Editor's Choice


Security for operational technology: Part 2: How much of a cyber threat are people to OT systems and what can be done?

September 2021 Editor's Choice

The recent cyber-attack on Transnet is a wake-up call that South African companies are not immune from cyber threats. The incident impacted logistics on a national scale. A cyber breach is highly probable if basic defences are not in place and someone with the right resources decides to target you.

Cybersecurity controls can be categorised into people, process and technology. Technology normally gets the most attention and budget. The reality is that operational technology (OT) systems are designed, implemented, supported and used by people. People are the weakest link in terms of cybersecurity and therefore the easiest to exploit. Cybersecurity awareness training is often generic, neglected or the first cost to be cut.

According to Sun Tzu’s Art of War: If you know your enemy and know yourself, you need not fear the results of a hundred battles. Or in other words, the best form of defence is to learn the tactics that hackers use. Initial steps in the cyber kill chain are recce (using open-source intelligence), weaponisation (malware) and delivery (phishing and social engineering).

Open-source intelligence

Open-source intelligence (Osint) is used to collect and analyse information available in the public domain. There is a surprising amount of information openly available on people, companies and products that can be used to exploit systems. Sources of useful information are annual financial statements, social media and specialised sites. Shodan, for example, can be used to find exploits for PLC manufacturers for equipment connected to the Internet https://www.shodan.io.

When data is exfiltrated in a breach, hackers share or sell their bounty on the dark web. This includes dumps of user account names and passwords. This information, combined with Osint can make it easier to breach sites as people use the same passwords for multiple systems. For example, my data was leaked in breaches at eThekwini (2016) and Adobe (2013). Somebody could have tried these passwords to try to access my work systems if my passwords were the same. This is called ‘credential stuffing’. It pays to check to see if your or your employee’s account details have been breached on https://haveibeenpwned.com/. Sites are available to find or help to guess corporate email or login account details i.e.: https://hunter.io/.

Traditionally, companies have relied on air-gapping OT systems as a primary defence. This is no longer sufficient according to a recent report from Honeywell. USB media usage has increased by 30% in 2020 from 2019 and 79% of these threats are capable of disrupting OT. Consider the number of times USB media is connected to OT systems by users who are unaware of the risks. Threat actors know this vulnerability and design malware to be delivered by USB media to target OT systems.

Malware

Malware or malicious software is any software intentionally designed to cause damage to a computer, server, client, or computer network. Content-based malware (altered or infected documents using embedded scripts and macros) and Trojans (malware disguised as legitimate software) are the latest threats. Once the initial exploit is successful, backdoors are opened, remote access established to download additional threats, exfiltrate data and/or establish ‘command and control’ to potentially disrupt OT systems.

Social engineering

Social engineering is the art of influencing people into doing things they would not normally do. People can be unwittingly manipulated to download or execute malware, give up confidential or sensitive information such as account usernames, passwords, bank account numbers, credit card details and identity numbers. These actions and information can be used to breach systems. Risks have increased as more people are now working remotely due to the Covid-19 pandemic. Social engineering tactics can use intimidation, urgency, scarcity, authority, impersonation, familiarity and consensus. These are red flags that users need to be trained to identify.

Phishing

Phishing uses fraudulent emails or websites combined with soc ial engineering to trick users into providing sensitive information or to download malware. This malware can then find its way onto USB media. Phishing usually starts with an email urging you to click on an attachment or weblink to confirm details about online accounts. These emails often appear to originate from popular online institutions or someone you may know. When you click on the link, you are directed to a page where you are asked for information.

A physical firewall protects your IT network by identifying and stopping suspicious network traffic. One of the best defences is to turn people into human firewalls. This means continuous education about cyber threats and how to mitigate them.

Generic cybersecurity awareness training should be provided for all computer users. This will also benefit them when using the Internet for personal use. Specialised training is critical for high risk/influence groups such as executives, procurement, human resources, audit, risk, software development and OT.

Guidelines to consider:

• Ensure passwords are greater than eight characters long, do not re-use them and use a password manager i.e., Lastpass – https://www.lastpass.com).

• Use multifactor authentication for sensitive systems. This is where two or more verification factors are required to gain access.

• Be careful of what personal and work information you publish on social media.

• Keep personal and work systems separate. Use private email for personal use i.e. banking, medical aid, social media, insurance, etc.

Training can only go so far. Companies should run ongoing phishing simulations to check how effective their ‘human firewalls’ are performing. This will highlight users that are repeat offenders and need attention.

References

Shapshak T, 2021, Note to Transnet: Cyberattacks only work when there are vulnerabilities to exploit, https://www.dailymaverick.co.za/opinionista/2021-08-04-transnet-ports-closed-and-were-in-the-dark/

Dholakiya P, What Is the Cyber Kill Chain and How It Can Protect Against Attacks, https://www.computer.org/publications/tech-news/trends/what-is-the-cyber-kill-chain-and-how-it-can-protect-against-attacks

Zerofox, 2021, Understanding Credential Stuffing for Effective Protection, https://www.zerofox.com/blog/understanding-credential-stuffing/

Honeywell, 2021 Industrial cybersecurity USM Threat Report 2021, https://www.honeywell.com/content/dam/honeywellbt/en/images/content-images/cybersecurity-threat-report-2021/Industrial%20Cybersecurity%20USB%20Threat%20Report%20v5.pdf

Wikipedia, Malware, https://en.wikipedia.org/wiki/Malware

Wolfpack, 2021, PHISHING SURVIVAL GUIDE, https://store.alertafrica.com/advice-and-guidance/devices/phishing-survival-guide/

Chiwanza S, 2020, PASSWORDS, https://store.alertafrica.com/advice-and-guidance/applications/passwords/

Steel A, 2012, New study: Passwords are still the weakest link, https://blog.lastpass.com/2012/03/latest-review-of-security-issues-and/

Please contact me to share your ideas, or if you have been breached or need help. You can also report breaches at the national Computer Security Incident Response Team (CSIRT) at cshubcsirt@cybersecurityhub.gov.za.


About Bryan Baxter


Bryan Baxter.

Bryan Baxter has been in the IT Industry since 1992 in various roles before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, bryan@wolfpackrisk.com, www.wolfpackrisk.com




Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Attaining a sustainable legacy
Technews Publishing (SA Instrumentation & Control) Editor's Choice News
Through this quagmire of crises and uncertainties, the wheels of industry must continue to turn if we are to sustain our modern way of life, and those wheels are, either directly or indirectly, powered by electricity.

Read more...
Meeting the challenges of water management with sensor technology
ifm - South Africa Editor's Choice Analytical Instrumentation & Environmental Monitoring
Holistic solutions for the automation and monitoring of plants are a key element for the efficient and sustainable water supply of the future.

Read more...
From Industry 4.0 to Industry Green.0
Rockwell Automation Editor's Choice News
As sustainability becomes a business imperative for manufacturing organisations, they must incorporate sustainability goals into every step of the business lifecycle – because purpose and profit must go hand in hand.

Read more...
Combining the best of hydraulics with the advantages of electric
Parker Hannifin - Sales Company South Africa Editor's Choice
While battery technologies continue to evolve and overcome challenges that have previously restricted more rapid electrification adoption rates, hybrid electric systems are well positioned as an ideal interim solution.

Read more...
The route to proactive maintenance
Comtest Editor's Choice Maintenance, Test & Measurement, Calibration
What were once complex tasks can now be accomplished by less experienced technicians with easy-to-use tools such as vibration screeners and thermal imagers.

Read more...
LED strips enhance efficient pick-to-light C-parts management
Turck Banner Editor's Choice Operator Interfaces, Switches & Relays
KEB Automation used Turck’s WLS15 strip lights to refine its assistance system for C-parts management into an efficient and failsafe pick-to-light solution.

Read more...
Young unemployed graduate gets kickstart to his career
ABB South Africa Editor's Choice News
The training provided by ABB is hands-on and will see Momelezi Sifumba rotate through different departments and activities to ensure his practical experience is as well-rounded as possible.

Read more...
Case History 183: Bad valve split-ranging causing problems
Michael Brown Control Engineering Editor's Choice System Integration & Control Systems Design
Pressure control is one of the processes that can be self-regulating or integrating, and it is sometimes very difficult to determine which type it is.

Read more...
Sensors train many eyes on FMCGs
VEGA Controls SA Editor's Choice Sensors & Transducers
Profit margins on consumer goods are small, which makes it all the more important for producers to have smooth, efficient operating processes.

Read more...
Optimised, PC-based food production
Beckhoff Automation Editor's Choice System Integration & Control Systems Design
Foodjet’s MDL food printers can portion and deposit toppings with maximum precision, whether coating pizza dough with a perfect layer of tomato sauce, or icing doughnuts with seasonal decorations.

Read more...