5 NIST Updates That Will Impact Security Professionals in 2020

It’s fair to say regulations from the National Institute of Standards and Technology (NIST) are a cornerstone to the security of our federal government: NIST documents set the standard for business operations in both the public and private sector, ranging from information security controls (SP 800-53) to cybersecurity practices (CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.

As we mentioned in a recent article, technology has a tendency to change faster than policy can keep up – but that doesn’t mean NIST won’t try. Every year, the agency works diligently to keep its standards current, seeking the advice of industry professionals to produce new documents ahead of future trends. With a new decade ahead of us, NIST is already hard at work, announcing new standards for IoT, privacy and much more.

To ensure your organization is prepared for the next generation of risk and compliance, keeping up with NIST’s activity is vitally important. Our firm is among the industry organizations that advise NIST, and in this article we’ll share five of the biggest updates to recently come from the nation’s foremost authority on federal and commercial enterprise technology.

1. CMMC to Supplant SP 800-53 for DoD Contractors

The Cybersecurity Maturity Model Certification (CMMC) is by far the biggest change to policy impacting federal partners in 2020. Although for now it mainly applies to contractors working with the DoD, that may change with time, and organizations should prepare before it goes into effect later this year.

CMMC has three major goals:

  • Consolidate – and therefore supersede – multiple cybersecurity standards, including NIST documents SP 800-53 and SP 800-171, and several international standards like ISO 27001
  • Prevent organizations from winning a contract until they can demonstrate cybersecurity preparedness
  • Gauge the maturity of a company’s cybersecurity practices and processes, as they have been institutionalized

With five gradually escalating certification tiers, in some ways the CMMC will ease the burden of compliance for federal contractors. In other ways, it will raise the bar for what it means to be “compliant,” forcing organizations to take responsibility for risk and adopt a mindset of cybersecurity across their departments. As a military contractor ourselves, we too are adapting to comply.

2. Draft for IoT Standards

The IoT security gap remains one of the greatest threats to security across federal agencies. Thanks to a lack of security controls from IoT vendors – and a lack of awareness from organizations – most IoT devices suffer from multiple vulnerabilities that can be used for espionage, data theft and much more.

In response, NIST has released a draft of IR 8259, titled Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The document contains policies focused on bringing IoT vendors in line with the security needs of their customers with controls like data protection, authorized software updates, End-of-Life policies and – most importantly – secure firmware designed to prevent unauthorized device access.

While compliance with IR 8259 is completely voluntary for the time being, a proposal to put NIST in charge of IoT standards remains before the House of Representatives, and may be passed at any time.

3. Privacy Framework

Federal contractors handle a lot of sensitive information, ranging from the personal data of their employees, customers and clients to levels of classified information from government agencies. As emerging data privacy laws seek to mitigate the risk of data incidents across public organizations, NIST is doing its part to prevent them in a federal context with the Privacy Framework (PF).

While the PF is only 39 pages long, it is jam-packed with advice and procedures to defend data security from threats both inside and outside of an organization. Divided into five basic sections, it is also aimed at helping organizations stay prepared for technology advancements and new data use cases:

  • Identify risk to individuals
  • Govern risk management priorities
  • Control privacy risks at a granular level
  • Communicate with stakeholders
  • Protect data from “privacy events”

Version 1.0 of the PF was released at the end of last month, after being available for public comment since September of last year. It has already been adopted by organizations outside the government and should gain wider adoption in the coming months.

4. Supply Chain Risk Management Updates

Since its release in 2015, SP 800-161 has guided federal organizations in mitigating risks in the information and communications technology (ICT) supply chain. Now, NIST seeks to update Supply Chain Risk Management Practices for Federal Information Systems and Organizations for a new decade, following 2019 changes in federal law regarding the acquisition of ICT products, especially from foreign vendors.

In its pre-draft call for comments, NIST stated its goal to “deliver a single set of cyber supply chain risk management practices to help Federal departments and agencies manage the risks associated with the acquisition and use of IT/operational technology products and services in a way that is functional and usable.”

The ICT supply chain can introduce risk to organizations through poor design, lack of security controls and even backdoors for espionage. Since changes to SP 800-161 will be accompanied by updates to NIST SP 800-37 and SP 800-53, all federal contractors will be affected, and they should stay informed as new information becomes available.

5. Standardization of Cybersecurity Regulations

Ever feel like there are just too many security regulations to keep up with? NIST agrees: in a draft report for the National Cybersecurity Online Informative References (OLIR) Program, it states “the fields of cybersecurity, privacy, and workforce have a large number of documents, such as standards, guidance, and regulations”.

Through the OLIR, NIST aims to simplify compliance procedures through a centralized online repository of cybersecurity legislation complete with cross-references between documents, and advice from subject matter experts. Depending on the extent of the OLIR, it could change the workflow of security professionals throughout the industry and make the adoption of new standards much easier.

NIST accepted public comments on its first draft until February 24th. We don’t know how long it will be until OLIR goes into effect, but it’s safe to assume something will be up and running by the end of this year.

Taking Responsibility

Every new update from NIST points to developing trends in technology and legislation. While keeping up with them can be difficult, the best way to stay ahead of regulations is to stay on top of risk.

Don’t stop at checking off boxes: in 2020, organizations that take responsibility for their business processes, IT infrastructure and insider threats will be the most likely to succeed on the road to full compliance.

Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

5 Big Risks for Industrial Control Systems (ICS) in 2020

2019 is coming to an end, and with it so is the decade when America started taking cybersecurity seriously. In the past decade, we have seen the rise of cloud-based infrastructure, government legislation like FedRAMP, and – most importantly – a dramatic increase in the number of cyber threats facing both commercial and governmental organizations.

Before 2010 when the Stuxnet attack crippled one-fifth of nuclear enrichment centrifuges in Iran, comprehensive cybersecurity programs for industrial systems and operational technology (OT) were practically non-existent. Since then, the IT/OT convergence has brought about a slew of malware attacks specifically targeting Industrial Control Systems (ICS) and programmable logic controllers (PLCs), from BlackEnergy in 2014 to Industroyer in 2016.

A Chance for Improvement

According to major players in the malware detection industry, over 40% of ICS systems across utilities and manufacturing were targeted or outright attacked during the first quarter of 2018. On the one hand, this is a scary moment in history: for the first time, terrorists can wage war on another country’s critical infrastructure. On the other hand, industry professionals are waking up to the need for robust security in the face of increased risk.

In the best-case scenario, America and other developed countries will emerge from the 2020s with stronger infrastructure and a renewed focus on cybersecurity. Along the way, they will have to take a critical look at the greatest risks for ICS systems today.

In this article, we’ll give you a head start: here’s our list of the top 5 threats that ICS professionals need to worry about during the new year.

Top 5 Risks to ICS in 2020

It’s commonly believed that OT security risks stem from developing technology. However, this is not entirely true: some ICS risks stem from systemic flaws in an organization’s structure, supply chain and talent pool. In this list, we’ll give equal priority to all of them.

1. False Promises

Automation has long been the dream of cybersecurity, and in his talk at the ICS Cybersecurity Conference last month, Mark Carrigan pointed out that unscrupulous vendors have been promising a level of automation they just can’t deliver. Organizations that are looking for off-the-shelf solutions to OT security must beware: targeted attacks are masterminded by humans, and it takes human intelligence to identify and beat them.

More generally – as Steven Booth of FireEye maintains – bad vendors can be a liability to security, even when their products work as advertised: “we have seen a number of situations in the past few years where software components in automatic updates were corrupted or poisoned with malicious code,” said Booth.

This is a trend which security practitioners in every field need to be aware of. Next year, the Department of Defense (DoD) will require vendors to pass a certification program before working with government partners. Until then, organizations must stay vigilant in vetting their supply chain.

2. The Industrial Internet of Things (IIoT)

IIoT has been a mixed bag for organizations: on the one hand, it extends the functionality of networks and helps to generate data that drives operational efficiencies – consequently many operations managers love IIoT devices.

However, these devices can also create points of entry for attackers, especially because IIoT vendors are rushing their products to market, utilizing components from less-than-reputable sources, and skipping basic security controls along the way. Many products lack two-factor authentication (2FA) and secure update mechanisms, and in some cases they don’t even allow customers to change the default accounts and passwords.

The National Institute of Standards and Technology (NIST) is currently working to develop mandatory standards for IIoT, in response to lax security in Distributed Energy Resources (DERs) that threaten the power grid. In the meantime, organizations should adopt a zero-trust policy towards IIoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers.

3. Insider Threats

In response to ICS risks, some organizations have rejected the IT/OT convergence altogether, isolating their OT from any contact with networks. While this so-called “air gap” method of defense kept OT on the periphery of cybersecurity for years, it is no defense against the biggest threat to ICS security of all: people.

Only 3% of attacks on critical infrastructure begin and end with technical exploits and vulnerabilities. Ninety-seven percent rely on social engineering techniques which trick an organization’s personnel into divulging passwords and access information. Insiders can also compromise a system through careless Internet activity and negligence of security protocol.

Going forward, organizations should invest more resources in training their personnel. Knowing cyber hygiene techniques, developing security situational awareness, and understanding the tactics of hackers can often prevent a major security breach.

4. Hackers Are Improving

According to Thomas Pope from Dragos, modern hackers have begun to converge on a common set of tactics, techniques and procedures (TTPs). On the one hand, this is good news for security professionals, since it means attacks will be easier to detect. On the other hand, an over-reliance on commodity IT solutions and open design protocols puts organizations at significant risk.

According to CyberX, 82% of industrial sites depended on remote management protocols like RDP and SSH in 2017. Not only are hackers familiar with these access protocols and their vulnerabilities, but they are even familiar with proprietary ICS systems.

Every year, attackers become stronger thanks to the resources available to them: increased digital literacy, the widespread availability of pentesting toolkits and darknet markets where SCADA/ICS protocols and exploits are sold cheap. Organizations should acknowledge this fact by designing industrial infrastructure with greater attention to segmentation and detection of indicators of compromise.

5. Talent Gap

When it comes to talent, the entire security industry is in a rough spot. According to some estimates, there will be 3.5 million unfilled security positions by 2021, thanks to the rise of cybercrime and a lack of educated professionals.

The situation is even worse for OT security: according to Robert M. Lee of Dragos, there are fewer than 1,000 ICS professionals in the entire world. In the coming decade, industrial organizations would do well to make sure their personnel have the education they need for success and promote the cybersecurity career path to inbound university students.

The Need for Expertise

With years of expertise trusted by the U.S. security community – including DoD, DHS and the U.S. Cyber Command – our people are equipped to find and eliminate modern OT threats with methodology including:

  • Vulnerability assessments and penetration tests
  • Red-team and blue-team services
  • Industrial Control System (ICS) assessments
  • Network engineering and security architecture design

Automated solutions just aren’t good enough: in 2020, partner with an organization that can see both the big picture and granular details of OT security today.

The 2020s are an opportunity for renewed focus on cybersecurity. Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cybersecurity, we are here to help you manage the risks for Industrial Control Systems. Contact us for more information.

Key Takeaways from ICS Cybersecurity Conference

Securicon attended the 2019 ICS Cybersecurity Conference in Atlanta on October 21-24. It was a four-day whirlwind of speakers working at the cutting edge of OT security who provided a crash course on the state of the industry, and areas for improvement in 2020.

If you couldn’t make it to this incredible event, don’t worry, we’ve compiled our top four takeaways from the conference just for you.

1. OT cybersecurity can’t be automated

We all know that malware attacks against ICS systems have been rising for the past decade. According to Mark Carrigan from PAS Global, there’s good news: security officers are taking notice, and 84% of businesses have invested in solutions to address the IT/OT convergence.

Here’s the bad news: the demand for solutions has generated an influx of vendors who lull their clients into a false sense of security by making promises they can’t deliver. When it comes to threat detection, nothing beats human expertise, and over-dependence on automation allows targeted attacks to slip beneath the radar.

2. IoT is the next big threat for ICS

Distributed Energy Resources (DERs) are helping power companies to better manage the grid: unfortunately, they also create points of entry for attackers. In response, Jim McCarthy from the National Institute of Standards and Technology (NIST) spoke about ongoing efforts to regulate the Industrial Internet of Things (IIoT).

Lionel Jacobs from Palo Alto Networks argues that organizations should adopt a zero-trust policy towards IoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers. The dangers of IoT may be unavoidable, but with careful governance policies, they can also be managed.

3. Insider threats: still a problem

Conventional wisdom suggests that isolating control systems from network access is the best way to protect them. But – says Chad Lloyd from Schneider Electric – “air gaps” can produce a false sense of security, because they are still vulnerable to human failure inside organizations.

97% of attacks on critical infrastructure do not depend on clever exploits or vulnerabilities, but on social engineering attacks which trick personnel into divulging passwords and access information. It’s clear that more investment is needed to train personnel in cyber hygiene and prevent insider threats.

4. Threat hunting is the best way to strengthen networks

Thomas Pope from Dragos delivered an insightful presentation, showing that modern hackers increasingly rely on the same tactics, techniques and procedures (TTPs) that pen testers and threat hunters have been using for years.

For this reason, threat hunting remains one of the most powerful ways to prevent attacks before they occur. To prove the point, Illan Barda from Radiflow showed eye-opening results from red-teaming on a water treatment facility.

Adopting a Threat-Based Mindset

All our takeaways from the ICS Cybersecurity Conference emphasize one theme: OT-dependent organizations will have to adopt a threat-based mindset to fight the next generation of attacks on ICS and critical infrastructure.


Securicon’s threat management solutions are based on industry standards for safety and professionalism. With years of experience in ICS cybersecurity, we are here to protect your organization. Contact us for more information.

The IoT Security Gap, and Six Ways to Overcome It

By next year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion. That’s up 14.1 billion from 2016 – a shocking amount of growth in a short period of time and quintuple the number of usable IP addresses that existed under IPv4.

Like thought leaders predicted a decade ago, the burgeoning Internet of Things (IoT) is outgrowing mobile phones and dominating network connectivity in both the public and private sector. Unfortunately, the more Internet connections an organization has, the more vulnerable it is to attack; but IoT vendors don’t seem to care.

While today’s IoT is more secure than the devices of yesterday, security remains little more than an afterthought for too many product developers. According to scientist Sarah Zatko, IoT vendors continue to omit basic security features out of mere complacency. “They’re just not bothering,” said Zatko, adding that “the needle hasn’t moved much in 15 years”.

The Consequences of Insecure IoT

On one hand, the almost impossibly fast growth of IoT means that a security gap is inevitable. On the other hand, this gap has consequences which organizations cannot afford to ignore: according to research, 48% of companies have already been the victim of at least one IoT attack.

Some of these incidents are damaging enough to gain significant publicity. In 2016, the Mirai botnet propagated through open Telnet ports on 600,000 IoT devices and brought down Internet connectivity across the U.S. East Coast. Other major attacks include:

  • EchoBot – with similar source code to Mirai, EchoBot targeted popular consumer and enterprise routers using over 26 unpatched vulnerabilities. Its spread continued into 2019, and it still threatens organizations today.
  • TheMoon – in many ways TheMoon represents “peak malware,” allowing threat actors to rent out thousands of hijacked routers and modems around the world for various malicious purposes.
  • Industroyer – in 2016, the Industroyer malware targeted Ukraine’s power grid and left thousands without electricity for a few hours. In 2017, researchers concluded that points of entry had been exploited within “Industrial IoT” deployed throughout the grid.

What happened in Ukraine is instructive. As time wears on, critical infrastructure in the United States will depend on remote access technologies facilitated by IoT, or will at least be in contact with IoT devices on the same network. Current security standards leave vulnerabilities that could have devastating consequences for businesses, their customers and the nation as a whole.

Regulatory Attempts

Efforts to regulate IoT like other technologies – including cloud and storage systems for classified information – have failed on more than one occasion. In 2017, the “Internet of Things Cybersecurity Improvement Act” was proposed to Congress, but never passed.

A new version of the same bill was introduced earlier this year, with a narrower focus. If passed, it would have put the National Institute of Standards and Technology (NIST) in charge of developing security standards for IoT devices by last month – a move that many in the industry approved of. However, the act is still in limbo and no further developments have occurred.

Unfortunately, it may take a serious incident before the government is prepared to hold IoT vendors to a higher standard. In the meantime, vendors simply don’t face enough pressure from the free market to take care of the problem themselves. For now, organizations must shoulder the responsibility of securing their own devices.

Six Ways to Improve IoT Security

Fortunately, there are many ways to significantly improve IoT security within a public or private enterprise environment. Here are six:

1. Minimize device footprint – of the billions of IoT devices in use today, not all serve an important purpose. Minimize the number of devices in your organization, removing the frivolous and using non-networked solutions wherever possible. Remember that any opening to the Internet creates a potential route for attackers.

2. Segment IoT from critical assets – whenever possible, keep IoT disconnected from networks used to access classified information and sensitive data. Barriers between critical and non-critical assets in your organization make it difficult for attackers to move laterally even if they gain a foothold through one opening.

3. Replace default credentials – according to the Office of Management and Budget (OMB), lack of strong authentication is one of the most common security mistakes across federal agencies. IoT devices rarely require administrators to change their weak default credentials. Ensure that every networked device in your organization is tightly secured.

4. Use two-factor authentication – in the same vein, two-factor authentication (2FA) creates an extra barrier against brute-forcing and stolen login information. Most IoT devices are compatible with 2FA, but – again – they will not prompt users to install it. Take the initiative to keep devices as secure as possible.

5. Choose high-reputation vendors – not all IoT is created equal, and some vendors have a better reputation for security than others. Research IoT vendors as part of your risk management strategy and avoid those known for past attacks, lax standards or slow firmware updates.

6. Track and test devices – tracking IT assets is an important part of any security strategy, and IoT is no exception. Track all your IoT assets, and regularly test them for strong authentication. Firmware updates sometimes include patches for known vulnerabilities, so ensure that the latest version is always installed.
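The six controls above are easiest to enforce when they are checked against an asset inventory on a schedule rather than by memory. The following script is an added example, not code from the original article or from Securicon: it audits a small constructed device inventory against each of the six points (documented purpose, segmentation from critical VLANs, default or weak credentials, 2FA, vendor approval, firmware currency). Every device record, vendor name, VLAN name, credential and firmware version in it is invented for illustration, and the default-credential list is a deliberately short stand-in for the vendor documentation a real audit would consult.

```python
"""Added example (not part of the original article): audit a constructed IoT
inventory against the six IoT security controls discussed above.
All device records, vendors, VLANs, credentials and versions are made up."""

import re

# Constructed inventory. In practice this comes from an asset database or a
# discovery scan; every value here is invented for the example.
INVENTORY = [
    {"id": "cam-01", "vendor": "ExampleCam", "vlan": "iot", "purpose": "lobby camera",
     "username": "admin", "password": "admin", "mfa": False, "firmware": "2.1.0"},
    {"id": "hvac-07", "vendor": "AcmeHVAC", "vlan": "corp-critical", "purpose": "server room HVAC",
     "username": "svc-hvac", "password": "Kq7!p9Zr#L2m", "mfa": True, "firmware": "4.0.3"},
    {"id": "plug-13", "vendor": "NoNameIoT", "vlan": "iot", "purpose": "",
     "username": "root", "password": "12345", "mfa": False, "firmware": "1.0"},
    {"id": "sensor-22", "vendor": "AcmeHVAC", "vlan": "iot", "purpose": "loading dock temp",
     "username": "ops", "password": "D3pot-S3ns0r-2020", "mfa": False, "firmware": "4.0.3"},
]

# Latest firmware per vendor as tracked by the asset team (constructed values).
LATEST_FIRMWARE = {"ExampleCam": "2.3.1", "AcmeHVAC": "4.0.3", "NoNameIoT": "1.0"}

# Vendors approved by the risk team after reputation review (constructed).
APPROVED_VENDORS = {"ExampleCam", "AcmeHVAC"}

# VLANs that carry sensitive data; IoT devices must never share them (control 2).
CRITICAL_VLANS = {"corp-critical", "scada"}

# Short constructed list of factory-default credential pairs (control 3).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"),
                       ("root", "12345"), ("admin", "password")}

MIN_PASSWORD_LENGTH = 12


def version_tuple(version):
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_device(dev):
    """Return a list of (control_number, finding) tuples for one device record."""
    findings = []
    if not dev["purpose"].strip():
        findings.append((1, "no documented purpose; candidate for removal"))
    if dev["vlan"] in CRITICAL_VLANS:
        findings.append((2, f"IoT device sits on critical VLAN '{dev['vlan']}'"))
    creds = (dev["username"], dev["password"])
    if creds in DEFAULT_CREDENTIALS or len(dev["password"]) < MIN_PASSWORD_LENGTH:
        findings.append((3, "default or weak credential"))
    if not dev["mfa"]:
        findings.append((4, "two-factor authentication not enabled"))
    if dev["vendor"] not in APPROVED_VENDORS:
        findings.append((5, f"vendor '{dev['vendor']}' not on approved list"))
    latest = LATEST_FIRMWARE.get(dev["vendor"])
    if latest is None:
        findings.append((6, "no firmware baseline tracked for this vendor"))
    elif version_tuple(dev["firmware"]) < version_tuple(latest):
        findings.append((6, f"firmware {dev['firmware']} is behind latest {latest}"))
    return findings


def audit_inventory(inventory):
    """Map device id -> findings, omitting devices that pass every check."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY).items():
        print(dev_id)
        for control, text in findings:
            print(f"  [{control}] {text}")
```

Each finding carries the number of the control it relates to, so the report maps directly back to the list above. Versions are compared as integer tuples rather than strings so that a device on 10.0 is not reported as older than one on 9.9, a mistake that is easy to make when comparing version strings.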

Adopting a Threat-Based Mentality

While they have never been more serious than they are today, the risks of IoT have been understood for over a decade. If organizations have ignored them, it’s because they have adopted a checklist mentality: but following regulations to the letter won’t protect against threats that legislation doesn’t address.

In order to protect their data, revenue and customers, today’s organizations must take a proactive approach to security. With the help of vulnerability and penetration tests, cyber hunt and asset management, “cybersecurity” can mean a lot more than compliance: it can mean safety against malware and targeted attacks.