Cyber security round-up

Petronas security training. US Pipeline security update. ISA on IT/OT security. Dragos and DNG-ISAC initiative. 2021 Microsoft vulnerabilities. EU moots joint cyber unit. Honeywell USB threat report. University of Waterloo and critical infrastructure cyber security. Top 20 PLC coding tips.

A blog from the ISA reports on how Petronas has leveraged training programs based on the ISA/IEC 62443 specification covering control system component security. Petronas’ Sharul Rashid describes the ‘ever-increasing threat of cyber-attacks’, the ongoing strategy of IT-OT convergence and the formation of an IT/OT cybersecurity taskforce, guided by ISA/IEC 62443 best practices. Following a review of OT cybersecurity trainings, Petronas selected the ISA’s Cybersecurity Fundamental Specialist (CFS) ISA/IEC 62443 and Expert Level (Risk, Design, and Maintenance) qualifications for task force members. Task force members communicate Petronas’ cybersecurity goals to stakeholders and vendors. The standards have also informed the company’s cybersecurity governance framework.

The Transportation Security Administration (TSA) of the US Department of Homeland Security has announced new cybersecurity requirements for critical pipeline owners and operators, issued ‘in response to the ongoing cybersecurity threat to pipeline systems’. A new security directive requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement ‘a number of urgently needed protections against cyber intrusions’. The Department’s Cybersecurity and Infrastructure Security Agency (CISA) advised TSA on cybersecurity threats to the pipeline industry, as well as technical countermeasures. These include the implementation of measures to protect against ransomware attacks and other known threats to IT/OT systems and the development of contingency and recovery plans and an architecture review. An earlier security directive issued following the Colonial Pipeline ransomware attack called for improved cyber incident reporting and the designation of a cybersecurity coordinator, available 24/7.

Those wishing to look further into the ISA’s cyber security offering* should download a new ISA publication, Applying ISO/IEC 27001/2 and the ISA/IEC 62443 Series for Operational Technology Environments. Securing both IT and OT systems has proved challenging, with potential issues including operator screen locking that creates unsafe conditions, incompatible antivirus products and patching practices that disrupt production. The ISA/IEC 62443 series addresses such issues and helps an organization conform with the overarching ISO/IEC 27001 approach to information security. The white paper also addresses the issue of remote access to OT systems, with ISO 62443-specific requirements extending the approach to teleworking.

* ISA also issued a position statement in response to President Biden’s Executive Order 14028 (12 May 2021) that charts a ‘new course to improve the Nation’s cybersecurity’.

Industrial control system cybersecurity specialist Dragos has teamed with the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC) on an initiative to ‘strengthen security and community-wide visibility for industrial cybersecurity in the North American natural gas industry’. DNG-ISAC is an information sharing facility between distribution companies, the federal government and other stakeholders. Dragos’s Neighborhood Keeper is scheduled to be deployed via the DNG-ISAC, providing analysts with ‘greater visibility into industrial control system cyber threats facing the natural gas sector’.

* Incredibly, the DNG-ISAC entry point is non-https and gives a ‘site not secure’ warning. The portal (‘powered by Cyware’) fortunately is!

The 2021 Microsoft Vulnerabilities Report from Beyond Trust, a compilation of Microsoft security bulletins, provides an overview of the threat landscape of the Microsoft ecosystem. Vulnerabilities are on the rise: a record 1,268 vulnerabilities were discovered in 2020, up 48% year on year. One simple way of mitigating some 56% of all critical vulnerabilities is to remove ‘elevation of privilege’ from users’ software, the number 1 vulnerability category. But be prepared for some push-back as ‘tension between security and productivity is often the barrier that prevents the removal of users’ admin rights’. Enter Beyond Trust’s Endpoint Privilege Management solutions that promise ‘granular control of access to applications, tasks, and scripts, elevating application access but not user privileges’. Other interesting findings from the report: in January 2020, Microsoft Edge moved to a Chromium-based engine, so it now shares the same flaws as Google Chrome; there is now ‘no safe mainstream browser for Edge vulnerabilities’. While Windows 10 was touted as the most secure Windows OS to date when it was released, it still experienced 132 critical vulnerabilities in 2020. Covid-induced remote working has also introduced a ‘greatly expanded digital attack surface; phishing attacks are up 600%, including Covid-19-themed attacks aimed at workers mixing personal and work devices over non-secure Wi-Fi networks’.

The EU Commission has published a Recommendation to build a ‘Joint Cyber Unit’. Currently there is no mechanism for providing assistance to EU cyber communities or for combating cybercrime and conducting cyber-defense. The JCU is to provide technical and operational cooperation in situational awareness, preparedness and response between all communities. More from the pitch.

Honeywell has just published the 2021 Industrial Cybersecurity USB Threat Report. Covid-induced work from home has led to increased movement of digital data, mostly via removable media and network connectivity. The Honeywell study found a 30% hike in the use of USB in 2020 in industrial control/OT environments, with a concomitant rise in threats. Honeywell’s USB security solution, Honeywell Forge Secure Media Exchange (SMX), analyzes USB devices used in industrial facilities across oil and gas, energy and chemicals. The threat of USB-borne malware is a ‘serious and growing concern’. USB-specific threats rose from 19% in 2019 to just over 37% in 2020, with Trojans (76%) the main risk. Often these provide remote access, acting as an initial attack vector from which hackers can ‘download additional payloads, exfiltrate data, and establish command and control’. USB removable media are being used to penetrate the air-gapped environments found in many industrial and OT environments. To mitigate such risks, active USB cybersecurity controls are needed, perhaps leveraging early detection from the Honeywell Forge cybersecurity platform.

Natural Resources Canada has awarded a $407,000 grant to the University of Waterloo to develop a cyber security system to protect Canada’s critical energy infrastructure. The hardware assurance system will detect compromised components and devices, ‘ensuring the safety and reliability of Canada’s energy delivery by mitigating supply chain risks’. Bruce Power will provide equipment, evaluate machine learning processes and the overall performance of the new system, while Palitronica, a Canadian cyber security hardware and software company and part of University of Waterloo’s innovation ecosystem, will provide hardware sensors for technology development. The University of Waterloo and Bruce Power also contributed to the project, bringing the total investment to over $830,000. More from NRC.

PLC Security has just published a 44-page document outlining the ‘Top 20’ secure PLC coding practices. These could be summarized as ‘validation, validation and validation’, along with advice on modular coding with function blocks (sub-routines), independent testing of modules, tracking and alarming operating modes and more. The Top 20 list was compiled by the Secure PLC Programming project running on an ephemeral platform, top20.isa.org, hosted by ISA.

© Oil IT Journal - all rights reserved.