Proposed Federal Law Would Boost Security Training for Utilities, Critical Infrastructure Operators
Legislation aims to bolster cyber defenses, but operators should still act now to strengthen security skills
Congress wants to require organizations deemed critical infrastructure to have a cybersecurity awareness training program. And it’s pushing through legislation that would provide such training for free.
More specifically, the Industrial Control Systems Cybersecurity Training Act requires the Cybersecurity and Infrastructure Security Agency – better known as CISA – to provide cybersecurity workers with no-cost training on best practices for securing industrial control systems.
It also calls for CISA to provide both virtual and in-person training, with courses targeted to workers at various skill levels.
These programs would be available to security workers in government entities as well as the private sector.
This new training initiative would supplement a raft of existing training programs already offered by CISA.
The government’s goal here is to ensure security professionals know about emerging threats and how they can most effectively mitigate them – an essential skill in a world where adversarial tactics and techniques are constantly evolving.
Indeed, the bill’s sponsor – U.S. Rep. Eric Swalwell, a California Democrat serving on both the House Select Committee on Intelligence and the House Homeland Security Committee – introduced the bill in May in response to the increasing number of cyberthreats coming out of Russia, saying that the country “must be cognizant of cyberwarfare from state-sponsored actors.”
He noted that this legislation “would help train our information technology professionals in the federal government, national laboratories, and private sector to better defend against damaging foreign attacks.”
Members of both parties agreed: The House on June 21 passed the bill with strong bipartisan support, sending it to the Senate for its approval.
This training initiative has Strive’s vote of confidence, too, as we have long believed that a well-trained, well-informed cybersecurity workforce is essential to protecting both operational technology (OT) and information technology (IT).
And we expect this bill to be enacted into law – as it should be.
Our country needs more training to counter the growing number and sophistication of attacks coming at us here in the United States and at the critical infrastructure sector in particular.
We also recognize that this training could help address some of the challenges that organizations face on the talent front.
First, there’s a lack of cybersecurity professionals in general. A report from the International Information System Security Certification Consortium, or (ISC)², puts the number of unfilled cybersecurity jobs at 377,000 in the United States alone. (It’s about 2.7 million globally.)
The nonprofit Cyberseek puts the number of unfilled U.S. cybersecurity positions even higher, at 714,548 as of mid-August.
At the same time, many of the existing cybersecurity professionals lack some of the essential skills needed to be most effective in their roles – a lack that’s particularly acute in the area of OT cybersecurity, where practitioners must have an understanding of both IT and OT systems as well as the policies, procedures and tools that can protect them.
Consider the findings from The 2022 State of Operational Technology report, which surveyed 3,500 OT security professionals across the globe and found that 69% believe the lack of OT security staff “is diminishing the effectiveness of their organization’s OT security.”
The ICS training act, if passed by the Senate and then signed into law by President Biden, could help alleviate some of those dire findings.
That said, we see no need for critical infrastructure owners and operators to wait for Congress to finalize this act.
Upskilling your existing staff and providing ongoing training to your team is one of the most effective investments you can make – and it’s one you should be making now.
Your security pros already know your environment and have a good handle on the components that present the highest risks and, thus, need the highest levels of protection. So give them the additional skills they need to perform at their best and to their top potential.
As mentioned above, CISA already offers numerous free training programs, including both independent study and instructor-led courses, tailored for critical infrastructure owners and operators. That’s in addition to the training programs offered by multiple other sources, including (ISC)² and SANS as well as colleges and universities.
At the same time, critical infrastructure owners and operators should review their cybersecurity awareness training program for their overall workforce to ensure it’s comprehensive and up-to-date.
It’s worth the effort.
According to the World Economic Forum’s Global Risks Report 2022, 95% of cybersecurity issues can be traced to human error. And the 2022 State of Operational Technology report found that 79% of survey respondents think human error poses the greatest risk for compromise to OT systems.
With figures like that, it’s easy to demonstrate why solid cybersecurity training programs for both security pros and general staff pay off. We see it. The U.S. House of Representatives sees it. And you should know, too, that an investment in security training delivers real returns by decreasing your risk and increasing your security posture.
So, if and when the ICS security training act becomes law, take advantage of the free courses. But don’t feel you should wait for it. Training and up-skilling should be an ongoing activity, and you should be doing it now.
Cybersecurity for Utilities: Compliance Does Not Equal Security
The utilities industry remains one of the most heavily regulated sectors in the United States. In fact, every utility must demonstrate its compliance with a significant number of rules and regulations designed to ensure that they each can deliver clean, reliable and safe energy, water or related services.
Given such regulatory obligations, utility executives are intensely focused on ensuring that their organizations comply with the guidelines established by the Environmental Protection Agency, the Federal Energy Regulatory Commission and other such entities. Similarly, utility executives are diligent in making sure they align with frameworks such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards (NERC CIP).
That attention to regulations is well-placed. Compliance is non-negotiable, not only because it’s required but because it certifies that you as a utility are performing at the highest levels of safety and efficiency. However, you should not assume that being compliant with all relevant rules and regulations means you’re safe from cyber threats. Compliance does not equal security.
Organizations in the utilities space – and indeed in all other industry verticals – are finding that even when they meet regulatory requirements, they still can have vulnerabilities that unduly expose them to cyber risks.
How can this be? Just consider, for example, that CIP didn’t regulate low-impact assets until recently. In that case, a utility could have been fully compliant with all CIP standards yet still have unprotected low-level assets – a gap that hackers could have exploited and used as entry points to higher-impact assets that, if successfully breached, could have hindered utility operations.
The proof of the compliance vs. security gap can be seen in figures from Verizon’s 2021 Data Breach Investigations Report. It tallied 546 incidents this year (including 355 with confirmed data disclosures) in the mining, quarrying, oil & gas extraction, and utilities sector. Furthermore, the report found that social engineering accounts for 86% of the breaches in the sector, followed by system intrusions and basic web application attacks.
Such statistics indicate that organizations remain vulnerable to cyber attacks even when they’re fully compliant with all the rules and regulations that pertain to this industry. Note, for instance, that phishing attacks and other social engineering strategies could succeed even if just one person in a fully compliant enterprise falls for the scam.
We see a few other reasons for this dichotomy between being compliant and not necessarily being secure.
As stated earlier, some utilities continue to falsely believe that they’ve adequately secured their environments against cyber threats if they are compliant with all the rules and regulations. Therefore, they’re not investing in needed security measures that fall outside of regulatory requirements.
Similarly, some utilities focus more on compliance and thus invest there to the exclusion of adequate security investments. In such cases, executives often want to ensure that the utility doesn’t encounter negative findings and subsequent fines from regulators; they may not realize that the cost of a cyber incident could be significantly more and bring much more disruption than any regulatory action would.
In other cases, utilities combine security and compliance in one function and task the same people with both jobs – even though those two functions require different skills and expertise and must know and implement completely different strategies and standards. In such circumstances, organizations run the risk of doing neither security nor compliance well and thus falling short in both areas.
On the other hand, some utilities have compliance teams and security teams working independently of each other, each in its own silo. That practice can lead to duplication of efforts, wasted resources and missed opportunities to create a strategic risk management approach that addresses both needs in the most efficient, effective manner.
None of these scenarios is acceptable in an era when the number of cyber threats is growing – one study counted 304 million ransomware attacks worldwide in 2020, a 62% increase from the 2019 tally – and the impact of such attacks is also on the rise.
Companies in critical industries such as utilities are facing a constant threat to their ability to maintain operations and deliver essential services. Given that reality, you must devote the same high-level diligence to security as you commit to compliance.
That means having a security team with the resources needed to think comprehensively about the threats that could impact your utility, the likelihood and potential impact of those threats, and how to guard against them.
It means, too, having a security team capable of implementing, maintaining and maturing the people, processes and technology required to protect the enterprise.
At the same time, you must create an environment where your security and compliance teams can work collaboratively. This helps both departments stay on top of needed actions, as regulators are constantly updating standards to meet new challenges and address emerging threats. It also allows both teams to devise strategies that meet all relevant rules and regulations in a holistic fashion that eliminates gaps but doesn’t waste resources by duplicating efforts.
Keep in mind the payoff for such efforts. You’ll have an environment that delivers the reliability and security the company needs and your customers expect, where compliance requirements inform the security strategy and vice versa. Indeed, in the end you’ll have security and compliance in lockstep to effectively counter their common foe: those bad actors who seek to harm your organization.
Where Is Ransomware Most Prevalent?
Fact: Over 50% of ransomware attacks are introduced to networks via internal enterprise or IT networks. Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA, NSE3, explains how the best way to prevent ransomware attacks is to have a formal cybersecurity process in place.
I think that ransomware is most prevalent in Industrial Control System environments due to the culture of not having proper cybersecurity controls in place to mitigate against the propagation and the infiltration. You have to remember that over 50% of attacks actually are introduced to networks via your enterprise or IT network, and then they propagate across to the OT ICS boundary.
It used to be that these networks were air gapped, but that’s no longer the case. The need to pull data out of these networks has increased attack vectors that we previously hadn’t seen.
Security is not convenient. You do have to be diligent about the way you approach your defense in depth. Within these networks, the culture is to run lean and to remain operational. This makes it increasingly difficult to apply cybersecurity controls such as patch mitigation, perimeter defense, network segmentation, etc.
State of the Industry: Russia-backed Cyberattacks are Targeting the Country’s Critical Infrastructure
Russia has shown us the damage it’s capable of inflicting.
In April, Russian hackers hit a Ukrainian energy company with malware that, had it successfully destroyed the targeted computers, would have caused a blackout for 2 million people.
A suspected Russian hacker in December of 2015 successfully attacked a Ukrainian power grid, knocking out power for more than 200,000 consumers for hours.
And, of course, there was the Russian-backed attack against Colonial Pipeline here in the United States in May 2021, which shut down the company’s distribution operations and led to fuel shortages along the East Coast.
Unfortunately, as the recent warnings indicate, we know the Russians are escalating their cyber activities against American critical infrastructure, including our electric grid. And the potential for another successful attack leading to another round of shortages or power outages exists.
Utility owners and operators report that they are seeing more scans against their firewalls and external-facing web application services, both indications that hackers are looking for open ports and known vulnerabilities that haven’t been patched. We know that this kind of activity is often a prelude to an attack.
The industry is better defended than it was just a year ago, as the Colonial Pipeline attack served as a real wake-up call for many. As a result, we saw many utilities strengthen their cybersecurity postures by investing in their security teams, tools and policies.
But those investments aren’t enough to adequately harden security at all – or even most – of the critical infrastructure entities in this country.
In fact, researchers with Gartner have estimated that “less than 30% of U.S. critical infrastructure owners and operators will meet newly-mandated government security requirements for cyber-physical systems” through 2026.
We must recognize that for too long the industry has had a culture of running extremely lean, which, in turn, has led to a chronic underinvestment in security. At the same time, it continues to run operations on legacy systems that cannot be patched.
That combination has left utilities overly vulnerable to attacks today.
Now is the time to change that.
CISA lists a number of recommendations as part of its Shields Up guidance to organizations. It advises CEOs and other executives to empower their CISOs, include CISOs in decision-making and prioritize security investments. CISA also advises executives to lower reporting thresholds, test their incident response plans, focus on continuity and – ominously – “plan for the worst.”
CISA also recommends a series of proactive defense actions, such as implementing multifactor authentication and prioritizing software updates, to help reduce the likelihood of a damaging cyber intrusion.
Here at Rokster, we endorse such moves and are advising utility owners and operators to tighten their defenses and strengthen their security posture. Those are always necessary moves, but they’re more critical today than ever before given the Russian-backed hacking activities we’re seeing.
Indeed, we’re also recommending that utilities take additional steps, such as:
- disabling nonessential connectivity to business-critical systems
- increasing the security of remote-access capabilities
- increasing the sensitivity of SIEM tools to reduce the threshold for alerting potentially suspicious activities
- paying more attention to anomalies that could hint at compromise
- adding or increasing both endpoint detection and threat detection capabilities
- automating security responses as much as possible to bring speed and efficiency, while decreasing the chance of alert fatigue
- adding staff to ensure the security team has the capacity to perform the work needed today
We’re also advising owners and operators to, first, review their incident response plans and then run drills using them. These two exercises should reveal any shortcomings with the plans, allowing those to be addressed now instead of during an actual event. They also help teams develop some muscle memory and understand the procedures they must follow to ensure continuity and recovery.
Advisors and owners also want to build into their incident response plans the procedures to follow for simultaneously conducting a root cause analysis. This is a critical step that you don’t want to skip. Hackers often return to where they’ve had success, and if you don’t address the vulnerabilities that the hackers exploited the first time, you could find yourself victimized again.
Given the state of the world, we agree with government officials and other security leaders that there’s a high likelihood of attacks. And given the existing vulnerabilities within critical infrastructure, we unfortunately think we could see something like last year’s Colonial Pipeline incident happen again.
However, we don’t accept that as an inevitability. We know that the more actions we take now, the more investments we make in a defense-in-depth security strategy, the better we can get at thwarting attacks – wherever they come from.
Cyber Perimeters: An Evolving Concept
No utility would have a single key that could be used to open every lock. If it did, all its assets – even the most critical ones – would be vulnerable should some bad actor steal or copy it. Yet many utilities do something very similar when it comes to their electronic environments: They have keys that hackers could swipe and then use to gain access to most, if not all, their systems.
What are those keys? They’re the identities that employees and devices use to connect with the computer applications, networks, and servers they need to do their jobs. That’s because hackers know how to use just a single compromised identity to unlock increasing levels of access within IT and OT environments as they work toward their intended targets. Given that, utilities must develop and implement a cybersecurity strategy that accounts for such a threat and evolve their defenses accordingly.
Utilities should start by understanding the threat, which exists even if they have both strong perimeter defenses (i.e. firewalls) and a segmented environment that segregates their industrial control systems and operational technology (ICS/OT) from their information technology (IT). We know hackers can – and do – breach firewalls and are adept at finding ways to lurk around IT environments as they seek high-value assets. This is where identity can become a risk.
Here’s how: a subject – that is, an individual or a device – uses its identity to access applications, networks and/or servers. Perhaps it’s an employee who signs into their desktop and then, in the course of doing their job, uses that same identity to access a database, a file server, the company’s intranet web server, a collaboration platform, a cloud-based app and next a website. That employee has now created an identity perimeter that encompasses all those components.
Meanwhile, a network or database administrator signs into the IT environment to do their work and accesses some of the same systems as the first employee. Then the administrator accesses a system within the OT environment – not an uncommon scenario in many utilities. All the components that the administrator is using are now within their identity perimeter, which also now extends into the OT environment.
Moreover, the first employee’s identity perimeter overlaps with the administrator’s identity perimeter.
In a perfect world, that’s no big deal. But in reality there’s a big risk because if hackers compromise that first employee’s identity, even if the employee has low-level permissions, they can use that to start unlocking more and more access. Those hackers can use that single compromised identity to move laterally within the environment where they can intersect with the administrator’s identity perimeter.
If they can then compromise that administrator’s identity, they can then use it to access systems within the administrator’s reach. In many utilities, that could include the OT environment. And once in that OT environment, the hackers could continue their lateral moves and perhaps compromise another overlapping identity that they can use to access even more critical systems.
The risks that come with these overlapping identity perimeters are not theoretical. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) in 2018 released an alert about an advanced persistent threat (APT) that uses compromised identities to first gain access into IT environments and then harvest credentials to elevate their access. Believed to be Russian-based and known as Dragonfly 2.0, this APT has been targeting the utility and critical manufacturing sectors. Similarly, another entity, known as Xenotime, has been targeting utilities – and more specifically their industrial safety systems – using various attack tactics including credential harvesting. Such threats pose a significant risk to the typical organization, in which a subject (whether an individual or a device) uses the same single identity to access many components of the environment.
Think of it this way: That first compromised identity becomes a key that hackers could then use to gain access to any and all systems that the subject is authorized to access – and then exploit that access to compromise other identities whose access overlaps with it.
Security leaders need to evolve their strategies to account for the risks we’re seeing around overlapping identity perimeters and implement measures to limit those risks. They should first ensure that subjects (whether individual users or devices) only have access to the systems they require to do their jobs and nothing more than that. This is the principle of least privilege, and it keeps a subject’s identity perimeter as small as possible.
That, however, is only the start. Security executives should implement another layer of barriers around assets, particularly critical applications, networks and servers; they can create those barriers by requiring subjects to have a different identity (preferably with multifactor authentication) to access each individual critical asset. This approach limits the size of identity perimeters and can limit overlaps that facilitate the lateral moves that hackers seek to make. In other words, this approach can significantly limit a hacker’s ability to use a single compromised identity to move through the IT environment to escalate permissions and gain access to critical systems and possibly the OT environment itself.
An identity and access management (IAM) strategy that encompasses this approach ultimately helps utilities strengthen their security posture. Of course, this approach should not replace other, existing security measures. Firewalls and segmented networks are still essential elements of a strong security program, as are basic cybersecurity hygiene and a robust employee cybersecurity awareness program.
Still, an identity perimeter security strategy should become one more layer that’s required for a mature defensive position so we’re not leaving any keys that hackers can use to unlock our technology environments.
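The overlap reasoning above can be checked against an access inventory. The following is an added example, not part of the original article or of any Strive tooling: the identities, asset names and zone labels are constructed sample data, and the model assumes that any asset shared by two identities is a place where the second identity could be exposed once the first is compromised.

```python
from collections import deque
from itertools import combinations

# Constructed sample inventory (hypothetical names): asset -> network zone.
ZONES = {
    "desktop-17": "IT", "file-server": "IT", "intranet-web": "IT",
    "hr-database": "IT", "jump-host": "IT",
    "historian": "OT", "scada-hmi": "OT",
}
CRITICAL = {"historian", "scada-hmi"}

# Identity -> identity perimeter (every asset that identity signs in to).
# One identity per subject, reused everywhere, as in the scenario in the text.
SHARED_IDENTITY = {
    "employee": {"desktop-17", "file-server", "intranet-web"},
    "admin": {"file-server", "hr-database", "jump-host", "historian"},
    "ot-engineer": {"historian", "scada-hmi"},
}


def overlaps(access):
    """Return {(id_a, id_b): shared assets} for each pair of overlapping perimeters."""
    result = {}
    for a, b in combinations(sorted(access), 2):
        shared = access[a] & access[b]
        if shared:
            result[(a, b)] = shared
    return result


def blast_radius(access, start):
    """Identities and assets exposed if `start` is compromised.

    Assumption of this model: an overlap on any asset is enough for the
    compromise to spread to the other identity that uses that asset.
    """
    seen_ids, seen_assets = {start}, set()
    queue = deque([start])
    while queue:
        ident = queue.popleft()
        for asset in access[ident]:
            seen_assets.add(asset)
            for other, perimeter in access.items():
                if asset in perimeter and other not in seen_ids:
                    seen_ids.add(other)
                    queue.append(other)
    return seen_ids, seen_assets


def ot_exposure(access, start):
    """OT assets inside the blast radius of `start`."""
    _, assets = blast_radius(access, start)
    return sorted(a for a in assets if ZONES[a] == "OT")


def cross_zone_identities(access):
    """Identities whose perimeter spans both IT and OT (audit finding)."""
    return sorted(i for i, p in access.items()
                  if {ZONES[a] for a in p} == {"IT", "OT"})


def split_critical(access, critical):
    """Model the mitigation: a dedicated identity per subject per critical asset.

    Assumes the dedicated credentials are independent of the general ones
    (for example, protected by multifactor authentication).
    """
    hardened = {}
    for ident, perimeter in access.items():
        general = perimeter - critical
        if general:
            hardened[ident] = general
        for asset in sorted(perimeter & critical):
            hardened[f"{ident}@{asset}"] = {asset}
    return hardened


if __name__ == "__main__":
    hardened = split_critical(SHARED_IDENTITY, CRITICAL)
    for label, access in (("shared", SHARED_IDENTITY), ("per-asset", hardened)):
        print(label, "overlaps:", overlaps(access))
        print(label, "IT+OT identities:", cross_zone_identities(access))
        print(label, "OT exposed via 'employee':", ot_exposure(access, "employee"))
```

With the shared identities, the low-privilege `employee` account reaches both OT assets through two overlaps; after the split, the same starting point stops at the IT assets the administrator's general identity can reach.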
Ransomware 101: How to Prevent an Attack and What to Do if You Fall Victim
It seems like ransomware attacks are lurking around every corner—a threat that is especially heightened for industrial control systems and utility companies in the U.S. For these industries, a ransomware attack could mean dire consequences for a wide range of people. In the Q&A below, our Vice President of Cybersecurity & Compliance, Dominick Birolin (CISSP, CISA, NSE3), shares how you can safeguard against these attacks and what to do if you fall victim to one.
Q: Why is ransomware dangerous for utility and industrial control systems – what’s at stake?
A: For utilities and industrial control systems, it goes beyond what you’d find on a normal enterprise network. These networks impact the real world around us. There are wide-reaching consequences in the event that these networks are compromised. For instance, it could mean a shutdown on the oil pipeline (as in the case of Colonial Pipeline 2021), power grids could be blacked out (Ukraine power grid attack 2015), manufacturing can stop (Honda manufacturing plants 2020), and so on. With industrial control systems—like emergency management systems or transportation networks—they can all cease to work properly and that can impact millions of people and have wide-ranging impacts to health, resources, and finances.
Q: Why is ransomware so prevalent right now?
A: The motivation with hackers and ransomware, first and foremost, is the financial incentive. Exfiltration of intellectual property to resell later is another financial component. These attacks are becoming more and more prevalent now because there has been a culture of not having proper cybersecurity controls in place to mitigate against the propagation and infiltration of attacks. ICS/OT systems present unique security challenges. They have a much longer patch cycle, some systems may be end-of-life, protocols are different from traditional IT networks, and remote access for troubleshooting by vendors is often not secured properly.
You have to remember that over 50% of attacks are actually introduced to networks via the enterprise or IT network and then they propagate across to the OT/ICS boundary.
These networks used to be air gapped but that’s no longer the case. The culture is to run lean, so it becomes increasingly difficult to apply cybersecurity controls such as patch mitigation, perimeter defense, network segmentation, etc. But the need to pull data out of these networks has increased attack vectors that the industry previously hadn’t seen and there has not been a Defense in Depth approach needed to counteract that. Because early networks were air gapped, this wasn’t initially a concern but with the need to pull data from these control system environments, we have increased the attack vectors and with it, the likelihood of attacks.
Q: What can companies do to safeguard against ransomware attacks?
A: First we need to address the fact that there’s no magic bullet. Every comprehensive strategy is a Defense in Depth approach, which involves many components, some of which are:
- Testing your disaster recovery plan to ensure it is viable
- System data configuration and inventory of your file backup systems
- Patch management and vulnerability mitigation programs
- Quarantine capabilities including network segmentation and application layer inspection of segment ingress/egress traffic
- Network monitoring and threat detection to know if you are indeed infiltrated by ransomware and be able to respond to it
- Incident response is also key – not just this but also training cybersecurity personnel to deal with these types of ransomware attacks, mitigation of threats, communications to government agencies, and roles and responsibilities of responders
- Network perimeter defense
- Endpoint Detection and Response (EDR)
- System Hardening techniques
Q: What should companies do immediately after realizing they are victims of a ransomware attack?
A: First, enact your incident response plan and hopefully apply kill chain to stop the propagation of the ransomware. Then, assess where you are from a disaster recovery standpoint while preserving the cybersecurity forensic evidence for further investigation.
The next steps are really just evaluating what it’s going to cost you to recover or if you should pay the ransom. Do you have the ability to recover to full functionality without paying the ransom? That leads to other considerations like: is it legal to pay the ransom? What’s the operational impact cost? What’s the total loss of the incident going to cost you and how much will it cost to recuperate from that?
Root cause analysis is also key. In these environments we routinely see that companies recover from ransomware attacks and they don’t do a root cause analysis. This leaves them prone to having a repeat attack and it is the ransomware gang’s modus operandi to repeat these attacks on organizations that do not mitigate the root cause.
These are all considerations, but one point to emphasize is that whatever any cybersecurity professional does needs to have defensible evidence to support their case.
Q: What, if anything, should companies be doing to inform employees about cybersecurity best practices to avoid ransomware attacks?
A: It all starts with employees. The most likely attack vector is your enterprise or IT network – like I mentioned previously, this accounts for over 50% of attacks. There are four main causes for this: phishing emails, remote desktop protocol (RDP) used for propagation, click bait, and drive-by downloads.
The key here is having a robust cybersecurity awareness program that informs employees on what to recognize in a potential attack and encourages them to report anything suspicious to their IT department.
Q: If you had only one piece of advice for companies around ransomware, what would it be?
A: Be diligent in your cybersecurity approach. Develop and apply a comprehensive cybersecurity risk management program. Cybersecurity is not convenient but knowing the impact to your operations and then mitigating to your acceptable risk level is key to being successful in this area.
Q: What can utility companies do to know if they are properly protected or not?
A: If you’re unsure and don’t have the internal resources to check, you should hire a capable consulting company or third party like ours to validate your cybersecurity protection via a ransomware readiness assessment.
U.S. Officials Warn of Russian Threats to Domestic Critical Infrastructure
Top U.S. defense agencies are warning critical infrastructure owners and operators against growing cyberthreats coming from Russian state-sponsored bad actors.
In a Jan. 11, 2022, joint statement, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency all advise “the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness.”
This warning shouldn’t come as a surprise. The Russian government has a well-known history of sponsoring cyberattacks across the globe, and it has been ramping up its activities in recent years. Consider the figures from Microsoft on this front. Its 2021 Digital Defense Report notes that 58% of all cyberattacks observed by Microsoft from nation-states during the prior year came from Russia. Microsoft also reports that the attacks from Russian nation-state actors are increasingly effective – hitting a 32% successful compromise rate in 2021 vs. 21% the year before.
And the top target of these attacks, according to Microsoft? You guessed it: the United States, followed by Ukraine and the United Kingdom.
Russia is not the only country engaged in such activities, with Microsoft pointing out that (after Russia) North Korea, Iran and China are the top state sponsors of hostile cyber actions. Be aware, too, that the hacking groups and troll farms they shelter within their countries use a full range of technologies and tactics to launch all sorts of attacks, from distributed denial-of-service (DDoS) to ransomware to targeted espionage attacks. They will – and do – use any and all capabilities at their disposal to ensure success.
We know that these countries, particularly Russia, engage in state-sponsored cyberattacks for several reasons – namely to engage in espionage (as noted above), gain political influence and disseminate disinformation as well as to create discord and havoc.
The hacker groups themselves are after the payday.
Take the Colonial Pipeline attack. Authorities named the DarkSide hacking group – a ransomware gang that they believe is based in Russia – as the culprit behind the successful May 2021 breach. The Colonial Pipeline CEO told a Senate committee that the company paid $5 million in ransom a day after the attack, which disrupted fuel supplies throughout the Eastern United States.
The damage that these state-sponsored hackers can do is significant. Look at what has happened in Ukraine. Cybercriminals took out the Ukrainian power grid in December 2016, leaving customers throughout the country without power for an hour, while a December 2015 attack knocked out power for nearly 250,000 Ukrainians.
More recently – in fact, just days after the U.S. warning to American entities – Ukraine suffered another crippling attack. This time hackers struck against government agencies, bringing down scores of websites for hours.
European officials blamed Russia for the attack, which indicates with increasing certainty that nation-states are using such tactics not only for political gain but for military purposes as well.
What, then, does this mean for U.S. organizations – and, in particular, the owners and operators of critical infrastructure?
First and foremost it should sound an alarm. Organizations across all industries – but in particular utilities and other such entities – must realize that the hackers targeting them are organized, highly motivated and well-funded. They should know that these hackers have their tactics, techniques and procedures laid out for them so they have the best chances of success when they go to execute.
Second, this should be seen as a call to action.
CISA, the FBI and the NSA say as much in their advisory, telling entities, their executives and their security teams, in the agencies’ exact words, to:
- Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
- Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
We agree with all that advice. We also endorse the agencies’ recommendation that security leaders at utilities and other critical infrastructure facilities adopt the MITRE Adversarial Tactics, Techniques, and Common Knowledge (or MITRE ATT&CK for ICS) framework to ensure they’re implementing appropriate safeguards and controls for industrial systems.
Think of this framework as a database of known attack and mitigation techniques that, when used to guide security strategies, helps organizations create more comprehensive defense, detection and recovery plans and, thus, increase their ability to thwart an attack as well as quickly respond and contain a successful breach.
The NIST Special Publication (SP) 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security as well as the ISO/IEC 27000 series and IEC 62443 for information security management are also effective and worthwhile frameworks to use.
The frameworks have several critical elements in common. They all stress the importance of doing fundamentals – such as vulnerability and patch management – exceedingly well. They also reinforce the need for having robust incident response programs as well as disaster recovery and business continuity plans in place.
A strong security program, however, shouldn’t rely solely on following a framework. Enterprise security leaders must also invest in staff, hiring and training – or contracting – for the skills necessary to implement frameworks and engage in other essential security operations such as threat hunting.
And they should work with their IT and business unit counterparts to ensure the systems within their information technology (IT) and operational technology (OT) environments are modern and still supported by vendors.
Unfortunately, for various reasons, utilities often run operational technologies that are well past end of life with unpatched vulnerabilities – a practice that needs to stop. Similarly, OT cybersecurity practices have lagged behind IT security in maturity. That, too, must change.
Organizations need to develop a defense-in-depth approach to security. Utilities – faced with the threat from Russia and other nation-states – should be at the forefront of taking this action.
We work with such entities to do that, to adopt frameworks and to align framework requirements to each organization’s unique risk profile and security objectives. Taking such action is an imperative, given who the adversaries are today, as CISA, the FBI and the NSA have warned.
Take Charge of Active Directory Security with BloodHound from SpecterOps
Despite 2020 being dubbed “the year of ransomware,” bad actors have ramped up ransomware attacks in 2021 even more than last year. More alarming is the speed and effectiveness with which actors can compromise entire networks, enabled by sub-optimal design and maintenance of an organization’s Active Directory. That shouldn’t come as a surprise to anyone in the security world. Hackers and penetration testers alike have targeted Active Directory for years as the most effective means of achieving the attacker’s end goals.
There are many reasons why Active Directory has been, and remains, a prime mark for attackers. As many of you know, Active Directory is Microsoft’s proprietary directory service. IT administrators use it for a variety of tasks, from maintaining the organizational hierarchy, managing permissions and controlling access to network resources to setting what your profile picture looks like or whether you can install an application on your machine.
Its very nature is why it’s so valuable to attackers. Active Directory serves as the central repository for all non-local account authentications and privileges. As such, Active Directory contains the proverbial keys to the kingdom. Attackers can query it to perform reconnaissance on the network, identify accounts for privilege escalation, lateral movement, or maintaining persistence within the environment, and determine the shortest path to achieving their goal (exfiltration of sensitive data, making an impact, or both).
One 2021 study found that 50% of organizations experienced an attack on Active Directory within the past two years and more than 40% reported that the attack was successful. However, Active Directory is inherently difficult to secure – and has been for decades. In fact, many of the features in Active Directory that actually make it work are also what make it so vulnerable.
Consider, for example, the domain controller’s sync function, which transfers and updates AD objects from one domain controller to another. Attackers can take advantage of this process with a DCSync attack, in which they use vulnerable accounts to impersonate an Active Directory domain controller and then obtain authentication credentials from other domain controllers. A process designed to maintain availability and prevent a single point of failure can be abused to compromise every single credential in a domain, without ever actually compromising the Domain Controller itself.
Another example: attackers can exploit functionality in Kerberos, the computer network protocol used to authenticate identities, by finding service accounts with weak passwords and using a common attack known as Kerberoasting to grab the hash of the service account, crack it offline, then use that cracked password to progress further into the network. This ability to grab service account hashes is a feature, not a bug. There’s no patch to fix this, only principles of least privilege for the account, good password hygiene, and regular password changes. This assumes the admins even remember the account exists, let alone what purpose it was originally created to serve.
At the same time, IT teams can create additional security challenges by allowing group and privilege sprawl to creep into the Active Directory environment. Some common issues include: use of unconstrained delegation, poor change management practices/documentation (temporarily elevating privileges and never revoking them), use of simple passwords, and maintaining inactive accounts. Malicious actors know how to exploit all those scenarios to their advantage.
Yet, despite such security challenges and the significant potential for successful attacks, many organizations don’t devote enough attention and resources to assess the risk associated with their Active Directory environment and implement appropriate mitigation strategies.
That’s true in the utilities industry, too.
Many security and technology leaders in this field rely only on network segmentation to provide a layer of protection for OT networks. There is a misconception that if an attacker gains access to the information technology network, segmentation will prevent the attacker from accessing the operational technology. In reality, that’s not the case – even when an organization has established a proper demilitarized zone between segmented IT and OT environments.
That’s because there’s still trust that remains between the two environments (by necessity), so a hacker who is able to compromise a Domain Controller or launch a successful DCSync attack could use hacked credentials to pick a trusted IT machine to connect with one on the OT side of the house – knowing that the two servers trust each other and the credentials would be accepted.
So what’s the short of it?
It’s this: You can lock down and air gap your OT environment, but that won’t protect you from a threat actor who has compromised the IT’s Active Directory services, especially when those services are shared between IT and OT.
The question becomes: how can organizations be more attentive to the risks associated with Active Directory? How do they cut through the massive amount of data and understand what their posture is, and how to improve it? To do that, I recommend organizations start deploying BloodHound, free open-source software provided by SpecterOps. You can be sure attackers already are.
BloodHound is a discovery tool, designed for users to understand an Active Directory environment. It does this using graph theory and visual representation to uncover hidden or unintended relationships, kerberoastable accounts, opportunities for DCSync attacks, and a number of other misconfigurations or flaws within the environment. It then creates a graph of that analysis, thereby giving security and technology leaders a simple and quick way to depict privilege relationships and design remediations.
I worked with one client to deploy BloodHound, allowing us to identify four kerberoastable service accounts that had the appropriate permissions to accomplish a DCSync attack. Imagine: without ever compromising the Domain Controller or a Domain Admin account, attackers could easily replicate the credentials of every single user account.
In another case, I worked with a client’s Chief Information Security Officer using BloodHound to analyze his organization’s Active Directory environment and found kerberoastable accounts that he thought had been remediated months ago but were actually still active.
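The kind of finding described above, worked through as an added example (this is not BloodHound's code, data format or queries, and not from the original article): a graph walk that flags accounts that are both kerberoastable and able to replicate the directory, directly or through nested groups. The account names, group names and the simplified data model are constructed for illustration; `GetChanges` and `GetChangesAll` stand for the two directory replication rights that DCSync relies on.

```python
from collections import deque

# Constructed sample data (all names invented), shaped like a simplified
# Active Directory collection: group nesting, SPN-bearing users, domain ACEs.
MEMBER_OF = {  # principal -> groups it is a direct member of
    "svc_sql": ["SQL Admins"],
    "SQL Admins": ["Tier1 Ops"],
    "Tier1 Ops": ["Replication Helpers", "SQL Admins"],  # nesting loop on purpose
    "svc_backup": ["Backup Operators"],
    "alice": ["Replication Helpers"],
}
USERS = {  # an SPN on a user account is what makes it kerberoastable
    "svc_sql": {"spn": True, "enabled": True},
    "svc_backup": {"spn": True, "enabled": True},
    "svc_web": {"spn": True, "enabled": False},  # forgotten, disabled account
    "alice": {"spn": False, "enabled": True},
}
DOMAIN_ACES = [  # (principal, replication right granted on the domain object)
    ("Replication Helpers", "GetChanges"),
    ("Replication Helpers", "GetChangesAll"),
    ("Backup Operators", "GetChanges"),
    ("svc_web", "GetChanges"),
    ("svc_web", "GetChangesAll"),
]
# Both rights together allow directory replication, which is what DCSync abuses.
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}


def effective_principals(user, member_of):
    """Map each principal the user acts as (itself plus nested groups) to the
    membership chain that leads there, using breadth-first search."""
    paths = {user: [user]}
    queue = deque([user])
    while queue:
        current = queue.popleft()
        for group in member_of.get(current, []):
            if group not in paths:  # visited check also stops nesting loops
                paths[group] = paths[current] + [group]
                queue.append(group)
    return paths


def dcsync_capable_spn_accounts(users, member_of, aces):
    """Return SPN-bearing accounts that hold both replication rights, directly
    or through nested groups, with the chain that grants each right."""
    findings = []
    for user, attrs in sorted(users.items()):
        if not attrs["spn"]:
            continue
        paths = effective_principals(user, member_of)
        granted = {}
        for principal, right in aces:
            if principal in paths and right in DCSYNC_RIGHTS:
                granted.setdefault(right, " -> ".join(paths[principal]))
        if DCSYNC_RIGHTS <= set(granted):
            findings.append({"account": user, "enabled": attrs["enabled"], "via": granted})
    return findings


if __name__ == "__main__":
    for f in dcsync_capable_spn_accounts(USERS, MEMBER_OF, DOMAIN_ACES):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']} ({state})")
        for right, chain in sorted(f["via"].items()):
            print(f"  {right}: {chain}")
```

Each reported chain shows which group membership or direct grant to remove so the service account no longer holds replication rights, in line with the least-privilege advice above.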
Learning how to use BloodHound does require an investment of time, but it’s not a steep learning curve to put this tool to use. SpecterOps has free online tutorials and blogs to help security teams get started, and the tool itself has prewritten queries that enable teams to quickly make use of it with a simple point-and-click. You can even find queries that others have written to expand upon your library.
Given all this, I advise organizations to use BloodHound to audit their own Active Directory environments, or work with us on that analysis. Then, use what BloodHound uncovers to advance onto a path of active monitoring and remediation of identified risks.
This work is critical for defenders if they want to keep pace with their adversaries, who are, as mentioned earlier, also using BloodHound to identify the easiest pathways to a successful attack in their targets.
IT and OT teams together should own this work. Yes, the IT department typically maintains Active Directory, but the impact of a successful attack on Active Directory won’t be limited to IT; as previously stated, it could cripple the OT environment, too.
And that fact alone should make it a primary concern for both IT and OT teams, as well as security personnel and, really, the enterprise as a whole.
The Log4j Exploit and Ransomware
BitDefender reported yesterday that ransomware gangs are now utilizing the Log4j exploit to install ransomware. This raises the stakes for organizations that have not undertaken efforts to patch the vulnerability or mitigate the threats for systems that do not yet have patches available.
This ransomware does not contain a clear way to contact the threat actor to pay the ransom. So in cases where victims’ files are encrypted, they may have a difficult time recovering their files even if they are willing to pay the ransom. This is the first known case of a ransomware gang utilizing the Log4j exploit to directly install ransomware.
On Monday, Apache released Log4j version 2.16 to fix another problem: CVE-2021-45046. Previously, it was thought that version 2.15 corrected the issue. However, a new flaw was discovered in version 2.15. Anyone who patched to version 2.15 is strongly advised to install version 2.16 immediately, which corrects the CVE-2021-45046 problem. The flaw fixed in version 2.16 “doesn’t seem to permit remote code execution or data exfiltration; it’s merely a denial-of-service attack that might cause the affected process to hang,” according to Paul Ducklin, a research scientist at Sophos.
The cybersecurity community expects that not only criminals, but also Chinese, Iranian, and other state-sponsored groups will move quickly to leverage this vulnerability. Organizations need to take appropriate measures to ensure their security. If organizations do not have appropriate in-house resources, they should reach out to organizations like ours that can provide help.
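To find where an upgrade to 2.16 is still outstanding, the following added example (not code from Apache, BitDefender or the original article) inventories log4j-core copies under a directory, including copies bundled inside other archives, and reports those older than 2.16.0. It assumes the library's Maven `pom.properties` metadata is present in the jar; the function names are hypothetical and the sample jars are constructed in memory.

```python
import io
import re
import zipfile
from pathlib import Path

FIXED = (2, 16, 0)  # release the article says to install (fixes CVE-2021-45046)
# Maven metadata shipped inside log4j-core; unlike the file name, it usually
# survives when the library is bundled into another archive.
POM_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
MAX_DEPTH = 4  # assumption: cap on nested-archive recursion


def parse_version(text):
    """Return (major, minor, patch) from strings like '2.15.0' or '2.0-beta9'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def scan_archive(data, label, depth=0):
    """Yield (location, version) for every log4j-core copy inside one archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if name.endswith(POM_SUFFIX):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        yield label, line.split("=", 1)[1].strip()
            elif name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                yield from scan_archive(zf.read(name), f"{label}!{name}", depth + 1)


def find_outdated(root):
    """Return sorted [(location, version)] for log4j-core copies older than FIXED."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            for location, version in scan_archive(path.read_bytes(), str(path)):
                parsed = parse_version(version)
                # Unparseable versions are reported too, so a person reviews them.
                if parsed is None or parsed < FIXED:
                    hits.append((location, version))
    return sorted(hits)


def make_jar(version=None, inner=None):
    """Build a constructed sample jar in memory (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr("META-INF/maven/" + POM_SUFFIX,
                        f"artifactId=log4j-core\nversion={version}\n")
        for name, data in (inner or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "log4j-core-2.16.0.jar").write_bytes(make_jar("2.16.0"))
        (root / "log4j-core-2.15.0.jar").write_bytes(make_jar("2.15.0"))
        nested = {"WEB-INF/lib/log4j-core-2.14.1.jar": make_jar("2.14.1")}
        (root / "app.war").write_bytes(make_jar(inner=nested))
        for location, version in find_outdated(root):
            print(f"{version:10} {location}")
```

Copies whose Maven metadata was stripped during repackaging will not be found this way, so treat an empty result as one input to the inventory rather than proof of absence.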
Understanding the Different Needs, Approaches for OT Security in the Utilities Space
Cybersecurity managers continue to face significant challenges when it comes to recruiting and retaining the professionals needed to secure their organizations – with studies showing that hiring the right cybersecurity skills is only getting harder.
It’s even tougher, though, for utilities to hire qualified security workers because utilities must protect both the usual information technology (IT) stack that runs their business operations as well as the operational technology (OT) that delivers the critical services that the utilities provide.
Although there are some overlapping skills, protecting IT and safeguarding OT require different expertise and different strategies.
As such, utilities can’t successfully secure their organizations if they have only the standard IT-oriented cybersecurity skills on their teams because those professionals – as skilled as they may be – don’t know the unique security challenges of operational environments. Utilities need people who have the specific expertise and specialized acumen needed to secure operational technology.
Utilities that lack those specialized OT security skills risk not only a breach but also hindering their operations. Apply some standard IT cybersecurity techniques to operational technology, and you have a good chance of negatively impacting operations.
There are plenty of examples that illustrate why IT and OT security are different disciplines. Consider firewall selection. Security experts working in utilities should know to choose firewalls that work with and are able to inspect Industrial Control System (ICS) and OT protocols – an additional selection requirement that only security professionals with OT-focused expertise would likely know.
Similarly, security experts working in utilities need to understand which hardware scanning tools to use – or whether to use any at all – within their organizations. Most hardware scanning tools aren’t effective in an OT environment and, in fact, can do more harm than good if deployed without proper configuration. For instance, a Network Mapper (Nmap) scan is a standard tool used to find open ports and detect systems running on remote machines in an IT environment. But run it in an OT environment and it will likely brick the older remote terminal units. Utility personnel then will have to reboot the Remote Terminal Unit (RTU) and hope that maneuver works. If it doesn’t work, which is frequently the case, then they’ll have to actually replace the RTU. In the interim, without an operable RTU, the utility will be without remote control capabilities and the telemetry it needs for optimal operations.
There are other circumstances related to OT environments that create unique security challenges for utilities.
Utilities use proprietary, purpose-built technologies to run their operations; these are not standard off-the-shelf systems. As a result, vendors don’t offer security patches for such systems at the same speed and frequency they do for their standard applications. Instead, vendors take more time to test and issue patches to fix identified security problems within proprietary software. Vendors that offer weekly or monthly patches for their standard software could take 4-6 months to release patches for custom-built OT systems. Meanwhile, hardware vendors might only come out with updates once a year. That means utilities must live with known vulnerabilities within their environments for months and therefore should know how to configure their security strategies accordingly.
OT systems also tend to have significantly longer lifecycles than IT applications and platforms. It’s not uncommon to find operational technologies that are 15 to 20 years old; a utility, for example, could have decades-old switch relays. Contrast that with IT systems, which today typically have lifecycles of five years or less. Consequently, most or even all of the systems within a modern IT stack have been built with current security risks and threats in mind. On the other hand, those old OT systems have no such built-in considerations; they simply weren’t designed to handle modern cybersecurity threats.
Moreover, those older OT systems are usually end of life. That means vendors aren’t issuing any more patches even as they uncover new security vulnerabilities. And utilities often must run outdated, unsupported IT systems, such as older versions of Microsoft Windows, because they need those legacy IT systems in place to work with the legacy OT systems. That further complicates the security scenario within the OT environment.
Now there is some good news on the security front for utilities. A typical OT environment has a much lower number of gateways to the Internet, if any, than a standard IT environment, making OT environments a bit safer from external breaches when compared to IT infrastructures.
That, however, hardly negates the cybersecurity risks to utilities – and the significant consequences that could come with a successful cyber-related breach.
In fact, the potential impact of compromised physical equipment tends to be greater than that of a data breach within an IT environment. Even slight OT cyber incidents can lead to not only huge financial losses but damaging ramifications, too, such as water contamination, gas shortages, manufacturing down time, and power outages.
Utility leaders must recognize what’s at stake and why finding security help skilled in OT is so critical. They should recognize that IT security prioritizes privacy and confidentiality – essentially guarding data against unauthorized access. But OT security must prioritize safety and reliability, because an OT-related cybersecurity attack can put utility personnel and the public itself at risk of injury or even death.
We’ve already witnessed the damage that security incidents involving operational technology can cause. A 2007 Department of Homeland Security program called the Aurora Project, which was intended to bring attention to the issue of cybersecurity, exploited a known vulnerability that resulted in over-torque stresses in a generator. Hackers breached a Florida water treatment plant in February 2021 and tried to poison the water by changing the levels of added chemicals – a change caught by a diligent worker before it was executed. And the May 2021 ransomware attack on Colonial Pipeline caused gas shortages around the East Coast for weeks.
Such incidents highlight the importance of having security professionals with the expertise needed for OT, and not just IT, environments.
Utilities need security specialists with the experience and skills to administer patches that require them to take down highly sensitive OT environments that were designed to run 24/7. They need professionals capable of choosing the right security tools for their own unique requirements. And they need cybersecurity workers who can devise holistic security strategies that account for all such issues.
Utilities benefit from cybersecurity professionals who can successfully collaborate with the plant engineers who built and now run the operational technology, who can understand the unique complexities of the operational technologies that run their utilities, and who can design and deliver a layered, defense-in-depth approach that prioritizes the protection of the utility’s most critical assets.