Cyber security round-up

Siemens strengthens OT cyber posture in deal with Google Chronicle. NIST’s Risk management framework 2.0. Schneider Electric joins Cybersecurity Coalition. AFPM’s Cybersecurity 101 for refining and petrochemicals. Beyond Trust’s Microsoft Vulnerabilities 2019. McAfee Grand Theft Data II. UK ‘Petras’ National Centre of Excellence for IoT Systems Cybersecurity. MIT ‘IT security is largely impotent in protecting critical infrastructure’.

Siemens has announced the ‘Charter of Trust’, a suite of minimum cybersecurity requirements that are now included in all new contracts. The requirements will apply primarily to suppliers of security-critical components such as software, processors and electronic components for certain types of control units, with the goal of protecting its digital supply chain against hacker attacks. Siemens has also collaborated with TÜV SÜD to address the growing risk of cyberattacks on critical infrastructure by providing digital safety and security assessments, as well as industrial vulnerability assessments to global energy customers. More from Siemens. In yet another cyber deal, Siemens has partnered with Google-owned Chronicle, an Alphabet unit, to provide industrial monitoring and detection for the energy industry. The partners are to provide a single integrated platform and managed service that leverages analytics to ‘centralize and unlock the value of security data’. The system will leverage Chronicle’s Backstory platform to provide visibility across IT and OT systems and to ‘confidentially act’ on threats. More from Siemens.

The US NIST has released its ‘next generation’ Risk management framework RMF 2.0 aka NIST Special Publication 800-37. RMF offers a ‘holistic methodology’ to manage information security, privacy and supply chain risk. The executive summary states that ‘As we push computers to the edge, building a complex world of interconnected information systems and devices, security and privacy risks (including supply chain risks) [are] topics of great importance. The increase in complexity of the hardware, software, firmware, and systems within the public and private sectors (including US critical infrastructure) represents a significant increase in the attack surface that can be exploited by adversaries. Moreover, adversaries are using the supply chain as an attack vector and effective means of penetrating our systems, compromising the integrity of system elements, and gaining access to critical assets’. The 187-page publication provides a ‘disciplined, structured, and flexible process’ for managing such risks along with management training activities to prepare organizations to execute the framework.

Schneider Electric has joined the Washington DC-based Cybersecurity Coalition. The CC is developing consensus-driven solutions that promote a robust cybersecurity ecosystem with the development and adoption of cybersecurity innovations and by encouraging organizations to improve their cybersecurity. Schneider’s cybersecurity by design approach is exemplified by its EcoStruxure IoT offering, said to align with the US NIST cybersecurity framework. EcoStruxure cyber security is being enhanced through a global partnership with cybersecurity boutique Vericlave whose encryption technology is to ‘further secure and protect’ customers’ critical IT and OT systems. More from the Cybersecurity at Schneider Electric white paper.

The American Fuel & Petrochemical Manufacturers have published a short blog titled, Cybersecurity 101 in refining and petrochemicals. Author Dan Strachan warns of ‘radicals’ who are out to disrupt manufacturing and cause chaos at refining and petrochemical facilities. The AFPM’s Cybersecurity Subcommittee works around the clock to keep these folks from its IT and control systems. The AFPM is also a member of the Department of Homeland Security’s Industrial Control Systems Joint Working Group and the independent Cyber Resiliency Energy Delivery Consortium. AFPM also sponsors the annual Department of Energy’s Cyberforce competition.

Beyond Trust has just published its 2019 Microsoft Vulnerabilities Report, the sixth edition. While Windows 10 was touted as the ‘most secure Windows OS to date’ when it was released, Microsoft continues to report vulnerabilities, with twice as many reported in 2018 as in 2013. In 2018 across all Windows editions some 169 ‘critical’ vulnerabilities were caught. Beyond Trust reports that of these, 85% could have been mitigated by removing admin rights from end users. Critical vulnerabilities in Microsoft’s latest ‘Edge’ browser have increased six-fold since its inception two years ago. Beyond Trust observes that in the near future, Edge will have a Chromium-based engine, meaning that both Google Chrome and Edge could have the same flaws at the same time, leaving no ‘safe’ mainstream browser to use as a mitigation strategy*. Vulnerabilities in Microsoft Office continue to rise year over year, and they hit a record high of 102 in 2018. Here, removing admin rights would mitigate 100% of critical vulnerabilities in all Microsoft Office products. The question then arises as to how to restrict access and still ‘maintain a positive user experience’. Beyond Trust advocates leveraging ‘POLP’, the principle of least privilege, to mediate between security and productivity. The report also lists the ‘Top 4’ security mitigations as determined by the Australian Signals Directorate viz. application whitelisting, patching applications, restricting administrative privileges and patching operating systems. You probably knew this already ... but have you done it yet?

* What about Firefox?

A new report from McAfee, ‘Grand Theft Data II: the drivers and shifting state of data breaches’ finds that data breaches are getting more serious, with almost three-quarters of all breaches requiring public disclosure and/or affecting financial results. The top three vectors for ‘exfiltrating’ data are database leaks, cloud applications and removable USB drives. While insider theft is down 6% from 2015, it still accounts for 45% of all incidents. IT is implicated in 52% of breaches. While cloud applications and infrastructure do not generate a disproportionate amount of breaches, IT professionals are most concerned about Microsoft OneDrive, Cisco WebEx, and Salesforce.com. While 61% said that executives expect more lenient security policies for themselves, a similar number believed that such leniency results in more incidents. Security technology continues to operate in isolation, with 81% reporting separate policies or management consoles for cloud access security brokers (CASBs) and data loss prevention (DLP). However, over half of respondents have yet to install (or properly configure) at least one of these.

The UK has announced a National Centre of Excellence for IoT Systems Cybersecurity aka ‘Petras’ (for privacy, ethics, trust, reliability, acceptability and security). Petras is to research the opportunities and threats that arise as technologies like edge computing, artificial intelligence and machine learning move from centralized systems to being run at the periphery of the internet and local IoT networks. Petras received a £13.85 million award from the UK Strategic MA Priorities Fund. The program aims to ensure that Internet of Things systems are safe and secure as more critical applications emerge, making for increased vulnerability to sophisticated cyber-threats.

The US CERT National Insider Threat Center has published the sixth edition of its Common sense guide to mitigating insider threats. The report covers new research on unintentional insider threats and workplace violence, alongside fresh insights on the primary categories of insider threat: intellectual property theft, information technology sabotage, fraud, and espionage. The report also expands its organizational practices for mitigating insider threats to include positive workforce incentives, and it maps these practices to recent standards and regulations. The study includes analysis of more than 1,500 insider threat incidents across public and private industries. CERT director Randy Trzeciak observed ‘Many organizations feel insider threats are a greater risk to critical assets than external threats.’

The Spring 2019 edition of MIT’s Energy Futures, the MIT Energy Initiative bulletin, includes a five-page spread on Protecting our energy infrastructure. Using a new, holistic approach called ‘Cybersafety’, an MIT team has shown that today’s energy systems are rife with vulnerabilities to cyberattack—often the result of increased complexity due to high interconnectivity between devices and the greater use of software to control system operation. A spectrum of factors influence system operation, from physical design to operator behavior and managerial actions. Cybersafety provides a framework for studying how interactions among such factors affect system safety, and points to specific steps a company can take to harden its facilities. Recent events have demonstrated that traditional IT security measures are largely impotent in protecting critical infrastructure from advanced cyber adversaries. There is an urgent need to identify and mitigate cyber vulnerabilities, as future cyberattacks could cause unimaginable disruptions such as interrupting the flow of fuels or shutting down the US electric grid.

© Oil IT Journal - all rights reserved.