You’re Not Too Small for Hackers
EP Editorial Staff | December 4, 2019
There is little validity in the belief that your enterprise is not important enough to warrant a cyberattack.
By Dave Weinstein, CSO, Claroty
All too often organizations, large and small, adopt the (naïve) mindset that, “I won’t be attacked. I’m not worth it.” These are fast becoming the famous last words for companies that are victimized by targeted and non-targeted attacks.
There are two essential components to every cyberattack. First, the person or people behind the attack must possess the capability to execute it. Second, they must have the will to use that capability. Both variables depend, in part, on the target, be it a specific endpoint or network, an organization, or a group of organizations united by some common characteristic.
This might sound comforting to those who subscribe to the “I won’t be attacked. I’m not worth it.” theory. As long as they stay out of the attacker’s crosshairs, they won’t have anything to worry about. They can simply neglect security and spend their limited resources, time and money, elsewhere.
This thinking, however, ignores two key considerations. First, what you, as an end user, think is interesting and what an attacker thinks is interesting are, more than likely, two very different things. Second, much of the havoc wreaked by hackers over the past several years falls into the category of collateral damage. Countless victims have been caught up in recent attacks despite no apparent intention on the attacker’s part to target them.
Case in point is NotPetya, the global 2017 campaign that presented itself as ransomware but, in practice, behaved as a destructive wiper: its encryption was not designed to be reversible. Researchers and governments have attributed the attack to Russian government actors. Yet infections were also reported inside Russia. In other words, while the people who developed NotPetya and exercised the will to launch it were not targeting organizations in their own country, the malware nonetheless made its way into Russian networks.
The lesson of NotPetya is about more than just the malware’s boomerang effect. It is a story of malware that spread like an uncontrollable and fast-moving wildfire around the globe. The entire campaign registered damages of more than $10 billion, with multinational giants such as Merck, Maersk, Mondelez, and FedEx among the victims. Aside from each suffering tens to hundreds of millions of dollars in downtime and recovery costs, not to mention reputational harm, they share one thing in common: They all represent NotPetya’s powerful “spillover” effect, i.e., none were the (intended) targets of the attack.
By all accounts, NotPetya was developed and executed to produce disruptive effects in Ukraine, Russia’s neighbor and geopolitical rival. The attackers compromised M.E.Doc, a popular Ukrainian tax-preparation software vendor, and pushed the malware to its customers through the product’s own update mechanism. The malware spread so aggressively that it quickly found its way outside of Ukraine through M.E.Doc’s customers and their third parties. Before long, it was everywhere.
Buried in this narrative is the fact that M.E.Doc hadn’t patched its servers since 2013, making life that much easier for the Russian attackers. Perhaps they subscribed to the belief that nobody would ever target them. It’s worth noting here that organizations often underestimate their value to an attacker, and a software vendor with an update channel into thousands of customer networks is valuable precisely because of where its updates go, not because of what it sells. Remember, from the hacker’s perspective, the cost of conducting a cyberattack is minimal. Not only are most organizations susceptible to relatively basic and cheap tactics such as spearphishing, but the likelihood of a hacker being held accountable for their actions is extremely low. In fact, the lower the profile of the target, the lower the risk to the hacker. In the case of M.E.Doc, it was too late by the time investigators arrived on the scene.
Of course, M.E.Doc wasn’t the only violator of good cyber hygiene. The NotPetya malware used an exploit known as EternalBlue, allegedly leaked from the U.S. National Security Agency and repurposed for criminal use. It exploited a known vulnerability in the Windows Server Message Block version 1 (SMBv1) implementation. Microsoft had patched that vulnerability in March 2017 (MS17-010), two months before WannaCry, the global ransomware attack of May 2017, and released emergency patches for unsupported Windows versions in WannaCry’s wake. Yet by late June, when NotPetya struck, many organizations had still not applied the fix, including those victimized by NotPetya. Patching alone would not have fully contained it, either: NotPetya also moved between machines using credentials harvested from memory and legitimate Windows administration tools, so a single unpatched host could hand an attacker the credentials to reach patched ones. Not surprisingly, the consequences were dire.
The moral of NotPetya is simple: Organizations shouldn’t be asking themselves if they will be attacked. They should be considering how to prepare themselves for when they are attacked. In the midst of an incident response, it matters little who attacked you, and how they got in matters only insofar as it tells you what to contain. What matters is limiting the damage and recovering as quickly as possible.
Much of the focus on cybersecurity these days is on the threat. Indeed, threat is a fundamental component of cyber risk, and organizations must remain vigilant of the different actors and their tactics, techniques, and procedures (TTPs) to maintain a solid defensive posture. But much of the cyber risk these days, particularly as it relates to industrial networks, is inextricably linked to the evolution of the technological ecosystem and rapidly changing business requirements.
First and foremost, information technology (IT) and operational technology (OT) networks are converging at a rapid pace, and often in an ungoverned manner. Long gone are the days of the “air gap,” when plant operators had the luxury of relying on isolation for security. The implicit trust built into industrial-control systems and their protocols, which was defensible while those systems were isolated, has become a liability because of increased connectivity among process-control environments and, more critically, a lack of segmentation between IT and OT networks. This phenomenon, combined with growing demands for remote access for the dual purpose of maintenance and predictive analytics, is introducing new attack vectors with very few, and sometimes no, compensating security controls in place.
Complicating matters even more is the massive increase of Internet of Things (IoT) devices residing in OT networks. The oft-quoted Gartner research forecasts 14.2-billion connected things will be in use in 2019. The market-research firm also projects that the total number will reach 25 billion in 2021. Legitimate business requirements are driving this IoT proliferation in the name of increasing efficiency, productivity, and convenience. However, the resulting digital transformation is not without cost or risk.
Managing the Risk
The first step to managing the new risks brought about by these technological and business innovations is to gain full visibility of your IoT and OT devices. As the cybersecurity maxim goes, “you cannot protect what you cannot see.” Unfortunately, owners and operators of industrial and IoT equipment are too often unaware of what is on, and connected to, their networks. Once you establish broad visibility of the devices on your network, the next step is to go deep.
Given the nature of plant networks, unless you’re performing deep packet inspection (DPI) on your OT network, you’re simply not going to detect the operational anomalies or security threats that can lead to downtime or even physical damage and hazardous conditions. The actions that change a process, such as a register write or a logic download, are only visible inside the industrial-protocol payload; a flow record shows that two hosts talked, not what one told the other to do. It’s this type of monitoring, for example, that will detect remnants of WannaCry, the aforementioned ransomware, which still lingers on OT networks all over the world.
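The following is an added example, not code from the article or from Claroty: a minimal deep-packet-inspection routine of the kind the paragraph above describes, applied to the protocol the EternalBlue discussion earlier on this page concerns. It reads the first bytes of captured TCP/445 payloads, parses the dialect list from an SMBv1 Negotiate Protocol request, and reports which hosts still speak only SMBv1, the protocol version MS17-010 patched and WannaCry and NotPetya exploited. The hosts, IP addresses and payloads are constructed for illustration; the byte layout follows the published SMB1 header format (4-byte NetBIOS session header, 32-byte SMB header, WordCount, ByteCount, then 0x02-prefixed NUL-terminated dialect strings).

```python
"""Passive SMBv1 dialect check over captured TCP/445 payloads (added example)."""
import struct

SMB1_MAGIC = b"\xffSMB"      # protocol ID of an SMB1 header
SMB2_MAGIC = b"\xfeSMB"      # protocol ID of an SMB2/SMB3 header
SMB1_NEGOTIATE = 0x72        # SMB_COM_NEGOTIATE command byte
NETBIOS_HDR = 4              # NetBIOS session service header length
SMB1_HDR = 32                # fixed SMB1 header length


def parse_smb1_negotiate_dialects(payload: bytes) -> list[str]:
    """Return the dialect strings offered in an SMB1 Negotiate Protocol request.

    `payload` is the raw TCP payload. Returns [] when the payload is not an
    SMB1 negotiate request or is too short to parse safely.
    """
    if len(payload) < NETBIOS_HDR + SMB1_HDR + 3:
        return []
    smb = payload[NETBIOS_HDR:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB1_NEGOTIATE:
        return []
    word_count = smb[SMB1_HDR]                   # number of 16-bit parameter words
    params_end = SMB1_HDR + 1 + 2 * word_count
    if len(smb) < params_end + 2:
        return []
    byte_count = struct.unpack_from("<H", smb, params_end)[0]
    data = smb[params_end + 2: params_end + 2 + byte_count]
    dialects = []
    for entry in data.split(b"\x00"):
        if entry.startswith(b"\x02"):            # BufferFormat 0x02 = dialect string
            dialects.append(entry[1:].decode("ascii", errors="replace"))
    return dialects


def classify_smb_session(payload: bytes) -> str:
    """Classify the first client message of a session on TCP/445."""
    magic = payload[NETBIOS_HDR:NETBIOS_HDR + 4]
    if magic == SMB2_MAGIC:
        return "smb2+"                           # client negotiated SMB2/3 directly
    if magic != SMB1_MAGIC:
        return "not-smb"
    dialects = parse_smb1_negotiate_dialects(payload)
    if not dialects:
        return "smb1-other"                      # SMB1, but not a negotiate request
    if any(d.startswith("SMB 2.") for d in dialects):
        return "smb1-negotiate-offers-smb2"      # legacy-style handshake, SMB2-capable client
    return "smb1-only"                           # never offers SMB2: legacy device or SMB1-only tool


def build_smb1_negotiate(dialects: list[str]) -> bytes:
    """Construct an SMB1 Negotiate Protocol request (for the sample data below)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + b"\x00" * 27   # status..MID zeroed
    body = bytes([0]) + struct.pack("<H", len(data)) + data        # WordCount=0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb             # NetBIOS session header


# Constructed sample: (source IP, first payload sent to port 445). Not real captures.
SAMPLE_FLOWS = [
    ("10.0.5.17", build_smb1_negotiate(
        ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("10.0.5.42", build_smb1_negotiate(["NT LM 0.12"])),
    ("10.0.5.80", b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60),
    ("10.0.5.99", b"GET / HTTP/1.1\r\n"),
]


def find_smb1_only_hosts(flows) -> list[str]:
    """Hosts whose SMB negotiate never offers an SMB2 dialect: review each one."""
    return sorted({src for src, payload in flows
                   if classify_smb_session(payload) == "smb1-only"})


if __name__ == "__main__":
    for src, payload in SAMPLE_FLOWS:
        print(src, classify_smb_session(payload), parse_smb1_negotiate_dialects(payload))
    print("SMBv1-only hosts:", find_smb1_only_hosts(SAMPLE_FLOWS))
```

A host that offers only SMB1 dialects is not proof of infection, but on a plant network it is exactly the short list worth walking through by hand: legacy HMIs and vendor laptops that cannot speak SMB2, or a scanner that was never meant to be there.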
But DPI does more than just detect and prevent threats. It can also identify vulnerabilities and support a variety of response functions. Like IT devices, OT devices are often vulnerable to known exploits. Patching is not a trivial exercise in a plant environment, but it’s critical to manage your vulnerabilities by correlating each device, based on its model and firmware version, with published and unpublished vulnerability data. Doing so empowers owners and operators to make informed decisions about which vulnerabilities to patch, which to mitigate with compensating security controls, and which to leave alone.
Once you’ve established full visibility of your assets and implemented continuous security monitoring and vulnerability management, it is essential to control the remote-access attack vector. Third-party connections are a hacker’s dream when it comes to OT networks. Any solution should not only gate these access points (who may connect, to which asset, when, and with what level of privilege), but also continuously monitor the sessions and enforce the policy, flagging or terminating sessions that violate it.
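The three steps above (an asset inventory, correlation of each device’s model and firmware with vulnerability data, and policy enforcement on third-party remote access) fit together as one workflow. The following is an added example, not the article’s or any vendor’s code, that shows that workflow over constructed data: every vendor, model, firmware version, advisory and session record below is fictional and corresponds to no real product or vulnerability. Inventory records are assumed to have already been learned from passive identification traffic; the session log format (`HH:MM source destination operation`) is an assumption for the example.

```python
"""Inventory, firmware-based vulnerability correlation and remote-access policy
checks over constructed OT data (added example)."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Asset:
    ip: str
    vendor: str
    model: str
    firmware: str


# Constructed inventory, as passive DPI might have learned it. Fictional devices.
INVENTORY = [
    Asset("10.10.1.5", "ExampleVendor", "PLC-100", "2.3.1"),
    Asset("10.10.1.6", "ExampleVendor", "PLC-100", "3.0.0"),
    Asset("10.10.1.20", "ExampleVendor", "HMI-7", "1.8.0"),
]

# Constructed advisory data (hypothetical IDs): firmware below `fixed_in` is affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "vendor": "ExampleVendor", "model": "PLC-100",
     "fixed_in": "2.4.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-2", "vendor": "ExampleVendor", "model": "HMI-7",
     "fixed_in": "2.0.0", "severity": "medium"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def affected_assets(inventory, advisories) -> list[tuple[str, str]]:
    """(asset IP, advisory ID) for every device whose firmware predates the fix."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            same_product = (asset.vendor, asset.model) == (adv["vendor"], adv["model"])
            if same_product and parse_version(asset.firmware) < parse_version(adv["fixed_in"]):
                hits.append((asset.ip, adv["id"]))
    return hits


# Constructed remote-access policy: which external source may reach which asset,
# during which maintenance window, and whether it may write to the process.
REMOTE_ACCESS_POLICY = {
    "10.10.1.5": {"allowed_sources": {"192.0.2.10"}, "window": (time(8), time(18)), "allow_write": False},
    "10.10.1.6": {"allowed_sources": {"192.0.2.10"}, "window": (time(8), time(18)), "allow_write": True},
    "10.10.1.20": {"allowed_sources": set(), "window": None, "allow_write": False},
}

# Constructed session records: "HH:MM source destination operation".
SESSION_LOG = """\
09:15 192.0.2.10 10.10.1.5 read
09:20 192.0.2.10 10.10.1.5 write
23:40 192.0.2.10 10.10.1.6 write
10:05 198.51.100.7 10.10.1.6 read
11:00 192.0.2.10 10.10.1.20 read
"""


def check_sessions(log: str, policy: dict) -> list[tuple[str, str]]:
    """Return (record, reason) for every session that violates the policy.

    Checks run in order of severity: an unauthorised source is reported before
    a time-window or write violation on the same record.
    """
    violations = []
    for line in log.splitlines():
        hhmm, src, dst, op = line.split()
        rule = policy.get(dst)
        if rule is None or src not in rule["allowed_sources"]:
            violations.append((line, "source not authorised for asset"))
            continue
        if rule["window"] is None:
            violations.append((line, "no remote access window defined"))
            continue
        start, end = rule["window"]
        if not (start <= time.fromisoformat(hhmm) <= end):
            violations.append((line, "outside maintenance window"))
            continue
        if op == "write" and not rule["allow_write"]:
            violations.append((line, "write not permitted"))
    return violations


if __name__ == "__main__":
    for ip, adv in affected_assets(INVENTORY, ADVISORIES):
        print("affected:", ip, adv)
    for record, reason in check_sessions(SESSION_LOG, REMOTE_ACCESS_POLICY):
        print("violation:", reason, "|", record)
```

Two design points carry over to real deployments: versions must be compared numerically (as strings, "10.0" sorts before "9.1"), and the policy check should fail closed, treating an asset with no defined window or source list as one nobody may reach remotely.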
In addition to leveraging technologies such as DPI, vulnerability management, and remote-access control, there are many valuable industry resources that offer guidance designed to improve your cybersecurity posture. Recognizing the risks inherent in IoT devices, the National Institute of Standards and Technology (NIST), Gaithersburg, MD (nist.gov), recently published a report titled Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NISTIR 8228), the first in a series on the topic. Within it, NIST cites a complementary report, Guide to Industrial Control Systems (ICS) Security (NIST SP 800-82). Both are worthy reads for plant-operations personnel.
It’s no secret that OT networks were never built with security in mind; safety and resilience were the key design goals. Our ever-more-connected world, despite its “triple promise” of greater efficiency, productivity, and convenience, makes industrial-control systems that much more attractive and vulnerable to hackers. So, yes, believe it: You are indeed worthy of being hacked or, arguably worse, of becoming a spillover target of the next major ransomware attack.
Dave Weinstein is the chief security officer at Claroty, New York (claroty.com). Prior to joining the company, Weinstein was the chief technology officer for the state of New Jersey. He began his career as an operations planner at U.S. Cyber Command, where he served for three years. Weinstein holds a Bachelor’s degree from Johns Hopkins Univ., Baltimore, and a Master’s degree from the Georgetown Univ. School of Foreign Service in Washington. He is also a non-resident Cybersecurity Policy Fellow at New America, Washington (newamerica.org).