Video interview originally published on manufacturing.net
Whether it’s the infamous Colonial Pipeline ransomware attack last summer, or an ongoing number of water treatment facility hacks, there’s no doubt that infrastructure facilities have become a favorite target of cybercriminals.
In fact, according to a recent report from Skybox Security, the first half of 2021 saw a 46% year-over-year increase in new OT vulnerabilities within organizations charged with running and maintaining key portions of U.S. infrastructure.
In this episode of Security Breach, Alastair Williams, Vice President, Worldwide Systems Engineering at Skybox Security, joins us to help break down some of the social and market factors driving these troubling cybersecurity dynamics. We also discuss ransomware attacks, Log4j challenges, and what he sees as the biggest cybersecurity trends to consider for 2022.
Excerpts from the video interview on manufacturing.net
OT security
Jeff Reinke: Your report showed an increasing number of OT vulnerabilities with a lot of U.S. infrastructure entities. Why are they having such a tough time upgrading and having the right cybersecurity tools in place that they need right now?
Alastair Williams: Our research found that 83% of critical infrastructure organizations suffered breaches within the last 36 months. The research also uncovered that organizations underestimate the risk of cyberattack, with 73% of CIOs/CISOs highly confident that their organizations will not suffer an OT breach in the next year. These two data points really contradict one another, perhaps showing overconfidence in their existing security capabilities and their willingness to accept that more investment in security needs to be made.
JR: So really, they are not making the investments because they think they are good the way it is right now?
AW: Yes, despite the criticality of these facilities, the security measures on OT products are often weak or non-existent. If you look at how we got here, most OT assets were never meant to connect to anything in the first place. Instead, they were often air-gapped – meaning they were physically isolated from non-secure networks. And there was no provision to update or upgrade them on an ongoing basis.
Log4j
JR: Log4j hit really hard in December. It had everyone freaking out. What can you tell us now in terms of what you saw, what was happening, what has been done to control the issue, and do you have any advice for people who may have experienced the Log4j issue and what they can do moving forward?
AW: For a widespread vulnerability like Log4j, patching all of the instances is just hugely time-consuming. Not only is it time-consuming, but it’s hugely costly as well. Along with that history shows that the ‘patch everything’ strategy is just a monumental waste of effort since typically it’s a really a very small subset of devices that are actually exposed to the attack itself. What Skybox is seeing is: Yes, you need to identify those devices that need to be patched immediately because they are directly exposed to one or more threat actors or perhaps are on a second step of an attack chain. It is then about understanding where you have other occurrences of that vulnerability so that you can put in plan a mid-term plan of how you would go about addressing that as part of a BAU-type patching strategy. The other thing would be focusing on other remediation options as well. There are mitigation options that can be applied to the vulnerable library through configuration changes. Obviously, there are other mitigations, such as intrusion prevention or network segmentation. It is really about identifying which remediation options are best suited to the different occurrences of that vulnerability within the organization.
When the Log4j vulnerability was first announced, it was very challenging for organizations to understand where those vulnerable applications were. Many organizations have deployed traditional network vulnerability scanning from the perspective of wanting to scan each asset once per month on a rolling schedule. When something like Log4j happens, the senior management wants to understand where and how big this problem is in a matter of minutes. It’s impractical to go from scanning 1,000 devices a day to scanning 30,000 devices overnight. This is where alternative discovery mechanisms need to come into play with things like passive vulnerability scanning. I would also say that a lot of the traditional network vulnerability scanners are looking for the existence of that particular library of a particular version. But one of the things that we know, and actually we have seen organizations do, is to provide mitigation by way of making a configuration change. So, the version of the vulnerable library remains the same, but it is not exploitable in the same way because of this configuration change. What we’ve seen is the network vulnerability scanners can’t take that mitigation into account. So when you scan your infrastructure, it’s coming back and saying you have 10, 20, 50 occurrences of that vulnerability. But the reality is you have probably addressed one or more of those through configuration mitigations.
Ransomware
JR: What is your take when it comes to ransomware? Do you pay them or not pay them?
AW: My perspective is to take the government and industry guidance. Federal agencies such as the FBI largely discourage organizations from paying ransoms. It does not guarantee the retrieval of data. It further funds and encourages ransomware groups to continue their attacks. Similarly, cybersecurity professionals have seen paying ransom gives the adversaries more monetary incentives to continue doing what they are doing. What is important is to be as prepared as you can. Invest in the toolsets that give you the underlying data.
Cybersecurity trends
JR: Overall, looking out at the rest of the year, what do you see as the bigger trends in cybersecurity?
AW: Ransomware will continue to skyrocket as digital transformation expands the attack surface. Critical infrastructure will continue to be in the crosshairs. We see new many more new vulnerabilities than we have previously. Our research team tells me that we see ransomware everywhere, increasing in severity. Cyberattacks have evolved from encrypting an individual workstation or system to now large chunks of the network. Now, they are exfiltrating data as well. So it’s not just, “Lets encrypt the data and ask for the ransom.” Now it’s, “Let’s encrypt the data, make the ransom demand, and at the same time we are going to steal a whole bunch of your data.”
For example, our February 2021 research revealed that there was a 106% year-over-year increase in ransomware. Once more, as digital transformations continue and the traditional verticals like civil infrastructure shift from air gapped to connected, we are going to continue to see an increase in attacks, not just on the digital networks, but also on OT infrastructure, supply chains, healthcare, and beyond.
The adversaries are not constrained by many of the constraints we have in industry. They don’t have to demonstrate ROI, and they don’t have to write business cases. As a result, cybercriminals are free to do what they want in a very agile way. They can learn from their mistakes, pivot on the spot, and change their entire direction overnight. This will continue to keep organizations on their toes, as well as security vendors like Skybox to ensure we continue to provide our customers with the level of protection that they deserve.