It was a typical request to set up an interview for a client: “For years, information technology (IT) and operational technology (OT) have operated as separate entities, but now we are beginning to see a shift within organizations.”
Actually, I have no interest in another “IT/OT Convergence” story. I think that leading organizations have structured things to bring the groups together. Even the average firms have seen the light. As usual, there’s no hope for the laggards.
The reply bounced back to me. It seems that the take is less the now trite IT/OT Convergence theme and more how the groups are coming together because of the cybersecurity risks inherent in some wide-open IoT networks and devices.
Phil Neray, VP of IoT and Industrial Cybersecurity at CyberX, told me that board-level concern about the risk of cybersecurity breaches in manufacturing operations has led to directives to the CISO to lead risk assessment and mitigation at the plant level as well as the enterprise level. That leads directly to working with plant operations people.
More data is flowing around manufacturing, and many of the devices coming online cannot run endpoint agents, which increases the attack surface. This has raised awareness of the increased risk, including at board level. There have also been some significant cyber attacks: the Norsk Hydro ransomware attack, which cost perhaps up to $41 million; the NotPetya attack, which spread as ransomware and hit Merck; and the Triton attack on safety instrumented system controllers.
These incidents have alerted boards to the huge risk potential, and boards have responded by directing the CISO to avert such attacks in the future.
As for specifics from CyberX, Neray says it holds the only patent on behavioral anomaly detection, which he says lets its system detect faster and more accurately than its peers in industrial security.
CyberX continuously monitors network traffic looking for anything suspicious or unauthorized. But plant people are often suspicious of IT solutions, believing IT does not understand how critical it is not to shut down a process for a reboot. This is where leadership must step up. Neray notes that this must be both top-down and bottom-up. The board and top management must say, “We want you to prioritize security.” The security team must also spend time in the plant explaining the what and why of the system. Trust is only built through face time.
Sometimes a detection points to an equipment issue rather than malware. One example was a plant where newly installed PLCs were shutting down intermittently. Plant staff called IT: “Did you do something to the network to cause this?” IT looked at the CyberX console and ran the alert reports. They noticed that when the PLCs were installed the network had not been configured correctly, so the PLCs were being pinged far too often. Once that was fixed, the problem went away. The cybersecurity system can thus double as a plant controls troubleshooting aid.
Neray pointed to a report published in late 2019, the Global 2020 IoT/ICS Risk Report, an analysis of real-world vulnerabilities drawn from studies of real production networks. The study pointed out these problems:
BROKEN WINDOWS: OUTDATED OPERATING SYSTEMS
62% of sites have outdated and unsupported Microsoft Windows systems such as Windows XP and Windows 2000. Unsupported Windows systems no longer receive regular security patches from Microsoft. The figure rises to 71% if Windows 7, which reaches end-of-support status in January 2020, is included.
HIDING IN PLAIN SIGHT: UNENCRYPTED PASSWORDS
64% of sites have unencrypted (cleartext) passwords traversing their networks. Cleartext is dangerous because it makes gaining access to restricted systems easy: the passwords are transmitted “in the clear” and can be captured by anyone able to see the traffic. Legacy devices that do not support modern protocols such as SNMPv3 or SFTP, and so still rely on SNMP v1/v2c community strings, FTP, Telnet or HTTP Basic authentication, are usually the culprits.
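As an added illustration of the kind of passive check a network monitor performs for this finding (example code written for this page, not CyberX’s own detection logic), here is a small Python detector that pulls cleartext credentials out of constructed FTP, HTTP Basic and SNMP v1/v2c packets while leaving an SSH session alone. The hosts, ports, usernames and passwords are made up for the example; only the protocol encodings (the FTP PASS command, the base64 Basic header, the BER layout of a community-based SNMP message) are real.

```python
import base64
import re

# Constructed sample packets (src, dst, dst_port, payload); not a real capture.
SAMPLE_PACKETS = [
    ("10.1.20.15", "10.1.20.50", 21, b"USER plc_admin\r\n"),
    ("10.1.20.15", "10.1.20.50", 21, b"PASS Summer2019!\r\n"),
    ("10.1.20.15", "10.1.20.60", 80,
     b"GET /config HTTP/1.1\r\nHost: hmi\r\n"
     b"Authorization: Basic b3BlcmF0b3I6b3BlcmF0b3I=\r\n\r\n"),
    # SNMPv1 GetRequest for sysName.0 with community "public", hand-encoded BER.
    ("10.1.20.15", "10.1.20.70", 161,
     b"\x30\x26\x02\x01\x00\x04\x06public\xa0\x19\x02\x04\x00\x00\x00\x01"
     b"\x02\x01\x00\x02\x01\x00\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01\x05\x00"),
    # SSH banner: the session is encrypted after key exchange, so nothing to flag.
    ("10.1.20.15", "10.1.20.80", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),
]

BASIC_AUTH_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _ber_tlv(buf, pos):
    """Decode one short-form BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long-form lengths do not occur in these small PDUs
        raise ValueError("long-form BER length not supported")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def snmp_community(payload):
    """Return (version, community) for SNMP v1/v2c, or None for v3 or junk."""
    try:
        tag, body, _ = _ber_tlv(payload, 0)
        if tag != 0x30:
            return None
        vtag, vval, nxt = _ber_tlv(body, 0)
        ctag, cval, _ = _ber_tlv(body, nxt)
    except (IndexError, ValueError):
        return None
    version = int.from_bytes(vval, "big")
    # Version 0 is SNMPv1, 1 is SNMPv2c; v3 (3) carries msgGlobalData here instead.
    if vtag != 0x02 or version not in (0, 1) or ctag != 0x04:
        return None
    return ("v1" if version == 0 else "v2c"), cval.decode("ascii", "replace")


def find_cleartext_credentials(packets):
    """Flag credentials sent in the clear. Returns [(protocol, src, dst, secret)]."""
    findings = []
    for src, dst, dport, payload in packets:
        if dport == 21 and payload.upper().startswith(b"PASS "):
            findings.append(("FTP", src, dst, payload[5:].strip().decode(errors="replace")))
        elif dport in (80, 8080):
            m = BASIC_AUTH_RE.search(payload)
            if m:
                creds = base64.b64decode(m.group(1)).decode(errors="replace")
                findings.append(("HTTP Basic", src, dst, creds))
        elif dport == 161:
            parsed = snmp_community(payload)
            if parsed:
                findings.append((f"SNMP{parsed[0]}", src, dst, parsed[1]))
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_PACKETS):
        print(finding)
```

The SNMP branch is the one worth noting: a community string is the whole credential for v1/v2c, and it sits in the second field of every message, so a monitor does not need to reassemble a session to recover it. The FTP and Basic-auth cases are equally simple, which is exactly why these protocols show up in the report.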
EXCESSIVE ACCESS: REMOTELY ACCESSIBLE DEVICES
54% of sites have devices that can be remotely accessed using standard protocols such as RDP, SSH and VNC. Remote access protocols are one of the primary attack vectors for ransomware, and they also let attackers move laterally and expand their presence throughout a network.
CLEAR AND PRESENT DANGER: INDICATORS OF THREATS
22% of sites exhibited indicators of threats. CyberX’s network traffic analysis flags suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, an excessive number of connections between devices, and known malware and exploit tooling such as LockerGoga and EternalBlue.
NOT MINDING THE GAP: DIRECT INTERNET CONNECTIONS
27% of sites analyzed have direct connections to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.
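Three of the findings above (remotely accessible devices, indicators of threats such as scans and excessive connection counts, and direct internet connections) can all be derived from plain flow records without looking at payloads. As an added example that is not part of the report or of CyberX’s product, the Python below runs those three checks over a constructed set of flows; the addresses, ports and thresholds are assumptions for the example, and the thresholds would be tuned per plant in practice.

```python
import ipaddress
from collections import Counter, defaultdict

# Standard ports for the remote-access protocols the report names.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}


def _is_private(ip):
    """True for RFC 1918, loopback and link-local addresses (i.e. not an internet peer)."""
    return ipaddress.ip_address(ip).is_private


def analyze_flows(flows, scan_ports=20, max_conns=50):
    """Return a list of (category, src, dst, detail) findings from flow records.

    flows: iterable of (src_ip, dst_ip, dst_port). scan_ports and max_conns are
    illustrative thresholds, not values from the report.
    """
    findings = []
    ports_seen = defaultdict(set)   # (src, dst) -> distinct destination ports
    conn_count = Counter()          # (src, dst) -> number of flows
    flagged_remote = set()
    flagged_internet = set()

    for src, dst, dport in flows:
        pair = (src, dst)
        ports_seen[pair].add(dport)
        conn_count[pair] += 1

        # Remote-access protocol in use between two devices (flag each pair once).
        if dport in REMOTE_ACCESS_PORTS and pair not in flagged_remote:
            flagged_remote.add(pair)
            findings.append(("remote_access", src, dst, REMOTE_ACCESS_PORTS[dport]))

        # Direct internet connection: either end of the flow is a public address.
        if (not _is_private(src) or not _is_private(dst)) and pair not in flagged_internet:
            flagged_internet.add(pair)
            findings.append(("internet", src, dst, f"port {dport}"))

    # Scan traffic: one source touching many distinct ports on one destination.
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= scan_ports:
            findings.append(("scan", src, dst, f"{len(ports)} distinct ports"))

    # Excessive number of connections between two devices.
    for (src, dst), n in conn_count.items():
        if n >= max_conns:
            findings.append(("excessive_connections", src, dst, f"{n} flows"))

    return findings


# Constructed sample flows (src, dst, dst_port); not a real capture.
SAMPLE_FLOWS = (
    [("10.1.20.99", "10.1.20.50", p) for p in range(1000, 1030)]  # port sweep of a PLC
    + [("10.1.20.15", "10.1.20.50", 502)] * 3                    # engineering station -> PLC (Modbus)
    + [("10.1.20.15", "10.1.20.60", 3389)] * 2                   # RDP to an HMI
    + [("10.1.30.5", "8.8.8.8", 53)]                             # historian talking to the internet
    + [("10.1.20.60", "10.1.20.50", 502)] * 60                   # HMI hammering the PLC
)


if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS):
        print(finding)
```

On the sample data this yields one finding of each kind: the sweep, the RDP session to the HMI, the historian’s public DNS lookup, and the HMI that opens 60 connections to one PLC. The last case is the same pattern as the mis-configured-network story above: an excessive-connections alert is often a plant engineering problem, not an intrusion, so the detail field matters as much as the category.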
STALE SIGNATURES: NO AUTOMATIC AV UPDATES
66% of sites are not automatically updating their Windows systems with the latest antivirus definitions. Antivirus is the first layer of defense against known malware, and missing or stale antivirus is one reason CyberX still finds older malware such as WannaCry and Conficker in IoT/ICS networks.