Security for operational technology: Part 2

Issue 6 2021 Editor's Choice, Information Security, Industrial (Industry)

The recent cyber-attack on Transnet is a wake-up call that South African companies are not immune from cyber threats. The incident impacted logistics on a national scale. A cyber breach is highly probable if basic defences are not in place and someone with the right resources decides to target you.

Cybersecurity controls can be categorised into people, process and technology. Technology normally gets the most attention and budget. The reality is that operational technology (OT) systems are designed, implemented, supported and used by people. People are the weakest link in terms of cybersecurity and therefore the easiest to exploit. Cybersecurity awareness training is often generic, neglected or the first cost to be cut.


Bryan Baxter.

According to Sun Tzu’s Art of War: If you know your enemy and know yourself, you need not fear the results of a hundred battles. Or in other words, the best form of defence is to learn the tactics that hackers use. Initial steps in the cyber kill chain are recce (using open-source intelligence), weaponisation (malware) and delivery (phishing and social engineering).

Open-source intelligence

Open-source intelligence (OSINT) is used to collect and analyse information available in the public domain. There is a surprising amount of information openly available on people, companies and products that can be used to exploit systems. Sources of useful information are annual financial statements, social media and specialised sites. Shodan, for example, can be used to find exploits for PLC manufacturers for equipment that is connected to the Internet (www.shodan.io).

When data is exfiltrated in a breach, hackers share or sell their bounty on the dark web. This includes dumps of user account names and passwords. This information, combined with OSINT can make it easier to breach sites as people use the same passwords for multiple systems. For example, my data was leaked in breaches at eThekwini (2016) and Adobe (2013). Somebody could have tried these passwords to try to access my work systems if my passwords were the same. This is called ‘credential stuffing’. It pays to check to see if your or your employee’s account details have been breached on https://haveibeenpwned.com/. Sites are available to find or help to guess corporate email or login account details i.e. https://hunter.io/.

Traditionally, companies have relied on air-gapping OT systems as a primary defence. This is no longer sufficient according to a recent report from Honeywell. USB media usage has increased by 30% in 2020 from 2019 and 79% of these threats are capable of disrupting OT. Consider the number of times USB media is connected to OT systems by users who are unaware of the risks. Threat actors know this vulnerability and design malware to be delivered by USB media to target OT systems.

Malware

Malware or malicious software is any software intentionally designed to cause damage to a computer, server, client, or computer network. Content-based malware (altered or infected documents using embedded scripts and macros) and Trojans (malware disguised as legitimate software) are the latest threats. Once the initial exploit is successful, backdoors are opened, remote access established to download additional threats, exfiltrate data and/or establish ‘command and control’ to potentially disrupt OT systems.

Social engineering

Social engineering is the art of influencing people into doing things they would not normally do. People can be unwittingly manipulated to download or execute malware, give up confidential or sensitive information such as account usernames, passwords, bank account numbers, credit card details and identity numbers. These actions and information can be used to breach systems.

Risks have increased as more people are now working remotely due to the Covid-19 pandemic. Social engineering tactics can use intimidation, urgency, scarcity, authority, impersonation, familiarity and consensus. These are red flags that users need to be trained to identify.

Phishing

Phishing uses fraudulent emails or websites combined with social engineering to trick users into providing sensitive information or to download malware. This malware can then find its way onto USB media. Phishing usually starts with an email urging you to click on an attachment or web link to confirm details about online accounts. These emails often appear to originate from popular online institutions or someone you may know. When you click on the link, you are directed to a page where you are asked for information.

A physical firewall protects your IT network by identifying and stopping suspicious network traffic. One of the best defences is to turn people into human firewalls. This means continuous education about cyber threats and how to mitigate them.

Generic cybersecurity awareness training should be provided for all computer users. This will also benefit them when using the Internet for personal use. Specialised training is critical for high risk/influence groups such as executives, procurement, human resources, audit, risk, software development and OT.

Guidelines to consider

• Ensure passwords are greater than eight characters long, do not re-use them and use a password manager like Bitwarden (www.bitwarden.com).

• Use multi-factor authentication for sensitive systems. This is where two or more verification factors are required to gain access.

• Be careful of what personal and work information you publish on social media.

• Keep personal and work systems separate. Use private email for personal use i.e. banking, medical aid, social media, insurance, etc.

Training can only go so far. Companies should run ongoing phishing simulations to check how effective their ‘human firewalls’ are performing. This will highlight users that are repeat offenders and need attention.

Please contact me to share your ideas, or if you have been breached or need help. You can also report breaches at the national Computer Security Incident Response Team (CSIRT) at [email protected].

For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, [email protected], www.wolfpackrisk.com

References

Shapshak T, 2021, Note to Transnet: Cyberattacks only work when there are vulnerabilities to exploit, https://www.dailymaverick.co.za/opinionista/2021-08-04-transnet-ports-closed-and-were-in-the-dark/

Dholakiya P, What Is the Cyber Kill Chain and How It Can Protect Against Attacks, https://www.computer.org/publications/tech-news/trends/what-is-the-cyber-kill-chain-and-how-it-can-protect-against-attacks

Zerofox, 2021, Understanding Credential Stuffing for Effective Protection, https://www.zerofox.com/blog/understanding-credential-stuffing/

Honeywell, 2021 Industrial cybersecurity USM Threat Report 2021, https://www.honeywell.com/content/dam/honeywellbt/en/images/content-images/cybersecurity-threat-report-2021/Industrial%20Cybersecurity%20USB%20Threat%20Report%20v5.pdf

Wikipedia, Malware, https://en.wikipedia.org/wiki/Malware

Wolfpack, 2021, Phishing Survival Guide, https://store.alertafrica.com/advice-and-guidance/devices/phishing-survival-guide/

Chiwanza S, 2020, Passwords, https://store.alertafrica.com/advice-and-guidance/applications/passwords/

Steel A, 2012, New study: Passwords are still the weakest link, https://blog.lastpass.com/2012/03/latest-review-of-security-issues-and/




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

AI-enabled tools reducing time to value and enhancing application security
Editor's Choice
Next-generation AI tools are adding new layers of intelligent testing, audit, security, and assurance to the application development lifecycle, reducing risk, and improving time to value while augmenting the overall security posture.

Read more...
Perspectives on personal care monitoring and smart surveillance
Leaderware Editor's Choice Surveillance Smart Home Automation IoT & Automation
Dr Craig Donald believes smart surveillance offers a range of options for monitoring loved ones, but making the right choice is not always as simple as selecting the latest technology.

Read more...
AI enables security solutions to define business strategies
Regal Distributors SA Editor's Choice
While allowing technologies to do exactly what they should do with even more efficiency and precision, AI is also empowering these same technologies to break through their traditional boundaries and create an ecosystem where one interface delivers outcomes across highly segmented verticals.

Read more...
Putting cyber into surveillance
Dallmeier Electronic Southern Africa Cathexis Technologies Technews Publishing Editor's Choice
Cybersecurity has become an essential part of the physical security industry. However, unlike other IoT technologies, of which security products are a part, surveillance technologies have more to protect.

Read more...
Cybersecurity and AI
AI & Data Analytics Information Security
Cybersecurity is one of the primary reasons that detecting the commonalities and threats of what is otherwise completely unknown is possible with tools such as SIEM and endpoint protection platforms.

Read more...
2024 State of Security Report
Editor's Choice
Mobile IDs, MFA and sustainability emerge as top trends in HID Global’s 2024 State of Security Report, with artificial intelligence appearing in the conversation for the first time.

Read more...
Cyberthreats facing SMBs
Editor's Choice
Data and credential theft malware were the top two threats against SMBs in 2023, accounting for nearly 50% of all malware targeting this market segment. Ransomware is still the biggest threat.

Read more...
Are we our own worst enemy?
Editor's Choice
Sonja de Klerk believes the day-to-day issues we face can serve as opportunities for personal growth and empowerment, enabling us to contribute to creating a better and safer environment for ourselves and South Africa.

Read more...
How to spot a cyberattack if you are not a security pro
Editor's Choice
Cybersecurity awareness is straightforward if you know what to look for; vigilance and knowledge are our most potent weapons and the good news is that anyone can grasp the basics and spot suspicious activities.

Read more...
Protecting IP and secret data in the age of AI
Editor's Choice
The promise of artificial intelligence (AI) is a source of near-continuous hype for South Africans. However, for enterprises implementing AI solutions, there are some important considerations regarding their intellectual property (IP) and secret data.

Read more...