Security for operational technology: Part 2

Issue 6 2021 Editor's Choice, Cyber Security, Industrial (Industry)

The recent cyber-attack on Transnet is a wake-up call that South African companies are not immune from cyber threats. The incident impacted logistics on a national scale. A cyber breach is highly probable if basic defences are not in place and someone with the right resources decides to target you.

Cybersecurity controls can be categorised into people, process and technology. Technology normally gets the most attention and budget. The reality is that operational technology (OT) systems are designed, implemented, supported and used by people. People are the weakest link in terms of cybersecurity and therefore the easiest to exploit. Cybersecurity awareness training is often generic, neglected or the first cost to be cut.


Bryan Baxter.

According to Sun Tzu’s Art of War: If you know your enemy and know yourself, you need not fear the results of a hundred battles. Or in other words, the best form of defence is to learn the tactics that hackers use. Initial steps in the cyber kill chain are recce (using open-source intelligence), weaponisation (malware) and delivery (phishing and social engineering).

Open-source intelligence

Open-source intelligence (OSINT) is used to collect and analyse information available in the public domain. There is a surprising amount of information openly available on people, companies and products that can be used to exploit systems. Sources of useful information are annual financial statements, social media and specialised sites. Shodan, for example, can be used to find exploits for PLC manufacturers for equipment that is connected to the Internet (www.shodan.io).

When data is exfiltrated in a breach, hackers share or sell their bounty on the dark web. This includes dumps of user account names and passwords. This information, combined with OSINT can make it easier to breach sites as people use the same passwords for multiple systems. For example, my data was leaked in breaches at eThekwini (2016) and Adobe (2013). Somebody could have tried these passwords to try to access my work systems if my passwords were the same. This is called ‘credential stuffing’. It pays to check to see if your or your employee’s account details have been breached on https://haveibeenpwned.com/. Sites are available to find or help to guess corporate email or login account details i.e. https://hunter.io/.

Traditionally, companies have relied on air-gapping OT systems as a primary defence. This is no longer sufficient according to a recent report from Honeywell. USB media usage has increased by 30% in 2020 from 2019 and 79% of these threats are capable of disrupting OT. Consider the number of times USB media is connected to OT systems by users who are unaware of the risks. Threat actors know this vulnerability and design malware to be delivered by USB media to target OT systems.

Malware

Malware or malicious software is any software intentionally designed to cause damage to a computer, server, client, or computer network. Content-based malware (altered or infected documents using embedded scripts and macros) and Trojans (malware disguised as legitimate software) are the latest threats. Once the initial exploit is successful, backdoors are opened, remote access established to download additional threats, exfiltrate data and/or establish ‘command and control’ to potentially disrupt OT systems.

Social engineering

Social engineering is the art of influencing people into doing things they would not normally do. People can be unwittingly manipulated to download or execute malware, give up confidential or sensitive information such as account usernames, passwords, bank account numbers, credit card details and identity numbers. These actions and information can be used to breach systems.

Risks have increased as more people are now working remotely due to the Covid-19 pandemic. Social engineering tactics can use intimidation, urgency, scarcity, authority, impersonation, familiarity and consensus. These are red flags that users need to be trained to identify.

Phishing

Phishing uses fraudulent emails or websites combined with social engineering to trick users into providing sensitive information or to download malware. This malware can then find its way onto USB media. Phishing usually starts with an email urging you to click on an attachment or web link to confirm details about online accounts. These emails often appear to originate from popular online institutions or someone you may know. When you click on the link, you are directed to a page where you are asked for information.

A physical firewall protects your IT network by identifying and stopping suspicious network traffic. One of the best defences is to turn people into human firewalls. This means continuous education about cyber threats and how to mitigate them.

Generic cybersecurity awareness training should be provided for all computer users. This will also benefit them when using the Internet for personal use. Specialised training is critical for high risk/influence groups such as executives, procurement, human resources, audit, risk, software development and OT.

Guidelines to consider

• Ensure passwords are greater than eight characters long, do not re-use them and use a password manager like Bitwarden (www.bitwarden.com).

• Use multi-factor authentication for sensitive systems. This is where two or more verification factors are required to gain access.

• Be careful of what personal and work information you publish on social media.

• Keep personal and work systems separate. Use private email for personal use i.e. banking, medical aid, social media, insurance, etc.

Training can only go so far. Companies should run ongoing phishing simulations to check how effective their ‘human firewalls’ are performing. This will highlight users that are repeat offenders and need attention.

Please contact me to share your ideas, or if you have been breached or need help. You can also report breaches at the national Computer Security Incident Response Team (CSIRT) at cshubcsirt@cybersecurityhub.gov.za.

For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, bryan@wolfpackrisk.com, www.wolfpackrisk.com

References

Shapshak T, 2021, Note to Transnet: Cyberattacks only work when there are vulnerabilities to exploit, https://www.dailymaverick.co.za/opinionista/2021-08-04-transnet-ports-closed-and-were-in-the-dark/

Dholakiya P, What Is the Cyber Kill Chain and How It Can Protect Against Attacks, https://www.computer.org/publications/tech-news/trends/what-is-the-cyber-kill-chain-and-how-it-can-protect-against-attacks

Zerofox, 2021, Understanding Credential Stuffing for Effective Protection, https://www.zerofox.com/blog/understanding-credential-stuffing/

Honeywell, 2021 Industrial cybersecurity USM Threat Report 2021, https://www.honeywell.com/content/dam/honeywellbt/en/images/content-images/cybersecurity-threat-report-2021/Industrial%20Cybersecurity%20USB%20Threat%20Report%20v5.pdf

Wikipedia, Malware, https://en.wikipedia.org/wiki/Malware

Wolfpack, 2021, Phishing Survival Guide, https://store.alertafrica.com/advice-and-guidance/devices/phishing-survival-guide/

Chiwanza S, 2020, Passwords, https://store.alertafrica.com/advice-and-guidance/applications/passwords/

Steel A, 2012, New study: Passwords are still the weakest link, https://blog.lastpass.com/2012/03/latest-review-of-security-issues-and/




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

Read more...
Turnstar ramps up countermeasures
Turnstar Systems Editor's Choice Access Control & Identity Management News Products
Turnstar has developed and patented an early warning and deterrent system which will alert security, and anyone nearby, of any attempt to place ramps over the raised spikes.

Read more...
The state of the distribution market
ESDA (Electronic Security Distributors Association Bosch Building Technologies Dark Horse Distribution Elvey Security Technologies Regal Distributors SA G4S Secure Solutions SA Editor's Choice Security Services & Risk Management
The distribution industry has evolved over the years and its current challenges simply mean another change is in the wind, for those who can take the next step.

Read more...
The cities best facilitating remote work
Editor's Choice
Study uses data to reveal which global cities are most accessible and attractive for remote workers by assessing factors related to employment compliance, living costs, infrastructure and liveability, in addition to showing current location trends.

Read more...
Training that delivers
Technews Publishing Leaderware ESDA (Electronic Security Distributors Association BTC Training Africa Editor's Choice Security Services & Risk Management Conferences & Events Training & Education
Hi-Tech Security Solutions hosted a virtual conversation to address the challenges and solutions related to effective and measurable training and education in the security industry.

Read more...
The importance of traceable records
Technews Publishing Editor's Choice Security Services & Risk Management
Traceable records streamline performance management, training, evidence records and reduce fraud, corruption and criminal activities.

Read more...
Intelligently adapting African cities for a better as well as a safer life
Government and Parastatal (Industry) Cyber Security
Smart buildings and cities therefore require as much a security-centric approach as they do an environmentally sustainable one.

Read more...
Smart city, smarter security
Government and Parastatal (Industry) Cyber Security
Henk Olivier, MD of Ozone Information Technology Distribution, unpacks the importance of smart and secure in the city of the future.

Read more...
Very early warning fire detection
Editor's Choice
Early warning in case of smoke or fire is a major element of disaster risk reduction, it prevents loss of life and reduces the economic and material impact of disasters.

Read more...
The year resilience paid off
Editor's Choice Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Read more...