NewsBites Drilldown for the Week Ending 24 July 2020

John Pescatore
– SANS Director of Emerging Security Trends

IT/OT Security

This week’s Drilldown addresses two items (included below) from NewsBites Issue 57 and Issue 58, which focused on warnings of attackers targeting internet-connected operational technology at critical infrastructure systems.

While critical infrastructure systems are obviously top priorities for securing and protecting, they are not the only places where operational technology (OT) is in use and vulnerable. OT is typically defined very narrowly as industrial control systems (ICS), such as this definition from Gartner:

“Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.”

However, from a security perspective, the important aspect isn’t what OT does. The critical issues are how OT is procured, managed and protected. So I’ve always loosely defined OT as “everything with software or firmware in it that isn’t a PC, server or network appliance that was procured by and/or managed by the IT organization.”

This often includes point of sale systems, various forms of kiosks, building management systems, turnkey devices and systems provided by logistics vendors for inventory and shipping, and so on.

Whatever you want to call it, the real need is to make sure good
basic security hygiene does extend to all those types of devices. That’s because OT is subject to the usual “bad security hygiene” risks of misconfiguration, lack of patches, overprivileged access, default passwords, etc., but often is not subject to mature processes for configuration management, patching, privileged management, access auditing, segmentation, and so on.

The first step is discovery: Does your approach to asset inventory and vulnerability assessment have the visibility into where OT is in use, and can it even identify nonstandard assets?

A great root source for basic security hygiene guidance has long been the Critical Security Controls. The Center for Internet Security publishes the “CIS Controls ICS Companion Guide.” NIST has published SP 800-82, “Guide to Industrial Control Systems (ICS) Security” as well.

______________________________________________________________________________

CISA and NSA Urge “Immediate Action” to Secure Critical Infrastructure Operations Technology and Control Systems

(July 23, 2020)

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that foreign hackers are targeting systems that support U.S. critical infrastructure, The advisory urges critical infrastructure operators to secure their operational technology and control systems as soon as possible. The advisory lists several “recently observed tactics, techniques, and procedures,” including spearphishing, ransomware, connecting to internet-accessible PLCS that do not require authorization for initial access, and modifying control logic and parameters on PLCs.

[Editor Comments][Pescatore] This is a critical time to refocus on phishing prevention. By 2019, more than 80% of businesses had at least turned on DMARC services to fight spoofed emails, but only around 20% have moved to active prevent policies. Disruption for those that have turned on active prevent has been minimal, and security gain enormous. Also, do a user education revisit, especially about all the new messaging/conferencing/collaboration channels that are in use with work-from-home operations. Finally, try to get at least IT admins moved to two-factor authentication and plant the flag to fight for wider adoption after that.

[Neely] I shuddered when I read “internet accessible PLC.” PLCs are not designed to be internet accessible. Fundamentally separate OT from IT. Further, separate experiment control systems from environmental health/safety systems. For example, keep the C&C machine separated from the oxygen safety monitor, neither of which should be directly accessible. Use a controlled interface, or air gap. While remote access is desirable in the current work environment, controls must be maintained to prevent direct attack on these systems, including not providing some remote access. Finally, have processes for verifying transfer of data and software to and from these systems to prevent introduction of malware.

[Murray] In addition to following the recommendation that we made earlier in the week that strong authentication should be considered essential for infrastructure controls connected to the public networks, and in addition to implementing DMARC, give strong consideration to isolating email and browsing from operational networks.

Read more in:

The Hill: Federal agencies warn foreign hackers are targeting critical infrastructure

https://thehill.com/policy/cybersecurity/508748-federal-agencies-warn-foreign-hackers-are-targeting-critical

U.S. Department of Defense: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems (PDF)

https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/1/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF

Cyberattacks Targeted Two Israeli Water Management Facilities in June

(July 20, 2020)

Israel’s Water Authority said that two more of its water management facilities were targeted by cyberattacks in June. Another attack targeting Israeli water treatment systems was reported in April. The Israel National Cyber Directorate has issued an alert, urging water treatment facilities to change passwords for internet-connected equipment and recommending that facilities take systems offline if they cannot change passwords.

[Editor Comments][Murray] Strong authentication, not “passwords,” is essential for infrastructure controls that are connected to the public networks.

Read more in:

ZDNet: Two more cyber-attacks hit Israel’s water system

www.zdnet.com/article/two-more-cyber-attacks-hit-israels-water-system/