Thanks to COVID-19 I’ve recently found myself spending more time than I’d like reading about biology and understanding the virus’s impact on the human body. While watching one of the better videos I've seen explaining the epidemic, for some reason the day-to-day dilemmas of my work crept into my brain. Specifically, the problem I spend a good amount of my time helping clients try to solve - how to defend critical infrastructure systems from cyber threats.
I think there is some inspiration we can take from biology when trying to tackle this problem.
Cells are the core functional units of all known living organisms. They are the building blocks of life, working in tandem to form spectacularly complex collections such as plants and animals. At the macro level it’s easy to lose sight of the fact that cells themselves are complex: each requires a cell membrane, a boundary, to protect it from potentially harmful threats in its surrounding environment.
There is a striking analogy here with Operational Technology (OT) environments, which are the core of most critical infrastructure systems and services we depend upon every day. OT environments need to be protected by boundaries from less-trusted environments, such as corporate or public networks. Anyone responsible for protecting these environments in today's age of IT/OT convergence will know this boundary isn’t a simple matter of building an impenetrable wall. Cells, just like modern OT, cannot exist in complete isolation; they rely on certain substances (or information) passing from the outside environment through the cell membrane, and vice versa, in order for the overall ecosystem to function normally.
In other words, biology has built the tiniest, most amazing all-in-one firewall / IDS / demilitarized zone architecture you’ll ever see (or never see, as it is only visible with a microscope). These cell membranes are selectively permeable, able to let certain substances pass through while restricting others (a.k.a. whitelisting), and tiny “receptors” on the membrane have the job of identifying malicious threats and can trigger a defensive response if needed (a.k.a. the blue team). All this occurs in real time, millions of times per day, across millions of cells in all life as we know it.
But no system, digital or biological, is 100% secure.
COVID-19 has been an effective threat thanks to its ability to socially engineer one of these receptors (named ACE2) and successfully execute command injection into the epithelial cells that line our body's organs. Sometime later, when the blue team (immune system) starts investigating they become unknowingly compromised and start spamming calls for more responders, causing a massive state of confusion. In this confusion, they start shutting down healthy systems in addition to compromised ones, and they become ultimately responsible for widespread impacts across the production environment. Most organisations will eventually turn this situation around, but some don't, and perish.
The lesson here is one of continual and seamless threat adaptation, or in more familiar cyber security terms, detection and response. If you are responsible for securing critical infrastructure environments, you cannot rely on the boundary alone. Instead, ask yourself: is your boundary (the membrane) threat-aware? Does it understand what constitutes normal behavior? Are you informed enough to configure your defenses to be selectively permeable? Do you have “receptors” that will identify suspicious behavior on the boundary and raise timely alerts to the right resources? Are you training those receptors to ensure they don't become compromised themselves? And perhaps most important of all, can you replicate this cell reference architecture in a standardised manner across your entire technology ecosystem?
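To make those questions concrete, here is a small worked example of an "artificial cell" boundary. It is added here and is not code from the original article: it models a selectively permeable boundary as an allowlist of permitted OT conversations, learns a baseline of normal request rates for each allowed flow, raises an alert when an allowed flow drifts well beyond its baseline or when a flow is not on the allowlist, and caps alerts per flow so that the "receptor" itself cannot be turned into a flood of noise. All hosts, ports, protocol operation names and counts are constructed for illustration and do not describe any real environment.

```python
"""Toy 'artificial cell' boundary: allowlist + baseline-aware receptor.
Added example for illustration; all addresses and policy are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source host (constructed address)
    dst: str        # destination host, e.g. a PLC (constructed address)
    dst_port: int
    proto: str
    func: str       # protocol operation, e.g. a Modbus function name


def key(flow):
    """The tuple the membrane uses to decide whether a flow is permitted."""
    return (flow.src, flow.dst, flow.dst_port, flow.proto, flow.func)


# Constructed policy: the only conversations permitted to cross the boundary.
ALLOWLIST = {
    ("10.1.0.10", "10.2.0.5", 502, "modbus", "read_holding_registers"),
    ("10.1.0.10", "10.2.0.5", 502, "modbus", "read_coils"),
    ("10.1.0.11", "10.2.0.5", 502, "modbus", "read_holding_registers"),
}


class Membrane:
    """Selectively permeable boundary with a baseline-aware 'receptor'."""

    def __init__(self, allowlist, rate_factor=3.0, max_alerts_per_key=2):
        self.allowlist = set(allowlist)
        self.baseline = Counter()      # expected count per key per window
        self.observed = Counter()      # count per key in the current window
        self.alerts_sent = Counter()   # alerts already raised per key this window
        self.rate_factor = rate_factor
        self.max_alerts_per_key = max_alerts_per_key
        self.alerts = []               # (message, key) pairs raised so far

    def learn(self, flows):
        """Learn what 'normal' looks like from one window of allowlisted traffic."""
        for f in flows:
            if key(f) in self.allowlist:
                self.baseline[key(f)] += 1

    def new_window(self):
        """Start a fresh observation window (counts and alert caps reset)."""
        self.observed.clear()
        self.alerts_sent.clear()

    def _raise(self, k, message):
        # Receptor self-protection: cap alerts per key so one noisy flow
        # cannot swamp responders (the runaway-response failure mode).
        if self.alerts_sent[k] < self.max_alerts_per_key:
            self.alerts_sent[k] += 1
            self.alerts.append((message, k))

    def inspect(self, flow):
        """Return 'allow' or 'drop' for one flow; alerts are a side effect."""
        k = key(flow)
        if k not in self.allowlist:
            self._raise(k, "boundary violation: flow not on allowlist")
            return "drop"
        self.observed[k] += 1
        expected = self.baseline[k]
        # Allowed, but far busier than the learned baseline: let it through
        # and tell the blue team rather than silently trusting it.
        if expected and self.observed[k] > self.rate_factor * expected:
            self._raise(k, "rate anomaly: allowed flow exceeds baseline")
        return "allow"


def run_demo():
    """Constructed scenario: learn a quiet window, then inspect a noisy one."""
    plc = "10.2.0.5"
    hmi, historian, rogue = "10.1.0.10", "10.1.0.11", "10.3.0.99"
    rhr, coils, write = "read_holding_registers", "read_coils", "write_single_register"

    baseline_window = (
        [Flow(hmi, plc, 502, "modbus", rhr)] * 10
        + [Flow(hmi, plc, 502, "modbus", coils)] * 5
        + [Flow(historian, plc, 502, "modbus", rhr)] * 10
    )
    live_window = (
        [Flow(hmi, plc, 502, "modbus", rhr)] * 12      # within baseline
        + [Flow(hmi, plc, 502, "modbus", coils)] * 40  # allowed, but 8x baseline
        + [Flow(hmi, plc, 502, "modbus", write)]       # not permitted at all
        + [Flow(rogue, plc, 502, "modbus", rhr)] * 3   # unknown host
    )

    membrane = Membrane(ALLOWLIST)
    membrane.learn(baseline_window)
    membrane.new_window()
    verdicts = Counter(membrane.inspect(f) for f in live_window)
    return {"allow": verdicts["allow"], "drop": verdicts["drop"],
            "alerts": list(membrane.alerts)}


if __name__ == "__main__":
    result = run_demo()
    print(result["allow"], "allowed,", result["drop"], "dropped")
    for message, k in result["alerts"]:
        print(message, k)
```

The design choice worth noting is that the two receptors do different jobs: the allowlist decides permeability and drops anything unknown, while the baseline check lets permitted traffic through but flags it when its volume no longer looks normal, so a compromised engineering workstation speaking an allowed protocol still shows up. The per-key alert cap is the "training the receptors" step: without it, a single runaway flow would generate thousands of identical alerts and bury the one that matters.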
The interactions among cells within a biological lifeform are far more complex than any organisation’s technology landscape will ever be, so it’s no surprise that we often look to biology for inspiration when building complex systems that solve complex tasks. The topic of Artificial Intelligence (AI) attracts a lot of attention today, with its promise of machines that will think and act for themselves. But within the realm of cyber security, how about we start with something a little simpler, like an artificial cell?
If we can master that, we’re a big step closer to creating a safe and secure environment for our most critical systems, and just maybe we can withstand a cyber epidemic should it ever come.