CS1907

More documents

Recommendations

Info

industrial cyber security CRITICAL MASS CRITICAL ASSET OWNERS INCREASINGLY HAVE TO PROTECT THEIR ICT INFRASTRUCTURES AGAINST CYBER ATTACKS. IT'S NO LONGER ENOUGH FOR THE SUPPLIER OF A SINGLE MACHINE COMPONENT OR SUBCOMPONENT TO CLAIM IT IS CYBER-SECURE - THE ENTIRE MACHINE MUST BE SO Quite recently, hacking group Xenotime reportedly started to probe industrial control systems of power grids in the US. Xenotime are the group behind the infamous Triton malware, designed to disable safety systems at petrochemical plants. This malware was used in December 2017 to attack the safety systems of an unidentified power station in Saudi Arabia. Dragos, which specialises in industrial control system (ICS) security, found evidence of Xenotime collecting open source research on targeted electric companies, externally scanning those companies' networks and attempting to gain access through either credential stuffing or stolen credentials. "The Trisis malware used in the attack on Saudi Arabian petrochemical plants and now recurring in probes conducted against US industrial control systems is just one example of the increasingly complex threats posed by modernising legacy software," says John Titmus, director EMEA, CrowdStrike. "Across many of these facilities, previously air-gapped systems are now being connected to public internet, in order to make use of internet of things (IoT) technologies. "This news highlights the critical importance of leveraging threat intelligence to mount a proactive, rather than a reactive, cybersecurity defence. For groups like Xenotime, who have proven their capability at acquiring, reverse engineering and developing attack packages for industrial control system equipment, reactive measures are insufficient to address critical infrastructure threats," he states. As supply chain attacks from nation-states and other cybercriminals persist in plaguing organisations and government agencies, the effectiveness of current cyber-security methods is called into question. "While individual components may be labelled as cyber-secure, it only takes a single vulnerability to compromise the entire supply chain. To remedy this and improve OT (Operational Technology) hygiene, continuous monitoring and enhanced detection below the OS-level is essential. Today, most security products remain blind to attacks that attempt to leverage vulnerabilities in, for instance, BIOS firmware. Accessing endpoints in this way compromises the entire system and can even persist across reboots and reinstallation of the operating system." Titmus believes that firmware and hardware-level visibility into these vulnerabilities and attacks is the best option for protecting the supply chain - and can even prevent attacks before they have a chance to take off. "Importantly, this level of visibility allows cyber security teams to discover dormant threats that have not yet been detected. Industrial networks are particularly at risk to these types of attack, since their security has often been neglected for years; malware can spread rapidly from individual infected devices to the whole office, to plants in other countries." 30 computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk
industrial cyber security MULTIPLE CHALLENGES How do you stop a wave of innovation from becoming a tsunami? Cyber security specialists will know this dilemma well, acknowledges Mike Nelson, VP of IoT Security, DigiCert. "The IoT promises to revolutionise not just how we live at home, but how we do business and, more importantly, how we provide those critical resources that society runs on: gas, water, electricity and so on. Given the opportunities that are being offered to seemingly every level of society - who could say no? Then again, a cyberattack on a Fitbit is a very different thing to a cyberattack on a water treatment facility." Securing each, he adds, will take very different efforts and before we even start doing that we're presented with several problems. "First, critical assets were built for failure, not attack. The legacy systems that run those facilities have often been doing so for many years and were never created to withstand a cyberattack, let alone an attempt to penetrate their pitiful security by the concerted effort of a nation state. As we fill in the decades-old airgap between critical assets and the internet, we are introducing them to a whole environment full of threats that they are largely unprepared for." Secondly, there’s the simple, well-known fact that the IoT is insecure. Just behind the rapturous applause for the IoT's arrival has been a quieter, but no less impassioned, warning about its vulnerabilities, Nelson states. "Throughout this period, there has been little oversight - government or otherwise - as manufacturers have produced insecure devices and retailers have sold them on to an eager public. That insecurity could have to do with the whole device or it could have been inserted along the often long and labyrinthine supply chain that these devices are assembled on. Even if a manufacturer says their product is secure, there are plenty of potential points of failure from the factory floor to the customer's hands." And we are only beginning to address these problems now, he says. "A variety of governments and industry bodies are attempting to introduce regulation and standards that seek to protect this wave of innovation. Though these efforts are encouraging, they are not going to patch over mistakes already made and they won't pay the security debts that have already been racked up by the over-eager adoption of insecure technology. Hopefully, the regulation stick will lead to better, more standardised, approaches to IoT security." That insecurity is not going to be solved soon and new vulnerabilities will always crop up, but device manufacturers can use technology available now to protect devices, suggests Nelson. "Public Key Infrastructures [PKI] with digital certificates, for example, are already being used to secure IoT devices from the factory floor to use across distributed networks. PKIs' ability to authenticate device identities, protect the integrity of code and firmware updates, and encrypt data are proven to be scalable and are interoperable. Well-run PKIs can police the connections between large networks of devices and that makes them a good fit for industrial IoT." MULTIPLE CHALLENGES The supply chain for IoT products is often so complex that it's hard to trace - let alone make reasonable security judgements about. "Just because a vendor can vouch for the integrity of its supplier and that supplier can vouch for the integrity of its manufacturers, it doesn't mean that trust, or even security considerations, are present at all of the critical stages of development," says Scott Gordon, CMO, Pulse Secure. That problem becomes bigger when we're talking about the IIoT (Industrial Internet of Things) - "not because the supply chain is less trustworthy, but because human safety is inextricably linked to cyber security". Defending these often undependable devices is just as much of a problem for the Mike Nelson, DigiCert: critical assets were built for failure, not attack. John Titmus, CrowdStrike: firmware and hardware-level visibility is the best option for protecting the supply chain. www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security 31
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment NATION IN TRANSFORMATION In
Page 5 and 6: p ent est INFORMATION SECURITY ASSU
Page 7 and 8: editor's focus from the public and
Page 9 and 10: True multi-factor authentication wi
Page 11 and 12: GDPR fine is preliminary," states A
Page 13 and 14: case study "Equally, it does not he
Page 15 and 16: product review WEBROOT BUSINESS END
Page 17 and 18: financial focus an online banking u
Page 19 and 20: inside track EDUCATION, EDUCATION,
Page 21 and 22: Webroot empowers businesses with pr
Page 23 and 24: threat intelligence have seen an im
Page 25 and 26: 12th edition of the most recognized
Page 27 and 28: cyber espionage a "sobering story"
Page 29: CYBER SECURITY europe 9-10 October
Page 33 and 34: endpoint detection and response GET
Page 36: Brookcourt Solutions (A Shearwater

CS1907

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?