The Hidden Dangers of AMI Infrastructure: Protect Your Utility Company Now

The rise of Advanced Metering Infrastructure (AMI) has revolutionized the way utilities collect and manage data. Implementing AMI improves the efficiency and accuracy of energy consumption monitoring and billing, and provides more real time information and control to consumers. But AMI also increases the exposure of both utilities and consumers to cyber threats.

AMI installations comprise a wide range of interconnected devices – most of which are deployed out in the field – from smart meters to data gateways, as well as communication networks and data management systems. The large surface area of this AMI infrastructure and its interconnectedness create new security challenges that must be addressed by utilities and their cybersecurity partners.

AMI platforms pose physical security risks. The deployment of smart meters on customer premises means that there are now more points of access into the utility networks. Malicious actors can use physical attacks, such as tampering with the meters or the communication infrastructure, to gain access to the network. And if an attacker can compromise the AMI infrastructure, this can result in a potential threat to the entire energy grid.

Threats to AMI installations come in various forms, including:

  • Unauthorized access to customer data and system controls
  • Malware and ransomware attacks on network components
  • Physical tampering with meters and other devices
  • Distributed denial of service (DDoS) attacks on communication networks

Given the significant risks associated with AMI platforms, it is critical for utility companies to take proactive steps to protect their systems. This includes implementing robust cyber security protocols, ensuring that perimeter devices have hardened configurations, maintaining defense in depth throughout the AMI network with proper segmentation from critical infrastructure, conducting regular security assessments, and partnering with trusted cyber security experts to identify and mitigate vulnerabilities.

Here at Securicon we specialize in helping utility companies protect their AMI and other critical platforms from cyber security threats. Our team of experienced professionals can conduct thorough security assessments to identify potential vulnerabilities, develop custom solutions to address those vulnerabilities, and provide ongoing support to ensure that your AMI platform remains secure.

How to Protect Your Operational Technology (OT) in 2023

OT Security
OT Security

Oil and gas, manufacturing, energy distribution and critical infrastructure – what do all these industries have in common? Aside from their indispensability, they all rely on operational technology (OT) such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.  

Collectively, these technologies control the world we live in, and OT-directed attacks can have a devastating impact. In contrast to traditional Information Technology based attacks, these Cyber-Physical attacks affect machinery and processes that have real world impacts to the industries and people they serve. 

In 2021, we were reminded of this fact by the Colonial Pipeline attack, which nearly crippled gas supplies across the Eastern U.S. More recently, 9 out of 10 organizations reported that cyberattacks impacted their production or energy supplies within the last 12 months, with 56% seeing disruption lasting 4 days or longer. 

Thanks to a combination of factors, OT-directed attacks – and traditional cyberattacks that impact OT systems – are steadily increasing, with government agencies increasingly taking notice. But why is this happening and how can you protect yourself in 2023? In this article, we’ll answer both questions. 

OT Security Trends 

OT threats have been on the rise for years, and while the factors behind this rise have largely remained consistent, they are being accelerated by larger trends affecting the IT landscape and business world in 2023.

1. OT Talent Gap

With the need for cybersecurity talent growing faster than the supply, ISC2 reported that global organizations were facing 3.4 million unfilled cyber positions in 2022.  

This gap continues to impact OT worse than other fields, as OT environments are filled with a combination of specialized and legacy systems. According to one expert, there were fewer than 1,000 ICS cybersecurity experts around the world only five years ago, and improvements have not kept pace with OT threats.

2. Supply Chain Issues Driving IT/OT Convergence

IT and OT have been converging for long enough that SANS Institute recommended dropping the IT/OT nomenclature several years ago: today’s industrial environments are dependent on IT infrastructure, which makes OT systems vulnerable to IT-directed attacks.  

With continued supply chain issues and economic downturn projected in 2023, organizations are being pushed to maximize efficiency, meaning an influx of industrial IoT (IIoT), cloud apps and other Internet-facing surfaces that drive OT threats.

3. Geopolitical Conflict

Given the critical role that OT plays in supporting national industry and infrastructure, it is a common target for nation-state actors and politically motivated advanced persistent threat groups (APT) groups.  

According to one study, hacking and reconnaissance against government bodies accounted for 48% of Internet traffic monitored across all public-sector organizations in 2022. As geopolitical conflict increases around the world, politically motivated cyberattacks of all types can be expected to rise even higher.

4. OT-Directed Attacks

In the past, OT threats have tracked IT threats closely, with many OT security incidents occurring as a side effect of malware or traditional cyberattacks. Now, threat actors are increasingly optimizing their attacks for ICS and SCADA devices, including systems from specific manufacturers.  

Last April, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with several federal agencies warning that APT groups had developed a malicious ICS framework known as “PIPEDREAM,” tailored for devices found throughout OT environments. 

The Impact of OT Threats 

Attacks on control systems can accomplish many things, none of them good. Limiting the scope of risk to those that directly impact an organization, they include: 

  • Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property. 
  • Operational disruption – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities. 
  • Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue. 

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure meaning that any security incident can potentially affect millions of lives for the worst. 

Protecting Your OT Systems 

Faced with the prospect of cyberattacks on critical infrastructure, the government is focusing more attention on OT than ever before. It is only a matter of time before businesses – particularly government contractors – are required to follow regulations to protect their OT systems. But there’s no reason they can’t start now.

1. Adopt ICS Security Frameworks

With IT-directed attacks still accounting for a large number of OT threat incidents, securing your IT and network perimeter is a first step towards protecting OT. Organizations can start by complying with standards like the National Institute of Technology (NIST)’s Cybersecurity Framework (CSF) 

They can also implement guidelines developed specifically for industrial environments, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP).

2. Treat OT as a Separate Domain

Despite IT and OT convergence, organizations are increasingly shifting the primary responsibility for OT security from IT managers to OT operators. As a SANS Institute survey reports: “organizations are realizing the enterprise IT and ICS/OT environments are not the same. They not only have different types of systems, but also have technologies that are not directly cross-compatible.”  

Ultimately, increased communication between IT and OT professionals can help to bridge knowledge gaps. While 72% of cybersecurity professionals can’t tell whether a disruption originated from IT or OT, a much larger number of professionals with a combination of IT and OT expertise can.

3. Promote More Secure Authentication

Poor identity management and authentication practices – such as weak passwords and lack of two-factor authentication – continue to threaten systems within an OT environment and on the periphery.  

Now more than ever, it’s vital for organizations to educate their employees on the importance of secure passwords, and update applications with most-secure configurations, which may include 2FA and support for biometrics.

4. Develop an Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to: 

    • If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it. 
    • Record and document an ongoing attack for later analysis and review. 
    • Reduce harm by resetting affected systems’ passwords and user profiles. 
    • Inform stakeholders and implement measures to prevent future incidents. 
  • During an attack, every second counts and knowing what to do ahead of time can make a world of difference. For more detail, check out our blog post on disaster recovery and response. Additionally, consider joining industry organizations such as Incident Command System for Industrial Control Systems (ICS4ICS), which focuses on an OT based emergency management framework.   

The Need for Expertise 

When it comes to defending against OT attacks, no method of security is more reliable than proactive risk management, threat hunting and vulnerability assessment conducted by experts at the intersection between IT and OT. 

Unfortunately, experts are hard to come by, especially for ICS, SCADA, programmable logic controllers (PLCs) and other OT systems. Fortunately, many are employed by Securicon. With years of experience with critical infrastructure – and the ability to implement NERC CIP guidelines – no one is better equipped to find vulnerabilities and promote safety in modern OT systems. To learn more, contact us today. 

Seven Ways to Reduce the Impact of Zero-Day Exploits

Reducing the impact of zero day exploits
Reducing the impact of zero day exploits

At the end of 2021, the Log4Shell remote code execution (RCE) exploit was discovered in a popular Java logging package, Log4j. With millions of devices and software packages affected, it became the worst cybersecurity vulnerability since the SolarWinds attack, with attacks continuing into the early months of 2022.

Log4Shell is an example of a zero-day exploit: zero-days are vulnerabilities exploited by malicious cyber actors immediately after they are discovered in devices and software products. The term “zero-day” is a reference to the number of days organizations and cyber defenders have to prepare – zero.

As cyber actors increase in sophistication, the number of zero-day exploits is increasing every year. In 2021, Mandiant found that the number of zero-days had doubled since 2019. In this article, we’ll explain where zero days are most likely to originate, and how businesses can protect themselves from harm.

Common Types of Zero-Days

Since zero-days are code-based vulnerabilities that allow remote actors to hijack devices and applications, any Internet-connected, programmable surface is susceptible to zero-day exploits. Today, common targets include:

  •  Third-Party Software – third-party applications are frequently built on top of dependencies that can suffer from zero-day exploits. Since Log4Shell targeted a component in Apache Logging Services, millions of apps which depend on Apache were impacted.
  • Web Browsers – every day, Internet users spend up to 6 hours of their day online – this makes Web Browsers like Edge, Chrome and Firefox common targets for malicious actors seeking zero day exploits. In 2022 alone, Google has patched seven zero-days in the Chrome browser.
  • Mobile Operating Systems – compromised mobile devices are a great source of sensitive data which makes them a major target for nation-state actors. Zero-day exploits often surface in iOS, Android and other mobile operating systems; worse, they can go undiscovered for years before they are patched.
  • Network Edge Devices – routers and switches regularly fall victim to zero days which enable cyber actors to bypass protocols and WPA encryption. In 2018, 83% of home and enterprise routers were found to possess publicly known vulnerabilities, and today, these devices are also a favorite target for ransomware attacks.

As organizations grow more reliant on information technology (IT), the threat of zero day exploits will continue to rise – the average business deploys over 100 software-as-a-service (SaaS) apps, and at least as many connected devices. Now more than ever, businesses need to take preventive steps to protect themselves from vulnerabilities.

Reducing the Impact of Zero-Day Exploits

The danger of a zero-day exploit is exacerbated by the fact that cyber defenders cannot detect its presence based on Common Vulnerabilities and Exposures (CVEs) or attack signatures. Fortunately, there are ways to reduce the likelihood of a zero-day exploit and increase your attack preparedness.

  1. Threat Detection Systems – aside from basic cyber defenses – such as firewalls and anti-virus – organizations should adopt real-time protection in the form of inline intrusion-prevention systems (IPS). An IPS system can use network intelligence to detect signs of intrusion even if it cannot detect the specific type of attack, alerting your team if a zero-day exploit is used.
  2. Egress Filtering – while filtering inbound traffic is crucial, filtering outbound traffic is equally important. This is possible with egress filtering, which can be implemented through a firewall or intrusion prevention system (IPS), enabling network admins to prevent applications on your network from reaching out to certain destinations or using unsafe protocols.
  3. Network Visibility – security teams often have limited visibility into the devices and applications that are operating across their networks. Bringing this fragmented knowledge together is essential for securing your network from exploits: keep an inventory of every device, whether IT, IoT or OT, classify and continually monitor them for configuration changes.
  4. Device Oversight – devices – including routers, switches, laptops and mobile phones – typically receive regular updates that patch zero-days when they are discovered by the malware researchers. Organizations should maintain an up-to-date inventory of all the devices connected to their network, set update policies, and replace devices that are no longer supported by the manufacturer.
  5. Third-Party Vendor Management – while no vendor can guarantee that their devices or software products won’t fall prey to a zero-day exploit, some vendors are more security conscious than others. Take inventory of your software supply chain, and research all your technology partners to ensure they are applying adequate security controls.
  6. Adopt a Zero-Trust Paradigm – when malicious actors compromise your network through a zero-day exploit, they will try to move laterally to other systems. A zero-trust security paradigm can stop them in the process by applying the principle of least privileges, and constantly verifying a user’s identity as they switch between devices and applications.
  7. Vulnerability Assessmentvulnerability assessments and penetration tests can help you to better document your IT infrastructure and remediate security gaps that increase the impact of zero-day exploits.While there’s no way to eliminate the chance of a zero-day exploit altogether, developing a strong cybersecurity program can give your business the tools it needs to close cybersecurity gaps, eliminate risky vendors, and respond quickly in a disaster. 

Partner With Cybersecurity Veterans

In today’s perilous cyber landscape, organizations need expert cybersecurity consultants to help them find and identify risks to their mission-critical assets. But with a worldwide shortage of cyber talent, finding experts has become increasingly difficult – fortunately, Securicon is here to help.

With a team comprised of veterans from the U.S security community – including DoD, DHS and the U.S Cyber Command – we are equipped to prepare your organization for the worst, from gap analysis to compliance consulting, assessment support and audit preparation. To learn more, contact us today.

What the Federal Government is Doing to Fight Ransomware in 2022

ransomware
ransomware

Among the cybersecurity threats that are escalating in 2022, ransomware attacks remain one of the most damaging and impactful to federal agencies and contractors. According to Verizon’s yearly Data Breach Investigation Report (DBIR), this year has seen ransomware incidents increase by 13%, which is more growth than the past 5 years combined.

The cost of ransomware is high, with many cyber actors embracing a double extortion model which extracts twice the payment from their victims – but cost is far from the biggest concern for the U.S government. Foreign adversaries – including China, North Korea, and Russia – are increasingly using ransomware against organizations in the West: sometimes, they even work together.

Government Initiatives and New Security Burdens

With all that being said, ransomware is a risk that organizations in the public and private sectors should be worried about: not only is it capable of driving businesses into bankruptcy, but it also represents a national security threat that can cripple critical infrastructure and expose classified information to nation state actors.

Fortunately, 2022 has also brought multiple initiatives across agencies and branches of the U.S government which will help curb the incidence of ransomware and keep businesses safe for years to come. Some will also impose new security burdens which government contractors will have to apply if they want to stay compliant.

In this blog post, we will share five recent developments in legislation and policy while explaining their implications for ransomware and compliance.

1.  New Cyber Reporting Requirements

In the aftermath of a cyber incident or data breach, organizations have an ethical responsibility to inform their customers – sadly, that doesn’t always happen in a timely matter. But when a ransomware attack occurs against critical infrastructure, public safety is at stake, and rapid disclosure is all the more urgent.

In March, the ‘Cyber Incident Reporting for Critical Infrastructure Act of 20221 (CIRCIA) was passed into law – under CIRCIA, critical infrastructure companies will be required to report any substantial cybersecurity incidents within 72 hours, and any ransom payments within 24. While the precise scope of covered entities remains to be determined, it will likely include sectors like:

      • Critical Manufacturing
      • Financial Services
      • Energy
      • The Defense Industrial Base (DIB)

Ultimately, the new cyber reporting requirements will help law enforcement agencies to gather intelligence on attack patterns, track the activity of advanced persistent threat (APT) groups and respond to cyber emergencies in a timely way.

1 The official source for CIRCIA is the Consolidated Appropriations Act of 2022; for readers’ convenience, the PDF linked above contains only the portions of the Act which comprise CIRCIA.

2.  The Joint Ransomware Task Force

Within the text of CIRCIA, legislators proposed the formation of a ransomware task force, which was formally announced by Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly on the 20th of May.

The task force – which aims to combine cybersecurity initiatives across multiple U.S agencies – will be co-headed by the Federal Bureau of Investigation (FBI), allowing law enforcement to collaborate with CISA more effectively.

Today, government agencies suffer from entrenched barriers to information sharing that hinder cybersecurity efforts. Better collaboration will be a major boon, allowing agencies to share and react to intelligence more quickly while building attack profiles that will help businesses to defend themselves against advanced ransomware strains that evade popular detection methods.

3.  CMMC 2.0 and Updated CMMC Timeline

Following the release of Cybersecurity Maturity Model Certification (CMMC) 2.0, the Department of Defense (DoD) is now working with federal policymakers on an implementation timeline that could see CMMC enforced on DoD contracts by May of 2023.

CMMC 2.0 seeks to protect controlled unclassified information (CUI) by requiring federal contractors to undergo third-party assessment for cybersecurity compliance before they can be eligible for most Defense contracts. For less sensitive “Level 1” contracts, the DoD will accept self-assessment – for more sensitive “Level 3” contracts, organizations will need a more official government assessment.

By enforcing cybersecurity controls proportional to the sensitivity of each contract, CMMC 2.0 will not only encourage better security throughout the DIB – it will also ensure that the most sensitive CUI is only shared with contractors who are ready to defend it against a variety of threats, including ransomware.

4.  Zero-Trust Legislation and Implementation

In 2021, the ‘Executive Order on Improving the Nation’s Cybersecurity’ instructed federal agencies to adopt zero-trust security models to defend their IT infrastructure. Shortly afterwards, CISA and the Office of Management and Budget issued documents outlining a zero-trust maturity model (ZTMM) to help agencies comply with the executive order.

The road ahead is difficult, especially with many federal organizations still relying on outdated, legacy IT architecture. But zero-trust adoption is well underway, and – difficulties notwithstanding – 6 out of 10 federal IT officials believe their agencies will be able to meet the challenge. More than 75% say they already have some form of zero-trust security policy in place.

From the perspective of reducing ransomware attacks, this is good news: zero-trust architecture won’t render organizations invulnerable to cyberattacks, but it will bring about significant transformation by forcing organizations to continually validate user identities, monitor apps, and accelerate modernization.

Most importantly – with zero-trust in place – it won’t be enough for ransomware actors to “get past the door”: they will be faced with multiple barriers to lateral movement and penetration that will halt many in their tracks.

5.  Updates to NIST’s Cybersecurity Framework (CSF)

The National Institute for Standards and Technology (NIST) is updating its cybersecurity framework (CSF), a set of standards that have guided cybersecurity efforts in both the public and private sectors since it was first issued in 2014. In February of this year, NIST requested comments for an upcoming update to CSF, prompting an outpouring of responses from industry experts.

Recently, DoD sources have stated that they want better risk-management guidance in the next version of the CSF framework, to align it with another NIST special publication (SP), 800-30, ‘Guide for Conducting Risk Assessments’. Aligning the two NIST resources would help organizations who are currently following CSF to develop a better understanding of risk and risk factors that lead to data breaches, ransomware attacks, and more.

Whether NIST implements this advice or not, an update to CSF could not come at a better time – cyber tactics have developed rapidly since the last update was released in 2018, and organizations are in need of guidance. According to the agency, a majority of respondents to its request for comment stated they find CSF to be a “useful model for organizations seeking to identify, assess, address, and manage cybersecurity risk” – it can only remain useful as long as it remains up to date with leading risk sources.

Cyber Expertise to Help You Stay Compliant

Compliance with federal cybersecurity standards and laws are non-negotiable for any businesses in the federal space, and a very good idea for businesses outside it. But the cyber landscape changes, protecting revenue and customers demands a steadily rising cybersecurity baseline that can be hard to meet without guidance.

Securicon helps your business to comply with Federal and regulatory requirements through program and risk assessments. With a team comprised of veterans from the U.S security community – including DoD, DHS, and the U.S Cyber Commands – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.