“First of all, every company should be concerned,” said Stefan Woronka, director and head of business development at Siemens Industrial Security Services, speaking about the cybersecurity threats to industry exposed in the U.S. Computer Emergency Readiness Team (CERT) TA18-074A Alert. Pointing out that it’s not just energy sector industrial companies that need to take heed of the issues revealed in the CERT alert, Woronka says, “all industries Siemens supports face cybersecurity challenges.”
Given that the list of detection and prevention measures provided in the U.S. CERT alert is so extensive, Moreno Carullo, founder and chief technical officer at Nozomi Networks, a supplier of industrial cybersecurity technology, said it’s important for users to realize there is a key technique used to accomplish the type of monitoring recommended by CERT. That technique is hybrid threat detection. “This involves the use of signatures plus behavior-based anomaly detection to identify threats,” he said. “The results are correlated with each other and with operational context, providing rapid insight into what is happening, thereby reducing mitigation time.”
Carullo notes that YaraRules is “a signature approach” to hybrid threat detection in that it consists of “a library of advanced scripts that check for the presence of malware IOCs (indicators of compromise). YaraRules aggregates checking for multiple IOCs for malware to reduce manual threat detection work.” He adds that, because YaraRules is developed by an open community of global security researchers, the YaraRules library “innovates as fast as the collective body of knowledge.”
Whenever the government puts out a warning, Carullo says it's a good time for organizations to take note and prioritize or re-prioritize their cybersecurity defenses. With that advice in mind, here are his recommendations following the release of CERT Alert TA18-074A:
- Set firewall policies to restrict outbound communication services. Block SMB as an allowed outbound communication protocol.
- Ensure passwords are complex and long. Use two-factor authentication whenever possible.
- Direct people to change passwords regularly, especially passwords related to critical systems and administrator passwords.
- Communicate to staff the seriousness of the situation, asking everyone to be on guard for suspicious emails, activities or people at facilities.
- Have key staff available and on standby emergency mode.
- Review your incident response and outage plans.
- Review all administrator accounts. Identify and disable unauthorized ones.
- Make sure that physical defenses are high. If there are hardware keys to prevent programming of ICS systems, they should be checked to make sure they are not left in program mode.
- Prioritize the checking of networks for anomalous behavior and Indicators of Compromise (IOCs).
- Eradicate IOCs from networks.
- Harden firewall rules, restricting both inbound and outbound communication between networks and segments within the industrial networks. This includes restricting outbound protocols to a minimum set, which excludes SMB.
- Implement real-time cybersecurity and operational visibility technologies that will help provide early warning Advanced Threat Protection (APT), and allow action to be taken to eradicate infections before they cause damage.
- Implement real-time monitoring and alert correlation to reduce the workload involved in checking for the presence of IOCs.
As a critical step in securing industrial facilities on an ongoing basis, Woronka says Siemens recommends that a company “complete a thorough analysis of their assets and then establish a holistic security concept that brings together IT and OT. The Holistic Security Concept, as we call it, helps to answer key questions for business security, including: What do I need to protect in my business? What level of security do I need? How do I protect specific assets?”
Woronka says the holistic security method used by Siemens integrates requirements from both IEC 62443 and ISO 27001 to provide a focus on both IT and OT requirements. (More information about this can accessed at www.siemens.com/industrialsecurity.) The initial steps to conducting this process include determining the most valuable assets within the scope of protection as well as the potential threats and impacts.
“Based on this information, a threat and risk analysis can be conducted,” he says. “This provides a good overview about which assets require a higher protection level.”
To establish a holistic security approach that includes defense-in-depth based on IEC 62443, Woronka says users should consider splitting the process into three major categories:
- Transparency for Assessment. This involves gaining transparency into the production environment.
- Implementing a defense-in-depth architecture with different measures. This may include firewalls for network segmentation, hardening of the endpoints, implementation of a robust patch management program, use of endpoint software such as whitelisting or antivirus, proper user and access management, and management of remote connectivity. “These measures usually are considered basic cyber hygiene,” he said. “They simply need to be there.”
- Cybersecurity Management. The implemented system and architecture needs to be kept up to date and monitored via regular patching, maintenance of antivirus protection, installation of firewalls and so on.