How to Protect Your Operational Technology (OT) in 2023

OT Security

Oil and gas, manufacturing, energy distribution and critical infrastructure – what do all these industries have in common? Aside from their indispensability, they all rely on operational technology (OT) such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.  

Collectively, these technologies control the world we live in, and OT-directed attacks can have a devastating impact. In contrast to traditional Information Technology based attacks, these Cyber-Physical attacks affect machinery and processes that have real world impacts to the industries and people they serve. 

In 2021, we were reminded of this fact by the Colonial Pipeline attack, which nearly crippled gas supplies across the Eastern U.S. More recently, 9 out of 10 organizations reported that cyberattacks impacted their production or energy supplies within the last 12 months, with 56% seeing disruption lasting 4 days or longer. 

Thanks to a combination of factors, OT-directed attacks – and traditional cyberattacks that impact OT systems – are steadily increasing, with government agencies increasingly taking notice. But why is this happening and how can you protect yourself in 2023? In this article, we’ll answer both questions. 

OT Security Trends 

OT threats have been on the rise for years, and while the factors behind this rise have largely remained consistent, they are being accelerated by larger trends affecting the IT landscape and business world in 2023.

1. OT Talent Gap

With the need for cybersecurity talent growing faster than the supply, ISC2 reported that global organizations were facing 3.4 million unfilled cyber positions in 2022.  

This gap continues to impact OT worse than other fields, as OT environments are filled with a combination of specialized and legacy systems. According to one expert, there were fewer than 1,000 ICS cybersecurity experts around the world only five years ago, and improvements have not kept pace with OT threats.

2. Supply Chain Issues Driving IT/OT Convergence

IT and OT have been converging for long enough that SANS Institute recommended dropping the IT/OT nomenclature several years ago: today’s industrial environments are dependent on IT infrastructure, which makes OT systems vulnerable to IT-directed attacks.  

With continued supply chain issues and economic downturn projected in 2023, organizations are being pushed to maximize efficiency, meaning an influx of industrial IoT (IIoT), cloud apps and other Internet-facing surfaces that drive OT threats.

3. Geopolitical Conflict

Given the critical role that OT plays in supporting national industry and infrastructure, it is a common target for nation-state actors and politically motivated advanced persistent threat (APT) groups.

According to one study, hacking and reconnaissance against government bodies accounted for 48% of Internet traffic monitored across all public-sector organizations in 2022. As geopolitical conflict increases around the world, politically motivated cyberattacks of all types can be expected to rise even higher.

4. OT-Directed Attacks

In the past, OT threats have tracked IT threats closely, with many OT security incidents occurring as a side effect of malware or traditional cyberattacks. Now, threat actors are increasingly optimizing their attacks for ICS and SCADA devices, including systems from specific manufacturers.  

Last April, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with several federal agencies warning that APT groups had developed a malicious ICS framework known as “PIPEDREAM,” tailored for devices found throughout OT environments. 

The Impact of OT Threats 

Attacks on control systems can accomplish many things, none of them good. Limiting the discussion to risks that directly impact an organization, they include:

  • Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property. 
  • Operational disruption – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities. 
  • Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue. 

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure, meaning that any security incident can potentially affect millions of lives for the worse.

Protecting Your OT Systems 

Faced with the prospect of cyberattacks on critical infrastructure, the government is focusing more attention on OT than ever before. It is only a matter of time before businesses – particularly government contractors – are required to follow regulations to protect their OT systems. But there’s no reason they can’t start now.

1. Adopt ICS Security Frameworks

With IT-directed attacks still accounting for a large number of OT threat incidents, securing your IT and network perimeter is a first step towards protecting OT. Organizations can start by complying with standards like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

They can also implement guidelines developed specifically for industrial environments, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP).

2. Treat OT as a Separate Domain

Despite IT and OT convergence, organizations are increasingly shifting the primary responsibility for OT security from IT managers to OT operators. As a SANS Institute survey reports: “organizations are realizing the enterprise IT and ICS/OT environments are not the same. They not only have different types of systems, but also have technologies that are not directly cross-compatible.”  

Ultimately, increased communication between IT and OT professionals can help to bridge knowledge gaps. While 72% of cybersecurity professionals can’t tell whether a disruption originated from IT or OT, a much larger number of professionals with a combination of IT and OT expertise can.

3. Promote More Secure Authentication

Poor identity management and authentication practices – such as weak passwords and lack of two-factor authentication – continue to threaten systems within an OT environment and on the periphery.  

Now more than ever, it’s vital for organizations to educate their employees on the importance of secure passwords, and update applications with most-secure configurations, which may include 2FA and support for biometrics.

4. Develop an Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to: 

  • If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it. 
  • Record and document an ongoing attack for later analysis and review. 
  • Reduce harm by resetting affected systems’ passwords and user profiles. 
  • Inform stakeholders and implement measures to prevent future incidents. 

During an attack, every second counts, and knowing what to do ahead of time can make a world of difference. For more detail, check out our blog post on disaster recovery and response. Additionally, consider joining industry organizations such as Incident Command System for Industrial Control Systems (ICS4ICS), which focuses on an OT-based emergency management framework.

The Need for Expertise 

When it comes to defending against OT attacks, no method of security is more reliable than proactive risk management, threat hunting and vulnerability assessment conducted by experts at the intersection between IT and OT. 

Unfortunately, experts are hard to come by, especially for ICS, SCADA, programmable logic controllers (PLCs) and other OT systems. Fortunately, many are employed by Securicon. With years of experience with critical infrastructure – and the ability to implement NERC CIP guidelines – no one is better equipped to find vulnerabilities and promote safety in modern OT systems. To learn more, contact us today. 

Why Shadow IT is the Biggest Blind Spot in Your Cybersecurity Strategy

Shadow IT and SaaS

In the past few years, software-as-a-service (SaaS) apps have exploded in popularity, bringing powerful new functionality to organizations which they could only dream of in the past. Unfortunately, the ease and availability of cloud apps are a double-edged sword that can work against the security of your business without proper oversight. 

Recently, a study found that 97% of cloud apps across organizations are “shadow IT,” meaning they are brought in by employees without the awareness or approval of IT and cybersecurity staff. At the same time, users are connecting to these services with unauthorized devices that may be unsafe. 

While shadow IT – which may encompass file sharing, communication, and collaboration services – is not without benefits, it also creates a major blind spot in your cybersecurity strategy that brings many risks. In this article, we will explain what those risks are and how your business can fight against them. 

The Dangers of Shadow IT 

In a recent blog post, we talked about the cybersecurity risks that can arise in an improperly configured cloud environment. Ultimately, the existence of unauthorized SaaS apps compounds the dangers that already impact approved cloud services, while also bringing new problems of their own. Among them are: 

  • Data Risks – With users storing information across their own personal SaaS apps, data may be altered in ways that can harm your business and customers. Relying on these apps also brings a risk of data loss when employees depart your company. 
  • Cybersecurity Risks – Unapproved apps create new attack surfaces that malicious actors may target while attempting to breach your organization; they can also suffer from vulnerabilities that will escape the attention of cybersecurity teams. Worse yet, they are susceptible to user misconfiguration which may expose data to outside actors.  
  • Regulatory Violations – Because shadow IT is not subject to the same scrutiny as other devices and applications throughout your organization, it may fail to comply with emerging data privacy regulations like GDPR, government cybersecurity standards like NIST 800-53, and industry-specific regulations like HIPAA. 
  • High Costs – While many SaaS apps are free (a major reason employees may resort to them), others may come with a small subscription fee. These “shadow costs” can pile up if they are charged to your business without proper oversight. As an example, the average organization spends more than $135,000 on unnecessary cloud services every year. 
  • Reduced Network Performance – Excessive Internet-facing apps can put a strain on network resources that they are not designed to handle. Organizations with a shadow IT problem may face bandwidth issues, slow response time, system outages and delays in job execution. 

In spite of these issues, employees resort to shadow IT for a reason, and understanding those reasons is vital for identifying and reducing shadow IT usage throughout your organization. 

Why Does Shadow IT Exist? 

At a high level, the existence of shadow IT is almost always a consequence of IT problems such as slow resolution of help desk tickets, or a lack of tools to help employees do their jobs effectively. It also arises from low awareness of the dangers associated with shadow IT use, which may indicate lack of proper training and procedures. 

Today, most employees can improve their productivity and efficiency with advanced features provided by SaaS apps. Others – particularly remote employees – may rely on shadow IT to stay connected with their workforce. Taking control of shadow IT requires businesses to not only find and eliminate shadow IT services from their network, but also to solve the root problems leading employees to rely on them. 

How to Take Control of Shadow IT 

With the average organization using 250 SaaS apps or more, shadow IT is becoming a harder problem to solve as time goes by. But with the right approach, it is possible. 

1. Understand Your Company’s Business and IT Needs 

Ensure that your employees have the tools and services they need to do their jobs effectively. This requires understanding what your company needs across different teams and departments. Conduct surveys and take feedback into consideration, especially where current tools and processes may be interfering with productivity. 

2. Provide Employee Training  

As in many other cases, shadow IT is a problem more often caused by ignorance than malice. According to one study, 37% of IT employees say that their organization has not outlined consequences for employees involved in shadow IT. Ensure that employees are aware both of the dangers associated with shadow IT and company policies surrounding its use.  

3. Supervise Provisioning of Services 

Make sure that employees have a clear channel to request new apps and have processes in place to review and approve requests. Not only does this ensure your IT team will have time to review the security and implementation of new services, but it will also provide better visibility and control over spending. 

4. Continually Monitor Your Network  

In order to detect shadow IT, network administrators should keep an up-to-date inventory of IT resources, including all devices and applications running on their network. They should continually monitor network activity to detect new IP addresses, unexpected communications to external services, unusually slow performance and outages that could signal shadow IT activity. 
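One way to put the monitoring described above into practice is to compare web-proxy logs against the sanctioned-app and managed-device inventories. The script below is an added example, not code from the original article: the log format, the approved domains, the managed client addresses and the log lines themselves are all constructed for illustration.

```python
"""Flag unsanctioned SaaS destinations and unmanaged clients in web-proxy logs.

Added example (not from the original article). The log format, the sanctioned-app
inventory and the managed-client inventory below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed inventory of IT-approved SaaS domains.
SANCTIONED_DOMAINS = {
    "mail.example-corp.com",
    "files.approved-storage.example",
    "chat.approved-collab.example",
}

# Constructed inventory of managed (known) client IP addresses.
MANAGED_CLIENTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}

# Constructed proxy log lines: "<timestamp> <client_ip> <user> <method> <url>"
SAMPLE_LOG = """\
2023-03-01T09:00:01Z 10.0.1.10 alice GET https://mail.example-corp.com/inbox
2023-03-01T09:00:05Z 10.0.1.11 bob POST https://files.approved-storage.example/upload
2023-03-01T09:01:12Z 10.0.1.10 alice POST https://unsanctioned-share.example/api/upload
2023-03-01T09:02:40Z 10.0.1.55 carol GET https://personal-notes.example/sync
2023-03-01T09:03:00Z 10.0.1.55 carol GET https://unsanctioned-share.example/list
2023-03-01T09:04:13Z 10.0.1.12 dave GET https://chat.approved-collab.example/ws
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def parse_line(line):
    """Return a dict with timestamp, client, user, method and destination host, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = re.sub(r"^[a-z]+://", "", m.group("url")).split("/", 1)[0]
    host = host.split(":", 1)[0].lower()  # drop any explicit port
    return {**m.groupdict(), "host": host}


def find_shadow_it(log_text):
    """Group traffic to destinations that are not on the sanctioned list.

    Returns (unsanctioned, unknown_clients):
      unsanctioned: {host: {"users": set, "clients": set, "uploads": int}}
      unknown_clients: client IPs that are not in the managed-device inventory
    """
    unsanctioned = defaultdict(lambda: {"users": set(), "clients": set(), "uploads": 0})
    unknown_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["client"] not in MANAGED_CLIENTS:
            unknown_clients.add(rec["client"])
        if rec["host"] in SANCTIONED_DOMAINS:
            continue
        entry = unsanctioned[rec["host"]]
        entry["users"].add(rec["user"])
        entry["clients"].add(rec["client"])
        if rec["method"] in ("POST", "PUT"):
            entry["uploads"] += 1  # data leaving for an unapproved service
    return dict(unsanctioned), unknown_clients


def report(log_text):
    """Human-readable summary, most widely used unsanctioned service first."""
    unsanctioned, unknown = find_shadow_it(log_text)
    lines = []
    for host, e in sorted(unsanctioned.items(), key=lambda kv: -len(kv[1]["users"])):
        lines.append(f"{host}: {len(e['users'])} user(s), {e['uploads']} upload(s)")
    for ip in sorted(unknown):
        lines.append(f"unmanaged client seen: {ip}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Upload counts to unapproved services are the lines worth reviewing first, since they are the data-loss risk the article describes.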

5. Consider Specialized Solutions 

Consider adopting specialized solutions like a cloud access security broker (CASB) to govern cloud usage throughout your organization. CASB solutions can provide a centralized view of cloud apps running across your network along with a ranking for risk and overall trustworthiness.  

Cyber Expertise You Can Trust 

From shadow IT to ransomware and software supply chain attacks, protecting your business in today’s cyber landscape requires visibility into your network and IT infrastructure. Without that, the biggest risks to your organization will continue to lurk in the shadows. 

At Securicon, our seasoned cybersecurity experts work to find vulnerabilities in your IT infrastructure, providing solutions and long-term support – we give you the visibility you need to identify risks, and the expertise to remediate them. Contact us today for a rapid assessment and learn how we can bring your organization’s security to the next level. 

Seven Ways to Reduce the Impact of Zero-Day Exploits

Reducing the impact of zero day exploits

At the end of 2021, the Log4Shell remote code execution (RCE) exploit was discovered in a popular Java logging package, Log4j. With millions of devices and software packages affected, it became the worst cybersecurity vulnerability since the SolarWinds attack, with attacks continuing into the early months of 2022.

Log4Shell is an example of a zero-day exploit: zero-days are vulnerabilities exploited by malicious cyber actors immediately after they are discovered in devices and software products. The term “zero-day” is a reference to the number of days organizations and cyber defenders have to prepare – zero.

As cyber actors increase in sophistication, the number of zero-day exploits is increasing every year. In 2021, Mandiant found that the number of zero-days had doubled since 2019. In this article, we’ll explain where zero days are most likely to originate, and how businesses can protect themselves from harm.

Common Types of Zero-Days

Since zero-days are code-based vulnerabilities that allow remote actors to hijack devices and applications, any Internet-connected, programmable surface is susceptible to zero-day exploits. Today, common targets include:

  • Third-Party Software – third-party applications are frequently built on top of dependencies that can suffer from zero-day exploits. Since Log4Shell targeted a component in Apache Logging Services, millions of apps which depend on Apache were impacted.
  • Web Browsers – Internet users spend up to 6 hours of their day online, which makes Web browsers like Edge, Chrome and Firefox common targets for malicious actors seeking zero-day exploits. In 2022 alone, Google has patched seven zero-days in the Chrome browser.
  • Mobile Operating Systems – compromised mobile devices are a great source of sensitive data which makes them a major target for nation-state actors. Zero-day exploits often surface in iOS, Android and other mobile operating systems; worse, they can go undiscovered for years before they are patched.
  • Network Edge Devices – routers and switches regularly fall victim to zero days which enable cyber actors to bypass protocols and WPA encryption. In 2018, 83% of home and enterprise routers were found to possess publicly known vulnerabilities, and today, these devices are also a favorite target for ransomware attacks.

As organizations grow more reliant on information technology (IT), the threat of zero day exploits will continue to rise – the average business deploys over 100 software-as-a-service (SaaS) apps, and at least as many connected devices. Now more than ever, businesses need to take preventive steps to protect themselves from vulnerabilities.

Reducing the Impact of Zero-Day Exploits

The danger of a zero-day exploit is exacerbated by the fact that cyber defenders cannot detect its presence based on Common Vulnerabilities and Exposures (CVEs) or attack signatures. Fortunately, there are ways to reduce the likelihood of a zero-day exploit and increase your attack preparedness.

  1. Threat Detection Systems – aside from basic cyber defenses – such as firewalls and anti-virus – organizations should adopt real-time protection in the form of inline intrusion-prevention systems (IPS). An IPS can use network intelligence to detect signs of intrusion even if it cannot detect the specific type of attack, alerting your team if a zero-day exploit is used.
  2. Egress Filtering – while filtering inbound traffic is crucial, filtering outbound traffic is equally important. This is possible with egress filtering, which can be implemented through a firewall or intrusion prevention system (IPS), enabling network admins to prevent applications on your network from reaching out to certain destinations or using unsafe protocols.
  3. Network Visibility – security teams often have limited visibility into the devices and applications that are operating across their networks. Bringing this fragmented knowledge together is essential for securing your network from exploits: keep an inventory of every device, whether IT, IoT or OT, classify and continually monitor them for configuration changes.
  4. Device Oversight – devices – including routers, switches, laptops and mobile phones – typically receive regular updates that patch zero-days when they are discovered by the malware researchers. Organizations should maintain an up-to-date inventory of all the devices connected to their network, set update policies, and replace devices that are no longer supported by the manufacturer.
  5. Third-Party Vendor Management – while no vendor can guarantee that their devices or software products won’t fall prey to a zero-day exploit, some vendors are more security conscious than others. Take inventory of your software supply chain, and research all your technology partners to ensure they are applying adequate security controls.
  6. Adopt a Zero-Trust Paradigm – when malicious actors compromise your network through a zero-day exploit, they will try to move laterally to other systems. A zero-trust security paradigm can stop them in the process by applying the principle of least privileges, and constantly verifying a user’s identity as they switch between devices and applications.
  7. Vulnerability Assessment – vulnerability assessments and penetration tests can help you to better document your IT infrastructure and remediate security gaps that increase the impact of zero-day exploits.

While there’s no way to eliminate the chance of a zero-day exploit altogether, developing a strong cybersecurity program can give your business the tools it needs to close cybersecurity gaps, eliminate risky vendors, and respond quickly in a disaster.
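The egress-filtering point (item 2) is easiest to see by evaluating the same outbound flows against two policies: one that only blocks a few known-bad protocols and allows everything else, and one that allows only what the business needs and denies by default. The model below is an added example, not code from the original article; the rules, addresses (internal LAN, resolver and proxy) and flow records are all constructed.

```python
"""Evaluate outbound flows against an egress policy with first-match semantics.

Added example (not from the original article). Rule sets, addresses and flows are
constructed to contrast a default-allow egress policy with a default-deny one.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # internal source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: tuple = ()       # empty tuple means any destination port

    def matches(self, f):
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))


def evaluate(rules, default_action, flow):
    """Return (action, rule_index) for the first matching rule, else (default, None)."""
    for i, r in enumerate(rules):
        if r.matches(flow):
            return r.action, i
    return default_action, None


# Constructed addresses: internal LAN, internal DNS resolver, outbound web proxy.
LAN = "10.0.0.0/8"
RESOLVER = "10.0.0.53/32"
PROXY = "10.0.0.80/32"

# Weak policy: a couple of protocol denies, and anything else leaves the network.
WEAK_RULES = [
    Rule("deny", src=LAN, proto="tcp", dports=(23,)),   # telnet
    Rule("deny", src=LAN, proto="tcp", dports=(21,)),   # ftp
]
WEAK_DEFAULT = "allow"

# Corrected policy: explicit allows for required paths only, default deny.
HARDENED_RULES = [
    Rule("allow", src=LAN, dst=RESOLVER, proto="udp", dports=(53,)),
    Rule("allow", src=PROXY, proto="tcp", dports=(443,)),     # only the proxy browses
    Rule("allow", src=LAN, dst=PROXY, proto="tcp", dports=(3128,)),
]
HARDENED_DEFAULT = "deny"

# Constructed flows: normal use, plus the direct outbound connections a host
# compromised through a zero-day would make (DNS to an outside server, an
# arbitrary external host on a high port).
FLOWS = {
    "dns_to_internal_resolver": Flow("10.0.1.10", "10.0.0.53", "udp", 53),
    "web_via_proxy": Flow("10.0.1.10", "10.0.0.80", "tcp", 3128),
    "proxy_to_internet": Flow("10.0.0.80", "203.0.113.7", "tcp", 443),
    "direct_dns_to_internet": Flow("10.0.1.10", "198.51.100.2", "udp", 53),
    "direct_callback": Flow("10.0.1.10", "198.51.100.9", "tcp", 4444),
    "telnet_out": Flow("10.0.1.10", "198.51.100.9", "tcp", 23),
}


def compare_policies(flows=FLOWS):
    """Map each flow name to (weak verdict, hardened verdict)."""
    return {name: (evaluate(WEAK_RULES, WEAK_DEFAULT, f)[0],
                   evaluate(HARDENED_RULES, HARDENED_DEFAULT, f)[0])
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare_policies().items():
        print(f"{name:26} weak={weak:5} hardened={hard}")
```

The two "direct_*" flows are the ones that matter: the weak policy passes both, while the hardened policy denies them without needing a signature for the exploit that produced them.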

Partner With Cybersecurity Veterans

In today’s perilous cyber landscape, organizations need expert cybersecurity consultants to help them find and identify risks to their mission-critical assets. But with a worldwide shortage of cyber talent, finding experts has become increasingly difficult – fortunately, Securicon is here to help.

With a team comprised of veterans from the U.S. security community – including DoD, DHS and the U.S. Cyber Command – we are equipped to prepare your organization for the worst, from gap analysis to compliance consulting, assessment support and audit preparation. To learn more, contact us today.

Why Hackers Aren’t the Biggest Threat to Your Cloud Configuration

cloud breaches

Private businesses and government contractors alike are increasingly relying on public cloud services to drive their core business functions – according to Gartner, global cloud spending will increase by over 20% to almost $500 billion. But the speed of cloud adoption often leaves cybersecurity by the wayside, leaving companies open to major risks.

In 2020, cloud represented the third most targeted cyber environment. That trend has continued, with 45% of organizations reporting a cloud-based data breach within the last 12 months according to Thales Group. But cloud infrastructure is increasingly secure, and vanishingly few cloud security incidents can be laid at the feet of cloud service providers (CSPs) – so why do these breaches occur?

In this article, we will answer that question, explaining the risk factors for cloud breaches, and how organizations can prevent them with better risk assessment, cyber training and security planning.

The Rise of Cloud Security Incidents

The number of companies experiencing cloud-based data breaches is climbing – the 45% of businesses who reported a cloud-based breach in the past 12 months is up 5% from 2021. But while cloud breaches can take many forms, they also share many commonalities.

In 2019, Facebook (now Meta) was involved in a data breach that affected hundreds of millions of users – while the issue was quickly resolved, it was a PR disaster for one of the largest social platforms on Earth. Two years later – in 2021 – software company Cognyte had more than 5 billion sensitive records exposed on the Internet, including names, passwords and email addresses. 

The same year Cognyte was attacked, professional services company Accenture was targeted in a cyberattack by the LockBit group – over 6 TB of data was stolen, with ransomware actors demanding a $50 million payment. Because the company did not pay in time, it lost proprietary information.

What do all these incidents have in common? They are all cloud breaches that occurred within the past year, and all of them were caused by misconfigurations: Cognyte left a database unsecured – meanwhile, both Facebook and Accenture left an AWS bucket open to the public. These are all typical examples of the way cloud incidents occur today.

Understanding the Shared Responsibility Model

When an organization stores data and applications on the cloud, it is leasing computing power, storage and networking infrastructure from a CSP, and working within a virtualized environment. While the CSP is generally responsible for the security of its infrastructure, the customer is generally responsible for the security of their assets residing in their virtual environment – this is called the “shared responsibility” model.

Today, most CSPs are heavily protected with multiple, redundant layers of security, including encryption at rest and in transit, firewalls, DDoS protection and more. Accordingly – while breaches on the infrastructure side do happen – they are rare. According to IBM, two-thirds of cloud breaches are caused by exposed Application Programming Interfaces (APIs), and – by 2025 – Gartner predicts that 99% of cloud breaches will be the customer’s fault.

For this reason, organizations can mostly trust the security of CSPs: what they need to be wary of is security vulnerabilities in their virtual environment, arising from user error and poor design.

Cloud Breaches: Top Five Causes

There is more than one way that an organization can leave their cloud platform compromised or exposed. Here are five of the most common:

1. Misconfigured APIs

APIs are provided by CSPs for the purpose of automation and easy access. Unfortunately, organizations often leave their APIs unprotected or poorly protected by mistake, allowing them to be freely accessed by malicious actors. 
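The open-bucket incidents above are the storage-API form of this mistake: an access policy that grants an operation to any principal. The checker below is an added example, not code from the original article: it flags bucket-policy statements that allow access to everyone, shown against a weak policy and its corrected form. Both policies are constructed, and the account id and role name are placeholders.

```python
"""Flag S3-style bucket-policy statements that grant access to any principal.

Added example (not from the original article). Both policies are constructed;
the account id 111122223333 and the role name are placeholders.
"""
import json

# Constructed weak policy: every object is listable and readable by anyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed corrected policy: reads are limited to one IAM role, and a
# separate Deny rejects any request that does not use TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def is_public_principal(principal):
    """True when the principal means 'anyone': "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def find_public_statements(policy_json):
    """Return Sids (or positions) of Allow statements open to any principal.

    A Deny with Principal "*" is a guardrail, not exposure, and is skipped.
    An Allow with a Condition is not auto-flagged here: it still needs manual
    review, but it is not unconditional public access.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    findings = []
    for idx, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not is_public_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        findings.append(st.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    print("weak policy findings:", find_public_statements(WEAK_POLICY))
    print("hardened policy findings:", find_public_statements(HARDENED_POLICY))
```

Running the same check over every bucket policy exported from an account is a cheap way to catch the exposure pattern before an outside party does.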

2. Poorly Protected Credentials

Unless an organization is using multi-factor authentication (MFA), nothing can stop a malicious actor from gaining access to a cloud environment if they have the right credentials. Data leaks, phishing attacks and exposed devices can compromise the credentials of privileged users, allowing attackers full access to administrative features.

3. Multi-Cloud Complexity

With the growth of multi-cloud environments that combine multiple cloud platforms together in one solution, organizations are facing increased complexity that can make it hard to stay secure. According to Check Point, 57% of organizations struggle to secure data in multi-cloud environments due to inconsistency between different vendors.

4. Vulnerable Third-Party Services

An organization that secures its cloud configuration perfectly can still be compromised if it is hosting vulnerable third-party services within its cloud environment. Like many other IT environments, cloud suffers from a software supply chain problem: organizations don’t know what dependencies exist in their products, or how they might be vulnerable.

5. Bad Virtual Machine Images

Infrastructure-as-a-Service (IaaS) companies typically provide their customers with the option of creating custom virtual machine images (VMI) to interface with their cloud environment, or using a default. Unfortunately, many default VMIs available from cloud providers come with unpatched vulnerabilities, malware or insecure firewall settings.

Impact of Poor Cloud Security

Given how much organizations depend on cloud-based services to run their business, a successful cyberattack on cloud environments can have wide-reaching impacts. These include:

    • Data Exfiltration – malicious actors can steal sensitive data including user credentials, personally identifiable information (PII) about employees or customers, intellectual property and more. Data exfiltration is also a major blow to brand equity and public trust.
    • System Takeover – when attackers infiltrate a cloud environment through compromised credentials, they can do more than steal – they can delete data and applications, change settings, and deface Web surfaces. Ultimately, an arbitrary degree of control is possible.
    • Lateral movement – once in the cloud, attackers can potentially transition to your organization’s internal network and IT systems, giving them access to local files and devices.
    • Ransomware – cloud is one of many channels ransomware actors can use to encrypt data, lock users out of a system and demand ransom payment. While ordinary ransomware attacks are bad enough, ransomware attacks that spread through the cloud have the potential to be more far reaching.

Protecting Your Cloud Environment

While cloud surfaces have become a popular target for hackers, hackers themselves are not the biggest risk to your cloud environment – the biggest risk is failing to properly secure it in easily avoidable ways. Here are a few steps to prevent that from happening:

1. Invest in Cyber Training – cyber training can help employees to set better passwords, avoid phishing scams, and understand the importance of safety in a cloud environment.

2. Choose FedRAMP Certified CSPs – CSPs authorized under the Federal Risk and Authorization Management Program (FedRAMP) are required to follow NIST 800-53 security controls to protect their customers. They are also more likely than other CSPs to provide security features that make security breaches less likely from the customer side, such as multi-factor authentication (MFA) and warnings in the event of an exposed API.

3. Get a Risk Assessment – a comprehensive risk assessment will reveal potential vulnerabilities throughout your organization’s IT systems and may reveal organizational problems that make cloud misconfigurations more likely.

4. Implement a System Security Plan – under NIST SP 800-171, all government contractors are required to have a System Security Plan (SSP) for all systems that may handle CUI during the course of a contract – this includes cloud surfaces. Implementing an SSP will help your organization to recognize security gaps, and develop procedures around cloud development to reduce the likelihood of dangerous mistakes.

Cyber Expertise You Can Trust

Securicon helps your business to comply with Federal and regulatory requirements through program and risk assessments. With a team comprised of veterans from the U.S. security community – including DoD, DHS, and the U.S. Cyber Command – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.