A recent report ‘OT:ICEFALL - A Decade of Insecure-by-Design Practices in OT’ from Forescout Technologies’ cyber security unit Vedere Labs found that ‘serious vulnerabilities still exist in the products of many of the largest control systems vendors even though many are sold as secure by design or have been certified with OT security standards’. Vedere analyzed products from ten of the largest control system vendors and found 56 cyber security vulnerabilities. Hackers exploiting these could gain network access to a target device, execute code remotely, bypass authentication and create havoc. What’s perhaps worse is that three quarters of the product families affected by such vulnerabilities have some form of security certification. Vedere accused some vendors of ‘persistent insecure-by-design practices’. These can occur in products carrying security certifications such as IEC 62443 and Achilles L1.
The report was brought to our attention in a blog post from Bedrock Automation’s Robert Bergman, who has also warned that the US Transport Safety Administration is rolling back on its 2021 Pipeline Cyber Security Directive following pressure from operators. At issue is the requirement for operators to review and fill gaps between their current cyber security practices and the TSA’s 33-page cyber security guidelines, which were deemed ‘too IT focused and not relevant to OT security’. CSO magazine reported that the original TSA recommendations were to disable Microsoft macros and programmable logic controllers and to change all passwords. Lobbying by the American Petroleum Institute has resulted in the TSA’s backtracking.
Aaron Smith, blogging on the ISA website, offers five tips to protect your business from cybercrime. These are 1) create a plan, 2) back up your data, 3) secure your network, 4) schedule updates (for software and operating systems) and 5) install security software. Read Smith’s blog here.
In a similar vein, but at considerably greater length, Carnegie-Mellon University’s Software Engineering Institute (SEI) has published a ‘Common sense guide to mitigating insider threats’, now in its seventh edition. Insider threats come from individuals with access to an organization’s critical assets who use this to ‘act in a way that could negatively affect the organization’. The Guide summarizes the SEI’s work since the publication of the 2017 US State of Cybercrime Survey, which found that 20% of electronic crime events were suspected or known to be caused by insiders. Examples include stealing information such as trade secrets and customer information and sophisticated crimes that sabotage an organization’s data, systems, or network. More from SEI’s 174-page Guide.
French startup RFence has raised €1.3 million to develop its ‘Horus’ radio frequency scanning technology for securing critical infrastructure. Horus monitors the entire radio spectrum (GSM, 2G, 3G, 4G, 5G, Bluetooth, Wifi …) to detect emitting devices including walkie-talkies, IoT devices, vehicles and homemade radio transmitters. More from RFence.
A study, ‘Sensitive Data in the Cloud’ by the Cloud Security Alliance found that 67% of organizations store sensitive data in public cloud environments. The report somewhat confusingly found that although ‘89% of respondents found that cloud security controls are effective’, organizations ‘are not confident in their own ability to protect sensitive data in the cloud’. A quarter of the respondents leveraged another layer of security in the form of ‘confidential computing’ from Anjuna Security which sponsored the CSA study.
To celebrate Cybersecurity Awareness Month (October), CybeReady has released an Interactive Learning Kit to prepare employees and organizations against cyberattacks. Cybersecurity Awareness Month was established by the President of the United States and Congress some 19 years ago with backing from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) to raise cybersecurity awareness nationally and internationally. Download CybeReady’s complete guide to cyber awareness and get the learning kits here.
On the subject of cybersecurity training, the ISA’s Sourabh Suman recently blogged on how to better train automation engineers on IEC 62443. The Colonial Pipeline attack has exposed an ongoing problem facing the nation’s critical infrastructure: a gap in the cybersecurity workforce. ‘Future wars will no longer be traditional and the country needs to be prepared on both the defensive and offensive sides, which starts by addressing this shortage.’ Read how in Suman’s blog. To train the cyber army’s commanders, ISA has also launched a microlearning module for chief information security officers, a majority of whom believe, according to yet another study, that ‘their organizations are unprepared to fend off potential cyberattacks’.
A Cyber Readiness Report by Trellix https://trellix.com based on research conducted by Vanson Bourne, surveyed 900 cybersecurity professionals and found that the majority of US providers in oil and gas (and other sectors) have not implemented full cybersecurity capabilities due to lack of in-house cyber skills. Specifically, 75% of US oil and gas sector survey respondents have not yet fully deployed multifactor authentication ‘making remote access to systems much easier for bad actors’.
And again, according to BreachBits, a cyber risk rating and monitoring company, ‘the majority of companies across the US oil and gas industry are at risk of a successful cyber breach’. The analysis of 98 representative upstream, midstream, downstream and supply chain companies across the energy sector is now available as BreachRisk: Energy 2022.
DNV has pitched in on the cyber scaremongering scene with new research into the ‘Cyber Priority’ that found ‘energy professionals believe that cyber-attacks on the industry are likely to cause harm to life, property and the environment in the next two years’. Moreover, ‘only 47% believe that their operational technology security is as robust as their IT security’. More in a similar vein from DNV.
The EU Commission has presented a proposal for an ‘EU Cyber Resilience Act’ https://ec.europa.eu/newsroom/ECCC/items/757902/en to protect consumers and businesses from products with inadequate security features. The Act heralds EU-wide legislation with mandatory cybersecurity requirements for digital products throughout their lifetime.
If you think you know all this stuff already, you may qualify for NIST’s (the US National Institute for Science and Technology) program solicitation NSF 22-632 for a Cyberinfrastructure for Sustained Scientific Innovation (CSSI). The program is seeking recipients for some $34 million per year in government funding to be shared across about 35 participating organizations.
The Open Group recently hosted a cyber event that looked into zero trust architectures and supply chain security with input from NIST, NASA, Microsoft, IBM and others. The Open Group is to explore how open standards can provide actionable insights into these important and developing topics. More in the TOG blog.
Finally, ISA blogger Sagar Yadav sets out to explain just why ICS/OT infrastructure is so hard to secure. In essence this is down to a reversal of priorities between IT and OT. In OT infrastructure, availability is the highest priority while security comes in second. In IT it’s the other way round. At least that’s what we understood from a quick spin through Yadav’s blog.
© Oil IT Journal - all rights reserved.