Security for operational technology: Part 2

Issue 6 2021 Editor's Choice, Cyber Security, Industrial (Industry)

The recent cyber-attack on Transnet is a wake-up call that South African companies are not immune from cyber threats. The incident impacted logistics on a national scale. A cyber breach is highly probable if basic defences are not in place and someone with the right resources decides to target you.

Cybersecurity controls can be categorised into people, process and technology. Technology normally gets the most attention and budget. The reality is that operational technology (OT) systems are designed, implemented, supported and used by people. People are the weakest link in terms of cybersecurity and therefore the easiest to exploit. Cybersecurity awareness training is often generic, neglected or the first cost to be cut.


Bryan Baxter.

According to Sun Tzu’s Art of War: If you know your enemy and know yourself, you need not fear the results of a hundred battles. Or in other words, the best form of defence is to learn the tactics that hackers use. Initial steps in the cyber kill chain are recce (using open-source intelligence), weaponisation (malware) and delivery (phishing and social engineering).

Open-source intelligence

Open-source intelligence (OSINT) is used to collect and analyse information available in the public domain. There is a surprising amount of information openly available on people, companies and products that can be used to exploit systems. Sources of useful information are annual financial statements, social media and specialised sites. Shodan, for example, can be used to find exploits for PLC manufacturers for equipment that is connected to the Internet (www.shodan.io).

When data is exfiltrated in a breach, hackers share or sell their bounty on the dark web. This includes dumps of user account names and passwords. This information, combined with OSINT can make it easier to breach sites as people use the same passwords for multiple systems. For example, my data was leaked in breaches at eThekwini (2016) and Adobe (2013). Somebody could have tried these passwords to try to access my work systems if my passwords were the same. This is called ‘credential stuffing’. It pays to check to see if your or your employee’s account details have been breached on https://haveibeenpwned.com/. Sites are available to find or help to guess corporate email or login account details i.e. https://hunter.io/.

Traditionally, companies have relied on air-gapping OT systems as a primary defence. This is no longer sufficient according to a recent report from Honeywell. USB media usage has increased by 30% in 2020 from 2019 and 79% of these threats are capable of disrupting OT. Consider the number of times USB media is connected to OT systems by users who are unaware of the risks. Threat actors know this vulnerability and design malware to be delivered by USB media to target OT systems.

Malware

Malware or malicious software is any software intentionally designed to cause damage to a computer, server, client, or computer network. Content-based malware (altered or infected documents using embedded scripts and macros) and Trojans (malware disguised as legitimate software) are the latest threats. Once the initial exploit is successful, backdoors are opened, remote access established to download additional threats, exfiltrate data and/or establish ‘command and control’ to potentially disrupt OT systems.

Social engineering

Social engineering is the art of influencing people into doing things they would not normally do. People can be unwittingly manipulated to download or execute malware, give up confidential or sensitive information such as account usernames, passwords, bank account numbers, credit card details and identity numbers. These actions and information can be used to breach systems.

Risks have increased as more people are now working remotely due to the Covid-19 pandemic. Social engineering tactics can use intimidation, urgency, scarcity, authority, impersonation, familiarity and consensus. These are red flags that users need to be trained to identify.

Phishing

Phishing uses fraudulent emails or websites combined with social engineering to trick users into providing sensitive information or to download malware. This malware can then find its way onto USB media. Phishing usually starts with an email urging you to click on an attachment or web link to confirm details about online accounts. These emails often appear to originate from popular online institutions or someone you may know. When you click on the link, you are directed to a page where you are asked for information.

A physical firewall protects your IT network by identifying and stopping suspicious network traffic. One of the best defences is to turn people into human firewalls. This means continuous education about cyber threats and how to mitigate them.

Generic cybersecurity awareness training should be provided for all computer users. This will also benefit them when using the Internet for personal use. Specialised training is critical for high risk/influence groups such as executives, procurement, human resources, audit, risk, software development and OT.

Guidelines to consider

• Ensure passwords are greater than eight characters long, do not re-use them and use a password manager like Bitwarden (www.bitwarden.com).

• Use multi-factor authentication for sensitive systems. This is where two or more verification factors are required to gain access.

• Be careful of what personal and work information you publish on social media.

• Keep personal and work systems separate. Use private email for personal use i.e. banking, medical aid, social media, insurance, etc.

Training can only go so far. Companies should run ongoing phishing simulations to check how effective their ‘human firewalls’ are performing. This will highlight users that are repeat offenders and need attention.

Please contact me to share your ideas, or if you have been breached or need help. You can also report breaches at the national Computer Security Incident Response Team (CSIRT) at cshubcsirt@cybersecurityhub.gov.za.

For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, bryan@wolfpackrisk.com, www.wolfpackrisk.com

References

Shapshak T, 2021, Note to Transnet: Cyberattacks only work when there are vulnerabilities to exploit, https://www.dailymaverick.co.za/opinionista/2021-08-04-transnet-ports-closed-and-were-in-the-dark/

Dholakiya P, What Is the Cyber Kill Chain and How It Can Protect Against Attacks, https://www.computer.org/publications/tech-news/trends/what-is-the-cyber-kill-chain-and-how-it-can-protect-against-attacks

Zerofox, 2021, Understanding Credential Stuffing for Effective Protection, https://www.zerofox.com/blog/understanding-credential-stuffing/

Honeywell, 2021 Industrial cybersecurity USM Threat Report 2021, https://www.honeywell.com/content/dam/honeywellbt/en/images/content-images/cybersecurity-threat-report-2021/Industrial%20Cybersecurity%20USB%20Threat%20Report%20v5.pdf

Wikipedia, Malware, https://en.wikipedia.org/wiki/Malware

Wolfpack, 2021, Phishing Survival Guide, https://store.alertafrica.com/advice-and-guidance/devices/phishing-survival-guide/

Chiwanza S, 2020, Passwords, https://store.alertafrica.com/advice-and-guidance/applications/passwords/

Steel A, 2012, New study: Passwords are still the weakest link, https://blog.lastpass.com/2012/03/latest-review-of-security-issues-and/




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

Read more...
The worst of times
Technews Publishing Editor's Choice
Cyber resilience in terms of people, processes and technology is where it’s at when it comes to prevailing in a world beset with cybercriminals.

Read more...
Cyber trends for 2022
Editor's Choice
In the last six months, an organisation in South Africa was attacked on average 1737 times per week. This is more than double the global average (819) of attacks per organisation per week.

Read more...
Cybersecurity for the board of directors
Editor's Choice
Bike-shedding is a common distraction in boardrooms, especially when discussing issues board members are responsible for, but don’t understand – like cybersecurity.

Read more...
Cybersecurity is now a digital transformation imperative
Editor's Choice
New research from the IDC reveals cloud security is the number one priority for investment, 50 percent of South African business leaders are concerned with the consequences of security breaches.

Read more...
Providing real-time visibility
Technews Publishing Editor's Choice
Comprehensive visibility is critical, but not always attainable without the support of a managed service provider dedicated to monitoring and securing your cyber environment around the clock.

Read more...
Getting the basics right
Technews Publishing Editor's Choice
Cybersecurity is like any other discipline, you can’t start at the top, you need to get the basics right. Hi-Tech Security Solutions asks how to best do this.

Read more...
Partnering to make South Africa more cyber secure
Editor's Choice
Cybersecurity professionals from the public and private sectors as well as academia have joined forces to establish the Cybersecurity Digital Alliance.

Read more...
Turnstar ramps up countermeasures
Turnstar Systems Editor's Choice Access Control & Identity Management News Products
Turnstar has developed and patented an early warning and deterrent system which will alert security, and anyone nearby, of any attempt to place ramps over the raised spikes.

Read more...
The state of the distribution market
ESDA (Electronic Security Distributors Association Bosch Building Technologies Dark Horse Distribution Elvey Security Technologies Regal Distributors SA G4S Secure Solutions SA Editor's Choice Security Services & Risk Management
The distribution industry has evolved over the years and its current challenges simply mean another change is in the wind, for those who can take the next step.

Read more...