As cybersecurity breaches by threat actors and nation-state advanced persistent threat (APT) groups continue to wreak havoc on systems around the world, a new class of vulnerability has emerged: attacks on equipment and non-internet-facing systems. Micah Howser, NetDiligence’s eRiskHub® Manager, learns more about these latest physical cybersecurity breaches from Robert Smith, Incident Response Manager and Senior Cybersecurity Engineer at CyberClan.
CyberClan is a cybersecurity company established over a decade ago to provide expert Breach Response and post-breach remediation services in the US, Canada, the UK, and worldwide. CyberClan also has a Vulnerability Assessment and Penetration team and in 2019 added a 24/7/365 global Security Operations Center that manages security for small to midsize enterprises. Robert Smith brings additional experience to his role from his background in law enforcement as a digital forensic examiner and cyber crime investigator.
Where Do You See the Newest Cyber Risks Coming From?
Companies have long been comforted by the belief that if a system or physical machine isn’t internet-facing, there is no reason to worry about it being accessed or compromised by a threat actor or APT. Unfortunately, we are finding that is no longer the case, as the line between physical security and cybersecurity grows thinner. Equipment and non-internet-facing systems need to be secured against exposure to a potential cybersecurity breach. In fact, the IBM X-Force Threat Intelligence Index 2020 reported a 2000 percent increase in incidents targeting operational technology (OT) environments.
Any equipment used to run your business is exposed to a potential breach, even a printer. As an example of a physical cyber attack, take a system running a thermostat and heater. The system sends and receives data to make sure all components are running correctly, or to notify you if the temperature is too hot, the furnace is overheating, or something else is malfunctioning. This system may not be internet-facing, but it eventually sends information to you or to a database, both of which are internet-facing.
While it all seems unconnected and far-fetched, this is now a backdoor pathway that cyber criminals are exploiting more and more.
Beyond heaters, of course, any equipment or system you use to run your business and manage industrial operations is at risk. This covers anything that falls under operational technology (OT), including industrial control systems (ICS), the umbrella term that takes in supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).
Why Are There Safety Concerns for Security Professionals When It Comes to OT, ICS, and SCADA?
As mentioned before, many believe that SCADA systems and networks are secure because they are disconnected from the internet. They rely on SCADA systems’ specialized protocols and proprietary interfaces as the primary method of security. But those protocols and interfaces don’t stop attacks when there are physical and logical links between information technology and operational technology assets.
Another safety concern for security professionals is that many companies use OT software that only works on older systems such as Windows Server 2003 and Windows XP. Windows Server 2003 has over 400 vulnerabilities that can be easily exploited. This is troublesome because Microsoft will no longer be releasing patches going forward, and the software may only work on the older system. That software will need to be rebuilt for a lasting security improvement.
The use of the Internet of Things (IoT) also brings a greater risk of exposure because of the interconnectedness it creates between people, technology, and devices.
Interestingly enough, in every breach that Smith has seen over the last year, the antivirus product in place had been circumvented, regardless of vendor. Antivirus is great at what it does, but it won’t stop a ransomware threat actor or another determined actor from getting into your network.
Who Are the Bigger Threats: Threat Actors or APTs/Hacking Groups?
Today, the line is blurring between threat actors and APTs, with both groups starting to use the same tools to exploit any weaknesses they find, such as APT28 using Trickbot for its hacking campaigns. The Stuxnet, Flame, and Duqu campaigns have become well known for their operational technology attacks.
Has COVID-19 Had Any Effect on These Breaches?
COVID-19 has created a big opportunity for threat actors because it has changed how the majority of the world is working. Employees need to remotely access systems from home or other locations. Traditionally non-internet-facing systems have to become internet-facing, or they need to link to a system that is, so that they can be accessed remotely. This, in turn, offers cyber criminals more exploitable weaknesses than ever before.
Can Betterment and Remediation Help Strengthen a Company’s Security?
Companies need to include betterment in their insurance policies in case they are breached. That way, they can receive funds to improve systems and strengthen their environment based on the findings of the breach investigation and remediation efforts.
In terms of remediation, it’s vital to consult with an expert in IT restoration and remediation when considering equipment use post-breach and how to restore your network. Don’t rush to dump older technology, a move that could have a detrimental impact; instead, plan how to work with and improve current systems. If you’re serious about securing your network, you need to consider intrusion detection systems (IDS), endpoint detection and response (EDR) systems, and a security operations center (SOC) to monitor for ongoing threats.
Would You Like to Share Any Parting Thoughts?
It’s important for companies to insure and secure themselves. Our partners in the insurance industry can help with the former, and CyberClan is happy to help with the latter.
We thank Robert for sharing his insights into cybersecurity’s newest vulnerabilities to help keep our customers aware of threats they may soon face. Watch the video to see more of Robert and Micah’s discussion. You can learn more about CyberClan at their website or inside the NetDiligence eRiskHub® portal. CyberClan speakers also regularly present at NetDiligence Cyber Risk Summit events. If you have any questions about data breach planning and response, contact us at NetDiligence.