
- Podcast host Dave Whitehead talks with SEL power systems experts about issues with Texas power grid
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://selinc.com/company/podcast/texas-blackout/ Safe, reliable, and economical electric power is essential to our daily lives. The recent events in Texas are a reminder of just how important these adjectives are when it comes to providing power for homes, daycares, schools, businesses, hospitals—and the power generation facilities themselves. In this episode, Dave Whitehead talks with SEL power systems experts Dr. Ed Schweitzer and David Costello about what happened and how to prevent it from happening again.
- The ICS Village and partners present Hack the Capitol 4.0.
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Register: https://icsvillage.us12.list-manage.com/track/click?u=ca4975df02e0625e3721731c7&id=f05e918fbf&e=f3e775d837 The ICS Village, in partnership with the R Street Institute, the Cyber Bytes Foundation, and the National Security Institute, presents Hack the Capitol 4.0. This event will be held virtually on Tuesday, May 4th from 9:00am - 5:30pm EDT. Hack the Capitol 4.0 is a day-long, multi-track event designed to educate congressional staffers, scholars, and press on some of the most critical cybersecurity challenges facing our nation today. Hack the Capitol 4.0 delivers programming along three tracks: 1) Policy Panels and Presentations, including keynotes and fireside chats by leading government officials; 2) “Technical Talks” designed to offer a deep dive into leading issues in cybersecurity; and 3) An Exhibition Hall, with demonstrations (including hands-on) of industrial control systems. RSVP < https://icsvillage.us12.list-manage.com/track/click?u=ca4975df02e0625e3721731c7&id=f05e918fbf&e=f3e775d837 > to participate in this free virtual conference with leading experts in cybersecurity. Attendees at last year’s Hack the Capitol 3.0 heard keynote speeches by Rep. Mike Gallagher (R-WI), Sen. Maggie Hassan (D-NH) and Sen. Mike Rounds (R-SD), and heard first-hand from top officials at the Departments of Energy and Homeland Security, leading national security journalists, and industry experts.
- Facility Cybersecurity Framework (FCF) offers self-assessment tools for hardening your facilities
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Discover Tools: https://facilitycyber.labworks.org/ FCF helps facility owners and operators manage their cyber security risks in their OT & IT networks. FCF strictly follows the NIST Cybersecurity Framework (CSF).
- Chairman's 2021 New Years Letter
By Derek Harp, (CS)²AI Founder, Chairman and Fellow
January, 2021

Happy New Year Colleagues, It is hard to believe 2020 has finally come and gone as there were moments where it seemed it would never end. What an unprecedented year (to say the least) for our modern society. Like myself, I am sure most of you suffered some unexpected challenges. I hope yours were not too severe, that you also found a few silver linings and that you enjoyed the best of recent holidays with your loved ones. That was the case for my own family and (CS)²AI. During the recent holiday period as we discussed what we are thankful for, we discovered that, even this past year with some disappointments and loss, we still have much to be grateful for. There were more than a few things that (CS)²AI could celebrate at the end of 2020. One is our committed and growing group of strategic alliance partners and the other is our members' growing direct involvement in supporting our workforce development goals. What started as just a single meetup meeting in Atlanta over five years ago has morphed into the fastest growing control systems cyber security workforce development/support group in the world. Without more members helping members each quarter we simply could not be doing what we are now! We welcome more feedback, ideas and additions to the global committee teams. Just click here and register your interests or send us an email at Input@cs2ai.org. It is a certain silver lining for (CS)²AI that we were already serving members virtually as most of our 19,000 associate members are distributed all around the globe. With some newfound time on our hands, we just dug in to membership requests and simply did more. This was met with so much involvement and positive feedback that we are committed to a much higher operational tempo from here on. Our membership and partner support are now increasing every quarter and our corresponding abilities and outreach are increasing as well.
I’d like to share a quick summary of some of the (CS)²AI 2020 highlights. We now have more than 19,000 associate members. We are still adding nearly 1000 associate members a quarter and many of you are choosing to support the organization directly by upgrading to our paid Global Membership level. We will honor that commitment by steadily adding more program and member benefits this year. We are now regularly adding to our list of member benefits. Benefits include access to our entire recordings library of past sessions and symposiums as well as discounts to a growing list of industry products or services. If you have a member benefit you would like to extend to our Global Members, please let me know. Our current list of benefits can be found here. We have expanded our online events in frequency and scope, and our members have responded in ever greater numbers. This includes our first ever Symposium, a half-day of content with a stellar group of leaders in health care cyber security. It was a solid success and established a significant new registration/attendance/attentive level for our organization. As a result, we will hold more Symposiums in 2021. We already have five new monthly (CS)²AI Seminar educational events published for the first quarter of 2021. If you or your company has great continuing education content to share with the membership, please contact us at CE@CS2AI.org. This year we added a long-desired (CS)²AI Job Board. The job board serves both our members seeking new opportunities and as a platform for companies looking to hire out of a specific talent pool. Let us know what we can do to improve this tool for you. We published the first annual (CS)²AI - KPMG Control System Cyber Security Report, a product of our ongoing – and growing – research efforts, which have been strengthened by an increasing number of external SMEs. The report can be downloaded for free and is getting excellent feedback. Work has begun on the 2021 edition.
We could not have achieved this goal without the support of our title partner, KPMG, and key support from Airbus Cyber, Fortinet, and Palo Alto Networks. We have begun the project to develop the 2021 report and the steering committee is forming as we speak. It is our goal to complete a critical review of the entire 2020 survey question bank before the end of January and launch the 2021 survey shortly thereafter. During our early years it was sometimes a bit of a hard sales job to get companies to believe in the (CS)²AI vision and I am truly grateful to our first three SAP pioneers, KPMG, Waterfall Security, and Sable Lion Cyber, for signing on in our early days and continuing to support us today. They were, of course, shortly followed by others, and today the landscape of our supporters is much broader and increasingly diverse. I cannot thank all of our Strategic Alliance Partners enough. Without you we could not do what we do. We are happy to report that over 90% of our SAPs have renewed or are currently renewing. I am excited to make a difference together and encourage you to thank people you know at these companies for their commitment to workforce development in our industry. Their commitment to the goals and missions of this not-for-profit goes beyond simple marketing ROI. These companies know that when they support (CS)²AI they are directly supporting the most important aspect of our current cyber security challenge: the human beings! Our newsletter is only in its second year and we have already increased our publication from quarterly to monthly. Along with rapidly increasing circulation we’ve established a solid stream of original articles complementing for the present - and soon to entirely displace - our reprinted content. This is now integrated with our ongoing research projects, including our monthly survey activity.
Each month Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the Department of Defense and (CS)²AI Fellow, submits roughly 8 – 10 articles he believes to be important for our members to read. Those get posted on our blog site as News You Can Use and are published as well in our newsletters. If you want to join the (CS)²AI Editorial Board and contribute to this effort, please email us at Input@cs2ai.org

Copy and Paste Links
Get Involved: https://www.cs2ai.org/get-involved
(CS)²AI Member Benefits: https://www.cs2ai.org/member-benefits
(CS)²AI Online™ direct link: https://www.cs2ai.org/cs2ai-online
Job Board direct link: https://www.cs2ai.org/jobs
2020 Annual Report: https://www.cs2ai.org/reports
Strategic Alliance Partners: https://www.cs2ai.org/our-strategic-alliance-partners
News You Can Use: https://www.cs2ai.org/newsyoucanuse
- Voluntary, Risk-based Standards Help Facility Owners and Operators Better Manage Cybersecurity Risks
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://facilitycyber.labworks.org/assessments Facility Cybersecurity Framework (FCF) provides a set of voluntary, risk-based standards and best practices to help facility owners and operators better manage cybersecurity risks. For facility stakeholders, FCF provides a common taxonomy and mechanism to enable you to:
1) Describe your current posture
2) Describe your current target state
3) Identify and prioritize improvement opportunities
4) Assess your progress
- ASSESSMENT FINDINGS: EXTERNAL THREATS AND INTERNAL SELF-INFLICTED WOUNDS
By Fred Gordy, Director of Cybersecurity at Intelligent Buildings, LLC, (CS)²AI Fellow
December, 2020

Threats to building control systems (BCSs) have grown exponentially in the past two years. More importantly, attacks on BCSs have grown at an even higher rate. How can that be? Easy—there have always been threats to control systems. However, successful attacks are becoming more frequent, growing in intensity, and wreaking more havoc. In 2019, there was a 400% increase in attacks and 2020 is shaping up to be a 600% increase (1). Attacks are not the only thing causing disruption of service to BCSs. Information technology (IT) is becoming more involved in securing control systems and their networks. This is a good thing; however, IT software, processes, and procedures are also causing interruptions in operations and damage. These systems and their devices require a different approach. The National Institute of Standards and Technology (NIST) realized that control systems cannot be managed like IT systems. The NIST report IR 8228 (2) summarizes three key statements:
1) Many Internet of Things (IoT) devices interact with the physical world in ways conventional IT devices usually do not.
2) Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
3) The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than for conventional IT devices.
Over the past few years, Intelligent Buildings, LLC (IB) has completed cybersecurity risk assessments across the U.S., Canada, and overseas. The results of these assessments show that attacks and self-inflicted wounds are typically caused by well-meaning facility personnel not following basic best practices. The most common attack is ransomware. Ransomware is malicious software that locks all the files on a PC or server until either a ransom is paid, or the PC or server is wiped clean and reloaded.
The delivery of ransomware is typically through email, but it can come from social media sites. Ransomware makes up 80% of the attacks on control systems (1). In all the cases IB has seen, ransomware was 100% avoidable. Historically, the BCS is located in the engineer’s office and is used like a workstation. Facility management (FM) staff tend to use it to check their company and personal email and to look at social media, all of which have been the ransomware delivery mechanism. Had operational technology (OT) policies been in place and enforced, these attacks could have been avoided.

BASIC OT POLICY AND PROCEDURE
Policies are important because they address issues, which reduces risk to the control systems. Procedures are the steps necessary to follow the policy guidelines. Policy and procedure are often missing from the building control space when it comes to OT cybersecurity. Ransomware can be avoided if a policy is implemented that outlines the proper use and physical security of the application server/front-end server and compliance is enforced. Some basic policies that should be implemented are shown below: Some of these policies are not what you would find in a typical IT policy library. This list is not a full list of OT policies, but by enacting just these few, an organization can reduce risk to the building systems that supply comfort and safety and reduce financial and brand damage impact.

CONSEQUENCES OF NOT HAVING AN OT POLICY AND PROCEDURE

MISUSE OF THE APPLICATION HOST
As stated earlier, using the application host as a personal PC/workstation puts it at high risk, especially for a ransomware attack. Ransomware is continually evolving and the consequences to an organization are ballooning. In recent history, two types of ransomware have emerged that can cause major reputation and financial damage, as well as negatively impact operations: 1) Nuclear and 2) Snake (Ekans). Nuclear ransomware has elevated ransomware to a lose-lose situation.
Prior to nuclear ransomware, your choices were either to pay the ransom (not recommended) and get your files unlocked, or—if you had a good backup—ignore it and wipe your system clean, starting with a fresh copy. With this latest iteration, you can still pay the ransom; however, if you have good backups and refuse to pay, the threat actors will release your sensitive, private data to the web. This happened to Visser Precision, a third-party vendor for Tesla, SpaceX, Lockheed Martin, and Boeing—all of whom had non-disclosure agreements with Visser (3). The other ransomware type is Snake ransomware, also known as Ekans (snake spelled backward). Unlike typical ransomware that targets Windows and Linux operating systems, Snake targets industrial control systems (ICSs). What makes it really nasty is its ability to climb outside of one system and spread throughout the network, infecting other devices (4)(5). As nasty as these variations of ransomware are, the fix/prevention is easy. Remove the application host from the engineer’s office, place it in a locked location, and remove the keyboard, mouse, and monitor. Just like with IT application servers, no one should ever physically touch the machine unless they are performing maintenance or repair. You wouldn’t check your email on a SharePoint server, so why would you do it on a machine that is running your building?

PUBLIC EXPOSURE
It is easy to find exposed systems and no special tools are required. There are several free device search engines that anyone can use to search for publicly exposed systems. What does exposed mean? It means that the control system can be accessed by anyone, anywhere in the world. The only thing that stands between the attacker and access to the system is the application’s credential management. What makes this even more risky is the fact that the majority of BCSs are not configured to withstand password cracking tools and shared user accounts are rampant.
There is typically no access monitoring to indicate if the system is being attacked. Additionally, there are a large number of systems that are running outdated/unsupported operating systems and applications with well documented vulnerabilities that the threat actor can exploit. These search engines continually scour the Internet 24/7/365. A simple search at the time of this article revealed that there are 37,622 exposed BCSs. Don’t assume none of these are yours. In over 60% of the assessments, IB was told that there was nothing exposed; however, in every case, we found at least one system or one part of the system that was exposed. What is the consequence? Wasted time and money. In the past 18 months across eight IB-led assessments, there have been approximately 18,816 manhours lost for an approximate total of $1,505,280, an average cost of $188,160 per incident. This does not include self-inflicted wounds, which will be discussed in the next section. To drive this point home, IB performed an assessment for a company that believed they had zero exposed devices. They had invested significant time and money on revamping their network architecture—IT was monitoring the networks using the tools they were accustomed to and would not believe they had any holes. Although IT was monitoring the switches, PCs, and servers, they were not watching beyond these devices. Once we began hunting using the same free search tools that anyone could use, we found a single BACnet broadcast management device (BBMD), which is essentially a router. From this, IB discovered over 1,000 BACnet devices in locations throughout the U.S. No username and password is required for legacy BACnet. From here, we would have been able to fully control any or all of the devices. This is a good example of how IT cannot fully manage OT with the tools at their disposal.

SELF-INFLICTED WOUNDS
IT is beginning to engage in securing OT systems, which can be a good thing or a bad thing.
IT and OT have to become partners in protecting systems, but only after OT policy is developed and IT has been educated on the dos and don’ts when interacting with OT systems. We have seen numerous examples of IT’s zealous attempts to manage control systems, such as:
1) Patching the front-end application caused the local staff at 50 hospitals to be locked out of their control systems. Surgeries had to be cancelled for two days at these 50 hospitals.
2) An employee was fired and IT began removing their user from the central application server. This user was also the user that allowed communication and control between the application server and the supervisory control at numerous locations throughout the U.S. Communication and control was lost to over 100 locations before it was realized there was a problem. It took over six weeks to fully recover.
3) IT scanned the OT networks in a location with thousands of controllers. Over 60% of the controllers were locked up and required each individual device to be power cycled in order to bring them back online. After they were back online, each had to be checked to ensure functionality was fully restored. Over 96,000 manhours were lost.
What is the consequence? Wasted time and money. In the past 18 months over 10 IT-induced events, there have been approximately 107,924 manhours lost for an approximate total of $8,633,920, an average cost of $863,392 per incident. This does not include external attacks from threat actors.

VENDORS ARE IN CONTROL
Without policy, there are only verbal understandings. It’s great to have an understanding; however, these understandings have to be backed up with written guidelines. We see time and again that the vendor is the primary knowledge keeper, user administrator, controller of remote access, controller of data, and may or may not be backing up systems. Even if they are backing up systems, these backups are not usually readily accessible to onsite staff.
The other risk a vendor usually introduces is a single admin user in your system for all of their employees at every location they service, which hasn’t been changed in years. This means any of their employees, past or present, can get into your system anytime they choose without your knowledge. Some very basic policies you can enact now for vendor management are:
1) Vendor training for staff to increase understanding regarding vendors and the abilities of systems. This will allow your staff to self-perform for better response to system events.
2) Remote vendor access controlled by the owner and not the vendor.
3) Unique users for each vendor employee. The vendor must provide a list of employees that need access to the system and no longer leave it open for any employee to access your system.
4) The vendor must notify you immediately when an employee either no longer needs access to your system or is no longer employed by the vendor.
5) If the vendor is contracted to maintain backups, the vendor must provide you a copy of the backups to be stored under your control.
6) Create a vendor separation agreement to establish such things as turning over data, intellectual property, etc.
By no means should this be considered a full list of policies. It will get you started and help you minimize risk.

NO LONGER A POSSIBILITY, IT IS REALITY
In 2010, Stuxnet (6) was the first major attack on a control system. It was an attack on an Iranian nuclear facility (7). Most people didn’t see this as the beginning of attacks on control systems, regardless of their function. They believed that these types of attacks would only happen to large industrial systems and not to BCSs. This opened a new attack vector for other threat actors to take advantage of, showcasing that control systems are vulnerable and easy to exploit in several different ways. The industry is seeing an increase in these types of attacks, occurring at an exponential rate, with no sign of slowing.
If you haven’t taken a serious, unbiased look at your OT risk profile, you should. You can start by seeing if you have exposure to the world, if your application server is being used for anything other than its designed function(s), and who is in control of your system. Are you in control or is your vendor? The policies listed earlier can help you take control of your system(s), preventing external threats and internal self-inflicted wounds.
- Spies with Russia’s Foreign Intelligence Service Believed To Have Hacked Top US Cybersecurity Firm
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html?referringSource=articleShare By: David E. Sanger and Nicole Perlroth December 8, 2020 The same Russian spies who penetrated the White House and State Department several years ago and have attempted to steal coronavirus vaccine research have carried off another brazen hack, this time breaking into the servers of one of the world’s premier cybersecurity firms, FireEye, according to people familiar with the matter. The breach was disclosed by FireEye on Tuesday, though the firm did not attribute it to Russia’s foreign intelligence service. It was detected in recent weeks, said one of the people, who like others interviewed for this story spoke on the condition of anonymity because the investigation is ongoing. FireEye CEO Kevin Mandia said the hackers stole sensitive hacking tools that the company uses to detect weaknesses in customers’ computer networks and that could be turned back against the same customers or others. He said they primarily went after information related to certain government customers. “We are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in a blog post. “The attackers tailored their world-class capabilities specifically to target and attack FireEye.” The firm went public with the incident to ensure that its 9,600-plus customers around the world and the cybersecurity industry were aware and could take steps to ensure that they won’t be breached with the stolen tools. The tools are used by FireEye “Red Teams” to test a company’s cyber defenses. The FBI is investigating the breach. “Preliminary indications show an actor with a high level of sophistication consistent with a nation-state,” said Matt Gorham, assistant director of the bureau’s cyber division. 
In 2015, hackers with the Russian SVR intelligence service compromised the servers of the Democratic National Committee. That group, known among private-sector security firms as APT29 or Cozy Bear, also hacked the State Department and the White House during the Obama administration. The SVR, however, did not leak the hacked DNC material. Rather, U.S. officials have said, a rival Russian intelligence service, the military spy agency GRU, separately hacked the DNC and leaked its emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the 2016 presidential campaign. The SVR, by contrast, hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Its operators have filched industrial secrets, hacked foreign ministries and gone after coronavirus vaccine data. At this point, Mandia said, although the hackers were able to access internal systems, the firm has seen no evidence that they removed data from primary systems that store customer information. The governments targeted did not necessarily include the United States, said a person familiar with the investigation. The hackers “operated clandestinely, using methods that counter security tools and forensic examination,” Mandia said. “They used a novel combination of techniques not witnessed by us or our partners in the past.” It was the equivalent, said one person familiar with the investigation, of a “sniper shot.” The attackers made off with a significant number but not all of the firm’s tools, the person said. Mandia said FireEye has seen no evidence that any hacker to date has used the tools. Nonetheless, he said, the firm has developed more than 300 countermeasures for its customers to help shield them from attack. FireEye has skilled people developing its Red Team tools by building off techniques observed in incidents and publicly available capabilities. 
None of the tools used “zero days” or previously unknown exploits that help a hacker compromise a system. “These would be tools primarily we’ve seen used by attackers that we want to emulate,” the person said. “Security companies are one of the top targets of nation-state operators and many have been successfully compromised over the years, including Kaspersky, RSA and Bit9,” said Dmitri Alperovitch, who co-founded a leading cyber firm, CrowdStrike, and is chairman of the Silverado Policy Accelerator think tank. “The primary goals of these operations are typically to get access to capabilities that would make it easier for them to hack companies all over the world,” he said. “It is impressive how transparent FireEye has been at disclosing the breach, the details of what happened and providing mitigations for their stolen ‘Red Team’ tools to help minimize the chance of others getting compromised as a result of this incident.” The motive behind the breach is unclear. Besides obtaining hacking tools, a nation-state might also have wanted to learn what FireEye knows about its capabilities and adjust its techniques accordingly, or it could study the tools for weaknesses that can be exploited, said Gregory Touhill, president of AppGate Federal Group and former federal chief information security officer. Mandia founded the cyber firm Mandiant, which was bought by FireEye in 2014. Mandiant made headlines with a 2013 report < https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf > detailing the exploits of a prolific Chinese military hacking unit that targeted victims around the world, including in the United States. Microsoft is assisting FireEye with the investigation.
- The Institute for Critical Infrastructure Technology (ICIT) Provides Research, Advisory, & Education
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://icitech.org/threats-to-industry-4-0/ The Institute for Critical Infrastructure Technology (ICIT) provides objective, nonpartisan research, advisory, and education to legislative, commercial, and public-sector cybersecurity stakeholders. One of their focus areas is “Threats to Industry 4.0, OT, and IIoT.” The convergence of IT and OT and the rapid growth of the Industrial Internet of Things (IIoT) have created new threats which organizations must understand and control. This initiative will focus specifically on this emerging area which impacts our commercial sectors, government agencies, and ultimately our national security.
- Ransomware Attacks Have Surged Drastically During Remote Working
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://cyware.com/news/ransomware-attacks-have-surged-drastically-during-remote-working-30d4e732 12/07/20 The COVID-19 pandemic forced millions of people to work remotely and cybercriminals are taking advantage of it. According to Group-IB’s annual Hi-Tech Crime Trends 2020/2021 report, ransomware attacks wreak havoc on businesses and cost the world over $1 billion in financial losses.

Key insights
Since late 2019, ransomware attacks have surged drastically, targeting both the private and government sectors. Around 500 ransomware attacks spanning over 45 countries were reported around the world during this period. The U.S., the U.K., France, and Germany together make up 20% of all ransomware attacks. Attacks on North and South American countries are 10%, while those on Asian states are 7%. The five most attacked sectors include retail (51 victims), manufacturing (94 victims), government agencies (39 victims), construction (30 victims), and healthcare (38 victims). The operators Maze and REvil are believed to be behind more than half of all successful attacks. Other ransomware families, including Ryuk, NetWalker, and DoppelPaymer, came second. Ransomware operators are using targeted brute-force attacks on remote access interfaces (such as RDP, SSH, VPN), downloaders, and new types of botnets (or brute-force botnets).

Recent Attacks
Though there have been hundreds of attempts ever since lockdown was imposed due to COVID-19, here are a few recent ones. Recently, U.S. Fertility, one of the largest networks of fertility clinics located in the U.S., was hit by a ransomware attack. The Baltimore County Public Schools were hit by a ransomware attack that compromised distributed virtual learning.

Conclusion
Existing security solutions used by a lot of companies usually fail to spot and block ransomware activity at early stages.
Thus, experts recommend taking a backup of important data, patching software and operating systems regularly, and providing training to identify spam emails with malicious intent.
- CEOs Will Be Personally Liable for Cyber-Physical Security Incidents by 2024
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.tripwire.com/state-of-security/risk-based-security-for-executives/ceo-personally-liable-cyber-physical-security-incidents/ By TRIPWIRE GUEST AUTHORS 11/17/20 Digital attack attempts in industrial environments are on the rise. In February 2020, IBM X-Force reported that it had observed a 2,000% increase in the attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) assets between 2018 and 2020. This surge eclipsed the total number of attacks against organizations’ industrial environments that had occurred over the previous three years combined.

Converging Worlds
The growth in the number of attacks discussed above is at least partially tied to OT’s ongoing convergence with Information Technology (IT). Previously, IT and OT were worlds unto themselves. IT personnel mainly helped to maintain the PCs, servers, and other technology assets that interacted with or, in some way, handled enterprise-related information. In contrast, OT staff members primarily managed controllers and segmented the industrial network. There was some collaboration, but this was limited to specific purposes like submitting work orders and billing. These worlds converged when many organizations began undergoing a digital transformation. Through this transformation process, organizations arrived at the belief that they could optimize their OT assets’ performance by connecting them to the Internet and IT systems. This convergence has introduced an abundance of network and computing devices into industrial environments that weren’t previously accessible via the web, thus expanding the IT systems attack surface in OT environments. Malicious actors didn’t waste any time in modifying their attacks.
Indeed, TRITON (also known as TRISIS), WannaCry, and other malware made headlines for successfully targeting organizations’ industrial environments. Each of these attacker groups shaped their malicious activity to accord with their motivations. Some infiltrated organizations surreptitiously to conduct espionage and leverage whatever knowledge they gained about their targets to give a leg up to a competing country or organization. Others were a bit “louder” in their approach by seeking to disrupt their victims’ industrial systems in the hopes of undermining the economy, national security, and/or public safety of the country in which the targeted organization resided. With these threats in mind, it’s sobering for IBM X-Force to report that over 200 new ICS-related CVEs were released in 2019. This discovery led researchers to predict that attacks against OT and ICS targets will continue to increase in 2020 and beyond. Limiting Factors Organizations with industrial environments aren’t blind to these threats. Even so, some feel that they aren’t in a position to do anything about those dangers because of the costs associated with purchasing an industrial security solution. MarketsandMarkets found that organizations specifically need security measures that cover their entire industrial environments. This requirement causes OT security solutions to be expensive and organizations to opt for multi-threat solutions that don’t require high upfront costs like licenses or maintenance activities. But if you think industrial cybersecurity is expensive, try an accident. An unintended or malicious cyber incident can cause catastrophic failures similar to the Buncefield oil storage facility explosion, Taum Sauk dam failure, and Texas City refinery explosion. The issue here is what’s at stake. Organizations with industrial environments tend to operate Cyber-Physical Systems (CPS) that are responsible for ensuring smooth operations in plant environments such as critical infrastructure. 
If they are disabled or compromised, CPS can cause malfunctions in the plant environment that endanger public safety, threaten property destruction, and/or cause natural disasters. Hence, Gartner predicts that the financial impact of attacks against CPS will continue to rise, with the total cost reaching $50 billion by 2023 in compensation, regulatory fines, and reputation loss. (Those costs don’t even account for the value of human life.) The Issue of Accountability There’s an important development in the works, however. Indeed, Gartner also sees liability for CPS attacks ultimately extending to 75% of CEOs by 2024. This personal liability for CEOs reflects the fact that many enterprises are not aware of their organizations’ CPS and their vulnerabilities. This situation could result from rising shadow IT as personnel from outside IT install hardware and software to drive automation and modernization efforts at work. But even when they’re aware of which CPS the organization is responsible for managing, CEOs and the Board might not be pursuing a sound security strategy for these assets. The reality is that CEOs and the Board are unaware that typical CPS risk assessment reports shared with them have an underrepresented view of the real operational, public health, and safety and environmental risks. These assessment reports are developed through a ‘coordinated view’ approach. Assessors and plant operations and engineering stakeholders exchange information as part of this approach, but with a limited common understanding of the cyber-physical systems’ nature and complexity. This approach leads to an unbalanced focus on prioritizing IT network and system risks, which are generally more well understood than the more significant CPS risks in OT that require further assessment of their physics and engineering. 
While the coordinated view approach to risk assessment is in some ways better than isolated cyber risk assessments conducted by IT, operations, and engineering in their respective domains, it does not offer a ‘converged view’ of the CPS risk problem. Hardening Their Industrial Assets Organizations need a way to harden their industrial assets to avoid the costs of an industrial cybersecurity incident both in terms of corporate fees and personal liability to CEO and board members. Organizations must leverage frameworks like ISA/IEC62443, NERC CIP, and MITRE to strengthen their OT assets’ security and select industrial cybersecurity solutions that help create a reliable cyber operational resilience program. To develop a better understanding of industrial frameworks, to align IT/OT, and to use the right tools for the job while obtaining executive buy-in, take a read of the eBook by Tripwire, “Navigating Industrial Cybersecurity: A Field Guide.”
- Discussion of the importance of protecting our operational technology from cyber-attacks
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.linkedin.com/posts/jpitlik_cybersecurity-htb2020-activity-6736497456554618880-YLEY/ Lucian Niemeyer, Assistant Secretary of Defense, Office of Management & Budget, discusses the importance of protecting our operational technology from cyber-attacks at MISIS’s Hack the Building Conference https://www.hackthebuilding.tech/
- The Final Cyber Essentials Toolkit has arrived: Chapter 6: Your Crisis Response.
Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: http://www.cisa.gov/publication/cyber-essentials-toolkits The final Cyber Essentials Toolkit has arrived: Chapter 6: Your Crisis Response. This chapter focuses on responding to and recovering from a cyberattack. In addition to resource links, this chapter also includes an exercise that information technology and cybersecurity managers can use to engage company leaders in thought-provoking discussions about cybersecurity. The exercise is designed to raise leaders’ awareness of the risks and the need to integrate cybersecurity decision-making with day-to-day risk management processes and procedures. The Cyber Essentials Toolkit is a set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential. Each chapter focuses on recommended actions to build cyber readiness into the six interrelated aspects of an organizational culture of cyber readiness.