May 30 2023

The essence of OT security: A proactive guide to achieving CISA’s Cybersecurity Performance Goals

Category: CISA,OT/ICS,Security ToolsDISC @ 9:27 am

The widespread adoption of remote and hybrid working practices in recent years has brought numerous benefits to various industries, but has also introduced new cyber threats, particularly in the critical infrastructure sector.

These threats extend not only to IT networks but also to operational technology (OT) and cyber-physical systems, which can directly influence crucial physical processes.

In response to these risks, the US government reinforced critical infrastructure security by introducing Cross-Sector Cybersecurity Performance Goals (CPGs) mandated by the US Cybersecurity Infrastructure & Security Agency (CISA).

Recently, CISA updated the CPGs to align with NIST’s standard cybersecurity framework, establishing each of the five goals as a prioritized subset of IT and OT cybersecurity practices.

In this article, we will look in more detail at CISA’s revamped CPGs and discuss the potential solutions available to help organizations achieve these critical goals.

CPG 1.0 Identify: Scoping out the vulnerabilities in the OT environment

CISA’s first CPG is “Identify”, which includes identifying the vulnerabilities in the IT and OT assets inventory, establishing supply chain incident reporting and vulnerability disclosure program, validating the effectiveness of third-party security controls across your IT and OT networks, establishing OT security leadership, and mitigating known vulnerabilities. Critical infrastructure organizations must address all these sub-categories exclusively to achieve the first CPG.

Addressing these responsibilities requires a dynamic effort. Firstly, organizations must strengthen their IT and OT relationship by fostering more effective collaboration between the security teams of both departments. But, most importantly, IT and OT teams must come together to understand the potential cyber threats and risks of each environment and how it affects the other. To achieve the first CPG, it is critical that these departments are not kept in isolation but rather collaborate and communicate frequently.

At the same time, organizations must establish OT leadership by clearly identifying a single leader who will be responsible and accountable for OT-specific cybersecurity. From there, organizations must create an asset inventory or glossary that clearly identifies and tracks all OT and IT assets across the entire ecosystem. These assets should be regularly audited based on their vulnerability management program. It’s also highly critical to have an open, public, and easily accessible communication channel where vendors, third parties, or employees can disclose any potential vulnerability in relation to the OT and IT assets.

CPG 2.0 Protect: Safeguarding privileged access to OT assets

CISA’s second CPG is “Protect”, which emphasizes the account security aspects of OT assets. To achieve this goal, critical infrastructure organizations are required to strengthen their password policies, change default credentials across OT remote access systems, apply network segmentation to segregate OT and IT networks, and separate general user and privileged accounts.

Addressing all these aspects of account security can be a chore for most organizations, but they can turn to unified secure remote access (SRA) solutions that can extend multiple account-level security controls to OT remote users via enforcement of multi-factor authentication (MFA), least privilege policies, and role-based access. Such solutions can also support advanced credential policies to further reduce the risk of unauthorized access and denial of service attacks.

It’s also important that organizations only leverage SRA solutions that are based on zero trust policies. This will help organizations establish effective network segmentation that eliminates direct, unfettered remote connectivity to OT assets, and to continuously monitor personnel activity during all remote OT connections.

CPG 3.0 Detect: Awareness of critical threats and potential attack vectors across your OT environment

CISA’s third CPG emphasizes the detection of relevant threats and knowledge of potential attack vectors and TTPs (tactics, techniques, and procedures) that can compromise OT security and potentially disrupt critical services.

Detecting relevant threats and TTPs across OT assets and networks requires a proactive approach that combines advanced monitoring and analysis. Real-time monitoring solution should be complemented with comprehensive network visibility, allowing for the swift detection of anomalies and unusual patterns.

A critical aspect of threat detection in OT environments — and meeting the CPG mandate — is the sharing of information and collaboration between various stakeholders. Threat intelligence platforms play an essential role in gathering and disseminating information about current and emerging threats. By leveraging this valuable data, organizations can stay ahead of potential risks, fine-tune their defenses, and ensure the safety and security of their OT assets. Additionally, conducting regular security assessments, penetration testing, and vulnerability scanning will help uncover any weaknesses in the infrastructure, allowing for timely remediation and improved resilience against cyberattacks.

CPG 4.0 and 5.0: Respond and Recover

The final two CISA’s CPGs stress the importance of incident reporting and planning. Regardless of how robust your OT security practices are, cyber threats are almost inevitable in today’s interconnected and increasingly remote networking era. So, while proactive security solutions are necessary, attacks still are unavoidable, especially in a highly targeted sector like critical infrastructure.

Therefore, CISA stresses that organizations must have a comprehensive plan and process outlined for reporting security incidents and effectively recovering their affected systems or services upon a breach.

Advanced SRA solutions can help organizations to achieve these goals through automated recording of user activities and asset-related data, as well as creating automated backups of critical data. More specifically, they can log all user sessions, encrypt all user- and asset-related data, and retain logs of OT remote user activity. These measures help to ensure that critical information is stored in accordance with all relevant regulatory requirements and backup and recovery needs.

Conclusion

Overall, the vulnerabilities of ageing OT assets and siloed OT and IT networks have created a significant threat to critical infrastructure entities, which has been further exacerbated by the prevalence of remote access.

CISA’s OT-specific goals and actions within the CPGs provide a much-needed set of guidelines for CNI organizations to strengthen their security posture and increase cyber resilience. By following CISA’s recommendations and employing innovative security technologies, organizations can minimize the risk of cyberattacks affecting the physical world and public safety.

InfoSec tools | InfoSec services | InfoSec books

Tags: CISA, Cybersecurity Performance Goals, ICS, Industrial Cybersecurity, OT


Feb 17 2023

How hackers can cause physical damage to bridges

Category: OT/ICS,Scada SecurityDISC @ 11:48 am

In this Help Net Security video, Daniel Dos Santos, Head of Security Research at Forescout, talks about recent research, which has revealed how attackers can move laterally between vulnerable networks and devices found at the controller level of critical infrastructure. This would allow them to damage assets such as movable bridges physically.

This lateral movement lets attackers access industrial control systems and cross often-overlooked security perimeters to cause physical damage. From sensors that measure and detect pressure, temperature, flow and levels of liquids, air, and gases, to analyzers that determine chemical compositions and actuators that enable machines to move. Moving through these devices at the lowest levels, attackers can circumvent built-in functional and safety limitations to cause significant damage or disruption to services, or worse, pose a potential threat to life.

To demonstrate the potential implications, Forescout has built an industry-first proof-of-concept (PoC) which shows how attackers can move laterally on the controller level (Purdue level 1) to cause cyber and physical impact, as illustrated through the scenario of damaging a movable bridge during a closing sequence.

As part of the research, two new vulnerabilities are also being disclosed for the first time – CVE-2022-45788 and CVE-2022-45789 – which allows for remote code execution and authentication bypass, respectively, on Schneider Electric Modicon Unity Programmable Logic Controllers (PLCs).

Modicon PLCs are used in a wide range of industrial processes and critical infrastructure, including in industries such as water and wastewater, mining, manufacturing, and energy. Whilst these devices should not be accessible online, Forescout has found that close to a thousand PLCs have been exposed, with France (33%), Spain (17%), Italy (15%), and the United States (6%) revealed as the countries with the most exposed devices.

The number of devices visible is just a small indication of the popularity of these PLCs, but these devices also highlight some of the critical facilities that rely on them. For example, several devices were connected to hydro power plants, solar parks and airports.

bridge open

Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Industrial Cybersecurity, OT/ICS critical infrastructure


Dec 29 2022

INDUSTRIAL CYBERSECURITY USB THREAT REPORT 2022

Category: OT/ICSDISC @ 11:52 am
INDUSTRIAL CYBERSECURITY USB THREAT REPORT 2022 – by Honeywell Forge

OT, ICS & SCADA Security

Infosec books | InfoSec tools | InfoSec services

Tags: Industrial Cybersecurity, Threat Report


Jun 30 2022

OT security: Helping under-resourced critical infrastructure organizations

Category: OT/ICSDISC @ 7:59 am
Supply chain risks are compounded for organizations that must protect both their IT and the OT from cyber-attacks. What technologies and approaches should they consider implementing? What specific pitfalls should they avoid, and how?

Most third party risk programs are IT-focused – including suppliers that have access to the organization’s intellectual property or network. But some OT suppliers have access – physical and remote – to the OT environment, for troubleshooting, maintenance, etc., and it’s important that the risk posed by those suppliers is included in the enterprise third party risk program, since remote access to OT poses obvious security risks, and on-site access often involves USB drives and other direct electronic access which also can introduce malware into the OT environment. The good news is that these vendors can simply be included in existing third party risk programs.

On the other hand, more and more suppliers are being impacted by ransomware hitting their OT environment. This impacts their ability to provide their products and services to their customers, which can in turn impact their customers’ operations. Therefore, the scope of third party risk programs needs to be broadened once again to include critical suppliers in OT – those whose products or services are critical to the organization’s own OT operations. Now the bad news: existing third party risk programs typically do not assess security risk in OT environments. In fact, although frameworks and best practices are emerging in OT security, organizations usually need to rely on OT security experts to assist in these assessments and remediation recommendations.

Finally, we have seen increasing cyber attacks against the software supply chain, as well as attacks targeting vulnerabilities in critical OT products. When choosing suppliers of critical OT products, it is important to determine whether the vendor is certified to ISA/IEC 62443 – the leading security certification in OT. Those certifications should be an important factor in choosing products for the OT environment.

How can IT and OT Sec teams improve their cooperation towards their common goal (of keeping all systems working to support the company in achieving its business objectives)?

The future of ICS security depends on OT-centric security solutions - Help  Net Security

Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment

Practical Industrial Cybersecurity: ICS, Industry 4.0, and IIoT

Tags: Industrial Cybersecurity, OT security


Apr 14 2022

US gov agencies e private firms warn nation-state actors are targeting ICS & SCADA devices

Category: OT/ICS,Scada SecurityDISC @ 8:35 am

The US government agencies warned of threat actors that are targeting ICS and SCADA systems from various vendors.

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) to warn of offensive capabilities developed by APT actors that could allow them to compromise multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

According to the advisory that was issued with the help of leading cybersecurity firms (Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric), nation-state hacking groups were able to hack multiple industrial systems using a new ICS-focused malware toolkit dubbed PIPEDREAM that was discovered in early 2022.

“APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices” reads the advisory.

“The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.”

The toolkit could allow to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters. 

Threat actors can also leverage a tool to install and exploit a known-vulnerable ASRock-signed motherboard driver (“AsrDrv103.sys“) by triggering the CVE-2020-15368 flaw to execute malicious code in the Windows kernel. The tool could be used to perform lateral movements within an IT or OT environment and interfere with devices’ operation.

Researchers from Dragos shared a detailed analysis of the new PIPEDREAM toolkit confirming that it has yet to be employed in attacks in the wild.

“PIPEDREAM is the seventh known ICS-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.” reads the report published by Dragos. “Dragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects. This is a rare case of accessing and analyzing malicious capabilities developed by adversaries before their deployment and gives defenders a unique opportunity to prepare in advance.”

Mandiant, which tack the toolkit as INCONTROLLER, also published a detailed analysis warning of its dangerous cyber attack capability.

“The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.” reads the analysis published by Mandiant. “INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017;”

The joint report also included the following recommendations for all organizations with ICS/SCADA devices:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters. 
  • Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups. 
  • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
  • Ensure all applications are only installed when necessary for operation. 
  • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates. 
  • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
  • Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system. 

Cisa ICS

Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: ICS & SCADA devices, Industrial Cybersecurity