Author name: Abhay S K

Are Your Operational Technologies Truly Secure? In the present landscape of digital interconnections, where operational technology (OT) serves as the lifeblood of industries, ensuring the robust security of these systems emerges as more crucial than before. Imagine a world where an organization’s crucial infrastructure remains safeguarded from online menaces, ensuring the confidentiality of your information and preserving the integrity of your production procedures.  This reality is within reach, with the solution lying in adept vulnerability management! Welcome to the ultimate guide to managing vulnerabilities in 2023, serving as your guiding light in the cybersecurity domain for OT. Within this all-encompassing exploration, we unveil the mysteries surrounding systems and utilities for vulnerability management. This gives you the information you need to confidently navigate the always-changing environment of potential hazards. Our guide explores vulnerability management in great detail, not just on the surface. From understanding the fundamentals to implementing cutting-edge tools, we’ve got you covered.  We comprehend the nuances of your concerns—balancing system uptime while staying impervious to cyber threats is no easy feat. But fear not, for we bring you actionable insights that empower you to bolster your defenses without sacrificing productivity.   Did you Know? Enterprises that use risk-based vulnerability management will suffer 80% fewer breaches. What is Vulnerability Management? Vulnerability Management in the context of OT is a proactive strategy to safeguard industrial systems from potential cyber threats. It involves systematically identifying, assessing, and mitigating vulnerabilities that could compromise the integrity, availability, or confidentiality of critical assets.  A robust vulnerability management program tailored for OT environments establishes a structured framework for continuously monitoring and addressing vulnerabilities. Vulnerability Management as a Service (VMaaS) takes this further by offering expert assistance and tools to organizations, often including specialized solutions for OT settings. This service-driven approach streamlines vulnerability scanning, risk assessment, and remediation efforts, providing businesses with a comprehensive shield against evolving threats. In essence, Vulnerability Management in OT combines strategic planning, regular assessments, and timely mitigation to identify and address vulnerabilities proactively before they can be exploited.  It ensures that critical industrial systems remain resilient and secure, even in the face of ever-changing cyber challenges. Why is Vulnerability Management Important for Organizations? It’s more crucial than ever to stay one step ahead of potential dangers in the constantly changing world of cybersecurity, especially when it comes to operational technology. OT has advanced into the future as a result of the widespread use of digital technologies, helping firms achieve new levels of productivity and innovation. Threat actors constantly search for gaps to attack within these complex systems.  Therefore, this shift has also cast a shadow. Your organization’s readiness to deal with cyberattacks, not resistance to them, is what matters. So, Are You Ready to Elevate Your OT Security? Let’s Begin. Here’s why effective vulnerability management is non-negotiable in the world of OT: Preserving Operational Continuity Disruptions can lead to catastrophic consequences in OT environments. Vulnerabilities in industrial control systems (ICS) or SCADA systems can not only halt operations but also compromise safety. Implementing a robust vulnerability management strategy ensures that operational processes continue smoothly without compromising the integrity of the systems. Mitigating Cyber Risks Malicious actors constantly seek vulnerabilities to exploit. For OT, this could result in unauthorized access to critical systems or even the manipulation of processes, leading to financial losses and reputational damage. Effective vulnerability management is a proactive shield against cyber threats, reducing the organization’s risk exposure. Compliance and Regulations Many industries operating in the OT sector are subject to stringent regulations and compliance standards. Adhering to these requirements necessitates a comprehensive vulnerability management approach. Failure to do so not only invites legal consequences but also puts the organization at risk of cyber incidents. Let’s explore some notable standards that regulate OT security ISA/IEC 62443 (International Society of Automation/International Electrotechnical Commission) This comprehensive standard outlines the cybersecurity requirements for industrial automation and control systems. With its multi-part framework, IEC 62443 addresses various aspects of OT security, from network design to system lifecycle management. Its global recognition underscores its significance in safeguarding industrial processes against cyber threats. Download Checklist: The IEC 62443 Checklist NCAs OTCC-01: 2022 (National Cybersecurity Agency of Saudi Arabia) The Saudi Arabian regulatory body provides a set of guidelines, OTCC-01, focusing on securing industrial systems against cyber risks. These guidelines encompass risk management, security architecture, incident response, and more, providing organizations with a structured approach to OT security. Read about: Operational Technology Cybersecurity Controls by NCA NIST 800-82R3 (National Institute of Standards and Technology) Specifically tailored for industrial control systems, NIST 800-82R3 offers guidelines for protecting these critical assets. It covers security assessments, access control, and anomaly detection as a crucial reference for OT security practitioners. NIST SP 800-53 Rev. 5 While not exclusively focused on OT, this NIST publication provides an inclusive catalog of security and privacy controls for information systems and organizations. Its relevance also extends to OT security, offering a robust foundation for implementing security measures. NERC CIP Enforced within the North American electricity industry, NERC CIP standards ensure the reliability and security of the bulk power system. It encompasses a range of requirements, from physical security to cybersecurity, to mitigate risks associated with power generation and distribution. EU Mandate NIS 2 (Network and Information Systems Directive) Building upon its predecessor, NIS 2 aims to enhance the cybersecurity posture of essential and digital service providers within the European Union. With specific provisions for OT systems, this directive emphasizes incident reporting, risk management, and cross-border cooperation. Protecting Valuable Assets OT systems manage valuable physical assets, from energy production to manufacturing equipment. A breach could disrupt these operations and lead to permanent damage. Vulnerability management safeguards these high-value assets against potential exploitation. Securing Supply Chains In interconnected industries, a vulnerability in one part of the supply chain can cascade through partners and suppliers, leading to widespread vulnerabilities. A thorough vulnerability management system ensures that the entire ecosystem remains resilient. Building Stakeholder Trust In an era where cybersecurity incidents dominate headlines, organizations that demonstrate a proactive

QILIN also known as “Agenda” is a Ransomware Group that also provides Ransomware as a service (Raas). Qilin’s ransomware-as-a-service (RaaS) scheme earns anywhere between 80% to 85% of each ransom payment, according to new Group-IB findings. It was first discovered in 2022 when it attacked Australia’s leading Information technology service organization.  Qilin Targets its victims by sending phishing emails that contain malicious links to gain access to their network and exfiltrate sensitive data, as soon as Qilin completes initial access, they commonly circulate laterally across the victim’s infrastructure, attempting to find crucial statistics to encrypt. After encrypting the data Qilin leaves a Ransom note “Your network/system was encrypted, and the encrypted file has a new file extension” and asks for the ransom to pay for the decryption key Ransomware Details & Working  It drops pwndll.dll, detected as a Trojan.Win64.AGENDA.SVT, in the public folder and injects this DLL into svchost.exe to allow continuous execution of the ransomware binary. It takes the advantage of safe mode to evade detection and proceed with its encryption routine unnoticed. Malware is written in Rust and The Rust variant is especially effective for ransomware attacks as, apart from its evasion-prone and hard-to-decipher qualities, it also makes it easier to customize malware to Windows, Linux, and other OS.  Here are some pointer’s to be noted:  Victim Selection   First, it was Randomly targeting the organizations, but Now It seems like they are Mostly Interested in Critical Infrastructure, the OT Companies. In the year 2023, they have targeted 21 companies which include 5 OT victims. Recently in Jun 2023, they Attacked the Dubai Based OT company which specializes in comprehensive industrial and commercial water treatment (Clarity Water Technologies, LLC) and have targeted 6 other companies and leaked some of their data.   As per our Dark web analysis, the Victims they have targeted till now are from different countries which include Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, The Netherlands, UAE, UK and United States.  Fig1: Victim Countries  As per the Screenshot of the post which was written in the Russian language by Qilin Recruiter for recruiting “teams of experienced pentester for their affiliate program,” the group doesn’t work in CIS countries.  Darkweb Analysis  of Qilin Ransomware Qilin maintains a dedicated dark web page where they publish all the information and details about the Victim which includes the Victim’s name, Date of attack, Description of the victim, some images related to the victim’s sensitive data, and when the ransom is not paid, they also leak victim’s data on their dark web site.   They have Posted about 22 Victims on their Onion sites and some victim’s data has also leaked on their page.   Also Read: How to get started with OT security Let’s go through their Darkweb site  Qilin Darkweb front page where they publish the information about their victims.   Login page present in the Qilin ransomware site  They Normally leak two files; one has the data, and another has the list of all the sensitive files. (As shown in the image)  IOCs  76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e  fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039  Mitigation For Securing OT Environment:  Remediations  Reference  https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html https://www.trendmicro.com/en_in/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html https://www.group-ib.com/blog/qilin-ransomware/ Interested in learning more about AI-powered attacks and ways to prevent them on your networks? Talk to our security expert. See our IoT and OT security solution in action through a no-obligation demo Gain Ample visibility into your network and identify gaps today, Sign up for a comprehensive asset discovery with vulnerability assessment today from Sectrio This research report is attributed to Dipanjali Rani and Akshay Jambagi from Sectrio’s threat research team.

You may also be interested in reading: Industrial control systems (ICS) refer to control systems used in a wide range of industrial processes. It’s a component of operation technology that involves hardware, software, and systems that help manage industrial operations. Some basic aspects of ICS include sensors, controllers, local supervisory systems, business systems, and management systems. The need for remote access connectivity for industrial control systems has never been greater as it allows businesses and industries to enjoy more efficient and reliable operations. But for successful remote access, businesses have to establish network connections between the ICS infrastructure and the remote user. This comes with its own set of security risks. Cybercriminals constantly target remote users to steal sensitive information, gain financial advantages, or blatantly cause damage. The consequences of such security breaches can be devastating as they lead to operational disruptions, reputational damage, financial losses, and data corruption. This is why organizations must ensure secure remote access (SRA) for industrial control systems. In this article, we’ll explore some of the best ways to ensure secure remote access for industrial control systems (ICS) Best Practices for Secure Remote Access for Industrial Control Systems Remote users should authenticate with multi-factor authentication (MFA) Multi-factor authentication (MFA) is a form of added security measure that requires users to provide several ‘pieces’ of verification before being granted access to an account. Examples of MFA authentication include one-time passwords (OTPs) and biometric data like fingerprints, voice recognition, or iris scans For most accounts, users require only a password when logging in. But an MFA system combines multiple authentication factors, including a password and other confirmation processes. This adds an extra layer of security, making it hard for unauthorized people to access an account. To ensure secure remote access for industrial control systems, consider a multifactor authentication system done over a secure channel. But when doing so, be careful, as some multifactor solutions can be ineffective because of the speed or process control reliability requirements. Ensure secure communication through encryption tools and tunneling techniques Encryption protocols and secure tunneling techniques ensure the information exchanged between the remote user and the ICS remains confidential and protected from unauthorized access. For example, Secure Socket Layer/Transport Layer Security (SSL/TLS) protocols establish secure encrypted connections between client and server applications. They provide authentication and data encryption. And this is just one example of encryption protocols and secure tunneling techniques. Implementing such protocols ensure secure communication channels for remote access to ICS. Consider dedicated client hardware and software It’s standard for organizations looking for remote access solutions to empower their users with both the software and hardware required to connect. However, even in doing so, cybercriminals still remain a huge concern as they typically target such users. As part of the remote access solution, your organization should issue personal computers or laptops. This PC or laptop should have the appropriate cyber security countermeasures, such as host-based intrusion detection systems and antivirus software. But perhaps one effective solution that has profited most organizations involves using VPNs for secure remote access. The best VPNs establish a secure and encrypted connection between the user and the ICS network. They create a secure “tunnel” over an insecure network, such as public wifi, ensuring that sensitive information remains protected. Employing dedicated client hardware, such as laptops, and dedicated software, such as VPNs and antivirus, ensures that organizations can effectively establish secure remote access for industrial control systems Session Termination Session termination is a fundamental concept when discussing remote access. Session termination is paramount when establishing a remote access solution because it terminates the link between the remote user and the internal network or system. It’s an essential and non-negotiable element of a secure remote access solution. Because of this, organizations need to ensure that sessions are promptly terminated, either upon request or automatically based on system configurations. Conduct regular patching and updates Regular patching and updates are essential in discovering vulnerabilities and security weaknesses in software systems. By promptly applying security patches, you will easily address the vulnerabilities and protect the entire ICS infrastructure from potential cyberattacks. Through proper patch management, it will be easy to close security gaps and strengthen the entire security of the system, significantly reducing the risk of unauthorized access and disruptions. Since ICS is highly critical for an organization, you must be keen to plan and execute updates to minimize disruption of operational continuity. The best approach is to conduct the process in phases, whereby you will test the patch in an isolated environment before distributing it to the entire ICS infrastructure. Ensure you also adopt a redundant architecture and backup system to provide uninterrupted operations. Gain Ample visibility into your network and identify gaps today, Sign up for a comprehensive asset discovery with vulnerability assessment today from Sectrio Outline definitive remote access policies and procedures Most organizations fail to define and communicate clear policies pertaining to rules and procedures for remote access to ICS. It’s important to outline who can access the system clearly, define the circumstances, and indicate the necessary authentication mechanisms. For example, a good place to start would be to adopt a role-based access control (RBAC) policy. This policy framework regulates access to resources and equipment within an organization based on roles. In an RBAC policy, users are assigned specific roles that determine their level of access to systems, applications, and data. As an administrator, you should ensure all users looking to connect remotely use a named account. And not only that, but remote access users should only access systems that are directly associated with their line of work and nothing more. Compliance Kit: OT/ICS Cyber Security Policy template by Sectrio You should go further and assign specific access privileges remote workers require to carry out their duties. This limits accessibility based on job functions and needs. It’s essential in reducing the risk of insider threats and maintaining the overall security of the ICS environment. Schedule security awareness and training sessions A big part of security

With the increasing digitization and connectivity of operational technology (OT) networks, the threat landscape has expanded, making it imperative for organizations to proactively hunt for potential cyber threats. Threat hunting in OT networks involves actively and continuously searching for signs of compromise or malicious activity that traditional security measures might miss. This article dives deep into the concept of threat hunting in OT networks, its significance in protecting critical infrastructure, and effective strategies to unleash proactive cybersecurity. Understanding Threat Hunting in OT Networks Threat hunting in OT networks is a proactive approach that aims to identify and mitigate advanced threats, including sophisticated attacks, zero-day exploits, and insider threats. It involves leveraging both human expertise and advanced technologies to detect anomalies, patterns, and indicators of compromise (IOCs) within the OT environment. By proactively seeking out threats, organizations have the ability to stay ahead of adversaries and minimize risks to operational continuity. The Importance of Threat Hunting in OT Networks Threat hunting in OT networks offers several key advantages 1. Detection of Advanced Threats Traditional security measures often struggle to identify sophisticated attacks targeting OT systems. Threat hunting fills this gap by actively seeking out signs of compromise, enabling early detection and response to emerging threats. 2. Reduction of Dwell Time Threat hunting reduces the dwell time, which is the duration that adversaries remain undetected within the network. By shortening the dwell time, organizations can minimize the potential damage and disruption caused by an ongoing cyber attack. 3. Mitigation of Insider Threats Insider threats pose a significant risk to OT networks. Through threat hunting, organizations can proactively identify any abnormal or suspicious behavior exhibited by employees or contractors, mitigating the risk of insider threats. 4. Enhanced Incident Response By adopting a proactive approach, threat hunting equips organizations with actionable OT/ICS specific threat intelligence and insights necessary for effective incident response. This allows security teams to rapidly contain, eradicate, and recover from any security incidents, minimizing the impact on critical operations. Also Read: Complete Guide to Cyber Threat Intelligence Feeds Strategies for Effective Threat Hunting in OT Networks To conduct successful threat hunting in OT networks, organizations should implement the following strategies: 1. Define Clear Objectives Establish clear goals and objectives for threat hunting activities, aligned with the organization’s risk tolerance and operational priorities. 2. Leverage Threat Intelligence Utilize OT/ICS specific threat intelligence feeds and external sources to gain insights into the latest attack techniques, indicators of compromise (IOCs), and threat actor behaviors specific to OT environments. 3. Use Advanced Analytics and AI Employ advanced analytics, machine learning, and artificial intelligence (AI) techniques to analyze vast amounts of OT data in real-time. These technologies enable the detection of anomalies, patterns, and potential indicators of compromise. 4. Combine Human Expertise with Automation Human analysts with deep knowledge of OT systems should collaborate with automated tools and technologies. This combination enhances the effectiveness of threat hunting by leveraging human intuition and expertise alongside the scalability and speed of automation. 5. Adopt Endpoint Detection and Response (EDR) EDR solutions play a crucial role in threat hunting by providing real-time visibility into endpoint activities, enabling proactive threat hunting and faster response to potential threats. 6. Conduct Regular Red Team Exercises Simulate realistic attack scenarios through red team exercises to test the effectiveness of existing security measures and identify any potential weaknesses or blind spots in the OT network. Compliance Kit: Cybersecurity Tabletop Exercise Planning Manual Overcoming Challenges in Threat Hunting for OT Networks While threat hunting in OT networks brings significant benefits, it also presents certain challenges that organizations must address. 1. Lack of OT-Specific Expertise Finding skilled personnel with expertise in both OT systems and cybersecurity can be challenging. 2. Access to Comprehensive OT Data Gathering and analyzing comprehensive data from OT networks can be complex due to various legacy systems, proprietary protocols by the OEMs, and limited visibility into OT environments. To find out how Sectrio’s solution can help get over this challenge, watch us in action now: Request a Demo 3. Integration with Existing Security Infrastructure Ensuring seamless integration between threat hunting activities and existing security infrastructure, such as security information and event management (SIEM) systems and intrusion detection systems (IDS), can pose challenges. 4. Balancing Security and Operational Requirements OT environments prioritize operational continuity, which can sometimes conflict with the security measures implemented during threat hunting. Striking a balance between security and operational requirements is crucial to prevent disruptions while maintaining robust cybersecurity. 5. Adapting to Evolving Threats Threat actors continually evolve their tactics and techniques, necessitating constant updates and adjustments to threat hunting strategies and methodologies. Sectrio eBook: OT Security Challenges and Solutions Real-Life Examples of Threat Hunting in OT Networks Illustrating the effectiveness of threat hunting in OT networks, here are a few real-life examples 1. Identifying Malware Infections Through threat hunting, an energy company discovered signs of malware infection in their OT network. By proactively investigating the anomalies, they were able to isolate and remove the malware before it caused any operational disruption. 2. Detecting Insider Threats During a threat hunting exercise, an industrial manufacturing company identified suspicious activities indicating a potential insider threat. The timely detection allowed them to investigate further, identify the compromised user account, and mitigate the risk before it led to significant damage or data exfiltration. 3. Uncovering Hidden Vulnerabilities By conducting thorough threat hunting activities, a transportation organization discovered previously unknown vulnerabilities in their OT systems. They promptly patched the vulnerabilities, reducing the risk of exploitation by threat actors. 4. Mitigating Advanced Persistent Threats (APTs) A critical infrastructure provider proactively engaged in threat hunting to identify indicators of an advanced persistent threat (APT) targeting their OT network. Through continuous monitoring and analysis, they were able to detect the APT’s presence, gather intelligence, and collaborate with law enforcement agencies to mitigate the threat effectively. For CISOs: Simplify the RoI for an OT Threat Hunting program Getting buy-in from the board can always be tough, here are a few pointers on the ROI that can be