How preparing for cyber risks can minimize the chances of cyberattacks


Are organizations only concerned with taking the right measures to mitigate cyber risk after they have been attacked? This may be the case in most situations, but the more important question to ask is: which cybersecurity controls should organizations consider?

The answer is straightforward: the controls that have the biggest impact on reducing the likelihood or the impact of a successful cyberattack.

Cyber risk is generally defined as the combination of the threat to a system, the system's vulnerability, and the resulting consequences. Therefore, to successfully protect Information Technology (IT) and Operational Technology (OT) systems, companies must understand the tactics, techniques, and procedures (TTPs) that threat actors use to achieve their objectives.

Here are several examples of well documented cyberattacks on critical national infrastructure over the past two decades:

In 2010, arguably the most sophisticated cyberattack to date was executed against an Iranian uranium enrichment facility, exposing the weakness of cybersecurity controls and the vulnerability of OT environments. The Stuxnet worm was designed specifically to target these environments, which allowed the threat actor to exploit and disrupt production operations, causing downtime and business impact.

Stuxnet was the eureka moment for the energy and manufacturing industries: OT environments can be breached, and a breach can have an impact on their business, on human lives, on the environment, and on economies.

In 2015, Ukraine was hit by a cyberattack that shut off power at 30 substations and left millions of people without electricity for up to six hours. The threat actors used nothing more than the known TTPs already seen in cyberattacks on IT environments.

Barely a year later the Ukraine power grid was attacked again, this time with more sophisticated TTPs, and the capital city Kiev went dark as breakers tripped in a large number of substations.

This was another eureka moment: national power grids are not safe from threat actors either.

Since then, advanced persistent threat (APT) attacks on industrial environments have continued to rise, and industrial espionage has increased, including ransomware activity in OT environments.[1]

Recently, the Cybersecurity & Infrastructure Security Agency (CISA)[2] launched the Cross-Sector Cybersecurity Performance Goals (CPG)[3], a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing the risk to critical national infrastructure and the communities it supports.

These cybersecurity controls are not meant to be the only considerations but to form the foundation of a defense-in-depth cybersecurity strategy.

These are some of the logical first steps to consider:

User Account Security

User accounts are generally one of the first gateways through which threat actors gain access to the network, establish a foothold, and move laterally.

Here are the suggested foundational controls that should be considered:

- enable the detection of unsuccessful user login attempts

- change all default passwords and implement multi-factor authentication (MFA)

- enforce a minimum password strength

- separate user and privileged accounts

- enforce unique user credentials (not just email addresses, as is common)

- revoke the credentials of departing employees
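The first control above, detecting unsuccessful login attempts, is only useful if the failures are actually evaluated. The following script is an added example written for this article (not the author's or CISA's code): it parses constructed sshd-style authentication log lines, counts failures per source address and per user inside a sliding time window, and raises an alert when a burst exceeds a threshold, plus a second alert when a source that produced a burst later logs in successfully. The log lines, host names, addresses, the five-failure threshold and the five-minute window are all assumptions.

```python
"""Flag bursts of failed logins per source and per user from auth-style log lines.

Example code for this article; the log lines below are constructed samples and
the thresholds are assumptions, not values from any standard or product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in sshd format (no real hosts or addresses).
SAMPLE_LOG = """\
Mar 03 09:00:01 hmi01 sshd[2310]: Failed password for operator from 10.20.0.15 port 51022 ssh2
Mar 03 09:00:04 hmi01 sshd[2310]: Failed password for operator from 10.20.0.15 port 51023 ssh2
Mar 03 09:00:06 hmi01 sshd[2311]: Failed password for invalid user admin from 10.20.0.15 port 51030 ssh2
Mar 03 09:00:09 hmi01 sshd[2312]: Failed password for operator from 10.20.0.15 port 51031 ssh2
Mar 03 09:00:12 hmi01 sshd[2313]: Failed password for operator from 10.20.0.15 port 51032 ssh2
Mar 03 09:00:20 hmi01 sshd[2314]: Accepted password for operator from 10.20.0.15 port 51040 ssh2
Mar 03 09:30:00 hmi01 sshd[2400]: Failed password for engineer from 10.20.0.77 port 40100 ssh2
Mar 03 10:45:00 hmi01 sshd[2500]: Failed password for engineer from 10.20.0.77 port 40200 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an auth event, or None for lines we do not care about.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "failed": m["result"] == "Failed",
            "user": m["user"], "src": m["src"]}


def find_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for failure bursts and for successes that follow a burst.

    Failures are keyed both by source address (catches one host guessing many
    accounts) and by user name (catches many hosts guessing one account).
    A key is alerted on at most once; a later "Accepted" from a source that
    already produced a burst yields a separate, higher-severity alert.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # key -> timestamps of failures inside the window
    burst_keys = set()
    alerts = []
    for e in events:
        keys = (f"src:{e['src']}", f"user:{e['user']}")
        if e["failed"]:
            for key in keys:
                q = recent[key]
                q.append(e["ts"])
                while q and e["ts"] - q[0] > window:  # drop failures outside the window
                    q.popleft()
                if len(q) >= threshold and key not in burst_keys:
                    burst_keys.add(key)
                    alerts.append({"type": "burst", "key": key, "count": len(q),
                                   "first": q[0], "last": e["ts"]})
        elif keys[0] in burst_keys:
            alerts.append({"type": "success_after_burst", "key": keys[0],
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_failed_login_bursts(SAMPLE_LOG):
        print(alert)
```

On the sample, the five failures from one source within eleven seconds produce a burst alert, and the subsequent accepted login from that source produces a success-after-burst alert, which is the case that warrants immediate response. The two spaced-out failures for the engineer account fall outside the window and stay silent. In practice the alerts would be forwarded to central log storage (the Data Security controls below) rather than printed.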

Device Security

Device security comprises the measures taken to protect computing devices from cyber threats and to maintain service continuity.

Here are the suggested foundational controls that should be considered:

- an approval process for new hardware and software deployment

- macros disabled by default

- an up-to-date asset inventory

- a prohibition on connecting unauthorized devices

- documented device configurations

Data Security

The purpose is to protect sensitive and confidential data from unauthorized access, theft, loss, and destruction.

Here are the suggested foundational controls that should be considered:

- strong and agile encryption

- log collection enabled

- secure storage of those logs

Governance and Training

A strong governance structure is key for any cybersecurity strategy to manage cyber risks effectively.

Here are the suggested foundational controls that should be considered:

- appointment and empowerment of a single leader accountable for cybersecurity

- a single leader responsible for OT-specific cybersecurity

- basic cybersecurity training for all employees and third parties

- OT-specific cybersecurity training for OT managers and operators

- an effective working relationship between IT and OT cybersecurity to improve the response to OT cyber incidents

Vulnerability Management

To prevent the exploitation of known vulnerabilities, the following foundational controls should be considered:

- mitigate known vulnerabilities

- gather vulnerability intelligence from security researchers

- block (blacklist) exploitable services exposed to the internet

- limit OT connections to the public internet

- conduct third-party validation of control effectiveness

Supply Chain / Third Party

To ensure the integrity of supplier products and services the following foundational controls should be considered:

- establish supplier cybersecurity requirements

- require immediate disclosure of known cybersecurity incidents

Detection, Response and Recovery

Here are the suggested foundational controls that should be considered:

- the capability to detect relevant threats and TTPs

- comprehensive response and recovery plans (including backups)

Network Segmentation

Network segmentation reduces the overall attack surface.

Here are the suggested foundational controls that should be considered:

- segment IT and OT networks

- segment safety-critical systems from other systems

- segment temporarily connected devices

- segment wireless communications

- segment devices connected via untrusted networks or the internet

Email Security

Email security measures reduce the risk from common email-based threats and help ensure the confidentiality and integrity of email communications.

Here are the suggested foundational controls that should be considered:

- email encryption

- email account authentication

- email filtering

In conclusion, cyber threats are evolving and escalating at an alarming rate for asset-intensive industries such as the energy sector. Strengthening the cybersecurity foundations is imperative to build a defense-in-depth model that safeguards IT and OT environments.

Jaco Benadie is a member firm Partner at Ernst & Young Consulting Sdn Bhd. The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.


[1] Evolution of Attack Techniques in Operational Technology.pdf

[2] ABOUT CISA | CISA

[3] Cross-Sector Cybersecurity Performance Goals | CISA



Jaco Benadie

Partner @ Ernst & Young Consulting Sdn Bhd | Cyber Security Professional

2 years

Ruban Anbalagan, here you go.
