Cyber attacks on internet-exposed operation technology (#OT) systems are increasing in frequency, FireEye reveals.
NCSC also has good tips on what to consider when buying cyber insurance.
OT Systems' Latest Threat - Attacks are Unsophisticated and Not Targeted
Operation Technology (#OT) systems were once viewed as complex due to access requirements, but there are now many more internet-facing endpoints. This offers more options of remote access (something which we have all found to have more significance during #COVID), but it also offers a wider attack surface.
FireEye writes an excellent Threat Research report on the current #OT threats, finding that attacks have now simplified. Mandiant Threat Intelligence demonstrates how current #OT systems' exposure leaves them highly vulnerable to very basic attacks from cybercriminals targeting whatever is available on the internet.
Because of the attacks not having a specific target (range), this threat has impacted a variety of targets across different industries; this ranges from solar energy panels and water control systems; to building automation systems (BAS); to home security systems in academic and private residences. Some targets have been very sensitive in nature, which one could say is a 'lucky hit' in the hacker's mind but a disaster in everyone else's (Colonial Pipeline, anyone?); other targets can present very little risk and repair can be nearly insignificant.
A consistent observation among low sophisticated compromises is that actors most often exploit unsecured remote access services. Virtual network computing (VNC) connections can be one of these vulnerabilities used to remotely access the compromised control systems. The #OT systems used to be difficult for the intruders to modify control variables without prior knowledge of a process, but with graphical user interfaces (GUI), such as human machine interfaces (HMI), the systems become easier to use and easier to invade. In many cases of the exploits on record, the actors showed evidence of compromised control processes via images of GUIs, IP addresses, system timestamps, and videos.
There are some #hacktivist groups that indicate they have compromised #OT systems and some have gone to the extent of trying to train sympathetic parties on how to identify and compromise internet-accessible #OT assets. The tutorials typically described basic methodologies, such as using VNC utilities to connect to IP addresses identified in searches for port 5900.
FireEye's advice around the security best practices for avoidance of the low sophistication compromises include implementing security best practices and gaining situational awareness about the threat exposure of assets and data:
Whenever feasible, remove #OT assets from public-facing networks. If remote access is required, deploy access controls and monitor traffic for unusual activity to minimise unintended interaction and safeguard asset information.
Apply common network-hardening techniques to remotely accessible and edge devices, such as disabling unused services, changing default credentials, reviewing asset configurations, and creating whitelists for access.
Determine if relevant assets are discoverable using online scanners such as Shodan and Censys. Leverage support from knowledgeable security researchers to identify exposed assets and leaked information. Mandiant Threat Intelligence offers subscription content, custom analysis, and black box assessments that help organisations identify internet-exposed assets and information.
Maintain situational awareness on threat actors’ interest in cyber physical systems and the development of #OT exploits, with particular interest in attention driven to your organisation, third party providers, or original equipment manufacturers (OEM).
Configure HMIs and other control system assets to enforce acceptable input ranges and prohibit hazardous variable states. Similar to web application security, automation programmers should treat all operator input as potentially malicious and gain security assurances by validating that the operator input is within acceptable thresholds.
Cyber Insurance
Take-up of cyber insurance has become a more common day-to-day occurrence now, due to the rise in cyber attack frequency. With this increase in demand has also come an increase in the cost of insurance premiums, which is no surprise.
The main question is if your business knows what protection is offered by its cyber insurance policies. Even if you currently have cyber insurance, it's well worth reading the NCSC's cyber insurance guidance to better understand if your insurance is providing you what you think you're paying for.
The full NCSC report can be downloaded here as a pdf article.