How To Interpret and Act on the Government’s ‘Shields Up’ Advisory

As tensions with Russia mounted in the early weeks of the war in Ukraine, the FBI and the Department of Homeland Security issued a strong advisory to critical infrastructure owners, urging them to adopt a “shields up” strategy: hardening their systems against possible Russia-sponsored cyberattacks on U.S. electricity, gas and other systems.

The “who” and the “what” were easy to grasp. But the “how” wasn’t so clear. The advisory didn’t include additional guidance to help industrial leaders better understand what goes into a “shields up” posture.

The announcement mentioned some basic security steps companies could take right away, such as enabling multifactor authentication, conducting regular antivirus and antimalware scans, and strengthening spam filters. A subsequent Shields Up page from the Cybersecurity & Infrastructure Security Agency (CISA) offered more detailed advice. But neither mentioned what should be at the core of a truly effective shields up strategy: zero trust.

Industrial leaders are familiar with the idea of zero trust, and many companies have started working toward adopting the strategy. But there are some unique challenges in implementing zero trust, which organizations can address by answering several questions. What are the key elements for zero trust in an industrial setting? How best can organizations go about implementing it? And how can they anticipate and deal with the complications that may arise?


Remote work demands industrial businesses secure critical infrastructure

Complex market forces and various sets of challenges have converged over the last decade, leading to the rapid adoption of new digital solutions in power plants. The growing use of renewables and the digitization of the grid have put pressure on traditional gas-fired power plants to evolve in order to stay competitive.

The primary challenges driving this change include:

  • Multigenerational workforce – the shortage of experienced plant operators and managers is growing, driving a need for more flexible remote work options and training.
  • Global shift to remote work – uncertainty and social-distancing protocols created by the COVID-19 pandemic hastened the urgency of a new remote operational model.

This second trend is, arguably, the most important.

Power generators are beginning to adopt technologies that enable remote or mobile control procedures to ensure business continuity and optimal staffing flexibility and efficiency. Due to growing uncertainties in plant operations, industrial organizations must build their security stack with the goal of controlling their critical infrastructure from a remote location. Plant managers and technicians need the ability to interface with the plant assets from anywhere, at any time.

Industrial businesses and enterprises must rethink their security stack. Rather than building defenses around the office, organizations must build a stack that enables their teams to:

  • Collaborate with remote staff and experts
  • Increase on-site mobile staff effectiveness and flexibility
  • Improve employee health and safety
  • Operate reliably with reduced staffing
  • Centrally monitor plant operations
  • Diagnose and troubleshoot alarms and issues
  • Instruct, guide and dispatch on-site personnel
  • Remotely operate, start up and/or shut down control system assets

Most of today’s power plants are equipped with firewall products, which have become the standard-issue appliance for securing a network. Next-generation firewalls (NGFW) are more powerful and provide multiple functions such as sandboxing, application-level inspection and intrusion prevention. While NGFWs do a great job at these functions, they are not designed for remote access to devices, and there are inherent risks for those who have used them that way.

Firewalls can encrypt data streams over a virtual private network (VPN) and tunnel critical information through an untrusted network, such as the internet. However, the tunnel only protects data in transit: with today’s technology and the high number of tools and information available to threat actors, it is possible to compromise the data communication protocols at the endpoint device where these encrypted streams are terminated, and from there to conduct malicious activity against critical power plant assets.

Additional areas businesses should consider for their remote security include:

  • An inventory of all critical infrastructure. While this may sound intuitive, it is crucial to account for system interdependencies: an IT billing system becomes critical if operational technology depends on it.
  • Encrypted, browser-based virtual desktop (VDI) delivery of the operator HMI to remote or mobile desktops, laptops and tablets.
  • Multifactor authentication (MFA) is a given. There are many MFA types, but industrial organizations should implement closed-loop, hardware-token MFA that does not depend on cloud connectivity, covering both on-site mobile operators and remote users.
  • Moderated secure file transfer, configured per system connection as either bidirectional or unidirectional.
  • Application and system segmentation that logically isolates systems and applications to limit the blast radius of an attack.
  • Time-based access controls that limit how long vendors, contractors and plant technicians can interact with critical systems.
  • Recording of HMI access sessions by mobile operators and remote users, for forensic and training purposes.

As the power industry adapts to the changes presented by a changing workforce and the convergence of IT and OT, remote user access will become even more essential.


Cyber Defense: Bill Moore of Xona Systems On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Bill Moore.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in the suburbs of Washington D.C. — Alexandria, Virginia to be exact. My father worked for the Federal Government and was a longtime engineer at NASA, and my uncle also worked in the intelligence community. So, from a young age I was exposed to the ins and outs of the engineering field. I stayed local and then I went to college a couple hours away at James Madison University, where I majored in Economics.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

That’s a great question; I’m not sure I can distill it into one story. If I had to pick, I would say it’s because I got into IT in the mid 90s and I really enjoyed the whole idea of networking computers. I was a LAN administrator in IT, and the internet was in its infancy at that time, but I started recognizing that there were a lot of cybersecurity issues like viruses. Computers weren’t nearly as locked down as they are today. I remember I was working a contract for the Navy when the Melissa Virus happened over 20 years ago, and just seeing how impactful hacking was on our networks really piqued my interest to the point where I said “Okay, this is what I want to do, this is what I want to get into moving forward.” I then started looking for job opportunities that were more related to encryption and securing networks. I got a job at a wireless encryption company. I was so fascinated by the mobility, the internet, the ability to do networking over wireless, but also being able to go in and see how hacking wireless played out in its early stages before anyone really knew of the real impacts. I would even mess around to see how easy it was to hack certain things before it became more locked down, just to understand it. I remember I was at an accounting firm, and they had a wide-open access point that anyone could have hacked. It wasn’t locked down at all, so I went in and mapped every computer and every server to a text file and sent it to their CISO and recommended they shut down the access point. When they saw what I had done, I’m sure their heart skipped a beat, but I just wanted to let them know — sort of a white hat thing to do.

Can you share the most interesting story that happened to you since you began this fascinating career?

When I worked at FireEye in the 2010s…


Russia’s Cyberwar Targets Western Critical Infrastructure


Cyberwar isn’t just coming to the West. It’s already here.

On May 10, the U.S. and European governments formally declared that Russia’s invasion of Ukraine began with a state-sponsored cyberattack on critical communications infrastructure—an attack that spilled over from Ukraine to satellite internet networks throughout Europe. It is a foretaste of disruptions on a global scale, officials have warned, with critical infrastructure like utilities, food production, and emergency services at risk.

In fact, there’s strong evidence that these kinds of attacks have already begun.

A number of wind-power companies fueling Germany’s rapid transition away from Russian energy have recently experienced cyberattacks that took some systems offline. Off the record, Western governments assigned blame on Russian military intelligence services for an alarming hack that disabled Viasat, a major satellite company based in California that Ukraine, wind-energy utilities, and many other European companies use for internet service.

Nation-state attacks on critical infrastructure predate the war, of course. The North American Electric Reliability Corporation (NERC) found a 170 percent increase in ransomware activity targeting power companies from 2019 to 2020. And on a recent episode of 60 Minutes, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said that Russia is almost certainly planning to attack U.S. infrastructure directly, and that organizations—and all of us—need to brace ourselves for the inevitable…

“[Oldsmar] was an example of improper isolation of data communications and weak authentication from the water plant control room out to the internet,” says Bill Moore, CEO and founder of Xona Systems, which focuses on OT security. The Oldsmar facility did not employ multifactor authentication, compounding the problem. In an analysis, CISA said Windows TeamViewer software based on the widely used remote desktop protocol (RDP) was a critical weakness that allowed hackers to infiltrate the treatment plant. Moore notes that RDP is the top weakness that ransomware attacks exploit to this day.


Hackers target US industrial control systems

Four federal agencies have warned that hacking groups have developed tools to attack technology used in factories, utilities, and other industrial settings, potentially allowing hackers to shut down parts of the U.S. energy grid and water services.

The April 13 alert from the FBI, the Department of Energy, and other agencies warns of advanced persistent threats, typically large cybercriminal groups and government-supported hackers, targeting three broad groups of industrial control system and supervisory control and data acquisition devices.

The targeted technologies are used in a wide range of settings, including the U.S. energy sector, the oil and gas industry, water and wastewater services, and manufacturing, transportation, and government agencies, such as the Department of Defense, noted Bill Moore, CEO and founder of Xona, an industrial controls security vendor.

“Chances are your life has been touched somehow by these systems unless you … live way off the grid,” added Andy Rogers, senior assessor at Schellman, a global cybersecurity assessor. “These systems control everything imaginable and to some degree make our lives a little more comfortable or safer on a daily basis.”

Moore called these threats “extremely concerning,” particularly during the current geopolitical tensions sparked by Russia’s invasion of Ukraine.


3 urgent cybersecurity realities that the energy sector can’t ignore

In May 2021, an unthinkable cyberattack crippled the Colonial Pipeline’s digital infrastructure, capturing 100 gigabytes of data and preventing the US’s most significant refined fuel pipeline from maintaining normal operations. This critical pipeline, which provides 45% of the fuel for the East Coast, was inoperable for six days, initiating panic buying, gas lines, and a cacophony of internet hot takes critiquing the company’s response.

The incident cost the company millions in recovery costs while doing irreparable reputational damage to their brand, which is inextricably associated with this defining cybersecurity failure.

It’s also emblematic of the unique cybersecurity challenges facing the energy sector.

Energy companies are a top target for threat actors. The energy sector accounts for 16% of all officially documented cyberattacks, a number that has only increased alongside the recent pandemic. Collectively, the energy sector is the third most targeted industry by cybercriminals. Meanwhile, energy companies are protecting increasingly expanding attack surfaces as companies initiate new connections between information technology (IT) and operational technology (OT).

Unfortunately, the energy sector shouldn’t expect cybersecurity risks to subside anytime soon. Instead, they should anticipate that cybersecurity failures will become more expensive, consequential, and disruptive moving forward.

#1 Cybersecurity incidents will be more expensive

#2 Cyberattacks will be more consequential

#3 Threat actors will be more disruptive


3 Priorities for Securing OT Network Infrastructure

Alongside the COVID-19 pandemic, cybersecurity threats soared. Ransomware attacks, phishing scam campaigns, and other attack methodologies reached all-time highs, prompting companies to spend a record amount to enhance their defensive postures.

However, always ready to capitalize on vulnerabilities, threat actors are now targeting critical infrastructure, including water and energy facilities. While the ransomware attack on Colonial Pipeline attracted the most media coverage because of the startling scenes of supply shortages and gas lines, a new joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, and the U.S. EPA, highlights more expansive challenges for critical infrastructure.

According to the report, several water facilities were targeted in 2021, disrupting both information technology (IT) and operational technology (OT) systems and exploiting vulnerabilities in critical IT and OT systems, which can pose major risks to operations as well as public safety.

Specifically, the report notes, “The increased use of remote operations due to the COVID-19 pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels.”

In response, utilities must recalibrate their cybersecurity efforts, ensuring that they can secure OT operations. For those tasked with making or evaluating those decisions, here are three priorities for securing OT infrastructure.


Critical Infrastructure Is Under Attack: How Industry Can Secure OT Remote Operations Before It’s Too Late

Cybersecurity has quickly become a top challenge for manufacturers and industrial services around the world. According to a September 2021 survey of manufacturing executives, 61 percent identify cybersecurity as a “high/very high priority.”

These challenges are especially pronounced as manufacturers turn to remote and hybrid teams to attract and retain top talent while maintaining operational continuity.

As a result, manufacturers are introducing remote operations capacity for OT systems, allowing employees, contractors, and trusted third parties to operate on-site infrastructure from anywhere in the world. While the benefits are multifaceted, the risks to critical systems are real. Off-site workers are more likely to compromise OT integrity as everything from phishing scams to distractions undermine cybersecurity initiatives.


Operational Technology: Remote Operations Introduce New Risks


How to secure critical systems for a hybrid workforce

In January 2021, Oldsmar, Florida, a small city in the shadow of Tampa Bay with fewer than 15,000 residents, became the target of a high-profile hacking operation. Threat actors accessed the city’s municipal water treatment facility and attempted to use their network access to increase the sodium hydroxide intake to lethal levels.

The municipal water facility relied on commercial-grade remote access software that allows employees to share screens and troubleshoot IT. Threat actors compromised this software, which provided front-door access to the facility’s operational technology (OT) infrastructure.

This incident is emblematic of a frightening trend as critical infrastructure increasingly becomes a target for threat actors.

Notably, in October 2021, a disgruntled Australian IT consultant hacked into a municipality’s waste management system, subsequently dumping millions of liters of untreated wastewater into local parks, rivers, and businesses.

Troublingly, the threat isn’t limited just to water systems. The April 2021 ransomware attack on the Colonial Pipeline Co., the largest fuel pipeline in the U.S., cost the company millions of dollars to recover its digital assets, while brand erosion will have even more long-lasting repercussions. In addition, JBS Foods, the world’s largest meat supplier, was similarly victimized by a ransomware attack that crippled the company’s operations, impacting food prices and operational continuity in a critical sector.


Security Sessions | OT Remote Operations Introduce New Risks to Today’s Utilities: How to Secure Critical Systems for a Hybrid Workforce

The recent pandemic radically reoriented public utilities as they empowered remote and hybrid teams to maintain operational continuity in any environment. Moving forward, it’s clear that hybrid teams composed of remote and on-site employees will become more common among utilities. While this presents unique opportunities to curb expenses while boosting certain capabilities, it also presents novel cybersecurity challenges that utilities can’t ignore.

Most importantly, according to a survey of 1,726 utility professionals, cybersecurity challenges are amplified as utilities connect OT assets to existing IT systems. In other words, engaging and operating infrastructure using OT resources empowers teams to work effectively from anywhere in the world. However, when not adequately protected, these systems create cybersecurity vulnerabilities that put people, profit and critical resources at great risk. In response, utilities need to secure their OT remote operations with solutions that combine resiliency, security and affordability.
