
ARCView Cyber Immunity 2022 - Pre Final

Uploaded by

Maxim Karpukhin

BEST PRACTICE
CYBER IMMUNITY 2022

ARCView
May 2022

Kaspersky has made available the much awaited KasperskyOS, a secure-by-design operating system based on Microkernel architecture which is specially designed for network devices, industrial control systems and the Internet of Things.

Cyber Immunity could be the foundation to unleash secure digital transformation in the industry.

By Thomas Menze
Senior Consultant

VISION, EXPERIENCE, ANSWERS FOR INDUSTRY


ARC White Paper • March 2021

CONTENTS

Executive Overview
Cyberattacks against OT infrastructure
Industry Cybersecurity Countermeasures
Industry 4.0 requires the Transformation of OT-Cybersecurity
The call for Cyber-Immunity
Best Practice: Electromobility Charging Station
Best Practice: Railway Switch control
Conclusion
About Kaspersky

Copyright © ARC Advisory Group • arcweb.com • 2



Executive Overview

The Internet of Things (IoT) offers enormous economic advantage for the industry and the development of related services. Consider reduced downtimes of machines and facilities, critical infrastructure data or autonomously running processes.

So in conclusion, IoT solutions - from remote monitoring, predictive maintenance, energy consumption & management and smart buildings to connected products and customer technologies such as mobile apps - optimize operational complexity, cost and time to market.

Technology experts and analysts predict even wider use of IoT devices and apps in the future, which will naturally be accompanied by further development of IoT devices, services and apps - and more and more companies want to be part of this development. At the same time, many enterprises are acting conservatively when implementing IoT solution strategies because IoT security concerns are very real. IoT deployments present unique new security, privacy and compliance challenges for enterprises worldwide.

While cybersecurity is about software and its implementation, cybersecurity for IoT adds another layer as the cyber and physical worlds come together. Many maintenance and operational scenarios in IoT use end-to-end connections to allow users and services to interact with data. However, companies looking to leverage the efficiency benefits of IoT, such as predictive maintenance, should be very aware of what IoT security standards need to be met (e.g. IEC 62443 or ISO 27000), as these operational technologies are too important to ignore intrusions, emergencies or other threats.

Cyberattacks against OT infrastructure

The frequency and sophistication of successful OT cyberattacks should be a warning to asset owners, network operators, and cybersecurity teams. This warning applies to both the IT and OT domains. Uncoordinated defenses from the edge to the cloud enable attacks on production equipment. The multitude of automation components from different manufacturers makes it difficult for plant operators to keep track of cybersecurity in OT networks. Occupational safety, the avoidance of environmental hazards and trouble-free operation are cyber protection goals that are often at the forefront of operators' minds. To this end, they have always used protection methods that originated in traditional IT and have been made fit for OT applications. But the rapid growth of edge to cloud solutions is forcing users to rethink their security approaches. To proactively secure mission-critical OT, enterprises must consider the following when planning their cybersecurity strategies for 2022 and beyond:
▪ Design of a security concept,
▪ Security levels of protection to be achieved for specific parts,
▪ Maintenance of the protection concept over the life cycle,
▪ Ensuring the effectiveness of the security concept,
and more.

The evolution towards Industry 4.0 with its focus on process automation and real-time data collection and exchange plays a paramount role. This existing infrastructure is ripe for new attacks on PLC, ICS, OT, IIoT and IoT systems that are no longer proprietary but accessible via the Internet. With IT/OT convergence, networked control systems now merge with IT-connected enterprise networks, leading to additional security risks from cross-contamination of LAN, Internet and control network traffic.

The issue is that in most OT networks, cybersecurity is limited. And typical security measures such as virus scanning, endpoint protection, or anomaly detection are of little help because the multitude of IIoT components and network structures are difficult to patch and protect effectively in practice.

That is why the strict separation between IT and OT has not existed for a long time. This separation has been eliminated in many places, and not just in the context of the digital transformation. Machines have had remote maintenance access for a long time, via which the manufacturer carries out remote maintenance. Remote maintenance is the best way to implement short response times to problems in a cost-effective and timely manner. But adaptations in corporate networks continue to change, driven by digital transformation. Now the aim is to create even more flexible and error-free production.


An overview of how the OT infrastructure must be increasingly networked in order to achieve digital efficiency is shown in the illustration on the left. All levels of the automation pyramid are linked with IT in many cases, and more and more IoT networks are also being integrated into automation. In this way, the attack surface of the automation pyramid continues to increase.

Source Kaspersky

Industry Cybersecurity Countermeasures

Asset owners are using new tactics to take advantage of IIoT digital capabilities to increase efficiency. One example is the NAMUR NOA concept. This uses non-reactive communication between the IIoT networks and process automation components. This means that digital methods are used to increase efficiency, but by using a second communication channel, the digital sensor data is separated from the traditional process automation. NAMUR describes this concept in NE 175 as follows:

“The NAMUR Open Architecture (NOA) aims to make production data easily and securely usable for plant and asset monitoring as well as optimization.

Smart sensors, field devices, mobile devices and the ubiquitous use of IT equipment are generating more and more data that is often difficult to access within the classic NAMUR automation pyramid. NOA will change this by transmitting this data over a second communication channel without affecting the widely accepted advantages of traditional automation structures and with no impact on the automation system.”

Source NAMUR


NAMUR is a large interest group from the process automation industry. The committees within NAMUR are able to develop such safety concepts together with universities. Not every production company can define or implement such a concept for its own requirements. Developing one's own secure communication concept requires a rethinking of the security principles, which are based on the OT priorities availability, integrity and confidentiality, in exactly this order.

It is certainly helpful to use a zero-feedback and manipulation-proof concept for IIoT communication right from the start. This reduces the security effort for IIoT suppliers and gives users the freedom to simply use IIoT to increase plant efficiency.

Industry 4.0 requires the Transformation of OT-Cybersecurity

It's no surprise that the growth of cloud computing, apps and infrastructures is rapidly increasing in complexity and number of providers. Traditional scanning and patching methods can no longer efficiently secure complex cloud structures.

The Outlook

Cybersecurity in process automation has reached a critical point. On the one hand, systems should be operated as efficiently as possible in order to safeguard the competitiveness of companies. On the other hand, the use of IIoT and cloud infrastructure poses a security risk.

Cybersecurity for OT and cloud networks needs to be transformed. The industry referred to the concept of "Industry 4.0" as digital transformation. For automation technology, this is a correct statement, but for cybersecurity, this transformation has yet to take place. What can this transformation look like for cybersecurity? Perhaps it is the transition from cybersecurity to Cyber-Immunity. Here, cyber immunity is defined as a technology that protects against already known attack methods. In addition, protection against unknown attacks is also implemented for the future.

Back to cybersecurity impacts and the use of IoT. The ITSRS report provides
an insight into IoT specifics.

▪ In 2021, 53% of organizations abandoned new business projects due to an inability to address cybersecurity risks, and 74% faced a situation where there was a lack of an appropriate security solution.

▪ 64% of businesses already maintain or use IoT solutions.

▪ 52% of organizations are worried about collecting big data from IoT devices because of the risk of cyber-sabotage and espionage.

▪ However, the risk of a cybersecurity breach is the biggest concern for 57% of organizations that are planning to implement IoT.

When it comes to cybersecurity risks, no two companies and applications are alike. Effective cybersecurity must be adapted to the threat situation and requires a joint response from all stakeholders. Cyber protection is not a product you invest in once and forget about, as it is an ongoing process.

Despite the increasing adoption of IoT, more than half of the companies surveyed are concerned about cybersecurity and data integrity when implementing IoT (57%). Lack of resources or budget constraints are cited as a second reason (35%).

In terms of different industries, 53% of companies in the industrial sector are concerned about security breaches and data compromises, followed by a lack of in-house expertise (35%). The utilities sector is similarly concerned, with 50% and 44% in these areas, respectively.

The IoT creates a host of new security risks and challenges for devices, platforms and operating systems, their communications, and even the systems they are connected to (e.g., using IoT devices as a point of attack).


Companies surveyed had concerns about collecting large amounts of data from IoT devices, as they see the risk of cyber sabotage, espionage, and other advanced threats (52%).

The call for Cyber-Immunity

In order to respond to the IoT security challenges and to support companies in using practical cybersecurity solutions, new solution paths must be considered.

Efforts are underway to standardize the development of IoT platforms to make them more secure. Such initiatives are accompanied by associations such as the Institute of Electrical and Electronics Engineers (IEEE) and the European Telecommunications Standards Institute (ETSI).

There are also recommendations for organizations on how to build secure IoT systems or assess the state of existing IoT solutions, such as the Industry IoT Consortium's "IoT Security Maturity Model." It guides organizations through processes to help them take security action.

General recommendations for IoT security include the use of encryption and password policies, network segmentation, and firewalls and special protection for cloud infrastructures to which IoT devices connect. These practices are recommended for all critical technology systems.

In addition, there is a unique approach to IoT security called Cyber Immunity. Cyber Immunity does not focus on reducing the number of potential vulnerabilities, but on creating conditions in which no vulnerabilities exist. So even if an application is attacked, this has no impact on the reliable operation of the platform.

This can be realized with a dedicated operating system and platform development methodology. This operating system uses a microkernel architecture with only a few thousand lines of code, which eliminates vulnerabilities and reduces the attack surface. This software, with a minimal number of trusted components in the operating system, was developed by Kaspersky and is called KasperskyOS©.

KasperskyOS was developed according to best practices for secure software and also includes the MILS (Multiple Independent Levels of Security) architecture. This ensures that attacks cannot compromise the system's functions.

The typical architecture for a Cyber Immune Gateway may look like the following:

Source Kaspersky

The Gateway KISG 1000 is one example where Cyber-Immunity and an IoT-Gateway function were combined. In such an application, the integrity of IoT data is ensured. The Cyber-Immune Gateway connects the sensor/actuator level to the internet and from there communication takes place to the cloud services and the corporate network. Cyber-attacks and manipulations from the internet against the gateway are practically impossible. Communication in the cloud environment takes place only according to the configured rules.

Best Practice: Electromobility Charging Station

In the past, automation suppliers patched security vulnerabilities in EV charging stations that could lead to denial-of-service (DoS) attacks.

Suppliers addressed 13 flaws in total, including three critical vulnerabilities. Charging points are installed at private properties, public car parks, and for on-street charging. Three charging station product ranges are affected: City, Parking, and Smart Wallbox.

Source Kaspersky

Exploitation and impact:

Affected charging point owners who fail to apply the firmware update "may risk potential unauthorized access to the charging station's web server, which could lead to tampering and of the charging station's settings and accounts," the owners were warned.

Such manipulation could lead to things like denial of service attacks, which could result in unauthorized use of the charging station, service interruptions, and failure to send charging data records to the supervision system.

The vulnerabilities can be exploited remotely if stations are exposed directly to the internet - a configuration. Commercial charging infrastructure typically consists of hundreds of chargers, so if an attacker manages to get network access to them, they can take over all of them. To harden the Charging point it was recommended to change charging station's internal communication port, which requires disassembling the charging station enclosure, or, in the case of a connected station, to the network of the charging station's supervision system".

As electric vehicle charger deployments continue to grow, it is likely that further serious vulnerabilities will emerge. Imagine the manipulation of charging records or settings to overcharge or undercharge vehicles, or the theft and misuse of charging credentials. In the worst case, attackers could even find ways to impact the electrical grid.

This is an instance of how important it is or will become to protect IoT components with a system that protects against known and unknown cyber-attacks. The networking and back-copying in critical infrastructure systems require such protection mechanisms. Here KasperskyOS can be used to ensure effective protection against vulnerable manipulations.

Best Practice: Railway Switch control

The railroad, as an important factor of mobility, is looking for cost-effective methods for the use of its resources in the rail system. In order to specifically reduce the energy demand, an intelligent switch heating system was introduced. The heating is only switched on when various environmental parameters indicate that freezing is possible. The prediction is part of an autonomous system. For control, all these switches are networked and the function is centrally displayed.


Source Kaspersky

Such a decentralized project cannot be realized without cyber security. After all, a successful attack on the networked switch systems would have disastrous consequences. Rail traffic is part of the critical infrastructure. The safety of rail traffic is at risk if the switches do not function properly in all weather conditions. The status of the switches is summarized in decentralized clouds and the local weather data is monitored by IoT components.

In the process, a KasperskyOS based IoT Secure Gateway was able to ensure the integrity of signal processing without requiring a great deal of maintenance or configuration. Cyber-attacks on the operating system remain unsuccessful. The same applies if cybercriminals try to manipulate the data from the weather transmitters.

The system protects itself when employees connect an infected computer to the system accidentally. The KasperskyOS IoT Gateway then securely protects against the installation of unauthorized software that can be used for compromise.

Conclusion

Digitization combines information technology (IT), traditional operational technology (OT) and intellectual property (IP) together to boost industry competitiveness.

That is why this merging of OT, IT and IP can be observed in the manufacturing industry. To fully realize this networking is a task that takes some time for most companies. Thus, we can observe how an entire industry is slowly moving towards Industry 4.0 by replacing equipment piece by piece. Unfortunately, this transformation brings a number of new cyber-threats and -risks.

With the implementation of connected production, digital transformation presents a new cyber threat profile. While Industry 4.0 presents an ideal picture of production that supports companies in becoming particularly competitive and efficient, the necessary IT security measures remain unclear.

Overall, IT security must become a matter of course - and not in the sense of running in parallel, but rather being thought of from the very beginning. ICS systems have lifetimes of more than 30 years. New cyber security concepts such as Cyber Immunity are needed here. A system that protects against current and future cyber threats is certainly a very practical method. Cyber Immunity can be the new foundation for implementing the digital transformation more securely.

To this end, OEMs and other technology market leaders are seeking partnerships with cybersecurity vendors to develop secure-by-design products and make security a key differentiator as part of their solutions. For example, to protect Industrial IoT environments and use-cases, Kaspersky has partnered with Aprotech to develop a secure IIoT gateway that integrates with Siemens MindSphere, IBM Bluemix, Yandex IoT Core and other Cloud Platforms. The unique aspect of this product is the application of the Cyber Immunity concept using KasperskyOS, enabling industrial organizations to confidently explore the benefits of Industry 4.0 and digital transformation.


About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Kaspersky technologies and services provide cybersecurity to over 400 million users, and over 250,000 corporate clients to protect what matters most to them.

Learn more at www.kaspersky.com


About KasperskyOS

KasperskyOS is a specialized microkernel operating system developed from scratch by Kaspersky to serve as the basis for Cyber Immune IT solutions. Cyber Immunity is the Kaspersky vision for the future of IT systems security. An IT system is Cyber Immune if the overwhelming majority of types of cyberattacks on it are ineffective and cannot affect its critical functions in the usage scenarios specified at the design stage. Cyber Immunity can be achieved by using KasperskyOS and following the special Kaspersky methodology while creating a solution.

Kaspersky is developing software products based on KasperskyOS, including a product line of IoT gateways to operate in industrial, smart city and other business environments, a specialized SDK to build safe and secure electronic control units (ECU) in automotive projects, as well as other products.

Learn more at: https://os.kaspersky.com


Contact us: [email protected]

About Adaptive Production Technology

Adaptive Production Technology (APROTECH) is a Kaspersky subsidiary in the field of IIoT, founded in 2018. APROTECH’s business relies on the design and development of vertical IIoT solutions, starting from a gateway (it provides a secure connection between production equipment and a cloud-based open operating system) and finishing with visualization of technological process bottlenecks, proposing agile deployment of business services for cyber-physical systems.

Learn more at www.aprotech


Analyst: Thomas Menze


Editor:

Acronym Reference:
ALM   Asset Lifecycle Management
APM   Asset Performance Management
CPAS  Collaborative Process Automation System
CMM   Collaborative Management Model
CPM   Collaborative Production Management
CRM   Customer Relationship Management
DCS   Distributed Control System
EAM   Enterprise Asset Management
ERP   Enterprise Resource Planning
HMI   Human Machine Interface
IIoT  Industrial Internet of Things
IoT   Internet of Things
IT    Information Technology
MES   Manufacturing Execution System
OT    Operational Technology
PAM   Plant Asset Management
PLC   Programmable Logic Controller
PLM   Product Lifecycle Management
ROA   Return on Assets
SCM   Supply Chain Management
WMS   Warehouse Management System

Founded in 1986, ARC Advisory Group is the leading technology research and advisory firm for industry, infrastructure, and cities. ARC stands apart due to our in-depth coverage of information technologies (IT), operational technologies (OT), engineering technologies (ET), and associated business trends. Our analysts and consultants have the industry knowledge and first-hand experience to help our clients find the best answers to the complex business issues facing organizations today. We provide technology supplier clients with strategic market research and help end user clients develop appropriate adoption strategies and evaluate and select the best technology solutions for their needs.

All information in this report is proprietary to and copyrighted by ARC. No part of it may be reproduced without prior permission from ARC. This research has been sponsored in part by HIMA. However, the opinions expressed by ARC in this paper are based on ARC's independent analysis.

You can take advantage of ARC's extensive ongoing research plus the experience of our staff members through our Advisory
Services. ARC’s Advisory Services are specifically designed for executives responsible for developing strategies and directions
for their organizations. For membership information, please call, write to, or visit our website:

ARC Advisory Group, Three Allied Drive, Dedham, MA 02026 USA • 781-471-1000 • www.arcweb.com
