Proposed Federal Law Would Boost Security Training for Utilities, Critical Infrastructure Operators
Legislation aims to bolster cyber defenses, but operators should still act now to strengthen security skills
Congress wants to require organizations deemed critical infrastructure to have a cybersecurity awareness training program. And it’s pushing through legislation that would provide such training for free.
More specifically, the Industrial Control Systems Cybersecurity Training Act requires the Cybersecurity and Infrastructure Security Agency – better known as CISA – to provide cybersecurity workers with no-cost training on best practices for securing industrial control systems.
It also calls for CISA to provide both virtual and in-person training, with courses targeted to workers at various skill levels.
These programs would be available to security workers in government entities as well as the private sector.
This new training initiative would supplement a raft of existing training programs already offered by CISA.
The government’s goal here is to ensure security professionals know about emerging threats and how they can most effectively mitigate them – an essential skill in a world where adversarial tactics and techniques are constantly evolving.
Indeed, the bill’s sponsor – U.S. Rep. Eric Swalwell, a California Democrat serving on both the House Select Committee on Intelligence and the House Homeland Security Committee – introduced the bill in May in response to the increasing number of cyberthreats coming out of Russia, saying that the country “must be cognizant of cyberwarfare from state-sponsored actors.”
He noted that this legislation “would help train our information technology professionals in the federal government, national laboratories, and private sector to better defend against damaging foreign attacks.”
Members of both parties agreed: The House on June 21 passed the bill with strong bipartisan support, sending it to the Senate for its approval.
This training initiative has Strive’s vote of confidence, too, as we have long believed that a well-trained, well-informed cybersecurity workforce is essential to protecting both operational technology (OT) and information technology (IT).
And we expect this bill to be enacted into law – as it should be.
Our country needs more training to counter the growing number and sophistication of attacks coming at us here in the United States and at the critical infrastructure sector in particular.
We also recognize that this training could help address some of the challenges that organizations face on the talent front.
First, there’s a lack of cybersecurity professionals in general. A report from the International Information System Security Certification Consortium, or (ISC)², puts the number of unfilled cybersecurity jobs at 377,000 in the United States alone. (It’s about 2.7 million globally.)
The nonprofit Cyberseek puts the number of unfilled U.S. cybersecurity positions even higher, at 714,548 as of mid-August.
At the same time, many of the existing cybersecurity professionals lack some of the essential skills needed to be most effective in their roles – a lack that’s particularly acute in the area of OT cybersecurity, where practitioners must have an understanding of both IT and OT systems as well as the policies, procedures and tools that can protect them.
Consider the findings from The 2022 State of Operational Technology report, which surveyed 3,500 OT security professionals across the globe and found that 69% believe the lack of OT security staff “is diminishing the effectiveness of their organization’s OT security.”
The ICS training act, if passed by the Senate and then signed into law by President Biden, could help alleviate some of those dire findings.
That said, we see no need for critical infrastructure owners and operators to wait for Congress to finalize this act.
Upskilling your existing staff and providing ongoing training to your team is one of the most effective investments you can make – and it’s one you should be making now.
Your security pros already know your environment and have a good handle on the components that present the highest risks and, thus, need the highest levels of protection. So give them the additional skills they need to perform at their best and to their top potential.
As mentioned above, CISA already offers numerous free training programs, including both independent study and instructor-led courses, tailored for critical infrastructure owners and operators. That’s in addition to the training programs offered by multiple other sources, including (ISC)² and SANS as well as colleges and universities.
At the same time critical infrastructure owners and operators should review their cybersecurity awareness training program for their overall workforce to ensure its comprehensive and up-to-date.
It’s worth the effort.
According to the World Economic Forum’s Global Risks Report 2022, 95% of cybersecurity issues can be traced to human error. And the 2022 State of Operational Technology report found that 79% of survey respondents think human error poses the greatest risk for compromise to OT systems.
With figures like that, it’s easy to demonstrate why solid cybersecurity training programs for both security pros and general staff pay off. We see it. The U.S. House of Representatives sees it. And you should know, too, that an investment in security training delivers real returns by decreasing your risk and increasing your security posture.
So, if and when the ICS security training act becomes law, take advantage of the free courses. But don’t feel you should wait for it. Training and up-skilling should be an ongoing activity, and you should be doing it now.
Looking for more information?
Our Cybersecurity & Compliance solutions ensure that your business is protected and secured from cyber threats whenever, wherever. Minimize your risk to cyber attack exposure and regulatory fines without impacting your business operations – Strive can help.
Where Is Ransomware Most Prevalent?
Fact: Over 50% of ransomware attacks are introduced to networks via internal enterprise or IT networks. Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA, NSE3, explains how the best way to prevent ransomware attacks is to have a formal cybersecurity process in place.
I think that ransomware is most prevalent in Industrial Control System environments due to the culture of not having proper cybersecurity controls in place to mitigate against the propagation and the infiltration. You have to remember that over 50% of attacks actually are introduced to networks via your enterprise or IT network, and then they propagate across to the OT ICS boundary.
It used to be that these networks were air gapped, but that’s no longer the case. The need to pull data out of these networks has increased attack vectors that we previously hadn’t seen.
Security is not convenient. You do have to be diligent about the way you approach your defense in depth. Within these networks, the culture is to run lean and to remain operational. This makes it increasingly difficult to apply cybersecurity controls such as patch mitigation, perimeter defense, network segmentation, etc.
Does your ICS environment need help protecting it from ransomware?
State of the Industry: Russia-backed Cyberattacks are Targeting the Country’s Critical Infrastructure
Russia has shown us the damage it’s capable of inflicting.
In April, Russian hackers hit a Ukrainian energy company with malware that, had it successfully destroyed the targeted computers, would have caused a blackout for 2 million people.
A suspected Russian hacker in December of 2015 successfully attacked a Ukrainian power grid, knocking out power for more than 200,000 consumers for hours.
And, of course, there was the Russian-backed attack against Colonial Pipeline here in the United States in May 2021, which shut down the company’s distribution operations and led to fuel shortages along the East Coast.
Unfortunately, as the recent warnings indicate, we know the Russians are escalating their cyber activities against American critical infrastructure, including our electric grid. And the potential for another successful attack leading to another round of shortages or power outages exists.
Utility owners and operators report that they are seeing more scans against their firewalls and external-facing web application services, both indications that hackers are looking for open ports and known vulnerabilities that haven’t been patched. We know that this kind of activity is often a prelude to an attack.
The industry is better defended than it was just a year ago, as the Colonial Pipeline attack served as a real wake-up call for many. As a result, we saw many utilities strengthen their cybersecurity postures by investing in their security teams, tools and policies.
But those investments aren’t enough to adequately harden security at all – or even most – of the critical infrastructure entities in this country.
In fact, researchers with Gartner have estimated that “less than 30% of U.S. critical infrastructure owners and operators will meet newly-mandated government security requirements for cyber-physical systems” through 2026.
We must recognize that for too long the industry has had a culture of running extremely lean, which in turn, has led to a chronic underinvestment in security. At the same time it continues to run operations on legacy systems that cannot be patched.
That combination has left utilities overly vulnerable to attacks today.
Now is the time to change that.
CISA lists a number of recommendations as part of its Shields Up guidance to organizations. It advises CEOs and other executives to empower their CISOs, include CISOs in decision-making and prioritize security investments. CISA also advises executives to lower reporting thresholds, test their incident response plans, focus on continuity and – ominously – “plan for the worst.”
CISA also recommends a series of proactive defense actions, such as implementing multifactor authentication and prioritizing software updates, to help reduce the likelihood of a damaging cyber intrusion.
Here at Rokster, we endorse such moves and are advising utility owners and operators to tighten their defenses and strengthen their security posture. Those are always necessary moves, but they’re more critical today than ever before given the Russian-backed hacking activities we’re seeing.
Indeed, we’re also recommending that utilities take additional steps, such as:
- disabling nonessential connectivity to business-critical systems
- increasing the security of remote-access capabilities
- increasing the sensitivity of SIEM tools to reduce the threshold for alerting potentially suspicious activities
- paying more attention to anomalies that could hint at compromise
- adding or increasing both endpoint detection and threat detection capabilities
- automating security responses as much as possible to bring speed and efficiency, while decreasing the chance of alert fatigue
- adding staff to ensure the security team has the capacity to perform the work needed today
We’re also advising owners and operators to, first, review their incident response plans and then run drills using them. These two exercises should reveal any shortcomings with the plans, allowing those to be addressed now instead of during an actual event. They also help teams develop some muscle memory and understand the procedures they must follow to ensure continuity and recovery.
Advisors and owners also want to build into their incident response plans the procedures to follow for simultaneously conducting a root cause analysis. This is a critical step that you don’t want to skip. Hackers often return to where they’ve had success, and if you don’t address the vulnerabilities that the hackers exploited the first time, you could find yourself victimized again.
Given the state of the world, we agree with government officials and other security leaders that there’s a high likelihood of attacks. And given the existing vulnerabilities within critical infrastructure, we unfortunately think we could see something like last year’s Colonial Pipeline incident happen again.
However, we don’t accept that as an inevitability. We know that the more actions we take now, the more investments we make in a defense-in-depth security strategy, the better we can get at thwarting attacks – wherever they come from.
Worried about how cyber attacks may impact your business? Let’s Talk!
Why Utility Providers Need Robust Cybersecurity | State of Cybersecurity
Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA, discusses why a robust cybersecurity process is particularly important for companies like utilities whose services are crucial to a functioning society.
So, I think the biggest point we need to touch up here on why it’s dangerous to utility companies is because utility companies and their Industrial Control System networks affect the real world around them. This could be not just with utilities, but manufacturing.
But with utilities, it could shut down oil pipelines, create gas shortages, create power blackouts. Manufacturing can stop – especially with pharmaceutical companies where people need drugs, their production can be ceased.
Emergency Management Systems can fall victim to ransomware and that would create causing them to be unable to respond to emergency situations. Transportation networks, which could shut down shipping and railways.
Don’t let your utility or Industrial Control System network fall victim to ransomware. Schedule a Ransomware Readiness Assessment with us today!
Cyber Perimeters: An Evolving Concept
No utility would have a single key that could be used to open every lock. If it did, all its assets – even the most critical ones – would be vulnerable should some bad actor steal or copy it. Yet many utilities do something very similar when it comes to their electronic environments: They have keys that hackers could swipe and then use to gain access to most, if not all, their systems.
What are those keys? They’re the identities that employees and devices use to connect with the computer applications, networks, and servers they need to do their jobs. That’s because hackers know how to use just a single compromised identity to unlock increasing levels of access within IT and OT environments as they work toward their intended targets. Given that, utilities must develop and implement a cybersecurity strategy that accounts for such a threat and evolve their defenses accordingly.
Utilities should start by understanding the threat, which exists even if they have both strong perimeter defenses (i.e. firewalls) and a segmented environment that segregates their industrial control systems and operational technology (ICS/OT) from their information technology (IT). We know hackers can – and do – breach firewalls and are adept at finding ways to lurk around IT environments as they seek high-value assets. This is where identity can become a risk.
Here’s how: a subject – that is, an individual or a device – uses its identity to access applications, networks and/or servers. Perhaps it’s an employee who signs into their desktop and then, in the course of doing their job, uses that same identity to access a database, a file server, the company’s intranet web server, a collaboration platform, a cloud-based app and next a website. That employee has now created an identity perimeter that encompasses all those components.
Meanwhile, a network or database administrator signs into the IT environment to do their work and accesses some of the same systems as the first employee. Then the administrator accesses a system within the OT environment – not an uncommon scenario in many utilities. All the components that the administrator is using is now within their identity perimeter, which also now extends into the OT environment.
Moreover, the first employee’s identity perimeter overlaps with the administrator’s identity perimeter.
In a perfect world, that’s no big deal. But in reality there’s a big risk because if hackers compromise that first employee’s identity, even if the employee has low-levels permissions, they can use that to start unlocking more and more access. Those hackers can use that single compromised identity to move laterally within the environment where they can intersect with the administrator’s identity perimeter.
If they can then compromise that administrator’s identity, they can then use it to access systems within the administrator’s reach. In many utilities, that could include the OT environment. And once in that OT environment, the hackers could continue their lateral moves and perhaps compromise another overlapping identity that they can use to access even more critical systems.
The risks that come with these overlapping identity perimeters is not theoretical. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) in 2018 released an alert about an advanced persistent threat (APT) that uses compromised identities to first gain access into IT environments and then harvest credentials to elevate their access. Believed to be Russian-based and known as Dragonfly 2.0, this APT has been targeting the utility and critical manufacturing sectors. Similarly, another entity, known as Xenotime, has been targeting utilities – and more specifically their industrial safety systems – using various attack tactics including credential harvesting. Such threats pose a significant risk to the typical organization, in which a subject (whether an individual or a device) uses the same single identity to access many components of the environment.
Think of it this way: That first compromised identity becomes a key that hackers could then use to gain access to any and all systems that the subject is authorized to access – and then exploit that access to compromise other identities whose access overlaps with it.
Security leaders need to evolve their strategies to account for the risks we’re seeing around overlapping identity perimeters and implement measures to limit those risks. They should first ensure that subjects (whether individual users or devices) only have access to the systems they require to do their jobs and nothing more than that. This is the principle of least privilege, and it keeps a subject’s identity perimeter as small as possible.
That, however, is only the start. Security executives should implement another layer of barriers around assets, particularly critical applications, networks and servers; they can create those barriers by requiring subjects to have a different identity (preferably with multifactor authentication) to access each individual critical asset. This approach limits the size of identity perimeters and can limit overlaps that facilitate the lateral moves that hackers seek to make. In other words, this approach can significantly limit a hacker’s ability to use a single compromised identity to move through the IT environment to escalate permissions and gain access to critical systems and possibly the OT environment itself.
An identity and access management (IAM) strategy that encompasses this approach ultimately helps utilities strengthen their security posture. Of course, this approach should not replace other, existing security measures. Firewalls and segmented networks are still essential elements of a strong security program, as are basic cybersecurity hygiene and a robust employee cybersecurity awareness program.
Still, an identity perimeter security strategy should become one more layer that’s required for a mature defensive position so we’re not leaving any keys that hackers can use to unlock our technology environments.
Looking for cybersecurity advice? Or maybe a bit more information? Let’s Talk!
Ransomware 101: How to Prevent an Attack and What to Do if You Fall Victim
It seems like ransomware attacks are lurking around every corner—a threat that is especially heightened for industrial control systems and utility companies in the U.S. For these industries, a ransomware attack could mean dire consequences for a wide range of people. In the below Q&A, our Vice President of Cybersecurity & Compliance, Dominick Birolin (CSSP, CISA, NSE3), shares how you can safeguard against these attacks and what to do if you fall victim to one.
Q: Why is ransomware dangerous for utility and industrial control systems – what’s at stake?
A: For utilities and industrial control systems, it goes beyond what you’d find on a normal enterprise network. These networks impact the real world around us. There are wide-reaching consequences in the event that these networks are compromised. For instance, it could mean a shut down on the oil pipeline (as in the case of Colonial Pipeline 2021), power grids could be blacked out (Ukraine power grid attack 2015), manufacturing can stop (Honda manufacturing plants 2020) , and so on. With industrial control systems—like emergency management systems or transportation networks—they can all cease to work properly and that can impact millions of people and have wide ranging impacts to health, resources, and finances.
Q: Why is ransomware so prevalent right now?
A: The motivation with hackers and ransomware, first and foremost, is the financial incentive. Exfiltration of intellectual property to resell later is another financial component. These attacks are becoming more and more prevalent now because there has been a culture of not having proper cybersecurity controls in place to mitigate against the propagation and infiltration of attacks. ICS/OT systems present unique security challenges. They have a much longer patch cycle, some systems may be end-of-life, protocols are different from traditional IT networks, and remote access for trouble shooting by vendors are often not secured properly.
You have to remember that over 50% of attacks are actually introduced to networks via the enterprise or IT network and then they propagate across to the OT/ICS boundary.
These networks used to be air gapped but that’s no longer the case. The culture is to run lean, so it becomes increasingly difficult to apply cybersecurity controls such as patch mitigation, perimeter defense network segmentation, etc. But the need to pull data out of these networks has increased attack vectors that the industry previously hadn’t seen and there has not been a Defense in Depth approach needed to counteract that. Because early networks were air gapped, this wasn’t initially a concern but with the need to pull data from these control system environments, we have increased the attack vectors and with it, the likelihood of attacks.
Q: What can companies do to safeguard against ransomware attacks?
A: First we need to address the fact that there’s no magic bullet. Every comprehensive strategy is a Defense in Depth approach, which involves many components, some of which are:
- Testing your disaster recovery plan to ensure it is viable
- System data configuration and inventory of your file backup systems
- Patch management and vulnerability mitigation programs
- Quarantine capabilities including network segmentation and application layer inspection of segment ingress/egress traffic
- Network monitoring and threat detection to know if you are indeed infiltrated by ransomware and be able to respond to it
- Incident response is also key – not just this but also training cybersecurity personnel to deal with these types of ransomware attacks, mitigation of threats, communications to government agencies, and roles and responsibilities of responders
- Network perimeter defense
- Endpoint Detection and Response (EDR)
- System Hardening techniques
Q: What should companies do immediately after realizing they are victims of a ransomware attack?
A: First, enact your incident response plan and hopefully apply kill chain to stop the propagation of the ransomware. Then, assess where you are from a disaster recovery standpoint while preserving the cybersecurity forensic evidence for further investigation.
The next steps are really just evaluating what it’s going to cost you to recover or if you should pay the ransom. Do you have the ability to recover to full functionality without paying the ransom? That leads to other considerations like: is it legal to pay the ransom? What’s the operational impact cost? What’s the total loss of the incident going to cost you and how much will it cost to recuperate from that?
Root cause analysis is also key. In these environments we routinely see that companies recover from ransomware attacks and they don’t do a root cause analysis. This leaves them prone to having a repeat attack and it is the ransomware gang’s modus operandi to repeat these attacks on organizations that do not mitigate the root cause.
These are all considerations, but one point to emphasize is that whatever any cybersecurity professional does needs to have defensible evidence to support their case.
Q: What, if anything, should companies be doing to inform employees about cybersecurity best practices to avoid ransomware attacks?
A: It all starts with employees. The most likely attack vector is your enterprise or IT network – like I mentioned previously, this accounts for over 50% of attacks. There are four main causes for this: phishing emails, remote desktop protocol (RDP) used for propagation, click bait, and drive-by downloads.
The key here is having a robust cybersecurity awareness program that informs employees on what to recognize in a potential attack and encourages them to report anything suspicious to their IT department.
Q: If you had only one piece of advice for companies around ransomware, what would it be?
A: Be diligent in your cybersecurity approach. Develop and apply a comprehensive cybersecurity risk management program. Cybersecurity is not convenient but knowing the impact to your operations and then mitigating to your acceptable risk level is key to being successful in this area.
Q: What can utility companies do to know if they are properly protected or not?
A: If you’re unsure and don’t have the internal resources to check, you should hire a capable consulting company or third party like ours to validate your cybersecurity protection via a ransomware readiness assessment.
Interested in learning about our Ransomware Readiness offering? Let’s Talk!
U.S. Officials Warn of Russian Threats to Domestic Critical Infrastructure
Top U.S. defense agencies are warning critical infrastructure owners and operators against growing cyberthreats coming from Russian state-sponsored bad actors.
In a Jan. 11, 2022, joint statement, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency all advise “the cybersecurity community —especially critical infrastructure network defenders—to adopt a heightened state of awareness.”
This warning shouldn’t come as a surprise. The Russian government has a well-known history of sponsoring cyberattacks across the globe, and it has been ramping up its activities in recent years. Consider the figures from Microsoft on this front. Its 2021 Digital Defense Report notes that 58% of all cyberattacks observed by Microsoft from nation-states during the prior year came from Russia. Microsoft also reports that the attacks from Russian nation-state actors are increasingly effective – hitting a 32% successful compromise rate in 2021 vs. 21% the year before.
And the top target of these attacks, according to Microsoft? You guessed it: the United States, followed by Ukraine and the United Kingdom.
Russia is not the only country engaged in such activities, with Microsoft pointing out that (after Russia) North Korea, Iran and China are the top state sponsors of hostile cyber actions. Be aware, too, that the hacking groups and troll farms they shelter within their countries use a full range of technologies and tactics to launch all sorts of attacks, from distributed denial-of-service (DDoS) to ransomware to targeted espionage attacks. They will – and do – use any and all capabilities at their disposal to ensure success.
We know that these countries, particularly Russia, engage in state-sponsored cyberattacks for several reasons – namely to engage in espionage (as noted above), gain political influence and disseminate disinformation as well as to create discord and havoc.
The hacker groups themselves are after the payday.
Take the Colonial Pipeline attack. Authorities named the DarkSide hacking group – a ransomware gang that they believe is based in Russia – as the culprits of the May 2021 successful breach. The Colonial Pipeline CEO told a Senate committee that the company paid $5 million in ransom a day after the attack, which disrupted fuel supplies throughout the Eastern United States.
The damage that these state-sponsored hackers can do is significant. Look at what has happened in Ukraine. Cybercriminals took out the Ukrainian power grid in December 2016, leaving customers throughout the country without power for an hour, while a December 2015 attack knocked out power for nearly 250,000 Ukrainians.
More recently – in fact, just days after the U.S. warning to American entities – Ukraine suffered another crippling attack. This time hackers struck against government agencies, bringing down scores of websites for hours.
European officials blamed Russia for the attack, which indicates with increasing certainty that nation-states are using such tactics not only for political gain but for military purposes as well.
What, then, does this mean for U.S. organizations – and, in particular, the owners and operators of critical infrastructure?
First and foremost it should sound an alarm. Organizations across all industries – but in particular utilities and other such entities – must realize that the hackers targeting them are organized, highly motivated and well-funded. They should know that these hackers have their tactics, techniques and procedures laid out for them so they have the best chances of success when they go to execute.
Second, this should be seen as a call to action.
CISA, the FBI and the NSA in its advisory say as much, telling entities, their executives and their security teams to – in their exact words –
- Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
- Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
We agree with all that advice. We also endorse the agencies’ recommendation that security leaders at utilities and other critical infrastructure facilities adopt the MITRE Adversarial Tactics, Techniques, and Common Knowledge (or MITRE ATT&CK for ICS) framework to ensure they’re implementing appropriate safeguards and controls for industrial systems.
Think of this framework as a database of known attack and mitigation techniques that, when used to guide security strategies, helps organizations create more comprehensive defense, detection and recovery plans and, thus, increase their ability to thwart an attack as well as quickly respond and contain a successful breach.
The NIST Special Publication (SP) 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security as well as the ISO/IEC 27000 series and IEC 62443 for information security management are also effective and worthwhile frameworks to use.
The frameworks have several critical elements in common. They all stress the importance of doing fundamentals – such as vulnerability and patch management – exceedingly well. They also reinforce the need for having robust incident response programs as well as disaster recovery and business continuity plans in place.
A strong security program, however, shouldn’t rely solely on following a framework. Enterprise security leaders must also invest in staff, hiring and training – or contracting – for the skills necessary to implement frameworks and engage in other essential security operations such as threat hunting.
And they should work with their IT and business unit counterparts to ensure the systems within their information technology (IT) and operational technology (OT) environments are modern and still supported by vendors.
Unfortunately, for various reasons, utilities often run operational technologies that are well past end of life with unpatched vulnerabilities – a practice that needs to stop. Similarly, OT cybersecurity practices have lagged behind IT security in maturity. That, too, must change.
Organizations need to develop a depth-in-defense approach to security. Utilities – faced with the threat from Russia and other nation-states – should be at the forefront of taking this action.
We work with such entities to do that, to adopt frameworks and to align framework requirements to each organization’s unique risk profile and security objectives. Taking such action is an imperative, given who the adversaries are today, as CISA, the FBI and the NSA have warned.
Need advice on how to protect your critical infrastructure? Let’s Talk!
The Log4j Exploit and Ransomware
BitDefender reported yesterday that ransomware gangs are now utilizing the Log4j exploit to install ransomware. This raises the stakes for organizations that have not undertaken efforts to patch the vulnerability or mitigate the threats for systems that do not yet have patches available.
This ransomware does not contain a clear way to contact the threat actor to pay the ransom. So in cases where victims’ files are encrypted, they may have a difficult time recovering their files even if they are willing to pay the ransom. This is the first known case of a ransomware gang utilizing the Log4j exploit to directly install ransomware.
On Monday, Apache released Log4J version 2.16 to fix another problem: CVE-2021-45046. Previously, it was thought that version 2.15 corrected the issue. However, there was a new flaw discovered in version 2.15. It is highly suggested that anyone who patched to version 2.15 immediately install version 2.16, which corrects the CVE-2021-45046 problem. The flaw fixed in version 2.16 “doesn’t seem to permit remote code execution or data exfiltration; it’s merely a denial-of-service attack that might cause the affected process to hang,” according to Paul Ducklin, a research scientist at Sophos.
The cybersecurity community expects that not only criminals, but also Chinese, Iranian, and other state-sponsored groups will move quickly to leverage this vulnerability. Organizations need to take appropriate measures to ensure their security. If organizations do not have appropriate in-house resources, they should reach out to organizations like ours that can provide help.
Facing a Ransomware attack or need help securing your systems? Let’s Talk!
Understanding the Different Needs, Approaches for OT Security in the Utilities Space
Cybersecurity managers continue to face significant challenges when it comes to recruiting and retaining the professionals needed to secure their organizations – with studies showing that hiring the right cybersecurity skills is only getting harder.
It’s even tougher, though, for utilities to hire qualified security workers because utilities must protect both the usual information technology (IT) stack that runs their business operations as well as the operational technology (OT) that delivers the critical services that the utilities provide.
Although there are some overlapping skills, protecting IT and safeguarding OT require different expertise and different strategies.
As such, utilities can’t successfully secure their organizations if they have only the standard IT-oriented cybersecurity skills on their teams because those professionals – as skilled as they may be – don’t know the unique security challenges of operational environments. Utilities need people who have the specific expertise and specialized acumen needed to secure operational technology.
Utilities who lack those specialized OT security skills risk not only a breach but also risk hindering their operations. Apply some standard IT cybersecurity techniques to operational technology, you have a good chance of negatively impacting operations.
There are plenty of examples that illustrate why IT and OT security are different disciplines. Consider firewall selection. Security experts working in utilities should know to choose firewalls that work with and are able to inspect Industrial Control System (ICS) and OT protocols – an additional selection requirement that only security professionals with OT-focused expertise would likely know.
Similarly, security experts working in utilities need to understand which hardware scanning tools to use – or whether to use any at all – within their organizations. Most hardware scanning tools aren’t effective in an OT environment and, in fact, can do more harm than good if deployed without proper configuration. For instance, a Network Mapper (Nmap) scan is a standard tool used to find open ports and detect systems running on remote machines in an IT environment. But run it in an OT environment and it will likely brick the older remote terminal units. Utility personnel then will have to reboot the Remote Terminal Unit (RTU) and hope that maneuver works. If it doesn’t work, which is frequently the case, then they’ll have to actually replace the RTU. In the interim, without an operable RTU, the utility will be without remote control capabilities and the telemetry it needs for optimal operations.
There are other circumstances related to OT environments that create unique security challenges for utilities.
Utilities use proprietary, purpose-built technologies to run their operations; these are not standard off-the-shelf systems. As a result, vendors don’t offer security patches for such systems at the same speed and frequency they do for their standard applications. Instead, vendors take more time to test and issue patches to fix identified security problems within proprietary software. Vendors that offer weekly or monthly patches for their standard software could take 4-6 months to release patches for custom-built OT systems. Meanwhile, hardware vendors might only come out with updates once a year. That means utilities must live with known vulnerabilities within their environments for months and therefore should know how to configure their security strategies accordingly.
OT systems also tend to have significantly longer lifecycles than IT applications and platforms. It’s not uncommon to find operational technologies that are 15 to 20 years old; a utility, for example, could have decades-old switch relays. Contrast that with IT systems, which today typically have lifecycles of five years or less. Consequently, most or even all of the systems within a modern IT stack have been built with current security risks and threats in mind. On the other hand, those old OT systems have no such built-in considerations; they simply weren’t designed to handle modern cybersecurity threats.
Moreover, those older OT systems are usually end of life. That means vendors aren’t issuing any more patches even as they uncover new security vulnerabilities. And utilities often must run outdated, unsupported IT systems, such as older versions of Microsoft Windows, because they need those legacy IT systems in place to work with the legacy OT systems. That further complicates the security scenario within the OT environment.
Now there is some good news on the security front for utilities. A typical OT environment has a much lower number of gateways to the Internet, if any, than a standard IT environment, making OT environments a bit safer from external breaches when compared to IT infrastructures.
That, however, hardly negates the cybersecurity risks to utilities – and the significant consequences that could come with a successful cyber-related breach.
In fact, the potential magnitude of a compromised physical equipment tends to be greater than that of a data breach within an IT environment. Even slight OT cyber incidents can lead to not only huge financial losses but damaging ramifications, too, such as water contamination, gas shortages, manufacturing down time, and power outages.
Utility leaders must recognize what’s at stake and why finding security help skilled in OT is so critical. They should recognize that IT security prioritizes privacy and confidentiality – essentially guarding data against unauthorized access. But OT security must prioritize safety and reliability, because an OT-related cybersecurity attack can put utility personnel and the public itself at risk of injury or even death.
We’ve already witnessed the damage that security incidents involving operational technology can cause. A 2007 Department of Homeland Security program called the Aurora Project, which was intended to bring attention to the issue of cybersecurity, exploited a known vulnerability that resulted in over-torque stresses in a generator. Hackers breached a Florida water treatment plant in February 2021 and tried to poison the water by changing the levels of added chemicals – a change caught by a diligent worker before it was executed. And the May 2021 ransomware attack on Colonial Pipeline caused gas shortages around the East Coast for weeks.
Such incidents highlight the importance of having security professionals with the expertise needed for OT, and not just IT, environments.
Utilities need security specialists with the experience and skills to administer patches which require them to take down highly sensitive OT environments that were designed to run 24/7. They need professionals capable of choosing the right security tools for their own unique requirements. And they need cybersecurity workers who can devise holistic security strategies that account for all such issues.
Utilities benefit from cybersecurity professionals who can successfully collaborate with the plant engineers who built and now run the operational technology, who can understand the unique complexities of the operational technologies that run their utilities, and who can design and deliver a layered, defense-in-depth approach that prioritizes the protection of the utility’s most critical assets.
Does your utility need help understanding the different approaches to OT security? Let’s Talk!
What Motivates Hackers for Ransomware? | State of Cybersecurity
Hackers will exploit an unprotected system in whatever ways they can. Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA, speaks to their motivations and some areas that companies falter in protecting against repeat attacks.
What motivates hackers for ransomware? I think that overwhelmingly it’s the financial component. Obviously getting the ransomware payments is a big motivating factor. Secondly, they’ve been successful.
We’ve seen companies that failed to identify Root Cause Analysis, so they’ve fallen victim to ransomware multiple times. They’re easier targets than their Enterprise IT counterparts.
Also, data – if they are able to exfiltrate company data, they can steal intellectual property, which could be for Research & Development, that can be very costly to a company.