Date: 2019-10-09

Increasing Cyberthreats Targeting OT/ICS Networks

The presence of newer, IP-connected devices in OT networks makes them vulnerable to Internet-based threats and is a major contributing factor to the rising tide of cyberthreats targeting OT systems. Additionally, many companies are now using third-party vendors as a cost-effective alternative to onsite staff to patch, update, and repair their systems. Unfortunately, the remote desktop protocol (RDP) used for remote access is frequently exposed and exploited, and adversaries will often leverage it to gain access to the corporate network and compromise OT devices. The end result is that networks with proprietary systems and legacy technologies, once isolated from the Internet, now require protection from traditional cyberthreats.

Cyber adversaries are constantly working to create innovative attacks capable of shutting down critical networks. There is a new breed of attack wreaking havoc in networked infrastructure that combines methods like ransomware, wipers, bricking capabilities, botnets, data exfiltration and network reconnaissance tools, which we refer to as "disruptionware". This category of malware includes the LockerGoga ransomware, Triton/Trisis, and BlackEnergy. All three of these were about more than just preventing access to systems and data. The goal was specifically to suspend operations and/or undermine safety by freezing an industrial process that controls the critical infrastructure services that so many depend on. Disruptionware's high success rate and minimal required effort make it an attractive tool for any malicious actor, from novices to nation-state sponsored attackers.

Consider the results of corporate sabotage that leverages disruptionware. An organization seeking to win a lucrative contract could launch an offensive against a competitor by encrypting their network, freezing operations and causing disruption. Because disruptionware typically originates in an IT network, it is important to implement tools and procedures to monitor both IT and OT environments. If your organization is compromised, network monitoring tools can track the movement of a threat on your network to provide valuable data that helps reduce mean time to respond (MTTR).

The Internet of Things (IoT) Explosion

A 2018 Forrester report revealed that 100% of organizations now have IoT technologies connected to their ICS networks. This is a big deal since many of these devices are consumer-grade technologies that 1) are mostly unmanaged, 2) come from a multitude of vendors, 3) use non-standard operating systems, 4) support a diversity of often insecure protocols, and 5) may dynamically connect to other devices inside or outside the organization's network. Additionally, bad security practices like default or simple credentials, unencrypted traffic and lack of network segmentation remain common. Our research team has done extensive testing on how vulnerabilities like unencrypted protocols and misconfigurations in IoT devices can be exploited, which you can read more about here. They found that devices ranging from video surveillance systems to smart lighting could be used as an entry point to pivot into the broader organizational network. They also demonstrated how the very common MQTT protocol can be used to infiltrate a network and gather information like available assets and their location, configuration information and even sensitive information like credentials. Long story short, IoT devices provide a slew of entry points for an adversary and are relatively simple to use to enter a network. As the scale and diversity of IoT devices grow, monitoring and controlling them should become a critical focus of an organization's cybersecurity plans.

Increasing Workloads for SecOps Teams

The mounting pressure to bulk up cybersecurity has resulted in security leaders at many critical infrastructure organizations investing sizeable amounts of money into the latest and greatest cybersecurity tools. Security operations centers that were once intended to monitor primarily IT systems are now responsible for overseeing the security of their entire OT infrastructure as well. Keeping up with the large amounts of data that these network security tools can generate is a tough task for overloaded security teams. Many analysts are now responsible for thousands of devices, and alerts indicating potential areas of risk like changes in communication behavior and insecure protocol communications are a daily occurrence. Manually piecing together all of this information is incredibly time-consuming, and new vulnerabilities affecting devices are coming out with increasing frequency, adding to the problem.

Choosing the right security tools can lessen this burden. Some organizations use many disparate tools that force them to analyze data manually, when they could be using additional features within tools they already have. Using something that offers visibility and control for IT and OT networks from one interface can help reduce the burden of piecing together security and operational alerts from separate tools. A tool that regularly updates its CVE database and offers impact-based risk scoring can help further automate risk analysis.
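The alert types named above (insecure protocol communications such as clear-text MQTT from IoT devices, RDP reachable from outside the organization, and changes in communication behavior between IT and OT zones) and the impact-based risk scoring that rolls them up can be illustrated with a small flow analyzer. The following Python is an added example written for this page; it is not the vendor's product, the research team's tooling, or any real monitoring tool. The asset inventory, the communication baseline, the sample flow records and the rule weights are all constructed for the illustration, and the "impact-based" score is simply the sum of rule weights for findings against an asset multiplied by that asset's criticality.

```python
"""Toy IT/OT flow analyzer (added example, not the page's own tool).

Reads constructed flow records, flags three alert types discussed in the
text, and ranks destination assets by an impact-weighted risk score.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: IP -> (zone, criticality 1..5, 5 = safety-critical).
ASSETS = {
    "10.0.1.10": ("OT", 5),   # hypothetical PLC running a process
    "10.0.1.20": ("OT", 4),   # hypothetical HMI
    "10.0.2.30": ("IoT", 2),  # hypothetical IP camera
    "10.0.3.40": ("IT", 3),   # hypothetical engineering workstation
}

# Constructed baseline of (src, dst) pairs seen during a learning period.
BASELINE = {("10.0.3.40", "10.0.1.20")}

# Constructed flow export, one record per line: src,dst,dst_port,bytes,tls
SAMPLE_FLOWS = [
    "203.0.113.5,10.0.3.40,3389,51200,yes",  # RDP from an external address into IT
    "10.0.2.30,10.0.1.10,1883,800,no",       # camera speaking clear-text MQTT to the PLC
    "10.0.3.40,10.0.1.20,443,2048,yes",      # HTTPS on a baselined pair: benign
    "10.0.2.30,10.0.1.20,8883,900,yes",      # MQTT over TLS, but a pair not in the baseline
]

# Ports whose protocols carry no transport encryption unless TLS is layered on top.
CLEARTEXT_PORTS = {23: "telnet", 80: "http", 502: "modbus-tcp", 1883: "mqtt"}
RDP_PORT = 3389


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    nbytes: int
    tls: bool


@dataclass(frozen=True)
class Finding:
    rule: str
    weight: int  # constructed severity weight for the rule
    flow: Flow


def parse_flow(line: str) -> Flow:
    """Parse one comma-separated flow record."""
    src, dst, port, nbytes, tls = [field.strip() for field in line.split(",")]
    return Flow(src, dst, int(port), int(nbytes), tls.lower() == "yes")


def zone_of(ip: str) -> str:
    """Zone from the inventory; anything unknown is treated as external."""
    return ASSETS.get(ip, ("external", 0))[0]


def evaluate(flows, baseline=BASELINE):
    """Apply the three detection rules to every flow and collect findings."""
    findings = []
    for f in flows:
        # Rule 1: insecure protocol communication (no TLS on a clear-text port).
        if not f.tls and f.dst_port in CLEARTEXT_PORTS:
            findings.append(Finding(f"cleartext-{CLEARTEXT_PORTS[f.dst_port]}", 2, f))
        # Rule 2: RDP reached from outside the inventory, the remote-access exposure above.
        if f.dst_port == RDP_PORT and zone_of(f.src) == "external":
            findings.append(Finding("rdp-from-external", 3, f))
        # Rule 3: change in communication behavior, a cross-zone pair absent from the baseline.
        if (f.src, f.dst) not in baseline and zone_of(f.src) != zone_of(f.dst):
            findings.append(Finding("new-cross-zone-communication", 1, f))
    return findings


def risk_scores(findings):
    """Impact-based score per destination asset: sum of rule weights x asset criticality."""
    totals = defaultdict(int)
    for fd in findings:
        criticality = ASSETS.get(fd.flow.dst, ("external", 0))[1]
        totals[fd.flow.dst] += fd.weight * criticality
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def analyze(lines=SAMPLE_FLOWS):
    """Parse, evaluate and score; returns (findings, ranked scores)."""
    findings = evaluate([parse_flow(line) for line in lines])
    return findings, risk_scores(findings)


if __name__ == "__main__":
    found, scores = analyze()
    for fd in found:
        print(f"{fd.rule:<30} {fd.flow.src} -> {fd.flow.dst}:{fd.flow.dst_port}")
    for asset, score in scores.items():
        print(f"risk {score:>3}  {asset} ({ASSETS[asset][0]})")
```

On the constructed data, the PLC ranks first even though the camera's MQTT finding has a lower weight than the external RDP finding, because the criticality multiplier reflects the process impact rather than the raw alert count; that is the property the text is asking of a scoring feature. In a real deployment the inventory and baseline would come from the monitoring platform rather than literals, and the weights would be tuned to the environment.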