Chris Grove, security strategist for industrial control systems (ICS) for Nozomi Networks Labs, recently talked with me about the latest research they’ve conducted. The important takeaways concern the rise of ransomware, increased targeting of industrial control systems, and (surprisingly to me) vulnerability of networked security cameras.
The report finds attacks are driven largely by the emergence of Ransomware as a Service (RaaS) gangs that are cashing in on critical infrastructure organizations. Analysis of rising ICS vulnerabilities found critical manufacturing was the most susceptible industry, while a deep dive into IoT security cameras highlights how quickly the attack surface is expanding.
“Colonial Pipeline, JBS and the latest Kaseya software supply chain attack are painful lessons that the threat of ransom attacks is real,” said Nozomi Networks Co-founder and CTO Moreno Carullo. “Security professionals must be armed with network security and visibility solutions that incorporate real-time threat intelligence and make it possible to quickly respond with actionable recommendations and plans. Understanding how these criminal organizations work and anticipating future vulnerabilities is critical as they defend against this unfortunate new normal.”
Nozomi Networks’ latest “OT/IoT Security Report” gives cybersecurity professionals an overview of the OT and IoT threats analyzed by the Nozomi Networks Labs security research team. The report found:
- Ransomware attacks rose 116% between January and May of 2021.
- Average ransom grew 43% to $220,298, with payments expected to reach $20 billion this year.
- Analysis of DarkSide, REvil and Ryuk highlights the growing dominance of RaaS models.
- REvil set a new record for ransom demands, surpassing $50 million. The infamous RaaS also successfully executed a supply chain attack, a tactic typically only seen from sophisticated nation-state actors.
- ICS-CERT vulnerabilities increased 44% in the first half of 2021.
- Vulnerabilities in the critical manufacturing sector rose 148%.
- The top 3 industries affected included critical manufacturing, a grouping identified as multiple industries, and the energy sector.
- Software supply chain-related vulnerabilities continue to surface, as do medical device vulnerabilities.
- With more than a billion CCTV cameras expected to be in production globally this year, insecure IoT security cameras are a growing concern. The report includes an analysis of the Verkada breach and of security vulnerabilities in Reolink cameras and ThroughTek software discovered by Nozomi Networks Labs.
“As industrial organizations embrace digital transformation, those with a wait-and-see mindset are learning the hard way that they weren’t prepared for an attack,” said Nozomi Networks CEO Edgard Capdevielle. “Threats may be on the rise, but technologies and practices to defeat them are available now. We encourage organizations to adopt a post-breach mindset pre-breach and strengthen their security and operational resiliency before it’s too late.”
While I am on a cybersecurity marathon today, here is information about a round table discussion I watched last week. Long-time acquaintance and cybersecurity guru Eric Byres drew my attention. And the event was hosted by old friend Greg Hale of ISSSource. To be honest, I’d never heard of Red Balloon. This was the more intriguing of the press releases I received regarding Biden’s Executive Order on security.
This reminds me, though, of a comment in the history of JFK’s presidency by Arthur Schlesinger, Jr., “A Thousand Days”, which I read at university. Kennedy issued an executive order and commiserated with Schlesinger about how nothing really happened because of it. Yep, that’s the way government works. But there is the power of setting the agenda and priorities.
Embedded system cybersecurity provider, Red Balloon Security, and ISSSource.com are teaming up to host a discussion on the effects of industrial security incidents and the Biden Administration’s Executive Order on embedded device security.
With all the ransomware incidents in the news lately, the attention of the industry has focused on the effects on industrial control systems. However, one area that has been overlooked is the critical role embedded devices play. A panel of experts will discuss why embedded devices are critical, what the current state of security is and if the current focus and the executive order are specific enough to drive improvements.
Members of the panel include Ang Cui, Chief Executive at Red Balloon Security and embedded device expert; Eric Byres, Chief Executive at aDolus, a software bill of materials (SBOM) provider for the ICS/OT sector; Ian Crone, former DARPA/I2O Program Manager; and Enrique Salem, Managing Director at Bain Capital Ventures and former Chief Executive of Symantec. The panel will be moderated by Gregory Hale, Editor and Founder of Industrial Safety and Security Source (ISSSource.com).
The webcast will be June 30 at 4 p.m. Eastern time.
While I’m on a cybersecurity kick today, following is a news release from Hexagon, which acquired PAS Global a few months ago. PAS had brought a holistic, enterprise-wide view of risk analytics to its OT cybersecurity solution to drive remediation efforts. News release follows.
PAS Global, part of Hexagon, announced the availability of Cyber Integrity 7.2, a leap forward in visualizing, comprehending, and directing resources to mitigate vulnerability risk. As the cyber risk for critical infrastructure and process industries continues to escalate, with recent attacks including the JBS cyberattack impacting OT environments, and with 65,000 ransomware attacks against the country’s infrastructure in 2020 alone, there has never been a more important time to safeguard these systems.
Within just a few clicks, Cyber Integrity 7.2 enables users to rapidly identify the highest-risk assets, prioritize and select a remediation method while deploying remediation assets, and adhere to best practices with closed-loop documentation. Cyber Integrity 7.2 provides the following capabilities:
● Reduces the attack surface and quickly conducts remediations in the order that reduces the greatest risk.
● Develops an enterprise-wide, holistic picture of vulnerability risk and enables enhanced risk-based decision-making.
● Maintains situational awareness of the attack surface and of vulnerability severity, aging and propagation paths as they relate to known weaknesses in the infrastructure.
● Rapidly identifies locations in the environment with the highest number of vulnerabilities while simultaneously considering the patch level of the various assets.
● Instantly reviews meaningful and actionable data regarding the patches and upgrade paths that provide the highest value.
“We are excited to launch Cyber Integrity 7.2 to provide the industry’s best situational awareness and rapid remediation of vulnerabilities,” said Scott Plunkett, Senior Product Owner, Cyber, Hexagon’s PPM division. “While we could previously show vulnerabilities en masse, this version provides much more direction for customers by rapidly uncovering the most critical problems, easily prioritizing those problems and offering automated selection of the most efficacious route to remediation.”
“This is another excellent example from PAS of the practical application of analytics that enable end users to make better decisions about how to address the most pressing and impactful vulnerabilities at the OT level. OT is unique because it incorporates such a diverse range of systems and assets, from decades-old control system platforms to brand new IoT-based systems, containers, and cloud computing. This makes it even harder for end users to achieve a truly holistic view of cyber risk. PAS brings the OT level knowledge to the table to make the holistic view possible, enabling users to make good, actionable decisions to reduce risk quickly across multiple sites,” said Larry O’Brien, Vice President of Research at ARC Advisory Group.
Cyber Integrity 7.2 will be available to new and existing partners today at little to no additional deployment cost. A demo video is available for more information.
This survey reveals that most end users in the industry lack awareness of many basic cybersecurity issues. I told the marketing person, “I’m hardly surprised.” But a little data is useful confirmation. Take a hint (although readers of this blog are probably not the problem on either side of the issue).
The news release follows. Note that the many superlatives come from Armis marketing, not me or independent studies.
Armis, the leading unified asset visibility and security platform provider, today released new data uncovering the lack of knowledge and general awareness of major cyberattacks on critical infrastructure and the lack of understanding of security hygiene. The survey of over 2,000 respondents from across the United States found that end users are not paying attention to the major cybersecurity attacks plaguing operational technology and critical infrastructure across the country, signaling the importance of businesses prioritizing a focus on security as employees return to the office. In the past year, 65,000 ransomware attacks occurred in the United States, approximately 7 attacks per hour, a rate that is expected to continue to rise. As the U.S. looks at its vulnerable industries, the responsibility is falling on businesses to ensure that they are keeping the organization and employees safe and secure.
From the Colonial Pipeline attack shutting down services, to the Florida Water Facility hack endangering the water supply, to the ransomware attack on JBS, which could raise meat prices and also restrict access to necessary nutrients in developing countries — the impact of cyber attacks on our critical infrastructure has been evident. We’ve also seen ransomware hit healthcare in a major way, with attacks on Scripps Health’s technology systems and a chain of Las Vegas hospitals. Despite the spotlight on these attacks, the data shows that many consumers are simply not taking notice — and the responsibility of security falls on the businesses themselves.
As the risk of attack continues to rise, and businesses move toward a hybrid in-office/work from home model, it is imperative that businesses are considering security and ensuring the proper policies and protections are in place. Thinking critically about security early on, and weaving it into your company’s everyday practices, can be the difference-maker as employees return to the office.
“The attacks on our critical infrastructure are clear evidence of the need for cybersecurity and assurance to all our utility providers and players,” said Curtis Simpson, CISO at Armis. “It is also an unfortunate example of the huge vulnerability of an aging infrastructure that has been connected, directly or indirectly, to the internet. Organizations must be able to know what they have, track behavior, identify threats, and immediately take action to protect the safety and security of their operations. This data shows that there is less consumer attention on these attacks than we might expect, and so that responsibility falls to businesses to shore up their defenses.”
Key Findings of the Survey include:
● Education and Awareness Of Cyberattacks Is Still Lacking: Despite these major attacks making headlines on the national stage, respondents showed a lack of awareness of these attacks and their impact on consumers and businesses. Over 21% of respondents have not even heard about the cyberattack on the largest U.S. fuel pipeline, and almost half (45%) of working Americans did not hear about the attempted tampering of Florida’s water supply.
● The Severity Of The Attacks Is Not Sticking: Despite the complete shutdown of the Colonial Pipeline following the attack, and the halting of production at JBS, consumers don’t see the lasting effects of these attacks. 24% of respondents believe that the Colonial Pipeline attack will not have any long-lasting effects on the U.S. fuel industry.
● Healthcare Could be The Next Frontier For Hackers: According to a commissioned study conducted by Forrester Consulting on behalf of Armis, 63% of healthcare delivery organizations have experienced a security incident related to unmanaged and IoT devices over the past two years. Yet today’s data shows that when it comes to device security, over 60% of healthcare employees believe that their personal devices do not pose any security threat to their organization. What’s more, 26% said that their companies do not have any policies in place to secure both work and personal devices.
● Employees are Putting Businesses at Risk Through Devices: As COVID restrictions begin to lighten, enterprises are starting to talk about the return to the office, but as we go back, businesses need to be thinking about overall enterprise security, especially as employees have expressed their intention to continue some potentially risky habits. The data shows that over 71% of employees intend to bring their WFH devices back to the office, with over 82% of that group being IT professionals, whose main job function is to ensure the security of the organization. Despite the prevalent risks, 54% don’t believe their personal devices pose any security risk or threat to their organization.
Censuswide conducted the survey on behalf of Armis of more than 2,000 professionals in various industries from across the United States in May 2021.
Armis is the leading unified asset visibility and security platform designed to address the new threat landscape that connected devices create. Fortune 1000 companies trust our real-time and continuous protection to see with full context all managed, unmanaged, and IoT devices, including medical devices (IoMT), operational technology (OT) and industrial control systems (ICS). Armis provides passive and unparalleled cybersecurity asset management, risk management, and automated enforcement. Armis is a privately held company and headquartered in Palo Alto, California.
Open source is a topic that pops up often these days. I have seen this blog post from Google’s open source team about some advances in cybersecurity based upon the recent US Executive Order—something that has spurred many news releases, if not a lot of work.
For you security and open source geeks, check out this blog post on security.googleblog.com (Thursday, June 24, 9 AM ET) by Oliver Chang, Google Open Source Security team, and Russ Cox, Go team.
In recent months, Google has launched several efforts to strengthen open-source security on multiple fronts. One important focus is improving how we identify and respond to known security vulnerabilities without doing extensive manual work. It is essential to have a precise common data format to triage and remediate security vulnerabilities, particularly when communicating about risks to affected dependencies—it enables easier automation and empowers consumers of open-source software to know when they are impacted and make security fixes as soon as possible.
We released the Open Source Vulnerabilities (OSV) database in February with the goal of automating and improving vulnerability triage for developers and users of open source software. This initial effort was bootstrapped with a dataset of a few thousand vulnerabilities from the OSS-Fuzz project. Implementing OSV to communicate precise vulnerability data for hundreds of critical open-source projects proved the success and utility of the format, and garnered feedback to help us improve the project; for example, we dropped the Cloud API key requirement, making the database even easier to access by more users. The community response also showed that there was broad interest in extending the effort further.
Today, we’re excited to announce a new milestone in expanding OSV to several key open-source ecosystems: Go, Rust, Python, and DWF. This expansion unites and aggregates four important vulnerability databases, giving software developers a better way to track and remediate the security issues that affect them. Our effort also aligns with the recent US Executive Order on Improving the Nation’s Cybersecurity, which emphasized the need to remove barriers to sharing threat information in order to strengthen national infrastructure. This expanded shared vulnerability database marks an important step toward creating a more secure open-source environment for all users.
A simple, unified schema for describing vulnerabilities precisely
As with open source development, vulnerability databases in open source follow a distributed model, with many ecosystems and organizations creating their own database. Since each uses its own format to describe vulnerabilities, a client tracking vulnerabilities across multiple databases must handle each one completely separately. Sharing vulnerabilities between databases is also difficult.
The Google Open Source Security team, Go team, and the broader open-source community have been developing a simple vulnerability interchange schema for describing vulnerabilities that’s designed from the beginning for open-source ecosystems. After starting work on the schema a few months ago, we requested public feedback and received hundreds of comments.
Check out the blog if interested in contributing.
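To make the "one format, many ecosystems" point concrete, here is a small client that matches a dependency against advisories written in the OSV interchange format. This is an added example, not code from the Google post or the OSV project; the advisories are constructed, and the field layout (`id`, `affected[].package.{ecosystem,name}`, `affected[].ranges[].events` with `introduced`/`fixed`) follows the OSV schema as I understand it and should be checked against the published schema before use.

```python
import json

# Constructed sample advisories in the OSV interchange format (assumed field
# layout). One record is for a Go module, one for a PyPI package; the same
# loop below handles both because they share the schema.
SAMPLE_OSV_FEED = json.loads("""
[
  {"id": "EXAMPLE-2021-0001",
   "summary": "constructed: path traversal in archive extraction",
   "affected": [{"package": {"ecosystem": "Go", "name": "example.com/archiver"},
                 "ranges": [{"type": "SEMVER",
                             "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}]}]},
  {"id": "EXAMPLE-2021-0002",
   "summary": "constructed: bug fixed in 2.3.1 but reintroduced in the 3.x line",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "example-parser"},
                 "ranges": [{"type": "SEMVER",
                             "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.1"},
                                        {"introduced": "3.0.0"}, {"fixed": "3.0.4"}]}]}]}
]
""")


def parse_semver(version: str) -> tuple:
    """Turn 'v1.4.2' into (1, 4, 2); pre-release and build tags are dropped."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def version_in_range(version: str, events: list) -> bool:
    """Walk an ordered SEMVER event list: a version becomes affected at an
    'introduced' event it satisfies ('0' = from the first release) and stops
    being affected at the next 'fixed' event it has reached. Simplified: the
    events are assumed to be sorted along a single version line."""
    v = parse_semver(version)
    affected = False
    for event in events:
        if "introduced" in event:
            lo = event["introduced"]
            if lo == "0" or v >= parse_semver(lo):
                affected = True
        elif "fixed" in event and affected and v >= parse_semver(event["fixed"]):
            affected = False
    return affected


def record_affects(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if any 'affected' entry of the record covers this package version.
    Entries for other ecosystems or package names are skipped."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):  # optional explicit list
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") == "SEMVER" and version_in_range(version, rng["events"]):
                return True
    return False


def find_advisories(feed: list, ecosystem: str, name: str, version: str) -> list:
    """Advisory ids from the whole feed that apply to one dependency."""
    return [r["id"] for r in feed if record_affects(r, ecosystem, name, version)]


if __name__ == "__main__":
    for eco, pkg, ver in [("Go", "example.com/archiver", "1.3.0"),
                          ("PyPI", "example-parser", "2.5.0"),
                          ("PyPI", "example-parser", "3.0.2")]:
        print(eco, pkg, ver, "->", find_advisories(SAMPLE_OSV_FEED, eco, pkg, ver))
```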
Security of networks and compute platforms will continue to be news for quite some time. After all, Putin didn’t agree to terminate all hacking emanating from Russia (surprise). But according to my firewall statistics, I’m hacked from a large number of geographic sites, and I’m just a blog site! This news came to me. Typical of security news, there are superlatives and claims that I have not been able to verify. The gist is that there is an attempt to bring OT and IT together in a secure network.
Tenable.ot showcased in Deloitte’s Smart Factory at Wichita initiative, providing its industry-leading capabilities for securing today’s modern OT environments
Tenable, Inc., the Cyber Exposure company, announced a strategic collaboration with Deloitte to accelerate and secure smart manufacturing across Fortune 500 environments. Tenable and Deloitte have developed and implemented industrial-grade security solutions to help organizations understand, manage, and reduce cyber risk in their manufacturing environments around the world.
According to a smart factory study from Deloitte and Manufacturers Alliance for Productivity and Innovation, eighty-six percent of manufacturers believe smart factories will be the main driver of competitiveness in the next five years. These modern environments represent a massive business opportunity, but they also contribute to an expansive and converged attack surface of legacy information technology (IT) and new operational technology (OT). Increasingly, boards of directors and executives consider OT security a top business priority and risk. As such, smart factories require strategic, risk-based vulnerability management to defend and secure mission- and safety-critical systems.
Deloitte’s ecosystem for smart manufacturing provides organizations with greater speed, scale and security over their digital transformation initiatives. By deploying Tenable.ot — the industry’s first unified solution for securing IT/OT environments — as part of a secure-by-design model, joint customers benefit from unmatched visibility and control over their converged industrial environments, with advanced threat detection and mitigation to identify weak points before an attack ever occurs.
“Make no mistake, industrial environments run the global economy. They build, power and protect the world around us. Ensuring these smart factories are secure by design is paramount,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “Strategic cybersecurity must be foundational to all smart factory initiatives. Without it, you’re building on pillars of sand. Securing modern, converged environments requires unified visibility across both IT and OT assets. We’re very excited to collaborate with Deloitte to do just that for customers around the world.”
In addition to the existing deployments around the world, Tenable.ot will also be showcased in Deloitte’s Smart Factory @ Wichita initiative — a 60,000-square-foot immersive experience equipped with the latest smart factory advancements — designed to demonstrate how manufacturers can embrace digital transformation in a secure, scalable way. In the facility opening this fall, joint customers will experience the power of a unified, risk-based view of their IT and OT environments, arming them with the visibility, security and control required to secure Industry 4.0.
“The Smart Factory at Wichita is designed to explore the full range of innovation with Industry 4.0 technologies, and maintaining cybersecurity is a critical piece of the manufacturing life cycle,” said Stephen Laaper, principal, Deloitte Consulting LLP. “With Tenable onboard as a builder sponsor, clients walking through the doors of the Smart Factory will have the ability to experience a secure industrial environment and can take solace in knowing critical organizational data is protected by a top leader in the industry.”