Editor's Choice


Security for operational technology: Part 2: How much of a cyber threat are people to OT systems and what can be done?

September 2021 Editor's Choice

The recent cyber-attack on Transnet is a wake-up call that South African companies are not immune from cyber threats. The incident impacted logistics on a national scale. A cyber breach is highly probable if basic defences are not in place and someone with the right resources decides to target you.

Cybersecurity controls can be categorised into people, process and technology. Technology normally gets the most attention and budget. The reality is that operational technology (OT) systems are designed, implemented, supported and used by people. People are the weakest link in terms of cybersecurity and therefore the easiest to exploit. Cybersecurity awareness training is often generic, neglected or the first cost to be cut.

According to Sun Tzu’s Art of War: If you know your enemy and know yourself, you need not fear the results of a hundred battles. Or in other words, the best form of defence is to learn the tactics that hackers use. Initial steps in the cyber kill chain are recce (using open-source intelligence), weaponisation (malware) and delivery (phishing and social engineering).

Open-source intelligence

Open-source intelligence (Osint) is used to collect and analyse information available in the public domain. There is a surprising amount of information openly available on people, companies and products that can be used to exploit systems. Sources of useful information are annual financial statements, social media and specialised sites. Shodan, for example, can be used to find exploits for PLC manufacturers for equipment connected to the Internet https://www.shodan.io.

When data is exfiltrated in a breach, hackers share or sell their bounty on the dark web. This includes dumps of user account names and passwords. This information, combined with Osint can make it easier to breach sites as people use the same passwords for multiple systems. For example, my data was leaked in breaches at eThekwini (2016) and Adobe (2013). Somebody could have tried these passwords to try to access my work systems if my passwords were the same. This is called ‘credential stuffing’. It pays to check to see if your or your employee’s account details have been breached on https://haveibeenpwned.com/. Sites are available to find or help to guess corporate email or login account details i.e.: https://hunter.io/.

Traditionally, companies have relied on air-gapping OT systems as a primary defence. This is no longer sufficient according to a recent report from Honeywell. USB media usage has increased by 30% in 2020 from 2019 and 79% of these threats are capable of disrupting OT. Consider the number of times USB media is connected to OT systems by users who are unaware of the risks. Threat actors know this vulnerability and design malware to be delivered by USB media to target OT systems.

Malware

Malware or malicious software is any software intentionally designed to cause damage to a computer, server, client, or computer network. Content-based malware (altered or infected documents using embedded scripts and macros) and Trojans (malware disguised as legitimate software) are the latest threats. Once the initial exploit is successful, backdoors are opened, remote access established to download additional threats, exfiltrate data and/or establish ‘command and control’ to potentially disrupt OT systems.

Social engineering

Social engineering is the art of influencing people into doing things they would not normally do. People can be unwittingly manipulated to download or execute malware, give up confidential or sensitive information such as account usernames, passwords, bank account numbers, credit card details and identity numbers. These actions and information can be used to breach systems. Risks have increased as more people are now working remotely due to the Covid-19 pandemic. Social engineering tactics can use intimidation, urgency, scarcity, authority, impersonation, familiarity and consensus. These are red flags that users need to be trained to identify.

Phishing

Phishing uses fraudulent emails or websites combined with soc ial engineering to trick users into providing sensitive information or to download malware. This malware can then find its way onto USB media. Phishing usually starts with an email urging you to click on an attachment or weblink to confirm details about online accounts. These emails often appear to originate from popular online institutions or someone you may know. When you click on the link, you are directed to a page where you are asked for information.

A physical firewall protects your IT network by identifying and stopping suspicious network traffic. One of the best defences is to turn people into human firewalls. This means continuous education about cyber threats and how to mitigate them.

Generic cybersecurity awareness training should be provided for all computer users. This will also benefit them when using the Internet for personal use. Specialised training is critical for high risk/influence groups such as executives, procurement, human resources, audit, risk, software development and OT.

Guidelines to consider:

• Ensure passwords are greater than eight characters long, do not re-use them and use a password manager i.e., Lastpass – https://www.lastpass.com).

• Use multifactor authentication for sensitive systems. This is where two or more verification factors are required to gain access.

• Be careful of what personal and work information you publish on social media.

• Keep personal and work systems separate. Use private email for personal use i.e. banking, medical aid, social media, insurance, etc.

Training can only go so far. Companies should run ongoing phishing simulations to check how effective their ‘human firewalls’ are performing. This will highlight users that are repeat offenders and need attention.

References

Shapshak T, 2021, Note to Transnet: Cyberattacks only work when there are vulnerabilities to exploit, https://www.dailymaverick.co.za/opinionista/2021-08-04-transnet-ports-closed-and-were-in-the-dark/

Dholakiya P, What Is the Cyber Kill Chain and How It Can Protect Against Attacks, https://www.computer.org/publications/tech-news/trends/what-is-the-cyber-kill-chain-and-how-it-can-protect-against-attacks

Zerofox, 2021, Understanding Credential Stuffing for Effective Protection, https://www.zerofox.com/blog/understanding-credential-stuffing/

Honeywell, 2021 Industrial cybersecurity USM Threat Report 2021, https://www.honeywell.com/content/dam/honeywellbt/en/images/content-images/cybersecurity-threat-report-2021/Industrial%20Cybersecurity%20USB%20Threat%20Report%20v5.pdf

Wikipedia, Malware, https://en.wikipedia.org/wiki/Malware

Wolfpack, 2021, PHISHING SURVIVAL GUIDE, https://store.alertafrica.com/advice-and-guidance/devices/phishing-survival-guide/

Chiwanza S, 2020, PASSWORDS, https://store.alertafrica.com/advice-and-guidance/applications/passwords/

Steel A, 2012, New study: Passwords are still the weakest link, https://blog.lastpass.com/2012/03/latest-review-of-security-issues-and/

Please contact me to share your ideas, or if you have been breached or need help. You can also report breaches at the national Computer Security Incident Response Team (CSIRT) at cshubcsirt@cybersecurityhub.gov.za.


About Bryan Baxter


Bryan Baxter.

Bryan Baxter has been in the IT Industry since 1992 in various roles before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, bryan@wolfpackrisk.com, www.wolfpackrisk.com


Credit(s)



Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Case History 179: Some unusual measurement and control problems
September 2021, Michael Brown Control Engineering , Editor's Choice
The example given in this article illustrates some mistakes made by the system integrators and control engineers at a metals extraction plant that used a well-known make of PLC and scada for its controls.

Read more...
Tag-specific requirements in RFID systems for track and trace
September 2021, Turck Banner , Editor's Choice, Industrial Wireless
The BL ident complete RFID system from Turck Banner offers solutions in the HF or UHF range with interfaces for use in a plant or switch cabinet.

Read more...
Loop Signatures 8: Final control elements – Part 4: the infamous stick-slip cycle
August 2021, Michael Brown Control Engineering , Editor's Choice
An inherent phenomenon occurring in most control valves that few people are aware of is ‘stick-slip’.

Read more...
How safe are our factories? Part 1: Cybersecurity for operational technology.
August 2021, Wolfpack Information Risk , IT in Manufacturing
If companies are regularly being subjected to cyber hacks overseas, isn’t it only a matter of time before someone with enough motivation, skill and resources targets us?

Read more...
OT the executor, IT the overseer, IIoT the enabler
August 2021 , Editor's Choice
It is a fascinating and daunting time to be working as professionals in the OT and IT worlds.

Read more...
Of gorillas and swarms – the manufacturing CIO’s new dilemma
July 2021, Absolute Perspectives , Editor's Choice
Back in the heyday of integrated business systems, the manufacturing CIO was faced with a relatively simple choice: which big ERP vendor to select and what database technology to run the system on?

Read more...
Case History 178: An over-filtered hydrogen flow loop
July 2021, Michael Brown Control Engineering , Editor's Choice
A good example that shows how lack of knowledge of the practicalities of control can result in terrible control characteristics.

Read more...
Loop Signatures 1: Introduction to the Loop Problem Signatures series
May 2020, Michael Brown Control Engineering , Editor's Choice
Over the years I have had many requests to write a book giving more detailed explanations of some of the problems I have encountered in my work on practical loop optimisation. I am by nature and inclination ...

Read more...
Loop Signatures 7: Final control elements – Part 3 hysteresis and deadband
June 2021, Michael Brown Control Engineering , Editor's Choice
Some of the biggest problems associated with the final control element are hysteresis and backlash.

Read more...
MES, OT and the IIoT – what’s required for digitalisation?
May 2021 , Editor's Choice
Hand over the data decisions to the OT guys? Calm down IT professionals, there is a time and a place for everything.

Read more...