13 September 2024

Cybersecurity protocols and cryptography

Interview with Ana Isabel Gómez

Cybersecurity is a field that is growing in importance with the progressive digitalisation of our reality. The security protocols that govern our current networks and connections rely on key services and cryptographic schemes that have to adapt to a world that is increasingly connected and has more possible vulnerabilities. The energy sector has a strategic and vital security component for the functioning of our countries, so there are national and supranational entities that maintain the certification schemes and standards that help us to discern the vulnerabilities of the system.

As part of our analysis of current energy challenges, we look at cybersecurity, security protocols and cryptography. For this we are joined by Ana Isabel Gómez Pérez, PhD, currently a professor at the URJC in Madrid. Ana will help us to understand the current reality of these protocols and how to deal with possible vulnerabilities in the future.

Thank you for collaborating with us Ana and dedicating your time to share your knowledge with our readers. We would like to know a bit more about you: could you tell us a bit about your professional background and how you specialised in security protocols and cryptography?

-Answer: As a researcher, I began my career in research projects on the physical layer properties of wireless communications, although I had previously developed my professional career as a computer systems and network engineer. This led me to the study of computer security and cryptography, first in a self-taught way and later in the framework of a doctorate in which my interest in the application to security began through various scientific collaborations.

In particular, there are a number of techniques that make it more difficult to detect communications for users who do not know a particular code, while maintaining efficiency for legitimate users. By their nature, wireless communications require more measures to ensure security, so they are combined with cryptography-based protocols to ensure that our information is not disclosed or altered, where mathematics gives us guarantees of communication security. All these protocols rely on the generation of secrets, often numbers that are indistinguishable from a random number to a third party.

Talking about the subject in question, we would like to understand the level of complexity of the implementation of security protocols in the reality we live in. What do you consider to be the biggest challenge in the implementation of security protocols in companies and governments nowadays?

-Answer: The biggest challenge is that it requires a coordinated effort between all the actors involved in advancing technology and knowledge in the field of security for its transfer and application in real situations. On the one hand, with the promise of quantum computers, the type of mathematical problems on which the protocols we use on a daily basis are based no longer offer the same guarantees in a theoretical way. This involves applications such as digital signatures or encrypted communications on the web, for example, the HTTPS protocol. For this reason, organisations such as the National Institute of Security Technologies (NIST) have promoted new proposals that, due to their complexity, challenge this type of computation. These new proposals are more complex to understand, as they break with previous techniques, making their implementation a challenge. On the other hand, another challenge is the decentralised nature of information access, where availability is required, but also security properties such as confidentiality or data integrity. We need information to be available at any time, among many users and from various devices such as smartphones or various devices as we can find in the Internet of Things. This raises the need for mechanisms that are transparent and easy to use for users, while maintaining security guarantees.

We know that cryptography is the essential information tool for ensuring security in computer systems. How important will cryptography be in protecting sensitive data in the future and how has its use evolved in recent years?

-Answer: Cryptography has been and will be fundamental to information security. Since the first public key works, which date back to 1976 and are the basis of all digital signature systems, there has been a revolution. A multitude of protocols have been proposed, many of which are still in use with minimal tweaks. On the other hand, advances in computing and information technology have generated new needs, from computing over encrypted data, to the development of secure digital identity and distributed record keeping as in the blockchain among other applications. With the development of increasingly heterogeneous networks in devices and applications, this trend is expected to continue with the construction of new protocols based on cryptographic tools.

The security protocols to be followed and currently being implemented connect bi-directional data and encrypt that information to the associated control networks, as most power generation facilities have SCADAs.

Can you describe an effective security protocol to protect the SCADA networks used in the management of these facilities?

-Answer: For those who do not know what SCADA networks are, SCADA is an acronym for ‘Supervisory Control and Data Acquisition’. These networks are part of what are known as operational technologies (OT), which are the result of applying information technologies to previously isolated physical systems in industrial networks. In the case of energy networks, they make it possible both to collect geographically dispersed data from several locations and to send control commands. Thanks to information technologies, it is possible for an operator to monitor an entire system from a central location in near real time. This data transmission, which can partly take place over third party networks such as the Internet, together with the criticality of this type of critical services, has led to the publication of specific security guidelines such as ISA 95 or NIST SP 800-82r3. I will focus on the last one to highlight the importance of implementing a comprehensive organisation-wide framework for cybersecurity, including risk management, employee security training, …

Various security mechanisms must be combined, allowing for a layered defence at the different levels of such networks. I would like to comment on a few particular ones, although the list is extensive. The SCADA network has to be protected by zero-trust architectures and intrusion detection and monitoring systems, which also allow logging of network activity. The use of mechanisms at hardware and software level includes the use of certified products and implementation of update policies among others. Cryptography gives us the techniques that will allow us to protect our data, using encryption beforehand for its transmission over networks and storage or digital signature techniques to avoid malicious modification, but it is up to each organisation to choose its pros and cons. Any cryptographic protocol introduces computational costs that can slow down processes, so organisations have to adapt it to their needs. NIST itself maintains a list of recommended standards on its website.

Knowing that the word ‘quantum’ has been a trend in recent years and seems to be a possible revolution in many sectors, and specifically applied to computing, how do you see the future of cryptography with the arrival of emerging technologies such as quantum computing? And above all, when will it arrive?

-Answer: We are immersed in several NIST standardisation competitions, in which new protocols that are robust to the appearance of quantum computers in the field of cryptography are being evaluated. To date I have participated in my own degrees, aimed at professionals with quantum computing content, due to their practical interest in industry for the acceleration of calculation and optimisation processes. Although there is no consensus forecast of when it will be possible to build a quantum computer at scale, the switch has already begun in the case of more critical protocols, such as key exchange, which are fundamental in many security protocols, to algorithms such as Kyber, which won the last successful competition.

Certification in itself is a guarantee that security meets minimum or general standards. How would you ensure that the security and cryptographic solutions implemented comply with the applicable international norms and standards?

-Answer: In the world of cyber security there is a lot of talk of ‘Don’t roll your own crypto’, as it is important to use products that have been evaluated by authorised certifiers grouped under the ‘Common Criteria’ standard, which is agreed between different countries. This ensures that we can be confident that products work as promised without having to test them extensively, as any evaluation process is costly in time and effort and not always affordable for an organisation.  There are different levels of confidence offered by the evaluation process, documented and published so that it can be consulted for decision making. In the case of Spain, the National Cryptographic Centre is the reference body for these certification processes.

And in this reality where AIs are increasingly making headlines and their use is more common, how do you see the role of artificial intelligence and machine learning in improving cybersecurity, and what are the risks associated with their implementation?

-Answer: AI is a very extensive field of research, by definition systems that respond intelligently to their environment with a certain autonomy of action, although recently the so-called generative AI is the one that is receiving more attention due to its rapid development and easy reach of users. Artificial Intelligence is not new to cybersecurity, which, for example, is used in attack monitoring and detection systems, which use these technologies to detect increasingly sophisticated and coordinated attack patterns. Another example can be in aiding in the automatic classification of assets susceptible to protection.  In general, techniques can be found proposed for all levels of activity identified by NIST (Identification, Protection, Detection, Response and Recovery).

Like many tools, its power can lead to misuse, as we see in the case of enabling less effortful and more sophisticated social engineering attacks by malicious actors, using large language models such as those used by ChatGPT.

The debate on Artificial Intelligence and its regulation is currently open, so it remains a complex discussion for society as a whole. In my case, I share the opinion that the implementation of this type of techniques increasingly requires the participation and training of experts in ethics and privacy to ensure that they are fit for purpose without compromising the rights of digital users.

In terms of training and future opportunities, what recommendations do you have for professionals who wish to specialise in security and cryptography? What skills and knowledge are essential?

-Answer: Depending on where a professional is in his or her professional career and interests, a first step is to make use of the educational resources provided by INCIBE through its portal free of charge and then go deeper through master’s degrees and studies offered by the university if they have the appropriate technical knowledge. I consider these technical skills to be a basic knowledge of a programming language, familiarity with the functioning of computer systems and computer networks and an interest in mathematics, which is essential to get started in cybersecurity. The Rey Juan Carlos University is currently offering a degree in cybersecurity engineering for new university students with an interest in computer science.

Ana, thank you for all the information and for your generosity with our corporate blog. You are invited to visit us whenever you want and we will stay in touch.

Ana Isabel Gómez Pérez

Ana Isabel is a Telecommunications Engineer and holds a PhD in Science and Technology from the University of Cantabria.  Her research interests are in the fields of randomness measurements, sequence generation, sampling techniques and statistical simulation.  She has participated in international projects as a researcher and has published and presented more than 10 papers in national and international conferences. She has also collaborated in the organisation of several scientific events. She is currently a member of the high-performance research group ‘Algebra and Cryptography’ at the Universidad Rey Juan Carlos, is responsible for the research project ‘Mathematical Cryptography for a Quantum Future: Effective Resources for Real Applications’ and collaborates with the INCIBE-University of Cantabria chair included in the programme of Chairs in Cybersecurity in Spain, within the framework of the Recovery, Transformation and Resilience Plan, with funding from the Next Generation-EU Funds.
