Tuesday, November 19, 2024

 

Comparing and Contrasting Volt Typhoon and Salt Typhoon: 
A Cyber Threat Analysis

Understanding the tactics and motivations of threat actors is crucial in the dynamic landscape of cybersecurity. Two notable groups, Volt Typhoon and Salt Typhoon, both linked to the Chinese government, exemplify the complexities of modern cyber threats. While they share some similarities, their methods and targets reveal distinct characteristics.

Similarities
  1. State-Sponsored Origins: Both Volt Typhoon and Salt Typhoon are believed to be state-sponsored actors, operating under the auspices of the Chinese government. Their activities align with national interests, focusing on espionage and data theft.
  2. Targeting Critical Infrastructure: Each group has demonstrated a keen interest in critical infrastructure. Volt Typhoon focuses on operational technology (OT) environments, while Salt Typhoon has targeted internet service providers (ISPs) and communication networks.
  3. Advanced Techniques: Both groups employ sophisticated cyber tactics. They utilize living off the land techniques, leveraging existing system tools to evade detection. Additionally, they exploit vulnerabilities in widely used network equipment.
Differences:
  1. Primary Objectives: Volt Typhoon primarily aims to maintain long-term access to networks for espionage, often focusing on operational technology sectors. In contrast, Salt Typhoon is more aggressive in its data theft efforts, particularly targeting sensitive information from ISPs and law enforcement systems.
  2. Methodologies: Volt Typhoon is known for its stealthy approach, using techniques that blend in with normal network traffic. Salt Typhoon, however, employs more disruptive methods, including the use of a kernel-mode rootkit called Demodex, which allows for deeper infiltration and control.
  3. Geographic Focus: While both groups operate globally, Salt Typhoon has been particularly active in North America and Southeast Asia, with recent high-profile breaches in U.S. broadband networks. Volt Typhoon's activities are more varied, targeting a broader range of critical infrastructure sectors. 
Common Recommendations:
Given the threats posed by both groups, organizations should adopt comprehensive cybersecurity strategies:
  • Regular Vulnerability Assessments: Conduct frequent assessments to identify and patch vulnerabilities in critical systems and network equipment.
  • Enhanced Monitoring: Implement advanced monitoring solutions to detect unusual network activity, especially in OT environments.
  • Employee Training: Educate staff on cybersecurity best practices, including recognizing phishing attempts and securing credentials.
  • Incident Response Plans: Develop and regularly update incident response plans to ensure quick and effective action in the event of a breach.
While Volt Typhoon and Salt Typhoon share common roots as state-sponsored cyber actors, their differing objectives and methodologies highlight the need for tailored cybersecurity measures.

In all cases:
  1. Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
  2. Implement phishing-resistant MFA.
  3. Ensure logging is turned on for application, access, and security logs and store logs in a central system.
  4. Plan “end of life” for technology beyond the manufacturer’s supported lifecycle.
 

Thursday, August 10, 2023

Using ChatGPT in Corporate Environments: Ensuring Data Security and Mitigating Exfiltration Risks

 I had a chat with Open AI the other day. Of course, being a security geek, I was shut down right away for asking “tell me all the ChatGPT exploits and associated security controls suggested to mitigate the risk”. Good to know that it came back with “I’m sorry Dave, I can’t let you do that”. And for the younger folks, that is from HAL, the mythical computer that foreshadowed our interaction with computers from the 1968 film "2001: A Space Odyssey". By adjusting my query to a more positive ask of "what are all the ways to allow the use of ChatGPT in corporate environments without the worry of sensitive data exfiltration?", it seemed happy to answer.

ChatGPT, with its versatile capabilities, has seen a surge in demand across various sectors, including corporate environments. Its impressive ability to provide solutions, answer questions, and simplify complex processes can be a game-changer for businesses. However, like all technology tools, there is a risk associated with data privacy and security. Ensuring that sensitive corporate data does not get ex-filtrated is paramount. The results of the response are a bit sophomoric, but a friendly reminder that it is possible to wrap practices around leveraging this powerful tool. And it all comes down to basic necessary cybersecurity practices (note the absence of the term "Best Practices").

Here are several methods to safely integrate ChatGPT into corporate settings:

Local Deployment

Dedicated On-Premises Setup: Deploying ChatGPT on local servers ensures that no data leaves the organization's premises. While this can be more resource-intensive, it provides complete control over the environment and data flow.

Data Anonymization

Strip Identifiers: Before querying ChatGPT, ensure that all data is stripped of personal or corporate identifiers. This way, even if data were to be intercepted, it would be challenging to link it back to an individual or an entity.

Regular Audits and Monitoring

Log Analysis: Implement logging mechanisms to monitor what kind of data is being sent to ChatGPT and ensure nothing sensitive is being shared. Regular audits can then be performed on these logs.

Real-time Monitoring: Tools that monitor data packets in real-time can help in immediately flagging or blocking any suspicious or non-compliant data transmissions.

Restricted Use Cases

Limited Scope: Instead of providing unrestricted access, companies can define a specific set of tasks or queries that employees can pose to ChatGPT. By doing so, the chance of inadvertently sharing sensitive information is reduced.

Training and Awareness

User Training: Employees should be adequately trained on the do's and don'ts when interacting with ChatGPT. This should include understanding the type of information that shouldn't be shared and how to formulate queries without giving away sensitive data.

Regular Updates: As with all cyber-security measures, periodic refreshers and updates to training materials are essential to accommodate the evolving landscape of threats and best practices.

Encryption

End-to-End Encryption: If ChatGPT is accessed over the internet, ensure that the connection is encrypted, making it difficult for data to be intercepted during transmission.

API Controls

Rate Limiting: By setting a limit on how frequently the API can be called, you reduce the risk of mass data exfiltration.

Whitelisting IPs: Only allow specific IPs to access the API. This will ensure that even if API credentials are compromised, unauthorized entities won't be able to access the service.

Regular Patches and Updates

Stay Updated: Ensure that your ChatGPT instance, whether cloud-based or on-premises, is regularly updated with the latest patches. This can help in addressing any known vulnerabilities.

Backup and Disaster Recovery

Data Redundancy: Have backup systems in place so that in the event of any mishaps, your data remains safe.  

Incident Response Plan: In case of any potential breaches or unauthorized access, having a clear response plan can help in quickly addressing the issue and mitigating risks.

Collaborate with the Vendor

Feedback Loop: OpenAI and other AI providers often appreciate feedback on potential vulnerabilities or security concerns. By maintaining an open line of communication, companies can ensure that they're aware of the best practices and updates specific to ChatGPT.

In conclusion, while the integration of tools like ChatGPT can introduce new avenues of risk in corporate environments, a combination of technological solutions and human vigilance can significantly mitigate these risks. As always, it's about finding the right balance between usability and security.


Monday, August 7, 2023

Alliances that changed history: From Digital Infrastructure to Operational Technology

The continual evolution of technology is what makes my journey as a security professional so fascinating. I have always told my protégés that “To truly be in cybersecurity, one must learn something new every day.” Few domains have witnessed such swift and transformative progression as cybersecurity. The maturation of this discipline has been driven by visionary alliances, initiatives, and ever-evolving threats that underscored the necessity for adaptability and foresight.

Foundational Internet Protocols came from an alliance. Established in 1986 and initially supported by the U.S. government, the IETF, currently led by Jay Daley has been operating under the auspices of the Internet Society since 1993, a non-profit organization with local chapters around the world. The IETF laid down the groundwork for internet standards and security. This foundation signified that as the internet burgeoned, security protocols would be paramount.

Approaching the new millennium, the digital realm faced an influx of sophisticated threats. This period gave birth to the MITRE Corporation's CVE (Common Vulnerabilities and Exposures) system in 1999, providing the cybersecurity community with a unified lexicon and approach to vulnerabilities. I've had the honor over the past year or so, of being a part of this alliance, specifically in the mapping of the CVEs to ISA/IEC 62443 and its subsequent promotion. MITRE also created the ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. These tactics have been amassed for Enterprise, Mobile, and as Samuel Visner noted in another post, as of January 2020, industrial control systems.

By the early 2000s, as digital infrastructure proliferated, initiatives like the Center for Internet Security (CIS), currently led by John Gilligan, and its Critical Security Controls emerged, setting the stage for a more secure digital era. These protocols became pivotal, outlining robust defensive mechanisms for organizations. Around the same period, the digital landscape acknowledged the indispensable nature of web security. Consequently, the Web Application Security Consortium (WASC) was established, shifting industry focus towards ensuring the integrity of web platforms.

By 2006, as online commerce expanded, the inception of the PCI Security Standards Council. The council was founded by American Express, Discover, JCB International, MasterCard, and Visa Inc. Founding Members share equally in ownership, governance, and execution of the organization’s work. This alliance and subsequent standards highlighted the real-world implications of cybersecurity. Tasked with ensuring the sanctity of financial transactions, this initiative would forever change the underlying processes and controls for protecting transactions, online and in brick-and-mortar establishments across all industries.
The late 2000s and early 2010s witnessed a surge in cloud technologies. Recognizing this shift, the Cloud Security Alliance, founded by my friend Jim Reavis in 2009, underscored the need for updated security practices.

In 2012, OASIS, a respected, non-profit standards body, led by Richard Struse introduced STIX/TAXII, Structured Threat Information Expression (STIX), and TAXII, short for Trusted Automated eXchange of Intelligence Information, championed a collaborative defense by facilitating structured sharing of real-time threat intelligence among diverse organizations.

As I said in my post yesterday, compared to the long history of maturing the security standards, processes only recently have the cybersecurity community, as a discipline, added focus to Operational Technology (OT) and Industrial Control Systems. However, as the digital realm matured, it was evident that unique security challenges faced Operational Technology and Industrial Control Systems. Recognizing the critical nature of infrastructures relying on OT and ICS, entities such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), established in the late 2000s, became pivotal in the domain. Operating under the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) led by Jen Easterly, ICS-CERT provides robust resources to bolster the defenses of critical infrastructures.

Industry groups, such as the International Society of Automation (ISA) with the ISA99 project led by Eric C. Cosman, introduced standards like the ISA/IEC 62443 series in the 2010s, providing tailored guidelines for industrial automation and control systems security. This further fortified the landscape with comprehensive guidelines tailored for industrial automation and control systems security. While we have made headway in identifying the OT attack vectors, tools, Techniques, and common knowledge, and built a security framework for OT, we still find ourselves, in some cases, using tools fundamentally designed for IT. Integration and sharing between OT and the IT business segments are necessary to fully measure and manage cybersecurity, and ultimately, the overall business risk.

So, let’s look at a practical example of how these alliances, which produced great standards and frameworks, have influenced technological advancements. From the early days of digital communication protocols to the modern focus on Operational Technology (OT) defenses, cybersecurity's journey has been nothing short of amazing. To illustrate the power of alliances, this example revolves around the birth and maturation of Security Information and Event Management (SIEM) systems.

Early log proliferation and the need for management in the same epoch that saw the foundational work of the Internet Engineering Task Force (IETF) in 1986, the IT world was rapidly expanding. As infrastructures grew diverse and complex, each facet churned out logs like a library endlessly acquiring new books. Unfortunately, at the time, logs were in many cases bespoke and disparate in format. Seeking Log aggregation and normalization, organizations, not just wanting to store but also make sense of these logs, birthed log management systems.

Real-time Threat Detection emerged parallel to the more standardized web security protocols championed by the Web Application Security Consortium (WASC). The cyber threat landscape was undergoing its own transformation. It wasn't just about keeping logs for forensic purposes anymore. The digital realm needed real-time vigilance. Enter Security Event Management (SEM) tools, focusing on detecting live threats by analyzing event data as it streamed in.

The expanding digital universe didn't just require independent solutions; it craved a merger. SIEM was this harmonious blend—marrying the archival capabilities of log management with the real-time alertness of SEM. The driving forces behind this amalgamation echoed the complexity of modern IT environments, stringent regulatory landscapes, and an ever-mutating threat panorama.

Initiatives such as PCI Security Standards Council, which underscored the tangible implications of cybersecurity, SIEM platforms began to solidify their position as indispensable tools for organizations. They offered businesses a panoramic view of their digital environment, crucial for detecting, responding to, and investigating security incidents. This shaped the future of Incident Response and the associated playbooks.

In 2012, SIEMs paved the way for the next generation of security tools. These included User and Entity Behavior Analytics (UEBA), focusing on nuanced behavioral patterns, and Security Orchestration, Automation, and Response (SOAR) systems, streamlining and integrating various security responses.
As we've observed through the progression from foundational internet protocols to OT security measures, the essence of cybersecurity needs to adapt. I would say it needs to remain fluid, however, I would be remiss. In the current security climate, "fluid" is simply too rigid, one must remain "vapor". The alliances made between government, industry, academia, and tool designers/vendors will continue to shape and define OT security. With the stories of SIEM, UEBA, and SOAR in mind, it becomes clear that alliances will influence tool adoption and capabilities.

Organizations will gravitate to, and look to adopt, tools and technologies that resonate with established or emerging frameworks and policy recommendations. This alignment not only helps secure current operations but ensures readiness for the threats of tomorrow. By doing so, we can ensure the continual evolution of the practices and technology choices of OT security. When it comes to safeguarding our most critical assets and infrastructures we all are better, faster, and stronger together than separately.
This wraps up my thoughts (for today anyway) on how alliances will change OT security. As global threats continue to grow, we grow and innovate. Stay brave, stay bold, and stay unified in our cybersecurity goals.

Our way forward: Alliances Drive OT Security

OT Security is a hot topic these days. We are in the early stages of defining OT Security as a practice. The IT security resource challenge pales in comparison to folks with an understanding of OT Security. 

That may be because we are still evolving. For OT Security, we are now where we were in the early to mid-1990s with defining IT Security. Currently, the sentiment is that IT Cybersecurity folks know little about the fundamental differences in OT, while the OT engineers that own the systems march toward a different set of objectives. 

As we further evolve OT Security, we will see alliances change the OT Security landscape, thereby solidifying OT Security as a unique discipline (and eventually a conscious career choice).

Having personally witnessed the evolution of Information Technology (IT) Security, I see the potential that we are repeating the challenges and gyrations of its early days of innovation—this time in the Operational Technology (OT) space. Once the industry finally surrendered to the notion that maintaining a true "Air Gap" between IT and OT environments was impractical, and an impediment to business-driven data sharing, we witnessed the floodgates open with an influx of vendors and technologies that fill “a” (sometimes perceived) security gap in OT. As we learned from IT, the "point solutions" will gravitate to one another, and security processes are streamlined through capability consolidation. The current era, driven by digital transformation and business-driven, process-related, information-sharing trends, places immense importance on OT security.

Cyber threats to OT have evolved from theory and speculation, like we saw coming from exercises like the Gartner-sponsored “Digital Pearl Harbor” event of 2002, into our new reality. These threats have not only materialized but have also grown in sophistication to the extent they are commoditized and sold as a service. As in the early days of IT Security, emerging point solutions clamor for the attention of senior leadership and budget. The situation is further complicated by the scarcity of engineers and other technical resources with a comprehensive understanding and focus on the entire corporate cybersecurity landscape. Exacerbating the dearth of talent, the OT security teams also need to possess a deep understanding of the Purdue Model's requirements, limitations, and processes. Looking for indications of compromise (IoC) in Industrial Control systems differs vastly from looking for IoCs in IT systems. This basic disparity between environments gives the OT security industry all three legs of the traditional cybersecurity triad, confidentiality, integrity, and availability (CIA) to massage and re-invent. For OT, maybe something more associated with the environment, like Reliable Access, Intended Functions, and Preserving Restrictions (AFR).

Déjà vu! As we saw in the IT Security space, forming strategic alliances has risen as a key strategy to foster innovation, share risks, and tap into new markets. More importantly, alliances help drive us to further define “true” OT Security.

The application of IT processes, policies, and technologies directly to OT can be as counterproductive as forcing a square peg into a round hole. Some of you may have heard me say, “Technology is not 'security' and 'security' is not technology.” Technology alone will not save your bacon. Technology is simply a tool to augment people and processes to achieve an acceptable level of risk management and make sound business decisions. However, the foundations of process and education need to evolve in tandem with technological transformation and improvement.

Our way forward crucially depends on pairing technologies that complement each other. The adoption of leading IT tools in OT, particularly with the onset of Industry 4.0, and the use of superior tools designed specifically for OT, will expand "OT Security" as a discipline. As tools evolve, so do people and processes. With the strategic alliances of key industry leaders, we will further define the maturation roadmap of OT Security. This evolution will drive higher learning and training opportunities. Strategic alliances unlock a multitude of benefits, such as shared resources, combined knowledge, and broadened customer reach.

Considering the opportunities and the proven strategic value of alliances in the OT security landscape, it is imperative for us to explore potential partnership avenues. To succeed, we must identify partners aligning with the strategic objectives of OT operators and commensurately grow the OT security discipline. Through the mutually beneficial nature of strategic alliances, we can capitalize on our unique strengths to spur exponential growth in the OT security domain. We should view exploring potential alliances as more than a necessity for advancing OT Cybersecurity—it's a strategic advantage for enhancing our security capabilities, expanding our market reach, and maintaining our lead in the rapidly evolving OT security landscape. I am happy to connect to discuss ideas or suggestions about OT Security, its evolution, or especially any gaps in (or a wish list for additional) capabilities.

Saturday, July 29, 2023

Control System Attacks: The Power of Virtual Digital Twins & Config Files

When we look at Operational Technology (OT), system failures and outages are a part of running the business and the unavoidable price of complex control system operation. However, hidden in plain sight, leveraging vulnerabilities in technology, process, or visibility, and cloaked as operational 'hiccups', may be indications of OT cybersecurity incidents.

One of the greatest challenges we face as OT security practitioners is the difficulty in distinguishing between a standard system issue and a targeted cyber-attack. This predicament creates operator/responder fatigue and is analogous to the boy who cried wolf: is it a false alarm or a genuine threat? Do we have spares? Do we even know our vulnerable assets? Sometimes, just answering this question may be much more complex than looking at a single asset, class, or condition. This classic fable finds a striking parallel in our OT environments, where the 'wolf' of potential or actual cyber-attacks often masquerades as the 'boy’s cries' of typical operations and system failures, causing confusion and delay in effective attribution and responses.

For example, consider the lessons from the notorious Stuxnet worm attack that unfolded in 2010. While initially appearing to be a common system or process anomaly, it was revealed to be a highly sophisticated and targeted cyber weapon. Stuxnet was an exploit that targeted Supervisory Control and Data Acquisition (SCADA) systems, Siemens' Step7 software, widely used in programmable logic controllers (PLCs). The worm reconfigured these PLCs, eventually causing significant damage to Iran's nuclear program by subtly altering the speed of centrifuges. It did so while sending normal operating values to the control room, making it seem like everything was operating normally. 

The 2015 cyber attack on Ukraine's power grid serves as another stark reminder of the complexity and potential impact of OT Cyber Attacks. Initially masked as a mundane power outage, this event turned out to be a well-orchestrated cyber attack, demonstrating a new level of sophistication in OT security threats. The adversaries used spear-phishing emails to gain initial access to the systems of three regional electricity distribution companies. They then moved laterally across the Information Technology (IT) and OT network, eventually gaining access to the HMIs used by operators to monitor and control the distribution substations. Utilizing the KillDisk malware, the attackers wiped critical system files on these control systems, causing about 230,000 people to lose power in the middle of winter.

Norsk Hydro, one of the world's largest aluminum producers, was also hit by a severe cyber attack in March 2019. This ransomware attack, known as LockerGoga, brought the company's operations to a standstill, causing significant disruptions in its worldwide production.

The LockerGoga ransomware infiltrated Norsk Hydro's systems and began encrypting files, rendering critical systems and data inaccessible. Interestingly, rather than primarily focusing on the company's IT systems, the attack went a step further - it targeted the company's OT assets, including the control systems that managed the aluminum production lines.

Once inside the system, the attackers locked out operators from their HMI interfaces, thereby preventing them from monitoring or adjusting the production processes. This resulted in a substantial decrease in Norsk Hydro's production capacity, forcing the company to switch to manual operations wherever possible.

The economic impact of the attack was substantial. Norsk Hydro reported a financial loss of approximately $40 million dollars in the first week following the incident. The total costs, including recovery and lost revenue, exceeded $70 million dollars. Moreover, the attack had a prolonged effect on the company's ability to fulfill orders, impacting its reputation and customer relations.

These real-world incidents illustrate the significant potential for OT Cyber Attacks to cause extensive physical and financial damage. These incidents also underscore the need for advanced and comprehensive security strategies in OT environments, including the use of virtual digital twins and detailed configuration file analysis. As shown by these examples, a deeper and more comprehensive understanding of the ingress and egress points, and the symbiotic relationship between our OT environments and IT, is necessary.

To fully articulate the extent of this issue, we need to explore the Purdue Model, which has remained the gold standard for Industrial Control System (ICS) architecture, despite rumblings that it is outdated. The Purdue Model for Control Hierarchy, an industrial reference model, provides a structured framework for process control, separating network functions and assets into multiple layers. From the physical process layer, where field devices like sensors and actuators are found; moving up to supervisory control with Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs); all the way to the business planning and logistics system on the top-level, each layer represents a unique set of assets and communication protocols. While this segregation is beneficial for structured operations, it poses a challenge for comprehensive cybersecurity. Security tools, techniques, and procedures (TTPs) effective at one layer might be nonexistent, inadequate, or even incompatible and detrimental, at another. There will always be assets that cannot be "secured" from a technological standpoint. 

Some of the OT Asset discovery and management solutions on the market today use Deep Packet Inspection (DPI) to gather asset information. This technology emerged from the IT world as a tool for examining the data part (and not just the header) of a packet as it passes an inspection point. This process looks at identifying its content to determine whether the packet complies with predetermined rules. In another wrinkle, these rules typically rely on known conditions for which to search, doing little for a zero-day exploit. In the realm of Operational Technology, DPI tools safeguard and monitor the network traffic within and across the upper layers of the Purdue Model. These layers are undergoing a transformation into more open IT-like hardware and software, influenced by the Industrial Revolution 4.0. However, the complexity and diversity of protocols used deeper down in OT, the latency sensitivity, and the physical differences between "Programming IT" and "Configuring OT" assets require more of a "CMDB for OT" approach to cybersecurity. The ability to safely and seamlessly access the configuration files of OT assets for quick "drill down" examination is imperative, based on the sheer nature of OT systems, for cybersecurity incident response or research and is extremely beneficial in supplementing operational efficiency. Relying solely on DPI-gathered asset information can fall short of providing the complete tapestry of risk, vulnerability, and asset visibility. This might be akin to reading every fourth page of a novel. It obfuscates vital plot developments, characters' motivations, or subtle foreshadowing, all crucial to understanding the complete story.

The packet headers, serial numbers, and network information gathered through DPI network analysis tools provide valuable insights into networked asset system communications, adversarial movement, and potential anomalies. For instance, they can help identify an unauthorized device attempting to communicate within the boundaries of the system or flag unusual data transmission patterns. However, they don't necessarily illuminate the complete operational context of these communications. Without understanding the interplay of all devices capable of being captured (up and down the layers) within a control system, along with the operational conditions at the time of an incident, we find these data points can leave analysts wanting, generating more questions than answers.

Configuration files provide a much richer source for understanding a system's setup, including the roles and behaviors of various devices, their communication patterns, and the expected operational parameters and conditions. Analyzing these files can yield much more detailed insights, enabling a quicker, more effective response to potential issues or attacks. Configuration files - the DNA of our systems - hold a wealth of untapped data. They can reveal the system's design, architecture, and potential vulnerabilities. It's like having a comprehensive synopsis of the novel, including all characters, their motivations, and the entire plot. 

By employing emerging virtual digital twin technology, a digital replica of the target system, we could go further and analyze these configuration files in a safe, non-disruptive environment. Using the configuration files, we can definitively tell "what's connected to what", "what applications are running", and at what revision level. We can look at the up and downstream effects of a change. With the power of configuration file analysis, we gain visibility into configuration baselining. We can see "what keys were changed" and when (what sequence, etc.). Traditionally, a small adjustment to the tolerance gap of a process that produced unwanted production results could elude discovery without the ability to drill down, examine and compare config files. 

When configuration file analysis is paired with a virtual twin of the system, researchers and analysts can safely investigate issues, test hypotheses, and develop countermeasures without risking the live system. In the continuously evolving landscape of OT security, these techniques offer a promising way forward. It offers an unprecedented opportunity for deep analysis akin to forensic examination without the usual confines. It propels us from being reactive to proactive, from battling uncertainty to commanding confidence.

Unfettered access to, and analysis of, the configuration files illuminates the system's inherent structure and significantly increases our success rate for streamlining our response time (MTTR) in mitigating OT cyber events. In our constant pursuit of enhanced OT cybersecurity, the pairing of virtual twins and the last known "good" configuration files becomes a potent tool to unmask the 'wolf' and defend our systems effectively.

Friday, July 28, 2023

Purpose-Built ICS Assets and the Unique Challenges of Cybersecurity

Edward J. Liebig

There are a lot of “me too” vendors jumping on the OT Cybersecurity bandwagon. Many businesses are finding out the hard way that the cybersecurity rules for information technology (IT) systems don't necessarily apply to industrial control systems (ICS). Not just technologically, but IT processes and policies don’t seamlessly apply to OT as well. Why? The answer lies in the fundamental differences between IT systems and "Purpose Built" ICS assets. 

"Purpose Built" – What does it mean?

Purpose-built ICS assets, such as Programmable Logic Controllers (PLCs), Distributed Control Systems (DCSs), and Supervisory Control and Data Acquisition (SCADA) systems, are designed and configured for specific operational tasks. They typically focus their purpose on the control of industrial processes or systems, from production lines in manufacturing facilities to electrical grid management systems.

In contrast, designers typically make IT systems with a more general-purpose functionality. These assets are "programmed" to perform a dynamic and broad range of tasks, such as data processing, information management, communications, and network services.

The difference in the approach between "programming" and "configuration" is what sets these systems apart. IT assets are programmed for various functionalities and can thus operate in widely differing capacities. Meanwhile, ICS assets are typically customized through configuration for a specific task, making their functionality more restricted.

What is the connection to cybersecurity?

The implications of this difference are profound when it comes to cybersecurity. In IT systems, vulnerabilities and potential attack vectors are more easily identified and studied due to the widespread use of these systems and the standardization of their programming languages and techniques. In many cases, this makes automation of vulnerability detection and security patch deployment more straightforward.

Conversely, ICS assets are in a class of their own. Their unique configurations and custom-built functionalities can make them much more elusive to study and understand from a cybersecurity standpoint. Cybersecurity research in the ICS realm can be challenging due to the specific nature of each system and the lack of standardization. This also makes automation of vulnerability detection and security hardening much more difficult.

Let's take the case of an energy grid managed by SCADA systems. These highly specialized systems are configured to control and monitor every aspect of the grid with precision. A vulnerability in such a system might not present in the same way it would in a general-purpose IT system, or it may be hidden within the custom configuration of the system.

This complexity is compounded by the potential for significant real-world consequences if an ICS asset is compromised. An IT system security breach is bad, but a successful attack on an ICS asset may cause physical damage or even threaten human safety.

The Leadership Perspective

From an executive leadership perspective, the unique cybersecurity challenges presented by purpose-built ICS assets necessitate a tailored approach. We must prioritize understanding these systems in their specificity and invest in dedicated ICS cybersecurity solutions. To effectively search for signs of compromise or attack, it is necessary to have visibility into, and a thorough understanding of, the ICS asset configuration files. 

A one-size-fits-all IT cybersecurity strategy will not suffice. While applying general cybersecurity best practices is crucial, we also need to focus on system-specific vulnerability assessments and penetration testing for ICS assets. This requires a deep understanding of each system's unique configurations and the potential cybersecurity threats they might pose.

To better safeguard our essential industrial infrastructures, we need to blend a robust OT-specific cybersecurity foundation with an individualized approach to ICS security processes, policies, and procedures. 


Friday, July 14, 2023

How well are we “doing” with our overall security program?


By: Edward Liebig

07/14/2023

Additional Complexity that needs to be measured

The diminishing “airgap” and proliferation of systems designed on IT principles reach deeper levels of the Purdue Model, Operational Technology (OT) operators find themselves gaining additional benefits coupled with additional security concerns. This has led many OT operators to look at OT security through a dedicated “OT Secure Operation Center (SOC)” that focuses on industrial control systems. The OT SOC amasses Tactics, Techniques and Procedures (TTPs), and OT-specific tools to aid the OT Engineering team with defending and preserving their world. These OT SOC(s) concatenate metrics and Indicators of Compromise/Attack (IoC/IoA) with the IT SOC. Ideally, another layer should amass data on the performance of the security program and its effectiveness. To manage cybersecurity risks effectively and maintain a strong defense posture, organizations need a clear understanding of their security program and the ability to measure their progress toward key objectives.

Enter key performance indicators (KPIs), these metrics allow organizations to gauge and track their cybersecurity effectiveness. In this article we delve into cybersecurity KPIs, exploring their meaning, showcasing real-world examples of cybersecurity metrics, and highlighting the numerous benefits of employing a data-driven approach to cybersecurity management.

KPIs in Cybersecurity

Key Performance Indicators (KPIs) are crucial components that allow businesses to measure and analyze their performance in relation to defined objectives. Effective KPIs drive strategic goals, facilitate decision-making, and ensure that your team is on the right track. Here are some of the most pertinent KPIs within the cybersecurity realm:

  • Number of Detected Threats: This measures the volume of threats identified within a given timeframe. It provides insight into the effectiveness of your intrusion detection systems and threat intelligence capabilities.
  • Incident Response Time: This metric measures how quickly your security team can identify and respond to a security incident. The faster the response, the less potential damage.
  • Patch Management Cadence Trend: This KPI determines the efficiency at which identified vulnerabilities are patched. Rapid response reduces the risk of exploitation.
  • Percentage of Staff Trained in Cybersecurity: This indicates the proportion of employees who have undergone cybersecurity training. A well-educated workforce is the first line of defense against cyber threats.
  • Cost of a Data Breach: This KPI provides a tangible figure on the financial impact of a “declared” data breach, factoring in costs associated with recovery, regulatory fines, reputational damage, and customer compensation.

Benefits of these KPIs include:

  • Improved decision-making: Real-time, data-driven insights allow for more informed, timely decisions.
  • Enhanced communication: Clear, measurable goals improve transparency and align the entire organization on cybersecurity objectives.
  • Strategic alignment: KPIs help ensure that day-to-day activities are aligned with the larger strategic goals of the organization.

Challenges to measuring and automating the collection and analysis of these KPIs include:

  • Data integrity: Ensuring accurate, reliable, and consistent data can be challenging, especially with large volumes of data and numerous data sources.
  • Timeliness: Real-time or near real-time data collection and analysis can be difficult, especially for large organizations with numerous potential threats and vulnerabilities.
  • Complexity: Cybersecurity is complex, with many interconnected parts. Simplifying this into easy-to-understand KPIs can be challenging.

In cybersecurity specifically, KPIs help to evaluate the effectiveness of security measures and processes to mitigate security threats.

Some other commonly used KPIs in cybersecurity:

  • Security incidents. This KPI measures the total number of “declared” security incidents, including data breaches, malware infections, unauthorized access attempts, and system compromises.
  • Intrusion attempts. How often have malicious actors tried to breach your networks? By monitoring “who’s knocking at the door” it feeds intel to identifying and profiling potential threat actors.
  • Mean time between failures (MTBF). How much time elapses between one system or product failure and the next? This metric helps to understand system reliability.
  • Mean time to detect (MTTD). MTTD measures the average time taken to detect security incidents from the moment they occur. It reflects the efficiency of an organization’s detection mechanisms and its ability to identify and respond to threats promptly.
  • Mean time to recovery (MTTR). How long does your organization take to recover from a system failure?
  • Cost per incident (not Breach). This KPI measures the average cost incurred by the organization for each “declared” security incident. It considers factors such as incident response efforts, investigation, remediation, legal actions, regulatory fines, and other associated costs.
  • Cybersecurity awareness training. How well are you maintaining documentation for security awareness training? Are you including all members of your organization, including senior executives?
  • Number of cybersecurity events reported. Are employees and users reporting cybersecurity issues to your team? If yes, that’s a good sign; the employees and stakeholders recognize the issues outlined in your training.
  • Compliance with security policies and regulations. This compliance metric measures the degree of adherence to security policies, standards, and regulatory requirements. It helps to assure that security controls and measures are implemented as per the defined guidelines.
  • Security ratings. Security ratings provide a simple score to communicate metrics to non-technical colleagues, evaluating your company’s security posture in various categories such as network security, patching cadence, endpoint security, IP reputation, web application security, hacker activity, leaked credentials, and social engineering.
  • Phishing attack success. This KPI measures the percentage of employees who fall victim to phishing attempts by clicking on malicious links or providing sensitive information.
  • Vendor patching cadence. This vendor risk management KPI refers to how often (and promptly) third-party vendors release and deploy patches to address security vulnerabilities in their products or services. It is an essential aspect of third-party risk management as it directly affects the security of organizations relying on these vendors.
By critically looking at your organizational goals and employing these or other KPIs, you can better manage, understand, and enhance your organization's cybersecurity posture. Even amid adding an operational technology, OT SOC to the mix. 


Tuesday, June 13, 2023

Industrial Revolution 5.0 Cybersecurity

The Industrial Revolution 5.0 builds upon the integration of systems and technology that has been typically designed for and run on IT networks to be used in the OT environment (Industrial Revolution 4.0). Including Environmental Social and Governance criteria, organizations have another facet of risk to which to attend. This progression of ESG risk vantage points is supported by a societal movement referred to as "Society 5.0". This social movement is a concept that aims to create a human-centric society by integrating cutting-edge technologies into various industries. The fusion of technologies characterizes this revolution, such as artificial intelligence (AI), the Internet of Things (IoT), big data, robotics, and blockchain, among others. While these technologies offer immense potential for economic growth and societal improvement, they also introduce additional cybersecurity risks to critical infrastructure sectors. 
  • Artificial Intelligence (AI) - AI technologies are increasingly being employed across various critical infrastructure sectors for enhancing efficiency, productivity, and decision-making. However, the growing reliance on AI systems also introduces new cybersecurity risks, such as expedited adversarial attacks, data poisoning, and model inversion, posing threats to the confidentiality, integrity, and availability of critical infrastructure.
  • Industrial Internet of Things (IIoT) - IIoT devices are widely integrated into critical infrastructure systems, including transportation, energy, water, and healthcare that monitor and control various processes. The expanding IIoT ecosystem that is integrated into legacy control systems lacks interoperability between components to support standardized IT "like" security techniques. This "difference between IT and OT", coupled with the lack of standardized security protocols in OT, can create significant vulnerabilities in critical infrastructure, enabling cyberattacks such as distributed denial-of-service (DDoS) attacks and data breaches.
  • Big Data - The analysis of big data is essential for informed decision-making in critical infrastructure sectors. However, the storage and processing of vast amounts of sensitive data create potential security risks, including unauthorized access, data tampering, and data exfiltration.
  • Robotics - The deployment of robotics in critical infrastructure sectors such as manufacturing, logistics, and healthcare presents new cybersecurity challenges. Vulnerabilities in robotic systems can lead to physical damages, unauthorized access, and manipulation of sensitive data, ultimately affecting our critical infrastructure.
  • Blockchain - While blockchain technology has the potential to improve the security and transparency of critical infrastructure, it also presents several cybersecurity risks, such as the 51% attack, smart contract vulnerabilities, and Sybil attacks.
Critical Infrastructure risks

This revolution will impact a wide range of critical infrastructure industries, including:
  • Energy: The energy sector, encompassing power generation, transmission, and distribution, will see increased implementation of smart grids, renewable energy sources, and AI-driven predictive maintenance. This transformation will enable more efficient and resilient energy systems but also introduce new cybersecurity risks.
  • Transportation: IR 5.0 technologies like autonomous vehicles, smart traffic management, and data-driven logistics optimization will transform the transportation sector. These advancements will improve the efficiency and safety of transportation systems while presenting new cybersecurity and data privacy challenges.
  • Manufacturing: The manufacturing sector will increasingly adopt advanced technologies such as robotics, AI, IoT, and additive manufacturing to create smart factories, enabling higher efficiency, flexibility, and customization. This transition to Industry 5.0 and beyond will also introduce additional risks and vulnerabilities to critical infrastructure.
  • Water and wastewater management: IoT devices, AI-driven monitoring, and automation will play a significant role in improving water management systems. This will enable better resource allocation and early detection of leaks or contamination events, but also expose the sector to new cybersecurity risks.
  • Healthcare: IR 5.0 technologies like telemedicine, AI-driven diagnostics, personalized medicine, and remote patient monitoring will revolutionize healthcare delivery. These advancements can improve patient outcomes and accessibility but also raise concerns about data security and privacy.
  • Financial services: The integration of advanced technologies like AI, blockchain, and biometric authentication in the financial sector will transform banking, payments, and insurance services. This transition will bring greater efficiency and security, but also create new vulnerabilities and regulatory challenges.
  • Telecommunications: The deployment of 5G networks and IoT connectivity will accelerate the growth of smart cities, connected industries, and consumer services. This expansion will enable new applications and services, but also present additional security risks to critical infrastructure.
  • Agriculture: Precision agriculture, powered by AI, IoT, robotics, and data analytics, will increase crop yields, optimize resource utilization, and minimize environmental impacts. However, the reliance on advanced technologies will also introduce new vulnerabilities to the agriculture sector's critical infrastructure.
Industrial Revolution 5.0 will introduce a range of additional risks to critical infrastructure industries due to the increased reliance on advanced technologies. Some specific additional risks include:
  • Increased attack surface: The integration of interconnected devices and systems in critical infrastructure industries will expand the potential attack surface for cybercriminals, increasing the opportunities for exploitation.
  • Data privacy concerns: With the large-scale collection, storage, and processing of sensitive data, IR 5.0 will introduce new data privacy risks. Unauthorized access, data breaches, and data misuse could have severe consequences for individuals and organizations alike.
  • Supply chain vulnerabilities: As industries become more reliant on technology vendors and service providers, supply chain vulnerabilities will become a significant risk factor. Compromised components or software can introduce security weaknesses that affect the entire infrastructure.
  • The complexity of security management: The integration of multiple advanced technologies and interconnected systems will increase the complexity of security management, making it more challenging for organizations to maintain visibility and control over their security posture.
  • Insider threats: As organizations adopt more sophisticated technologies, the potential damage caused by insider threats will increase. This can include intentional or unintentional actions by employees, contractors, or other trusted individuals with authorized access to systems and data.
  • New vulnerabilities in AI and machine learning systems: The adoption of AI and machine learning in critical infrastructure industries will introduce new and unforeseeable risks, such as adversarial attacks, data poisoning, and model inversion. These threats could undermine the reliability and integrity of AI-driven systems.
  • Increased reliance on automation: Greater automation in critical infrastructure industries can lead to an overreliance on technology, potentially resulting in inadequate human oversight, slower response times to incidents, and increased vulnerability to automated cyberattacks.
  • Obsolescence and backward compatibility: As critical infrastructure industries modernize their systems and adopt new technologies; they may face challenges in maintaining compatibility with older or legacy systems. This can create security gaps and increase the risk of cyberattacks on these older systems.
  • Cross-sector interdependencies: The interconnected nature of IR 5.0 technologies will result in greater interdependencies between different critical infrastructure sectors. A cyber incident in one sector could have cascading effects across other sectors, potentially causing widespread disruption.

The impact of IR 5.0 on critical infrastructure industries will bring about a myriad of benefits, such as increased efficiency, improved sustainability, and enhanced productivity. However, the widespread adoption of these technologies will also expose these industries to additional cybersecurity risks that must be managed across both IT and OT to ensure the resilience and security of our critical infrastructure. Collaboration between public and private sector stakeholders will be essential in ensuring the security and resilience of critical infrastructure in the era of the Industrial Revolution 5.0.

Operational Technology - Industrial Control System (ICS) Attack types

Industrial control systems (ICS) are critical components of infrastructure, such as manufacturing, power plants, water treatment facilities, and transportation systems. Cybercriminals and nation-state actors often target these systems, resulting in significant risks to the availability, integrity, and confidentiality of ICS. The most common attack vectors in industrial control systems include:
  • Phishing: Phishing attacks are commonly used to deceive employees into providing sensitive information or inadvertently installing malware on ICS networks. These attacks often involve the use of social engineering tactics and carefully crafted emails to gain access to critical systems. Generative Pre-Taught technologies have made the production of phishing emails smoother and more accurate.
  • Remote access exploitation: Many ICS rely on remote access technologies, such as virtual private networks (VPNs) and remote desktop protocols (RDP), for maintenance and monitoring purposes. Attackers often exploit vulnerabilities or weak configurations in these remote access systems to gain unauthorized access to ICS networks. This attack surface has grown much larger due to the COVID-19 pandemic.
  • Malware and ransomware: Attackers often use malware and ransomware to compromise ICS networks, disrupt operations, and extort organizations. Attackers introduce malware through various channels, including malicious emails, infected USB drives, and compromised software updates.
  • Wireless network attacks: Industrial control systems often utilize wireless networks for communication and control. Attackers can target these networks by intercepting, modifying, or injecting malicious data, leading to unauthorized access, data manipulation, or even complete control over the ICS.
  • Supply chain attacks: Attackers can target third-party vendors and suppliers that have access to ICS networks, as these entities may have weaker security measures in place. Once the attackers compromise the supplier's systems, they can use this access to infiltrate the target organization's ICS network.
  • Human error: Human error, such as weak password policies or unsecured system configurations, can lead to vulnerabilities in ICS networks. Attackers can exploit these weaknesses to gain unauthorized access and cause disruptions in critical systems.
  • Insider threats: Employees, contractors, or other individuals with authorized access to ICS networks can pose a significant risk if they intentionally or unintentionally cause harm to the systems. This can include the unauthorized disclosure of sensitive information, data manipulation, or intentional sabotage.
  • Zero-day vulnerabilities: Zero-day vulnerabilities are security flaws in software or hardware that are unknown to the vendor or affected parties. Attackers can take advantage of these vulnerabilities before they are patched, gaining unauthorized access or control over ICS networks.

Conclusion
To protect industrial control systems from these attack vectors, organizations must adopt a comprehensive approach to cybersecurity, including regular risk assessments, security awareness training, proactive network monitoring, and the implementation of multi-layered security measures. 

This all starts with a comprehensive asset lifecycle and cybersecurity management program. Risk is inherent in industrial facilities, but risk acceptance doesn't have to be. Hexagon helps mitigate OT/ICS cybersecurity risk by enabling you to assess your risk utilizing a proprietary risk scoring method to visualize and comprehend risk within the industrial facility in your own context. Armed with this powerful insight, you will be more equipped to focus your OT security investments on the activities that reduce the most risk to make your industrial operations safer and more resilient. 

The Industrial Revolution 5.0 is transforming critical infrastructure sectors, offering numerous benefits and opportunities for growth. However, it also introduces additional cybersecurity risks that must be addressed to ensure the confidentiality, integrity, and availability of these essential systems. The proper implementation of cybersecurity necessary practices and the development of resilient technologies will be key to mitigating these risks.

Monday, June 12, 2023

Holistic Enterprise IT/OT Risk Management

 Implementing a unified risk measurement approach across both IT and OT environments can be challenging for OT operators due to several non-technical obstacles. These obstacles can hinder the effective measurement of risk and the integration of security programs. Here are some common non-technical obstacles:

  • Organizational Silos: OT and IT departments often operate in separate silos within an organization. This siloed structure can create barriers to collaboration and hinder the sharing of information and resources. Differences in goals, priorities, and communication channels can impede the development of a unified risk measurement strategy.

  • Cultural Differences: The cultural differences between IT and OT teams can pose challenges to aligning risk measurement approaches. IT teams are typically more familiar with cybersecurity concepts, while OT teams prioritize operational reliability and safety. Bridging the gap between these two cultures requires effective communication, education, and fostering a shared understanding of the importance of integrated risk measurement.

  • Knowledge and Skill Gaps: OT operators may lack the necessary knowledge and skills related to IT security, and vice versa. Understanding the unique characteristics, vulnerabilities, and threats of both IT and OT environments is crucial for accurate risk measurement. Bridging these knowledge gaps through training, cross-training, and knowledge-sharing initiatives is essential for effective risk assessment.

  • Regulatory and Compliance Challenges: Different regulatory frameworks and compliance requirements often govern IT and OT separately. These differing regulations can create complexity when trying to establish a unified risk measurement program. Overcoming regulatory challenges requires a comprehensive understanding of the applicable regulations and finding commonalities to align risk measurement practices.
  • Resource Constraints: Implementing risk measurement programs across IT and OT environments requires significant resources, including budget, personnel, and technology. Limited resources can impede the integration of security programs and the allocation of necessary resources to measure risk holistically. Prioritization, resource allocation, and leveraging cost-effective solutions are essential to overcoming these constraints.
  • Legacy Systems and Infrastructure: Many OT environments still rely on legacy systems and infrastructure, which may lack the necessary security controls and monitoring capabilities. Integrating these legacy systems with modern IT security tools and technologies can be challenging and may require substantial investments in upgrades or replacements.

Overcoming these non-technical obstacles requires a combination of leadership support, cultural change, cross-functional collaboration, and effective communication. It is essential to foster a shared vision of risk measurement across IT and OT, break down organizational silos, and bridge knowledge gaps to ensure a comprehensive and unified approach to measuring risk in both environments.

Thursday, June 1, 2023

 ICS Cybersecurity Forecast for 2023/2024

The forecast for cybersecurity in the Industrial Control Systems space (ICS) for 2023 is based on the metrics available for 2022. Please note that the forecast is speculative and subject to change as new information becomes available.

1. Increased Targeting of ICS: As the importance of critical infrastructure grows, attackers will continue to target Industrial Control Systems. The number of cyberattacks against ICS is likely to increase, driven by both state-sponsored actors and financially motivated cybercriminals. These attacks may aim to disrupt operations, compromise sensitive data, or cause physical damage.

2. Ransomware Attacks on ICS: Ransomware has emerged as a significant threat in recent years, affecting various sectors. In 2023, the ICS sector may experience a rise in ransomware attacks. Attackers may employ sophisticated techniques to encrypt ICS systems and demand significant ransom payments, putting organizations under immense pressure to restore operations quickly.

3. Supply Chain Attacks: Supply chain attacks, where malicious actors compromise trusted software or hardware components, have become a growing concern. In 2023, the ICS sector may witness an increase in supply chain attacks, potentially impacting the integrity and security of ICS systems. Organizations will need to prioritize supply chain risk management and adopt rigorous vetting processes for their vendors and suppliers.

4. Emergence of Advanced Threats: As adversaries become more sophisticated, the ICS sector will face advanced threats that leverage zero-day vulnerabilities and complex attack methodologies. Attackers may exploit gaps in ICS security architectures and target specific weaknesses, making it crucial for organizations to invest in advanced threat detection and response capabilities.

5. Continued Focus on Vulnerability Management: Vulnerability management will remain a key priority for ICS security in 2023. Organizations will need to establish robust processes to identify, assess, and remediate vulnerabilities promptly. Patch management, network segmentation, and regular security assessments will be essential to maintain a resilient ICS environment.

6. Regulatory Compliance and Standards: Governments and regulatory bodies worldwide are recognizing the criticality of securing ICS environments. In 2023, there may be an increased emphasis on ICS cybersecurity regulations and standards. Organizations will need to ensure compliance with relevant frameworks, such as the NIST Cybersecurity Framework or industry-specific guidelines, to demonstrate their commitment to protecting critical infrastructure.

7. Enhanced Security Awareness and Training: As the human factor remains a significant vulnerability, organizations will invest in security awareness and training programs for employees. Training initiatives will aim to educate staff about common attack vectors, phishing techniques, and the importance of adhering to security protocols. Regular awareness campaigns will be crucial to foster a culture of cybersecurity within ICS organizations.

8. Collaboration and Information Sharing: Recognizing the collective defense approach, industry collaboration and information sharing will gain further importance in 2023. Organizations will actively participate in sharing threat intelligence, best practices, and incident response experiences with peers and relevant cybersecurity communities to stay ahead of emerging threats.

These predictions are based on the understanding that the threat landscape is dynamic and ever-evolving. As the year progresses, new vulnerabilities, attack vectors, and regulatory developments may influence the actual cybersecurity landscape for Industrial Control Systems in 2023. Organizations should remain vigilant, adapt their security strategies accordingly, and stay abreast of the latest cybersecurity trends and practices.