Are organizations only concerned with undertaking the right measures to mitigate cyber risk after they have been cyberattacked? This may be the case in most situations, but the more important question to ask is: which cybersecurity controls should organizations consider?
The answer is straightforward: the controls that have the biggest impact on reducing the likelihood or the impact of a successful cyberattack.
Cyber risk is generally defined in terms of the threat to the system, the system's vulnerability, and the resulting consequences. Therefore, to successfully protect Information Technology (IT) and Operational Technology (OT) systems, companies must understand the tactics, techniques, and procedures (TTPs) that threat actors use to achieve their desired objective.
Here are several examples of well-documented cyberattacks on critical national infrastructure over the past two decades:
In 2010, arguably the most sophisticated cyberattack to date was executed against an Iranian uranium enrichment facility, exposing the weakness of cybersecurity controls and the vulnerability of OT environments. The STUXNET worm was designed specifically to target these environments, which allowed the threat actor to exploit and disrupt production operations, causing downtime and business impact.
STUXNET was the eureka moment for the energy and manufacturing industries: OT environments can be breached, and a breach can have an impact on their business, on human lives, on the environment, and on economies. Unfortunately, it was a eureka moment for threat actors too. OT cyberattacks surged rapidly, and the attack techniques used by threat actors, in terms of creativity and ingenuity in achieving their malicious objectives, have evolved ever since.
In 2015, Ukraine was hit by another massive cyberattack that shut off power at 30 substations and left millions of people without electricity for up to six hours. SCADA equipment was rendered inoperable, and power restoration had to be completed manually, which further delayed restoration efforts. So how was this achieved? It must have been very sophisticated, surely? Actually, not.
Spear phishing was used to introduce the BlackEnergy malware, which exploited macros in Excel-based documents on computer systems at the plants. In other words, the threat actors did nothing different from using known TTPs for cyberattacks on IT environments. The same exploitation tools were used to find user credentials, escalate privileges, move laterally in the network, and send malicious commands to disrupt plant operations.
The 2015 cyberattack seemed like an experiment, as barely a year later the Ukrainian power grid was attacked again. This time the capital city, Kiev, went dark as breakers tripped in a large number of substations. The threat actors also jammed the utility's call centers to prevent customers from reporting the outage by launching a Telephone Denial of Service (TDoS) attack. The approach was more sophisticated, as the threat actors directly manipulated the SCADA systems using CRASHOVERRIDE, the first known malware specifically designed to target power grids directly, anywhere in the world, with the ability to wipe or delete files and disable processes such as malware protection and even software from OT vendors.
This was another eureka moment: national power grids are not safe from threat actors either.
One of the most concerning cyberattacks came in 2017, when the TRITON malware targeted specific safety-critical Programmable Logic Controllers (PLCs) in the Middle East. The function of these PLCs is to protect plants and people from disasters caused by mechanical failure.
In 2018, advanced persistent threat (APT) attacks on industrial environments continued to rise, and industrial espionage increased. After 2019, there was a drastic increase in ransomware activity in OT environments, including the manufacturing, water treatment, and pipeline industries.[1]
Recently, the Cybersecurity and Infrastructure Security Agency (CISA)[2] launched the Cross-Sector Cybersecurity Performance Goals (CPG)[3], a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risk to critical national infrastructure and the communities it supports.