Ransomware Readiness Archives - Strive Consulting, LLC. All Rights Reserved.

Why Utility Providers Need Robust Cybersecurity | State of Cybersecurity

Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA, discusses why a robust cybersecurity process is particularly important for companies like utilities whose services are crucial to a functioning society.

Transcript:

So, I think the biggest point we need to touch on here, on why it’s dangerous to utility companies, is that utility companies and their Industrial Control System networks affect the real world around them. This applies not just to utilities, but to manufacturing.

But with utilities, it could shut down oil pipelines, create gas shortages, create power blackouts. Manufacturing can stop – especially with pharmaceutical companies where people need drugs; their production can cease.

Emergency Management Systems can fall victim to ransomware, and that would leave them unable to respond to emergency situations. Transportation networks can be hit too, which could shut down shipping and railways.

Don’t let your utility or Industrial Control System network fall victim to ransomware. Schedule a Ransomware Readiness Assessment with us today! 

Categories: blog, Cybersecurity & Compliance, Ransomware Readiness

Ransomware 101: How to Prevent an Attack and What to Do if You Fall Victim

It seems like ransomware attacks are lurking around every corner—a threat that is especially heightened for industrial control systems and utility companies in the U.S. For these industries, a ransomware attack could mean dire consequences for a wide range of people. In the Q&A below, our Vice President of Cybersecurity & Compliance, Dominick Birolin (CISSP, CISA, NSE3), shares how you can safeguard against these attacks and what to do if you fall victim to one.

Q: Why is ransomware dangerous for utility and industrial control systems – what’s at stake?

A: For utilities and industrial control systems, it goes beyond what you’d find on a normal enterprise network. These networks impact the real world around us. There are wide-reaching consequences in the event that these networks are compromised. For instance, it could mean a shutdown of an oil pipeline (as in the case of Colonial Pipeline, 2021), power grids could be blacked out (Ukraine power grid attack, 2015), manufacturing can stop (Honda manufacturing plants, 2020), and so on. With industrial control systems—like emergency management systems or transportation networks—they can all cease to work properly, and that can impact millions of people and have wide-ranging impacts on health, resources, and finances.

Q: Why is ransomware so prevalent right now?

A: The motivation for hackers and ransomware, first and foremost, is the financial incentive. Exfiltration of intellectual property to resell later is another financial component. These attacks are becoming more and more prevalent now because there has been a culture of not having proper cybersecurity controls in place to mitigate against the propagation and infiltration of attacks. ICS/OT systems present unique security challenges. They have a much longer patch cycle, some systems may be end-of-life, protocols are different from traditional IT networks, and remote access for troubleshooting by vendors is often not secured properly.

You have to remember that over 50% of attacks are actually introduced to networks via the enterprise or IT network and then they propagate across to the OT/ICS boundary.

These networks used to be air gapped, but that’s no longer the case. The culture is to run lean, so it becomes increasingly difficult to apply cybersecurity controls such as patch mitigation, perimeter defense, network segmentation, etc. But the need to pull data out of these networks has introduced attack vectors that the industry previously hadn’t seen, and the Defense in Depth approach needed to counteract them has not been put in place. Because early networks were air gapped, this wasn’t initially a concern, but with the need to pull data from these control system environments, we have increased the attack vectors and with them the likelihood of attacks.

Q: What can companies do to safeguard against ransomware attacks?

A: First we need to address the fact that there’s no magic bullet. Every comprehensive strategy is a Defense in Depth approach, which involves many components, some of which are:

  • Testing your disaster recovery plan to ensure it is viable
  • System data configuration and inventory of your file backup systems
  • Patch management and vulnerability mitigation programs
  • Quarantine capabilities including network segmentation and application layer inspection of segment ingress/egress traffic
  • Network monitoring and threat detection to know if you are indeed infiltrated by ransomware and be able to respond to it
  • Incident response is also key – not just this but also training cybersecurity personnel to deal with these types of ransomware attacks, mitigation of threats, communications to government agencies, and roles and responsibilities of responders
  • Network perimeter defense
  • Endpoint Detection and Response (EDR)
  • System Hardening techniques

Q: What should companies do immediately after realizing they are victims of a ransomware attack?

A: First, enact your incident response plan and hopefully apply kill chain to stop the propagation of the ransomware. Then, assess where you are from a disaster recovery standpoint while preserving the cybersecurity forensic evidence for further investigation.  

The next steps are really just evaluating what it’s going to cost you to recover or if you should pay the ransom. Do you have the ability to recover to full functionality without paying the ransom? That leads to other considerations like: is it legal to pay the ransom? What’s the operational impact cost? What’s the total loss of the incident going to cost you and how much will it cost to recuperate from that?

Root cause analysis is also key. In these environments we routinely see that companies recover from ransomware attacks and they don’t do a root cause analysis. This leaves them prone to having a repeat attack and it is the ransomware gang’s modus operandi to repeat these attacks on organizations that do not mitigate the root cause.

These are all considerations, but one point to emphasize is that whatever any cybersecurity professional does needs to have defensible evidence to support their case.

Q: What, if anything, should companies be doing to inform employees about cybersecurity best practices to avoid ransomware attacks?

A: It all starts with employees. The most likely attack vector is your enterprise or IT network – like I mentioned previously, this accounts for over 50% of attacks. There are four main causes for this: phishing emails, remote desktop protocol (RDP) used for propagation, click bait, and drive-by downloads.

The key here is having a robust cybersecurity awareness program that informs employees on what to recognize in a potential attack and encourages them to report anything suspicious to their IT department.

Q: If you had only one piece of advice for companies around ransomware, what would it be?

A: Be diligent in your cybersecurity approach. Develop and apply a comprehensive cybersecurity risk management program. Cybersecurity is not convenient but knowing the impact to your operations and then mitigating to your acceptable risk level is key to being successful in this area.

Q: What can utility companies do to know if they are properly protected or not? 

A: If you’re unsure and don’t have the internal resources to check, you should hire a capable consulting company or third party like ours to validate your cybersecurity protection via a ransomware readiness assessment.

Interested in learning about our Ransomware Readiness offering? Let’s Talk!


U.S. Officials Warn of Russian Threats to Domestic Critical Infrastructure

Top U.S. security agencies are warning critical infrastructure owners and operators about growing cyberthreats coming from Russian state-sponsored actors.

In a Jan. 11, 2022, joint statement, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency all advise “the cybersecurity community —especially critical infrastructure network defenders—to adopt a heightened state of awareness.”

This warning shouldn’t come as a surprise. The Russian government has a well-known history of sponsoring cyberattacks across the globe, and it has been ramping up its activities in recent years. Consider the figures from Microsoft on this front. Its 2021 Digital Defense Report notes that 58% of all cyberattacks observed by Microsoft from nation-states during the prior year came from Russia. Microsoft also reports that the attacks from Russian nation-state actors are increasingly effective – hitting a 32% successful compromise rate in 2021 vs. 21% the year before.

And the top target of these attacks, according to Microsoft? You guessed it: the United States, followed by Ukraine and the United Kingdom.

Russia is not the only country engaged in such activities, with Microsoft pointing out that (after Russia) North Korea, Iran and China are the top state sponsors of hostile cyber actions. Be aware, too, that the hacking groups and troll farms they shelter within their countries use a full range of technologies and tactics to launch all sorts of attacks, from distributed denial-of-service (DDoS) to ransomware to targeted espionage attacks. They will – and do – use any and all capabilities at their disposal to ensure success.

We know that these countries, particularly Russia, engage in state-sponsored cyberattacks for several reasons – namely to engage in espionage (as noted above), gain political influence and disseminate disinformation as well as to create discord and havoc.

The hacker groups themselves are after the payday.

Take the Colonial Pipeline attack. Authorities named the DarkSide hacking group – a ransomware gang that they believe is based in Russia – as responsible for the May 2021 breach. The Colonial Pipeline CEO told a Senate committee that the company paid roughly $4.4 million in ransom (75 bitcoin) within a day of discovering the attack, which disrupted fuel supplies throughout the Eastern United States.

The damage that these state-sponsored hackers can do is significant. Look at what has happened in Ukraine. State-backed attackers cut power to part of Kyiv in December 2016 for about an hour, and a December 2015 attack on three regional distribution companies left roughly 225,000 Ukrainians without power for several hours.

More recently – in fact, just days after the U.S. warning to American entities – Ukraine suffered another crippling attack. This time hackers struck against government agencies, bringing down scores of websites for hours.

European officials blamed Russia for the attack, which indicates with increasing certainty that nation-states are using such tactics not only for political gain but for military purposes as well.

What, then, does this mean for U.S. organizations – and, in particular, the owners and operators of critical infrastructure?

First and foremost it should sound an alarm. Organizations across all industries – but in particular utilities and other such entities – must realize that the hackers targeting them are organized, highly motivated and well-funded. They should know that these adversaries have rehearsed tactics, techniques and procedures ready before they execute, so they go in with the best chances of success.

Second, this should be seen as a call to action.

CISA, the FBI and the NSA say as much in their advisory, telling entities, their executives and their security teams to – in their exact words –

  • Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
  • Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
  • Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

We agree with all that advice. We also endorse the agencies’ recommendation that security leaders at utilities and other critical infrastructure facilities adopt the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, and specifically its ATT&CK for ICS matrix, to ensure they’re implementing appropriate safeguards and controls for industrial systems.

Think of this framework as a knowledge base of adversary techniques observed in real intrusions, each paired with the mitigations and detection opportunities that apply to it. Used to guide security strategy, it helps organizations create more comprehensive defense, detection and recovery plans and thus increases their ability to thwart an attack and to quickly respond to and contain a successful breach.

The NIST Special Publication (SP) 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security, the ISO/IEC 27000 series for information security management, and IEC 62443 for industrial automation and control system security are also effective and worthwhile frameworks to use.

The frameworks have several critical elements in common. They all stress the importance of doing fundamentals – such as vulnerability and patch management – exceedingly well. They also reinforce the need for having robust incident response programs as well as disaster recovery and business continuity plans in place.

A strong security program, however, shouldn’t rely solely on following a framework. Enterprise security leaders must also invest in staff, hiring and training – or contracting – for the skills necessary to implement frameworks and engage in other essential security operations such as threat hunting.

And they should work with their IT and business unit counterparts to ensure the systems within their information technology (IT) and operational technology (OT) environments are modern and still supported by vendors.

Unfortunately, for various reasons, utilities often run operational technologies that are well past end of life with unpatched vulnerabilities – a practice that needs to stop. Similarly, OT cybersecurity practices have lagged behind IT security in maturity. That, too, must change.

Organizations need to develop a defense-in-depth approach to security. Utilities – faced with the threat from Russia and other nation-states – should be at the forefront of taking this action.

We work with such entities to do that, to adopt frameworks and to align framework requirements to each organization’s unique risk profile and security objectives. Taking such action is an imperative, given who the adversaries are today, as CISA, the FBI and the NSA have warned.

Need advice on how to protect your critical infrastructure? Let’s Talk


The Log4j Exploit and Ransomware

Bitdefender reported yesterday that ransomware gangs are now utilizing the Log4j exploit (for CVE-2021-44228, the Log4Shell vulnerability) to install ransomware. This raises the stakes for organizations that have not undertaken efforts to patch the vulnerability or mitigate the threat on systems that do not yet have patches available.

This ransomware does not contain a clear way to contact the threat actor to pay the ransom. So in cases where victims’ files are encrypted, they may have a difficult time recovering their files even if they are willing to pay the ransom. This is the first known case of a ransomware gang utilizing the Log4j exploit to directly install ransomware.

On Monday, Apache released Log4j version 2.16.0 to fix another problem: CVE-2021-45046. Previously, it was thought that version 2.15.0 corrected the issue. However, a new flaw was discovered in version 2.15.0. It is highly suggested that anyone who patched to version 2.15.0 immediately install version 2.16.0, which corrects the CVE-2021-45046 problem. The flaw fixed in version 2.16.0 “doesn’t seem to permit remote code execution or data exfiltration; it’s merely a denial-of-service attack that might cause the affected process to hang,” according to Paul Ducklin, a research scientist at Sophos. Apache has since raised the severity of CVE-2021-45046 after finding that, in certain non-default configurations, it can lead to remote code execution, so the upgrade should not be deferred on the grounds that the residual risk is only a hang.
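The first step in that upgrade is knowing where log4j-core actually lives. The scanner below is an added example for this post, not a Strive tool or Apache's own checker: it walks a directory tree, opens each jar, reads the Maven pom.properties that log4j-core ships with, checks for the JndiLookup class that Apache's interim workaround told operators to delete, and reports each jar as patched (2.16.0 or later, or the 2.12.2 Java 7 backport), mitigated, or vulnerable. The three sample jars it builds in a temporary directory are constructed stand-ins containing only the two entries the scanner inspects; nested jars inside war or ear files and shaded copies are outside its scope.

```python
"""Find log4j-core jars under a directory and classify them for CVE-2021-44228/45046.

Added illustration, not Strive's tooling. It relies on two things a real
log4j-core jar carries: its Maven pom.properties (with a version= line) and,
in unmitigated builds, the JndiLookup class that Apache told operators to delete.
"""
import os
import re
import tempfile
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)              # first 2.x release addressing both CVEs
FIXED_BACKPORTS = {(2, 12, 2)}  # Java 7 backport carrying the same fixes


def parse_version(pom_properties):
    """Pull a.b.c out of the 'version=' line of a Maven pom.properties."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version, has_jndi_lookup):
    """Return 'patched', 'mitigated' or 'vulnerable' for one log4j-core jar."""
    if version is not None and (version >= FIXED or version in FIXED_BACKPORTS):
        return "patched"
    if not has_jndi_lookup:
        # Apache's interim workaround: JndiLookup.class removed from the jar.
        return "mitigated"
    return "vulnerable"


def inspect_jar(path):
    """Return a finding dict for a log4j-core jar, or None for any other jar."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PATH not in names:
                return None
            version = parse_version(zf.read(POM_PATH).decode("utf-8", "replace"))
    except zipfile.BadZipFile:
        return None
    return {"path": path, "version": version,
            "status": classify(version, JNDI_CLASS in names)}


def scan_tree(root):
    """Walk root, inspect every .jar, and return findings sorted by path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_jar(directory, name, version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar: only the two entries the
    scanner looks at, so the example runs offline."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic; body irrelevant
    return path


def demo():
    """Build three sample jars and return {status: [jar names]}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(tmp, "log4j-core-2.14.1.jar", "2.14.1", True)
        build_sample_jar(tmp, "log4j-core-2.15.0-stripped.jar", "2.15.0", False)
        build_sample_jar(tmp, "log4j-core-2.16.0.jar", "2.16.0", True)
        summary = {}
        for f in scan_tree(tmp):
            summary.setdefault(f["status"], []).append(os.path.basename(f["path"]))
        return summary


if __name__ == "__main__":
    for status, jars in sorted(demo().items()):
        print(status, jars)
```

Point scan_tree at an application server's deployment directories rather than the temporary directory the demo uses; anything reported as "mitigated" still needs the version upgrade once a maintenance window allows it, and anything "vulnerable" needs it now.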

The cybersecurity community expects that not only criminals, but also Chinese, Iranian, and other state-sponsored groups will move quickly to leverage this vulnerability. Organizations need to take appropriate measures to ensure their security. If organizations do not have appropriate in-house resources, they should reach out to organizations like ours that can provide help.

Facing a Ransomware attack or need help securing your systems? Let’s Talk


What Motivates Hackers for Ransomware? | State of Cybersecurity

Hackers will exploit an unprotected system in whatever ways they can. Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA, speaks to their motivations and some areas that companies falter in protecting against repeat attacks.

Transcript:

What motivates hackers for ransomware? I think that overwhelmingly it’s the financial component. Obviously getting the ransomware payments is a big motivating factor. Secondly, they’ve been successful.

We’ve seen companies that failed to do a Root Cause Analysis, so they’ve fallen victim to ransomware multiple times. They’re easier targets than their Enterprise IT counterparts.

Also, data – if they are able to exfiltrate company data, they can steal intellectual property, which could be for Research & Development, that can be very costly to a company.

Is your organization susceptible to hacking? Let’s Talk! 


Ransomware Prevention: Who Should Be Responsible? | State of Cybersecurity

“Make sure you have capable cybersecurity professionals … if you don’t have the internal resources to do so, you should hire a capable consulting company,” advises Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA.

Transcript:

In my experience throughout the utility industry, that varies. With the emergence of Operational Technology or Industrial Control Systems process IP, there’s a kind of mixed bag of what you’ll find throughout utility hierarchies and who reports to whom.

Sometimes operations reports to the COO, whereas IT networks report up to the CISO or CIO. The hierarchy doesn’t really matter; you just need to make sure that you have capable cybersecurity professionals and that you have leadership that understands the risks and is committed to mitigating the threat.

If a company is unsure or they don’t have internal resources to do so, they should hire a capable consulting company or third party to validate with a Ransomware Readiness Assessment.

If your organization doesn’t have the resources available to accurately assess your Ransomware Readiness, let’s talk! 


How To Avoid Ransomware Attacks | State of Cybersecurity

Strive’s VP of Cybersecurity & Compliance, Dominick Birolin, CISSP, CISA, explains some of the many ways companies can avoid falling victim to ransomware attacks – from testing your disaster recovery processes to updating user permissions.

Transcript:

You’re going to need to have your disaster recovery plans and you’re going to need to test your disaster recovery plans. If you don’t test your backups, you don’t have viable backups. Also, a lot of ransomware will remain dormant for an extended period of time, so if you’ve backed up an infected image and then you restore to it, you’re back where you started: you’re going to have the ransomware again. So the backup is not actually viable.

You need to have a robust patch management and vulnerability mitigation program to make sure your systems are updated accordingly. You need to have quarantine capabilities – a lot of networks and Industrial Control Systems are flat networks, meaning that they’re not segmented. So you should group your like systems together, and I suggest following the Purdue model for this, which will isolate your networks.

And also, your firewall should be configured for least privilege, so that only the communications needed for operations are allowed through. And these should be audited regularly to make sure that unused firewall rules are closed and no longer in use.

You need to have threat detection. Threat detection can help you recognize when you are having a ransomware attack and then also help you provide a kill chain to stop the propagation of that ransomware attack.

Your endpoint detection and response capabilities, like antivirus, are a big component of whether your machine will be a victim of ransomware. Also, least privilege for rights. I see in a lot of Industrial Control System environments a lot of people running normal operations with administrator rights, which is unneeded. It gives them install rights to the PC. You only need a user account for normal operations. You should have a separate admin account that you use only when you want to install software.

And cybersecurity awareness training for all your employees, network perimeter defense review, and intrusion detection and/or intrusion prevention.

Does your ICS environment need help avoiding a ransomware attack? Let’s Talk! 


How to Prevent a Utility Hack

Every day, hackers – skilled and unskilled, opportunistic and organized – are increasingly taking aim at America’s critical energy infrastructure. They steal confidential information and invade control systems. And, despite years of warnings and crippling attacks, this country’s network of pipelines, electric grids and power plants remains highly vulnerable.

A report from IBM found that the energy industry was the third most targeted sector for attacks, behind only finance and manufacturing. The greatest challenge facing our energy infrastructure is the crucial need to protect systems against both internal and external threats.

In February 2020, the U.S. Department of Homeland Security issued an alert about a ransomware attack that brought down a U.S. natural gas compression facility for two days. The incident was entirely preventable: the hackers had simply sent out phishing emails with a malicious link. With an employee’s single click on the offending link, the hackers gained access to the facility’s information technology network, then pivoted into the operational technology network that runs the compressors.

More recently, one of the largest U.S. fuel pipelines, Colonial Pipeline, shut down its operations for nearly a week in May 2021 after a ransomware attack on its business network. The incident affected fuel distribution up and down the Eastern Seaboard and created a ripple effect that spread across the country.

In another alarming turn of events, when a water treatment facility in Oldsmar, Fla. was hacked in February 2021, that city’s drinking water was put at risk. The intruder, who was never identified, reached an operator workstation through the plant’s remote-access software and took advantage of the lack of a firewall, an outdated operating system, and the fact that staff all shared the same password. The attacker briefly raised the sodium hydroxide setpoint before an operator noticed and reversed the change.

Utility security is also being affected by the industry’s transition from analogue to digital control, by connected technologies such as edge and cloud computing, and by the move from centralized power generation to distributed systems. As a result of these upgrades, information technology (IT) is becoming increasingly bound to operational technology (OT), generating new vulnerabilities and opening the door to more sophisticated and destructive attacks.

With threats on the rise, utility operators are no longer confident in their ability to withstand attacks. But in today’s energy eco-system, there are steps organizations can take to stay ahead of threats.

Cybersecurity Awareness Training

Any organization’s biggest weakness is its people – in fact, over 60% of successful attacks come through phishing emails. Organizations need to have a comprehensive cybersecurity awareness training program that makes users aware of common attacks, how to identify them, and how to avoid them.

Assess Risk

Discuss risks that are reported across the industry and look at how other organizations are responding to the threat environment. Make a complete asset inventory – both hardware and software – and uncover any gaps in the system. Generate an assessment of the organization’s capabilities and compare it to current and predicted attacks. Prioritize areas of risk and make space to adjust defenses, as security needs change over time.

Create an Incident Response Plan

All organizations should have a comprehensive incident response plan that accounts for likely attack vectors and how to identify, categorize, and respond to incidents in real time. Roles and responsibilities should be clearly laid out. The plan should be tested at least annually using different scenarios each time. Lessons learned should be recorded and the incident response plan updated accordingly.

Business Continuity and Disaster Recovery Plans

Organizations need to have a business continuity and disaster recovery plan. These plans account for the business continuing to operate and/or recovering quickly in the event that the organization is breached by a cybersecurity-related incident. They need to cover all likely failure and restoration scenarios. Roles and responsibilities should be clearly laid out. The plans should be tested at least annually using different scenarios each time. Lessons learned should be recorded and the plans updated accordingly.

Improve Technology

Staying current with new security technologies goes a long way to reducing the risk of a breach. Remaining current includes the increasing use of digitization, as utilities that continue to upgrade can have a greater overall grasp on system conditions.

Having a long-term cybersecurity strategy will allow organizations to align both short and long-term cybersecurity objectives. Once this strategy is in place, organizations will have a clearer picture of where resources can be allocated and implemented to have the greatest impact on reduction of operational risk.

Patch and Update

The most hacker-resistant environment is the one that is carefully administered. Stay on top of patching, system/application updates, platform migrations, user administration and configuration management. These basic efforts can reduce the risk of cyber events and opportunistic attacks.

Secure Email

Phishing emails, infected attachments and the use of simple passwords are the number one entry point for malware into an enterprise system. By having a suite of controls on the endpoints and servers in the email environment, security teams can identify and shut down viruses, malware, and other unwanted programs. All endpoints should also remain under management and be kept current. Understanding what threats an organization’s email controls are preventing, and what its exposures are, is an essential element of security hygiene.

Multi-factor / Multi-step Authentication  

Hackers crack, intercept and disclose authentication credentials at an alarming rate. Using strong multi-factor authentication methods, and combining them with detection and alerts on failed login attempts, can provide evidence of what or who may be the focus of targeted attacks. Credentials should also be rotated whenever there is any indication they were exposed, and accounts that are no longer needed removed, so that hackers cannot use previously discovered logins; note that current NIST guidance (SP 800-63B) advises against forced periodic password changes in the absence of such evidence.
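Alerting on failed logins is the part of this section that can be automated directly. The detector below is an added example (not Strive's tooling) that runs over constructed sshd-style authentication lines: for each source address it keeps the failures seen in a two-minute window, raises a burst alert at five failures, a spray alert once three different usernames have been tried, and a success-after-failures alert when a login succeeds while failures are still in the window, which is the case that most deserves a human look. The thresholds, the log format and the addresses are assumptions for the demonstration.

```python
"""Failed-login burst, password-spray and success-after-failures detection.

Added illustration, not Strive's tooling. Input is sshd-style text; the
sample lines below are constructed, not a real capture.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 120   # how long a failure stays relevant (assumed)
FAIL_THRESHOLD = 5     # failures from one source that trigger a burst alert
SPRAY_USERS = 3        # distinct usernames from one source that trigger a spray alert

# Constructed sample log (timestamp, daemon, result, user, source address).
SAMPLE_LOG = """\
2022-01-12T03:14:01 sshd[812]: Failed password for operator from 203.0.113.7 port 51012 ssh2
2022-01-12T03:14:03 sshd[812]: Failed password for operator from 203.0.113.7 port 51013 ssh2
2022-01-12T03:14:05 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
2022-01-12T03:14:06 sshd[812]: Failed password for invalid user scada from 203.0.113.7 port 51015 ssh2
2022-01-12T03:14:08 sshd[812]: Failed password for root from 203.0.113.7 port 51016 ssh2
2022-01-12T03:14:09 sshd[812]: Accepted password for operator from 203.0.113.7 port 51017 ssh2
2022-01-12T03:20:00 sshd[830]: Failed password for hmi from 192.0.2.15 port 40122 ssh2
2022-01-12T03:41:00 sshd[845]: Accepted publickey for hmi from 192.0.2.15 port 40130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")


def parse_line(line):
    """Return a dict for an auth line the regex understands, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def detect(lines):
    """Stream lines in order; return [(alert_kind, source, detail)]."""
    recent = defaultdict(deque)  # source -> deque of (ts, user) failures in window
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["src"]]
        # Drop failures that have aged out of the window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if ev["ok"]:
            if q:  # a success right after a run of failures is the high-value signal
                alerts.append(("success_after_failures", ev["src"], ev["user"]))
            q.clear()
            continue
        users_before = {u for _, u in q}
        q.append((ev["ts"], ev["user"]))
        if len(q) == FAIL_THRESHOLD:  # fire once as the threshold is crossed
            alerts.append(("burst", ev["src"], f"{len(q)} failures in {WINDOW_SECONDS}s"))
        users_after = users_before | {ev["user"]}
        if len(users_before) < SPRAY_USERS <= len(users_after):
            alerts.append(("spray", ev["src"], ",".join(sorted(users_after))))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"{kind:24} {src:15} {detail}")
```

In the sample, 203.0.113.7 trips all three alerts within eight seconds, while the single stale failure from 192.0.2.15 twenty minutes before a key-based login raises nothing, which is the behaviour the window is there to produce. Feed the same function lines from your own authentication source after adjusting the regex, and route the success-after-failures alerts to whoever can force a credential reset.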

Segmentation and Filtering 

Limit the ability of systems to communicate across and outside the network through a combination of controls, such as firewall policies that permit only the flows operations actually require. Forcing outbound traffic through a proxy server is another opportunity to increase security: an egress proxy that allows only approved destinations denies malware its command-and-control channel and the path it would use to exfiltrate data, limiting the impact of a compromise and helping to prevent an incident from becoming a public data breach.
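Both the firewall policies this section calls for and the Purdue-model segmentation the transcripts above recommend come down to one question per flow: does it cross a zone boundary it is allowed to cross, on a port a rule explicitly permits? The checker below is an added example, not Strive's or any vendor's code. It maps addresses to Purdue levels with a constructed zone table, rejects flows that skip a level (an enterprise host talking straight to a Level 2 HMI, or Level 3 reaching a PLC without going through the supervisory layer), requires an explicit allow-list entry for every adjacent-zone flow, and denies anything to or from an unmapped address. The zone addresses, allow-list and sample flows are assumptions made for the demonstration.

```python
"""Purdue-model zone policy check for observed or requested network flows.

Added illustration, not Strive's code. Zone addressing, the allow-list and
the sample flows are constructed for the example.
"""
import ipaddress

# Purdue levels in order; a flow may only span two neighbouring entries.
LEVELS = [5, 4, 3.5, 3, 2, 1, 0]

# Constructed zone table: name -> (level, networks).
ZONES = {
    "enterprise":  (4,   ["10.0.0.0/16"]),
    "ics_dmz":     (3.5, ["10.20.35.0/24"]),
    "site_ops":    (3,   ["10.20.3.0/24"]),
    "supervisory": (2,   ["10.20.2.0/24"]),
    "control":     (1,   ["10.20.1.0/24"]),
}

# Explicit least-privilege allow list: (src_zone, dst_zone, proto, dst_port).
ALLOW = {
    ("enterprise", "ics_dmz", "tcp", 443),     # users read the historian mirror in the DMZ
    ("site_ops", "ics_dmz", "tcp", 1433),      # historian pushes data up to its DMZ mirror
    ("site_ops", "supervisory", "tcp", 4840),  # site historian collects from SCADA over OPC UA
    ("supervisory", "control", "tcp", 502),    # SCADA polls PLCs over Modbus/TCP
}

_NETWORKS = [(ipaddress.ip_network(cidr), name, level)
             for name, (level, cidrs) in ZONES.items() for cidr in cidrs]


def zone_of(ip):
    """Return (zone_name, level) for an address, or (None, None) if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, name, level in _NETWORKS:
        if addr in net:
            return name, level
    return None, None


def adjacent(level_a, level_b):
    """True when the two Purdue levels are direct neighbours."""
    return abs(LEVELS.index(level_a) - LEVELS.index(level_b)) == 1


def check_flow(src, dst, proto, dport):
    """Return ('allow' | 'deny', reason) for one flow."""
    src_zone, src_level = zone_of(src)
    dst_zone, dst_level = zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unmapped address: every ICS endpoint must belong to a known zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    if not adjacent(src_level, dst_level):
        return "deny", (f"{src_zone} (L{src_level:g}) to {dst_zone} (L{dst_level:g}) "
                        f"skips a level; route through the zones in between")
    if (src_zone, dst_zone, proto.lower(), dport) not in ALLOW:
        return "deny", f"no explicit rule for {src_zone} -> {dst_zone} {proto}/{dport}"
    return "allow", f"matches rule {src_zone} -> {dst_zone} {proto}/{dport}"


def audit(flows):
    """Evaluate (src, dst, proto, dport) tuples; returns [(flow, verdict, reason)]."""
    return [(flow, *check_flow(*flow)) for flow in flows]


# Constructed sample flows, as they might appear in a firewall log or a change request.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.20.35.10", "tcp", 443),   # engineer views the historian mirror
    ("10.0.5.20", "10.20.2.15", "tcp", 3389),   # RDP straight from enterprise to an HMI
    ("10.20.2.15", "10.20.1.7", "tcp", 502),    # SCADA polling a PLC
    ("10.20.3.5", "10.20.1.7", "tcp", 502),     # site historian polling a PLC directly
    ("10.20.35.10", "10.20.3.5", "tcp", 22),    # SSH from the DMZ into Level 3
    ("10.20.1.7", "198.51.100.9", "tcp", 443),  # PLC network talking to the internet
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {reason}")
```

Run against a firewall's connection log, the denies are the flat-network shortcuts the transcript above describes; run against a proposed change, a deny is the reason to push back before the rule is added. The allow-list is deliberately the only way an adjacent-zone flow passes, which is what "least privilege" means for a firewall policy.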

Least Privilege or Zero-Trust Architectures

To successfully mitigate the current cybersecurity threat environment, organizations need to implement least privilege or zero-trust architectures. Far too often organizations allow more privileges than are needed for operations for the sake of convenience. This allows far greater access and installation privileges than are necessary for business operations. Cybersecurity is not convenient. Escalated privileges need to be limited in scope to only qualified individuals and used only when necessary.

Clear Ownership of Systems

Align people, processes and technology to mitigate risk. Specific personnel should be assigned responsibility for different aspects of system security, and accountability should be transparent all the way to the C-suite.

Budget Resources

Determine what skillsets and security improvements are needed, and then respond with the budget and resources to implement change. It’s vital that leadership commit to cyber defenses that are equal to the growing risk to utilities.

Invest in Skilled Specialists

Cybersecurity often requires expertise from control engineers, security specialists and network specialists. Investing in talent can change the conversation from what has happened to preventing what could happen.

Our utilities remain at great risk and a significant breach could affect millions of users, damage essential infrastructure and sow chaos. Regardless of how a breach may occur, it’s incumbent upon leaders in the utility industry to make the kinds of substantive change to networks and processes that prevents widespread catastrophe.

Is your utility at risk for a cyberattack? You may benefit from our Ransomware Readiness offering. Let’s Talk
