In an increasingly virtualised world, how can IT be secured in the context of 5G?

CTO of Utimaco

Government platforms are employed in Singapore to link everything for its citizens. This includes essential infrastructure like smart meters that communicate energy use and possibly also communicate if you know you have families who may use solar panels to feed electricity into the grid, which is a relatively new phenomenon, so networks must be able to handle that. Energy grids used to function in a fashion where everyone consumed energy, with the exception of certain central power generation. However, this is completely changing now that power generation is decentralized, and in order to keep the network balanced and secure, you need this type of infrastructure. And this is something that Utimaco also sees as a global use case.

GovWare Conference and Exhibition, Asia Pacific’s premier cybersecurity event, returned in person on 18-20 October 2022 at Sands Expo and Convention Centre, Singapore, where Utimaco shared insights on the latest cybersecurity issues and trends, technology and policy developments, strategies and best practices. CIO World Asia spoke with Nils Gerhardt, CTO of Utimaco, to learn more about the hardware security modules, key management solutions, data protection and identity management, and data intelligence solutions for regulated critical infrastructures discussed during his panel.

Cybersecurity is at the forefront of many companies’ priorities today

Today, most of what we do is dependent on data, which is available within the organization itself as opposed to the past when it was only on-site. However, with the addition of the cloud, it is now mobile, which is why businesses need to worry more and more about security since they can stop anything from entering their organization. Businesses once had the technology to air-gap their production, but this is no longer an option. You must connect to the cloud in order to properly use modern technologies and the data.

The first step is to recognize the data you own and the level of protection required for it. The classification process is crucial because without knowing how long you must secure your data, you cannot select the appropriate safeguard. The other issue is that, like password managers, IT teams have a lot of items flying around, including keys, key material, certificates, and so on. Everyone has probably used a password manager before, similar to how our phones alert us when we use the same password on multiple websites. And you perform the same actions on the key and certificate sides. You need to understand the expiration dates when you need to renew things – getting this in control would be one of the big priorities in the future.
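The inventory discipline described above (knowing each credential's expiry date and spotting key material reused across services, the key-side analogue of a reused-password warning) as an added example; this is illustrative code, not Utimaco's or any product's, and the record fields, renewal lead times and fingerprints are assumed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Credential:
    # One inventory entry; the fields are an assumed schema, not a product's.
    name: str             # service or endpoint that uses the credential
    kind: str             # e.g. "tls-cert", "code-signing-key"
    fingerprint: str      # fingerprint of the underlying key (constructed values below)
    not_after: date       # notAfter for certificates, policy end-of-life for keys
    data_class: str       # protection class of the data the credential guards

# Assumed renewal policy: the more sensitive the data, the earlier renewal must start.
RENEWAL_LEAD_DAYS = {"restricted": 60, "internal": 30, "public": 14}
DEFAULT_LEAD_DAYS = 30

def renewal_status(cred: Credential, today: date) -> str:
    """Classify a credential as 'expired', 'renew-now' or 'ok' relative to today."""
    remaining = (cred.not_after - today).days
    if remaining < 0:
        return "expired"
    lead = RENEWAL_LEAD_DAYS.get(cred.data_class, DEFAULT_LEAD_DAYS)
    return "renew-now" if remaining <= lead else "ok"

def shared_keys(inventory) -> dict:
    """Return {fingerprint: [names]} for every key used by more than one service."""
    users = defaultdict(list)
    for cred in inventory:
        users[cred.fingerprint].append(cred.name)
    return {fp: names for fp, names in users.items() if len(names) > 1}

def audit(inventory, today: date) -> dict:
    """Produce the renewal worklist and the key-reuse findings for an inventory."""
    return {
        "status": {cred.name: renewal_status(cred, today) for cred in inventory},
        "shared_keys": shared_keys(inventory),
    }

# Constructed sample inventory; names and fingerprints are illustrative only.
SAMPLE_INVENTORY = [
    Credential("payments-api", "tls-cert", "fp-aaaa", date(2023, 1, 15), "restricted"),
    Credential("status-page", "tls-cert", "fp-bbbb", date(2023, 6, 1), "public"),
    Credential("legacy-gateway", "tls-cert", "fp-aaaa", date(2022, 11, 30), "internal"),
    Credential("release-signing", "code-signing-key", "fp-cccc", date(2024, 1, 1), "restricted"),
]
AUDIT_DATE = date(2022, 12, 1)  # constructed "today" for the sample run

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, AUDIT_DATE))
```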

What is crucial for data security as data interacts between traditional banks and Fintechs + digital-only banks

It depends on the configuration; if you look at banks, there are a lot of rules, compliance requirements, and security measures that are generally implemented on-premise. That sector of the economy is doing reasonably well and is generally secure.

But in fintech, you have to contend with the need to create a better user experience. At the same time, you also want to get security right, so you must be careful to pay attention to both security and features in addition to those you are aware users will find useful. Looking back at some of the hacks, like the Nomad Hack, we can see that the functionality was initially intended to be beneficial, since it was added to the software to make it easier to use. All of a sudden, it emerges that an attacker was able to exploit it, and these are basically some of the issues that services can help us with.

You can sign up for a service that, for instance, handles all transaction security if it exists. This means that you don’t have to build it yourself, but you still have to pay for the service in accordance with the fact that it is already certified and free. MYHSM is the first multi-vendor, fully managed Payment HSMs service provider, offering secure and highly available host connections to two of the top HSMs manufacturers in the world, Utimaco Atalla AT1000 and Thales payShield 10K.

The MYHSM service offers a distinctive and universally accessible service offering to the whole payment ecosystem and is cross-cloud compatible with all significant payment apps. To secure processes like PIN protection and validation, transaction processing, issuing mobile and payment cards, and key management, connect effortlessly to a group of Payment HSMs of your choosing.

How can a virtualized environment be secured with the availability of 5G?

In general, whether in the cloud or with 5G, we currently rely on virtualization in many situations to provide specialized services. The Internet of Things (IoT) gadgets, for example, are those that connect to the network and have the communication capabilities they need. They arrive in the billions, have low data rates, and aren’t necessarily in need of very large amounts of data with a broadband bent. When it comes to cars, it’s quite a different story. They also require the transmission of massive data at greater data rates, such as emergency services or vital infrastructure that may need to have priority access to the network.

What is the process for doing that, then? Individually installed hardware cannot actually malfunction. Virtualization is employed since this is not practical. The risk increases naturally, especially if someone, for instance, pretends to be an IoT device or emergency service and then essentially gets customized messages. This is the main area where this kind of root of trust is required for virtualization in general and 5G security in particular.

The confluence of IT-OT-IoT is required for Singapore’s SMART city aspiration. Is end-to-end protection feasible in this convergence?

It is certainly possible, but is it necessarily possible in all configurations and with all legacy equipment that might be connected? Most likely not. Going forward, this is something that is essential. In these kinds of configurations, the sensor—a very small device with very limited computational capability to perform much authentication—might be the first place you look. When you finally make it to the machine, gateway, or cloud, you realize how many more risks there are and how important it is to safeguard your data. Each step has a solution, but bringing those solutions together is difficult.

Costs will definitely be taken into account when planning, right? How much money are you investing in these legacy machines? If they can’t provide the required level of protection, you’ll need a system up front to make sure the machine is protected in some way as it was probably not built with security in mind when it was made, say ten years ago. Without it, the attack surface would be incredibly large. It’s really about identifying what you need – and then putting these technologies together to work seamlessly hand in hand.

If you think about a smart city and all the different digitalization cases that you may see there, you might have fast communication using 5G, and then you have critical infrastructure that gets connected. You also have the IT & OT conversion of factories being connected to the cloud and removing the air gapping. There’s one thing that all these digitalization cases have in common:

And that is that they need the root of trust, which is the fundamental. Like with a building, it has to be solid and secure, and that’s something Utimaco provides, a hardware root of trust for all your key materials. And then of course it also has applications around that to support companies in building the digital services required.