Security for Change, not Performance
The latest notice of exploitation of critical infrastructure comes with an irresponsible set of actions:
The problem with all of these suggestions is that they are performative and ineffective in the long run. Changing the default passwords, or even using strong passwords, is nothing more than putting a wait state in the breach given modern tools. As we saw with the LastPass breach, MFA is not real security anymore, either. Disconnecting from the Internet is a great recommendation, except hiding behind a VPN isn't disconnecting from the Internet, as VPN endpoints are literally ON the Internet. As Brian Deitch says: "If you can reach it, you can breach it." Similarly, changing TCP ports is not an effective maneuver, as the service is still out there, just on a different port. The saddest recommendation of all: "Backup to enable fast recovery." That is only useful if the SecOps team detects the breach, which typically takes days, if not weeks.
So, what IS a security measure for change and not performance? For one thing, cloaking access to private applications behind Zscaler's ZPA is one such measure. It is an action which can be taken to change the dynamic of the attack, as opposed to the above measures, which merely delay it. If access is given via Browser Isolation, that truncates the attacker's tools, even if they were to gain access. Another measure would be to deploy Deception technology. Deception leverages strategically placed decoys to lure attackers for early detection, as well as protection of vital resources. With today's technology, dynamic deception tools are entirely accessible and appropriate. The lack of pervasive use is simply mind-boggling.
Entrepreneur, Security Strategist and Partner. Master of Red Teaming, Cyber Threat Research, and Malware Elimination. Skilled in vCISO & GRC. "True grit and hard work create the unbeatable."
11 months: Great post, Maria Teigeiro, CISSP