The Hidden Dangers of AMI Infrastructure: Protect Your Utility Company Now

The rise of Advanced Metering Infrastructure (AMI) has revolutionized the way utilities collect and manage data. Implementing AMI improves the efficiency and accuracy of energy consumption monitoring and billing, and gives consumers more real-time information and control. But AMI also increases the exposure of both utilities and consumers to cyber threats.

AMI installations comprise a wide range of interconnected devices – most of which are deployed out in the field – from smart meters to data gateways, as well as communication networks and data management systems. The large surface area of this AMI infrastructure and its interconnectedness create new security challenges that must be addressed by utilities and their cybersecurity partners.

AMI platforms pose physical security risks. The deployment of smart meters on customer premises means that there are now more points of access into the utility networks. Malicious actors can use physical attacks, such as tampering with the meters or the communication infrastructure, to gain access to the network. And if an attacker can compromise the AMI infrastructure, this can result in a potential threat to the entire energy grid.

Threats to AMI installations come in various forms, including:

  • Unauthorized access to customer data and system controls
  • Malware and ransomware attacks on network components
  • Physical tampering with meters and other devices
  • Distributed denial of service (DDoS) attacks on communication networks

Given the significant risks associated with AMI platforms, it is critical for utility companies to take proactive steps to protect their systems. This includes implementing robust cyber security protocols, ensuring that perimeter devices have hardened configurations, maintaining defense in depth throughout the AMI network with proper segmentation from critical infrastructure, conducting regular security assessments, and partnering with trusted cyber security experts to identify and mitigate vulnerabilities.

Here at Securicon we specialize in helping utility companies protect their AMI and other critical platforms from cyber security threats. Our team of experienced professionals can conduct thorough security assessments to identify potential vulnerabilities, develop custom solutions to address those vulnerabilities, and provide ongoing support to ensure that your AMI platform remains secure.

How to Protect Your Operational Technology (OT) in 2023

OT Security

Oil and gas, manufacturing, energy distribution and critical infrastructure – what do all these industries have in common? Aside from their indispensability, they all rely on operational technology (OT) such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.  

Collectively, these technologies control the world we live in, and OT-directed attacks can have a devastating impact. In contrast to traditional Information Technology based attacks, these Cyber-Physical attacks affect machinery and processes that have real world impacts to the industries and people they serve. 

In 2021, we were reminded of this fact by the Colonial Pipeline attack, which nearly crippled gas supplies across the Eastern U.S. More recently, 9 out of 10 organizations reported that cyberattacks impacted their production or energy supplies within the last 12 months, with 56% seeing disruption lasting 4 days or longer. 

Thanks to a combination of factors, OT-directed attacks – and traditional cyberattacks that impact OT systems – are steadily increasing, with government agencies increasingly taking notice. But why is this happening and how can you protect yourself in 2023? In this article, we’ll answer both questions. 

OT Security Trends 

OT threats have been on the rise for years, and while the factors behind this rise have largely remained consistent, they are being accelerated by larger trends affecting the IT landscape and business world in 2023.

1. OT Talent Gap

With the need for cybersecurity talent growing faster than the supply, ISC2 reported that global organizations were facing 3.4 million unfilled cyber positions in 2022.  

This gap continues to impact OT worse than other fields, as OT environments are filled with a combination of specialized and legacy systems. According to one expert, there were fewer than 1,000 ICS cybersecurity experts around the world only five years ago, and improvements have not kept pace with OT threats.

2. Supply Chain Issues Driving IT/OT Convergence

IT and OT have been converging for long enough that SANS Institute recommended dropping the IT/OT nomenclature several years ago: today’s industrial environments are dependent on IT infrastructure, which makes OT systems vulnerable to IT-directed attacks.  

With continued supply chain issues and economic downturn projected in 2023, organizations are being pushed to maximize efficiency, meaning an influx of industrial IoT (IIoT), cloud apps and other Internet-facing surfaces that drive OT threats.

3. Geopolitical Conflict

Given the critical role that OT plays in supporting national industry and infrastructure, it is a common target for nation-state actors and politically motivated advanced persistent threat groups (APT) groups.  

According to one study, hacking and reconnaissance against government bodies accounted for 48% of Internet traffic monitored across all public-sector organizations in 2022. As geopolitical conflict increases around the world, politically motivated cyberattacks of all types can be expected to rise even higher.

4. OT-Directed Attacks

In the past, OT threats have tracked IT threats closely, with many OT security incidents occurring as a side effect of malware or traditional cyberattacks. Now, threat actors are increasingly optimizing their attacks for ICS and SCADA devices, including systems from specific manufacturers.  

In April 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with several federal agencies warning that APT groups had developed a malicious ICS attack framework known as “PIPEDREAM,” with modules tailored to specific Schneider Electric and OMRON PLCs and to OPC UA servers found throughout OT environments. 

The Impact of OT Threats 

Attacks on control systems can accomplish many things, none of them good. Considering only the risks that directly affect an organization, they include: 

  • Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property. 
  • Operational disruption – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities. 
  • Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue. 

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure, meaning that any security incident can potentially change millions of lives for the worse. 

Protecting Your OT Systems 

Faced with the prospect of cyberattacks on critical infrastructure, the government is focusing more attention on OT than ever before. It is only a matter of time before businesses – particularly government contractors – are required to follow regulations to protect their OT systems. But there’s no reason they can’t start now.

1. Adopt ICS Security Frameworks

With IT-directed attacks still accounting for a large number of OT threat incidents, securing your IT and network perimeter is a first step towards protecting OT. Organizations can start by aligning with standards like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). 

They can also implement guidelines developed specifically for industrial environments, such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP).

2. Treat OT as a Separate Domain

Despite IT and OT convergence, organizations are increasingly shifting the primary responsibility for OT security from IT managers to OT operators. As a SANS Institute survey reports: “organizations are realizing the enterprise IT and ICS/OT environments are not the same. They not only have different types of systems, but also have technologies that are not directly cross-compatible.”  

Ultimately, increased communication between IT and OT professionals can help to bridge knowledge gaps. One survey found that 72% of cybersecurity professionals could not tell whether a disruption originated in IT or OT; professionals with a combination of IT and OT expertise are far better placed to make that call, and to respond accordingly. 

3. Promote More Secure Authentication

Poor identity management and authentication practices – such as weak passwords and lack of two-factor authentication – continue to threaten systems within an OT environment and on the periphery.  

Now more than ever, it’s vital for organizations to educate their employees on the importance of strong, unique passwords, and to harden application configurations, which includes enabling multi-factor authentication (MFA) wherever it is supported, including on the engineering workstations and remote-access paths that touch OT.

4. Develop an Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to: 

  • If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it. 
  • Record and document an ongoing attack for later analysis and review. 
  • Reduce harm by resetting affected systems’ passwords and user profiles. 
  • Inform stakeholders and implement measures to prevent future incidents. 

During an attack, every second counts, and knowing what to do ahead of time can make a world of difference. For more detail, check out our blog post on disaster recovery and response. Additionally, consider joining industry organizations such as Incident Command System for Industrial Control Systems (ICS4ICS), which focuses on an OT-based emergency management framework.   

The Need for Expertise 

When it comes to defending against OT attacks, no method of security is more reliable than proactive risk management, threat hunting and vulnerability assessment conducted by experts at the intersection between IT and OT. 

Unfortunately, experts are hard to come by, especially for ICS, SCADA, programmable logic controllers (PLCs) and other OT systems. Fortunately, many are employed by Securicon. With years of experience with critical infrastructure – and the ability to implement NERC CIP guidelines – no one is better equipped to find vulnerabilities and promote safety in modern OT systems. To learn more, contact us today. 

Why Shadow IT is the Biggest Blind Spot in Your Cybersecurity Strategy

Shadow IT and SaaS

In the past few years, software-as-a-service (SaaS) apps have exploded in popularity, bringing powerful new functionality to organizations which they could only dream of in the past. Unfortunately, the ease and availability of cloud apps are a double-edged sword that can work against the security of your business without proper oversight. 

Recently, a study found that 97% of cloud apps across organizations are “shadow IT,” meaning they are brought in by employees without the awareness or approval of IT and cybersecurity staff. At the same time, users are connecting to these services with unauthorized devices that may be unsafe. 

While shadow IT – which may encompass file sharing, communication, and collaboration services – is not without benefits, it also creates a major blind spot in your cybersecurity strategy that brings many risks. In this article, we will explain what those risks are and how your business can fight against them. 

The Dangers of Shadow IT 

In a recent blog post, we talked about the cybersecurity risks that can arise in an improperly configured cloud environment. Ultimately, the existence of unauthorized SaaS apps compounds the dangers that already impact approved cloud services, while also bringing new problems of their own. Among them are: 

  • Data Risks – With users storing information in their own personal SaaS apps, company data ends up outside the controls (backup, access control, retention and data-loss prevention) that protect sanctioned systems, and may be altered or exposed in ways that can harm your business and customers. Relying on these apps also brings a risk of data loss when employees depart your company. 
  • Cybersecurity Risks – Unapproved apps create new attack surfaces that malicious actors may target while attempting to breach your organization; they can also suffer from vulnerabilities that will escape the attention of cybersecurity teams. Worse yet, they are susceptible to user misconfiguration which may expose data to outside actors.  
  • Regulatory Violations – Because shadow IT is not subject to the same scrutiny as other devices and applications throughout your organization, it may fail to comply with emerging data privacy regulations like GDPR, government cybersecurity standards like NIST 800-53, and industry-specific regulations like HIPAA. 
  • High Costs – While many SaaS apps are free (a major reason employees may resort to them), others may come with a small subscription fee. These “shadow costs” can pile up if they are charged to your business without proper oversight. As an example, the average organization spends more than $135,000 on unnecessary cloud services every year. 
  • Reduced Network Performance – Excessive Internet-facing apps can put a strain on network resources that they are not designed to handle. Organizations with a shadow IT problem may face bandwidth issues, slow response time, system outages and delays in job execution. 

In spite of these issues, employees resort to shadow IT for a reason, and understanding those reasons is vital for identifying and reducing shadow IT usage throughout your organization. 

Why Does Shadow IT Exist? 

At a high level, the existence of shadow IT is almost always a consequence of IT problems such as slow resolution of help desk tickets, or a lack of tools to help employees do their jobs effectively. It also arises from low awareness of the dangers associated with shadow IT use, which may indicate lack of proper training and procedures. 

Today, most employees can improve their productivity and efficiency with advanced features provided by SaaS apps. Others – particularly remote employees – may rely on shadow IT to stay connected with their workforce. Taking control of shadow IT requires businesses to not only find and eliminate shadow IT services from their network, but also to solve the root problems leading employees to rely on them. 

How to Take Control of Shadow IT 

With the average organization using 250 SaaS apps or more, shadow IT is becoming a harder problem to solve as time goes by. But with the right approach, it is possible. 

1. Understand Your Company’s Business and IT Needs 

Ensure that your employees have the tools and services they need to do their jobs effectively. This requires understanding what your company needs across different teams and departments. Conduct surveys and take feedback into consideration, especially where current tools and processes may be interfering with productivity. 

2. Provide Employee Training  

As in many other cases, shadow IT is a problem more often caused by ignorance than malice. According to one study, 37% of IT employees say that their organization has not outlined consequences for employees involved in shadow IT. Ensure that employees are aware both of the dangers associated with shadow IT and company policies surrounding its use.  

3. Supervise Provisioning of Services 

Make sure that employees have a clear channel to request new apps and have processes in place to review and approve requests. Not only does this ensure your IT team will have time to review the security and implementation of new services, but it will also provide better visibility and control over spending. 

4. Continually Monitor Your Network  

In order to detect shadow IT, network administrators should keep an up-to-date inventory of IT resources, including all devices and applications running on their network. They should continually monitor network activity, including DNS and web-proxy logs, to detect new hosts, outbound connections to unfamiliar SaaS domains, unusually slow performance and outages that could signal shadow IT activity. 
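One way to turn proxy logs into a shadow-IT inventory, as an added example that is not Securicon’s tooling or part of the original article: it parses a Squid-style access log, drops requests to sanctioned SaaS domains (and their subdomains), and ranks the remaining destinations by how many distinct users reach them and how much data is uploaded. The log format, the sanctioned-domain list and the sample lines are all constructed for the example.

```python
"""Shadow-IT discovery from web-proxy logs (added example, not the article's own code).

Assumed log format (constructed, Squid-like), one request per line:
    <epoch> <client_ip> <user> <method> <url> <bytes>
The sanctioned-domain list would normally come from IT's SaaS register.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Sanctioned SaaS domains (constructed). Subdomains of these count as sanctioned.
SANCTIONED = {
    "mail.example-corp.com",
    "crm.example-vendor.com",
    "office.example-vendor.com",
}

# Constructed sample log lines: epoch, client IP, user, method, URL, bytes.
SAMPLE_LOG = """\
1700000001 10.1.4.20 alice GET https://mail.example-corp.com/inbox 5120
1700000002 10.1.4.21 bob POST https://files.unsanctioned-share.example/upload 8388608
1700000003 10.1.4.22 carol GET https://crm.example-vendor.com/leads 2048
1700000004 10.1.4.20 alice GET https://files.unsanctioned-share.example/list 1024
1700000005 10.1.4.23 dave POST https://chat.unsanctioned-team.example/api 4096
1700000006 10.1.4.21 bob GET https://docs.office.example-vendor.com/x 1000
"""


def parse_line(line):
    """Return (user, host, method, bytes) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, _ip, user, method, url, nbytes = parts
    host = urlsplit(url).hostname
    if not host or not nbytes.isdigit():
        return None
    return user, host.lower(), method, int(nbytes)


def is_sanctioned(host, sanctioned=SANCTIONED):
    """A host is sanctioned if it equals, or is a subdomain of, an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def discover_shadow_it(log_text, sanctioned=SANCTIONED):
    """Aggregate unsanctioned destinations: who uses them and how much data leaves.

    Returns a list of (host, info) pairs, most widely used / largest upload first.
    """
    report = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        user, host, method, nbytes = rec
        if is_sanctioned(host, sanctioned):
            continue
        entry = report[host]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("POST", "PUT"):  # data leaving the network is the bigger risk
            entry["upload_bytes"] += nbytes
    return sorted(
        report.items(),
        key=lambda kv: (len(kv[1]["users"]), kv[1]["upload_bytes"]),
        reverse=True,
    )


if __name__ == "__main__":
    for host, info in discover_shadow_it(SAMPLE_LOG):
        print(f"{host}: {len(info['users'])} users, "
              f"{info['requests']} requests, {info['upload_bytes']} bytes uploaded")
```

Run it against a day of real proxy logs and the output is a shortlist to take into the provisioning conversation in step 3: a service used by many people is a candidate for sanctioning, while a single user pushing large uploads to an unknown host is an incident to investigate. Matching on host suffix rather than substring matters; a lookalike such as office.example-vendor.com.attacker.example must not pass as sanctioned.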

5. Consider Specialized Solutions 

Consider adopting specialized solutions like a cloud access security broker (CASB) to govern cloud usage throughout your organization. CASB solutions can provide a centralized view of cloud apps running across your network along with a ranking for risk and overall trustworthiness.  

Cyber Expertise You Can Trust 

From shadow IT to ransomware and software supply chain attacks, protecting your business in today’s cyber landscape requires visibility into your network and IT infrastructure. Without that, the biggest risks to your organization will continue to lurk in the shadows. 

At Securicon, our seasoned cybersecurity experts work to find vulnerabilities in your IT infrastructure, providing solutions and long-term support – we give you the visibility you need to identify risks, and the expertise to remediate them. Contact us today for a rapid assessment and learn how we can bring your organization’s security to the next level. 

Seven Ways to Reduce the Impact of Zero-Day Exploits

Reducing the impact of zero day exploits

At the end of 2021, the Log4Shell remote code execution (RCE) vulnerability (CVE-2021-44228) was disclosed in Log4j, a widely used Java logging library. With millions of devices and software packages affected, it became the most consequential cybersecurity vulnerability since the SolarWinds supply-chain compromise, with exploitation continuing into the early months of 2022.

Log4Shell is an example of a zero-day exploit: a zero-day is a vulnerability that malicious cyber actors exploit before the vendor has released a patch, and often before the vendor even knows the flaw exists. The term “zero-day” is a reference to the number of days organizations and cyber defenders have had to prepare – zero.

As cyber actors increase in sophistication, the number of zero-day exploits is increasing every year. In 2021, Mandiant found that the number of zero-days had doubled since 2019. In this article, we’ll explain where zero days are most likely to originate, and how businesses can protect themselves from harm.

Common Types of Zero-Days

Since a zero-day can exist in any code, and the most damaging ones let remote actors hijack devices and applications, any Internet-connected, programmable surface is susceptible to zero-day exploits. Today, common targets include:

  • Third-Party Software – third-party applications are frequently built on top of dependencies that can suffer from zero-day exploits. Since Log4Shell was a flaw in Log4j, a component maintained by Apache Logging Services, millions of apps that embedded the library were impacted, many without their operators knowing it was there.
  • Web Browsers – Internet users spend up to 6 hours a day online, which makes web browsers like Edge, Chrome and Firefox common targets for malicious actors seeking zero-day exploits. In 2022 alone, Google patched seven zero-days in the Chrome browser.
  • Mobile Operating Systems – compromised mobile devices are a rich source of sensitive data, which makes them a major target for nation-state actors. Zero-day exploits often surface in iOS, Android and other mobile operating systems; worse, they can go undiscovered for years before they are patched.
  • Network Edge Devices – routers, switches and other edge devices regularly fall victim to zero-days that let cyber actors bypass authentication and the security controls the device is supposed to enforce. In 2018, 83% of home and enterprise routers were found to have publicly known vulnerabilities, and today these devices are also a favorite initial foothold for ransomware operators.

As organizations grow more reliant on information technology (IT), the threat of zero day exploits will continue to rise – the average business deploys over 100 software-as-a-service (SaaS) apps, and at least as many connected devices. Now more than ever, businesses need to take preventive steps to protect themselves from vulnerabilities.

Reducing the Impact of Zero-Day Exploits

The danger of a zero-day exploit is exacerbated by the fact that cyber defenders cannot rely on a Common Vulnerabilities and Exposures (CVE) entry or an attack signature to detect it, because at the time of exploitation neither exists yet. Fortunately, there are ways to reduce the likelihood of a zero-day exploit and increase your attack preparedness.

  1. Threat Detection Systems – aside from basic cyber defenses – such as firewalls and anti-virus – organizations should adopt real-time protection in the form of inline intrusion-prevention systems (IPS). An IPS that uses behavioral and anomaly-based detection, not just signatures, can flag signs of intrusion (unexpected outbound connections, protocol anomalies, known post-exploitation behavior) even when it cannot identify the specific exploit, alerting your team if a zero-day is used.
  2. Egress Filtering – while filtering inbound traffic is crucial, filtering outbound traffic is equally important. This is possible with egress filtering, which can be implemented through a firewall or intrusion prevention system (IPS), enabling network admins to prevent applications on your network from reaching out to certain destinations or using unsafe protocols.
  3. Network Visibility – security teams often have limited visibility into the devices and applications that are operating across their networks. Bringing this fragmented knowledge together is essential for securing your network from exploits: keep an inventory of every device, whether IT, IoT or OT, classify and continually monitor them for configuration changes.
  4. Device Oversight – devices – including routers, switches, laptops and mobile phones – typically receive regular updates that patch zero-days when they are discovered by the malware researchers. Organizations should maintain an up-to-date inventory of all the devices connected to their network, set update policies, and replace devices that are no longer supported by the manufacturer.
  5. Third-Party Vendor Management – while no vendor can guarantee that their devices or software products won’t fall prey to a zero-day exploit, some vendors are more security conscious than others. Take inventory of your software supply chain, and research all your technology partners to ensure they are applying adequate security controls.
  6. Adopt a Zero-Trust Paradigm – when malicious actors compromise your network through a zero-day exploit, they will try to move laterally to other systems. A zero-trust security paradigm can stop them in the process by applying the principle of least privileges, and constantly verifying a user’s identity as they switch between devices and applications.
  7. Vulnerability Assessment – vulnerability assessments and penetration tests can help you to better document your IT infrastructure and remediate security gaps that increase the impact of zero-day exploits.

While there’s no way to eliminate the chance of a zero-day exploit altogether, developing a strong cybersecurity program can give your business the tools it needs to close cybersecurity gaps, eliminate risky vendors, and respond quickly in a disaster. 
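To make item 2 (egress filtering) concrete, here is an added nftables ruleset for a perimeter firewall; it is an example written for this page, not Securicon’s configuration or anything from the original article. The addresses are assumptions: 10.0.0.0/8 is the internal network, 10.0.0.53 the internal DNS resolver, 10.0.0.80 an outbound web proxy, and 203.0.113.0/24 a vendor range hosts may reach directly. The commented-out table at the top is the weak, inbound-only posture; the table below it is the corrected default-deny version.

```nft
# Added example (not from the original article). Addresses are assumptions:
# 10.0.0.0/8 internal network, 10.0.0.53 internal resolver, 10.0.0.80 web proxy,
# 203.0.113.0/24 a vendor range that may be reached directly on 443.

# --- Weak: "inbound-only" filtering. Anything inside can reach anything outside
# --- on any port, so a host compromised through a zero-day can beacon, pull
# --- second-stage payloads and exfiltrate over whatever protocol it likes.
# table inet fw {
#     chain forward {
#         type filter hook forward priority filter; policy accept;
#     }
# }

# --- Corrected: default-deny egress, explicit allow rules, log what is dropped.
table inet egress {
    # Destinations hosts may reach directly on 443 (vendor update servers, etc.)
    set direct_https {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies on connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # DNS only to the internal resolver: blocks DNS tunnelling to arbitrary servers
        ip saddr 10.0.0.0/8 ip daddr 10.0.0.53 udp dport 53 accept
        ip saddr 10.0.0.0/8 ip daddr 10.0.0.53 tcp dport 53 accept

        # Web traffic goes through the proxy, which applies its own URL policy
        ip saddr 10.0.0.0/8 ip daddr 10.0.0.80 tcp dport 3128 accept

        # Direct HTTPS only to the allowlisted ranges
        ip saddr 10.0.0.0/8 ip daddr @direct_https tcp dport 443 accept

        # Everything else (SMB, Telnet, raw TCP to random hosts, ...) is logged, then dropped
        limit rate 10/second log prefix "EGRESS-DROP: " level warn
        drop
    }
}
```

Load it with `nft -f egress.nft` and confirm with `nft list ruleset`. Two caveats a practitioner will hit immediately: the resolver and the proxy need their own outbound rules (they sit in 10.0.0.0/8 too, and this chain only forwards their traffic if a matching rule exists), and port-based allowlisting does nothing about exfiltration to a permitted destination on 443, which is why web traffic is steered through a proxy that can inspect URLs and apply the shadow-IT findings from the previous article.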

Partner With Cybersecurity Veterans

In today’s perilous cyber landscape, organizations need expert cybersecurity consultants to help them find and identify risks to their mission-critical assets. But with a worldwide shortage of cyber talent, finding experts has become increasingly difficult – fortunately, Securicon is here to help.

With a team comprised of veterans from the U.S. security community – including DoD, DHS and U.S. Cyber Command – we are equipped to prepare your organization for the worst, from gap analysis to compliance consulting, assessment support and audit preparation. To learn more, contact us today.