Author: Neil Walker

Darkside Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks

Agency News, Cyber Security CII sector, Industry News

(Updated May 19, 2021): Click here for a STIX package of indicators of compromise (IOCs).
Note: These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. The applications listed in the IOCs were leveraged by the threat actors during the course of a compromise. Some of these applications might appear within an organization's enterprise to support legitimate purposes; however, these applications can be used by threat actors to aid in malicious exploitation of an organization's enterprise. CISA and FBI recommend removing any application not deemed necessary for day-to-day operations.

The Cybersecurity and Information Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed Darkside ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the
entity’s operational technology (OT) networks have been directly affected by the ransomware.

CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.

Darkside Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks

(Updated May 19, 2021): Click here for a STIX package of indicators of compromise (IOCs). Note: These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. The applications listed in the IOCs were leveraged by the threat actors during the course of a compromise. Some of these applications might appear within an organization's enterprise to support legitimate purposes; however, these applications can be used by threat actors to aid in malicious exploitation of an organization's enterprise. CISA and FBI recommend removing any application not deemed necessary for day-to-day operations.

The Cybersecurity and Information Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed Darkside ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the
entity’s operational technology (OT) networks have been directly affected by the ransomware.

CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.

Mitigations
CISA and FBI urge CI owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks.
- Require multi-factor authentication for remote access to OT and IT networks.
- Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
- Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and reenforce the appropriate user responses to spearphishing emails.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
- Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
- Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.

Leave a comment , , ,

Mitigating the Impacts of Doxing on Critical Infrastructure

Agency News, Cyber Security CII sector, Industry News
CISA has produced an insight designed to help mitigate the impact of doxing: Mitigating the Impacts of Doxing on Critical Infrastructure:
WHAT IS DOXING?
Doxing refers to the internet-based practice of gathering an individual’s personally identifiable information (PII)—or an organization’s sensitive information— from open source or compromised material and publishing it online for malicious purposes. Although doxing can be carried out by anyone with the ability to query and combine publicly available information, it is often attributed to state actors, hacktivists, and extremists.
Doxers compile sensitive information from compromises of personal and professional accounts and a wide range of publicly available data sources to craft invasive profiles of targets, which are then published online with the intent to harm, harass, or intimidate victims.
POTENTIAL IMPACT TO CRITICAL INFRASTRUCTURE
Like many other businesses, critical infrastructure organizations maintain digital databases of PII and organizationally sensitive information, making them ripe targets for doxing attacks. Threat actors may target critical infrastructure organizations and personnel with doxing attacks as a result of grievances related to organizational activities or policies. Incidents of doxing that target personnel and facilities often serve to harass, intimidate, or inflict financial damages, and can potentially escalate to physical violence.
Doxing also poses a threat to senior leadership of critical infrastructure organizations, who may be targeted due to their elevated position with the organization or stance on a particular issue. Doxing attacks targeting senior leaders often serve as “reputation attacks” and could lead to activities seeking to embarrass, harass, or undermine confidence in an official.
Leave a comment , , , ,

CISA Launches Space Systems Critical Infrastructure Working Group

Agency News, Industry News, Space Sector

The Cybersecurity and Infrastructure Security Agency (CISA) announced the formation of a Space Systems Critical Infrastructure Working Group, a mix of government and industry members that will identify and develop strategies to minimize risks to space systems that support the nation’s critical infrastructure. The Working Group will operate under the Critical Infrastructure Partnership Advisory Council (CIPAC) framework, bringing together space system critical infrastructure stakeholders.

The critical infrastructure on which the United States depends relies on space systems. Increasing the security and resilience of space systems is essential to supporting the American people, economy, and homeland security.

“Secure and resilient space-based assets are critical to our economy, prosperity, and our national security,” said CISA Acting Director Brandon Wales. “This cross sector working group will lay the foundation for our collective defense against the threats we face today and in the future.”

This working group will serve as an important mechanism to improve the security and resilience of commercial space systems. It will identify and offer solutions to areas that need improvement in both the government and private sectors and will develop recommendations to effectively manage risk to space based assets and critical functions.

The working group is co-chaired by Jim Platt, Chief, Strategic Defense Initiatives, CISA and John Galer, Assistant Vice President, National Security Space, Aerospace Industries Association. Current members represent government and industry organizations from the communications, critical manufacturing, defense industrial base, information technology, and transportation sectors, including leading-edge satellite and space asset infrastructure firms with expertise in emerging technology areas.

Leave a comment , ,

CISA releases new 5G paper with NSAcyber and ODNIgov: Potential Threat Vectors to 5G Infrastructure

Agency News, Cyber Security CII sector, Industry News
Securing Critical Infrastructure operations means ensuring cybersecurity practices are incorporated within 5G.
The deployment of 5G has begun, and with it, a wealth of benefits that has the potential to impact every aspect of our lives and work. With faster connectivity, ultra-low latency, greater network capacity, 5G will redefine the operations of critical infrastructure activities from the plant floor to the cloud. It will enable large-scale connections, capabilities, and services that can pave the way for smart cities, remote surgery, autonomous vehicles, and other emergent technologies. However, these capabilities also make 5G networks an attractive target for criminals and foreign adversaries to exploit for valuable information and intelligence and even global disruption.
To secure the full scope of 5G use cases, it is critical that strong cybersecurity practices are incorporated within the design and development of 5G technology. In March 2020, the White House developed the National Strategy to Secure 5G, which outlines how the Nation will safeguard 5G infrastructure domestically and abroad. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—initiated an assessment of the cybersecurity and vulnerabilities to 5G infrastructure. The ESF established the 5G Threat Model Working Panel which developed this paper, Potential Threat Vectors to 5G Infrastructure, to enhance understanding of the threats posed to 5G adoption.
The Working Panel reviewed existing bodies of public and private research and analysis to identify and generate an aggregated list of known and potential threats to the 5G environment. From that list, they identified three primary threat vectors areas—Policy and Standards, Supply Chain, and 5G Systems Architecture—and within these threat vectors, 11 sub-threats were identified as additional points of vulnerability for threat actors to exploit (i.e., open standards, counterfeit parts, and multi-access edge computing). This paper represents the beginning of the Working Panel’s thinking on the types of risks introduced by 5G adoption in the Unites States, and not the culmination of it.
With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that government and industry collaborate to ensure that cybersecurity is prioritized within the design and development of 5G technology.
https://www.cisa.gov/publication/5g-potential-threat-vectors
Leave a comment , , , , ,

US and UK agencies release cybersecurity advisory on recently modified tactics by Russian intelligence agency

Agency News, Cyber Security CII sector, Industry News
The FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency collaborated with the United Kingdom's National Cyber Security Centre to release a Joint Cybersecurity Advisory examining tactics, techniques, and procedures associated with Russian Foreign Intelligence Service (SVR). The advisory provides additional insights on SVR activity including exploitation activity following the SolarWinds Orion supply chain compromise.
CISA released a related document, Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise, that summarizes three joint publications focused on SVR activities related to the SolarWinds Orion compromise.
SVR cyber operators appear to have reacted to prior reporting by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.
Leave a comment , , , ,

NCCoE Releases Draft Guide on Securing the Industrial Internet of Things

Cyber Security CII sector, Industry News
Example Solution Addresses Cybersecurity Challenges for Distributed Energy Resources
The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has published for comment a preliminary draft of NIST SP 1800-32, Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.
In this practice guide, the NCCoE applies standards, best practices, and commercially available technology to protect the digital communication, data, and control of cyber-physical grid-edge devices. The guide demonstrates an example solution for monitoring and detecting anomalous behavior of connected industrial internet of things (IIoT) devices and building a comprehensive audit trail of trusted IIoT data flows.
By releasing Volumes A and B as a preliminary draft, we are sharing our progress made to date, using the feedback received to shape future drafts of the practice guide, and featuring technologies and practices that organizations can use to monitor, trust, and protect information exchanges between commercial- and utility-scale distributed energy resources (DERs).
Addressing Emerging Cybersecurity Concerns of DERs
The use of small-scale DERs, such as wind and solar photovoltaics, are growing rapidly and transforming the power grid. In fact, a distribution utility may need to remotely communicate with thousands of DERs and other grid-edge devices—many of which are not owned by them. Any attack that can deny, disrupt, or tamper with DER communications could prevent a utility from performing necessary control actions and could diminish grid resiliency—a concern that was highlighted in a recent United States General Accounting Office report, Electricity Grid Cybersecurity.
This NCCoE practice guide aims to help companies provide secure access to DERs and monitor and trust the ever-growing amount of data coming from them.
Leave a comment , , , ,

IACIPP Concerned at Increasing Ransomware Attacks Against Critical Infrastructure

Association News, Cyber Security CII sector, Power/Energy/Oil & Gas sector
The International Association of CIP Professionals (IACIPP) is concerned about the increasing threat and ransomware attacks against critical infrastructure and in particular the energy sector.
As has been demonstrated by the recent ransomware attack on Colonial Pipeline in North America, and the impact this has had across other infrastructure services, and the wider economic impact on, for example, the price of petrol and oil, such attacks should be a concern to us all.
"The attack on the Colonial Pipeline Industrial Control System was not a total surprise. For years, our pipeline infrastructure and other critical infrastructures have experienced an ever-increasing level of probes and attacks.  The ICS owners and operators must be vigilant and assure their systems are continuously monitored and armed with the latest cyber protection tools." Commented Dr. Ron Martin, CPP,  Professor of Practice: Critical Infrastructure, Industrial Control System Security, and Access and Identity Management at Capitol Technology University.
Although the FBI and other federal and private cybersecurity entities are working to mitigate the effects of the attack on Colonial Pipeline, there needs to be the wider discussion and collaboration across industry sectors to prepare for future attacks to mitigate future economic impact such attacks cause.
“Our critical infrastructure sectors are the modern day battlefield and cyber space is the great equalizer. Hacker groups can essentially attack with little individual attribution and virtually no consequence. With over 85% of all infrastructure owned and operated by the private sector, significant investment and attention must be placed on hardening key critical systems. I anticipate more attacks like this happening in the future. A key lesson here is that while technology and automation is good, we must also have the ability to efficiently operate manually as well. Attacks will happen, but how quick can you recover and restore critical services?” commented Brian Harrell, Strategic Adviser to IACIPP and Former Assistant Secretary for Infrastructure Protection.
CISA and the Federal Bureau of Investigation (FBI) have recently released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against Colonial Pipeline.
Chuck Brooks, President of Brooks Consulting International and cyber expert, commented, “Protecting critical infrastructure needs to be a shared responsibility of both the public and private sectors. The energy sector become a preferred target of sophisticated hackers often in collusion with nation state actors. The cost of breach as evidenced in the Colonial pipeline ransomware attack can be disruptive to commerce and impact many industry verticals. “
“Critical infrastructure needs to be fortified from cyberattacks and physical attacks in a joint government/industry collaboration. Resources need to be invested in emerging automation technologies and training. IT and OT systems need to be monitored at the sensor level for anomalies. Sensitive operations need to be segmented and air gapped. Back up of data is an imperative and resiliency a requirement for all critical infrastructure operations. It may take new laws and regulations, but it needs to be done.” Concluded Mr Brooks.
The cyberattack against Colonial Pipeline that was discovered on May 7 underscores the growing impact of cyberthreats on industrial sectors. While the investigation is ongoing and important lessons from this attack will be extracted in the next few weeks, the fact that Colonial Pipeline had to pro-actively take their OT systems offline after starting to learn about which IT systems were impacted by the ransomware is significant.
John Donlon QPM the Chairman of IACIPP stated - ‘This type of attack comes as no real surprise. It is consistent with recent trends and what is really quite concerning is the fact that the scale and impact of such events continue to escalate. We have seen recent Government activity across the Western world seeking to put in place support to Infrastructure Owners and Operators but the speed of new attack methodologies, either through nation-state actors or criminal groups, means it is not always easy to keep ahead of the curve. Unfortunately, I believe we will continue to see even greater escalation in the power of attacks being executed and therefore the breadth and depth of collaboration between governments and the private sector has to develop at pace’.
This will also be subject to a case study panel discussion at Critical Infrastructure Protection and Resilience North America (www.ciprna-expo.com) in New Orleans LA on 19th - 21st of October 2021.
Leave a comment , , , ,

CISA-FBI Cybersecurity Advisory on DarkSide Ransomware following Colonial Pipeline cyberattack

Cyber Security CII sector, Industry News
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.
The cyberattack against Colonial Pipeline that was discovered on May 7 underscores the growing impact of cyberthreats on industrial sectors. While the investigation is ongoing and important lessons from this attack will be extracted in the next few weeks, the fact that Colonial Pipeline had to pro-actively take their OT systems offline after starting to learn about which IT systems were impacted by the ransomware is significant.
Latest Update:
May 11: The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks
May 10: Colonial Pipeline restarted some systems with the goal of substantially restoring operational service by the end of the week
May 9: Colonial Pipeline is is developing a system restart plan
May 7: A ransomware attack against the corporate systems (IT) of Colonial Pipeline led the organization on Friday May 7 to proactively take certain operational systems (OT) offline to contain the threat, which has temporarily halted all pipeline operations. Details on the attack mechanism and the attack scope are under active investigation by the FBI and the private security firm Mandiant (a division of FireEye).
Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.
Prevention is the most effective defense against ransomware. It is critical to follow best practices to protect against ransomware attacks, which can be devastating to an individual or organization and recovery may be a difficult process. In addition to the Joint CSA, CISA and FBI urge CI asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:
CISA and Multi-State Information Sharing and Analysis Center: Joint Ransomware Guide <https://www.cisa.gov/publication/ransomware-guide>
Leave a comment , , ,

Natural hazard triggered industrial accidents: Are they Black Swans?

Agency News, Industry News, Power/Energy/Oil & Gas sector
A recently published JRC study examines whether technological accidents caused by natural hazards (Natech accidents) are real “Blacks Swans” (unpredictable and hence unpreventable events), identifies their possible causes and discusses effective strategies to manage extreme risks.
The study concludes that the Black Swan metaphor is overused for technological accidents in general and Natech accidents in particular, whose recurrence raises questions about the effectiveness of corporate oversight and the application of state-of-the-art knowledge in managing risks.
What are Natech accidents?
Natech accidents occur when the natural and technological worlds collide, wherever hazardous industry is located in areas prone to natural hazards. Past Natech accidents have often had significant impacts on public health, the natural and built environment, and the local, national or even global economy.
Major technological accidents considered unpreventable are occasionally called Black Swan events. Three features characterize a Black Swan:
- it must be an outlier with respect to normal expectations, making it unpredictable;
- it has to have a major impact;
- it can be explained in hindsight, making it appear predictable.
Inadequate risk management and organisational risk blindness
A closer look at past Natech accidents shows that the vast majority of these events, if not all, could have been foreseen and prevented using available information and knowledge prior to the disaster. They can therefore not be considered inevitable or Black Swans.
The JRC study provides a detailed analysis of the reasons for why Natech risks are often underestimated:
- Risk management traditions and the Act-of-God mindset - The focus for managing natural risks has traditionally been on the response side and hence on disaster management, rather than on prevention and risk management, whereas the technological-risk community has always focused on risk- rather than disaster management. Natech risk is sandwiched between these two worlds, and neither community feels very much at ease with taking ownership of the risk;
- Complexity of Natech risk scenarios - Natech risk analysis would need extensions to traditional risk-analysis methodologies in order to cover the multi-hazard nature of the risk and the multitude of possible simultaneous scenarios;
- Risk governance and risk management problems due to the multi-stakeholder and multi-hazard nature of Natech risks, and the multitude of possibly conflicting issues that are usually on a manager’s radar screen;
- Socio-economic context, including group interests and power, economic pressure, and public or media indifference; and
- Human fallacies and cognitive biases that can corrupt the experiences we draw on for estimating risks.
Managing extreme risks
Building organisational resilience is key to managing risks effectively, in particular in high-risk industry. The JRC study discusses possible strategies to reduce extreme risks, prepare better for their consequences, and make Black Swans more accessible:
- Risk-based versus precaution-based strategies
- Disaster incubation theory and warning signals
- Mindfulness
- Resilience engineering
- Scenario planning
- Red teaming
While the JRC study is centered on Natech risks, it is generally applicable to managing also other types of extreme or low-probability risks.
Leave a comment , , ,

NSA releases Cybersecurity Advisory on Ensuring Security of Operational Technology

Agency News, Cyber Security CII sector, Industry News
The National Security Agency (NSA) released the Cybersecurity Advisory, “Stop Malicious Cyber Activity Against Connected Operational Technology” today, for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) operational technology (OT) owners and operators. The CSA details how to evaluate risks to systems and improve the security of connections between OT and enterprise networks. Information technology (IT) exploitation can serve as a pivot point for OT exploitation, so carefully evaluating the risk of connectivity between IT and OT systems is necessary to ensure unique cybersecurity requirements are met.
Each IT-OT connection increases the potential attack surface. To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible. An example of this type of threat includes recent adversarial exploitation of IT management software and its supply chain in the SolarWinds compromise with publicly documented impacts to OT, including U.S. critical infrastructure.
This guidance provides a pragmatic evaluation methodology to assess how to best improve OT and control system cybersecurity for mission success, to include understanding necessary resources for secure systems:
- First, NSA encourages NSS, DoD, and DIB system owners, operators, and administrators to evaluate the value against risk and costs for enterprise IT to OT connectivity. While the safest OT system is one that is not connected to an IT network, mission critical connectivity may be required at times. Review the connections and disconnect those that are not truly needed to reduce the risk to OT systems and functions.
- Next, NSA recommends taking steps to improve cybersecurity for OT networks when IT-OT connectivity is mission critical, as appropriate to their unique needs. For IT-OT connections deemed necessary, steps should be taken to mitigate risks of IT-OT exploitation pathways. These mitigations include fully managing all IT-OT connections, limiting access, actively monitoring and logging all access attempts, and cryptographically protecting remote access vectors.
Operational technology includes hardware and software that drives the operations of a given infrastructure environment, from an engine control unit in a modern vehicle to nationwide train transportation networks.
Every IT-OT connection creates an additional vector for potential OT exploitation that could impact and compromise mission and/or production. Performing a comprehensive risk analysis for all IT-OT interconnections and only allowing mission critical interconnections when they are properly protected will create an improved cybersecurity posture. By employing an appropriate risk analysis strategy, leadership and system owners and operators can make informed decisions to better manage OT networks while reducing the threats from and impact of exploitation and destructive cyber effects.
Leave a comment , , ,
1 30 31 32 33 34 54