Sectrio



My reflections from GISEC 2023 and the cybersecurity challenges we are faced with in the Middle East region.

According to a new report from analyst firm Frost & Sullivan, the Middle East's cybersecurity market is expected to reach $31 billion by 2030, up from $7.5 billion in 2022. This projected growth reflects the state of the market and the priority that enterprises are giving to cybersecurity in addressing the increased risks they face. With the uptick in digital transformation and AI-powered automation projects, cybersecurity will gain even more prominence. While such transformations are necessary to retain a competitive edge and are good for business, there are areas that need improvement to ensure a holistic approach.

Sectrio was among the handful of OT security vendors at the GISEC event, which meant we were able to take part in many discussions with businesses on adopting a robust ICS/OT security framework that protects operational assets from all types of sophisticated attacks. Regional businesses are now looking at OT security from a fresh perspective, decoupling it from traditional IT security and from the age-old approach of meeting the bare minimum of compliance mandates to avoid fines or regulatory penalties. Many are waking up to OT threats and are setting up a specific OT security roadmap with clear milestones. As some of you may already be aware, the OT threat environment in the region is deteriorating rapidly with the emergence of new advanced persistent threat actors and cybercriminals, a growing volume of targeted attacks, and increasing attack sophistication. It is only a matter of time before such attacks cross the kinetic threshold and take the shape of large-scale attacks causing unacceptable losses. APT actors and new hacker groups using easy-to-obtain malware such as LockBit 3.0 are redefining the threat landscape and underscoring the need to improve cyber hygiene and expand the scope of cybersecurity investment.

While at the event, I met many OT security leaders from the region and from multiple industry verticals. They were nearly unanimous in their outlook for the region, the cyber threats they face, and what businesses need to focus on to improve their security posture and ensure risk-free operations. I am sharing a few of those insights here; please feel free to reach out to me if you wish to have a deeper conversation on any of these areas or want to learn more. At the end of three packed days at GISEC, I am certain of a few things. These leaders are looking to specialists like Sectrio to step up and work with them to secure their OT networks so that they can continue their digital transformation journeys. We are ready to take on this challenge.



The cybersecurity link to the Chinese spy balloon episode

In the last eight days, US fighter jets have shot down four airborne objects over North America. Only the first of them, downed off the coast of South Carolina, was confirmed as a Chinese surveillance balloon; the other three were unidentified objects brought down over northern Alaska, over Canada's Yukon territory and, on Sunday, over Lake Huron. The US Defense Department has attributed the increase in detections (and shoot-downs) of suspicious flying objects to closer scrutiny of US airspace and to adjustments to its radar settings made to pick up slow, high-altitude objects of exactly this kind. The US remains on high alert to detect and neutralize similar airspace violations in the days to come. While the episode has been picked over by analysts, one aspect has been overlooked: China's growing appetite for raw intelligence data. This article examines the reason behind this growing appetite and its implications for governments and enterprises.

The cyberspace/cybersecurity link

In the second half of 2022, China moved up a notch to become the country harboring the most active APT groups in the world. Cyberattacks from China have picked up in both volume and sophistication over the last nine months. In addition to diplomatic cables and intellectual property, Chinese APT groups have gone after defense vendors, healthcare providers treating (or holding records of) politically important persons, and infrastructure connected with critical manufacturing facilities. Chinese intelligence operates in four stages: data gathering, validation, analysis and deployment, with various enablers involved at each stage. In recent times, China has paid extraordinary attention to validation, recruiting more information sources to cross-check the information already on record, and finding ways to hack into non-traditional sources of data to assess the quality and significance of information already collected. Validation used to happen at two facilities in eastern China. Now, however, China's Ministry of State Security (MSS) has started commandeering private-sector companies to help refine collected data and derive intelligence value from it. These include firms with big-data analysis capabilities and firms with proven, working AI models for linking unconnected data sets and validating raw data against pre-established patterns of authenticity.

Intelligence data processing occurs at huge scale in China. Thanks to the facilities available from private enterprises, China does not have to build them in-house or spend time, resources and energy recruiting and maintaining the people to run them, which frees up a large chunk of manpower for upstream intelligence-gathering. Every event of significance is validated from multiple independent data sources to confirm its strategic utility. For instance, if an asset of interest is moved between locations, the movement can be confirmed not just by tapping different sources of intelligence data but also by looking for post-event indicators in petabytes of collected data. Such bits of intelligence are priceless for strategic decision-making. Private-sector participation in intelligence data processing is encouraged by the Chinese government; some of the participating companies receive discreet funding or non-monetary and tax benefits from the MSS or the government, and those that do not readily agree are coaxed and coerced into participating.

Why is China investing in newer methods of intelligence data collection?

Having built huge capacity for crunching raw intelligence, China ran into a problem in the first half of the last decade: it had to find a way to keep these facilities busy. It therefore started looking for new sources of intelligence to keep the established capacity utilized. China is aware that any break in data collection, validation or analysis could degrade its intelligence-processing capability in the long term, so the entire intelligence assembly line is kept active with information and data sets fed in at regular intervals. This is why China needs to harvest information constantly across HUMINT and SIGINT channels. China is also testing newer military hardware that performs optimally only under certain atmospheric and local weather conditions. With better awareness of atmospheric conditions and other regional factors, including accurate views of strategic military installations, China can plan and execute the use of military hardware, systems and personnel with more operational insight in the event of a formal or informal declaration of hostilities. Such information also gives a clear advantage in a geopolitical crisis, trade negotiation or confrontation, and can even help anticipate an adversary's response.

Given this backdrop, we expect China to stay invested in expanding its intelligence-gathering capabilities and facilities, augmented by other means as its raw-data processing and refining capabilities improve. The growing capabilities of Chinese APT groups in cyberspace are further evidence that China has adopted this approach. With its increasing appetite for intelligence data, this trend will define China's approach to cyberspace and beyond in the days to come.



APT 41’s expanding capabilities pose a significant economic threat

Chinese hacker group APT 41 has been in the news for cyberattacks, espionage, IP theft and cybercrime for at least a decade. In 2022, however, its activities have expanded significantly to net more data and geopolitical leverage for its backers. This has implications for governments and institutions of economic significance in many countries, which will now be targeted with multi-tactic, multi-platform campaigns that are hard to detect and harder to counter. While APT 27, another Chinese APT group, is now more or less focused on Taiwan and is quite open (and vocal) with its threats, APT 41 has adopted an entirely different doctrine toward cyber espionage.

Understanding APT 41's information-gathering approach

APT 41 concentrates on intercepting government communications, high-technology research and selected targets, using spear phishing, passive interception, watering-hole sites, RATs and backdoors, and attacks on communication chains. The group specializes in large, hard-to-breach targets such as telecom operators and defense projects. Its training regimen has new operators start with first-level attacks on selected Taiwanese targets before they are deployed on projects across South and South-East Asia. The group also pursues subtle monetization and is known to sell stolen IP in closed forums through intermediaries. What APT 41 does with the money it earns is not fully known; while North Korea's Lazarus Group is known to hand its earnings over to the state, some part of APT 41's revenue may be shared with its handling agency within the Chinese government.

The economic threat from APT 41

The rising activity of APT 41 will eventually have an economic impact on the countries where its targets reside. APT 41 could, in theory, chain intrusions across critical infrastructure into a single attack wave that causes business shutdowns and exfiltrates confidential economic information, including impending regulations or data that could depress stock-market sentiment and put pressure on a country's currency. Such a wave could also degrade a nation's ability to respond to an economic or military threat or to internal unrest. The resulting destabilization would affect not just the target country but the region and many multilateral institutions as well. If APT 41's past attacks are anything to go by, the group is being prepared for much larger objectives set by the agencies it reports to. Its long-term, stealthy reconnaissance of networks, communications and assets points to a larger game plan.


Threats to air force assets too real to ignore


Imagine a scenario in which hackers take control of ground-based command-and-control systems and the networks connected to them, either to shut down a critical system or to manipulate feeds so that wrong decisions are taken on the battlefield. Communication, guidance and situational-awareness systems could be targeted with intrusions or prolonged scanning to exfiltrate data. A cyberattack could even trigger an international geopolitical event, drawing in many countries through regional defense agreements.

Mission-level cyber threats

During peacetime, air force teams take part in multi-geography, multi-hardware training missions. These missions involve exercises to test response readiness, target acquisition and engagement, preservation of tactical advantage, hardware performance and battlefield coordination. They run on dedicated communication networks to which new hardware and systems, sometimes untested from a security perspective, are added. Such hardware could carry trojanized code introduced unnoticed through a compromised supply chain. Modifying systems during training for compatibility with systems belonging to other countries' air forces could also open new vulnerabilities, which in turn could expose systems to long-term reconnaissance ahead of a malware insertion at a time of the adversary's choosing. The use of older systems that may carry unpatched vulnerabilities further degrades the overall security posture.

The type of mission and the number of nations involved both shape the threats and risks that emerge. If hardware diversity increases during a multinational exercise, systems will probably be modified to ensure interoperability, exposing them to cyber threats they may not be ready to deal with. This is why training exercises are keenly watched by adversarial nations: they expose strategic and tactical shortcomings, and they bring together hardware and systems of varied origin and vintage. Training missions can therefore introduce new threats and risks, which may play out in the short or long term and reduce an air force's ability to respond to or engage an adversary in the air or on the ground.

Electronic warfare in the air, cyberwarfare in the air

Most manned and unmanned platforms carry an embedded or podded electronic warfare suite. These suites improve situational awareness, reduce the effectiveness of enemy radar, deny the adversary unrestricted use of the electromagnetic spectrum, mislead surface-to-air missiles, conduct electronic reconnaissance, improve stealth or acquire targets by intercepting communications. The pods housing such a suite could, in principle, be jammed or remotely taken over by an adversary's cyberwarfare unit and rendered inoperable. Ballistic missiles, nuclear-capable or not, are another major concern for air defense planners. Guidance that depends on satellite-navigation updates or on radio links could be jammed or spoofed with software-defined radio or crafted electronic warfare signals; purely inertial guidance, which most ICBMs rely on in flight, is not exposed to such signals.

Electronic warfare in space, cyberwarfare in space

Ground-to-space links could be compromised by APT actors, who could then push a satellite off its orbit or attitude by manipulating its orbit-control systems. A satellite made to lose its Earth lock becomes a hazard to every other space asset. Attributing such an attack would be difficult, especially if the satellite is later lost or destroyed. Given how much communication depends on satellites, a successful compromise could take down many ground systems, including those that rely on GPS positioning and timing. Complex multi-function satellites providing many services would be sitting ducks for such attacks.

Are redundancy systems part of the solution or the problem?

There is a common myth that redundant systems act as a security layer. Nothing could be further from the truth, at least in this context: redundancy is not security. In a fighter jet, redundant systems may prevent a crash if the fly-by-wire system is hacked or disabled, but they provide no security to the system and do not make it more robust against attack. In fact, redundant systems can introduce new vulnerabilities, because they are usually selected for their ability to serve as ready backups for key systems rather than for their security robustness. In summary, the hacking of assets and networks connected with an air force could lead to any of the outcomes described above.



Supply chain cybersecurity tips from NSA and CISA are timely and critical

Supply chains have become a preferred target for hackers. Government reports from the UK, the US and many other parts of the world confirm the growth of attacks on supply chains, hitting businesses and even government agencies. Such attacks often involve secondary or even tertiary targets, reached through a series of breaches across organizations connected by a supply chain.

How are supply chains targeted?

A chain is only as strong as its weakest link, and the adage holds in the digital world. Hackers study the entire supplier network to identify weak points for entry, then use the first compromised network as a conduit to reach networks belonging to other organizations upstream or downstream. A single breach can potentially expose a whole chain and many service providers. Using specific data, hackers target multiple employees across various organizations, typically through a phishing email or a watering-hole attack. While earlier attacks were opportunistic, most of the attacks we have seen this year are aimed at specific individuals and involve state-backed actors. The approach is structured and organized, and the hackers know what they want from each organization.

The ultimate targets

The more sophisticated the hacker, the more distant the ultimate target. In the case of a large defense hardware manufacturer in Europe, the hackers' first point of entry was a firmware-linked entity based in Asia. They used the first breach to move across continents and through more targets downstream until the ultimate target was breached nearly 11 months later. Target organizations and their supply-chain connections are mapped and observed over a period of time before an attack is attempted.

Software supply chain cybersecurity tips from NSA and CISA

Software supply chain compromise is a common form of supply chain attack. The most common methods are exploitation of design flaws in the software, addition of vulnerable third-party components to a software product, breach of one or more suppliers' networks to seed malicious code before the final product is delivered, and injection of malicious software that is finally deployed by the customer. The US NSA and CISA recently published guidance to secure the entire software supply chain, a welcome move. The guidance addresses the responsibilities of the different stakeholders in the software supply chain. It states that "stakeholders must seek to mitigate security concerns specific to their area of responsibility. However, other concerns may require a mitigation approach that dictates a dependency on another stakeholder or a shared responsibility by multiple stakeholders". This points to a collaborative approach to identifying and mitigating threats within and outside a supplier's own area of responsibility. On vulnerabilities, the document states that "dependencies that are inadequately communicated or addressed may lead to vulnerabilities and the potential for compromise", and goes on to list the areas where such vulnerabilities may exist. We recommend that all supply chain entities across verticals read, understand and adhere to these tips. It will go a long way toward securing not just supply chains but the entire digital footprint of enterprises and governments.
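The four compromise methods listed above all come down to something unreviewed or modified entering the build. The check below is an added example, not code from Sectrio or from the NSA/CISA guidance: it gates the third-party components a build resolves against a pin file of reviewed versions and content hashes, and against a list of versions with published advisories. The pin file, the advisory list, the component names, the version numbers and the archive contents are all constructed stand-ins for the example.

```python
"""Gate third-party components before they enter a build.

Added example, not code from Sectrio or from the NSA/CISA guidance. The
pin file, the advisory list and the component contents are constructed
stand-ins; in practice the pins come from a reviewed lock file and the
advisory list from a vulnerability database.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str     # unpinned | missing | version-drift | hash-mismatch | vulnerable-version
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good archive contents, standing in for real tarballs.
GOOD_ZLIB = b"zlib-1.2.13 source archive (constructed stand-in)"
GOOD_LIBXML2 = b"libxml2-2.9.14 source archive (constructed stand-in)"

# Constructed pin file: the version and content hash recorded when the
# component was reviewed. Only what is listed here may enter the build.
PINS = {
    "zlib": {"version": "1.2.13", "sha256": sha256_hex(GOOD_ZLIB)},
    "libxml2": {"version": "2.9.14", "sha256": sha256_hex(GOOD_LIBXML2)},
}

# Constructed advisory list: versions that must never ship.
VULNERABLE_VERSIONS = {"libxml2": {"2.9.10", "2.9.11"}}


def verify_build_inputs(build_inputs, pins=PINS, advisories=VULNERABLE_VERSIONS):
    """build_inputs maps component name -> (resolved version, archive bytes).

    Returns a list of Finding; an empty list means every input is pinned,
    unmodified, present and free of known advisories.
    """
    findings = []
    for name, (version, data) in build_inputs.items():
        pin = pins.get(name)
        if pin is None:
            # A dependency nobody reviewed: the classic way a vulnerable or
            # malicious component slips into a product.
            findings.append(Finding(name, "unpinned", "component is not in the pin file"))
            continue
        if version != pin["version"]:
            findings.append(Finding(name, "version-drift",
                                    f"resolved {version}, pinned {pin['version']}"))
        digest = sha256_hex(data)
        if digest != pin["sha256"]:
            # Same name and version but different bytes: tampering upstream or
            # on the mirror, the supplier-network compromise case.
            findings.append(Finding(name, "hash-mismatch",
                                    f"got {digest[:12]}..., pinned {pin['sha256'][:12]}..."))
        if version in advisories.get(name, set()):
            findings.append(Finding(name, "vulnerable-version",
                                    f"{version} has a published advisory"))
    for name in pins:
        if name not in build_inputs:
            findings.append(Finding(name, "missing", "pinned component absent from the build"))
    return findings


# Constructed build manifests for three situations.
CLEAN_BUILD = {
    "zlib": ("1.2.13", GOOD_ZLIB),
    "libxml2": ("2.9.14", GOOD_LIBXML2),
}
TAMPERED_BUILD = {
    "zlib": ("1.2.13", GOOD_ZLIB),
    # Correct version string, but the archive was modified in transit.
    "libxml2": ("2.9.14", GOOD_LIBXML2 + b"\n# injected post-install hook"),
    # Pulled in transitively; never pinned or reviewed.
    "libcurl": ("7.84.0", b"libcurl-7.84.0 (constructed stand-in)"),
}
DOWNGRADED_BUILD = {
    "zlib": ("1.2.13", GOOD_ZLIB),
    # The resolver picked an older release with a known advisory.
    "libxml2": ("2.9.11", b"libxml2-2.9.11 source archive (constructed stand-in)"),
}

if __name__ == "__main__":
    for label, build in (("clean", CLEAN_BUILD), ("tampered", TAMPERED_BUILD),
                         ("downgraded", DOWNGRADED_BUILD)):
        print(label, verify_build_inputs(build) or "OK")
```

The three constructed manifests exercise the failure modes the paragraph describes: an unreviewed transitive dependency, an archive whose bytes changed while its version string did not, and a resolver that quietly picked an older release with a known advisory. Run it as a build step that fails the pipeline on any finding; the same hash comparison belongs at the point where the customer deploys the final artifact.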


What are Chinese APT groups up to?

In the last 48 hours, Chinese threat actors APT 27 and APT 41 have shown extraordinary levels of activity. The fallout from recent geopolitical events continues to define the sequence of events in the region. APT 27, a decade-old threat actor, was at the forefront of the latest spike in cyberattacks on Taiwan. The targets were chosen to create a sense of panic and to showcase the ability of Chinese threat actors to strike anywhere at will. Here is the latest on some of the Chinese threat actors we are tracking.



China assigns APT actors to initiate revenge attacks for the Shanghai police data leak

According to a series of conversations intercepted by Sectrio's threat research team on various forums, China has designated Beijing-based APT 41 and Haikou (Hainan)-based APT 40 as the nodal cyber-offense teams for revenge attacks against many countries. Through these attacks, China may try to regain control of the narrative that has emerged following the revelation of a data breach affecting over a billion Chinese citizens.

Who are the Chinese APT groups targeting?

These attacks may primarily be aimed at countries with which China has had an uneasy relationship. A few other countries could be included to enlarge the apparent scale of the campaign and to add an element of plausible deniability.

Understanding the Shanghai Police data leak incident

In one of the most expansive breaches reported so far, data belonging to nearly a billion Chinese citizens was exposed. The 23 TB of data, a sample of which was released online, came from the Shanghai police department and includes names, phone numbers, government ID numbers and law-enforcement reports. The hackers made an extortion attempt, asking the police department to pay $200,000 to prevent the data from being leaked to a wider audience. China is known to keep massive amounts of data on its citizens and on persons of interest from around the world in databases with varying levels of security. In this instance, it is claimed that while the database itself was protected, a dashboard linked to it was not. On Friday, the site where the data was put up for sale removed the advertisement, while indicating that it has other databases to sell to prospective buyers. The scale of the breach left many questions unanswered, chiefly about the security of information collected by the government.

While it has made no direct reference to the breach, China has asked all public bodies and custodians of citizen information to secure the data submitted to the government, so that people and businesses feel safe sharing it with the government and its public bodies. In addition to shoring up confidence in the government's ability to harvest and store data securely, China is getting ready to go on the offensive to show that such breaches can happen to the citizens of any country. This would help China downplay the gravity of the original event while giving Chinese social platforms a convenient diversionary topic.

Game plan: revenge

China is planning to launch new ransomware families and multi-loader malware for this operation. The APT groups designated for the campaign are APT 40 and APT 41. APT 40 also goes by BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, TEMP.Periscope and TEMP.Jumper. In the past it has targeted government agencies, healthcare facilities, AI projects and scientific research. APT 40 is no stranger to harvesting stolen data and is known to maintain long-term reconnaissance access to many victims in countries the PRC government considers adversaries, as well as in friendly countries that have signed up to the Belt and Road Initiative or received Chinese aid in one form or another. APT 40 operators often use legitimate, non-malicious tools staged in non-standard folders during an intrusion, so a legitimate tool found running from an unexpected location is itself a useful indicator of compromise. The malware libraries used by APT 40 are often shared with other Chinese APT groups, and post-breach data is also shared with other groups as standard practice.

Beijing-based APT 41 (also known as Double Dragon, Barium, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie and Blackfly) is known to have links with the Chinese Ministry of State Security (MSS). Between 2021 and the early months of 2022, the group conducted extensive operations against the governments of the US, Canada, the UK and a few other NATO member states. It has multiple breach tactics in its inventory and is hard to detect; it can also modify malware after implantation to blend in with the host environment and adapt to changes the victim makes to its network. Both groups are well versed in large-scale data harvesting, processing and transfer, and are among the stealthiest APT groups in China, which is why China has chosen them for this series of revenge attacks across many countries. The attacks could occur as early as this month, as China seeks to bury the Shanghai Police leak episode; the speed with which these actors were assigned indicates a sense of urgency.

These actors are profiled further in Sectrio's 2022 IoT and OT Threat Landscape Assessment Report, and the key APT clusters under observation are explained by Prayukth K V, CMO, Sectrio.
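The observation about legitimate tools in non-standard folders translates directly into a detection. The script below is an added example, not Sectrio detection content: it parses a handful of constructed process-creation records, compares the directory each tracked tool ran from against a baseline of where that tool is installed, and reports the ones that ran from somewhere else. The record format, the host names, user names, timestamps and the baseline table are all constructed for the example.

```python
"""Flag legitimate tools executing from directories where they are not
normally installed.

Added example, not Sectrio detection content. The expected-location table
and the process-creation records are constructed; real telemetry would
come from Sysmon event ID 1, an EDR or auditd, and the table must be built
from your own software inventory.
"""
from pathlib import PureWindowsPath

# Constructed baseline: lower-cased directories each tool is deployed from.
EXPECTED_DIRS = {
    "procdump.exe": {r"c:\tools\sysinternals"},
    "psexec.exe": {r"c:\tools\sysinternals"},
    "rar.exe": {r"c:\program files\winrar"},
    "7z.exe": {r"c:\program files\7-zip"},
    "certutil.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    fields = {}
    for item in line.strip().split("|"):
        key, _, value = item.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def off_path_reason(image: str):
    """Return None if the image is untracked or in an expected directory,
    otherwise a string explaining why it is suspicious."""
    path = PureWindowsPath(image)
    name = path.name.lower()
    parent = str(path.parent).lower()   # Windows paths compare case-insensitively
    expected = EXPECTED_DIRS.get(name)
    if expected is None or parent in expected:
        return None
    return f"{name} ran from {parent}; expected one of {sorted(expected)}"


def scan(lines):
    """Return one hit per record whose image is a tracked tool outside its baseline."""
    hits = []
    for line in lines:
        event = parse_event(line)
        image = event.get("image")
        if not image:
            continue
        reason = off_path_reason(image)
        if reason:
            hits.append({
                "time": event.get("time"),
                "host": event.get("host"),
                "user": event.get("user"),
                "image": image,
                "cmdline": event.get("cmdline"),
                "reason": reason,
            })
    return hits


# Constructed process-creation records; hosts, users and times are invented.
SAMPLE_LOG = [
    r"time=2022-07-08T02:14:09Z|host=WS-ACCT-07|user=CORP\jdoe|image=C:\Users\Public\Music\procdump.exe|cmdline=procdump.exe -ma lsass.exe ls.dmp",
    r"time=2022-07-08T02:15:31Z|host=WS-ACCT-07|user=CORP\jdoe|image=C:\Tools\Sysinternals\PsExec.exe|cmdline=psexec.exe \\srv-file-01 cmd",
    r"time=2022-07-08T02:21:47Z|host=WS-ACCT-07|user=CORP\jdoe|image=C:\PerfLogs\rar.exe|cmdline=rar.exe a -hp staging.rar C:\Users\jdoe\Documents",
    r"time=2022-07-08T02:22:03Z|host=SRV-FILE-01|user=NT AUTHORITY\SYSTEM|image=C:\Windows\System32\certutil.exe|cmdline=certutil -verifystore root",
    r"time=2022-07-08T02:25:19Z|host=SRV-FILE-01|user=CORP\svc-backup|image=C:\Windows\Temp\certutil.exe|cmdline=certutil -decode pl.b64 pl.exe",
    r"time=2022-07-08T02:26:40Z|host=SRV-FILE-01|user=CORP\svc-backup|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["user"], hit["reason"])
```

Location is an indicator, not proof: an adversary who can write to C:\Tools\Sysinternals will stage procdump.exe there and pass this check, and a portable install will fail it. Treat a hit as a trigger to look at the binary's hash and signature, the parent process and the command line (dumping lsass, or decoding a payload with certutil, in the constructed records above), and keep the baseline in step with the software inventory.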



Rising ransomware attacks point to a larger cybersecurity problem

In January 2022, we saw a sharp rise in ransomware attacks on IoT and IT networks. Most of these attacks were designed to lock up data, copy part or all of it, and then dump it on the dark web. If media reports are to be believed, many organizations that paid a ransom did not get their data back. Breaking the ransomware problem down, these are the key components of the larger challenge it poses to businesses:

- Insider threat: employees or partners willingly or unwittingly aiding hackers.
- Rising potency of ransomware: hackers have invested heavily in the facilities behind ransomware production and distribution, which is why 2021 was such a successful year for them.
- Growing ransom demands: reports differ on the highest ransom demanded last year, but ransom amounts clearly grew significantly in 2021.
- The rising role of enablers: the number of ransomware developers is growing, and so is the role of enablers, including negotiators and professional breach enablers who place the ransomware in target networks.
- Bleeding data: in December 2021, the volume of new data dumped on the dark web rose by nearly 3 TB.
- Hackers are now more aware of the vulnerabilities, cybersecurity gaps and process deficiencies in the IoT, IT and OT estates of businesses, and they use this knowledge to breach assets and networks.

What can businesses do to protect themselves from ransomware attacks?

- In sectors such as manufacturing, pharma, defense and retail, cybersecurity needs to be embedded in supply chains and feeder processes.
- For small and medium businesses, continuous operational visibility and visibility into networks is a must.
- Oil and gas (upstream and downstream operators) has traditionally been vulnerable to a range of threats. Operators need to harden their operations and revisit their processes and cybersecurity practices to align them with the new threats emerging in the background.
- Healthcare firms need to ramp up their IT security and invest heavily in securing their data.
- Micro-segmentation, which fragments networks to give greater visibility and granular enforcement of security policy, is a must-deploy measure.
- Industrial control systems and health-and-safety systems deserve particular protection: a compromise is not just an operational problem but a health-and-safety hazard for employees in plants that handle oil and gas products and other complex, dangerous chemicals.
- Cybersecurity audits should be conducted at least once a month. Many formats exist; Sectrio has published one aligned with the NIST framework.
- Encourage employees to report incidents, and incentivize them to proactively detect and report vulnerabilities and security gaps.
- Businesses connected by long-tail and short-tail supply chains should collaborate on common security standards and measures that they can deploy together.
- Enforce a no-click policy for suspicious emails.
- Consider multiple vendors for threat intelligence feeds.

Rising ransomware attacks point to a larger cybersecurity problem

Improving OT security by understanding key security challenges

The convergence of IT, OT, and IoT has opened new avenues for hackers to target systems based on those three technologies. OT, however, has been impacted uniquely, as the security dimensions of OT have not been fully understood by security practitioners. With the collapse of traditional air-gapped systems, OT devices are now being targeted extensively by various hacker groups. To counter them, we need to understand how hackers are breaching OT systems.

There are two main routes of entry for hackers into OT systems. One involves using networks as conduits to access a production facility in a connected OT environment. In an unsegmented network, all (compromised) connected assets could serve as entry points for hackers. This is especially true for OT operators in traditional industries such as manufacturing, power plants, oil and gas refineries, and pipelines that are now embracing some form of digital transformation and large-scale automation.

The second conduit involves a physical breach by an intruder carrying a USB drive with the malware payload and connecting it to the OT network from within. Such a modus operandi is often used to target OT systems within defense, maritime, and power companies that still house unconnected or air-gapped OT systems.

OT cyberattacks are thus not accidental episodes and require significant planning and execution finesse on the part of the hackers. In the case of many defense facilities such as radar stations and communication and signals hubs, we have seen hackers or their enablers throw infected pen drives into the campuses of these defense entities to be picked up and used by an unsuspecting employee. Though the use of USB drives is strictly regulated, such devices still manage to become part of some of the large OT breaches we have seen in the last few years.

OT security challenges and targets

Safety and control systems are high on the wish list of hackers.
These are the systems that, when accessed and modified, can cause tremendous disruption and loss. Such breaches are also hard to contain, and news of the breach soon reaches the external world and the hackers through the media. ICS and SCADA systems have been traditional targets for hackers and continue to be targeted.

A safety instrumentation system or an environmental control system, both of which are key to ensuring safety in plants and other locations accessed by plant personnel, can also be targeted. This puts lives at risk and could also pose a danger to critical instrumentation, including its calibration, which is often quite sensitive; even a minor change could trigger a series of production errors downstream.

Improving OT security

- Start by viewing IT and OT as extensions of the overall digital infrastructure and cover them through a unified security policy that also takes into account the unique cybersecurity aspects of each.
- The above policy should also contain common goals for the IT, IoT, and OT security teams. Key KPIs and milestones that they can achieve in collaboration should also be formulated.
- Conduct periodic joint digital security audits across the enterprise to evaluate the institutional cybersecurity posture and to eliminate gaps.
- The NIST Cybersecurity Framework and IEC 62443 can be used as guides to secure parts of the network or the network as a whole.
- Micro-segmentation can be used as an excellent tactic to isolate the overall digital infrastructure into fragments. This will not just help contain an attack but will also prevent malware from moving laterally.
- For digital transformation or large-scale OT automation projects, or those involving a phased transition to IIoT, OT security teams should be roped in to develop a comprehensive security roadmap that doesn't just end with the transition. Instead, the roadmap should cover long-term operational security for all assets and must take into account converged threats or threats that might emerge in the future.
- As part of the unified security policy, an OT-security-specific policy can also be developed to bring OT security on par with IT security.
- Operate with OT-focused threat intelligence to detect unique threats that may affect OT but not IT.
- Vulnerability assessments and gap analysis should be conducted at regular intervals, and such processes should be further documented through regular audits.
- Security for IT, IoT, and OT assets should be owned by a joint cybersecurity team including members from both sides. This will ensure the evolution of a common minimum standard for security across the organization.
- Deploying an OT security solution that works to secure all aspects of OT is also recommended.

Sectrio is offering its threat intelligence feeds for a free 15-day trial. Our feeds work with the best SIEM solutions out there and meet all the parameters listed above. To access our threat intelligence feeds for free, sign up now. Talk to our cybersecurity experts to learn how Sectrio's IoT security solution and threat intelligence can help your business. See how our OT-IoT-IT security solution can handle such threats to your enterprise. Book a no-obligation demo.
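The micro-segmentation recommendation above (and the same point in the ransomware post earlier on this page) is easiest to act on when "granular enforcement" is written down as an explicit zone-to-zone allow-list and observed traffic is audited against it. The script below is an added example, not Sectrio's code or a product feature: it assumes a hypothetical three-zone layout (IT, industrial DMZ, OT), constructed subnets and ports, and a handful of constructed flow records, and flags every flow that is not on the allow-list, including any direct IT-to-OT path that bypasses the DMZ.

```python
"""Zone-based micro-segmentation audit (added example; not Sectrio's code).

Checks observed IT/DMZ/OT flow records against a zone-to-zone allow-list.
All subnets, ports and flow records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone map: each segment is a separate enforcement domain.
ZONES = {
    ip_network("10.1.0.0/16"): "IT",    # corporate network
    ip_network("10.2.0.0/24"): "DMZ",   # industrial DMZ (historian, jump host)
    ip_network("10.3.0.0/16"): "OT",    # control network
}

# Explicit allow-list of (src_zone, dst_zone, dst_port); everything else is denied.
# IT -> OT is absent on purpose: all traffic into OT must traverse the DMZ.
ALLOWED = {
    ("IT", "DMZ", 443),   # IT users reach the historian / jump host over HTTPS
    ("DMZ", "OT", 502),   # DMZ collector polls Modbus/TCP on OT assets
    ("OT", "OT", 502),    # intra-cell Modbus polling
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def zone_of(addr: str) -> str:
    """Map an address to its zone, or UNKNOWN if it is not in any segment."""
    ip = ip_address(addr)
    for net, zone in ZONES.items():
        if ip in net:
            return zone
    return "UNKNOWN"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the allow-list policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (src_zone, dst_zone):
        # An unmapped asset is itself a visibility gap worth investigating.
        return "deny", f"unmapped address in {src_zone}->{dst_zone}"
    if src_zone == "IT" and dst_zone == "OT":
        return "deny", "direct IT->OT path bypasses the DMZ"
    if (src_zone, dst_zone, flow.dst_port) in ALLOWED:
        return "allow", f"{src_zone}->{dst_zone}:{flow.dst_port} is on the allow-list"
    return "deny", f"{src_zone}->{dst_zone}:{flow.dst_port} is not on the allow-list"


# Constructed flow records (as a flow collector might export them).
SAMPLE_FLOWS = [
    Flow("10.1.20.15", "10.2.0.10", 443),   # IT workstation -> DMZ historian
    Flow("10.2.0.10", "10.3.1.50", 502),    # DMZ collector -> OT PLC
    Flow("10.1.20.15", "10.3.1.50", 502),   # IT workstation polling a PLC directly
    Flow("10.3.1.50", "10.1.20.15", 445),   # OT asset opening SMB towards IT
    Flow("192.168.9.9", "10.3.1.50", 502),  # unmapped source talking Modbus to OT
]


def violations(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every denied flow with its reason, for review or alerting."""
    result = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            result.append((flow, reason))
    return result


if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dst_port}: {reason}")
```

Run against the constructed records, the audit flags three flows: the workstation reaching a PLC directly, the PLC opening SMB back into IT (lateral movement in the reverse direction, which a one-way "protect OT" rule would miss), and the unmapped source, which is a visibility gap rather than a policy violation but is denied for the same reason. The same check can be fed real flow exports, and the allow-list can be split further per cell or per protocol as segmentation matures.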

Improving OT security by understanding key security challenges
