Security

NIS 2

NIS 2 is an EU directive whose purpose is to ensure a high level of cybersecurity across all member states. It is a discipline that makes sure society-critical services such as electricity, water, heating, transport, medicine and food production (among others) have things under control if disaster strikes. The very word “critical” is the term used for the companies (or entities, in NIS 2 language) that are essential to our society. It is, after all, a nice thing to be able to pay for your groceries when you are out shopping, so that we are spared from robbing the banks, which… oh right, don’t keep cash anymore these days anyway. All the things we take for granted today and only give a thought when there is a problem with the delivery.

Managing Dependencies

Oftentimes when I design secure infrastructure solutions, I find dependencies. Typically, we aim for independent solutions to ensure reliable and stable environments that keep our business running and our customers happy. This is particularly important when working with critical infrastructure providers in the electricity, water, and heating sectors, which we all rely on ourselves.

Island mode often refers to a state in which a system is disconnected from the Internet or the IT network, particularly from an OT perspective. The key concept is identifying the bare minimum required to keep the business and its services operational. This, of course, places an extraordinary burden on the company’s operational resources. The question is whether such a situation is acceptable, or if investments should be made to reduce this burden before deciding to enter island mode. Perhaps some tooling and automation could help here. Know, though, that in order to find the perfect balance between running everything manually vs. building “what-if” solutions, you’ll need to make some tough choices, because:

Campus Segmentation and Beyond

Security is top of mind for most companies today. And for good reasons. Every day new major security incidents hit both the private and public sectors. We’re no longer dealing with curious geeks, script kiddies, and smaller groups of cyber criminals. Hacking used to be a niche thing. Today state-sponsored hackers are a reality.

Although you cannot guarantee protection from these malicious events, you can try to limit the risk and the likelihood of their success. Various methods and technologies help narrow the attack surface you expose to threat actors.

uRPF – lesson learned (again!)

I am a huge fan of securing user-facing interfaces. With a few knobs, some attacks and misconfigurations are avoided. I like configuring an SVI like this:

interface Vlan12
 description Users
 ip address 10.0.0.1 255.255.255.0
 ! do not send ICMP redirects to clients (the SVI stays the forwarding gateway)
 no ip redirects
 ! do not answer ARP on behalf of other hosts
 no ip proxy-arp
 ! strict uRPF: drop packets whose source is not reachable via this interface
 ip verify unicast source reachable-via rx

ICMP Redirects

I like to disable sending ICMP redirects. This might cause sub-optimal forwarding of packets, but I like the idea that my router, which is the clients’ default gateway, does the forwarding.