Sectrio


NIST 800-82 R2/R3: A Practical Guide for OT Security Professionals

“Is our critical infrastructure truly secure in the face of ever-evolving cyber risks and insider threats?” This question resonates with an urgency that cannot be disregarded in a world where technology is woven into every facet of our existence. The pulse of modern industries relies on the seamless convergence of Operational Technology (OT) and digital systems. While this fusion promises efficiency and progress, it also opens the floodgates to potential cyber vulnerabilities that could cripple vital infrastructure.

Recommended Reading: How to get started with OT security

As industries become increasingly interconnected, the need for robust security measures has birthed the National Institute of Standards and Technology (NIST) 800-82 Revision 2 (R2) and Revision 3 (R3). These seminal documents offer more than just guidelines; they are a beacon guiding OT security professionals in safeguarding our critical systems from digital perils.

In the subsequent sections, you’ll embark on a journey deep into the heart of NIST 800-82 R2/R3. You’ll explore its significance and practical implementation and understand how it weaves a protective cocoon around our operational technology landscape. This is not just a technical endeavor; it’s a call to action, a rallying cry to ensure that our industries stand fortified against the tides of cyber threats. Let’s unravel the layers of NIST 800-82 R2/R3 and discover how its wisdom can pave the way to a safer digital future and be a practical guide for OT security professionals.

Understanding the Significance of NIST 800-82 R2/R3 Framework

Picture a world where power grids, manufacturing plants, and transportation networks suddenly come to a grinding halt. The lights go out, production lines cease their rhythmic hum, and vehicles stall on highways. The very fabric of our modern society frays at the edges, all because of a few lines of malicious code. This scenario isn’t a dystopian fantasy; it’s a chilling reality that underscores the fragility of our critical infrastructure in the face of cyber threats.

Operational technology, the backbone of these infrastructural giants, wields the power to shape economies and societies. Yet, this power also paints a bullseye on its back. As the world transitions into the digital era, the convergence of Information Technology (IT) and OT systems opens Pandora’s box of vulnerabilities. It’s a landscape where an attack on a single OT component could trigger a cascading catastrophe affecting countless lives.

NIST 800-82 R2/R3 Framework: The National Institute of Standards and Technology (NIST) 800-82 R2/R3 framework offers a comprehensive roadmap designed to empower OT security professionals with the necessary guidance to secure their infrastructure.

NIST 800-82 R2: Built on Experience, Forged by Challenges

The evolution from the original NIST 800-82 to Revision 2 is a testament to the rapid transformation of the threat landscape. Every breach, every incident, and every challenge that emerged since the inception of the original framework has been meticulously woven into the fabric of R2. It’s a living document, breathing in past lessons to arm us against present and future threats.

NIST 800-82 R3: Holistic Resilience in a Digital Age

But NIST didn’t stop there. With the emergence of Revision 3, the framework blossoms into a more holistic approach, emphasizing risk management, resilience, and adaptability. R3 encourages us to transcend the traditional notions of security and embrace a mindset that anticipates, mitigates, and recovers from threats. It underscores the urgent need for organizations to not only shield themselves but also to build a shield that evolves and strengthens over time.

The Essence of NIST 800-82 R2/R3 Template

These documents transcend technical jargon; they encapsulate a philosophy that acknowledges the dynamic interplay between technology, strategy, and human behavior. In a world where change is the only constant, NIST 800-82 R2/R3 becomes the rock on which organizations can build their defenses. It’s a promise that, regardless of the shape-shifting nature of cyber threats, we stand united with a framework that equips us with the right strategies to secure what matters most.

Key Components of NIST 800-82 R2/R3

Risk Management: Illuminating the Path Ahead

In OT security, ignorance is not bliss—it’s a ticking time bomb. NIST 800-82 R2/R3 acknowledges this reality and places risk management at the very core of its philosophy. It’s a call to arms, urging OT security professionals to proactively identify vulnerabilities and assess threats before they manifest into full-blown crises.

Categorizing Assets: Know Your Terrain

Imagine embarking on a journey without a map. Chaos would reign, and progress would be hampered by uncertainty. Similarly, in the world of OT security, understanding the lay of the land is paramount. NIST 800-82 R2/R3 advocates for the meticulous categorization of assets—both physical and digital. This comprehensive inventory lays the foundation for effective risk assessment, enabling security professionals to identify potential weak points and allocate resources where they matter most.

Security Controls: Building the Bastions

While risk assessment is the compass, security controls are the fortress walls. NIST 800-82 R2/R3 presents a comprehensive list of security controls and countermeasures that collectively bolster the defense mechanisms of OT systems. From access control and network segmentation to intrusion detection and incident response, each control serves as a sentinel, vigilant against threats that may attempt to breach the barriers.

Layered Defense: The Power of Synergy

The strength of NIST 800-82 R2/R3 lies in its emphasis on a layered approach to security. It recognizes that a single defense mechanism is insufficient to thwart the myriad of threats lurking in the digital landscape. Just as a medieval castle featured multiple layers of walls, moats, and gates, OT systems must employ diverse security measures that, when combined, create a formidable defense against adversaries.

Adaptive Strategies: Navigating the Unknown

In the world of cybersecurity, stagnation is akin to defeat. NIST 800-82 R2/R3 champions the concept of adaptability—a strategy that acknowledges the dynamic nature of threats and the need to evolve defenses in response. By incorporating the principles of continuous monitoring, organizations can swiftly detect anomalies, assess their potential impact, and recalibrate defenses to address emerging threats.

Practical Implementation of NIST 800-82 R2/R3

Building the Foundation: Asset Inventory and Management

Imagine


OT Attack Path Analysis: A Comprehensive Guide

The convergence of Information Technology (IT) and Operational Technology (OT) networks, resulting in the exposure of OT networks to threats, paved the way for OT cybersecurity. OT is the use of hardware and software in critical infrastructure industries like power, energy, water treatment, manufacturing, etc. A compromise of security in these industries can result in cascading effects. To secure the safety of industries from cyberattacks, organizations come up with many solutions, with attack path analysis being one of them.

What is attack path analysis?

Attack path analysis is the graphical representation of pathways to crucial data in your organization, which cybercriminals adapt to gain access. Through attack path analysis, organizations are structured to think the way a bad actor thinks. It is the simulation of ways used by attackers, carried out in order to implement mitigation strategies. With the help of attack path analysis, organizations can prioritize threats and take remediation measures accordingly.

The need for attack path analysis

A typical organization, on average, has 11,000 exploitable security exposures in just one month. The need for attack path analysis cannot be emphasized more! The following are some more points to highlight the need:

Increased spectrum of threats

There has been an increase in the kinds of threats, and new ones also emerge every day. Every threat is based on some financial, political or other motive, and cybercriminals work toward the disruption of OT systems to attain them. OT systems manage critical infrastructure, and as such, they are easy targets for attackers. This necessitates that you keep the OT environment alert with an analysis of the possible paths taken by hackers and other cybercriminals.

The complexity of the OT environment

The OT environment is complex and depends on different devices, systems, and networks. With high interdependency, an attack on one could lead to devastating effects on the OT environment. With the help of attack path analysis, you can understand how attacks could surface and ways to tackle them. Some attacks may appear unrelated, but the analysis could lead to insightful findings that could save the organization thousands of dollars.

Compromise due to insider attacks

OT environments are greatly impacted by insider attacks, as people having access have immense technical knowledge and operational expertise to misuse them. This can be kept under check through attack path analysis. The exploration of ways insiders could use their expertise to scan through systems and exploit them helps to locate threats well before they could happen. This saves the organization from potential attacks that could otherwise be severe.

Regulatory requirements

Attack path analysis is also needed as a part of compliance with regulatory requirements. Industries with OT systems have certain mandatory requirements. This is required for data protection in view of the increased possibility of attacks on cybersecurity systems.

Keep business operations on track

There could be total mayhem when a successful cyberattack disrupts business continuity. This can potentially lead to a loss of several millions of dollars and negatively impact the business’s reputation. With attack path analysis, companies are always on the lookout for attacks, and this helps reduce downtime. The company can also bounce back easily when it is proactive and prepared with an assessment of security.

Assess the priority of exposure

In many organizations, security concerns that require attention are often overlooked. This is because there are too many assets on their network and identifying risks becomes difficult. This can be avoided with the help of attack path analysis. It helps analyze the priority of exposure of assets and thereby to be ready with protection mechanisms before an attack can surface.

Visualize the way a hacker could think

Seeing the attack paths like a hacker could provide complete visibility of the risks involved. It helps visualize the potential attack chains so that it is easy to understand the assets that could be targeted. Factors like host reachability, misconfigurations, vulnerabilities, etc., are all risk factors that can be correlated to help fix security issues.

Steps to perform OT attack path analysis

A series of steps, as listed below, need to be followed for effective attack path analysis:

1. Definition of scope
The scope and goals of your analysis must be laid down in clear terms. What are the OT systems, assets, etc., you want to analyze? What is the purpose of your analysis? These are some questions you should answer before you start. List out the possible vulnerabilities and attack vectors that you wish to uncover through this analysis. This definition gives a proper direction to your activity.

2. Identify the critical systems
There are several critical assets and systems in the OT environment that are exposed to threats. These should be identified so that the priority of threats can be ascertained. Threats need to be addressed in the order of their criticality so that the most crucial ones can be dealt with first. This can help an organization greatly, as serious threats are easily identified and thwarted.

3. Mapping of the flow of data
Data moves through multiple points, of which some may be prone to weaknesses. Mapping data flows can help locate the weak points so that they can be addressed. Understanding the flow of data enables the identification of paths attackers may emerge from.

4. Identify threats and vulnerabilities
You should conduct a vulnerability assessment and threat analysis that is specific to the OT environment. This helps identify the various weaknesses and the probable impacts they could cause. Timely assessment is an important step, as it prevents attacks from happening and thereby maintains business continuity.

5. Assess the attack vectors
An attack vector is the pathway through which attackers enter the OT environment. Attack vectors include credential theft, malware, social engineering attacks, insufficient protection, etc. Analysis of the attack vectors helps identify ways to avoid them. For example, the data and network access of every employee have to be assessed to prevent insider attacks.

6. Identify the attack scenario
The mode of operation that the attacker might opt for has to be defined. All paths that



Fundamentals of attack path analysis in an OT environment

At its core, an attack path analysis presents a powerful visual and impactful representation covering a potential path that cyber threat actors or malicious payloads may tread to breach asset or network targets. The benefits justify resource and attention investments in an APA exercise. In addition to helping reduce the chances of a successful cyberattack, it can also improve the maturity of your OT security team.

The depiction of a compromise path, so to speak, presents a visual dimension to a possible attack and enables security teams, SOC analysts, CISOs, and security decision-makers to derive and deploy countermeasures. Attack Path Analysis also helps prioritize vulnerabilities for action based on a deeper understanding of the impact a possible cyberattack could have.

How to approach Attack Path Analysis in an OT environment

An OT environment can present several challenges to the smooth conduct of an Attack Path Analysis effort. Knowledge of the environment, operational dynamics, asset topology and vulnerabilities is essential. As we have seen many times before, many OT operators do not have such information, or lack information at the level required to conduct an APA in a structured manner. The relevance of the outcome of the APA for your organization depends on many factors.

To conduct an APA in an OT environment and to get results that matter, these prerequisites have to be in place:

Once the above data is in place, a model can be derived to map the possible attacks and the targets along with the path an attack could potentially take. Contextual information that enables a direct correlation between targets, breach points, conduits, and the overall path can then be ascertained.

Recommended reading: Complete Guide to Cyber Threat Intelligence Feeds

APA should not be seen as a drawing board/whiteboard exercise to be conducted on paper. Instead, APA should be conducted as an objective exercise to identify and break existing attack paths and reduce the chances of a new one appearing in the future.

Charting the course of an attack

It is not essential for an attack to move horizontally in a network in a linear manner. Thus, when drawing the attack path, the model must be able to offer multiple paths with the probability of the attacker choosing a specific path to a target, and link that with the probable success ratio. This will help security teams focus their attention on breaking the attack path through specific interventions, starting with the most probable paths.

When deciding on prioritizing interventions, the following aspects can be used to derive a path score:

Benefits of an Attack Path Analysis

Conducting an APA can lead to many benefits for your organization. Some of these include:

Interested in learning more about how you can deploy APA in your organization? Talk to our APA expert.

Watch our On-Demand webinar here: How to conduct OT attack path analysis in your organization



Deconstructing the CL0P RaaS group and understanding the MOVEit breach in 2023

The large-scale incorporation of connected OT/SCADA systems is a growing trend, but are you aware of the increasing presence of sophisticated threat actors and rapidly budding ransomware variants? The question you should ask yourself and your peers is “Are my OT/SCADA systems secure against next-generation cyber threats?” In this blog, we will be discussing particular instances where CL0P ransomware has been identified in OT/SCADA systems.

OT/SCADA systems control physical devices and processes, such as water treatment plants, power grids, and manufacturing plants. These systems are often susceptible to attacks due to their setup and pre-existing vulnerabilities, and they are often targeted as a result of the lax security protecting them. While the scale of attacks targeting such systems can be analyzed further in our global threat landscape report 2023, it is imperative to understand the motive of the actors behind such attacks.

Through Sectrio’s ongoing research initiatives, CL0P is one such ransomware that has popped up on our radar multiple times. Its usual methods include infiltration via phishing emails, malicious attachments, and exploit kits. The RaaS group operates methodically and begins its process with meticulous research into its victim’s operations and how they can be exploited.

Recommended Reading: How to get started with OT security

CL0P follows this research with social engineering and spear phishing techniques, through which the group looks to penetrate the victim’s network and deploy the ransomware. After the successful deployment of the ransomware, CL0P publishes a portal on the dark web for the victim to first verify 3 files to validate the compromise, and requests a ransomware payout. The whole ordeal lasts between 3 and 7 days. The victim suffers operational halts, reputational damage, loss of IP, and financial losses.

This report is a comprehensive analysis of CL0P ransomware, including attack techniques, verticals targeted, countries targeted, and attack scenarios on OT-specific verticals. Stick around and learn more!

Who is CL0P?

CL0P is a notorious ransomware as a service (RaaS) operation run by a Russian-speaking group. CL0P was first seen in February 2019 as a new variant in the Cryptomix family. It was delivered as a payload of a phishing campaign associated with the financially motivated actor TA505. CL0P was able to inject malicious code into the company’s database servers by exploiting a zero-day vulnerability using SQL injection. This allowed the attackers to access and download the data stored in the databases. This ransomware also used a verified and digitally signed binary, making it look like a legitimate executable file that could evade security detection.

CL0P Ransomware

The CL0P ransomware is one of the biggest malware threats in cyberspace today. The attackers once demanded more than 20 million dollars from a victim to restore services. Targeting SCADA systems with CL0P ransomware presents a grave risk to vital infrastructure, carrying the potential for operational breakdowns, substantial financial damages, and even endangering human safety. Exploiting vulnerabilities within SCADA systems, malicious actors can illicitly infiltrate and encrypt crucial control files, resulting in the cessation of industrial operations or even the discharge of dangerous materials.

In June 2023, the CL0P ransomware group exploited a zero-day vulnerability in the MOVEit Transfer tool. This vulnerability was announced on May 31, 2023, by the Progress Software Corporation. Earlier this year, CL0P had used a similar vulnerability to attack the GoAnywhere file transfer product of Fortra, stealing data from more than 130 companies, governments, and organizations. The CL0P attack on MOVEit Transfer is believed to have affected hundreds of organizations worldwide.

CL0P Darkweb page

On the dark web page, the group uploads notes, news, published data, and steps to contact them.

Steps for Companies Attacked by CL0P Ransomware Gang

The CL0P gang uploads published data and victim organization names on its dark web page.

Companies attacked by CL0P Ransomware Gang

CL0P Email IDs for communication

The ransomware has been known to use the email ID UNLOCK@RSV-BOX.COM. This was, however, changed to UNLOCK@SUP-BOX.COM. We believe that this change was triggered as a result of technical challenges.

Timelines of CL0P Ransomware and MOVEit

The CL0P ransomware gang was relatively inactive from November 2022 to February 2023 compared with March and April 2023, as accurately predicted in Sectrio’s Global Threat Landscape Analysis and Assessment Report; the NCC report stated that CL0P went from one of the least active threat groups in March to the fourth most active in April. This significant increase in CL0P ransomware activity is a cause for concern, as it suggests that the gang is becoming more active and successful in its attacks. Businesses and organizations should be aware of the CL0P threat and take steps to protect themselves from ransomware attacks.

Affected Countries by CL0P Ransomware

Tools, Malware, and Vulnerabilities Used by CL0P Ransomware

Malware used by CL0P: FlawedAmmyy, SDBOT, Get2 Loader

Tools used by CL0P: Cobalt Strike, TinyMet

List of vulnerabilities exploited by CL0P ransomware

The exploits built are prepared using the vulnerabilities below:

CVE ID           Vulnerability Type                           CVSS Score and Severity
CVE-2023-34362   SQL injection vulnerability                  9.8 Critical
CVE-2023-35036   SQL injection vulnerability                  9.1 Critical
CVE-2023-0669    Pre-authentication command injection         7.2 High
CVE-2021-27101   SQL injection vulnerability                  9.8 Critical
CVE-2021-27102   OS command execution                         7.8 High
CVE-2021-27103   SSRF via a crafted POST request              9.8 Critical
CVE-2021-27104   OS command execution                         9.8 Critical
CVE-2021-35211   Remote code execution (RCE) vulnerability    10.0 Critical

Vulnerabilities exploited by CL0P ransomware

Analysis of CL0P Ransomware

TA505 is a threat actor that uses phishing emails to deliver malware to its victims. The malware typically arrives as a macro-enabled document that, when opened, drops a loader named Get2. Get2 can then download other tools used by TA505, such as SDBot, FlawedAmmyy, or FlawedGrace. Once TA505 has gained a foothold on the victim’s system, it performs reconnaissance, lateral movement, and exfiltration. This allows the actor to gather information about the victim’s network and systems and to move laterally to other systems within the network. The final step is to deploy ransomware, encrypting the victim’s files and demanding a ransom payment. Sometimes, SDBot has been



A Complete Guide to OT/ICS Vulnerability Management

Are Your Operational Technologies Truly Secure?

In the present landscape of digital interconnections, where operational technology (OT) serves as the lifeblood of industries, ensuring the robust security of these systems emerges as more crucial than ever before. Imagine a world where an organization’s crucial infrastructure remains safeguarded from online menaces, ensuring the confidentiality of your information and preserving the integrity of your production procedures. This reality is within reach, with the solution lying in adept vulnerability management!

Welcome to the ultimate guide to managing vulnerabilities in 2023, serving as your guiding light in the cybersecurity domain for OT. Within this all-encompassing exploration, we unveil the mysteries surrounding systems and utilities for vulnerability management. This gives you the information you need to confidently navigate the always-changing environment of potential hazards. Our guide explores vulnerability management in great detail, not just on the surface. From understanding the fundamentals to implementing cutting-edge tools, we’ve got you covered. We comprehend the nuances of your concerns—balancing system uptime while staying impervious to cyber threats is no easy feat. But fear not, for we bring you actionable insights that empower you to bolster your defenses without sacrificing productivity.

Did you Know? Enterprises that use risk-based vulnerability management will suffer 80% fewer breaches.

What is Vulnerability Management?

Vulnerability Management in the context of OT is a proactive strategy to safeguard industrial systems from potential cyber threats. It involves systematically identifying, assessing, and mitigating vulnerabilities that could compromise the integrity, availability, or confidentiality of critical assets. A robust vulnerability management program tailored for OT environments establishes a structured framework for continuously monitoring and addressing vulnerabilities.

Vulnerability Management as a Service (VMaaS) takes this further by offering expert assistance and tools to organizations, often including specialized solutions for OT settings. This service-driven approach streamlines vulnerability scanning, risk assessment, and remediation efforts, providing businesses with a comprehensive shield against evolving threats.

In essence, Vulnerability Management in OT combines strategic planning, regular assessments, and timely mitigation to identify and address vulnerabilities proactively before they can be exploited. It ensures that critical industrial systems remain resilient and secure, even in the face of ever-changing cyber challenges.

Why is Vulnerability Management Important for Organizations?

It’s more crucial than ever to stay one step ahead of potential dangers in the constantly changing world of cybersecurity, especially when it comes to operational technology. OT has advanced into the future as a result of the widespread use of digital technologies, helping firms achieve new levels of productivity and innovation. However, this shift has also cast a shadow: threat actors constantly search for gaps to attack within these complex systems. Your organization’s readiness to deal with cyberattacks, not resistance to them, is what matters.

So, Are You Ready to Elevate Your OT Security? Let’s Begin.

Here’s why effective vulnerability management is non-negotiable in the world of OT:

Preserving Operational Continuity

Disruptions can lead to catastrophic consequences in OT environments. Vulnerabilities in industrial control systems (ICS) or SCADA systems can not only halt operations but also compromise safety. Implementing a robust vulnerability management strategy ensures that operational processes continue smoothly without compromising the integrity of the systems.

Mitigating Cyber Risks

Malicious actors constantly seek vulnerabilities to exploit. For OT, this could result in unauthorized access to critical systems or even the manipulation of processes, leading to financial losses and reputational damage. Effective vulnerability management is a proactive shield against cyber threats, reducing the organization’s risk exposure.

Compliance and Regulations

Many industries operating in the OT sector are subject to stringent regulations and compliance standards. Adhering to these requirements necessitates a comprehensive vulnerability management approach. Failure to do so not only invites legal consequences but also puts the organization at risk of cyber incidents. Let’s explore some notable standards that regulate OT security:

ISA/IEC 62443 (International Society of Automation/International Electrotechnical Commission)

This comprehensive standard outlines the cybersecurity requirements for industrial automation and control systems. With its multi-part framework, IEC 62443 addresses various aspects of OT security, from network design to system lifecycle management. Its global recognition underscores its significance in safeguarding industrial processes against cyber threats.

Download Checklist: The IEC 62443 Checklist

NCA’s OTCC-01:2022 (National Cybersecurity Agency of Saudi Arabia)

The Saudi Arabian regulatory body provides a set of guidelines, OTCC-01, focusing on securing industrial systems against cyber risks. These guidelines encompass risk management, security architecture, incident response, and more, providing organizations with a structured approach to OT security.

Read about: Operational Technology Cybersecurity Controls by NCA

NIST 800-82R3 (National Institute of Standards and Technology)

Specifically tailored for industrial control systems, NIST 800-82R3 offers guidelines for protecting these critical assets. It covers security assessments, access control, and anomaly detection, and serves as a crucial reference for OT security practitioners.

NIST SP 800-53 Rev. 5

While not exclusively focused on OT, this NIST publication provides an inclusive catalog of security and privacy controls for information systems and organizations. Its relevance also extends to OT security, offering a robust foundation for implementing security measures.

NERC CIP

Enforced within the North American electricity industry, the NERC CIP standards ensure the reliability and security of the bulk power system. They encompass a range of requirements, from physical security to cybersecurity, to mitigate risks associated with power generation and distribution.

EU Mandate NIS 2 (Network and Information Systems Directive)

Building upon its predecessor, NIS 2 aims to enhance the cybersecurity posture of essential and digital service providers within the European Union. With specific provisions for OT systems, this directive emphasizes incident reporting, risk management, and cross-border cooperation.

Protecting Valuable Assets

OT systems manage valuable physical assets, from energy production to manufacturing equipment. A breach could disrupt these operations and lead to permanent damage. Vulnerability management safeguards these high-value assets against potential exploitation.

Securing Supply Chains

In interconnected industries, a vulnerability in one part of the supply chain can cascade through partners and suppliers, leading to widespread vulnerabilities. A thorough vulnerability management system ensures that the entire ecosystem remains resilient.

Building Stakeholder Trust

In an era where cybersecurity incidents dominate headlines, organizations that demonstrate a proactive



An integrated OT SOC: Cost or Investment?

A dedicated OT Security Operations Center (SOC) offers a strong foundation for launching and supporting many institutional security measures such as continuous threat detection, unified view and visibility, and OT governance and policy implementation. When done well, a managed OT SOC can serve as a nerve center for all OT security efforts while reducing risk exposure and resource requirements by significantly reducing redundancies. An OT SOC also institutionalizes all security measures and ensures the allocation of adequate levels of attention to OT security in line with the growing threats and cyber risks related to OT.

Cost vs. investment: building a case for an OT SOC

In an era dominated by the convergence of technologies, security blind spots can derail even the best security plans and approaches. Such blind spots can emerge for many reasons, one of which has to do with a general lack of a unified and evolving approach to OT security that keeps pace with the rising sophistication of cyberattacks, rising insider threats, and an increasing threat surface area. Having an OT SOC reduces the chances of such blind spots existing for periods long enough for their impact to manifest. Through a mix of policies, interventions, best practices, and solutions, such blind spots can be addressed fairly early in their lifecycle.

Efficiency is another area where businesses can gain significantly with a dedicated OT SOC. With an OT SOC, businesses can run automated processes that minimize the time to respond to an incident, reduce manual tasks, and gain deeper insights to manage resources while keeping costs under control. These automated tasks can also help improve the quality of incident response by offering the right data and decision-making context to security analysts or to workflows that serve as policy triggers.

An OT SOC should be seen as an investment rather than a cost. In addition to reducing needless redundancies, an OT SOC can also offer information to an IT SOC to improve coordination between the two teams. It also makes security operate in a more proactive manner to contain threats, identify vulnerabilities (and patch them), and stop cyberattacks early. Thus, security investments as a whole are rendered more effective and efficient.

Keeping pace with changing threats and regulatory environment dynamics

A managed SOC can bring flexibility and scale to your security initiatives. A good OT SOC vendor can bring in best-of-breed solutions, implement proven practices, identify and mitigate risks early, and ensure compliance with existing and new compliance mandates on an ongoing basis. This helps CISOs focus on strategic and operational improvements.

A good OT SOC pays for itself

In addition to all the benefits mentioned above, a good OT SOC can make a huge difference to your margins. How, you ask? Well, for one, with a well-managed OT SOC, your security team can invest time, resources, and attention in improving skills, operations, and other aspects without worrying about cyberattacks or breaches on an everyday basis. Businesses can also save through a managed OT SOC through:

Want to learn more about how a managed OT SOC can make a significant difference to your business? Talk to our OT SOC expert now: Contact Us



A Complete Guide to ICS Security Assessment

Did you know that the average cost of a data breach worldwide was $4.35 million in 2022, with phishing being the most common form of attack? Ransom demands, locking of critical data files, theft of sensitive data, etc., are common forms of attack. Many industries bear the brunt in the form of high data-recovery costs, loss of reputation, damaged business relationships, legal complications, etc. All of this highlights the need for cybersecurity assessment and analysis to provide an effective defense against threats.

What is ICS security assessment?

Industrial Control Systems (ICS) security assessment involves evaluating an organization's ICS for vulnerabilities and weaknesses and ensuring that effective controls are in place to defend against cybersecurity attacks. The assessment encompasses:

Evaluation of safety with a cybersecurity audit

A cybersecurity audit is an evaluation of the security and strength of an organization's ICS environment. Some of the essential steps in a cybersecurity audit are:

The scope of the audit, the networks that will be assessed, and the standards that must be adhered to are defined as a first step. The relevant ICS security policies and standards should be reviewed to understand what is in place at present. The network architecture for critical and non-critical systems should be analyzed to check the segmentation of networks. A cybersecurity audit also ensures that the ICS environment adheres to industry standards like IEC 62443. Thorough network scanning should be done to assess the weaknesses of the ICS environment.

Get a free copy of the template here: Incident response plan & template

Logging of incidents should follow the best practices for an incident response plan. An audit will review this and report any lapses. Once the audit of the ICS environment is complete, an audit report on the findings about vulnerabilities should be prepared. The report should also contain relevant recommendations for further action. On the basis of the report, necessary follow-up actions should be taken to address the issues and weaknesses identified. Effective follow-up also helps keep a watch on emerging threats.

CIA triad: the ICS security assessment model

The CIA triad is a popular method for security assessment. CIA stands for Confidentiality, Integrity, and Availability. All three aspects carry importance while reviewing the system for vulnerabilities and assessing risk. For safe operation of industrial processes, there should be a balance between confidentiality, integrity, and availability.

Confidentiality: Maintaining the privacy of an organization's data and restricting unauthorized access are key parts of confidentiality. In this digital age, there are frequent attempts to compromise the safety of industrial control systems. Maintaining confidentiality involves measures such as encryption, multi-factor authentication, labeling data, etc.

Integrity: Integrity ensures that the data is reliable and trustworthy. Data is protected from unauthorized alteration to maintain the authenticity of the information, supported by non-repudiation.

Availability: Data that is secure must also be available and accessible to stakeholders. Timely availability of data without any interruption is of prime importance. Various events, like natural disasters, ransomware attacks, denial-of-service, etc., can compromise availability.

The CIA triad method offers a comprehensive methodology for the assessment of security lapses. It helps identify what went wrong and how well the existing systems were able to protect the data.

The need for ICS cybersecurity assessment

Even technology leaders had to mitigate an average of 1,435 Distributed Denial-of-Service (DDoS) attacks daily in 2022. This statistic is an indicator of the gravity of the situation. Cybersecurity assessment is the need of the hour when the digital landscape is deluged with multiple types of cyberattacks. There have been instances of severe losses and compromises in many industries due to overlooked cybersecurity assessments. Here are some cyber incidents that shook industries due to the lack of assessments.

All of these necessitate timely intervention through assessments so that potential threats can be identified and defense mechanisms put into action.

ICS security standards

Organizations follow different security standards based on industry requirements. We will discuss some of them here:

1. ISA/IEC 62443

The set of standards in IEC 62443 offers guidelines for securing industrial automation and control systems. Such control systems are found in power plants, oil and gas plants, water treatment plants, etc. These standards provide assistance by specifying the type of controls to be put in place on ICS platforms. IEC 62443 is mainly used by industries in the industrial automation and control sector. With a comprehensive set of policies, they are considered among the best for industries to follow.

2. The North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP)

The NERC CIP standards are specific to the power grid sector. They are used to protect the security of the electricity industry. These include:

Some common ICS tools used for cybersecurity assessment

These tools are widely used by analysts to identify and track vulnerabilities to strengthen protection.

NMAP: With this tool, analysts identify hosts that reside in a network. It helps detect threats and discover open ports and services. It can map an entire network and detect open ports easily. This is a simple tool with powerful capabilities. It can quickly recognize all routers, servers, switches, and mobile devices on single and multiple networks. It helps identify web servers and DNS servers that are running on a system. It has a GUI called Zenmap through which you can develop visual mappings of a network. Visit now: NMAP

SHODAN: Shodan is a search engine that helps find servers, routers, etc., on the internet using various filters. With Shodan, you can identify whether any devices on the ICS are accessible through the internet. Data collected by Shodan is comprehensive. It is in metadata format and contains data like hostname, geographical location, OS, and properties related to application-layer protocols. This helps identify insecure devices. Visit now: Shodan

Sectrio: You can leverage Sectrio to conduct host discovery and vulnerability analysis and provide solutions to correct the vulnerability detected in the



QILIN Ransomware Report 

Qilin, also known as "Agenda", is a ransomware group that also provides ransomware as a service (RaaS). Qilin's ransomware-as-a-service (RaaS) scheme earns anywhere between 80% and 85% of each ransom payment, according to new Group-IB findings. It was first discovered in 2022 when it attacked Australia's leading information technology service organization.

Qilin targets its victims by sending phishing emails that contain malicious links to gain access to their network and exfiltrate sensitive data. As soon as Qilin completes initial access, they commonly move laterally across the victim's infrastructure, attempting to find critical data to encrypt. After encrypting the data, Qilin leaves a ransom note ("Your network/system was encrypted, and the encrypted file has a new file extension") and demands a ransom payment for the decryption key.

Ransomware Details & Working

It drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the public folder and injects this DLL into svchost.exe to allow continuous execution of the ransomware binary. It takes advantage of safe mode to evade detection and proceed with its encryption routine unnoticed. The malware is written in Rust, and the Rust variant is especially effective for ransomware attacks as, apart from its evasion-prone and hard-to-decipher qualities, it also makes it easier to customize the malware for Windows, Linux, and other operating systems. Here are some points to note:

Victim Selection

At first, it targeted organizations at random, but now it seems they are mostly interested in critical infrastructure, the OT companies. In 2023, they have targeted 21 companies, including 5 OT victims. Recently, in June 2023, they attacked a Dubai-based OT company that specializes in comprehensive industrial and commercial water treatment (Clarity Water Technologies, LLC), and have targeted 6 other companies and leaked some of their data.

As per our dark web analysis, the victims they have targeted till now are from different countries, which include Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, the Netherlands, UAE, UK, and the United States.

Fig1: Victim Countries

As per the screenshot of the post, written in Russian by a Qilin recruiter to recruit "teams of experienced pentesters for their affiliate program," the group doesn't work in CIS countries.

Dark Web Analysis of Qilin Ransomware

Qilin maintains a dedicated dark web page where they publish all the information and details about the victim, which includes the victim's name, date of attack, description of the victim, and some images related to the victim's sensitive data; when the ransom is not paid, they also leak the victim's data on their dark web site. They have posted about 22 victims on their onion sites, and some victims' data has also been leaked on their page.

Also Read: How to get started with OT security

Let's go through their dark web site.

Qilin dark web front page, where they publish the information about their victims.

Login page present in the Qilin ransomware site.

They normally leak two files: one has the data, and the other has the list of all the sensitive files (as shown in the image).

IOCs

76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e
fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039

Mitigation for Securing the OT Environment:

Remediations

Reference

https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
https://www.trendmicro.com/en_in/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html
https://www.group-ib.com/blog/qilin-ransomware/

Interested in learning more about AI-powered attacks and ways to prevent them on your networks? Talk to our security expert. See our IoT and OT security solution in action through a no-obligation demo. Gain ample visibility into your network and identify gaps today: sign up for a comprehensive asset discovery with vulnerability assessment from Sectrio.

This research report is attributed to Dipanjali Rani and Akshay Jambagi from Sectrio's threat research team.



Why the new AI cybercrime tool is just the tip of the iceberg

Recent reports about the appearance of a new generative AI tool point to the level of maturity that hackers have attained in leveraging AI. In the latest edition of our IoT and OT threat landscape report, we had predicted this trend with supporting data. Our prediction on the use of AI covered these points:

If you wish to read more and understand how things got this far, I would encourage you to check out the AI section in this report, available for free download. Now that that is out of the way, let's focus on why we should look beyond just the tools to understand how hackers are preparing themselves to launch new waves of AI-powered cyberattacks. We will also look into ways to prepare our infrastructure to withstand these waves and continue operations without disruption.

Not merely a tool for script kiddies and lazy hackers

AI-based tools, while lowering the entry barriers for hackers, are also enabling them to reuse data that they used to sell or simply discard earlier. This data includes network access credentials, traffic baselines, packet composition, asset vulnerabilities, bandwidth usage patterns, and more. Such data can now be used to derive the best windows for a cyberattack or even to figure out how to confuse security mechanisms by generating lots of false positives. SOC operations and data on incident response frameworks can also be derived from the stolen data using AI. Generative AI can place these predictions in buckets and then craft a cyberattack tool armed with the relevant know-how to conduct another attack on the same victim in case they have not changed their processes and tools much (which is often the case).

Here are a few more ways in which hackers will leverage AI-based tools to further their disruptive agenda:

AI-based reconnaissance

AI tools can also be used to run reconnaissance campaigns more effectively. A typical AI campaign could involve disguised packets that hide modular reconnaissance malware that could assemble itself within the victim's network or on a device running on their network. The net result will be a clearer view of the victim's network, including weak points and unguarded threat surfaces. This also increases the level of situational awareness for the hacker or the group.

Supply chain manipulation

AI-based tools can also be used to carve a path for adding embedded malware at various points in the supply chain. Using such tactics, hackers can open up multiple points for embedding malware or a snooping payload in the supply chain and enable it to travel upstream or downstream.

Visit our compliance center to download free compliance kits

New models and frameworks for hacking

With AI-based tools, hackers are also able to try out new breach tactics faster and eliminate tactics that do not work, work only partially, or may take much longer to succeed. Successful tactics can be further refined and fine-tuned.

Co-opting insiders through campaigns

Hackers can run large-scale campaigns to target susceptible insiders across channels, platforms, and apps. This could lead to more such campaigns turning successful and providing hackers with a new avenue for high-quality data exfiltration. AI can also be used to identify susceptible profiles that can be targeted through persistent campaigns.

AI-driven bot farms

AI can also be used to manage bot farms that can run large-scale targeting across geographies. AI can also be used to minimize the footprint and signatures of individual bot farms to obscure them. Such bot farms can also be turned on and off sequentially to minimize the load on individual bots. This can have significant implications for projects and businesses that use the Internet of Things (IoT) in their infrastructure.

Asset profiles, vulnerabilities, and zero-days

AI can profile OEMs and their components to discover zero-days through a systematic study of design principles and production processes to determine flaws and unpatched vulnerabilities. This can make a big difference to operational technology security measures implemented at a plant/unit level.

These are just a few use cases related to the use of AI by hackers. What we are seeing now is just a preview of how things will evolve in the days to come. With greater attention and resource involvement, hackers will be able to gain a clear upper hand when it comes to breaching targets with ease.

How to defend your IoT and OT infrastructure against AI-powered cyberattacks

The following steps can be taken to secure against AI-powered cyberattacks:



OT Security Challenges and Solutions

OT Security: though the term sounds familiar, global SRM leaders are yet to develop robust OT security solutions for protecting OT networks. Sectrio's IoT and OT CISO Peer Survey 2022 highlights that close to 90% of CISOs reported one major cyber incident in the last 12 months. Most respondents stated that operations were halted for over four days, incurring losses of over $2.5 million. The stats mirror the current situation. As if this were not enough, here is another wake-up call. According to a survey, over 30% of critical infrastructure organizations will likely be the victims of OT attacks and threats by 2025.

Many point fingers at the rapid digitization of the technologies that propel critical infrastructure. Along the same lines, we cannot ignore the underspending when it comes to establishing and realizing OT security. It took a mammoth effort of countless ransomware attacks, data breaches, and cybersecurity attacks to make us recognize the need for cybersecurity. This transition happened over a decade. Cyber-attacks on IT systems primarily affected individuals, firms, and government organizations.

Also read: How to get started with OT security

It will not be the same in the case of an OT attack. A nation's security would be at stake in a large-scale OT attack. Despite an ever-growing list of OT security vendors, many companies still choose not to opt for OT security solutions. The reason can be either budget constraints or a failure to acknowledge the consequences of an OT attack. More worrying is that over 80% of CISOs believe their supply chains are vulnerable to cyber-attacks and OT security attacks. Cyber-attacks on OT networks are an ever-growing concern in the industry. One can minimize exposure to such attacks by following protocols and identifying commonly experienced OT security challenges. This approach will help a CISO and the company's C-suite understand their needs while talking to various OT security vendors.

Top 10 OT Security Challenges and Solutions:

Digitization might have exposed OT networks to more frequent and sophisticated cyber-attacks. But there are other reasons that one needs to understand to address the problem. Subscribing to a random OT security solutions suite may not protect an OT network entirely. Evaluating the security posture of an OT network beforehand helps in understanding the kind of security solutions needed. Before addressing the common OT security challenges an OT network might face, it is essential to understand the difference between challenges and threats. Challenges are the adversities that one can address using available resources. Threats are those adversities that require additional resources, or highlight the lack of resources, in a specific domain. The following are the most common OT security challenges on an OT network. To keep you less worried, we have also listed the solutions that can help you handle these challenges.

1. Attrition of Network Architecture

Most OT networks currently in existence were designed in the early '90s and built into the late '90s, with a few in the early 2000s. The security of an OT network works on the design philosophy of isolation: completely separated from other networks. This technique ensured default protection of an OT network, irrespective of the advancement of IT-related threats. OT networks were often guarded by strict protocols at their respective sites, eliminating most threats. Decades-old OT networks need continuous maintenance and installation of upgrades. Rather than periodic and broad-scale upgrades, most manufacturing plants opt for ad-hoc upgrades. This pattern can lead to a gradual attrition of security. Most OT networks' security architecture follows the Purdue Model of Control Hierarchy, a six-layered, well-defined security protocol. Security erodes with time. One can attribute this to ad-hoc updates and to changes made to machinery without considering the impact at a broader level. Adding to this, the adoption of wireless communication has further worsened the security woes. Despite robust OT security solutions in place, having these vulnerabilities puts the OT network at risk in its entirety.

Solution: Managers at manufacturing plants should plan for a complete assessment of the OT network's security posture ahead of scheduled updates. It is better to replace obsolete components on the network with new ones than to opt for ad-hoc updates. Trying to extend the lifespan of outdated components through patching and ad-hoc updates weakens the security posture. The cybersecurity team must understand the broad impact of any update before installing it on any device. No one should override the Purdue Model of Control Hierarchy or the established set of security protocols to facilitate the installation of any device on a network. As we speak, OT and IT networks are being consolidated into a giant complex network. Enterprises should have a comprehensive suite of OT security solutions, preferably from multiple OT security vendors.

2. Obsolete Machinery and Legacy OS

Obsolete machinery and legacy operating systems add more weight to a weakening OT network. While obsolete machinery is directly responsible for low productivity, it is also solely responsible for incompatibility across various systems. Given that every vendor's software and protocols are proprietary, compatibility across components from different vendors is impossible. Adding to this are the ever-growing cybersecurity concerns. Despite the availability of many OT security vendors, securing obsolete machinery running on a legacy OS is impossible. The history of vulnerabilities in Microsoft Windows XP and Windows 7 is well covered. With Microsoft discontinuing support for these operating systems, enterprises are left bare in cyberspace, waiting for an attack to occur. These archaic machines and systems do not support modern-day security protocols and have no room for flexibility and scalability. A system crash on this infrastructure results in data loss and a recovery time of hours. If a component fails, this downtime runs into days and even weeks, given the scarce availability of spare parts. High maintenance costs further hit the margins. Knowing that data is the oil of the 21st century, these obsolete machines and legacy OS systems cannot make the most of it. The utilization of data is what decides fortunes in the present and the future. Many enterprises fail to comply with statutory and other regulations by

