Evolving cyber threats push organizations to chalk out improved incident response, business continuity, disaster recovery plans

With the growing threat of cybersecurity incidents targeting critical infrastructure installations, governments and organizations around the world are forced to roll out their best defense in a rapidly evolving cyber threat environment and work on building resilience. As vulnerabilities and interdependencies increase, preventative cybersecurity measures are proving to be insufficient, driving organizations to constantly upgrade, develop and test incident response, business continuity, and disaster recovery plans.

Last week, Industrial Cyber reviewed how the industrial cybersecurity sector in 2022 continued to face adversarial attacks in critical infrastructure networks that illustrated knowledge of control system components, industrial protocols, and engineering operations. The Russia-Ukraine war reshaped the threat landscape and proved to be an abject lesson for all those tasked with protecting critical infrastructure. Fighting these attacks requires a different set of security skills, technologies, processes, and methods to manage the different risks and risk surfaces, setting ICS (industrial control systems) apart from traditional IT enterprise networks. 

Read on as we take an in-depth look at the cybersecurity threat landscape across critical infrastructure organizations in Asia-Pacific and Australia, where rising interconnectivity has led malicious hackers to increasingly compromise multiple victims across a range of sectors through a single entry point. Malicious actors are also increasingly viewing the supply chain as a priority target and a vector for compromise, driving organizations to conduct a suite of incident response transformation activities to increase information sharing and reporting, and to grow the scale and maturity of commercial providers and the cybersecurity sector as a whole.

Clare O’Neil, Minister for Home Affairs and Minister for Cyber Security

“In the category of old work in new ways, there’s no better place to start than cyber security,” Clare O’Neil, Australia’s Minister for Home Affairs and Minister for Cyber Security, said at a recent National Press Club Address. “In September and October this year, Australia experienced the two worst cyberattacks in our history, within three weeks of each other. Two months ago, the National Australian Bank told Australians that they are subject to 50 million attempted cyberattacks a month; the Australian Taxation Office, 3 million a month. This threat is huge, it is relentless and it is only getting bigger.”

O’Neil added that she wants Australia to be the world’s most cyber-secure country by 2030. “I believe that is possible. But we need a reset, and a pathway to get there. That’s why today, I am announcing a major program of work to develop a new Cyber Security Strategy for Australia.”

The Cyber Security Strategy will help Australia “bring the whole nation into the fight to protect our citizens and our economy, strengthen critical infrastructure and government networks, build sovereign cybersecurity capabilities, so we can stand on our own two feet, and strengthen our international engagement so Australia can be a global cyber-leader, and work in partnership with our Pacific neighbours to lift cybersecurity across our region,” O’Neil said.

These measures come in the wake of Australia witnessing, over the 2021–22 financial year, an increase in the number and sophistication of cyber threats, which has made crimes like extortion, espionage, and fraud easier to replicate at greater scale, with the deterioration of the global threat environment reflected in cyberspace.

The Australian Cyber Security Centre (ACSC) leads the Australian government’s efforts to improve cybersecurity and delivers technological expertise, advice, and support for operational technology (OT) environments. The agency received over 76,000 cybercrime reports, an increase of nearly 13 percent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year.

In November, the ACSC released the Essential Eight Maturity Model, based on the agency’s experience in producing cyber threat intelligence, responding to cybersecurity incidents, conducting penetration testing, and assisting organizations to implement the Essential Eight. 

In October, the Australian government announced that it has begun consulting on the Risk Management Program Rule under Part 2A of the Security of Critical Infrastructure Act 2018. The initiative works towards a strong and effective government-industry partnership that is central to achieving the government’s vision for critical infrastructure security and resilience. 

Earlier in March, the government passed the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022. The SLACIP Act will boost the security and resilience of the nation’s critical infrastructure framework to safeguard the essential services that Australian citizens rely on from physical, supply chain, cyber, and personnel threats.

The ACSC assesses that ransomware remains the most destructive cybercrime threat, as all sectors of the Australian economy were directly impacted by ransomware in the last financial year. The agency provides tailored advice on ransomware mitigation, including for individuals and small businesses. Over 2021–22, there were further examples of ransomware groups targeting critical infrastructure organizations. For instance, the BlackCat ransomware group targeted government and critical infrastructure organizations and the finance and construction sectors globally. The threat to critical infrastructure is not limited to large utilities such as electricity providers.

The ACSC observed an increasing trend of state actors and cybercriminals rapidly exploiting publicly reported critical security vulnerabilities. Rapid and comprehensive patching is vital, along with constant monitoring for indicators of compromise. Malicious actors are exploiting Australians’ desire for interconnected digital services. Furthermore, the agency said that organizations can improve their cyber posture by implementing the Essential Eight.

Another nation in the region that is focusing on the growing threat of cybersecurity attacks against critical infrastructure organizations is Singapore. The government recently released its Counter Ransomware Task Force (CRTF) report which serves as a blueprint to drive the nation’s efforts to foster a resilient and secure cyber environment, domestically and internationally, to counter growing ransomware threats. The CRTF document identified how ransomware threats have grown significantly in scale and impact, emerging as an urgent problem for countries around the world, including Singapore.

In October, the Cyber Security Agency of Singapore (CSA) announced that the government has convened an inter-agency Counter Ransomware Task Force (CRTF) to develop and make recommendations on possible policies, operational plans, and capabilities. The CRTF works towards improving the nation’s counter-ransomware efforts on the principle that for measures to be effective, the ransomware threat must be tackled as a cross-domain challenge.

The CSA published in July the Codes of Practice or Standards of Performance issued by the Commissioner of Cybersecurity for the regulation of owners of Critical Information Infrastructure (CII) under the Cybersecurity Act. The CCoP 2.0 (Cybersecurity Code of Practice for Critical Information Infrastructure – Second Edition) came into effect on Jul. 4, 2022, superseding previous versions of the Code.

Industrial Cyber reached out to industrial cybersecurity experts in Asia and Australia to evaluate the effect ransomware attacks have had on the operational resilience of targets, such as government agencies, critical information infrastructure, and businesses. Additionally, the experts also analyze how the threat of ransomware changed qualitatively and quantitatively in 2022 for industrial and manufacturing organizations.

Dick Bussiere, technical director at Tenable APAC

“From a qualitative perspective, we can say that a ransomware attack against any operational technology (OT) target will have serious consequences, usually resulting in disruption,” Dick Bussiere, technical director at Tenable APAC, told Industrial Cyber. “Typically, the attack will begin with phishing against the IT infrastructure with an eventual pivot to OT. Once the attack enters the OT world, lateral movements can take place quickly because most OT environments ‘implicitly’ trust all communications within. Add to this the fact that many systems in OT are poorly maintained from a vulnerability management perspective, making them easy to penetrate. Once systems are infected with ransomware, operators are blind to what is happening and the plant will need to shut down for remediation.”

Bussiere added that whether or not the ransom will be paid is a simple trade-off: a given industrial facility loses a sum of money per hour of disruption, and this cost needs to be weighed against the ransom. “On one hand, you don’t want to incentivise bad actors by paying up but you also want to restore systems as quickly as possible. Ultimately, this is a decision for each organisation to make based on its unique situation.”

In quantitative terms, data published by Statista.com indicates that during the first half of 2022, there were a total of 236.1 million ransomware attacks worldwide, Bussiere said. “What’s been seen in the first half of 2022 exceeded the total attack volume for 2017, 2018, and 2019 combined.”

“Lastly, in 2022, we have the ongoing trend of IT/OT convergence, IoT, IIoT, and the emergence of the cloud into the OT world,” Bussiere pointed out. “There’s no doubt the threat surface is expanding and ransomware continues to be a clear and present danger that should not be ignored.”

Terence Liu, CEO of TXOne Networks

Cybercriminal groups primarily targeting government agencies and financial institutions are common due to the nature of the Internet-facing infrastructure for accessibility and mobility convenience, Terence Liu, CEO of TXOne Networks, told Industrial Cyber. “The ransomware threat landscape has changed. OT (Operational Technology) suffered massive ransomware attacks in the last two years and became the most favored target vertical, including manufacturing and critical infrastructure. We have not seen any stop signs recently.” 

“Based on our observation, there are three main reasons behind this. Covid-19 accelerated the entire digitalization in OT, but a proper cybersecurity countermeasure has yet to take place during the transformation,” Liu said. “Compared with IT, OT will take longer to recover after the ransomware attack because the assets are distributed in a vast location with insufficient cybersecurity staff. The second reason is that the Ransomware as a Service (RaaS) business model operated by cybercriminal groups increased the number of ransomware attacks. Launching a ransomware attack is much easier and faster than before.”

The third reason is the double extortion technique of disclosing sensitive data on the Internet to force victims to pay the ransom since the sensitive data may relate to their buyers or trade secrets, he added.

In the past three years, Liu said that “we have witnessed several manufacturers working toward unifying cybersecurity guidelines across IT and OT within the enterprise. Asset owners and factory IT are following and executing the security guidelines defined by a cross-departments security team to level up the security defense by solution deployments. Of course, it will take time, but it is a good approach for a large enterprise to consider OT cybersecurity. The corporate level of security guidelines is a very effective execution methodology; endorsement from the executive level is a must.”

Christopher Beggs, founder and principal ICS security consultant of SIS Industrial Cyber Security

“Ransomware impacting OT environments will still remain a challenge in the future. Ransomware has made organisations realise that ‘air-gapped’ solutions are not foolproof and they can still be compromised by common threats, resulting in a greater focus on budgets for cyber-security in OT environments,” Christopher Beggs, founder and principal ICS security consultant of SIS Industrial Cyber Security, told Industrial Cyber. “Further, critical infrastructure organisations require a focused OT approach to ransomware attacks, because IT & OT operate in different environments, serve different purposes and have their own unique requirements.”

Backups, anti-malware updates, patching updates, access control, and network segregation control requirements are still lacking in many OT environments typically because the end users’ methodology and processes are not refined enough to ensure these security controls are tailored for OT environments and are working effectively, Beggs added. 

The experts address the biggest efforts adopted in the region over 2022 to foster a resilient and secure cyber environment, domestically and internationally to help counter the growing ransomware threat across organizations. Furthermore, they weigh in on the proposed mitigation strategies that asset owners and operators across critical infrastructure sectors must adopt immediately.

Bussiere said one effort of note is the publication of the Singapore CCoP V2.0 in July 2022. “This document offers significant guidance on what steps should be taken to secure critical infrastructure. Significant requirements include the segregation of external networks from sensitive OT environments, the use of multifactor authentication, and the restriction of data flow into the environment to be just what is absolutely necessary.”

Other requirements include the careful monitoring of sensitive networks, according to Bussiere. “This would require the baselining of the infrastructure, then looking for deviations from that baseline. Detecting Indicators of Compromise would also be performed. These two steps provide early warning of the presence of malicious activity. Taking these steps would help to significantly reduce the risk of a successful ransomware attack,” he added.

“In the last two years, we have considered security regulation by verticals and regions, which are a key driving force,” Liu said. “For example, the NIS2 Directive expands the scope to cover and respond to massive ransomware attacks, including supply chain security across the EU. Last year, US President Joe Biden’s administration issued an executive order on improving national cybersecurity, which also led to enhancing the security of the software supply chain (SBOM) to deliver a secure government experience. And in semiconductors, both E187 and E188 focus on supply chain security and endpoint security in the foundry process,” he added.

Liu also pointed to ISO/SAE 21434, which covers cybersecurity throughout a vehicle’s entire lifecycle, including supply chain security. “Supply chain security becomes the first security approach to mitigate the ransomware attack because the nature of OT is highly dependent on the supply chain for operation continually, including materials, equipment, software, and maintenance,” he added.

Beggs highlighted the regulation of critical infrastructure under the Security of Critical Infrastructure Act 2018 (the SOCI Act). “The SOCI Act was amended to strengthen the security and resilience of critical infrastructure by expanding the sectors and asset classes the SOCI Act applies to, and to introduce new obligations.” 

Reporting cyber incidents is a key obligation, which is why a specific OT-SOC focused incident detection, monitoring, and reporting capability is required as part of immediate actions to respond to the growing escalation of ransomware threats, Beggs added.

Looking into the focus areas from a cybersecurity perspective for industrial and manufacturing organizations in 2023, as OT systems become more complex and interconnected, Bussiere said he believes that securing OT environments is still in its infancy. “Technically, organizations should focus on understanding what is present. This means having an accurate asset inventory of everything! Only when you know what is present can you begin to secure it. This applies to OT-specific devices and IT devices co-resident in the environment.”

“Organizations need to understand the risks imposed by co-resident IT devices. In fact, the typical ratio of IT to OT devices in a given plant is 5:1, meaning that the vast majority of the threat surface is the ordinary computers within. Remember, with ransomware, it is these devices that are the target,” according to Bussiere. “The risk of the perforation of the traditional plant boundary must be analyzed. At present this is poorly understood. External connections must be enumerated, their purpose verified, and traffic restricted to just what is necessary to accomplish the purpose of the connection.”

Lastly, Bussiere said that environments must be continuously monitored for vulnerabilities and indicators of compromise. “Detected vulnerabilities must be either patched or compensating controls implemented. Indicators of compromise must be addressed immediately as this is an indication that there may be an ongoing attack. Reacting fast is essential to prevent the injection of any possible ransomware,” he added.
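The monitoring approach Bussiere describes, namely baselining the plant network, flagging deviations, enumerating external connections against a documented allowlist, and matching indicators of compromise, can be sketched in a few dozen lines. The following Python is an added example and not code from Tenable, Industrial Cyber or any vendor named here; the address ranges, flow records, allowlist entries and the single indicator are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

# Constructed OT address space; a real plant would have several zones.
PLANT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed "learning window": traffic captured during known-good operation.
BASELINE_FLOWS = [
    Flow("10.20.1.10", "10.20.2.5", 502),    # HMI -> PLC (Modbus/TCP)
    Flow("10.20.1.10", "10.20.2.6", 502),    # HMI -> second PLC
    Flow("10.20.3.20", "10.20.1.10", 5432),  # historian polls HMI database
    Flow("10.20.1.10", "203.0.113.8", 443),  # approved vendor telemetry upload
]
# Every external connection must be enumerated with a verified purpose.
EXTERNAL_ALLOWLIST = {("10.20.1.10", "203.0.113.8", 443): "vendor telemetry upload"}
# Placeholder indicator; real IoCs would come from a threat-intel feed.
KNOWN_BAD = {"198.51.100.77"}

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PLANT_NETS)

def build_baseline(flows):
    """Derive the asset inventory and the set of normal talker pairs."""
    assets = {ip for f in flows for ip in (f.src, f.dst) if is_internal(ip)}
    return {"assets": assets, "flows": set(flows)}

def detect(baseline, observed):
    """Return (category, flow) alerts for every deviation from the baseline."""
    alerts = []
    for f in observed:
        if f.src in KNOWN_BAD or f.dst in KNOWN_BAD:
            alerts.append(("ioc", f))            # matches an indicator: act immediately
            continue
        if not (is_internal(f.src) and is_internal(f.dst)):
            if (f.src, f.dst, f.dport) not in EXTERNAL_ALLOWLIST:
                alerts.append(("unapproved_external", f))   # perforated plant boundary
                continue
        for ip in (f.src, f.dst):
            if is_internal(ip) and ip not in baseline["assets"]:
                alerts.append(("unknown_asset", f))        # device missing from inventory
                break
        else:
            if f not in baseline["flows"]:
                alerts.append(("new_flow", f))              # known assets, new talker pair
    return alerts

# Constructed observation window mixing normal traffic with four deviations.
OBSERVED = BASELINE_FLOWS[:2] + [
    Flow("10.20.1.10", "203.0.113.8", 443),    # approved external, no alert
    Flow("10.20.9.99", "10.20.2.5", 502),      # never-inventoried host talking Modbus to a PLC
    Flow("10.20.3.20", "198.51.100.77", 443),  # historian contacting a listed indicator
    Flow("10.20.1.10", "192.0.2.50", 22),      # SSH out of the plant, not on the allowlist
    Flow("10.20.3.20", "10.20.2.5", 502),      # known assets, but a path never seen before
]

if __name__ == "__main__":
    for category, flow in detect(build_baseline(BASELINE_FLOWS), OBSERVED):
        print(f"{category:20s} {flow.src} -> {flow.dst}:{flow.dport}")
```

The order of checks matters: an indicator match is reported even when the destination sits on the allowlist, and a flow is only compared against the baseline once both endpoints are in the inventory.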

“As we predict, OT is facing four main challenges in 2023. The geopolitical landscape will bring more attention to the government’s conservative approach to preserving natural resources, and critical infrastructure will be one of the main attack targets,” Liu said. “As a result, vertical and national cybersecurity regulations will force OT to comply. The slowing down economy may impact the investment in new assets and equipment upgrades, and they will continue to use those vulnerable legacy machines on the production site to preserve productivity.”

Finally, Liu added that the shortage of talented cybersecurity staff in OT puts the industrial and manufacturing sector in a challenging position if they adopt existing IT-based solutions, which require more human interaction.

Liu recommends the following steps for the enterprise to consider. “Define the security guideline, including both IT and OT. Identify the cybersecurity ownership in solution evaluation, deployment, and maintenance. Form a security team supported by an executive with authority to perform cross-departments communication and measurement.”

To be more aggressive, effective security OT native protection solutions across endpoints and networks are critical for asset owners to avoid collateral damage and avoid the long process of recovery efforts, he added.

Beggs points towards dedicating resources (personnel and budgets) for OT security to ensure the security of OT assets. “This should be separate from IT resources due to the complexity and nature of OT. Further, developing a specific OT-SOC focused capability.”

“There is also a concern that some vendors are saying that an IT-SOC approach is acceptable when it’s definitely not,” Beggs said. “An IT-SOC focused driven approach is not acceptable for OT environments because there are too many IT logs that overshadow OT logs, imprecise correlation of OT logs leading to loss of key security events, limited access to OT specific knowledge leading to incorrect actions possibly being taken and inadequate monitoring of legacy OT systems with use cases that don’t work effectively,” he concluded.
