Thoughts On Apache Security Exploit

One of the more difficult things I do concerns filtering press releases to figure out which are hype and which have some enduring relevance. The first one I received about the Log4J exploit seemed over the top. However, this one appears to have legs. Best practices tell us to take action and be concerned. Following are a number of statements from security leaders. Take note of these.

This from my host platform, Cloudflare, “Last Friday we sent you an email about a zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228). We advised you that Cloudflare had immediately updated our WAF to help protect you against this vulnerability. We also recommended that all organizations that use Log4j immediately update to the newest version to mitigate exploit attacks. The latest version can be found at the Log4j download page.”

Glen Pendley, Deputy CTO at Tenable, “Log4Shell, a critical vulnerability in Apache Log4j, shines a bright light on the risky practice of relying on open-source code libraries to build enterprise-scale applications. Many organizations around the world rely on open-source libraries as a key element in their ability to bring applications to market quickly. Yet, these libraries often stop short of a security-first approach. This dependence on what is effectively a wild, wild west of code libraries will continue to leave organizations vulnerable until time and resources are invested to make them more secure.”

And from Paul Laudanski, Head of Threat Intelligence at Tessian, “The log4j vulnerability has created endless golden opportunities for bad actors – and they know it and are getting creative. What they’re trying to do now is build an arsenal of tools that they can use across the globe for theft and service disruption, especially ahead of the holiday season. DDoS attacks in particular are a top concern, as exploitation could allow bad actors to download, install and then fully control an army of botnets. DDoS operators can then focus on attacks that bring down critical infrastructure – ranging from utilities to power grid – and especially retailers ahead of the holiday season, a time when people are notoriously distracted, tired and more prone to making security mistakes. Couple that with an increase in moratoriums, when no code is released into production, so emergency patches would require a break of that moratorium.

Meanwhile, there’s also the concern that the original CVE will end up generating subsequent CVEs, potentially exponentially multiplying its impact, similarly to the follow-on bugs we saw after SolarWinds. Luckily, log4j only has one in 2021 so far, but I wouldn’t be surprised if other related flaws are found soon. However, it’s worth noting one silver lining: white hats are working tirelessly to train folks on how to identify the vulnerability, so most teams will now be properly educated and informed on the growing threat.”

From the blog of Nozomi Networks, “At the end of last week (Friday, December 10), the cybersecurity world became aware of a new zero-day vulnerability in the Apache Log4j logging utility that has been allowing easy-to-exploit remote code execution (RCE). Coupled with the popularity of this tool, multiple companies and commercial applications have become affected by it. It received a codename Log4Shell. In addition to promptly deploying several protection mechanisms for our customers, Nozomi Networks set up a honeypot to monitor the situation and became aware of all potential global scans and exploitation attempts.”

“Apache quickly categorized the vulnerability as critical due to the simplicity of the attack and the number of susceptible platforms and systems. All an attacker has to do is send a malicious string that would be logged by the server. Minecraft users were exploiting servers using the chat function, and Twitter users could trigger the exploit by changing their display names, as could iPhone users by changing their phone name. In this post, we provide some technical details related to how malware authors immediately started taking advantage of this vulnerability.”

Further from Amit Yoran, Chairman and CEO, Tenable, “Just as we warned, Log4Shell is unleashing holy hell on businesses everywhere. And the worst is yet to come if organizations don’t take immediate action.

Researchers are already observing ransomware activities as cybercriminals begin utilizing Log4Shell in their playbooks. Let me be clear, these ransomware activities are not going to go away – they will only increase like wildfire thanks in part to this new, perfect payload in the form of Log4Shell. Organizations need to take swift and decisive action as Log4Shell can and will completely undermine your security program.

No vendor’s product is a silver bullet to solve this problem. Eliminating the threat posed by Log4Shell requires hard work and time to understand this vulnerability and how it will morph and evolve over time to bypass protective measures.”
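Cloudflare's notice above tells everyone who ships Log4j to move to the newest release, and the first step in doing that is finding every copy of the library in your inventory. The following is an added example, not code from the original post or from any vendor quoted here: it walks a CycloneDX SBOM (including nested, bundled components), picks out every `log4j-core` entry, and flags any below a required version. The SBOM below is constructed for illustration, and the required version is a placeholder the reader should set from the Log4j download page.

```python
"""Flag Log4j components in a CycloneDX SBOM that fall below a required version.

Added example, not from the original post.  The SBOM is constructed sample data,
and REQUIRED_VERSION is a placeholder to be set from the Log4j download page.
"""
import json
import re
from typing import Iterator

# Placeholder threshold; take the real value from the Log4j download page.
REQUIRED_VERSION = "2.17.1"

# Constructed CycloneDX-style inventory: one outdated top-level log4j-core,
# one current copy bundled inside an application component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "application", "group": "com.example", "name": "app-web",
         "version": "3.2.0",
         "components": [  # nested component: a shaded/bundled dependency
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.17.1"},
         ]},
    ],
})

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]([0-9A-Za-z.]+))?")


def parse_version(text: str) -> tuple:
    """Turn '2.12.2-rc1' into a sortable key.

    Numeric parts are padded to three places so '2.17' == '2.17.0'; a plain
    release sorts after a pre-release of the same number ('2.17.1' > '2.17.1-rc1').
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    suffix = m.group(2) or ""
    return nums, (suffix == "", suffix)


def iter_components(node: dict) -> Iterator[dict]:
    """Yield every component in the BOM, descending into nested components."""
    for comp in node.get("components") or []:
        yield comp
        yield from iter_components(comp)


def find_outdated(sbom_json: str, min_version: str,
                  group: str = "org.apache.logging.log4j",
                  name: str = "log4j-core") -> list:
    """Return findings for each matching component below min_version.

    A component whose version cannot be parsed is reported too, since an
    unknown version needs manual review rather than a silent pass.
    """
    bom = json.loads(sbom_json)
    required = parse_version(min_version)
    findings = []
    for comp in iter_components(bom):
        if comp.get("group") != group or comp.get("name") != name:
            continue
        version = comp.get("version", "")
        try:
            current = parse_version(version) >= required
        except ValueError:
            current = False
        if not current:
            findings.append({"component": f"{group}:{name}",
                             "version": version or "(missing)",
                             "required": min_version})
    return findings


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_SBOM, REQUIRED_VERSION):
        print(f"{f['component']} {f['version']} is below required {f['required']}")
```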

IoT Security in the News

The “Subscribe” link goes to a MailChimp sign-up page. I have stopped using MailChimp due to its obnoxious marketing tactics. WordPress stopped its service of sending a notice of updated posts. I am now using the Web page and email service of Hey, developed by BaseCamp. Please visit world.hey.com/garymintchell to register for the newsletter. There is no tracking or other privacy-invading tech.

Meanwhile, I spoke at the IoT Workshop of the Precision Metalforming Association and MetalForming magazine virtual IoT Experience, with some ideas about the why and how of IoT projects.

Following is news from my IoT and Networking Security folder that has been accumulating since late summer.

Siemens and Zscaler partner on integrated zero trust security solutions for OT/IT

  • Enables secure, on-demand remote access to OT applications and systems
  • Delivers Zero Trust OT/IT security approach for office and production networks
  • Improves plant uptime and efficiency with secure remote access

Siemens and Zscaler are partnering to enable customers to securely access Operational Technology (OT) systems and applications in the production network from the workplace – whether in the office or working remotely. These new capabilities enable users to remotely manage and control quality assurance or diagnose issues.

To ensure that the OT network is not exposed to any increased threat potential, Siemens and Zscaler have expanded the “Defense-in-Depth” OT concept secured by a Zero Trust Architecture. Based on the principle of “least-privilege access”, Zero Trust only authorizes application-specific access based on verified user identity and context. In combination with the existing OT security mechanisms, such as cell protection firewalls, this allows implementation of a granular access concept.

In addition, production requirements for availability and real-time capabilities continue to be met. This is operationalized by installing the app connector for the cloud-based remote access service Zscaler Private Access (ZPA) in a Docker container on the Siemens Scalance LPE local processing platform, thus creating an access solution for industrial environments. Centralized management in the Zscaler Zero Trust Exchange cloud platform and the use of outbound connections facilitate more restrictive configuration of existing firewall rules, and the reduction of operating costs for administration and monitoring. Existing legacy systems can also be easily retrofitted with the Zero Trust Exchange solution. This offering is now available to customers through Zscaler and Siemens.

Context

Industrial networks mainly use a protection concept in which the system is subdivided into separate production cells. Each of these cells is individually protected by appropriate measures, such as a cell protection firewall. In office networks, the Zero Trust concept is steadily gaining traction, with all participants, users and devices first having to prove their identity and integrity before communication with a target resource can take place.

Open Source Security Foundation Raises $10 Million in New Commitments to Secure Software Supply Chains

The Linux Foundation https://www.linuxfoundation.org/, the nonprofit organization enabling mass innovation through open source, announced it has raised $9 million in new investments to expand and support the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together multiple open source software initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. Open source luminary Brian Behlendorf will serve the OpenSSF community as General Manager.

Financial commitments from Premier members include Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk and VMware. Additional commitments come from General members Anchore, Apiiro, AuriStar, Deepfence, Devgistics, GitLab, Nutanix, TideLift and Wind River.

According to industry reports (“2021 State of the Software Supply Chain,” by Sonatype), software supply chain attacks have increased 650 percent and are having a severe impact on business operations. In the wake of increasing security breaches, ransomware attacks and other cybercrimes tied to open source software, government leaders around the world are calling for private and public collaboration. Because open source software makes up at least 70 percent of all software (“2020 Open Source Security and Risk Analysis Report” by Synopsys), the OpenSSF offers the natural, neutral and pan-industry forum to accelerate the security of the software supply chain.

The OpenSSF is home for a variety of open source software, open standards and other open content work for improving security. Examples include:
● Security Scorecard https://github.com/ossf/scorecard – a fully automated tool that assesses a number of important heuristics (“checks”) associated with software security
● Best Practices Badge https://bestpractices.coreinfrastructure.org/ – a set of Core Infrastructure Initiative best practices for producing higher-quality secure software providing a way for OSS projects to demonstrate through badges that they are following them
● Security Policies – Allstar https://github.com/ossf/allstar provides a way to set and enforce security policies on repositories or organizations
● Framework – Supply-chain Levels for Software Artifacts (SLSA) https://slsa.dev/ delivers a security framework for increasing levels of software supply chain integrity
● Training – free secure software development fundamentals courses https://openssf.org/training/courses/ educating community members on how to develop secure software
● Vulnerability Disclosures – a guide to coordinated vulnerability disclosure for OSS projects https://github.com/ossf/oss-vulnerability-guide
● Package Analysis https://github.com/ossf/package-analysis – look for malicious software in OSS packages
● Security Reviews https://github.com/ossf/security-reviews – public collection of security reviews of OSS
● Research – studies on open source software and critical security vulnerabilities conducted in association with the Laboratory for Innovation Science at Harvard (LISH) (e.g., a preliminary census and FOSS Contributor Survey).

For more information about OpenSSF, click here.

Dell Technologies:
“The Linux Foundation’s focus on security is fundamental to addressing the increasing risks associated with software,” said John Roese, Dell Technologies’ Global Chief Technology Officer. “The Open Source Security Foundation’s work will help us collectively make sure critical software programs and the end to end software delivery pipeline is secure and trustworthy.”

Fidelity
“Open Source Software plays a critical role in Fidelity’s technology strategy. We are proud to be part of the Open Source Security Foundation and to work with others to ensure that Open Source solutions and their supply chains are safe, secure, and reliable, enabling Fidelity to better serve our customers and clients,” said John Andrukonis, SVP, Fidelity Application Architecture.

Intel
“As a long-standing member of the open source software community, Intel contributes daily in the upstream projects we collaborate with,” said Greg Lavender, senior vice president, CTO and general manager of Software and Advanced Technology at Intel Corporation. “Along with the Linux Foundation, we believe the Open Security Foundation (OpenSSF) is a unique opportunity to engage in projects and efforts focused on improving the quality and security for today and our future. Intel remains committed to providing contributions that benefit open source software supply chains and improving the security posture of critical projects on which our ecosystem depends.”

JPMorgan Chase
“JPMorgan Chase is deeply committed to working with the open source community to solve our most pressing security challenges. As a founding member of the Open Source Security Foundation, we have worked together to improve the security of open source and the integrity of all software. We commend the US Government’s recent initiative to raise awareness on this pressing topic and call to action the technology community to solve one of the most complex security challenges of our time. We welcome the new members to OpenSSF and look forward to continuing the journey of innovation and bringing meaningful change to how we build, secure, and validate software,” said Pat Opet, Chief Information Security Officer, JPMorgan Chase & Co.

Microsoft
“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own. All of us at Microsoft are excited to participate with others in contributing new investments to the Open Source Security Foundation and we look forward to building more secure software through community-driven efforts to create solutions that will help us all,” said Mark Russinovich, Azure CTO and Technical Fellow, Microsoft.

Snyk
“Open source is built by millions of empowered developers, who also need to secure this critical foundation of the digital world,” said Guy Podjarny, Founder & President, Snyk. “The vital work of the Linux Foundation and the OpenSSF ensures we collectively live up to this responsibility. The Snyk community is fully committed to this important, collaborative effort and we look forward to working closely with the other OpenSSF members to better secure OSS so it can continue to safely fuel innovation.”

VMware
“Every company that uses software should be concerned about their software supply chain,” said Kit Colbert, chief technology officer, VMware. “For two-plus years, VMware has engaged in contributions to open source projects in the broader software supply chain security space and invested in initiatives to help customers further strengthen their security policies and processes. As a member of the Open Source Security Foundation, we’re committed to collaborating across the industry to drive increased level of software supply chain security.”

BlackBerry and Deloitte Join Forces to Secure IoT Software Supply Chains

BlackBerry Limited https://www.blackberry.com/us/en and Deloitte https://www2.deloitte.com/ca/en.html announced the two organizations are teaming up to help OEMs and those building mission-critical applications secure their software supply chains. 

As part of the agreement, Deloitte will leverage BlackBerry’s flagship software composition analysis tool, BlackBerry Jarvis https://blackberry.qnx.com/en/software-solutions/blackberry-jarvis to provide Open-source Software (OSS), Common Vulnerabilities and Exposures (CVE) and Software Bill of Materials (SBOM) analysis on behalf of their clients across the medical, automotive and aerospace industries, empowering them to keep software safe and secure based on the actionable intelligence the platform provides.

A G7 Transportation Ministry has selected the companies’ joint software and services offering to ensure the security of its traffic management and broader transportation infrastructure. 

Designed to address the increasing complexity and growing cybersecurity threats among multi-tiered software supply chains, BlackBerry Jarvis empowers OEMs to inspect the provenance of their code and every single software asset that comes into their overall supply chains to ensure their products are both secure and updated with the most recent security patches. 

BlackBerry Jarvis addresses the need to identify and remediate vulnerabilities by identifying them and then providing deep actionable insights in minutes – something that would otherwise involve manual scanning that would take large numbers of experts and an impractical amount of time.

For more information on BlackBerry Jarvis please visit BlackBerry.com/Jarvis


Cultural IT and OT Divide Blocks Many a Unified Cybersecurity Strategy

Cybersecurity is one place where the great divide between IT professionals and operations technology professionals has shrunk over the past several years. Proactive management and increasing technological overlap combined to promote understanding. This report is based on a survey of more than 600 professionals. I asked Dragos CISO Steve Applegate what stood out in the report. After all, some, but not all, of these items seemed common sense.

He told me he was surprised at the size of the breaches reported. And one could add in more items such as loss of sales and increase the number further. I asked about the famous IT/OT divide. He said that it appears to be more misunderstanding than hostility. For example, risk assessments. Corporate IT people may not realize what things in the plant might hold greater risk. Likewise, operations people may not have calculated the real risk of an intrusion. Collaboration between the two can result in better defenses.

One last nugget of awareness from Steve. Note that only 20% said that their company had regular reports to the Board on status of cybersecurity. That is something that management or an aware board member must take steps to remedy across the board.

Full Release

Dragos, Inc., the global leader in cybersecurity for industrial control systems (ICS)/operational technology (OT) environments, released “The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT & OT Teams” report from the Ponemon Institute. The new annual report found only 21% of organizations have achieved full maturity of their ICS/OT cybersecurity program, in which emerging threats drive priority actions and C-level executives and the board are regularly informed about the state of their OT security.

As the frequency and severity of attacks increase, organizations are struggling to keep ahead of these threats, according to the survey of 603 IT, IT security, and OT security practitioners at the managerial, director, and C-level. The report finds that 63% of organizations had an ICS/OT cybersecurity incident in the past two years, and it took an average of 316 days to detect, investigate and remediate the incident. Digital transformation and trends in Industrial Internet of Things (IIoT) have greatly expanded cyber risk to the OT and ICS environment according to 61% of respondents who either agree or strongly agree.

The study reveals a cultural divide between IT and OT teams that affects the ability to secure both the IT and the ICS/OT environment. Only 43% of organizations have cybersecurity policies and procedures that are aligned with their ICS and OT security objectives. Thirty-nine percent have IT and OT teams that work together cohesively to achieve a mature security posture across both environments. Just 35% have a unified security strategy that secures both the IT and OT environments, despite the need for different controls and priorities.

“Most organizations lack the IT/OT governance framework needed to drive a unified security strategy, and that begins with the lack of OT-specific cybersecurity expertise in the organization,” said Steve Applegate, Chief Information Security Officer, Dragos, Inc. “Bridging the cultural divide between IT and OT teams is a significant challenge. But organizations must not fall into the trap of thinking that OT can just be tacked onto an existing IT program or managed under a general IT umbrella. There are fundamental differences between the problems and goals of a corporate IT environment—data safety and security—and industrial environments, where human health and safety, loss of physical production, and facility shutdowns are real risks. Deep domain expertise as well as ICS/OT-specific technologies are both required to truly safeguard industrial systems.”

“A majority of C-level executives and boards of directors are uninformed about the efficiency, effectiveness and security of their ICS/OT cybersecurity programs,” said Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute. “If the board isn’t keenly aware of the impact a cybersecurity incident would have on the bottom line, securing the appropriate amount of budget for OT programs is much more difficult. As evidenced by the report, this stems from a lack of clear ownership for ICS/OT risk and who reports that to the board between engineering, IT, and CISOs.”

Cultural differences, technical barriers, and lack of clear ownership are primary challenges for OT and IT collaboration

The findings of the report suggest that misunderstanding between the groups, rather than conflict, is the significant issue. Only 32% cite competition between IT and OT for budget dollars and new security projects and only 27% have difficulty in converging security teams across IT and OT as an enterprise-wide security program.

Half of respondents state that cultural differences between engineers, security professionals, and IT staff are the main challenge.

44% say there are problematic technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of industrial automation equipment vendors.

43% of respondents say there is a lack of clear “ownership” on industrial cyber risk and uncertainty around who leads the initiative, implements the controls and supports the program.

The risks created by the cultural divide between the IT and OT teams

The level of cybersecurity maturity for ICS/OT is inadequate to meet today’s challenges. Only 21% of respondents say their ICS/OT program activities have achieved full maturity, where emerging threats drive priority actions and C-level executives and the board of directors are regularly informed about the state of their program. Half of organizations are in the early and middle stages, while the remaining 29% are late-middle stage.

C-level executives and the board of directors are not regularly informed about the efficiency, effectiveness, and security of the program. Only 35% of respondents say someone responsible for ICS and OT cybersecurity reports IT and cybersecurity initiatives to the board of directors. Of these respondents, 41% say such reporting takes place only when a security incident occurs.

Many senior managers lack awareness of the risks and threats to the OT and ICS environments, resulting in inadequate resource allocation to manage risk. Less than half (48%) of respondents say their organizations understand the unique cyber risks and have specific security processes and policies for OT and ICS environments. Only 43% of respondents say senior management understands the cyber risks and provides enough resources to defend OT and ICS environments.

Reporting relationships and accountability for OT security are not properly structured and become deterrents to investing in OT and ICS. Fifty-six percent of respondents say the reason for blocking investments is that OT security is managed by the engineering department which does not have security expertise, and 53% of respondents say OT security is managed by an IT department without engineering expertise. Only 12% of respondents say the CISO is most accountable for the security of the ICS/OT program.

Consequences of an OT cybersecurity incident

The loss of confidence in the system was the number one consequence of a cybersecurity incident, reported by 54%, followed by sustained process inefficiency (49%), and loss of control availability (47%). Additional consequences include:

  • Loss of visibility in the physical process; 41%
  • Loss of revenues; 40%
  • Loss of public confidence; 32%
  • Unintended, catastrophic process failures; 30%

Despite the challenges, organizations are focused on making investments to improve the cybersecurity posture of ICS and OT environments. Investments in areas that assess weaknesses in the security posture of OT environments are the top priority according to 60% of respondents. Contributing to the security posture is gathering threat intelligence specific to their industry, ICS and OT devices, and geography, (56%), and hiring experts in OT and ICS cybersecurity (49%).

Ponemon study methodology

The Ponemon Institute surveyed 603 IT, IT security and OT security practitioners at the C-level, managerial and director level in the United States. All are familiar with cybersecurity initiatives and ICS and OT security practices in their organizations.

The full Ponemon Institute report, “2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT & OT Teams,” is available for download from Dragos here.

The State of Ransomware in Manufacturing and Production 2021

Along with market research, I have also been flooded with every security firm’s research, especially on ransomware. This one, just in from Sophos and written by Sally Adam, contains information more positive about our market sector than the usual scare tactics I see.

Our [Sophos] new report The State of Ransomware in Manufacturing and Production 2021 reveals that companies in this sector are the least likely to submit to a ransom demand and the most likely to restore encrypted data from backups of all industries surveyed. Just 19% of organizations whose data was encrypted paid attackers to decrypt their files, compared to a global average of 32%.

The report is based on the findings from an independent survey of 5,400 IT decision makers, including 438 in the manufacturing and production sector, conducted at the start of 2021.

Overall, 36% of the manufacturing and production organizations surveyed were hit by ransomware last year which is in line with the global average of 37%. Fortunately for this sector, 68% of those whose data was encrypted were able to restore it using backups, a rate considerably above the global average (57%). This high ability to restore data from backups enables many companies to refuse attacker demands, resulting in the low ransom payment rate.

Chester Wisniewski, principal research scientist at Sophos, advises that “backups are vital, but they cannot protect against this risk, so manufacturing and production businesses should not rely on them as an anti-extortion defense. Organizations need to extend their anti-ransomware defenses by combining technology with human-led threat hunting to neutralize today’s advanced human-led cyberattacks.”

OK, So There Is a Small Scare Tactic

While manufacturing and production companies show good resilience in the face of ransomware, the survey revealed that they have the highest expectation of a future attack of all sectors. Of the respondents not hit by ransomware last year, 77% expect to be hit in the future. The sophistication and prevalence of ransomware are the key factors driving this concern.

A sector heavily impacted by the pandemic

IT teams in manufacturing and production were severely affected by the challenges of 2020. This sector was the least likely to experience a decrease in cybersecurity workload over 2020: just 7% said their cyber workload had decreased, vs. a global average of 13%. It also had the fewest respondents who saw improved response time to IT cases (15% vs. a global average of 20%). The silver lining is that cyber skills also increased, with 71% of respondents saying their team’s ability to further develop cybersecurity knowledge and skills increased over 2020.

Learn more

Download the full report to explore the reality of ransomware in manufacturing and production. It also includes recommendations from Sophos experts to minimize the impact of ransomware in future.

Bedrock ICS Proxy Solution Helping Utility Transition to Cyber Secure Automation

Cybersecurity has been a frequent topic lately at The Manufacturing Connection. Bedrock Automation founders built on a secure chip set as a foundation for an Industrial Control System (ICS) that is secure in many ways. Founder and CEO Albert Rooyakkers has devoted hours explaining the details and nuances of the many ways the product is nearly invincible. (He would take issue with my qualifying word.) This case study offers a few details about a utility bolstering its defense with an upgrade to Bedrock control platform.

A Colorado utility is transitioning legacy PLCs and RTUs to the intrinsically secure Bedrock OSA (Open Secure Automation) platform. The transition is part of a multi-year automation upgrade plan, which utility management saw as an opportunity to deepen its cyber security protection while also modernizing its controls. 

“Like most other public utilities, we must adapt to an ever-changing world and that includes cyber security. We’ve always had robust physical security and required usernames and passwords for access to critical systems and controls, but we saw the world around us changing quickly. Many of today’s automation technologies are not as secure as they could be because they were developed long before security was a major issue in the industry. Most of the security added to them was an afterthought,” said Shay Geisler, I&C Administrator for Colorado’s East Cherry Creek Valley (ECCV) Water & Sanitation District.

ECCV’s legacy control architecture involved SCADA software that is housed on a dedicated Windows desktop or server along with a communications driver, in this case, an OPC Server that speaks to the PLCs via legacy protocols. Each ECCV upgrade target was using two PLCs to concentrate field data for use by the plant SCADA system, which had also been upgraded to a more secure version. 

“We knew security could not be limited to the SCADA software only. There were too many downstream systems and assets that, if left untouched, would present a huge vulnerability. We determined that the vast majority of these potential vulnerabilities could be solved by addressing the PLC and SCADA communications system,” said Geisler. 

Securing SCADA and control networks

Geisler and his team concluded that the most secure and cost-effective approach would be to connect the SCADA network and control networks with a secure communications channel. Fully implementing this, however, would have required ripping and replacing their entire system immediately, which would have been costly and required significant disruption. Instead, working with automation supplier Process Control Dynamics and system consultant RSI Company, they adopted a phased-in approach using secure Bedrock OSA Remote control units as proxy servers to enable transition ultimately to a full Bedrock platform.

“We are slowly upgrading the remote sites that have been serviced by legacy data concentrators, one-by-one as we convert each to use the secure Bedrock controller. The new controllers at the remote sites bypass the legacy concentrators and now report directly to the Bedrock proxy.  Once all sites are converted, we will remove the legacy concentrators,” said Russ Ropken, with RSI Company, the system integrator who developed the architecture that enabled the seamless transition.

The ultimate result is secure, certificate-based communications from the SCADA software down to the remote PLCs/RTUs. Once the transition is complete, the Bedrock OSA Remote proxy units will switch over to a peer-to-peer network of scalable, secure Bedrock control units connected by an encrypted radio network.

ECCV already has field data running through 12 of its target sites, with some 74 left to go. For more details, including the architecture of each phase, download the case history here.


ICS Cybersecurity Threats Continue to Rise—Severity Reaches All-Time High

This reminds me of other technologies I’ve seen transition from few users to industry standard seemingly overnight. This latest survey from Nozomi Networks and SANS Institute finds industrial organizations are leveraging the cloud as they mature cybersecurity defenses and prioritize control system reliability. However, threats remain high and are growing in severity. In response, a growing majority of organizations have significantly matured their security postures since the last SANS OT/ICS survey in 2019. From the report: In spite of the progress, almost half (48%) don’t know whether their organizations had been compromised. The Nozomi Networks-sponsored survey echoes Nozomi Networks’ own experiences with customers worldwide.

“It’s concerning to see that nearly half of this year’s survey respondents don’t know if they’ve been attacked when visibility and detection solutions are readily available to provide that awareness,” said Nozomi Networks Co-founder and CPO Andrea Carcano. “Threats may be increasing in severity, but new technologies and frameworks for defeating them are available and the survey found that more organizations are proactively using them. Still, there’s work to be done. We encourage others to adopt a post-breach mindset pre-breach and strengthen their security and operational resiliency before an attack.”

Cyber threats to OT environments continue to rise and threat severity is at an all-time high.

  • Most respondents (69.8%) rated the risk to their OT environment as high or severe (up from 51.2% in 2019).
  • Ransomware and financially motivated cybercrimes topped the list of threat vectors (54.2%) followed by nation-state sponsored cyberattacks (43.1%). Unprotected devices and things added to the network came in third (cited by 31.3% of survey respondents).
  • Of the 15% of survey respondents who indicated they had experienced a breach in the last 12 months, a concerning 18.4% said the engineering workstation was an initial infection vector.
  • Nearly half of all respondents (48%) did not know whether their organizations had been compromised and only 12% were confident that they hadn’t had an incident.
  • In general, external connections are the dominant access vector (49%) with remote access services identified as the most prevalent reported initial access vector for incidents (36.7%).

This year’s survey found most organizations are taking ICS threats seriously and making solid progress in maturing their security postures to address them. Over the last two years organizations have improved monitoring and threat intelligence capabilities. They are moving away from traditional indicator-based defense capabilities and moving toward threat hunting and hypothesis-based security models. They’re also focusing on data loss prevention.

  • 47% say their control system security budget increased over the past two years.
  • Almost 70% have a monitoring program in place for OT security.
  • 51% say they are now detecting compromises within the first 24 hours of an incident. The majority say they move from detection to containment within 6 to 24 hours.
  • 9% have conducted a security audit of their OT/control systems or networks in the past year and almost a third (29.5%) have now implemented a continual assessment program.
  • 50% say they have vendor-provided ICS-specific threat intelligence feeds and there is less reliance (36%) on IT threat intelligence providers.
  • OT SOC adoption is up by a sharp 11% from 2019 to 2021, reinforcing the shift away from traditional indicator-based defense capabilities and toward a threat hunting and hypothesis-based security model.
  • Data loss prevention technologies also saw a sharp increase in deployment (11%).
  • As process reliability becomes a top concern, 34% say they’re implementing zero-trust principles and an additional 31% say they plan to.

ICS is Getting Cloudy

Adoption of cloud-native technologies and services transformed the IT industry. This year’s survey found similar impacts are also beginning to be felt in the OT environment.

  • 1% of all survey respondents indicate they are using some cloud-based services for OT/ICS systems.
  • Almost all (91%) are using cloud technologies to directly support ICS operations (combining remote monitoring, configuration and analysis; cloud services supporting OT; and remote control/logic).
  • All respondents using cloud technologies are using cloud services for at least one type of cybersecurity function (company NOC/SOC, business continuity and MSSP support).
  • Respondents consider cloud assets relatively secure, with only 13% of responses classifying them as risky.

To learn more about the latest trends in OT/ICS cybersecurity:

• Download A SANS 2021 Survey: OT/ICS Cybersecurity

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)

Here are a few responses to questions about the report:

1. What were the most surprising things you found in the report?

Chris Grove – Technology Evangelist – Nozomi Networks

Positive: It was a pleasant surprise to see that a large group of respondents (40.1%) have embraced cloud-based services. It’s a trend that Nozomi Networks has seen in the field and one that we have responded to with our own cloud-based security offerings. As industrial and critical infrastructure organizations embrace IoT and converge their OT and IT efforts, they must be able to protect thousands of devices quickly and cost-effectively from threats in real time and ensure ongoing operational resilience. Cloud-based technologies make that possible. It’s also encouraging to see the majority are confident in the security of their cloud assets. We believe ICS organizations will continue to adopt cloud technologies and the adoption of cloud-based security solutions will grow significantly over the next few years.

Negative: It’s alarming to see that detection and response is still a significant issue for organizations. In fact, the problem seems to have grown since the previous survey (48% of survey participants did not know whether they’d had an incident vs. 42% in 2019). Solutions are available to address this problem and adopting them should be a top priority. 

Mark Bristow – Author – A SANS 2021 Survey: OT/ICS Cybersecurity

I found three things particularly striking in the report results.

  • The level of adoption of cloud technologies for operational outcomes was striking. Two years ago, cloud adoption was not being seriously discussed and now 49% are using it.

  • Incident visibility and confidence are not high. 48% of respondents could not attest that they didn’t have an incident. A further 90% of these incidents had some level of operational impact.

  • 18% of incidents involved the engineering workstation. This is a critical piece of equipment and having this involved in so many incidents is troubling.

2. What are three things you think ICS operators need to focus on moving forward to protect themselves?

Chris Grove, Nozomi Networks: Considering ransomware is such a pervasive issue, it might be a first concern for many operators. Starting off with some tabletop exercises, operators would be able to identify areas where improvements can be made. Typically, one area that gets highlighted is the need for a systematic risk assessment that details likely points of entry and identifies ways to harden the target. Sometimes this is in the form of patching, network segmentation, policies, procedures, etc. In almost all cases, increased visibility makes everything easier to manage. From having a detailed asset inventory, to monitoring network traffic patterns, to inspecting traffic for attacks or operational anomalies... visibility is a crucial component of successfully defending operations. Finally, the third and final thing that operators should consider is consequence reduction. As part of a post-breach mindset, operators should consider the fact that eventually the attackers will breach the perimeter, and one should be prepared for that day. How do we limit the blast radius of the attack? How do we hold them at bay, and subsequently eradicate them from the system? How do we carefully maintain, safely shut down, or restore operations potentially affected by the breach? These are tough questions to be asked before that day comes.

Mark Bristow, SANS: 

  • It’s great that we now have monitoring programs in place, but we are still mostly looking at the IT aspects of our OT environments. We need to be correlating our IT and OT security telemetry as well as process data to truly understand potential impacts to safety and operations.

  • Focus on fundamentals. Too many respondents do not have a formal program for asset identification and inventory. Without this foundational step, further security investments may be invalid or misplaced.

  • Ransomware is a huge risk, but it’s not one that is specifically targeting ICS. A malicious actor who is specifically targeting your ICS environment will not be as blunt or noisy as ransomware is, and we are struggling to defend against ransomware.
