GovWare 2022 conference turns to holistic, integrated cybersecurity ecosystem to build resilience

The recently concluded GovWare 2022 conference zeroed in on the need to drive a holistic, integrated security ecosystem across organizations to build resiliency in their cybersecurity posture in the future. The GovWare 2022 event provided policymakers, cybersecurity, and business leaders worldwide an opportunity to address fundamental challenges, discuss best practices and identify new opportunities. It also enabled the discovery of the latest cybersecurity solutions, connecting with peers and learning from industry experts as stakeholders work towards fortifying the cybersecurity ecosystem in the post-COVID era.

Held in person and digitally in Singapore, the GovWare 2022 event comes at a time when the U.S. is preparing to step up its cybersecurity regulations. GovWare 2022, as part of the Singapore International Cyber Week, symbolizes ‘the next evolution of cutting-edge cybersecurity solutions to enhance our collective defences into a unified approach, address real-world cyber threats and identify salient opportunities.’

The Cybersecurity and Infrastructure Security Agency (CISA) said last week that it expects to issue cross-sector performance goals for voluntary adoption by critical infrastructure companies. In addition, the administration has released its National Security Strategy, building a comprehensive approach to ‘lock our digital doors’ and carry out aggressive action to strengthen and safeguard its cybersecurity. Governments worldwide are also taking various measures to strengthen their cybersecurity posture against adversarial attacks.

Conference Highlights

Industrial Cyber reached out to some of the attendees of the GovWare 2022 conference to provide readers with a feel of the atmosphere at the event, along with the key takeaway from the conference.

Dorit Dor, chief product officer of Check Point Software Technologies

“People are excited about having physical events again. Everybody whom I have met is really happy about having an in-person event after missing it over the past few years,” Dorit Dor, chief product officer of Check Point Software Technologies, told Industrial Cyber. “I think that cybersecurity has become trivial as a topic, as it is frequently in the news and no longer a question. But people are really struggling with what to do about new angles around cybersecurity—what to do about critical infrastructure, with cyber state nation attacks, and how to deal with new technologies such as IoT, AI, and 5G. There is even a discussion about ESG and cybersecurity as well as gender participation,” she adds.

Dor said that she thinks there are many technologies, keywords, buzzwords, IT technologies, and innovations, and sometimes it’s all too confusing. “I believe that most people are not lost in the noise that has arisen around cybersecurity and are still focused on how to build a strategy to stop attacks and how they build their networks and infrastructure that enables them to be responsive in preventing attacks,” she adds.

Dor presented a session at the GovWare 2022 conference on the need to build organizational cyber resiliency for an insecure world. Since the pandemic, the world has been facing an unprecedented peak of cyberattacks, especially attacks of the fifth generation, which are more sophisticated and dangerous than ever. She highlighted in her presentation that large-scale corporate breaches, state-sponsored attacks, and personal data being compromised daily require a new approach by entities of all sizes.

Dick Bussiere, technical director at Tenable APAC, told Industrial Cyber that the event is extremely busy and coincided with Singapore’s Cyber Security Week. 

Dick Bussiere, technical director at Tenable APAC

“What I’ve noticed is a growing level of maturity in terms of the types of concerns that customers are expressing,” according to Bussiere. “We are now way past the fundamentals, and customers are concerned with the security of their cloud, IoT, and critical infrastructure. Also, there is a lot of interest in the Cyber Security Code of Practice Version 2.0, which mandates enhanced monitoring and configuration control of devices inside of critical infrastructure,” he adds.

Bussiere presented at the GovWare 2022 conference on the threats to the maritime sector. With the rise of cybersecurity threats, emerging regulatory guidance has made cyber risk management part of daily business operations. As cyber-attacks move from traditional enterprise-level IT to OT (operational technology) domains, the industry is beginning to see cyber threats emerge to shipside OT. That cybersecurity has become an operational risk to vessels is clearly illustrated by the IMO 2021 guidelines. However, as of now, most companies in the maritime sector have not yet built out cyber-risk assessment and monitoring of ship-critical OT systems.

Bussiere dug into shipboard network architectures, vulnerabilities, consequences, and cyber-sabotage opportunities. He estimates that the maritime industry is five years behind the rail industry cybersecurity-wise. 

“The event was well attended. It seems somewhat fewer people than the last time I was here in Oct/2019, but still a respectable turn-out,” Andrew Ginter, vice president for industrial security at Waterfall Security Solutions, told Industrial Cyber. “Everyone here is happy to be back talking to each other face-to-face for the first time since 2019.”

Andrew Ginter, VP Industrial Security at Waterfall Security Solutions

Providing more details, Ginter said that maybe two-thirds of the people who come by the Waterfall booth are service providers and potential partners, and one-third are end users. “As to vendors – the trade show floor seems pretty much full. There seem to be more booths and vendors here this time than in 2019, but I don’t have the numbers,” he adds.

Ginter presented at the GovWare 2022 conference on cyber-sabotage production outages in the last decade, how ransomware was behind most of them, the different ways ransomware could bring about those outages, and what to do about the problem. In 2022, there were nearly 100 production outages on the public record due to 22 cyber attacks. “In the last part of my presentation, I provided my interpretation of some important ideas in the US DOE’s new Cyber-Informed Engineering strategy that was published a couple of months ago,” he adds.

In his presentation at the GovWare 2022 event, Ginter says that the OT threat landscape has changed forever. Before 2020, cyber attacks with physical consequences were largely a theoretical threat. In 2020-2021, however, the record showed 32 attacks that shut down production at over 100 sites. 

Almost all of the attacks were ransomware, with over half of the attacks shutting down either discrete manufacturing or food and beverage sites, sectors not renowned for strong security, Ginter said. “An apparent surprise was the number of attacks in the rails sector, which one would expect to be heavily defended,” according to Ginter. “The attacks make more sense when we dig into them, however – it turns out they did not impair life-critical safety systems, but rather triggered operations shutdowns by impairing IT-exposed support systems, such as station signage and passenger ticketing,” he adds.

With the cyber incidents with physical consequences more than doubling in 2020-21, Ginter predicts an exponential growth of cybersecurity incidents. He also expects nation-state hackers to be able to breach two-factor authentication by 2025, with OT consequences such as production losses, damaged equipment, or worse, from cloud-seeded ransomware expected in 2023. He also expects IT dependencies to cause OT shutdowns when attackers cripple IT-hosted systems that support OT networks. Those IT systems can range from industry-specific ticketing and container contract tracking systems to basic IT infrastructure such as Active Directory password managers.

At the GovWare 2022 event, Ginter called for the adoption of unidirectional gateways, which combine hardware and software. The hardware sends information in only one direction, while the software makes copies of database or historian servers from the industrial network out to the enterprise network.

Anastasia Tikhonova, head of APT research, Group-IB

“The atmosphere at the conference has been amazing. Everyone seems happy to be meeting offline after more than two years spent in front of the screens,” Anastasia Tikhonova, head of APT research, Group-IB, told Industrial Cyber. “I spoke virtually during GovWare 2021, but this year obviously feels different. I’m very excited to finally meet my colleagues and fellow researchers in person. It’s crucial that the cyber threat research community meets face-to-face, as these interactions help to establish trust, which is at the heart of what we do.”

The core theme of GovWare 2022 – ‘Fostering a Safe and Sustainable Cyberspace Amidst Disruption’ – is greatly relevant in light of current events, Tikhonova said. “This conference will allow experts to establish, maintain, or rejuvenate contacts, which down the line will allow our community to actively exchange data and conduct joint research to bolster our common defense against existing and future threats.”

“Singapore is already one of the most important cybersecurity hubs in the world, and by hosting GovWare 2022, it is clear that the cybersecurity industry here is going from strength to strength,” according to Tikhonova. “Events such as these are crucial to maintain the connections between Singapore’s local cybersecurity talent and foreign experts, which serves to bolster the expertise and experiences of both groups.”

Tikhonova presented at the GovWare 2022 conference on cyclical attacks by state-sponsored hackers who came back with another try. Although the attackers’ methods remained unchanged, Group-IB compared these two waves of attacks and found changes in the group’s main trojan – Bisonal. Tikhonova spoke about the TTPs of the group, tools, goals, and opportunities in her session.

ICS Vulnerabilities Threat Assessment

Given the threat landscape, analyzing the greatest industrial control systems (ICS) vulnerabilities that the OT and critical infrastructure sectors face is necessary. Additionally, the experts rated the resiliency that the critical infrastructure sectors across geographies currently possess as cybersecurity stakeholders gather at GovWare 2022.

The dangerous thing about OT is that a majority of the system consists of old technology and devices that were typically not updated for years and are not going to be updated for the next few years—because nobody touches them as they are running over a network that was assumed to be unconnected to the outside world, Dor said. “Then all of a sudden when this critical infrastructure is open to commercial usage and commercial events, it is less defendable than a reasonable infrastructure if it were to be built today. That is because it combines very old devices and networks which are assumed to be disconnected,” she adds. 

“So, IoT devices in critical infrastructure are in some senses more sensitive than the regular IoT devices because of the impact if it gets attacked,” Dor said. “Lastly, we now live in a very connected world, so the number of things that are being called critical infrastructure increases significantly. Something that, in the past, was considered a side network, all of a sudden becomes critical, and it is yet another challenge we need to address.”

Addressing the resiliency across critical infrastructure sectors, Dor said, “I think that there is an understanding that we are at a critical point, and we need more security on IoTs. That has led to all kinds of government initiatives and regulations such as labelling IoT devices to their safety level, for example, differentiating a $1 webcam that has no protection at all to an enterprise-grade one with some protection.” 

“We now need to focus right down to the infrastructure to understand how resilient we end up being. We can’t just stop at the high-level theory level. We need to architect everything to make sure that it is really secure; what is the network, how are the devices set up, what is the identity, and so on,” Dor said. “You have to combine all the tools to an architecture of security. So, while I think that in theory, we are more resilient because we understand the threats, in practice, many organisations are trying to find their way about it and haven’t yet implemented something that will take them to the right resilient levels. Progress has been made, but we need more action on this.”

Bussiere said that the first issue is the lack of adequate monitoring of the critical infrastructure. “Some, but not all CIIs have implemented monitoring, while others are just getting started. Additionally, the commercial sector is still weak in addressing risks to business essential (e.g., the production plant) areas of the environment,” he adds.

“Second, with regards to critical infrastructure, many operators who have installed monitoring solutions have focused on Levels 1 and 2 of the Purdue model,” Bussiere said. “This leaves an incredible gap as much of the infrastructure is composed of traditional computing devices (routers, workstations, PCs, etc.). These devices, more often than not, go unpatched or age into obsolescence, which increases the threat surface. We would estimate that 80% of the risk to critical infrastructure comes from the non-OT devices within a given facility.”

Bussiere adds that, lastly, there is great concern surrounding IoT and IIoT. “Often, such devices come from dubious sources, and the risks that such devices expose an enterprise to are not fully understood.”

“The new pervasive threat is ransomware,” Ginter said. “This is not so much a vulnerability as a kind of attack/threat. Waterfall’s numbers show ransomware incidents that take down industrial operations and critical infrastructures – these incidents are more than doubling annually.”

“In the national briefings, national authorities are also concerned about the potential of Russian and other nation-state cyber attacks on critical infrastructures,” Ginter said. “Most of the observed Russian activity thus far, however, has been fairly targeted attacks on the Ukrainian government and IT infrastructures with little spill-over into other countries – with the satellite incident being a noteworthy exception. Russians are also very active in manipulating media and public opinion with fake news, which is of concern to the national representatives and is an area where the national authorities are taking steps (not specified) to counteract Russian campaigns.”

With each passing year, nation-state threat actors continue to be intent on carrying out attacks on critical infrastructure, according to Tikhonova. “What we also see now is that financially motivated cybercriminals are starting to get involved in the attacks on CII by providing initial access to their most advanced counterparts. Nation-state attackers were seen exchanging malicious tools with other cyber criminals which complicates attribution. Ransomware operators obviously pose an immediate risk to CII organizations.”

According to Group-IB’s annual ransomware report, between Q1 2021 and Q1 2022, the data belonging to 355 companies from the Asia-Pacific region was uploaded to ransomware-dedicated leak sites, Tikhonova said. Ransomware is definitely threat number one.

“Often, unfortunately, negligence among equipment suppliers or IT/cybersecurity specialists helps threat actors to break through defenses,” Tikhonova said. “There are cases when experts find vulnerabilities in the software of industrial switches supplied by a third-party company, but the manufacturer shows no urgency to release updates. This failure to release timely updates leaves critical infrastructure objects under threat of future attacks.”

Tikhonova also pointed out that critical infrastructure systems are incredibly complex, and it can take an extraordinarily long time for these systems, and their information security processes, to be upgraded or updated. “When left with the choice between process improvement or protection upgrades, many organizations choose the former.”

Evaluating Stakeholder Readiness

With rising cybersecurity attacks, especially ransomware threats, there is a need to assess how prepared stakeholders are to work on a more holistic and comprehensive approach to cybersecurity attacks. Furthermore, it also calls for evaluating a consensus and identifying the key measures outlined at GovWare 2022 to fortify the cybersecurity ecosystem in the post-COVID era.

“I think we are talking more about cybersecurity with increased recognition of its importance in today’s business planning, and there is more openness. But as mentioned, the action for implementing cybersecurity starts at the practical level of securing the infrastructure at the specific organisations,” Dor said. “At high levels, we can set up regulations, which are effective in bringing awareness and setting the baseline standards. Sometimes, to get to the best levels of security, regulations serve as a checklist.”

Dor added that, however, sometimes it becomes a cover-up to the actual security to be implemented because some would ask, ‘have already answered this and implemented these regulations,’ and there is no ownership to actually look at the real issues or the remaining gaps to cover the security of the organization. 

“So, regulations and cross-country agreements do not always serve the best deep security that we can get to, it delivers at most a very shallow level of hygiene that is needed,” Dor said. “So the point I am making is we need to achieve not only the shallow levels but the deeper levels of security implementation. I think that this is something that still needs to be resolved.”

“As expected, we heard about more regulations that are focussed on security. There were also some cross-border agreements between nations and states, but at the same time we need to consider that today, we also have ongoing wars in the world,” Dor said. “In wars, malicious groups use cyber as one of the tools to negatively impact the opposing side. Our world is not one world anymore, as there are multiple stakeholders and opinions, with some stakeholders cyber attacking other stakeholders, so I don’t think the world will reach a consensus easily, certainly not in a global sense.” 

There would be consensus in parts between groups of countries where there may be agreements between them, and perhaps they will set up consistent policies which will improve the posture to a certain base level, with the next level to be taken by the security personnel in the organization, Dor adds.

Bussiere said that there is much more attention focused on the risk to the environment. “We have mentioned cloud/IoT/OT already.”

The key measures are outlined not by GovWare itself but by the new Cybersecurity Code of Practice Version 2.0, which was written to embrace the technological changes that have emerged since the initial version of CCoP, according to Bussiere. “Much of these changes, for example, remote working, have emerged directly in response to the COVID-19 pandemic. CCoP includes requirements for cloud, outsourcing, IoT, and critical infrastructure, and is prescribing more monitoring of these assets. Additionally, it emphasizes that despite the implementation (e.g., outsourced) the organization itself will be held accountable. This makes organizations concerned with how they comply,” he adds.

“The owners and operators I spoke with at the show so far seem very sophisticated in their understanding of threats, solutions, and what residual risks they still face,” Ginter said. “It’s hard to tell if this is self-selection, though – do only the most sophisticated end users think to visit a show like this? I know that in other parts of the world, in other forums, the average user is much less up to speed on these topics.” 

In conversations with national authorities with the U.S. Chamber delegation, those authorities report that the average owner and operator in their jurisdictions is still ‘starting at zero’ – sophistication in understanding of ICS security threats, solutions and risks is the exception in most geographies, not the rule, according to Ginter.

He adds that there is the occasional discussion of ‘more remote access’ in the era of COVID, but what can change there seems to have changed already. It is not a focus of discussion. “Supply chain risks and regulations and best practices are the hot topics of discussion more than post-COVID changes,” he points out.

Tikhonova says that participating in a conference, such as GovWare, already shows an organization’s concern for its safety and the safety of its customers. During the event, companies from various sectors which take cybersecurity seriously are able to approach cybersecurity vendors and compare their offerings.

“The COVID-19 pandemic, and the subsequent switch among many companies and organizations to remote or hybrid working, has become a boon for threat actors,” Tikhonova said. “Millions and millions of people across the world are still working remotely, and this has created a number of substantial tests for the integrity of a company’s security infrastructure. Over the past two years, we have seen an acceleration in the number of sophisticated cyberattacks against organizations and companies, and these attacks have caused severe damage and cost to those affected,” she adds.

Tikhonova said that with 2023 around the corner, it is clear that the ranks of cybercriminal gangs are growing, threat actor groups that lay low for several years are resuming operations, and cybercriminals are carrying out attacks on critical infrastructure targets in many sectors, such as energy, government, and telecom.

Response to federal action

Various initiatives, regulations, and directives have been rolled out by the U.S., U.K., Australian, and Singapore governments in recent months seeking to improve cybersecurity posture. It is important to take stock of these initiatives’ effect on OT and critical infrastructure sectors and how long it will be until we see these measures making a difference.

Dor said there are many discussions about this and many other topics and necessary changes around cybersecurity at any security conference. 

“Unfortunately, it takes years to change the landscape, though we have seen changes over the past few years. Today more people are deploying more control than they did, say ten years ago, but it takes time and is not a linear chart, as not everything progresses in the same way.” 

“Some people are already very concerned about security and have already deployed the measures now, but in some places, it is either very hard to deploy control over critical infrastructure or they have too many IoTs to understand,” Dor adds. “To build a comprehensive approach, it takes them more time to figure out how to do it without disrupting their business.”

The effect of these initiatives on cybersecurity will be demonstrable action on the part of the impacted stakeholders, Bussiere said. “In most cases, implementing these measures is mandatory – they are no longer ‘suggestions.’”

He adds that in the case of Singapore, CIIs were given a 12-month grace period. “We will see stringent enforcement in 2023, so we expect the implementation of these measures to be fairly quick.”

Ginter spoke of reports of almost every government laying down more regulations for critical infrastructures and industries with large amounts of PII. “And they are publishing guidelines and creating education programs for everyone else. A concern among vendors, especially multinationals, is the incredible diversity of regulations across different jurisdictions throughout this region and throughout the world.”

He highlights that the amount of effort and money that large organizations need to spend to keep ahead of local regulations, and to be seen to be keeping up with local guidelines, is huge. “Product and service provider certifications, where required, are even more expensive. Worse, trade liberalization agreements rarely address these inconsistencies between jurisdictions, instead focusing on tariffs and duties, rather than other impediments to trade.”

“As to how these initiatives will affect security, I’m thinking the result will be more expensive, especially for vendors, owners, and operators big enough to span jurisdictions, but security will probably see a material improvement,” Ginter said. “I say this because, if the average organization is really starting at zero, it looks like they need something – a penalty or an incentive – to get them moving down the road to security improvements. That said, the organizations with sophisticated ICS-security programs already in place are just going to find the new rules costly and annoying.”

Again though, there is a discussion of supply chain rules and concerns about a worst-case scenario where supply chains in the future fragment entirely because of geopolitical tensions, he adds. 

“As cyberattacks continue to grow in both their frequency and complexity, critical sector organizations need to better monitor cyberattack trends and place greater focus on strengthening their security infrastructure,” Tikhonova said. “If left unchecked, cyber threats can cost people their lives and livelihoods. We have continuously recommended that organizations consider sharing their knowledge and data on any cyberattacks they face.”

By highlighting attacks/attempted attacks on their infrastructure/products, a company is able to close gaps and improve its cybersecurity posture, as well as encourage other companies in their industry to do the same, according to Tikhonova. “Regulators help at the legislative level to increase the responsibility of companies to their customers/users. An increased sense of responsibility among companies will lead them to strengthen their security posture,” she concludes.
