Not quite a month ago LockerGoga took industrial operations of a major aluminum producer offline; that much we know. What is not known by many is that LockerGoga has a common thread with Triton, Shamoon, Petya and many other attacks that have inflicted damage to critical infrastructure and industrial operations around the globe.
After any incident, whether it impacts one’s own operations or others, it is essential for organizations to perform a “post-mortem” analysis in order to learn from the attack and help better secure the operation from future attacks. These three key takeaways that we thought worth sharing will help strengthen your defense strategy.
1. Security Today Makes a More Secure Tomorrow
The common thread is that each of these attacks has struck more than once. For example, LockerGoga was first detected in January 2019, yet in March it made a second appearance when it shut down an aluminum producer and forced it to revert to manual operations. LockerGoga then made an additional appearance in April. Shamoon was first seen as early as 2012 and has appeared and reappeared three times. Similarly, Triton first appeared in 2017; we saw it again in 2018 and then again this past week. Because these attacks are being recycled, there is a very good probability that whatever resources you apply to securing your organization the first time will spare you from revisiting the same attack over and over.
2. Basic Maintenance Is Basically Not Happening In Your OT Environment
Industrial organizations have experienced major paradigm shifts in the last five years, which make them both more attractive and easier to attack successfully. Whereas industrial processes and OT networks were once isolated, today they are not. Thanks to the digital convergence of IT and OT environments and the adoption of IIoT technology, OT is no longer an unreachable island. In fact, OT environments are a relatively easy target compared to traditional IT environments, which have a twenty-year security head start. To keep attacks from repeating, organizations must keep an up-to-date inventory of the assets on the OT network. Some refer to this as “basic maintenance”, yet it is anything but basic.
To truly stop the return of named attacks that we thought were in the rear-view mirror, it is not enough to keep a spreadsheet or other offline list of assets. These static lists are generally outdated the minute they are issued. Particularly given the more dynamic nature of today’s OT environments, it is essential to have a live list that is updated automatically and includes a detailed inventory of what is on the network. Without this live and detailed information, organizations can easily miss critical elements on the network that need to be patched. The result is that vulnerabilities remain overlooked simply because the security administrator did not know the affected assets were there. With enough reconnaissance, hackers can quickly find these holes and take advantage of them by recycling old attacks that still have the capacity to devastate industrial operations.
3. Automate And Alleviate Mundane Tasks; Focus On What Matters
In the past, we relied on human intelligence to find security incidents in mountains of data. This is frequently a laborious, time-consuming set of tasks that detracts from the core objective: acting on what the data means. It is also subject to human error, which adds another barrier to resolving a breach. Finding the relevant assets automatically empowers you to apply patches to vulnerabilities before they are exploited, and thus to eliminate encore performances of attacks that take down OT networks. Deploying a robust patch management program also automates these tedious tasks and eliminates human error. With a real-time and detailed asset inventory program, you can prioritize the top threats and be far more efficient in the actions you take to defend your network.
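To make the two preceding points concrete, here is an added example (not code from the original post or from any vendor product) of what a live inventory buys you over a spreadsheet: it reconciles a static asset list against observations from passive network monitoring, then ranks the observed assets for patching attention. The spreadsheet, the observations, the host addresses and the scoring weights are all constructed for illustration; a real deployment would feed the observations from a monitoring sensor and derive criticality from the process each asset serves.

```python
"""
Reconcile a static (offline) OT asset list with live observations and rank
assets for patching. Added example with constructed sample data.
"""

# Constructed sample: the "spreadsheet" inventory as issued last quarter.
STATIC_INVENTORY = {
    "10.0.1.10": {"role": "PLC", "firmware": "2.1"},
    "10.0.1.11": {"role": "HMI", "firmware": "4.0"},
    "10.0.1.20": {"role": "Historian", "firmware": "7.2"},
    "10.0.1.40": {"role": "Historian", "firmware": "7.2"},  # listed, but no longer on the wire
}

# Constructed sample: what passive monitoring actually observed on the OT network.
# "criticality" is an assumed 1-5 rating of the process the asset serves;
# "fix_available" is an assumed flag meaning a fixed firmware version exists.
LIVE_OBSERVATIONS = [
    {"host": "10.0.1.10", "role": "PLC", "firmware": "2.1", "criticality": 5, "fix_available": True},
    {"host": "10.0.1.11", "role": "HMI", "firmware": "4.1", "criticality": 3, "fix_available": False},
    {"host": "10.0.1.20", "role": "Historian", "firmware": "7.2", "criticality": 2, "fix_available": True},
    {"host": "10.0.1.35", "role": "EWS", "firmware": "1.0", "criticality": 4, "fix_available": True},  # never recorded
]


def reconcile(static, live):
    """Compare the offline list with live observations.

    Returns three sets of hosts: those the list never recorded ("unknown"),
    those whose observed firmware differs from the list ("drift"), and those
    on the list that were not seen on the network at all ("missing").
    """
    seen = {obs["host"]: obs for obs in live}
    unknown = {host for host in seen if host not in static}
    drift = {
        host for host in seen
        if host in static and static[host]["firmware"] != seen[host]["firmware"]
    }
    missing = {host for host in static if host not in seen}
    return {"unknown": unknown, "drift": drift, "missing": missing}


def patch_priority(live, reconciliation):
    """Rank observed hosts for patching attention (assumed scoring scheme).

    Score starts at process criticality, is doubled when a fix exists (the
    work is actionable now), and gets a bonus when the inventory did not know
    the asset existed (nobody was watching it). Highest score first; ties
    broken by host address so the output is deterministic.
    """
    ranked = []
    for obs in live:
        score = obs["criticality"]
        if obs["fix_available"]:
            score *= 2
        if obs["host"] in reconciliation["unknown"]:
            score += 3
        ranked.append((obs["host"], score))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    report = reconcile(STATIC_INVENTORY, LIVE_OBSERVATIONS)
    for category, hosts in report.items():
        print(f"{category:8s}: {sorted(hosts)}")
    print("patch order:")
    for host, score in patch_priority(LIVE_OBSERVATIONS, report):
        print(f"  {host}  score={score}")
```

Running this on the constructed data shows the spreadsheet already being wrong in three ways (one unrecorded engineering workstation, one HMI whose firmware changed, one historian that is gone), and the unrecorded asset lands at the top of the patch list precisely because nobody knew it was there.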
To learn more about how to automate asset discovery, prioritize threats and defend your OT network, here are some recommended reads and views.
- [White Paper] - Critical Infrastructure Cyber Security: How to Actively Secure Your Industrial Environment In the New Era of Distrust
- [Tutorial Video] - Threats to Industrial Control Systems
- [Webinar] - Best Practices for Building ICS Rulesets