
Bridging the Gap Between IT and OT and How the Rapid7 & SCADAfence Partnership Leads the Way

It has been over a decade since the headline-grabbing Stuxnet worm was discovered and security professionals first confronted nation-state-sanctioned cyber attacks on industrial equipment. The prospect of cyber threats that could exploit, and potentially destroy, physical assets and even cost human lives got the attention of industrial organizations: attackers pursuing vulnerabilities in those assets could turn a network intrusion into physical damage in operational technology (OT) networks.

Despite those early warnings in 2010, it is only in the past five years that nation-state attackers have become more prevalent, as seen in the recent SolarWinds supply-chain attack, which was attributed to actors with alleged Russian ties. Cybercriminals, meanwhile, have made ransomware their method of choice against industrial organizations. Over the past 12 months there have been several successful ransomware attacks on industrial sectors, including the Colonial Pipeline attack and the SNAKE / EKANS campaign.


Figure 1: The rising growth of ransomware attacks

These attacks have once again put the focus on the vital importance of every industrial organization securing its Operational Technology (OT) environment. OT networks and devices are the heart of automation for industrial assets, and unlike newer technology they tend to be poorly segmented, because older industrial infrastructure has been connected to the internet and had new services bolted onto its equipment.

Industrial organizations have been faced with new obstacles, such as remote access and third-party services, that create a larger attack surface through which cybercriminals can reach OT networks and physical assets (as in the attack on the water treatment plant in Oldsmar, Florida). This growing attack surface has prompted a newer approach to securing OT networks and devices, one that ensures the more modern IT security methods do not themselves open new doors for cybercriminals. Traditionally, OT security teams were not responsible for advanced threats or IT security, so converging OT and IT networks, systems and security responsibilities is becoming more common by the day among industrial organizations.

When organizations begin to converge their IT and OT systems, they must bring the OT network up to the same concrete security controls deployed on the IT network. Enforcing the same level of security controls on the OT network gives industrial organizations an additional layer of defense with which to detect and mitigate attacks. Those controls do need adapting to OT rather than copying blindly: active scanning and unscheduled patching can interrupt fragile devices, so monitoring is usually passive and remediation is planned around production windows. An effective OT security strategy demands a complete audit trail of security incidents and full visibility of any lateral movement into and within the OT network.

OT Systems Create More Challenges For Security Teams 

Nothing in life is a simple task, and this is especially true when it comes to securing OT systems and networks. With the increasing use of IP-based communications by OT devices, OT and IT teams face a bigger challenge in agreeing who is in charge of securing OT systems. Securing this space is not easy either. Many networks that were once disconnected, for example power plants and water systems, are now connected to cloud-based smart management tools. This has created more security risk as OT technologies are modernized around the Internet.

As more Industrial Control Systems (ICS) are digitalized, the result is an increased attack surface that has made these systems a favorite target for malicious cyber attacks. Over the past decade, IT environments have quickly evolved to adopt security as a key element of IT management. OT, however, has not evolved at the pace of the attacks, and is only now implementing an appropriate level of security for OT systems and networks. On top of being late adopters of security, the engineers who designed the industrial protocols still in use today did not build security into them: Modbus, for example, carries no authentication, so any host that can reach a controller can read and write its registers.

Moving forward to the present day, industry has adopted a plethora of protocols covering productivity and security in newly adopted smart production environments. This protocol sprawl is a massive challenge for asset owners, whose security efforts are hindered by incomplete visibility of their OT networks and devices, a lack of monitoring, and the absence of effective solutions to detect and respond to attacks.

On top of not being able to fully secure and monitor OT systems, OT teams struggle to build a complete picture of their equipment, because much of it is sensitive to network scanning. When an OT device receives unexpected data, or more data than it can handle, it can fault or stop responding, which makes active monitoring risky. Additionally, ICS networks increasingly use PC-based servers and remote workstations, a recipe for a more complex attack surface that combines enterprise services with cyber-physical systems. To solve these challenges, industrial organizations need to adopt security on both fronts and understand which systems can tolerate active OT monitoring and which must be observed passively.

How Rapid7 & SCADAfence Help Improve Visibility in OT / ICS Environments

With these challenges in place, industrial organizations can overcome them by adopting a security system that provides complete monitoring of OT systems and networks. The system should assess vulnerabilities in both the IT and OT environments. Security teams need a clearer understanding of what is occurring on OT systems and networks, and of how cybercriminals design attacks that reach OT systems through the IT environment. Additionally, industrial operators need a better understanding of all the assets and devices in their production environment, across both IT and OT equipment.

To help industrial organizations improve their IT and OT visibility, we have partnered with Rapid7. Customers can now integrate SCADAfence with Rapid7's vulnerability risk management solution to gain visibility into their OT assets and devices. Additionally, customers gain in-depth information about OT networks, including identification of cross-site communications and connections between devices with potentially exploitable vulnerabilities.

By bringing SCADAfence and Rapid7 under one roof, organizations can detect, assess and mitigate across IT and OT infrastructure while improving visibility of all their assets. By automating OT and IT security with SCADAfence and Rapid7, customers achieve full coverage of their IT and OT systems. This is the right step toward defending against cybercriminal and nation-state attacks on operational technology systems.

To learn more about our partnership with Rapid7, please visit: https://l.scadafence.com/rapid7-scadafence-joint-partnership

On top of our joint technical partnership and integration, SCADAfence's research team continually works with Rapid7's research team on its annual vulnerability report. Read the Rapid7 2020 Vulnerability Intelligence Report to learn more about our researchers' work in securing physical systems in a digital world and the OT threat landscape.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

“Air-Gapping” IT and OT?

Following the Colonial Pipeline ransomware incident, Twitter exploded into an orgy of blather from people demanding that we “air-gap” ICS. Those righteous keyboard warriors know what is best, I’m sure.


Colonial Pipeline Attack Spells Fuel Pipeline Shutdown and Highlights the Need for Increased OT Security

On May 8th, news broke that Colonial Pipeline, one of the largest fuel pipelines in the US, had been forced to stop all operations after falling victim to a ransomware attack. The attack on Colonial Pipeline, which supplies close to half of the fuel used on the East Coast, is just the latest example of why cybercriminals target the oil and gas sector.

Colonial Pipeline Struck by Ransomware

According to a report by The Wall Street Journal, Colonial Pipeline, the operator of the biggest gasoline pipeline in the United States, was forced to shut down operations late on May 7 following a ransomware attack. The shutdown threatened to roil energy markets and upend the supply of gasoline and diesel to the East Coast.

Colonial Pipeline is a key artery for the eastern half of the United States. It is one of the main sources of gasoline, diesel and jet fuel for the East Coast, with a capacity of roughly 2.5 million barrels a day. The company published a statement on Saturday saying it was the victim of a ransomware attack that affected its corporate IT network. The attack did not reach the operational network that controls the pipelines and distributes fuel, which is separate from the corporate network; Colonial Pipeline shut the pipelines down as a precaution to prevent the attack from spreading.

Initial speculation in the security industry was that this was another attack by a foreign government. However, Bloomberg reported on Saturday, May 8th that the attack appeared to be the work of the ransomware group DarkSide. Known for its “double-extortion” scheme, DarkSide took nearly 100 gigabytes of data from Colonial's network in just two hours on Thursday.

The attackers threatened that if the ransom was not paid they would leak the stolen data to the internet, while the data they had encrypted on Colonial's computers would remain locked. It is not clear how much money the criminals asked for or how they gained access to the network. What is clear is that this attack is a concrete example of cybercriminals turning their attention to industrial organizations regardless of size or sector.

Oil & Gas Industry is an Attractive Target 

Over the years, the oil and gas industry has grown into one of the most powerful global industries, critical to national and global economies. That has put a target on its back, as adversaries see the sector as a valuable place to exploit Industrial Control Systems (ICS) vulnerabilities. In the past, the operational technology (OT) used in oil and gas operations was isolated and “air-gapped”; today these OT networks connect ever more often to IT infrastructure and to the internet, opening a new door for attacks. The convergence of OT and IT in oil and gas operations exposes vulnerabilities from both environments at once. There are also emerging risks from Internet-of-Things (IoT) devices, and growing compliance obligations.

Recent attacks on oil and gas organizations such as Pemex and Colonial Pipeline show how attackers have taken an interest in the industry, from studying how these organizations operate to working out how to exploit them. Oil and gas organizations therefore need to protect against every method of cyberattack to ensure that the global economy and civilian safety are not affected.

Protecting Oil and Gas Operations

While the details of how the adversaries compromised Colonial Pipeline's corporate network are not yet public, the attack has made clear that now is the time for oil and gas organizations to implement a strong OT security strategy.

Last month, the NSA released an advisory describing the importance of protecting industrial control systems (ICS) and operational technology (OT) from cyber attacks. In it the NSA states, “Without direct action to harden OT networks and control systems against vulnerabilities introduced through IT and business network intrusions, OT system owners and operators will remain at indefensible levels of risk.”

Additionally, the NSA advisory stressed that organizations and operators need to protect critical operations: “While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences. Taking action now can help improve cybersecurity and ensure mission readiness.”

Even before the NSA released these recommendations, many oil and gas organizations had taken the right measures to secure their OT systems and networks. Over the last seven years, SCADAfence has worked with many critical infrastructure organizations, including oil & gas operators, to ensure their OT networks are safe. We provide them with full network visibility and accurate detection of anomalous behavior and malicious activity, including anomalies that originate from ransomware attacks.

Figure 2: Oil & gas example in the SCADAfence application

The diagram above shows how SCADAfence gives organizations in the oil & gas and pipeline industries full visibility of the traffic between their IT and OT networks. It shows where the attack vectors are located and lets them identify every connection between these networks with pinpoint accuracy. This approach has helped hundreds of organizations to mitigate anomalous activity on their operational networks before it could turn into a cyber attack.

In an Operational Technology World, Failing to Plan = Planning to Fail

Basic cybersecurity practices can help prevent such attacks going forward. The first is visibility into the entire network: it is hard to protect what you cannot see. Next come network segmentation, or micro-segmentation where possible, so that a compromised corporate host cannot reach controllers directly, and continuous network monitoring, which is even more crucial for spotting a similar intrusion before it reaches operations.
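The three practices above (visibility, segmentation, continuous monitoring) can be checked passively from flow records, which matters because, as noted earlier, many OT devices cannot tolerate active scanning. The script below is an added example, not SCADAfence or Rapid7 code: it takes NetFlow-style records, builds an inventory of OT assets and the industrial services they were seen answering on, and flags every flow that crosses a zone boundary the segmentation policy does not allow (direct corporate-to-controller traffic, or a controller talking to the internet). The zone subnets, the allowed zone pairs and the flow records are all constructed for illustration.

```python
"""Passive IT/OT boundary check over flow records (added example, not vendor code).

Zone layout, policy and sample flows are constructed for illustration; in
practice they would come from the site's network design and a flow exporter.
"""
import ipaddress

# Assumed zone layout (constructed): corporate IT, a DMZ holding the jump host,
# and the OT cell with the controllers.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.50.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Well-known industrial protocol ports. Seeing these from outside the OT
# zone is the signal a practitioner cares about.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm/ISO-TSAP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}

# Segmentation policy (assumed): IT reaches OT only through the DMZ, and OT
# never initiates traffic to anything outside its own zone except the DMZ.
ALLOWED = {("IT", "IT"), ("IT", "DMZ"), ("DMZ", "DMZ"), ("DMZ", "OT"),
           ("OT", "OT"), ("OT", "DMZ")}

# Constructed flow records: "timestamp src dst dport proto". 203.0.113.7 is a
# documentation address standing in for an internet host.
SAMPLE_FLOWS = """\
2021-05-06T09:00:01 10.10.4.21 10.50.0.10 3389 tcp
2021-05-06T09:00:05 10.50.0.10 192.168.100.12 502 tcp
2021-05-06T09:01:12 192.168.100.5 192.168.100.12 502 tcp
2021-05-06T09:02:30 10.10.4.21 192.168.100.12 502 tcp
2021-05-06T09:02:31 10.10.4.21 192.168.100.13 102 tcp
2021-05-06T09:03:00 192.168.100.12 203.0.113.7 53 udp
"""


def zone_of(ip):
    """Map an address to its zone; anything outside the known zones is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def inventory(flows):
    """Passive asset inventory: every OT address seen, with the ICS services
    it was observed answering on. Nothing is sent to the devices."""
    seen = {}
    for f in flows:
        for ip in (f["src"], f["dst"]):
            if zone_of(ip) == "OT":
                seen.setdefault(ip, set())
        if zone_of(f["dst"]) == "OT" and f["dport"] in ICS_PORTS:
            seen[f["dst"]].add(ICS_PORTS[f["dport"]])
    return seen


def find_violations(flows):
    """Flows whose (source zone, destination zone) pair the policy does not allow.
    Returns (timestamp, src, dst, description) tuples in input order."""
    out = []
    for f in flows:
        pair = (zone_of(f["src"]), zone_of(f["dst"]))
        if pair not in ALLOWED:
            service = ICS_PORTS.get(f["dport"], f"port {f['dport']}/{f['proto']}")
            out.append((f["ts"], f["src"], f["dst"], f"{pair[0]}->{pair[1]} {service}"))
    return out


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("OT assets seen:")
    for ip, services in sorted(inventory(flows).items()):
        print(f"  {ip}: {', '.join(sorted(services)) or 'no ICS service observed'}")
    print("Policy violations:")
    for ts, src, dst, desc in find_violations(flows):
        print(f"  {ts} {src} -> {dst}: {desc}")
```

On the constructed input the script flags three flows: two direct corporate-to-controller connections (Modbus/TCP and S7comm, bypassing the DMZ) and a controller reaching an external host on port 53, which is the kind of outbound connection the NSA advisory quoted above describes as "connected for convenience". The same loop run continuously against a flow exporter, with the zone map kept in step with the site's network design, is the minimal form of the continuous monitoring the text calls for.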

Numerous oil & gas operators have already adopted continuous network monitoring and threat detection technologies to gain increased visibility into their OT networks and keep their critical infrastructure networks secure. 

With this holistic approach of network monitoring, anomaly detection, remote access visibility and compliance, many oil & gas organizations report reducing their risk of future attacks by as much as 95%.

A key element of these solutions is that they are agentless and non-intrusive, and they sustain monitoring tasks that no human team could, at a fraction of the cost of one human worker.

If your organization is looking to secure its industrial networks, download our case study with a Fortune 100 oil & gas industry leader to learn how SCADAfence provides complete visibility of their OT networks and real-time detection of malicious activity.

