Andres Andreu, CISSP-ISSAP is the CTO of Bayshore Networks, the leader in active OT industrial cybersecurity protection by creating, monitoring and enforcing safety policies.
Andres has over 20 years of public/private sector hands-on dynamic security/software architecture and engineering experience, including extensive backgrounds in SCADA/ICS, web services security/integration, federated ID technology, and electronic surveillance & countermeasures.
Andres is the author of Wiley’s Professional Pen Testing for Web Applications, Technical Editor of Webster’s New World Hacker Dictionary, and the software author of a number of open source projects, including gargoyle (Active Protection for Linux), yextend, I7secassay, WSFuzzer, and SSHA attack.
What are the biggest challenges you face in the year ahead?
While there are many challenges we face moving through 2019, the following stand out as exceptional:
– Sophistication – the sophistication of some attacks is rising fast and hard. The involvement of nation states compounds this challenge because they bring grander resource sets (i.e., money, people, skills, etc.) to the table. This means that, to an extent, the middle class is disappearing in the cyber security race. There will only be the elite (well-funded and/or highly skilled) and those entities that will not be able to withstand the elite and simply hope that they are not targeted.
– Evolution – not too long ago metamorphic and polymorphic malware were very impressive pieces of craftily written software. Actually, they still are impressive if one looks under the hood. These pieces of software were/are evolutionary in that they raised the stakes of their predecessors by evolving into entities that are very difficult to detect. This changed a lot of aspects in the cyber security race, especially the role and effectiveness of endpoint security. This genre of software is still around today and remains a force to be reckoned with.
But the software is still file based for the most part and endpoint products have responsively evolved to varying degrees.
Now we are seeing something of another evolution into in-memory malware that is in essence file-less (i.e. no file system storage is used) and really makes endpoint security ever-more challenging.
– Native attacks – this is specific to the IIoT space. Historically the majority of attacks that have negatively impacted the IIoT and/or ICS spaces have really been Enterprise level attacks. I very clearly said “majority” because there certainly have been some native attacks but the true proliferation of native attacks in the IIoT space has yet to hit the industry. One factor here is that many attacking entities are still learning the communications protocols of the IIoT and ICS spaces, but once they finish their lessons things will be different and attack surfaces that may seem elusive now will no longer be so.
– Targeted attacks – soon we will see less overall ransomware but more strategically targeted instances with the bullseye on public utilities and ICS environments. The reason for this is that these targets usually pay the ransoms in question because they need to keep things running. These targets represent vital societal services that have not yet truly been targeted by widespread ransomware attacks. But the few instances that have taken place show attackers a pattern of the targets generally not being as prepared for these types of attack as other entities, like banks. Cyber criminals know that any attack that can cause downtime to these environments/services will get swift attention and ransomware probably requires the least effort in terms of targeting a specific entity. We should expect to see fewer ransomware attacks this year, but they will be more focused, specifically targeted towards utilities and the ICS space in general.
– Reasons – there was once a time when an attacking entity did things for bragging rights. Anyone that has been in this industry long enough remembers that and if you were allowed into the right IRC chat rooms, you had the privilege of being exposed to all kinds of interesting stories (some verifiable and some not). But the reasons for attacks and breaches have certainly changed over time and now we see a stronger focus on monetary gain.
Cryptojacking is a perfect example of this, where the objective is not to steal data or cause disruption of any sort, rather to use that target’s hardware for monetary gain, in this case for mining cryptocurrencies.
– IoT devices – let’s face it, these are everywhere now and it is the wild west of the unexplored spaces. Mirai was a serious wake-up call to the collective power of millions of small, low-power devices working in unison towards a disruptive goal. But Mirai was only possible because of irresponsible device deployments. As technology becomes easier to deploy these problems are going to grow, since people with no concept of security can now just as easily deploy some cool new gear and the stuff just works out of the box – unfortunately, with default profiles that introduce weak security postures. These devices may just work, but the ease of deployment coupled with the lack of knowledge out there compounds the security challenges we are facing. Evidence of this can be seen at: https://www.insecam.org. If it were not for default credentials, or having none at all, the content on this site would not be possible.
– Skills – After all these years in this industry I am still amazed at the lack of deep skill that exists. So many security experts are nothing more than implementers of products and don’t truly understand the depth of certain issues. At a public speaking engagement I once asked the crowd:
“How many of you are responsible for security within your respective organizations?”
Of course, all hands went up. I then asked:
“How many of you actually, honestly, have ever broken into anything, whether legally or not, in cyber space? I don’t mean taken a course or built a lab at home.”
Not one hand went up. And so we as an industry have so many people who understand concepts but have no real world hands-on experience with both sides of the security conundrum. While some disagree with my perspective on this subject, I hold strong that this is a weakness and a problem. Attackers think and operate in a certain way that most security professionals (by title) don’t truly understand. And how can someone really protect something they just don’t understand at depth?
– Artificial Intelligence – there was once a time when the reconnaissance phase of an attack gave attackers a number of data points they could use to hone in on a target and construct subjective attack vectors in order to be stealthy and focused. This manual process involved time and research in order to find known vulnerabilities and ingress points once target assets and asset types were identified. Attackers are now turning to Artificial Intelligence (AI) and Machine Learning (ML) to do some of this heavy analytical work for them. As they work with skilled engineers in the realm of AI this will become an area of great concern given the power of what they will have to unleash at their targets.
What unique security challenges does manufacturing face?
While there are many factors that make the security challenges of any IIoT/OT environment unique, the largest real-world challenges are:
– Adding security to a production environment while not violating the bounded latency constraints the environment needs to adhere to. Modern-day networks (i.e., Ethernet networks) operate within boundaries where the traffic flow of data is indeterminate. This means that intervening devices (i.e., security devices) can delay stream data and, generally speaking, the delays are acceptable. IIoT/OT networks have no such luxury, yet need security functionality in order to properly protect their resources and productivity. There is a great and unique challenge in finding that middle ground.
– The impact of active protective action or the lack thereof. Visibility is of value but at some point active enforcement will need to take place to actually secure resources in Manufacturing (and most other IIoT environments, for that matter) so when the usefulness of visibility is outlived and actual enforcement of blocking rules takes place on a network there will be some impact. The challenge is how much impact an organization can tolerate so that there is actual protection while not disrupting productivity. It’s a serious challenge and there will certainly not be a one answer fits all model here.
– Finding that elusive balance between modern day ease of use (i.e. making an operator’s life easier or making remote maintenance possible) and having a strong, or even decent, security posture is yet another unique challenge for the IIoT space. We have all seen the Shodan results for exposed ICS systems where the focus was purely on the ease of use aspect.
Balance is possible, but it requires some give and take on both the OT/ICS and IT sides. The fact that some equipment was put in place 20 years ago does not mean the surrounding technology has to be stuck in time, two decades ago. But things have to be done with expertise, planning and tons of testing so that these environments can safely operate within the confines of modern-day technology.
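The bounded-latency point above is the one that most often gets missed when an inline enforcement device is introduced into an OT network: the average delay can look fine while the worst case blows the cycle budget. The script below is an added illustration, not code from the interview or from Bayshore Networks. It models a deny-by-default, first-match allowlist filter of the kind used in front of a PLC, times the policy decision per packet, and reports mean, p99 and maximum latency against a budget. The rule format, the sample traffic, the host addresses and the 1 ms budget are all constructed for the example.

```python
"""Latency-budget check for an inline OT policy filter (constructed example).

OT/ICS traffic must stay inside a bounded delay (for example a PLC scan
cycle of a few milliseconds), so an inline enforcement device has to be
judged on its worst-case per-packet delay, not its average. This script
models a first-match allowlist, measures the decision time per packet over
constructed traffic, and reports whether the maximum fits a given budget.
"""
import statistics
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source IP, or "*" for any
    dst: str      # destination IP, or "*" for any
    dport: int    # destination TCP port, 0 for any
    action: str   # "allow" or "deny"


# Constructed allowlist: only the HMI may speak Modbus/TCP (502) to the PLC,
# and the engineering workstation may reach the PLC's management port (44818).
RULES = [
    Rule("10.0.0.10", "10.0.0.20", 502, "allow"),
    Rule("10.0.0.11", "10.0.0.20", 44818, "allow"),
]

# Constructed traffic mix: mostly legitimate HMI polling plus a few packets
# from a host that is not on the allowlist.
SAMPLE_PACKETS = (
    [{"src": "10.0.0.10", "dst": "10.0.0.20", "dport": 502}] * 500
    + [{"src": "10.0.0.99", "dst": "10.0.0.20", "dport": 502}] * 5
)


def match(rule, pkt):
    """True when the rule's tuple covers the packet (wildcards allowed)."""
    return ((rule.src == "*" or rule.src == pkt["src"])
            and (rule.dst == "*" or rule.dst == pkt["dst"])
            and rule.dport in (0, pkt["dport"]))


def decide(rules, pkt, default="deny"):
    """First-match evaluation with a deny-by-default outcome."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action
    return default


def measure(rules, packets, budget_s):
    """Time each policy decision and compare the worst case to the budget.

    Returns mean, p99 and max latency in seconds plus a within_budget flag
    computed from the maximum, because OT cares about the worst packet.
    """
    samples = []
    for pkt in packets:
        t0 = time.perf_counter()
        decide(rules, pkt)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    p99_index = max(0, int(len(samples) * 0.99) - 1)
    return {
        "mean": statistics.fmean(samples),
        "p99": samples[p99_index],
        "max": samples[-1],
        "within_budget": samples[-1] <= budget_s,
    }


def padded_rules(base, extra):
    """Constructed helper: prepend `extra` non-matching rules so the
    first-match scan has to walk a longer list, as a large allowlist would."""
    filler = [Rule(f"192.0.2.{i % 250}", "*", 0, "deny") for i in range(extra)]
    return filler + list(base)


if __name__ == "__main__":
    budget = 0.001  # 1 ms, a constructed cycle-time budget
    for extra in (0, 1000, 10000):
        stats = measure(padded_rules(RULES, extra), SAMPLE_PACKETS, budget)
        print(f"rules={len(RULES) + extra:6d}  mean={stats['mean'] * 1e6:7.1f}us  "
              f"p99={stats['p99'] * 1e6:7.1f}us  max={stats['max'] * 1e6:7.1f}us  "
              f"within_budget={stats['within_budget']}")
```

Running the script with growing rule counts shows why the check has to be done against the largest policy that will ever be deployed: a linear first-match scan degrades with every rule added, and a filter that comfortably fits the budget in the lab with twenty rules can exceed it once the plant-wide allowlist is loaded. The `max` column is the number to hold against the cycle time; the mean is what a vendor datasheet usually quotes.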
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
The starting point here is putting ego aside and acknowledging that our industry is enormous in terms of focal areas. And once they come to terms with their mortality in this respect, they can start focusing on the areas that truly apply to their environments. Now that’s not to say that learning about outlying or new areas is not a good thing but we have to be realistic and focused.
So, a clear understanding of issues is paramount, and a correlation of how they relate to your environment(s) is essential. This means people have to start transcending the realm of buzzwords and truly understand the issues affecting them. A perfect example is that everyone is concerned with DoS attacks. But DoS attacks in the IIoT space can look very different from how they do in the Enterprise space. Once a deep understanding of these real issues is in place it is possible to filter out noise and hone in on issues really impacting them and the environments they are responsible for.
What should a company do if they suspect cyber attackers have been successful?
First off, avoid the emotional responses that go to extremes because there is a lot to learn from attacks/breaches so long as the adversary is not aware of having been exposed. My advice is to get professional forensics experts involved as they should be able to provide invaluable insight into the details of the suspected activity. Of course, the details will also feed into the ultimate decision of whether or not the suspect activity qualifies as a successful breach or attack. Over the years this expertise has proven itself to be beyond the normal capabilities of typical IT staff and so it is a worthwhile investment. Moreover, there is a greater purpose at hand if the suspecting entity takes a communal view and is willing to share data so that the entire industry can benefit and prepare, given that details and Modus Operandi should have been discovered during the forensics process.
Beyond the forensics, a company should also have a regular set of external eyes on their security posture. This will also prove to be money well spent over time.
The biggest threat to an institution may already be inside the building. Studies show that 60 percent of cyber attacks come from inside the company. What are the key strategies to address this challenge?
The industry, to an extent, really has become hard outside edge, soft chewy inside in terms of networks, so insider threats make sense as being a very real point of contention. Someone on the inside needs to own the unpleasant responsibility of distrusting just about everything. Users will fight this to the end because they all want openness and freedom when it comes to work environments, so pursuing a balance is critical. There is no formula in this respect because work cultures vary so wildly from organization to organization. For example, does your organization allow for the physical disabling of USB ports on desktops? Does your organization purely rely on users using laptops they take home as well? These types of questions and their answers really start molding what you should do (i.e., strong network segmentation, etc.) to secure your organization.
One key strategy is to scrutinize everything, since a strong security posture is both breadth and depth based, for example, following a simple trust but verify model that covers the range of physical to cyber security. The example I always cover is that of the night cleaning crew. Scrutiny in this space could range from background checks to video surveillance during the night-time cleaning activity. If one steps back and thinks about it, these people have free rein to most of your equipment during their cleaning activities because they perform a very necessary function. There have been instances where crafty adversaries have ensconced themselves into a respective cleaning crew and performed their initial activities that way.
Awareness programs are always useful but they cannot be simple online lessons with a silly quiz at the end. I am a fan of active (internal) campaigns where you can expose someone’s mistakes in order to make them more aware in a realistic fashion, for example, internally driven phishing campaigns that make users very aware of the fact that they should not have clicked on something inside an email.
Your business is only as strong as your weakest partner. Can you trust that your partners are keeping your data safe from attackers? Attacks come from inside the company. What are the key strategies to address this challenge?
I have always believed in a stance of “healthy paranoia” so the answer is “NO” you cannot trust your partners are keeping your data safe. This is not meant to be a negative dig on any partner but there is no way you truly know if your partners will go as far as you will to secure your own resources. A few things one can do when it comes to this challenge:
– Request and pursue end to end joint sessions where all ingress and egress points are identified along with normal and edge cases. If you have true competence in your own security space, you should be able to identify where your partner sits in respect to your expected security posture.
– Invest in a third-party assessment of the overall joint solution(s) where an objective perspective is applied to all ingress & egress points along with use cases. Moreover, make sure your partner(s) have the same level of accountability in respect to the outcome of said assessment.