After a week of observation and pondering, one question comes to mind:
Have we had enough yet?
The SolarWinds software supply chain attack, followed by the Oldsmar water treatment plant attack, followed by the Colonial Pipeline attack. It raises this question:
Should companies running OT environments, the companies whose devices control our critical infrastructure, be held to a higher cybersecurity standard?
Suppose a cybersecurity attack against an OT company has a significant impact on customers and citizenry. Should these OT companies not have cybersecurity protections equal to or better than those of IT?
Yes, we're talking about the utilities we citizens rely on to survive and pursue our happiness. Yes, we understand that the OT world is averse to change because of its cost, which affects their bottom line. Their position is that updating hardware and software, and even adding security capabilities, will increase the cost of their service to customers. However, when a cybersecurity attack succeeds because of, for example, aged software that has not received security updates, there should be consequences when the general public is impacted. We, the citizenry, expect better from the companies managing the utilities we rely on.
I submit that OT environments should be secured at high levels, thereby becoming more secure than their IT counterparts. Why?
Let's get real:
For the past five years, OT control system attacks have increased 600%.
Studies from the University of Maryland show that a computer connected to the internet is attacked every 39 seconds on average. That's more than 2,200 attacks per day.
In May and June 2019, the New York Times ran articles on how a Russian organization proved it could get inside the US energy grid. They left tracks advertising that they had been there.
In May and September 2019, the show 60 Minutes ran two segments on how ransomware can be purchased on the Dark Web for less than the cost of a week's worth of groceries. Yes, RaaS - Ransomware as a Service! Unlike traditional ransomware, RaaS doesn't require the attacker to be skilled at writing computer code to launch attacks, because the RaaS delivery model works like a monthly subscription service. Executing an attack campaign, finding vulnerable servers and getting detailed information for a follow-on campaign is simple enough that a 12-year-old with average video game skills could run it. No technology knowledge or skills required. Rather scary!
Every industry report published at the beginning of 2021 identified ransomware as the #1 attack of 2021.
Now add the tens to hundreds of millions of new attack surfaces, active IoT sensors, that will go into production in 2021, enabled by 5G communication services. What could possibly go wrong?
It's not as if we are unaware! Common sense seems to be lost in this age. It's time it is found anew in this area quickly.
Should it be the fiduciary responsibility of executives at OT companies to provide a level of cybersecurity that protects the country's citizenry? The Colonial Pipeline case impacted the entire east coast of the US: citizens planned their families' survival strategy while waiting in gas lines that mimicked those of 1973, only longer in many cases. And it cost Colonial only 5 million dollars, paid as ransom, not spent on addressing the technology vulnerabilities in their OT environment. Could they have spent 15% protectively to prevent the event?
It's time for a significant change in the OT industry. It is possible that something as ominous as a Dodd-Frank equivalent, the legislation thrust upon the financial sector after the 2008 financial crisis, will be imposed on the OT industry.
One CEO of a firm I worked for 20+ years ago would on occasion meet with the associates of his company and say when necessary, "We're failing on the basic blocking and tackling." It's necessary to state this now. OT technology companies are failing at providing the necessary cybersecurity protections on their enterprises, impacting their constituents.
Let's use some common sense and be proactive, changing OT operations before regulators impose oversight!
It's time to increase your Cybersecurity Hygiene!
What are some things that can be done now? We know we need better everything, but where do you start?
Consider the changes with the most significant impact on your environment. The following is not a complete list; NIST has done that for us (see #2 below). The shortlist to consider is:
1. As a precursor, understand your risk of doing nothing. Yes, change is risky. However, doing nothing is more so.
2. Ask yourself: what is the Greatest Common Factor (GCF) of most successful cybersecurity attacks? Most attack vectors breach at the network perimeter, the network edge of your enterprise. There is an answer for addressing this issue: it's called Zero Trust. The National Institute of Standards and Technology (NIST) has an in-depth read on this one architecture which, when implemented correctly, will go a very long way toward resolving this GCF. Determine how to implement it. Zero Trust - https://bit.ly/3tTztpW - is your most significant bang for your buck; it will take time, and you can't succeed at all of it quickly. So...
3. Look at your enterprise network map and ask how many points connect to the internet. Seriously consider reducing that to two, a primary and a secondary; for combined IT/OT environments, two for IT and two for OT. Everything leaving or entering your enterprise digitally should pass through your enterprise firewalls and intrusion detection/prevention appliances, and through your Software Defined Perimeter (SDP).
4. Engage with vendors who supply a Software Defined Perimeter at an enterprise level.
5. Take inventory of any software on your computers that has not been upgraded recently, and upgrade it. This can be viewed as a double-edged sword; however, not upgrading, doing nothing, is worse, considering there is most likely at least one attack vector in any software more than 6-12 months old. Take inventory, test in a pre-production zone, and verify through regression tests that proven functionality has not been damaged.
6. If any hardware/OS combination no longer has an upgrade path for security and feature patches, it's time to retire that computer!
7. If Remote Desktop Protocol (RDP) ports are open to the internet, close them. You're simply asking for a RaaS attack on the computers with those ports exposed.
8. Similarly, if your database systems are open to the internet, segregate them from internet access. You're one event away from a SQL injection attack losing the data in those databases.
9. Work through a migration path to end-to-end encryption for your data in transit. The decade when the internet was a new, bright and shiny thing to build on, implicitly trusted for all the great new capabilities it gave you, is long past. Your target should be: any network traffic leaving or entering your enterprise has end-to-end encryption on it.
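The checklist above is the kind of thing that gets audited once and then drifts. As an added example, not code from the original post or from NCoded Communications, here is a small Python audit that reads a host/service inventory and flags the items the list calls out: RDP exposed to the internet, database listeners exposed to the internet, software that has gone more than 12 months without an update, and unencrypted traffic crossing the perimeter. The inventory format (host, port, zone, encrypted, last_update), the `AS_OF` date and the sample records are constructed for this example; the port numbers are the standard defaults for those services.

```python
"""Exposure audit for the hygiene checklist.

Added example, not from the original post. The inventory schema and the
sample rows below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Standard default ports for the services the checklist names.
RDP_PORTS = {3389}
DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 1521: "Oracle"}

# Upper bound of the post's "6-12 months old" threshold, in days.
MAX_PATCH_AGE_DAYS = 365

# Date the audit is run against (constructed for the sample data).
AS_OF = date(2021, 5, 20)

# Constructed inventory: one listening service per row.
# zone is "internet" when the listener is reachable from the internet.
SAMPLE_INVENTORY = """host,port,zone,encrypted,last_update
hmi-01,3389,internet,no,2020-02-10
historian-db,1433,internet,yes,2021-04-01
jump-01,22,internet,yes,2021-05-01
plc-gw,502,internal,no,2019-11-15
"""


@dataclass
class Service:
    host: str
    port: int
    zone: str           # "internet" or "internal"
    encrypted: bool     # TLS/IPsec on the wire
    last_update: date   # last vendor patch applied


def load_inventory(text: str) -> list[Service]:
    """Parse the CSV inventory into Service records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Service(
            host=row["host"],
            port=int(row["port"]),
            zone=row["zone"].strip().lower(),
            encrypted=row["encrypted"].strip().lower() in {"yes", "true", "1"},
            last_update=date.fromisoformat(row["last_update"]),
        )
        for row in reader
    ]


def audit(services: list[Service], today: date) -> list[tuple[str, str]]:
    """Return (host, finding) pairs for every checklist violation."""
    findings = []
    for s in services:
        exposed = s.zone == "internet"
        if exposed and s.port in RDP_PORTS:
            findings.append((s.host, "RDP exposed to the internet: close the port"))
        if exposed and s.port in DB_PORTS:
            findings.append((s.host, f"{DB_PORTS[s.port]} listener exposed to the internet: segregate it"))
        age = (today - s.last_update).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((s.host, f"no update in {age} days: upgrade, or retire if no upgrade path"))
        if exposed and not s.encrypted:
            findings.append((s.host, "unencrypted traffic crossing the perimeter: require end-to-end encryption"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(load_inventory(SAMPLE_INVENTORY), AS_OF):
        print(f"{host}: {finding}")
```

Feed it an export from your asset inventory or firewall rule base instead of the sample text and run it on a schedule; a host that was clean last quarter and shows up now is exactly the drift the checklist is meant to catch. The internal Modbus gateway in the sample is deliberately not flagged for encryption, since the post's target is traffic that leaves or enters the enterprise.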
Need help on these topics? Please contact NCoded Communications to work through them and move down the path of increasing your cyber resiliency.