fed back to the road operator.

Each and every one of these devices and communications systems is, therefore, a component of Critical Infrastructure (CI). Any part of that CI being compromised, leading to roads being degraded or rendered unavailable for an extended period, could lead to massive disruptions and potential gridlock across cities.
With every new device connecting to any system, the attack surface available to nefarious actors grows.

There are multiple reasons for the increased threats. Firstly, the Operational Technology (OT) in use is not immune from the numerous cybersecurity issues plaguing these devices across manufacturing, energy and utilities. Secondly, it is difficult to apply patches to equipment required for 24 hour operating environments, leading to the potential for exploits to remain unpatched for longer. Thirdly, there is a significant lack of available cybersecurity talent, especially those skilled across all of the IT, OT and IoT environments.

In 2022 and 2023, we saw international cyber security agencies (including Australia) issuing multiple alerts about malicious Russian cyber operations and potential attacks on CI, the discovery of new OT specific malware, as well as the disclosure of a growing list of OT vulnerabilities.

Threats Are on the Rise
  - The number of attacks involving OT has continued to increase since 2021.
  - Malware is emerging with targeted functionality and ease of deployment.
More Vulnerabilities
  - Vulnerabilities disclosed in OT systems continue to grow.
  - Risk is heightened by the use of open networks and the need to patch ‘over the air’.
Specialised Security Skills in Short Supply
  - Skills shortages have made it clear that developing an effective security strategy that spans IT, OT and IoT environments is complex.

A different approach is required to combat these persistent and growing threats.

VeroGuard Systems’ technology maintains network integrity for any devices when connected to open networks. With un-phishable MFA for access to networks and devices and strong post quantum level data encryption for device communications, organisations can implement a certified virtual airgap between field asset and open internet connectivity.
The VeroGuard Platform is the only platform worldwide to have Common Criteria certification for access on open networks, meaning it has been verified by the Australian Cyber Security Centre (ACSC) for use in Defence and other government departments with high assurance requirements for online access.

Background

CI continues to face an expanding cyber threat landscape which presents a substantial challenge to operations. Governments have mandated controls for cyber across the CI landscape and have continued to broaden the definitions of industries and systems included under the CI banner. With several recent high-profile hacks on the sector, including the Colonial Pipeline in the US and, locally, Optus and DP World, CI operators should be continually evaluating their strategies and technology stacks used to prevent digital incursions.

The ACSC recently released a report stating that “state-sponsored cyber groups and hackers have increased assaults on Australia's critical infrastructure … adding that its new defence agreement with Britain and the U.S. had likely made it more of a target”.

While Australia is not alone in being targeted, our large land mass and distributed workforce make a strong case for removing airgap controls and enabling remote access – potentially opening the door for malicious actors. Complicating matters further, “insecurity by design” remains very relevant in OT and IoT systems, which is why a shift in security infrastructure to account for open network connectivity and all the variables it presents is so necessary.

Insecure by design vulnerabilities abound, as evidenced by a recent investigation by Vedere Labs which found 56 vulnerabilities affecting 10 major vendors. Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of devices, bypass authentication, compromise credentials, cause denials of service or have a range of operational impacts.
In a closely related sector, a study by the University of Michigan highlights the alarming possibilities for attacks against vehicles - proving that it’s possible to hijack certain processes within modern trucks. Researchers were able to hack into a diagnostic port, manipulate the readouts from the instrument panel, force the truck to accelerate and even disable part of the truck’s braking system.

Analysis by threat hunters at Mandiant of the October 2023 Ukrainian Power station attack showed that a pair of previously undocumented OT attacks were used to cause the power outage, highlighting the difficulty of maintaining protection on OT devices when vulnerabilities are continually being discovered and weaponised by nation-states.

It is not appropriate to simply embrace the cybersecurity operations from existing IT practices. While IT network and operating system patching and identity management practices are well established, the ability to manage OT devices and systems in the same manner is not as straightforward. Many OT devices deployed in CI systems were never originally designed to be connected to the internet and new models for cybersecurity are required.

Some of the key mitigation strategies recommended in every advisory (aside from patching, monitoring, training and awareness – these are all “after the fact” activities and not prevention) are to:
  - require multi-factor authentication for all access (system, PCs, devices, networks);
  - implement and ensure robust network segmentation between OT assets and corporate networks to limit the ability of malicious cyber actors to pivot from a compromised asset and, potentially, to an IT network; and
  - implement strong machine identity and encrypted communications for connected assets over open networks.

It is important to note that without strong Identity and Access Management (IAM) control over any additional tools, the criminals will find a way through.
This is an ongoing occurrence online, with bad actors simply bypassing second factor authentication (2fa) and detection software. There have been attacks where 2fa applications and VPNs themselves were used as the vectors for successful breaches.

Defending against current and emerging threats

The rapid adoption of technology presents universal concerns for service providers:
  - Increased digital services/devices and interconnectivity between systems means an increased attack surface for cybercrime.
  - Rapid rise in data volumes, flows and complexity of management means increased opportunities for identity breaches.
  - Transitioning from legacy systems and navigating the complexity of hybrid environments.
  - Complex layers for identity and security become more costly with many mixed environments.
  - Expansion of stakeholders and associated integration requirements (suppliers, citizens, third party providers, businesses).

Credential compromises remain one of the largest reasons for breaches of systems, as well as one of the most easily preventable with the appropriate system infrastructure. The next generation of IoT systems must be designed with identity and data security at their core – but changing out infrastructure is costly and slow.
To stay ahead of the curve and defend against the threats outlined in the introduction, the next generation of CI system architecture must include:
  - a unified platform to reduce the complexity of layers of technology built up over decades;
  - a cybersecurity platform architecture that is identity centric - purpose built for protection over open networks;
  - a digital identity that is robust, tethered to the user, re-usable in many places and can’t be tampered with;
  - machine/human identity and communications that cannot be breached or compromised;
  - a solution that can be readily retro-fitted to existing networks and company assets;
  - an identity layer that facilitates hyper convergence of IT and IoT functions to simplify and reduce costs rather than duplicating across networks and participants; and
  - privacy controls and low friction interfaces for users.

The VeroGuard Platform
Critical Infrastructure Security – a significantly better approach

The VeroGuard Platform offers a unique solution to securing connected environments by providing secure IAM controls, virtual network separation, data encryption and flow control. VeroGuard Systems’ products have Common Criteria (CC) certification (defence level security) and can be quickly and cost effectively deployed to legacy, new and hybrid environments.

The VeroGuard Platform was specifically designed for protecting identity, access and data on the open internet and works by inserting a Hardware Security Module (HSM) between the device being accessed and the network connectivity, delivering an impenetrable defensive layer for online protection. When initiating connectivity, the inline HSM must connect to and verify itself with the VeroGuard Platform HSM, which then creates a secure encrypted tunnel using hardware derived keys and encryption protocols for data flows and any user verification needs.

HSM-to-HSM verification and communication is not new – however, until now, this has been expensive and limited to terrestrial connection.
Two-way HSMs are utilised in banking (e.g. ATMs, eftpos) and military systems around the globe for securing critical communications. Typically, the technology is used in guided missile control where it is crucial that command messages cannot be decrypted or the command plane hijacked. The VeroGuard Platform brings this mutual two-way hardware verification for use in OT environments, at scale and without the high cost.

Form factors used on the VeroGuard Platform include the VeroCard HSM (for humans) and the VeroMod IoT Shield (for machines/devices).

The VeroCard HSM enables human users to be verified to access networks, applications and devices by authenticating the human via a combination of the specific user’s VeroCard and the user’s secret PIN. Every login attempt is verified by the secure connection back to the VeroGuard Platform.

The VeroMod IoT Shield is a commoditised HSM which connects inline and creates a “virtual airgap” between the device and any connectivity. The VeroMod IoT Shield brings HSM-to-HSM technology for verification and encryption to any device, guaranteeing access requests to and from all machines and providing the highest level of encryption to all data in transit.

The VeroGuard Platform is unmatched for security and scalability as the only online platform that always uses HSM-to-HSM protection time after time, for identity verification, communications, data integrity and switching services.
Multifactor Authentication
  - For all access points on any device
  - Humans via VeroCard
  - Machines via VeroMod
Robust Segmentation
  - Virtual Air Gap – only encrypted communications initiated by HSM-to-HSM
  - Other network traffic cannot route past VeroMod
  - Can only be accessed via VeroCard authentication
Secure Communications
  - Data Diode - VeroMod only communicates to predetermined IP address via encrypted communications
  - Jump Box – users and devices must be able to authenticate to the VeroMod before passing on to the device or network

The VeroGuard Platform offers a solution for organisations operating roads and transport CI that begins with indisputable proof of identity for all online and digital communications. The VeroGuard Platform is the only platform available anywhere in the world that can guarantee defence certified identification security for both people and machines over open networks.

How does the VeroGuard Platform do this?

The VeroGuard Platform does this as follows:
  - by using VeroMods to provide host connections into the VeroGuard Platform, effectively providing point-to-point connection over open networks;
  - user access is provided with permission verified by the VeroGuard Platform before a user is able to access networks, devices and data;
  - machine to machine connections are verified in the same way with the digital identity provided by the VeroMod;
  - all VeroGuard HSM-to-HSM connections are protected using elliptic-curve Diffie–Hellman encryption set for post quantum protection, with a DUKPT (Derived Unique Key Per Transaction) key management protocol, meaning that the keys are derived within the HSM and there is no possibility of the keys being intercepted or stolen; and
  - each time a connection is initiated, a new set of encryption keys is generated.

Essentially, once deployed, the VeroGuard Platform creates a virtual airgap for a connected asset environment.
Access is controlled via the irrefutable identity provided by the platform and communications from devices or nodes are encrypted via the impenetrable security of the HSM-to-HSM technology core to the success of the platform.

The VeroGuard Platform is the next generation of platform to secure connected systems, machines and data. The VeroGuard Platform ELIMINATES credential and identity compromise on open networks to act as the core of any zero-trust deployment. Any company migrating to the Cloud, connecting OT and IT networks, wanting to exploit open networks for machine communications or looking to secure their supply chain should assess the VeroGuard Platform.

There is an opportunity to harness the VeroGuard Platform now to build a safe and secure digital ecosystem for CI companies internally, as well as for its infrastructure and for each of its suppliers, contractors and users.










