How to manage your cyber risks
Minimising the chances of attacks Cyber threats are evolving and escalating at an alarming rate for asset-intensive industries such as the energy sector.
ARE organisations only concerned with undertaking the right measures to mitigate cyber risk after they have been cyberattacked? This may be the case in most situations but the more important question to ask is – what are the cybersecurity controls that should be considered by organisations? The answer is straightforward – the controls that have the biggest impact on reducing the likelihood or the impact of a successful cyberattack.Cyber risk is generally defined as the threat to the system, the system’s vulnerability and the resulting consequences.
Therefore, to successfully protect information technology (IT) and operational technology (OT) systems, companies must understand the tactics, techniques and procedures (TTPS), which threat actors use to achieve their desired objective.
Here are several examples of well documented cyberattacks on critical national infrastructure over the past two decades:
In 2010, arguably, the most sophisticated cyberattack was executed on an Iranian uranium enrichment facility that exposed the weakness of cybersecurity controls and vulnerability of OT environments.
The STUXNET worm was designed specifically to target these environments which allowed the threat actor to exploit and disrupt production operations causing downtime and business impact. STUXNET was the eureka moment for the energy and manufacturing industries that OT environments can be breached and what impact it can have on their business, human lives, environment and economies. Unfortunately, it was also an eureka moment for threat actors too. OT cyberattacks surged rapidly and suddenly the attack techniques from threat actors, in terms of creativity and smartness of achieving their malicious objectives, evolved since then. In 2015, Ukraine was hit by another massive cyberattack that shut off power at 30 substations and left millions of people without electricity for up to six hours. SCADA equipment was rendered inoperable and power restoration had to be completed manually, which further delayed restoration efforts. So how was this achieved – must have been very sophisticated? Actually, not. Spear phishing was used to introduce the Blackenergy malware that exploited the macros in excel-based documents on computer systems at the plants. Meaning that the threat actors did nothing different than using known TTPS for cyberattacks on IT environments. The same exploitation tools were used to find user credentials to escalate their privileges to move laterally in the network or to send malicious commands to disrupt plant operations. The 2015 cyberattack seemed like an experiment as barely a year later the Ukraine Power Grid was attacked again and this time the capital city Kiev went dark, breakers tripped in a large number of substations. However, this time the threat actors also jammed the utility’s call centres to prevent customers from reporting the outage by launching Telephone Denial of Service (TDOS) attack. The approach was more sophisticated as the threat actors directly manipulated the SCADA systems using CRASHOVERRIDE – the first known malware specifically designed to target the power grids directly around the globe with the ability to wipe or delete files, disable processes like malware protection and even the software from OT vendors. This was another eureka moment – national power grids are not safe from threat actors either. One of the most concerning cyberattacks was in 2017 where the TRITON malware targeted the specific safety critical Programable Logic Controller’s (PLCS) in the Middle East. The function of these PLCS is to protect plants and people from disasters caused by mechanical failure. In 2018, advanced persistent threat attacks on industrial environments continued to rise, and industrial espionage increased. After 2019, there was a drastic increase in ransomware activities in OT environments including the manufacturing, water treatment and pipeline industries. Recently, Cybersecurity and Infrastructure Security Agency launched the Cross-sector Cybersecurity Performance Goals as a prioritised subset of IT and OT cybersecurity practices, aimed at meaningfully reducing risks to critical national infrastructures and the community it supports. These cybersecurity controls are not meant to be the only considerations for organisations. The purpose is to form the foundation to protect IT and OT infrastructures against cyberattacks as part of the defence-in-depth cybersecurity strategy. These are some of the logical first steps to consider:User account security
User accounts are generally one of the first gateways for threat actors to gain access to the network to establish a foothold and move laterally. On the surface, this may seem simple but maintaining user account security hygiene has been a long-standing challenge for many organisations. Here are the suggested foundational controls that should be considered: > enable the detection of unsuccessful user login attempts > change all default passwords and implement multi-factor authentication > update the minimum password strength > separate user and privilege accounts > enforce unique user credentials (not just email addresses as commonly used) > revoke the credentials of departing employees.Device security
Device security are measures taken to secure computing devices (hardware and software) from cyber threats but also to maintain service continuity. Here are the suggested foundational controls that should be considered: > approval process for new hardware and software deployment > the disablement of macros by default > maintaining an up-to-date asset inventory > prohibiting the connection of unauthorised devices > documenting device configurations.Data security
The purpose is to protect sensitive and confidential data from unauthorised access, theft, loss and destruction. Here are the suggested foundational controls that should be considered: > strong and agile encryption > enable log collection > secure storage of the said logs.Governance and training
A strong governance structure is a key success factor for any cybersecurity strategy and operations to manage cyber risks effectively and to ensure adequate protection of data and systems. Here are the suggested foundational controls that should be considered: > appointment and empowerment of a single leader to be accountable for cybersecurity > a single leader to be responsible for Ot-specific cybersecurity > basic cybersecurity training for all employees and third parties > OT specific cybersecurity training for OT managers and operators > establish an effective relationship between IT and OT cybersecurity to improve the response effectiveness for OT cyber incidents.Vulnerability management
To reduce the likelihood of threat actors exploiting known vulnerabilities in IT and OT systems, the following foundational controls should be considered: > mitigate known vulnerabilities > gather vulnerability intelligence by security researchers and enable the researchers to submit discovered weaknesses or vulnerabilities faster > blacklisting of exploitable services on the Internet > limit OT connections to public Internet > conduct third-party validation of control effectiveness.Supply chain/third party
To ensure the integrity and reliability of supplier products and services the following foundational controls should be considered: > establish supplier cybersecurity requirements > immediate disclosure of known cybersecurity incidents and vulnerabilities to enable rapid response.Detection, response and recovery
Here are the suggested foundational controls that should be considered: > capability to detect relevant threats and TTPS > a comprehensive response and recovery plan (including appropriate back-ups) in place helps organisations be prepared for the inevitable security incidents that will occur and ensures that they have the processes and resources in place to minimise the impact and recover effectively.Network segmentation
Network segmentation reduces the likelihood of threat actors accessing the OT network after compromising the IT network and vice versa. Here are the suggested foundational controls that should be considered: > segment IT and OT networks > segment safety critical systems form other systems > segmentation of temporarily connected devices > segmentation of wireless communications > segmentation of devices connected via untrusted networks/internet.Email security
By implementing effective email security measures, organisations can reduce the risks from common email-based threats and ensure the confidentiality and integrity of email communications. Here are the suggested foundational controls that should be considered: > Email encryption > Email account authentication > and email filtering. In conclusion, cyber threats are evolving and escalating at an alarming rate for asset-intensive industries such as the energy sector. Strengthening the cybersecurity foundations are imperative to build a defence-indepth model that would reduce the chances of cyberattacks and safeguard IT and OT environments.By JACO BENADIE Jaco Benadie is partner, Ernst & Young Consulting Sdn Bhd. The views expressed here are the writer’s own.
Related:
Exclusive: Hacker group with members from Europe, North America found to have launched cyberattacks against China
Chinese cybersecurity experts have exposed a hacker group, with its core members coming from Europe and North America, which has been launching sustained cyberattacks against China as its primary target, posing a serious threat to the country's cybersecurity and data security, the Global Times learned from a Beijing-based cybersecurity lab on Sunday.
Related posts:
Beware links asking for banking details, it's likely a scam, say cops. With online businesses on the rise, the scammers are getting more..
THE FIGHT AGAINST CYBERCRIME IN FINANCIAL SERVICES
China captures powerful US NSA cyberspy tool