Pro-Russian Hacktivists Pose Significant Threat to Operational Technology

Tim Freestone | Everfox

A multinational group of government cyber security agencies has combined to issue an urgent warning to OT operators to safeguard against the continued malicious cyber activity conducted by pro-Russia hacktivists. Agencies from the USA, including the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA); from Canada, the Canadian Centre for Cyber Security (CCCS); and from the UK, the National Cyber Security Centre (NCSC), have jointly authored a fact sheet with the information and are urging immediate action to defend against the activity.

Overview

The CISA fact sheet explains that the co-authors are aware of pro-Russia hacktivists seeking to compromise Operational Technology (OT) systems such as those running water and waste water systems, energy providers, and food and agriculture manufacturers. Whilst actions to date have been limited to manipulating equipment to cause nuisance effects, it is understood that the hacktivist groups are capable of more sophisticated techniques which would pose a physical threat against vulnerable OT systems.

CISA Pro-Russia Hacktivist Report

Activity

To date, the activity has focussed on gaining access to internet-exposed OT networks and then accessing software components such as human machine interfaces (HMIs) to cause critical equipment to run outside normal operating parameters. Threat actors have used Virtual Network Computing (VNC) software to take remote control of the networks, either by using default credentials, by using accounts with only simple password authentication, or by exploiting vulnerabilities in the outdated software being used to provide remote access.

Action

The recently released fact sheet recommends applying the immediate mitigations it lists today. A copy of the fact sheet can be found here.

Everfox Response

While the immediate response to this news might be to attempt to remove internet access from OT networks, the reality is that to remain operational an organization often requires some form of external connection. This need is only going to increase as critical infrastructure organizations move towards Industry 4.0 and make more use of remote interconnected services.

The short-term mitigations identified in the fact sheet should be followed as soon as possible: actions such as changing default passwords, implementing multi-factor authentication, and patching out-of-date software. However, it is not just technology that will prevent successful attacks of this nature. As with all cyber-related challenges, there are also people and process to consider. All three need to be considered together when forming a successful cyber defense strategy. People are often the first line of defense but can also be the weakest link. Human error can lead to significant security breaches, and insider threats pose substantial risks, while robust processes can ensure the basics are in place, such as software updates, auditing and backups.

Longer term, organizations should be looking to implement security solutions that provide robust, assured defenses against the recent attacks highlighted, but more importantly against the more sophisticated ones that are surely coming. An organization’s defenses must stop attacks while still enabling the necessary remote access and transfer of information that enable critical infrastructure organizations to work efficiently.

The Solution

This issue is not dissimilar to the need for government agencies to provide connectivity into their networks which once would have been isolated. In that case, the need to share information quickly and efficiently outweighs the risk of attackers using the connection to get into the sensitive networks.

For over 25 years, Everfox has provided solutions to safely connect the unconnectable. As the threat levels have increased, our defenses have been improved. Where once a firewall may have provided adequate protection, now application layer proxies and deep content inspection provide much stronger control over data flowing into and out of a network. Where defenses previously relied only on general purpose security appliances, such as firewalls, VPNs, and routers, there are now new, more advanced security technologies that provide additional, improved protection.

These can include Data Guards, available in both software and hardware. They are built to allow only very specific data to pass between the OT, IT, and public networks, thus offering the next level of protection. Both software and hardware data guards offer similar protection by relying on high assurance foundations. Software guards operate on security-enhanced operating systems, including SELinux, which was developed by the US National Security Agency.
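The principle of allowing only very specific data to pass can be illustrated with a small content-inspection filter. This is an added sketch, not Everfox code and not taken from the CISA fact sheet; the telemetry schema, field names, size limit and sample messages are assumptions made for illustration.

```python
import json
import math
import re

MAX_BYTES = 256  # assumed upper bound for one OT telemetry message

# Hypothetical schema: field -> (exact type, validator). Unlisted fields are refused.
SCHEMA = {
    "tag": (str, lambda v: re.fullmatch(r"[A-Z0-9_]{1,24}", v) is not None),
    "value": (float, lambda v: math.isfinite(v) and -1e6 <= v <= 1e6),
    "ts": (int, lambda v: 0 <= v < 2**32),
}

def _no_duplicate_keys(pairs):
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate key")
    return dict(pairs)

def _reject_constant(name):
    # Called by the json module for NaN, Infinity and -Infinity.
    raise ValueError("non-finite number")

def guard_filter(raw: bytes):
    """Return a rebuilt message if raw matches SCHEMA exactly, else None."""
    if len(raw) > MAX_BYTES:
        return None
    try:
        msg = json.loads(raw.decode("utf-8"),
                         object_pairs_hook=_no_duplicate_keys,
                         parse_constant=_reject_constant)
    except ValueError:  # also covers UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(msg, dict) or set(msg) != set(SCHEMA):
        return None
    for field, (ftype, ok) in SCHEMA.items():
        value = msg[field]
        # Exact type match: a JSON boolean must not pass as an integer.
        if type(value) is not ftype or not ok(value):
            return None
    # Forward a freshly serialized message, never the sender's original bytes.
    return json.dumps({k: msg[k] for k in SCHEMA}, separators=(",", ":")).encode()

if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    for sample in (b'{"tag":"PUMP_1","value":21.5,"ts":1714000000}',
                   b'{"tag":"PUMP_1","value":21.5,"ts":1714000000,"cmd":"stop"}'):
        print(sample, "->", guard_filter(sample))
```

The filter fails closed: anything that is oversized, malformed, ambiguous or outside the schema is dropped rather than repaired.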

Hardware solutions are implemented with hardware logic applied in Field Programmable Gate Arrays (FPGAs). These may not be as flexible as software guards, but they offer high assurance that attackers cannot find and exploit vulnerabilities in the key security-enforcing components of a gateway. Both solutions offer far more security than what is currently used today.

The key takeaway here is that there are solutions that deliver operational connectivity alongside robust cybersecurity. To find out more about Everfox and the solutions we provide, contact us today.