Cybersecurity Architectures in 2030: ZT, DCS, CDSS

vixentael
December 17, 2025

By 2030, cybersecurity for distributed systems will be less about restricting networks and software, and more about protecting data and keeping systems alive. As everything becomes connected, from drones and edge AI to microservices running across clouds, our software will need to make its own trust decisions, recover quickly, and exchange data securely even in messy, unpredictable environments.

In this session, we’ll talk about what’s actually working: Zero Trust, Data Centric Security, and Cross-Domain Security Solutions that make complex systems resilient by design. Expect current engineering practices, architecture patterns, and implementation lessons that are defining the next decade of cybersecurity.

Transcript

  1. Anastasiia Voitova, Head of Security Engineering @ Cossack Labs (cossacklabs.com)

    Cossack Labs is a security solutions company for mission critical applications, founded in 2014 in UK. Building & breaking secure software in power grids, finance, ML/AI, ICS/SCADA, IIoT, robotic & autonomous systems, communication systems — where data & application security is a hard requirement. Since 2022 — helping Ukrainian defenders be more resilient against russian aggression in multiple domains.
  5. Power grid, CNI
    • Geographically distributed stations
    • Real-time processing
    • Telemetry -> SCADA, control commands -> stations

    UVs control systems
    • Fleet management for 100/1000s of devices
    • Devices could be lost, captured (evil twin)
    • Highly unstable connectivity

    Governmental systems (govtech)
    • Process citizens data
    • Owned by different agencies / ministries
    • Heavily regulated, interdependent

    Situational awareness systems
    • Web, mobile, desktop, IIoT, sensors
    • On prem / shared cloud / private cloud
    • Integrated, cross-domain data exchange
  7. ⚠ High stakes, high-risks
    • Mission critical
    • Failure has real-world consequences
    • Heterogeneous

    ⏰ Real-time and scale
    • Geo and logically distributed
    • Many devices
    • (Near) real-time

    🔐 Sensitive data
    • Operate on sensitive data
    • Different data classes
    • Require data security

    Data security measures become security boundary for data. Beyond software and perimeter security alone.
  8. Security goals

    1. Protect data and IP: prevent leakage and modification of PII, payloads, telemetry, firmware, mission data.
    2. Secure data exchange through different systems.
    3. Ensure authenticity and authorisation: devices, operators, actions.
    4. Prevent cascade effects: failures must not propagate across the system.
    5. Remain operational even with poor connectivity.
    6. Auditability: when, who, what; tamper-evident logs.
  9. Security guidelines and standards

    • OWASP ASVS, ISMS, SAMM
    • NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
    • NIST SP 800-37 Risk Management Framework
    • NIST SP 800-207 Zero Trust Architecture
    • NIST CSF CyberSecurity Framework
    • NIST SP 800-63b Digital Identity Guidelines: Authentication and Authenticator Management
    • NIST SP 800-160 Engineering Trustworthy Secure Systems
    • NIST SP 800-213 IoT Device Cybersecurity Guidance for the Federal Government
    • NIST SP 800-82 Guide to Operational Technology Security
  13. DCS, ZTNA, CDSS, DiD

    • Data centric security – protect the data no matter where it is, not the environment. Based on encryption.
    • Zero Trust Network Access – ZT assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. ZTNA gives users access to a specific network / service. “Never trust, always verify”. NIST SP 800-207.
    • Cross Domain Security Solutions – trusted gateways for secure, policy-controlled exchange of data with different classification levels between systems. Inspection, sanitisation, data validation. NSA RTB.
    • Defence in Depth – creating overlapped and interconnected security defences for the most critical assets.
  14. Data centric security

    Encryption is an ultimate data security measure. Protect the data where it lives. Encryption, signatures, audit logs.

    ALE is encryption happening within application context. ALE works together with data-at-rest and data-in-transit encryption. ALE could be client-side, server-side, end-to-end, etc.
  15. [Diagram: two panels, "TLS (in transit)" and "application-level encryption", each showing Alice, Carol and Bob connected through server 1, server 2 and server 3, with links labelled "encrypted".]
  16. Hybrid Public Key Encryption (HPKE)

    datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/

    • encrypt data with symmetric key using AEAD (AES-256-GCM)
    • encapsulate symmetric key with public key scheme
  17. Payload security

    Encrypt data per each device using unique keys, tie data to device. HPKE. Authenticate device. Transfer data encrypted, and store encrypted on any modules that don’t need it (like base station). Re-encrypt on device, decrypt before usage.

    [Diagram labels: Core infrastructure (payload generation, encryption per device, storage); transfer & TLS (encryptedPayload); base station; transfer & TLS (encryptedPayload); device (decryption, re-encryption & storage of encryptedPayload, payload decryption & usage).]
  18. Telemetry security

    Telemetry (location, logs, sensor data) from device to core should be protected. We care about confidentiality (often) and authenticity (always) of telemetry data. Solutions: encryption (AEAD) and signing using device-specific keys.

    [Diagram labels: device (telemetry generation, encryption, signing, storage); transfer & TLS (encryptedTelemetry); base station; transfer & TLS (encryptedTelemetry); Core infrastructure (decryption, validation, telemetry processing, storage).]
  19. Cross domain security solution controls and enforces secure data transfer between systems operating at different trust or classification levels.

    The goals of CDSS:
    1. Secure data exchange across different domains or same-level systems with different owners or locations.
    2. Reduce risks towards data that is being exchanged (protect confidentiality and integrity).
    3. Reduce risks towards systems (prevent cross-domain compromise and unintended impact).
  20. CDS types / usages

    1. Transfer: Direct online, data pump / bulk transfer, file transfer.
    2. Access: Gain access to applications in other domain.
    3. Application gateway (could be Transfer, Access or both): Application-specific exchanges (e.g., email, chat, web, database) across domains.
    4. Stream: Pass strong-typed streaming data between domains (voice, imagery, etc).
    5. MLS (Multi-level security/Multi-level Cross-domain solution): Allow data consumers to access multiple domains or transfer data, without merging them.
  21. Connection break:
    • Link break
    • Protocol break

    Validation:
    • Payload, schema, protocol validation
    • Route to payload validation

    Import sanitisation:
    • Identification of malicious payloads (malware, executable code)
    • Transform to cut off CDS features

    Exfiltration detection:
    • Signature-based
    • Validate against schema
    • Limit output formats to scannable
    • Pattern detection (PII, passport info, names)

    Data traceability:
    • Origin, transmission provenance via signing
  22. OT country scale level

    [Diagram labels: Substation (Local SCADA with PLCs, shown three times); Regional Dispatch Center (Regional SCADA, shown three times); Core TSO Dispatch Center (Central SCADA, Dispatch software).]
  23. [Diagram labels: telemetry and control commands between Substation (PLC, Local SCADA), Regional Dispatch Center (Regional SCADA) and Core TSO Dispatch Center (Central SCADA, Dispatch software).]
  24. Identify and authorise first. Protect authenticity and protect against evil twin.

    [Diagram labels: Substation (PLC, Local SCADA); Regional Dispatch Center (Regional SCADA); Core TSO Dispatch Center (Central SCADA, Dispatch software).]
  25. VPN + dynamic networking, mTLS channel binding

    [Diagram labels: Regional SCADA, Local SCADA, PLC.]

    • IP: IP allowlist
    • VPN: allow if VPN cert registered
    • TLS: allow if (TLS_ID == VPN_ID)
    • app: allow if (app_ID == TLS_ID == VPN_ID)

    Whoever passes all 3 rules is then dynamically evaluated against policy (ZTNA).
  26. Combining the best from ZT and CDS

    [Diagram labels: Source, Network Edge, Internet, Network edge, Center (private cloud), Destination. One edge: Link break, Protocol break, Validate / filter, Protect. Other edge: Link break, Protocol break, Validate / filter. Identity layers: Device identity, Transport identity, Application identity, Payload identity.]
  27. UA DroneID

    1. UA DroneID — a suite of protocols and transport methods (software and hardware modules for UVs and ground stations, cloud processing).
    2. UA DroneID protocol provides trustworthy positioning, friend-or-foe and telemetry collection for UV/UAVs.
    3. To avoid friendly fire, we need to collect Blue Force Data.

    Actively used on the battlefield since 2023. Civilian counterpart is being built. Joint efforts by Cossack Labs, CIDTD UA MOD, UA MDT, NGO Aerorozvidka.
  28. Same problem, different angle

    Many units with bad connectivity. Real time sensitive data. Cannot connect directly to the cloud. High security risks.

    🤔 Looks familiar? cossacklabs.com/projects/uadroneid/
  29. Data DMZ for high risk data sources

    [Diagram labels: Integration type1: remote untrusted (External source, domain model 1, data format 1, receiver, untrusted data, generate “clean” data); Integration type2: remote semi-trusted (DroneID) (External source, our agent (API, contract, code), API for agent, remote device trust validation, domain model 2 & validation, generate “clean” data); Main integration data pipeline (anomaly detection & validation, historical raw data, anomaly data, trusted data); network data & meta-data; SIEM; C4ISR.]
  30. Failure of a single security control is a question of time. Failure of a security system is a question of design.
  31. AAA WAF IDS DCS CDSS SIEM HIDS DAST SAST KMS HSM PKI TPM UEBA IAM TLS TDE TDE HPKE DID ZTA ZTNA MFA RBAC MLS ALE SBOM TEE VDP E2EE RA IRP HNY
  33. Anastasiia Voitova, Head of Security Engineering @ Cossack Labs

    cossacklabs.com
    linkedin.com/in/anastasiiavoitova/
    x.com/vixentael
    cossacklabs.com/job/

    let’s work on nerdy great things together
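
Added example, not part of the original deck or Cossack Labs' code: slide 18's telemetry protection sketched in Go, with AES-256-GCM using the device ID as associated data and an Ed25519 signature under a device-specific key. The `Keys` type, function names, device IDs, sample telemetry and the choice of Ed25519 are assumptions made for illustration, and a pre-shared per-device AES key stands in for the HPKE key encapsulation of slide 16.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keys is one device's key material (constructed for this example, not a DroneID format).
type Keys struct {
	AEAD cipher.AEAD        // AES-256-GCM under a key unique to one device
	Pub  ed25519.PublicKey  // registered at the core
	Priv ed25519.PrivateKey // stays on the device; nil in the core's copy
}

// Provision returns the device's key set and the core's copy without Priv.
func Provision() (dev, core Keys) {
	enc := make([]byte, 32)
	rand.Read(enc)
	block, _ := aes.NewCipher(enc) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Keys{aead, pub, priv}, Keys{AEAD: aead, Pub: pub}
}

// Seal (device): AEAD-encrypt with the device ID as associated data, then sign.
func Seal(k Keys, id string, telemetry []byte) (msg, sig []byte) {
	nonce := make([]byte, k.AEAD.NonceSize())
	rand.Read(nonce)
	msg = k.AEAD.Seal(nonce, nonce, telemetry, []byte(id))
	return msg, ed25519.Sign(k.Priv, msg)
}

// Open (core): look up the claimed ID, verify the signature, then decrypt.
func Open(reg map[string]Keys, id string, msg, sig []byte) ([]byte, error) {
	k, ok := reg[id]
	if !ok || len(msg) < 12 || !ed25519.Verify(k.Pub, msg, sig) {
		return nil, fmt.Errorf("rejected: %q unknown or signature invalid", id)
	}
	return k.AEAD.Open(nil, msg[:12], msg[12:], []byte(id)) // 12-byte nonce prefix
}

func main() {
	dev, core := Provision()
	msg, sig := Seal(dev, "uav-1", []byte("lat=50.45 lon=30.52"))
	pt, err := Open(map[string]Keys{"uav-1": core}, "uav-1", msg, sig)
	fmt.Println(string(pt), err)
}
```

Because the signature is checked against the key registered for the claimed ID and the ID is also bound into the ciphertext, telemetry relayed through a base station cannot be re-attributed to another device or altered without the core rejecting it.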