Reducing the attack surface within CNI OT environments using RevBits' Native Security Solutions
The Problem
Global geo-political conflicts are aggressively ramping up activity from state-sponsored threat actors, in what is being considered an enduring and significant threat to National Security. Seventy-five percent of cybersecurity decision makers within CNI organisations reported a stark rise in cyberattacks since the start of the Ukraine war (Cyber Attacks Against UK CNI Increase Amidst Russia-Ukraine War | Bridewell).
Operational Technology (OT), including Industrial Control Systems (ICS), Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems, amongst other legacy components, forms the bedrock of the Nation’s Critical National Infrastructure - Transportation, Communications, Health, Defence, Energy, Water and so on.
OT systems and networks were originally designed to operate industrial processes safely and reliably without connections to external networks. This has changed. The need and desire for business agility and cost reduction has led to the integration of such air-gapped environments into business networks and cloud infrastructures. Other contributory factors:
- The convergence of Information Technology (IT) and Operational Technology (OT).
- The introduction of Industrial Internet of Things (IIoT) systems into OT environments.
- Covid-accelerated digital transformation resulting in large-scale remote and hybrid working, often divorced from appropriate policies, processes, and procedures.
All these have greatly increased the size, complexity, and elasticity of underlying networks - and massively expanded the potential attack surface. Perpetrators are able to exploit vulnerabilities within the IT environment to move laterally within organisations, turning IT problems into much more impactful OT system issues.
Where the potential disruption of a cyber-attack is great, as is the case with the Critical National Infrastructure, the ideological and/or financial gain to the perpetrator is accordingly immense.
Stuxnet (2010) is considered to be one of the first sophisticated cyber-attacks. This state-sponsored ‘digital weapon’ malware was introduced via a compromised USB flash drive to target programmable industrial control systems within an air-gapped environment. Four different zero-day security vulnerabilities, plus the installation of a kernel-mode rootkit and the use of stolen digital signing certificates, culminated in the malfunction of almost one fifth of Iran’s nuclear centrifuges.
In 2021, hacked credentials and an unprotected legacy VPN were at the root of the Colonial Pipeline cyber-attack, which caused major disruptions to gas delivery up and down the East Coast and ultimately cost the US fuel pipeline operator nearly $5m (£3.6m) in ransom payment to the cyber-criminal gang ‘DarkSide’ (Colonial hack: How did cyber-attackers shut off pipeline? - BBC News).
‘Human error’ continues to rank as the greatest intentional or unintentional threat (e.g. weak passwords, USB misuse, clicking on a ‘phish’), paving the way for malware and ransomware to gain their initial foothold.
In both CNI attacks above, critical assets were breached through the exploitation of existing weaknesses in the network: the introduction of a contaminated USB stick; the inability of incumbent security solutions to defend against zero-day exploits and kernel/registry-level malicious activity; and weak password control combined with inappropriate permissions on critical assets.
The Solution
In an era where cyber-breaches break seemingly impenetrable barriers, ‘lessons learned’ from these past attacks should help inform the selection of appropriate security solutions.
Risks may be mitigated, and the attack surface greatly reduced through a combination of air gapping, appropriate security software and endeavouring to simplify the overly complex.
Lessons learned:
- Keep critical systems physically isolated and ‘air gapped.’
- The principle of ‘Least Privilege’, which underpins solutions such as Privileged Access Management (PAM) and Zero Trust Networking (ZTN), should run as a golden thread through the entire organisation. Good information governance is crucial in identifying all critical assets, appointing accountable asset owners, and ensuring all potential weaknesses and vulnerabilities are accounted for and placed firmly on the appropriate Asset and Risk Registers.
- The PAM technology deployed to prevent unauthorised access should further support real-time tracking, monitoring, and recording of privileged user activities, and be able to immediately block malicious or unauthorised sessions. Providing such assurances not only lessens the risk of breach and accords with regulatory and legislative requirements; it also removes the possibility of hefty fines for non-compliance and enables those accountable to sleep at night!
- Fortify critical OT infrastructure against evolving zero-day threats. As in the Stuxnet breach, the four zero-day attacks could have been blocked had the incumbent Endpoint security solution possessed AI-enablement with machine learning and behavioural analysis at its core.
- Endpoint Security solutions should be able to work at the kernel level to identify, ‘unhook’ and ‘block’ rootkit exploits. Ultimately, if the brain (kernel) of the system is under the perpetrator’s control, any number of peripheral security solutions will be superfluous.
- Use Endpoint solutions with granular policies to block contaminated USB devices.
- Deployment methods chosen should be based on the level of security required to protect critical assets against increasingly complex and sophisticated cyber threats. Choose Endpoint Protection, PAM and Deception Technology solutions which can also operate fully within an air-gapped environment.
- Linux systems are widely deployed across OT environments to configure and manage ICS, SCADA systems and PLCs, which themselves typically run bespoke operating systems such as VxWorks and QNX. Given the prevalence of Linux within OT environments, it is logical to choose PAM, Endpoint and ZTN solutions which natively run on Linux.
- Go on the offensive! Employ a Deception Technology Solution as an ‘advanced early warning notification system’ to lure and trap the perpetrator with realistic server-based honeypots and decoy credentials. This will provide crucial insights into the attackers’ tactics, significantly reducing dwell time and enhancing incident response capabilities.
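As a concrete illustration of the USB and Linux points above, the following is an added example written for this article; it is not RevBits code and not part of any product described here. It shows a minimal host-level control that blocks USB mass-storage devices on a Linux endpoint using two independent layers (a modprobe rule that refuses to load the usb-storage and uas drivers, and a udev rule that de-authorises any USB interface advertising class 08, Mass Storage), together with a status check that an asset owner could run to confirm the control is in place. The file names, function names and the choice of a root-prefix parameter are constructed for this example; it assumes systemd-udevd and a kernel with USB interface authorisation (4.4 or later).

```shell
#!/bin/sh
# Added example (not RevBits or vendor code): block USB mass-storage devices on a
# Linux host with two independent layers and verify the result.
#   Layer 1 (modprobe): refuse to load the usb-storage and uas drivers at all.
#   Layer 2 (udev):     de-authorise any USB interface of class 08 (Mass Storage)
#                       before a driver can bind, regardless of vendor/product id.
# Assumptions: systemd-udevd, kernel 4.4+ (interface authorisation), root to install.
# Paths below are constructed for this example (relative to a root prefix).

UDEV_RULE_PATH="etc/udev/rules.d/99-block-usb-storage.rules"
MODPROBE_CONF_PATH="etc/modprobe.d/block-usb-storage.conf"

# Layer 2 rule text. Matching on bInterfaceClass covers unknown sticks too.
usb_storage_udev_rule() {
    cat <<'EOF'
# Block USB Mass Storage (interface class 08) before any driver binds
ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"
EOF
}

# Layer 1 config text. "install <module> /bin/false" makes any load attempt fail.
usb_storage_modprobe_conf() {
    cat <<'EOF'
install usb-storage /bin/false
install uas /bin/false
EOF
}

# Write both files under a root prefix (default "/"). A non-"/" prefix lets the
# logic be exercised without root and without touching the live system.
install_usb_storage_block() {
    root="${1:-/}"
    mkdir -p "$root/$(dirname "$UDEV_RULE_PATH")" "$root/$(dirname "$MODPROBE_CONF_PATH")"
    usb_storage_udev_rule > "$root/$UDEV_RULE_PATH"
    usb_storage_modprobe_conf > "$root/$MODPROBE_CONF_PATH"
    if [ "$root" = "/" ]; then
        # Apply to the running system: reload rules and re-evaluate USB devices,
        # then unload a storage driver that was loaded before the block (no-op if absent).
        udevadm control --reload-rules && udevadm trigger --subsystem-match=usb
        modprobe -r usb-storage uas 2>/dev/null || true
    fi
}

# Compliance check. Returns 0 when both files carry the expected lines and, on a
# live host, the usb_storage driver is not currently loaded; returns 1 otherwise.
usb_storage_block_status() {
    root="${1:-/}"
    grep -q 'ATTR{bInterfaceClass}=="08"' "$root/$UDEV_RULE_PATH" 2>/dev/null || return 1
    grep -q '^install usb-storage /bin/false' "$root/$MODPROBE_CONF_PATH" 2>/dev/null || return 1
    if [ "$root" = "/" ] && [ -r /proc/modules ]; then
        if grep -q '^usb_storage ' /proc/modules; then
            return 1
        fi
    fi
    return 0
}

# Usage on a real host (as root): install_usb_storage_block && usb_storage_block_status
```

The modprobe layer is the portable fallback: it works on any Linux kernel and stops the driver loading even if udev is misconfigured, while the udev layer stops a mass-storage interface being exposed at all, which also covers a device that presents both a keyboard and a storage interface. Because the check reads only the configuration files and /proc/modules, it can be scheduled on air-gapped hosts and its result fed into the Asset and Risk Register without any network dependency.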
Each of the above areas can be fully addressed using more advanced cyber security solutions such as those offered by RevBits, currently deployed within CNI organisations operating air-gapped and on-prem OT environments. You can find out more about how RevBits is assisting clients within the OT arena here.
Furthermore, to simplify and improve visibility, a Cyber Intelligence Platform may provide a centralised ‘single pane of glass’ view, to enable ‘cross modular actionable intelligence’ across all of those aforementioned ‘solutions’ for rapid response, improved security outcomes and a vastly reduced ‘attack surface.’