IoT, IT and OT Merging and Needs Integrated Defense

First of all what is the alphabet soup: IoT, IT and OT?

Internet of Things, Information Technology, Operational Technology are explained best in the sans.org white paper: https://ics.sans.org/media/IT-OT-Convergence-NexDefense-Whitepaper.pdf

Operational Technology (OT) consists of hardware and software systems that monitor and control physical equipment and processes, often found in industries that manage critical infrastructure, such as water, oil & gas, energy, and utilities, but also in automated manufacturing, pharmaceutical processing, and defense networks.  It even forms the foundation of building control systems, air and road traffic controls, shipping systems and, increasingly, management of distributed data storage and processing networks, i.e., cloud services.

In other words this OT is going to be the backbone for all IoT devices (anything that will be eventually be on the Internet), like refrigerators, Alexa, Google, and Apple devices that are voice responsive. It seems to me that the utility companies will develop Asset management and IT management software so that the rest of us can also buy a type of software that can manage all our IoT/IT/OT stuff.

Here is another document from ABB (A manufacturer of PLC’s) https://search.abb.com/library/Download.aspx?DocumentID=9AKK106713A9904&LanguageCode=en&Action=Launch

You can see that integrations in a factory floor environment are important, even if not ‘very’ important. There is also a kind of urgency to this endeavor, since the future build out of IT/OT/IoT is only going to be bigger and more integrated.

Next note the 2014 IT/OT convergence survey from Siemens http://etsinsights.com/infographics/infographic-2014-utility-itot-convergence-survey/

As you can see lots of data is being collected, but costs are the reason that companies are still waiting to implement more automation and integration.

this was an interesting note: “By 2019, 35% of Large Global Manufacturers with Smart Manufacturing Initiatives Will Integrate IT and OT Systems to Achieve Advantages in Efficiency and Response Time (IDC)”

The image is from iebmedia.com document: https://iebmedia.com/index.php?id=11673&parentid=63&themeid=255&hft=95&showdetail=true&bb=1

You can see from the above images the need for IT and OT to become one, as it would be beneficial for control. but interesting to note in all of these images, where is the Cybersecurity angle?

Searching for ICS(Industrial control Systems) Cybersecurity comes up with the following:

from Automation World webpage https://www.automationworld.com/article/technologies/security/making-sense-ics-cybersecurity-market

The IT and OT commonalities are Endpoint protection, Perimeter Firewalls, and Network Segmentation(VLAN). I have also seen IDS/IPS to be used in OT. It seems to me most of the IT items could be used in OT, so the only item that is not useful or well known to iT is the One-way data diode. which only means that data will flow one way and not the other. (in the case of a critical asset). from Microarx.com

https://www.microarx.com/data-diodes

 

The differences between IT and OT devices with regards to Cybersecurity are not significant so the only stumbling block for convergence is resources and will.  It seems after some more data breaches this convergence will speed up.  It is true that ICS factory devices sometimes are legacy devices with little chance of upgrade, so the vulnerabilities are inherent to the device.This is the difference between OT and IT. OT has to have a way of defending these legacy mission critical devices, whereas most IT environments can upgrade and patch… thus making the environment less vulnerable. Legacy devices get replaced in IT. Not in the factory floor. So auditing the different environments require more expertise and preparation than an IT network where one can see all devices.

Contact Us to review your environment.

Stopping Social Engineering Attacks No, Slow Down Yes!

Elements of an Attack:

From the article at TechNewsWorld.

Social Engineering is equivalent to scammers trying all types of methods to gain information or money.

What does it mean to have an image above that shows many possible Social engineering attacks?

Let’s list them:

  1. Techniques
    1. Phishing
    2. Pretexting
    3. Baiting
    4. Quid Pro Quo
  2. Compliance principles
    1. Friendship or liking
    2. Commitment or Consistency
    3. Scarcity
    4. Reciprocity
    5. Social Validation
    6. Authority
  3. Target
    1. Individual
    2. Organization
  4. Goal
    1. financial Gain
    2. Unauthorized Access
    3. Service Disruption
  5. Medium
    1. E-mail
    2. Face-to-face
    3. Telephone
    4. SMS
    5. Paper Mail
    6. Storage Media
    7. Webpage
    8. Pamphlets

And the above methods are only the current or ‘older’ attacks. Each heading is followed by the specific attack method. And these methods are all focused on taking resources or information to eventually relieve you of money.

Now social engineeringattack advances  has added Vishing – which is attempting to influence an action by calling/contacting a mobile phone which requires a quick action.

Impersonation is the practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system. (another newer method)

Sometimes the goal is to gain information not actually steal resources($  or computer time) at first. Only after a lot of information gathering is a unique social engineering attack going to go for the jugular and the money they are all after.

 

So what can be done to slow down or reduce the attacks (Under no illusion to completely stop all attacks).

Introduce a process or method – let me take your information and I will call you back. (most phishers will not want to give a number). Authenticate the person’s number to make sure it is legitimate.

Also make a rule never to give out personal information on an incoming call – have a standard response available. ” Mr./Mrs./Ms/ you can understand that with all of the possible hacker attacks we do not give out any(or xyz) information via phone” If needed I can call you back tomorrow, am busy now.

No matter how you are being contacted the response can be changed… On an incoming text we do not give out personal information. Please give me another phone # so I can contact you tomorrow.

Do not respond to texts with information, require a call and other contacts to verify the authenticity of caller.

A social engineering attack can be complex but it really has the same goal as all hacker attacks to take resources and information from you. If you can slow them down, make them work harder to get what they want. then you are most of the way to a secure and safe network.

We can help you rewrite your security policy: contact us.

October is Cybersecurity Awareness Month

In a year of many problems and issues the Department of Homeland Security decided to make October the National Cyber Security Awareness Month (NCSAM) since 2003.

https://www.dhs.gov/national-cyber-security-awareness-month

 

The Theme is Own IT. Secure IT. Protect IT.

Own IT is reminding you to travel with cybersecurity in mind (at least some of the time), Social media usage and online privacy should be connected and though about how to use social media. the Internet of things devices should be sought out and updated or reviewed to make sure they are secure.

Secure IT is typical, a focus on Strong Passwords, but we could talk about just changing default passwords would be good too.  The famous xkcd image is interesting:

passwords leads to MFA or Multi-Factor-Authentication.

MFA is required or suggested for in NIST 800-171.

Phishing we discussed in a recent blogpost: https://oversitesentry.com/top-cybersecurity-problem-for-small-business/

Securing your ecommerce may be simple or common sense…  But has to be guided by OWASP as I discussed in https://oversitesentry.com/owasp-has-new-testing-guidelines-document/

 

The Secure IT portion is a combination of things:

  • Patch your software
  • Be aware of how you share personal information of employees or customers PII (Personally Identifiable Information)

Keep in mind a simple strategy to  protect yourself and your company ZeroTrust

ZeroTrust  means do not implicitly  trust. First verify trustworthiness before doing business and granting access.

Zero Trust is used in many manufacturer network architectures, such as Cisco:

https://www.cisco.com/c/en/us/products/security/zero-trust.html

or Palo Alto:

https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

“In Zero Trust, you identify a “protect surface.” The protect surface is made up of the network’s most critical and valuable data, assets, applications and services – DAAS, for short. Protect surfaces are unique to each organization. Because it contains only what’s most critical to an organization’s operations, the protect surface is orders of magnitude smaller than the attack surface, and it is always knowable.”

 

This is a good strategy for 2019 Cybersecurity awareness… Do not assume a social media connection until verified. Email link, email attachment, phone call and many other possible attacks to your business.  Unfortunately this means sometimes mistaking or requiring a possible customer to prove who they are, but with some thought this can be done tactfully so that a potential customer can see why this is being done.

 

Contact Us to go into detail for some more awareness for you and your business.

Top Cybersecurity Problem for Small Business

The top Cybersecurity problem (or risk) is phishing emails and ransomware downloaded to your computer or your website.

 

When a phishing email somehow gets you to click a link that then downloads an infected “payload” into your computer you can only hope that the anti-virus you have (and/or firewall) will protect you from the payload.   So that a dangerous payload may not be able to take advantage of your inaction.  The bad software is either in an attachment (in email) or on a website that you download (from a link).

 

Obviously if you can learn to recognize phishing scams that  would be a good thing. but there are other things to do even if you click on a bad link or attachment.

4 things to help prevent getting hacked:

  1. Phishing email spotting  (this is the trickiest one)
  2. Update your computer and software (easiest to setup and manage)
  3. Use multi-factor authentication wherever you can
  4. Backup your computer regularly

if you are up-to-date with your patching with as much software as possible, many attacks will fail. There are some ‘zero-day’ attacks that would still be successful against you, but those are expensive for hackers ‘usually’, so the risk is low for a ‘silver bullet attack’.

Osterman Research created a white paper for Trend Micro: “New Methods for Solving Phishing, Business Email Compromise, Account Takeovers and Other Security Threats”.

First the paper explains how ineffective a number of people have been in managing phishing attacks.

The central theme in the paper are phishing attempts that reach end users and employees who fail to recognize phishing and social engineering attacks.

One of the paper’s recommendations is to move your security operation to the cloud. The plan is that the cloud provider is more advanced than you and will reduce your risk.

What is clear though is that even on the cloud certain scams are always going to take advantage of any system. For example if someone calls you and you give them your credentials after some story that seems believable then any new technology that you paid for is useless. because now the bad guys can log in with your username and password.

You can set up MFA (Multi-factor Authentication) which means the hacker has to defeat another level of authentication (connected to your cellphone or a physical secure id mechanism).

 

I do not want to get into the technical details of MFA, since that  is beyond the scope of this article.  But MFA would cut down attacks by a large percentage.

So education and MFA with a better anti-phishing  email solution would reduce successful attacks and a proper patching environment may cover the rest.

Contact me to discuss this.