Categories for Blogs & Articles

Cybersecurity is Swimming Among a Sea of Black Swans

For centuries, it was believed that all swans were white. However, on January 10th, 1697, Dutch explorers travelled up a river, now called the Swan River in Western Australia, and discovered black swans, overturning 1500 years of Western understanding in a highly unexpected and rare occurrence.

The “black swan” has since become a metaphor, originally coined by author Nassim Nicholas Taleb in 2007 to describe an event that is both unexpected and significant in impact. Using this metaphor, Taleb argued that the predictability of events tends to be overestimated and the potential impact of rare and unlikely events underestimated. Taleb succinctly summarised the central idea of the Black Swan event, writing that “rare events cannot be estimated from empirical observation since they are rare”.

Although traditionally employed by financial and economic commentators, the notion of a Black Swan event is becoming an increasingly appropriate analogy for modern cybersecurity challenges. Black Swan events have a disproportionate impact on our understanding of the world and the way we make decisions. Cybersecurity has become so besieged with such events in recent years, that it has practically been swimming among a sea of Black Swans.

Cybersecurity Black Swans: A Taxonomy of Recent Events

The inundation of cybersecurity Black Swan events in recent years is not an artifact of the news cycle, which frequently reports the rare and rarely reports the frequent; on the contrary, many of these events have shaped the industry. To make this point, let us revisit some cybersecurity Black Swan events from the last ten years and highlight what made them so unexpected and significant.

• 2014 – A cyber-attack against a German industrial steel mill caused massive damage to the mill and resulted in physical damage to equipment. This incident was notable as one of the first cases of a cyber-attack causing significant physical damage in the industrial sector.
• 2015 and 2016 – In an attack on the Ukrainian power grid, hackers were able to gain access to the control systems of multiple power distribution companies and cause widespread blackouts. This incident was significant as one of the first successful cyber-attacks on a power grid.
• 2017 – The Triton/Trisis malware attack on a petrochemical facility in Saudi specifically targeted the facility’s safety systems and had the potential to cause a catastrophic release of toxic chemicals. This was one of the first instances of a cyber-attack being used to specifically target the Safety Instrumented System (SIS) of an industrial control environment.
• 2017 – The infamous WannaCry ransomware attack affected an unprecedented 200,000 computers in 150 countries, causing widespread disruption to businesses and government organisations worldwide.
• 2020 – The SolarWinds supply chain attack was a cyber-espionage campaign that involved the compromise of software updates for the SolarWinds Orion IT management software. The attack was notable for its level of sophistication and coordination in targeting and accessing a significant number of government and private sector organisations.
• 2021 – The cyber-attack on the Colonial Pipeline resulted in a shutdown of a major oil pipeline supplying fuel to the east coast of the United States. The attack was significant due to the extent of the disruption and the reaction of the populace to the fuel shortage.

Although this brief taxonomy of Black Swan cyber events is by no means exhaustive, it serves to illustrate the point that the increasing digitisation of the world has led us into an uncharted territory of risks. However, technological progress is not the only driver of cyber-risk in the modern context.

The Father of Invention

The Black Swan event that was the COVID-19 pandemic had a significant impact on cybersecurity. The increased use of remote access technologies and cloud-based services has expanded the attack surface for cyber criminals, and many organisations have had to quickly adapt their cybersecurity measures to protect against new threats.

Furthermore, a combination of three occurrences in 2022 might be considered the latest Black Swan event impacting cybersecurity: a spike in interest rates, a widespread disruption in supply chains, and a war breaking out in Ukraine. This combination has led to a severe global economic downturn and geopolitical instability, fuelling fears of catastrophic cyberattacks in the near future.

In the modern interconnected world, it appears there is little in the way of unprecedented events that does not impact cybersecurity in some way. Even the term “unprecedented” seems to have lost its utility as a descriptor of the challenges we continue to face. But as Kenneth Kaye, a researcher of conflict resolution stated, “if necessity is the mother of invention, conflict is its father”. Just as the pandemic challenges led to new opportunities for organisations to improve their security, the latest Black Swan events will surely spur innovation to combat what are now called the Gen V cyber threats.

Cyber-Threats: The Next Generation

Generation V (Gen V) is a term used to describe the next generation of cyber threats, which are characterised by their increased complexity and sophistication. The Gen V attack surface refers to the various entry points or vulnerabilities that attackers can exploit to gain access to a network or system. These entry points may include traditional attack vectors such as web applications, email, and endpoint devices, as well as newer technologies such as cloud computing, the Internet of Things (IoT), and artificial intelligence (AI).

The Gen V attack surface is constantly evolving, as attackers develop new techniques and technologies to bypass security controls. For example, attackers may use advanced persistent threats (APTs) to infiltrate a network and remain undetected for long periods of time, or they may use machine learning algorithms to evade detection. Additionally, as more and more devices and systems become connected to the internet, the Gen V attack surface continues to expand.

To protect against Gen V threats, organisations need to adopt a comprehensive security strategy that includes multiple layers of defence, such as network segmentation, intrusion detection and prevention, and endpoint security. They also need to be proactive in identifying and mitigating vulnerabilities in their systems and applications. Furthermore, security teams must be adaptable and stay up to date with the latest threats, trends and best practices in cybersecurity.

Adapting to the Unpredictable

It is anticipated that in the near future, organisations will need to adopt a more proactive and holistic approach to tackling Gen V threats. As was reflected in the Global Economic Forum’s recent Global Cybersecurity Outlook 2023 report, this will likely involve a combination of advanced technologies, best practices, and well-trained cybersecurity professionals.

Artificial Intelligence and Machine Learning are poised to play a crucial role in detecting and responding to Gen V threats. These technologies can be used to detect and respond to anomalies in network traffic and identify threats that traditional security solutions may miss. These technologies will greatly enhance behavioural analytics used to identify and respond to threats by analysing the behaviour of users, devices, and systems on a network. Cloud security solutions are also likely to play a key role as more organisations move their operations to the cloud.

Cloud security will need to focus on threats such as data breaches, account hijacking, and malicious insiders. In addition to cloud security, automation of security processes will be crucial to tackle Gen V threats. Automating certain tasks such as incident response, vulnerability management, and threat intelligence management will help security teams to respond to potential threats more quickly, freeing up resources for professionals to keep abreast of the latest threats.

Crucially, cybersecurity skills development will need to be more widespread and accessible and encourage a more diverse cohort to become involved. As threats become more sophisticated, it will be essential to have sufficient well-trained cybersecurity professionals to identify, respond to, and mitigate these threats. It is important, however, to recognise that resisting the evolving cyber-threat landscape is not entirely dependent on emerging technologies. There is much that can be done today to safeguard assets from the Gen V threats.

Do Not Leave Until Tomorrow What Can be Done Today

Contrary to popular belief, it is possible for organisations to prevent or lessen the impact of new exploits such as Log4Shell or highly advanced attacks like SolarWinds. This can be done by organisations making the most of their current security infrastructure, implementing specific hardening measures, and utilising built-in security features that can be activated easily without the need for additional expenses.

One simple yet effective method to improve cybersecurity is to prevent servers from sending out Internet traffic. Although this may seem like a basic security measure, many organisations still fail to implement it. By blocking servers from accessing the Internet, it prevents or slows down attackers who rely on the server to establish a connection to the attacker’s command and control infrastructure.

Implementing specific security improvement plans can also help make the environment more resistant to techniques used by attackers to move laterally and gain higher levels of access. This will prevent attackers from using their initial access points to reach important assets. Additionally, this approach will give defenders more time to identify and remove attacks in their early stages.

This highlights the importance of basic security controls and how they can stop sophisticated attacks like the SolarWinds supply chain attack and mitigate vulnerabilities like Log4Shell. By studying the tactics, techniques, and procedures (TTPs) used in recent breaches and exploits, organisations can gain valuable insights on how to improve and prioritise their defences to prevent future exploits. In addition, study of TTPs can help to prioritise vulnerability patching.

When a new vulnerability is discovered, the most common solution suggested is to patch the affected systems, as if it is the only course of action organisations can take to address the risk. While patching is important, it can take some time for large organisations to fully assess their exposure and apply patches in production environments. This is particularly pertinent for Industrial Control System environments. Additionally, sometimes new vulnerabilities are found shortly after patching cycles are complete. As a result, patching is not always able to completely close all vulnerabilities.

It is therefore prudent for organisations to understand how the exploit works, and what dependencies it relies on to execute in order to respond to such events. What may seem like a temporary solution to mitigate the vulnerability can sometimes be the key to protecting the organisation.

There have been so many significant societal, geopolitical, and technological Black Swan events impacting the character of cybersecurity in the last ten years that the unexpected must now be expected. The ever-increasing digitisation of the world has led us into an uncharted territory of risks. Generation V cyber threats are increasing in complexity and sophistication, and this trend is likely to continue with the pace of technological innovation. To paraphrase a childhood rhyme, “if you build a better mousetrap and put it in your house, before long your adversaries will build a better mouse.” It is therefore essential that organisations ensure they are doing all that they can today, while awaiting the next iteration of the cyber-arms race, and the next Black Swan.

As we enter 2023, the world is on edge. Governments are nervous, markets are jittery, and trigger fingers are itchy. The current global anxiety is also influencing cybersecurity risk perceptions and the threats that shape them. During the recent World Economic Forum held in Davos, Switzerland, a warning of an unpredictable time ahead for cybersecurity is prompting calls for more action to protect an increasingly digitised and interconnected world. The Global Cybersecurity Outlook 2023 report launched at the forum has placed geopolitical instability at centre-stage, highlighting fears of potentially catastrophic cyberattacks over the next two years.

The report indicates that 93% of cyber leaders and 86% of business leaders are of the opinion that global instability will likely be the root cause of a catastrophic cyber event in the near future. The report also states that the geopolitical instability will be a key influencer in the review of cyber strategies, as will the recognition that the entire cyber supply chain is only as strong as the weakest link. These assessments are also causing a shakeup of the way organisations do business.

Organisations are reviewing the levels of trust they will extend to third party providers who have access to their environments and data and are reconsidering which countries they intend to do business with. In addition, a disconnect between the views of business and security leaders is emerging, where the former foresees a safer path with in-house security solutions, while the latter gravitate towards secure partnerships. One might consider this disconnect to be a mirror of the international reactions to the rise in instability, with increasing nationalism on one side, and a desire for security through international partnerships on the other.

The abrupt change to the geopolitical zeitgeist in the past 12 months is also altering the nature and character of cyber threats. These threats are evolving, with an increased likelihood of attacks aimed at creating business disruption and reputational damage. Strategies, therefore, appear to be shifting on both sides of the digital conflict.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), industrial control system patch management is inconsistent at best and non-existent at worst. The 2022 SANS ICS/OT Cybersecurity survey found that security patching in ICS environments occurs on an average of every 1.25 months. More interesting is that around two-thirds ICS operators rely on third-party providers or device manufacturers to perform patching.

Risky Version of Swings and Roundabouts

Digital transformation projects in recent years were largely triggered by a risk of an entirely different type. There are very few organisations that were unaffected by the pandemic pressures which changed the way society lives and works. Security practitioners had to reimagine much of the security paradigm as organisations migrated north to the cloud. Now further dramatic events are shaking up the digital world, with external circumstances that were unimaginable only a short time ago once again dictating these changes. Digital transformation, which has barely had time to rest and enjoy the fruits of the labour, is being re-examined in response to the way the threat environment and technology is changing.

The Global Cybersecurity Outlook 2023 report suggests that the major factors influencing cyber strategies going forward will include embracing Artificial Intelligence (AI), increased adoption of cloud technologies, and changes to identity and access management. A key lesson learned by those who rushed into pandemic-induced digital transformation projects was this: haste leads to oversights that create avoidable vulnerabilities and breaches. Although new technologies may be intended to reduce risk exposure, additional complexity in any environment brings another set of potential risks.

In the past, less well-resourced entities have often opted to take the wait-and-see approach, where the new technologies and models embraced by their more well-resourced siblings are observed and assessed with keen interest. However, if the current fears are well-founded, such a strategy may prove ineffectual for individual businesses and the cyber-ecosystem as a whole. The adoption of new technologies in this latest iteration of ‘unprecedented times’ will hopefully balance urgency with exactness, lest what is gained on the swings be lost on the roundabouts.

Cloudy With A Chance of No Trust

When anxiety abounds, control is craved. In cybersecurity’s current state of unease, Zero Trust Network Access (ZTNA) looks increasingly enticing. In part 3 of Sapien’s December 2022 roundup of ICS security, we discussed the concept of Zero Trust Network Access (ZTNA) and its implications for identity and access management. ZTNA utilises granular permissions that are based on user ID, device ID and type, device health state, and geographic location. Unlike traditional authentication methods, ZTNA is not one-time authentication to provide access, but rather continuously applied authentication based on a range of variables, with permissions being continually verified. However, ZTNA is no panacea, particularly when it comes to critical infrastructure.

As we discussed in our December blog series, there are constraints that may make the deployment of ZTNA across Industrial Control System (ICS) networks untenable. Much like many other IT principles and practices, ZTNA methods that work in enterprise security simply do not translate well to industrial security. For example, the very nature of many ICS devices, some of which do not even have basic authentication or logging capabilities, make securely verifying their identity impossible. However, despite being in its infancy for ICS networks, it seems likely that ZTNA will eventually become more widespread as confidence in its deployment in the Operational Technology space grows. On the whole, it is likely that ZTNA is here to stay and will continue to be embraced more broadly, much like cloud computing.

The shift by many organisations to cloud models has been ongoing for several years now, and while this strategy can lessen organisational cybersecurity risk, it can also create new risks if implemented improperly. These risks include poor cloud strategy, poorly defined roles and responsibilities, lack of technical skillsets to manage cloud security, and the challenges of change management. There are also technical factors to consider, especially in regard to poorly envisioned architecture and integration of on-premises and cloud technologies, as well as ensuring cloud solutions meet agility, availability, and security requirements. Many organisations that ran into these issues are now pulling back some of their assets to on-premises solutions, causing the cumulus pendulum to settle into more practical hybrid models.

It’s Okay Dave. I Can Do That: Artificial Intelligence Promises Proactive Solutions

The increasing pace with which the cyber threat environment is changing requires technologies that can keep up and adapt faster than traditional reactive measures. Artificial Intelligence (AI) may offer significant benefits in this regard, including a greater ability to keep pace with new malware threats using superior predictive intelligence in comparison to traditional methods. As with any new technology, terminology can become muddied. In the field of AI, the concept of Machine Learning (ML) is often used interchangeably with AI. However, AI consists of systems that can perform human-like tasks with enhanced efficiency based on any data type, including unstructured data. ML, however, teaches machines to provide accurate results based on structured or semi structured data. A good example of this is ChatGPT, the second AI to pass the Turing test by fooling humans into believing the AI is another human. Your Netflix recommendations are based on ML.

The dramatic increase in natural language processing of AI technologies will give the automation of data scaping for the latest threat intelligence a significant boost. AI will also provide advantages in tackling the growing threat of malicious bots by predicting the intent of traffic and adapting security accordingly. AI may also provide significant advances in establishing and maintaining accurate asset inventory and predictive threat exposure. Finally, AI may be a promising solution to the problem of the growth of remote endpoints, reducing reliance on signature-based threat detection.

Without Diversity, Creativity Remains Stagnant

Underpinning the predicted difficulties in managing the growing number of cyber threats is a shortage of the required cyber skillsets. The Global Cybersecurity Outlook 2023 report suggests that around a third of organisations are identifying skills gaps in their cyber security teams. Significantly, this problem is more pronounced in the protection of critical infrastructure sectors, such as the energy sector, where almost a quarter of the surveyed practitioners cited critical shortcomings in the requited skills.

The report suggests that in order to boost the number of skilled cyber professionals, an increase in inclusion and diversity is required. The causes of lack of diversity among cyber professionals may be a result of a failure in the education system, of organisations not making diversity a priority, or industry stereotypes common in many STEM fields. Efforts to improve inclusion and diversity in cyber professions are being undertaken, but the severity of the ongoing skills shortage and the urgency of filling those gaps make the undertaking particularly difficult.

Apart from filling the necessary skills gap, building a diverse and inclusive cyber workforce will also yield a more resilient, creative, and efficient security function. Diverse teams make better decisions, produce less errors, and have less staff turnover. Diverse companies have also been shown to be more profitable. Diedre Diamond, a 25-year tech industry veteran and CEO of Cyber SN and Secure Diversity asserts that “breaches [come from] all cultures, all genders, all ages, all over the world… so, in cybersecurity more than anywhere, we have to have diversity. If we don’t bridge these gaps… then we will lose the digital war.”

Insecurity Breeds Support for Order

The evolving threat environment appears to also be changing many minds in regard to cyber regulation. According to the report, perspectives in 2022 were largely hostile to cyber security regulation, with more than half of respondents viewing cyber and privacy regulations as ineffective in reducing cyber risks. In Australia, the introduction of critical infrastructure security legislation was met with much consternation. However, the results of this year’s survey showed a dramatic about-turn, with 73% of respondents viewing cyber regulation and the associated enforcement as effective. While regulation did not become a far more effective risk mitigator in that last 12 months, appreciation for its utility has increased. The connection between support for government intervention and perceived threat has been studied extensively, and it may well be that the lack of perceived control generated by geopolitical turmoil is the driver that is increasing support for government regulation in cybersecurity.

He Said, “Do You Speak-a-My Language?”

The 2023 report also suggests that cybersecurity risk awareness is increasing at the executive level. Increased executive involvement in cybersecurity mean the previous disconnects between cybersecurity professionals and the business executive are lessening. In an effort to further improve risk communication, the report urges cybersecurity professionals to reduce the amount of technical jargon in their communications and for directors to make clear the business priorities in terms of assets and processes.

The report advises that “building a security-focused culture requires a common language based on metrics that translate cybersecurity information into measurements that matter to board members and the wider business.” As with most communication issues, overcoming them is frequently easier said than done. However, emphasis on a common language should help the ever-present difficulty of communicating the return on cybersecurity investment to be more clearly understood by all parties.

Summary

The geopolitical instability that began in early 2022 is at centre-stage, fuelling fears of catastrophic cyberattacks in the near future. The current unstable geopolitical environment has become the key influencer of current cyber strategies and is also altering the nature and character of cyber threats. External circumstances that were unimaginable only a short time ago are dictating these changes. The major factors influencing cyber strategies going forward will include embracing Artificial Intelligence (AI), increased adoption of cloud technologies, and changes to identity and access management. The adoption of new technologies in this latest iteration of ‘unprecedented times’ will need to be considered carefully. The future of cybersecurity will require focussed efforts to generate a more diverse and inclusive cyber workforce that enhances the resilience, creativity, and efficiency needed for success. Finally, the eternal struggle to communicate risk effectively is showing signs of improvement. The increasing involvement of executives in cybersecurity is making it a more accessible and appreciated part of core business practices.

This is the third and final article in Sapien Cyber’s roundup of the current state of Industrial Control System (ICS) security in 2022 and what we might expect for the future. In this article, we will cover the growing use of ransomware-as-a-service against industrial and critical infrastructure targets, the trends in ICS patch management, and what can be expected of Zero Trust Security Architecture for industrial security.

You Might Need to See Someone About That RaaS

According to the Australian Cyber Security Centre’s (ACSC) Annual Threat Report, there were 95 cyber security incidents affecting Australia’s critical infrastructure in the 2021- 2022 financial year. This equates to roughly 8% of the incidents that the ACSC responded to. Since the infamous Colonial Pipeline ransomware attack in the United States in May 2021, there has been increased use of ransomware-as-a-service (RaaS) to attack critical infrastructure sectors, with several Australian organisations falling victim. According to IBM’s Cost of a Data Breach 2022 report, 12% of critical infrastructure breaches globally were ransomware attacks.

According to TrendMicro, the use of RaaS grew by 63.2% in the first quarter 2022 compared with the first quarter of 2021, a trend that has held steady for the remainder of 2022. The cost of ransomware and other attacks on critical infrastructure industries was also considerably higher than the average data breach globally in 2022, with a difference of almost 23%. The ACSC Annual Threat Report points to the RaaS known as Blackcat (also referred to as ALPHV or Noberus) as a particularly prevalent threat, noting use of the service to target critical infrastructure, finance, construction, and even local government. As a trend, this seems likely to continue for all sectors. It may be inferred that critical infrastructure, and by extension, ICS networks are being specifically targeted. However, the increase of ransomware in these sectors may also be a consequence of the ever more user-friendly nature of RaaS. In practice, however, the difference may be splitting hairs.

We Can Patch That For You

In security 101, you may recall that reducing the attack surfaces of networks limits the opportunities that attackers can leverage. Patch management refers to the applying of software updates, especially those that remove exploitable security vulnerabilities. Unfortunately, due to the risks to mission-critical assets, ICS vulnerability patching is often performed in reaction to an incident, rather than as a proactive measure for the prevention of attacks.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), industrial control system patch management is inconsistent at best and non-existent at worst. The 2022 SANS ICS/OT Cybersecurity survey found that security patching in ICS environments occurs on an average of every 1.25 months. More interesting is that around two-thirds ICS operators rely on third-party providers or device manufacturers to perform patching.

In IT environments, the risks associated with patching are more tolerable than in ICS networks. For example, an email server going offline for a few hours may be inconvenient but would not usually be considered a critical issue. However, ICS environments house mission critical infrastructure where downtime can severely impact productivity and costs can quickly run into millions of dollars. As we have seen, ICS owners and operators are increasingly managing the risks associated with ICS patching by employing experienced third-party providers, and this outsourcing appears to be bearing fruit. According to the 2022 SANS ICS/OT Cybersecurity survey, organisations that employed a third party to handle patching had a significantly lower incidence of security events that resulted in complete shutdown compared with organisations who opted to manage updates internally as a manual process. More efficient and effective patch management is not the only thing that is changing in ICS security, however. The inevitable shift to remote work has led to both increased productivity, but also a scramble for new approaches to security. Can ICS security be dragged, kicking and screaming, to embrace ZTNA?

ZTNA: Buzzword or Paradigm Shift?

One of the more alarming results of the 2022 SANS ICS/OT Cybersecurity survey was the finding that only 18% of companies restrict network access and enforce Multi-Factor Authentication for remote access into OT networks. Additionally, over half (57%) of respondents reported that external users who have full network access are able to apply configuration changes and updates, enough to keep even the most stoic supervisor up at night.

The uptake of more secure models for remote work, such as Zero Trust Network Access (ZTNA), is slow in the OT space, and this tardiness is costing critical infrastructure organisations. IBM reports that in 2022, critical infrastructure organisations that had not yet adopted ZTNA suffered almost 25% more breaches and incurred almost 25% more in data breach costs than organisations who had. However, the report does not make clear if these breaches were of enterprise or industrial systems.

Critical infrastructure industries also have a much lower prevalence of zero trust security approaches than the global average, and the majority allow external users full network access to OT environments, a situation which is inarguably problematic. The reality is, however, that Zero Trust Network Access (ZTNA) is fast becoming the preferred method to provide secure remote access, with 41% of organisations in 2022 reporting having deployed ZTNA, up from the 39% reported in 2021.

ZTNA utilises granular permissions that are based on user ID, device ID and type, device health state, and geographic location. Unlike traditional authentication methods, ZTNA is not one-time authentication to provide access, but rather continuously applied authentication based on a range of variables, with permissions being continually verified. Let us be cautious here, however. It is always prudent in cybersecurity to examine the latest trends and buzzwords with a modicum of suspicion.

Trust The People, Not the Packets

Like many other security paradigm shifts that have come with grand promises, ZTNA should be examined closely to understand what it really is and what it is not. This is particularly relevant to ICS practitioners who, on the whole, tend to be somewhat more risk averse and sceptical than their IT counterparts in regard to industry marketing. Heath Mullins, senior analyst at Forrester, exemplifies this healthy approach when he said that ZTNA is “the most abused and the most misunderstood term in security today.”

At its core, ZTNA preaches that “trust”, or more specifically, implicit trust as a feature of traditional network architecture, is problematic in the modern threat environment. In the ZTNA zeitgeist, the inherent risk is a user who can provide something they know, have, and (sometimes) are, and via those virtues, gain access to the castle. However, it is not really the users that are mistrusted; rather it is the impersonation of the user that is the fundamental risk. In this way, zero trust may be better thought of as a mistrust of the packets, rather than the people.

With a better understanding of what zero trust is, let us turn our attention to what zero trust is not. ZTNA is not a technology. There is no single piece of kit that can buy you zero trust. And it is certainly not a reflection of management’s regard of its employees. In exploring the appropriateness of ZTNA for any type of network, one must be cautious of vendors who make take liberties with the terminology. It is also prudent to recognise that a new and effective paradigm that has promise in an evolving threat landscape is not a new cloak which may be cast over everything that was previously effective.

John Kindervag, the creator of the Zero Trust Model of Cybersecurity, has eloquently put it in these words: “Digital trust and human trust are two separate things. Zero trust only applies to digital systems. People are not necessarily untrustworthy, but at the same time they are not packets. Zero trust only applies to the zeros and ones that traverse our various digital systems.”

ICS Has Trust Issues

Despite the advantages of ZTNA to modern OT network access, the uptake and deployment of the architecture in ICS has been very slow thus far. IBM’s Cost of a Data Breach 2022 report notes that 79% of critical infrastructure industries have not adopted Zero Trust security models, while SANS reports that only 1% of the OT space are currently using ZTNA for either internal or external users. There may be several reasons for this.

There are constraints that may make the deployment of ZTNA across an entire ICS network untenable. Much like many other IT principles and practices, ZTNA approaches that work in enterprise security simply do not translate to industrial security. For example, the very nature of many ICS devices, some of which do not even have basic authentication capabilities, make securely verifying their identity impossible, while other ICS devices lack logging capabilities.

In addition to these issues, there are the usual suspects that prevent the timely deployment of security upgrades to ICS environments; downtime is expensive and legacy systems have decades-long lifetimes meaning any upgrades need to be well considered and justified based on risk. These complexities are likely to mean that the adoption of ZTNA in industrial security will be slow and largely driven by regulation rather than risk. However, despite being in its infancy for ICS networks, it seems likely that ZTNA will eventually become more widespread as confidence in its deployment in the OT space grows.

As the risk landscape continues to evolve over the next few years, we can, with some degree of confidence, understand what is motivating our adversaries and what methods are working for them. Armed with this knowledge, we can make tried and true practices that reduce attack surfaces more streamlined and effective. We can also examine the security practices of the IT community, learn what is effective, and understand how it can be leveraged to better secure ICS environments.

Sapien Cyber is an Australian sovereign company that is invested in keeping the Australian cybersecurity community in the loop. In this second in a series of three articles providing a roundup of some of the key insights on the current state if Industrial Control System (ICS) security in 2022 and beyond, we will further discuss current trends in the threats to ICS and critical infrastructure. We will also look at how organisations are investing their resources in industrial security uplift to combat the growing tide of ICS attacks.

Excuse Me, Is This Your Thumb Drive?

For those familiar with Operational Technology (OT) security and the concept of air gapped systems, you may recall the Stuxnet incident of 2010, often regarded as the first modern example of a major attack against ICS. In the incident, the Stuxnet malware was introduced via removable media (specifically USB memory sticks) to infiltrate an air gapped target that was not otherwise connected to the outside world. With the increasing tendency for modern ICS systems to have several points of connectivity for remote access, you may think that the use of removable media as an attack vector is an antiquated footnote in cybersecurity history. But you would be wrong.

Some readers may be surprised to find that 36.7% of respondents to the recent SANS ICS/OT Cybersecurity survey for 2022 pointed to threats through removable media as the second most significant threat vector of concern. The bigger surprise, however, comes from a another 2022 survey of ICS operators who reported removable media as the second most common vector in actual attacks in the last year.

According to Honeywell, in 2022 up to 52% of threats to ICS environments have been specifically designed to exploit removable media, a doubling the 19% reported in 2020. Honeywell’s Industrial Cybersecurity USB Threat Report 2022, based on malware detected and blocked by Honeywell technology, found that Trojan malware was the dominant threat, comprising 76% of the removable media malware detected. Remote access and control malware comprised 51% of threats, indicating that threat actors are increasingly targeting USB removable media as an initial attack vector.

This represents an evolution of the use of removable media to attack ICS environments. The goal is no longer to infect air gapped systems, but to more easily circumvent network security to gain direct access deep within the ICS environment. This modern twist on the threat vector has the potential to allow attackers to establish remote connectivity and download malicious payloads, exfiltrate data, or establish command and control. The dramatic increase in the use of USB-based trojan malware in the last two years suggests that removable media may be a significant issue into 2023 and beyond. The use of this attack vector to target ICS via circumvention of well-established network defences should be high on the radar of ICS security practitioners in the future. With adversaries becoming increasingly more inventive in their attempts to infiltrate and exploit ICS environments, investment in ICS security is projected to rise significantly, from USD 16.7 billion in 2022 to USD 23.7 billion by 2027. The question is, how are organisations performing so far in their security uplift goals?

We’re Going to Need a Bigger Boat

With attacks against critical infrastructure increasing at phenomenal rates in the past year, it is unsurprising that 96% of respondents of one recent ICS survey expressed a need to invest more in their OT security. While 72% reported that their organisations are in the process of completing security uplift projects, less than a third reported them as being completed.

Larger organisations with more than 5,000 employees (and presumably greater resources) were more likely to have already completed their industrial security uplift projects, whereas the majority of smaller companies reported that they were continuing to work toward their security uplift goals. When these findings are paired with the results of the SANS survey, the barriers to ICS security uplift become clear.

The SANS respondents revealed that their biggest ICS security challenges are rooted in the fact that many organisations have great difficulty integrating legacy and aging OT technology with modern IT systems. The general focus of most security technologies for IT environments makes them ill-suited or even disruptive to the OT environment. There also continues to be a general lack of understanding among many IT staff of OT operational requirements, as well as a general lack of available labour resources to implement security plans, if they exist at all.

Significant Barriers in a Time of Great Need

In their survey, SANS found that one of the key barriers organisations faced in implementing an appropriate industrial security solution was the lack of solution scalability to meet the challenges of a distributed environment. Additionally, the level of security coverage provided by the solution and the associated requirement to employ more than one vendor was also reported as a significant obstacle. Legacy infrastructure, cost, lack of expertise, and long project timelines also proved to be significant barriers to implementing appropriate security measures.

There is no easy answer to these barriers and no fix-all solution that will swiftly provide the levels of security coverage required in the modern threat environment. However evolving security plans that maintain focus on current threat vectors and effectively communicating the risk to the executive suite are key. In addition, outsourcing tasks to external security specialists where skills, tools, and resources are lacking in-house is a strategy that will pay dividends; 76% of organisations who have completed all or some of their industrial security uplift have consulted with external security specialists for assistance in deploying solutions. The proof in the pudding is that these organisations were also less likely to have experienced an impactful security incident in the last year.

One Size Does Not Need to Fit All

The body of knowledge concerning IT security is mature and well established, but this body of knowledge cannot be effectively transplanted into ICS security, either in strategies or technologies. While many ICS practitioners understand this, many IT professionals do not, often creating a rift and sense of distrust between enterprise IT security and OT security. Misapplying IT strategies and solutions into the OT environment can have impacts ranging from the problematic to the devastating. However, effectively communicating this understanding to IT security practitioners continues to be a barrier to success for many organisations.

Change in this area will require businesses to invest in appropriate training and education of key staff on OT security. Businesses also need to realise that although there are key differences between the environments, a converged technical view of threat indicators from both the IT and OT environments is possible. Creating a complete network view of threat indicators allows for the tracking and mitigation of threats in an overarching and holistic way. Although there is a large number of organisations that are increasingly recognising the need and indicating their intention to invest more in their OT security, it is the investment of money and manpower in the right areas that will be key to an organisation’s success in OT security uplift.

Many businesses fail to realise that security uplift is an ongoing process. It is a process that needs to continually change in response to a changing threat environment and the modern threat environment for both IT and OT is changing more rapidly than ever before. Organisations need to stop treating security uplift as a project that, once done, will solve all security issues for the foreseeable future. Any industrial security uplift that can be achieved should be targeted at the greatest risk and vulnerabilities a company faces.

Organisations intending to invest in their ICS security beyond 2022 would do well to remember that small, targeted incremental changes can have a big impact. The evolving nature of the threat environment demands a flexible and agile security response. Measured progress that keeps pace with the continually changing tactics and techniques of an ever-evolving adversary is progress that will adapt and thrive in a world of increasing risks.

As an Australian sovereign company, Sapien Cyber is interested in providing timely and valuable information to the cybersecurity community in Australia. We are providing a series of three articles to provide a roundup of some of the key insights on the current state if Industrial Control System (ICS) security in 2022 and beyond. In this article, we will discuss the current threat landscape and what we might expect in 2023.

Primary ICS Security Concerns are Shared Globally

Many Australian organisations utilising ICS as part of their core business functions share remarkably similar concerns in regard to securing those ICS networks, regardless of their sector. A recent survey of 800 global participants from a range of industry verticals utilising Operational Technologies (OT) has highlighted that the security challenges Australian industries are facing are globally ubiquitous.

The threat landscape for ICS and OT operators has continued to grow in sophistication and frequency over the last year. This observation is a key finding of the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report released on November 4, 2022. The report shows that during 2021–22, the targeting of critical infrastructure networks globally occurred at phenomenal rates compared to that which has been observed historically.

Given the increasing connectivity of ICS environments to IT networks in modern organisations, it is unsurprising to find that 90% of Australian organisations utilising OT in their operations have experienced some form of security incident in the last 12 months. Many of these incidents have had significant impacts on these businesses. 46% indicate that a large number of devices over several locations were impacted by the attack they experienced, while 8% reported that their experience resulted in a complete shutdown of all devices and locations. On average, it took Australian organisations 1.87 days to recover from these attacks.

A Land War in Europe Results in Global Cyber Operations

The ACSC report notes that several Russia-aligned cybercrime groups, including those that have successfully targeted Australian critical infrastructure, have publicly threatened to conduct operations against Ukraine’s allies. Several recent high-profile attacks against Australian businesses by Russian-affiliated groups attest to the reality of this threat. In September 2022, cybercriminals suspected to be working on behalf of a state-sponsored operation attacked telecommunications provider Optus, impacting 9.8 million customers. In October 2022, insurance giant also Medibank Private suffered a major breach resulting in the loss of customer information, including medical procedures, of up to 1 million customers. The Australian Federal Police have confirmed that they believe a Russian hacking group was responsible.

These two breaches alone have affected almost half of the Australian population. Although recent high-profile attacks have impacted an incredible number of everyday Australians, the ACSC has also reported that cyber-attacks against Australia’s critical infrastructure are also occurring at “phenomenal rates”. Russian military and cyber offensive tactics frequently target civilian populations, a frightening reality that critical infrastructure operators around the world need to keep in mind as the war in Ukraine continues into 2023.

A Blurring of Threat Sources

Although the uptick in the targeting of ICS and critical infrastructure cannot be entirely attributed to recent geostrategic instability, the results of the 2022 SANS ICS/OT report reveal that attack attribution and threat vectors are evolving from traditional silos. When participants of the SANS survey were asked what the top three threat vectors that were causing the greatest concern, 40% cited ransomware, extortion, or other financially motivated crimes as number one, 38.8% cited nation state activity, 32.1% cited non-state and non-ransomware actors, and 30.4% cited risk from partnerships, including hardware and software supply chains or joint ventures. These findings indicate that the thinking of security practitioners needs to abandon the siloing of threat source types that have previously been helpful; threat actors do not maintain such neat categories in the present day.

The distinction between financially motivated groups, nation state activity, non-state/non-ransomware actors, and supply chain risk was once a lot clearer than it is today. The current escalating threat environment makes it increasingly difficult, if not impossible, to separate nation state actors from criminal cybercrime groups commissioned by hostile nation states for purposes of plausible deniability. This outsourcing of tasks to cybercrime groups with extensive experience allows nation states to leverage a “very particular set of skills” without investing significant resources while reducing their risk exposure. This trend is also allowing cybercrime groups to act with relative impunity and provides them with a level of protection in their own countries to carry out their own profitable cybercrime operations. For example, nations such as Iran and China have been known to employ “contract hackers” such as Helix Kitten (APT34) and Double Dragon (APT41) to carry out offensive cyber-operations in addition to their cybercriminal day jobs.

It’s Not All Cloak-and-Dagger

The ACSC report quite correctly cautions against complacency in regard to other, less cloak-and-dagger types of attack vectors. When ICS and OT systems associated with critical infrastructure assets are targeted, even the most trivial exploits have the potential to result in a major impact. The ACSC warns that this type of scenario is particularly dangerous if threat actors move laterally from “internet-facing devices on corporate networks to the operational networks of critical infrastructure providers”. This is a threat vector of increasing concern for modern ICS for defenders and likely often viewed as low-hanging fruit by the motivated attacker. ICS security practitioners often lack control and oversight of corporate IT security measures, while conversely, IT teams often do not grasp the full potential impacts to ICS IT breaches. As a result, ICS security professionals are echoing the ACSC’s concerns of IT as a serious threat vector into OT systems.

The SANS survey participants ranked “compromise in IT allowing threats into the ICS/OT control networks” as the most significant threat vector with 40.8% of the response. Another ICS survey asked OT operators who had experienced some form of breach in the last year what were the most common attack vectors exploited. The largest category (42%) was cited as “web application attacks”, mirroring the SANS severity ranking. It appears that security practitioners understand the risk associated with this vector, but that attackers are finding it one of the simplest and most successful vectors into OT systems. This finding suggests that more work needs to be done in this area to ensure that IT and OT teams have a shared conception and view of integrated security that spans the entire organisation.

Different Roles But Shared Goals

Enterprise IT security and industrial OT security are very different. They have different missions, priorities, and methodologies. They have different systems, different protocols, and a myriad of technologies that are not comparable or compatible. This means that approaches to securing IT or OT networks and responding to security incidents are necessarily managed differently. Although the convergence of IT and OT is now the norm, there is a tendency to focus on the benefits of merging business processes, insights and controls while IT and OT security remains siloed. The new threat landscape requires these two areas of security to pool their expertise, resources, and data and defend their common interests as part of an overall security strategy. In 2023 and beyond, organisations where OT and IT security is siloed and working independently will find themselves at greater risk of serious repercussions from both well-resourced nation states and motivated cybercriminals alike.

Imagine, if you will, a world where an immense number of Industrial Control Systems (ICS) are connected to the internet. Imagine that these systems are accessible to anyone, anywhere, anytime. A world where the schematics of the Programmable Logic Controllers (PLCs) that are crucial to the functioning of a nation’s most critical infrastructure can be downloaded and studied by any interested party. A place where the tools needed to connect to a PLC and cause havoc are not found in some immoral recess of the Dark Web; they are freely available on the World Wide Web. This is the current reality of our interconnected world.

PLCs, the ruggedised industrial computers used to control assembly lines, valves, doors, robotic devices, or any other automated function, can be found with remarkable ease on the internet. Many readers may be familiar with Shodan, a search engine that locates internet connected devices. Shodan retrieves service banners which can reveal a great deal of information about a device and the services running on its open ports. Although Shodan may be famous for its ability to locate internet connected Industrial Control Systems, it is not the only method, and perhaps not even the preferred method for the nefarious actor. A simple Google search can also be used to locate internet connected ICS maintenance and control portals.

What Has Google Got On You?

Google crawls the internet to find and index all of the information found on nearly every web site and page. Google also has a proprietary language that can be used to extract that information beyond searching via keywords. Malicious actors can use this proprietary language to uncover a great deal of information about connected ICS. With a little foreknowledge of the devices used by a target and their manufacturers, a malicious actor can develop ‘Google Dorks’ to search for specific vendor device portals.

For example, let us assume an attacker is interested in the Siemens S7 series of PLC controllers. By using an ‘inurl’ Google dork to search for any page that includes ‘Portal.mwsl’ within the address (which Siemens S7 PLCs use as an online portal), the attacker can browse through a range of connected and vulnerable devices without having to provide an email address or pay a subscription to Shodan.

Using an appropriate Google dork search, an attacker can locate admin portals for Siemens S7 PLC controllers and determine their physical location from the provided IP address. To be clear, no login to the PLC needs to occur; yet the amount of information that can be gleaned about the device is alarming. The specific device type, the serial number, and firmware version are all freely available. The attacker can also discover the device’s MAC address, IP address, netmask, default router, and physical properties. All this information can be found on Google without any need to log into the device.

Obscurity Is No Security

Although such portal pages cannot be found by the average user with regular Google keyword searches, the reality is that far too many ICS still rely on a principle of ‘Security by Obscurity’. Security by obscurity is a term that refers to the reliance on security design or implementation secrecy as the main method of providing security to a system or component. This method of security has never been a good idea, and in an age where information is freely available to the inquisitive and malicious alike, it behoves us to recall the words of 19th century locksmith Alfred Charles Hobbs, who reminds us that “rogues are very keen in their profession”.

When one understands just how easy it is to gather information about these incredibly sensitive devices that essentially run the modern world, it is unsurprising to learn that 90% of Australian organisations who employ Operational Technologies (OT) and Industrial Internet of Things (IIoT) technologies have experienced some form of security incident impacting their industrial environments in the last 12 months. As Sapien Cyber recently reported, there has been a dramatic increase of more than three times the number of attacks targeting Australian organisations over the past year, double the global trend for the same period.

Of the organisations that reported experiencing an ICS security incident, 87% said that their industrial networks were impacted for between one and five days. Of these, 46% experienced an impact to a large number of devices over several locations, while 8% reported that their experience resulted in a complete shutdown.

More Need to Do More

Unsurprisingly, 96% of respondents expressed a need to invest more in their OT security. While 72% reported that they are in the process of completing security uplift projects, less than a third reported having completed such projects. Larger organisations with more than 5,000 employees (and presumably greater resources) were more likely to have already completed such projects, whereas the majority of smaller companies reported that they were continuing to work toward their security uplift goals. Mos tellingly, it was the organisations which consulted with external security specialists for assistance in deploying security strategies were less likely to have experienced an impactful security incident in the last 12 months.

Security by obscurity is still too often par for the course when it comes to ICS. Organisations need to realise just how vulnerable they are. Attackers don’t simply walk through the unlocked front door (or even backdoor). They watch. They study. They learn all they can about your network, your devices, how they work, how they are connected, and ultimately, how they can be exploited. When thinking about how much information your organisation might be giving away to attackers, remember that “rogues are very keen in their profession”.

In an attempt to raise awareness, Sapien Cyber has been continually reporting on the increasing frequency and sophistication of cyberattacks against Australia over the past couple of years. Unfortunately, new data suggests that despite industry investment and government legislation aimed at uplifting cyber security, particularly in the critical infrastructure sectors, attacks are continuing to increase at an unprecedented rate, outstripping the global trend.

Recent estimates suggest that there is one cyberattack conducted every eight minutes in Australia. Critical attacks have more thantripled, increasing by a staggering 227% between August 2021 and May 2022, almost double the global trend for the same period. This unprecedented rise cannot be attributed to an increase in Australia’s traffic alone, which only rose by 38%.

Rise in Cyberattacks in Australia 2021 – 2022. Source: Imperva, Inc.

The increased efforts and focus by threat actors on Australian businesses and government appears to be paying off. Grocery giant Woolworths, a business now considered as critical infrastructure under new legislation, had a breach in mid-October 2022 which leaked the details of over 2.2 million MyDeal customers. This attack has come hot on the heels of the data breach of major telco Optus, in which 10 million customers were impacted. Not even the Australian Federal Police (AFP) have been immune from attack. In August this year, more than five million emails, tens of thousands of documents, and the details of 35 AFP operations were hacked, exposing operatives of our international crimefighting partners.

All of this has occurred despite the government’s best efforts to keep legislative pace with the evolving threat landscape. Sapien Cyber has reported extensively on the government’s legislative amendments designed to protect our most critical infrastructure, and new amendments continue to be enacted. The most recent of these amendments came in April this year, with the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act).

Australian Businesses Struggling to Keep Up

Evidence suggests that the multitude of industries captured under the new definitions as critical infrastructure sectors may be struggling to establish and maintain appropriate defences. One key outcome of the pandemic has been that many businesses were forced to hasten their transformation projects to enable them to cope with the necessary shift to more remote operations. This has created avoidable vulnerabilities that are now ripe for exploitation. When combined with increased obligations, such as new reporting requirements for some entities to notify the Australian Cyber Security Centre (ASCS) within 12 hours of becoming aware of an incident, organisations are struggling to keep up.

Some commentators have suggested that the ever more rigorous obligations could create cyber risks in and of themselves, not only threatening system effectiveness and integrity, but also the viability of small businesses to achieve the required security uplift, or pay the resulting fines if they fail.

Increased Fears of Risk to Operational Technologies

In addition to the threats to IT infrastructure, there are also increasing fears among CEOs and C-suite executives about the risks to operational technologies. A recent survey of business executives revealed a prediction that over a third of cyberattacks in 2023 will threaten operational technology systems, citing 33% of threat vectors originating from the industrial internet of things (IIoT).

The preponderance of attacks seen in the last year have been described as common, off-the-shelf and automated type attacks. These have included a 108% increase in malicious bot activity, a 60% increase in Remote code execution (RCE) attacks, path traversal and local file inclusion (LFI) attacks (18%), and cross-site scripting (XSS) attacks (16%). This suggests that threat actors are attempting to exploit the multitude of vulnerabilities stemming from pandemic-induced transformation projects.

Cyberattacks Now Costing Australian Businesses Trillions

The financial impact of successful cyberattacks in Australia now runs into the trillions. Expenditure on cyber defences is on the rise too, however, with an estimated 60% of Australian organisations planning to increase cyber budgets in 2023, although only 37% have reported investing in preventative and defensive technologies. The direct financial impact of a successful attack is not the only issue that organisations have to be concerned about. Reputational damage can produce a domino effect, costing businesses even more. A case in point is the desperate attempts by Optus to secure its reputation and retain customers after the recent historic exposure of 10 million records.

Ransomware attacks and data-held-for-ransom breaches are by no means the sole concern of retail and financial institutions. A keen lesson may be learned from the Colonial Pipeline attacks in the USA in 2021, where lax security measures led to a complete shutdown of the pipeline, the first in the company’s 57 year history. In that incident, attackers held almost 100 gigabytes of data to ransom, prompting the company to shut down and scour their networks and physical infrastructure for signs of more deadly potential consequences of the breach. After an extensive inspection of the pipeline, covering 29,000 miles (46,670 km) on the ground and in the air, searching for visible damage, the company paid a US$4.4 million ransom to Russian-linked cybercrime group ‘DarkSide’.

Cyberattacks are Preventable

Sadly, the attack on the Colonial Pipeline was entirely preventable. Investigators found that the breach originated from a single compromised VPN password which lacked the basic security requirement of two-factor authentication. Evidence also suggest that the password may have been reused by an employee for other purposes, leading to its discovery by the attackers. The attack could have been much worse had the attackers either had the ability or motivation to breach the more critical operational technology systems, leading to potentially deadly consequences.

Many organisations are now realising that effective security need not be complex or particularly expensive in comparison to the potential financial, reputational, and life-threatening consequences.

Nikki Saunders, Cybersecurity EcoSystem Program Manager from Schneider Electric recently made a very astute observation, stating that implementing effective cybersecurity requires asset and system visibility and working with an experienced partner “that understands your unique challenges and ensures open lines of communication”.

Here at Sapien Cyber, we pride ourselves on being just such a partner to our customers. As an Australian sovereign company, our suite of products and cadre of highly experienced and trained professionals provide the visibility and clear communication articulated by Saunders that is so sorely needed in the current threat climate in Australia. The reality is that the current trend shows no signs of abating. Geopolitical tensions, poor implementation of transformation projects, and the success and wealth we enjoy as a nation all point to Australia continuing to be an increasingly attractive target for threat actors of all types. Sapien Cyber encourages you to explore how we can help your organisation avoid falling victim to one of the cyberattacks currently being conducted against Australian businesses every eight minutes.

Cybersecurity has changed significantly over recent years. Distributed networks, cloud services, subscription models, and remote work have made the traditional strategy of selecting specific solutions for each potential risk increasingly impractical. Traditional perimeter approaches have resulted in an average of 45 different security solutions deployed across the modern enterprise network. In addition, security risks are becoming increasingly external. The software supply chain, the public cloud, the trading of breached data, IoT proliferation, and operational technology (OT) are all threats outside of traditional perimeter security.

The sheer number of tools, which frequently lack vendor interoperability, that are required to secure modern networks the traditional way make centralised management and monitoring an evolving headache. The days of deploying unintegrated point solutions for each threat are gone. It is time for a new strategy.

Cybersecurity mesh architecture, or CSMA, is being touted as a practical and flexible new approach to managing the threats to modern enterprise networks. One of the fundamental drivers for this new approach has been the significant shift away from the ‘castle and moat’ or ‘walled cities’ paradigm of network security. The necessity of remote work brought about by pandemic pressures in tandem with the rapid digitisation of the modern workforce has established ‘hybrid multicloud’ as the increasingly dominant network architecture, where most organisational cyberassets now reside outside traditional physical and logical security perimeters.

Because hybrid cloud and multicloud architectures utilise one or more public cloud services in tandem with on-premises servers and private cloud resources, the concept of the ‘walled city’ approach to cybersecurity has become increasingly obsolete. These distributed resource and worker models have become aptly referred to as ‘anywhere operations’.

CSMA aims to secure these distributed architectures by allowing “anyone to access any digital asset securely, no matter where the asset or person is located”. By embracing the cloud delivery model, CMSA decouples policy enforcement from policy decision making, effectively making identity itself the defined security perimeter.

Gartner predicts that by 2025, over half of digital access control requests will be supported by CSMA. This prediction appears to be on-track, given the increasing shift towards vertical-market clouds where cloud providers offer industry-specific services around security, compliance, and other factors.

Bringing Down the City Walls with Mesh

To understand exactly what cybersecurity mesh architecture is, it is helpful to revisit what it is not. CSMA does not draw from the traditional defence in depth strategies and ‘walled cities’ approaches where password-protected network perimeters provide access to an entire network with internally managed permissions.

Instead, CSMA provides individual perimeters around each access point through a central point of authority which distributes and enforces security policy. Instead of a walled city surrounding the assets within a single perimeter, think more of many individual personal shields.

With assets, workforces, and cloud services becoming increasingly distributed away from the protective environment of the traditional network, CSMA envisions utilising identity, not simply as the key to the kingdom, but as the perimeter itself.

The primary advantage of this approach is that assets can be secured, regardless of location, by defining the security perimeter around the identities of users and machines on the network. However, to understand how this all works, we will need to revisit several related technologies and wade through a range of acronyms.

There are four main layers of cybersecurity mesh. These include:

1. Security Analytics and Intelligence Layer: This layer focuses on collecting, aggregating, and analysing security data from various security tools.
2. Distributed Identity Fabric Layer: This layer focuses on providing identity and access management services, which are central to a zero-trust security policy.
3. Consolidated Policy and Posture Management Layer: This layer converts policies into the rules and configuration settings needed for a particular environment or tool.
4. Consolidated Dashboards Layer: This layer provides integrated visibility into an organisation’s complete security architecture, enabling more efficient detection, investigation, and response to security incidents.

A Mesh of Acronyms

Cybersecurity loves an acronym, and tracing the evolution of the CSMA concept can make even the most seasoned practitioner’s head spin. Starting with the more familiar Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR), we can track the development of the CSMA strategy through SASE (Secure Access Service Edge technologies), CASB (Cloud Access Security Brokers), XDR (Extended Detection and Response), and ZTNA (Zero Trust Network Access). Unlike SIEM or SOAR which integrate various security tools to coordinate and execute security incident management, CSMA primarily utilises security analytics and intelligence, together with identity, policy, posture and dashboard layers. In this way, CSMA more closely resembles XDR.

Extended Detection and Response (XDR) seeks to provide greater visibility and control than traditional SIEMs across all endpoints, the network, and cloud workloads. XDR uses a collection of products within a single solution, typically including Endpoint Detection and Response (EDR), threat intelligence and analytics, antivirus software, firewalls, and data encryption. XDR provides a more holistic potential foundation than SIEM for the security analytics and intelligence layer in CSMA.

CSMA also has similarities to Secure Access Service Edge (SASE) technology. SASE aims to provide secure access to cloud and network resources by applications, services, users, and machines, typically delivered as a cloud service. Rather than these services being delivered by standalone systems, SASE technologies combine SD-WAN, CASB, secure web gateways, ZTNA, Firewalls as a Service (FaaS), VPN’s, and microsegmentation. SASE, therefore, has much technology in common with CSMA.

For example, Software-Defined Networking (SDN) and Software-Defined Wide Area Networks (SD-WAN) enable the network to be intelligently and centrally controlled, or ‘programmed,’ using software applications. This provides a foundation for CSMA’s central point of authority for distributing and enforcing security policy consistently and holistically, regardless of the underlying network technology. Although SASE may be described as a meshy method of distributing diverse functions in an integrated manner, CSMA has an even broader scope.

Cloud Access Security Brokers (CASB) also provides a possible foundation for CSMA by utilising an on-premises or cloud-based security policy enforcement point. This point of enforcement is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed.

Zero-Trust Network Access (ZTNA) is another key feature of CSMA and reflects the ‘personal shield’ concept that is central to the approach. ZTNA embraces three central principles:

1. All entities are untrusted by default – This requires continuous verification and the checking of every request from every user for every resource.
2. Least privilege access is enforced – This is designed to limit breach impact and access through minimal permissions.
3. Comprehensive security monitoring is implemented – This requires the collection of evidence including logs, behavioural data, and context to enable the tracking, monitoring, and validation of compliance for every access to every monitored resource.

Although each of the existing technologies mentioned above provide some elements of the four CSMA layers, security mesh remains a strategy, rather than a defined architecture, despite the name.

So, if Cybersecurity Mesh Architecture is currently an architectural strategy, what can organisations do to pave the way to establishing this type of security architecture in their own hybrid cloud or multicloud enterprise network?

Making a Mesh of Your Enterprise Network

To leverage the advantages of CSMA for hybrid cloud and multicloud architectures, organisations can begin by building the supportive layers for a cybersecurity mesh strategy:

1. Identify your attack surface. This can be achieved by assessing your current network for security gaps and vulnerabilities and prioritising the criticality of each resource and the severity of the associated risks using a solution such as Sapien Cyber’s Condor vulnerability management system.
2. Invest in reliable security technology and tools. Investing in reliable security technologies will help the development of a holistic security approach which may include:
   1. Information Security: Securing business data from leaks and breaches by employing data loss prevention and email security.
   2. Authentication Protocols: Password management and multi-factor authentication to prevent unauthorised users.
   3. Perimeter Security: Application firewalls and unified threat management (intrusion detection, spam detection, content filtering, etc) to ensure perimeter security.
   4. Network Security: Continuous network monitoring via solutions such as Sapien Cyber’s Raptor threat management system to proactively identify vulnerabilities and threats and take preventive security measures. Network security measures should be capable of storing threat and alert data for future intelligence.
   5. Endpoint Security: Endpoint security practices such as implementing a domain name system (DNS) and MDR (managed detection and response) will stop malicious traffic from unauthorised sites and allow for the regular collection and analysis of data related to persistent threat processes.
   6. Backup and Disaster Recovery: Mapping out an ongoing and testable backup and disaster recovery strategy using appropriate software solutions is an essential, yet often neglected aspect of a holistic strategy.
3. Employing interoperable technologies. Avoiding silos and focussing on integrating security analytics and associated data (either in the cloud or on-premises) allows for efficient traffic analysis and the triggering of appropriate responses.
4. Decentralised identification management. Authentication protocols, zero trust network security, and identity proofing are essential for securing a remote workforce and enforcing authorised access beyond traditional perimeters.
5. Centralised security policy management. Modern decentralised infrastructure employing public, private, and hybrid cloud (multi-cloud) solutions require flexible security protocols and tools that separate policy and decision-making from implementation and enforcement. This centralised process converts policies into the rules and configuration settings needed for a particular environment or tool.
6. Employ experienced security professionals and robust standards and frameworks. Security professionals who are well versed in current and emerging standards and open-source code projects that can supplement vendor interoperability gaps are essential to a successful security mesh implementation.

In summary, CSMA is a modern strategy for securing distributed and remote IT infrastructure, based on a zero-trust strategies, integrated and interoperable components, and consolidated security tools. CSMA offers a holistic security strategy suited to modern distributed environments by extending security controls on an individual level and enhancing a zero-trust access approach. We invite you to discuss your cybersecurity mesh journey with us at Sapien Cyber and learn how our on-premises and cloud solutions can help you build out your CSMA layers and secure your distributed network architecture.

Much like the rest of the world, Australia is witnessing a dramatic increase in cyber incidents targeting critical infrastructure. The Australian Cyber Security Centre noted that one quarter of all cyber incidents in the 2020/21 period were associated with Australia’s critical infrastructure or essential services. Globally, one third of industrial control systems were targeted by malicious activity in the first six months of 2021 alone, leaving lawmakers scrambling to keep up with the rate of change to the threat landscape. Much like the global pandemic and the land war in Europe, the level of cyber threat (once described with the now-worn adjective, ‘unprecedented’) is now very much the new normal.

While Information and Operational Technology (IT and OT) convergence continues to expose decades-old operational technologies to the internet, Industrial Control System (ICS) attack kits and other malware tools continually mushroom up on the Dark Web, allowing malicious actors to exploit vulnerable systems with little or no technical knowledge of ICS or SCADA. For example, in April of 2022, the FBI released an advisory regarding the “Pipedream” toolkit, described as a veritable Swiss Army Knife for hacking Industrial Control Systems. While security researchers keep reporting ICS vulnerabilities that are remotely exploitable and do not require user interaction or specific privileges, the pandemic has made it easier than ever for attackers to exploit outdated ‘castle and moat’ network architectures to access OT systems through the compromised devices of remote workers. Meanwhile, continuing uncertainties over the Ukraine conflict have sparked a flood of urgent advisories warning of an additional threat source in the form of direct or indirect retaliatory cyber-attacks, particularly for critical infrastructure.

Both Australia and the United States have introduced measures to combat these emerging threats. Australia’s SLACI and SLACIP Acts (collectively referred to as the Security of Critical Infrastructure [SOCI] legislation) and the US Biden Administration’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (referred to herein as NSM for brevity), introduced last year, have some broad parallels in their aims, but also have significant differences in the approaches taken that are worth examining.

The rationale for the amendments to the Australian Critical Infrastructure laws were communicated by the government as urgent, with Australia facing a very serious and rapidly deteriorating cyber security environment. The government said they had “compelling evidence that the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate”. The United States provided a similar rationale in the Biden NSM, stating that “the cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation”.

A Look at the Australian Approach

In order to compare and contrast the approaches taken by the US and Australian governments, it is prudent to examine the development of each in turn. For the Australians, the challenge was seen as devising a way to deliver a swift and comprehensive response to the emerging threats. However, implementing the response was not as straight-forward as first conceived, and the whole process was burdened by significant disagreements between industry and government on the exact response required.

Until recently, critical infrastructure in Australia fell into one of four categories: electricity, gas, water, and ports. However, the pressures of the pandemic and the increasing volume of cyber-attacks on critical sectors beyond these traditional categories forced the Australian government to reassess its conception of what is critical. In order to uplift the cyber security posture of critical sectors, Australia recently broadened its legislated critical infrastructure asset classes from 4 to 11 sectors, bringing Australia’s definition of Critical Infrastructure much closer to the 16 critical infrastructure sectors already established in the United States.

The development of the SOCI amendments and their introduction to Parliament was preceded by a consultation process based on discussion papers and exposure drafts of the legislation. The intention of the consultation phase was to involve industry in guiding the framework development. For many in the affected industries, however, the process felt more like being heavily pressured to decide on the purchase of an ill-fitting suit. While the Australian Government continually emphasised the urgency of the legislation to safeguard Critical Infrastructure in an increasingly hostile threat landscape, those impacted called for more consultation to clarify responsibilities, leverage existing frameworks, and reduce the regulatory burden.

In the interests of expediting the process, the government chose to design and define much of the regulation in legislative instruments, rather than in the primary legislation. This created an inherent uncertainty in determining the regulatory and financial impact because the definitions were found to be unclear and sometimes inappropriate. Impacted stakeholders complained that the consultation process was too rapid, and that the government had not sufficiently engaged with industry regarding their concerns, questions, and recommendations.

It became apparent that achieving both a swift and a comprehensive response to the threat was not going to be possible, and many called for the process to be paused. As a result, Australia’s Parliamentary Joint Committee on Intelligence and Security (PJCIS) were tasked with reviewing the operation, effectiveness, and implications of the proposed changes. The Committee found that “many companies, industry bodies or stakeholders did not feel like their input or feedback had been actioned or acknowledged” due to a lack of promotion of the process, inadequate engagement, and insufficient information to allow stakeholders to make comprehensive submissions. The Committee also warned that if the government persisted in attempting to achieve both a swift and comprehensive response to the threat in the same process, it may achieve neither.

The PJCIS concluded that the proposed Bill of amendments should be split into two Bills; the first to promptly legislate urgent measures seeking to address the immediate threat, while deferring the remainder to a second Bill after further consultation and collaboration with industry.

Two weeks after the PJCIS report, the government tabled and passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act), increasing Australia’s four Critical Infrastructure sectors to 11, with 22 defined asset classes. The SLACI Act also brought into effect government intervention measures, cyber incident reporting obligations, and a mandatory Register of Critical Infrastructure Assets. On April 2nd, 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) became law, implementing the final package of amendments including the Positive Security Obligations and Enhanced Obligations for Systems of National Significance (SoNS)

A Look at the United States’ Approach

On July 28, 2021, while the Australian government was still wrestling with the concerns of industry to its proposed reforms, US President Joe Biden signed a memorandum to modernise defences in industrial control systems (ICS). This action came hot on the heels of the now infamous Colonial Pipeline cyberattack which occurred on May 7, 2021, when a company managing an oil pipeline system carrying gasoline and jet fuel from Texas to the South-eastern United States suffered a ransomware attack that ultimately resulted in a shutdown of the pipeline and a great deal of public panic.

Subsequently, on May 12, 2021, the Biden Administration set out new policy to remove existing contractual barriers to threat information sharing between IT and OT service providers and executive government departments and agencies responsible for investigating or remediating cyber incidents, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC). The policy also implemented a range of measures to modernise the federal government’s own cyber security posture, including adopting Zero Trust Architecture and secure cloud services, centralising and streamlining access to cybersecurity data, and ordering investment in the necessary technology and personnel to accomplish these tasks.

Other measures in the order included mandating two-factor authentication (2FA), encryption, and log storage requirements for federal government systems; creating standardised playbooks for federal government incident response; establishing government-wide endpoint detection and response system; and mandating baseline security standards for the development of software sold to the government.

Utilising the newly established policy, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced a security directive on May 27, 2021, aimed at critical pipeline owners and operators. The directive required critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator who was to be available 24 hours a day, seven days a week. The directive also required critical pipeline owners and operators to review their current practices, identify gaps, and report the results to the TSA and CISA within 30 days. As a result of the aforementioned policy and the first DHS/TSA directive, CISA was able to better advise the TSA on cybersecurity threats to the US pipeline industry and on effective countermeasures.

On July 20, 2021, a second directive was issued requiring owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information and operational technology systems, develop and implement cybersecurity contingency and recovery plans, and conduct a cybersecurity architecture design review.

On July 28th, 2021, a little over a week after the second directive, President Joe Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (NSM). This memorandum established the Industrial Control Systems Cybersecurity Initiative (the ICSC Initiative), a voluntary and collaborative effort between the Federal Government and the larger critical infrastructure community to significantly improve the cybersecurity of Industrial Control Systems. The primary objective of the ICSC Initiative was described as defending the United States’ critical infrastructure by encouraging and facilitating the deployment of threat visibility and detection systems and associated response capabilities for control system and operational technology networks. The NSM also implemented the sharing of threat information between government and industry, facilitated by the May 12th policy, for priority control system critical infrastructure throughout the United States.

A Stick or a Carrot?

The voluntary and collaborative approach of the US National Security Memorandum means the NSM was not a regulation or law and there would be no fines for non-compliance. The US government expected that all responsible critical infrastructure owners and operators will apply the measures as a whole-of-nation effort, with industry doing its part. Some commentators suggested, however, that should the engagement of industry fall short of the anticipated uptake, more forceful measures might be introduced. Back in Australia, the government was not willing to place such a level of trust in the owners and operators of critical infrastructure to implement voluntary measures. Instead, the carrots were discarded for a rather large stick.

In contrast to the US National Security Memorandum’s voluntary and collaborative approach, Australia established legislated obligations carrying fines for non-compliance. The corporate penalties for failing to comply with reporting or information provision obligations carried a penalty of $55,500 per breach or day for non-compliance, while failing to comply with government assistance measures could result in significantly higher financial penalties, in addition to 2 years imprisonment.

In addition, many Australian owners and operators of critical infrastructure assets would now be subject to Positive Security Obligations, including the implementation of a risk management plan and mandatory reporting. Although similar to the Department of Homeland Security’s directives aimed at pipeline owners and operators in regard to risk management, gap analysis, and mitigation, the Australian approach was to apply such obligations across the board.

The changes also created a new tier of assets called Systems of National Significance (SoNS) and imposed enhanced obligations on the responsible entities for those assets. Under the changes, the Australian government could privately declare a critical infrastructure asset to be a SoNS, with four core enhanced cyber security obligations, including incident response planning obligations, requirements to undertake cyber security exercises and vulnerability assessments, and provision of access to the Australian Signals Directorate of system information. The differing levels of trust in the critical infrastructure industries between the US and Australia did not stop at compliance, however; there were also significant differences in how the two governments approached the concept of ‘assistance’.

Assistance and Enforcement

The Biden Administration’s NSM stipulated that sector Risk Management Agencies and other executive departments and agencies were to liaise with and assist those critical infrastructure stakeholders, owners, and operators in implementing the principles and policy outlined in the NSM. These included the deployment of threat visibility and detection systems, developing response capabilities for ICS and OT networks, and establishing the nuts and bolts for the sharing of threat information between government and industry.

Meanwhile down-under, any Australian critical infrastructure owners and operators within one of the newly defined eleven sectors could be subject to Government Assistance measures. Note the difference in language compared with the Biden NSM. The Australian government’s wording does not infer the entity would be ‘in receipt of’ or ‘eligible for’ assistance, but rather subject to. response capabilities for ICS and OT networks, and establishing the nuts and bolts for the sharing of threat information between government and industry.

Despite industry protests regarding excessive government and ministerial powers without judicial review or independent oversight, these measures would allow the Australian government to request information, direct an entity to take an action, or to intervene directly in an incident. The information gathering direction would be the first stage of escalation in the event of a significant incident where the government would be able to compel an entity to disclose information related to a cyber security incident to determine the need for further escalation of support and intervention. The action direction would allow the government to direct an entity to take action that is reasonably necessary and proportionate to achieving the objective of resolving the incident. An intervention request would be at the extreme end of the government‘s authority, allowing the government to direct the Australian Signals Directorate (ASD), with support from the Australian Federal Police (AFP), to intervene directly in an incident.

Different Strokes to Protect the World

The National Security Memorandum (NSM) on Improving Cybersecurity for Critical Infrastructure Control Systems recognised from the outset that cybersecurity needs vary greatly among critical infrastructure sectors, as do cybersecurity practices. However, the NSM also recognised the need for consistent baseline cybersecurity goals across all critical infrastructure sectors, as well as a need for specific security controls for select critical infrastructure. Therefore, the NSM ordered the development of cybersecurity performance goals for critical infrastructure in pursuit of these baseline security practices.

For Australia, one of the key challenges was the significant differences in cybersecurity maturity within and between the eleven critical infrastructure sectors, as well as between existing levels of regulation. In their responses to the exposure drafts, many industries pointed out that they already had regulatory regimes and standards that adequately managed the risks to their assets and that these needed to be considered and incorporated to make the amendments work as efficiently as possible. To navigate this issue, the Australian government established risk management program obligations designed to establish a minimum set of safeguards where there were no other regulatory settings to achieve the same purpose.

Conclusion

Both the United States and Australia have sought to establish security amendments with the objective of ensuring that Critical Infrastructure sectors achieve and maintain a defined standard of security. The Australian approach has been to design and define much of the regulation in legislative instruments rather than in the primary legislation, and to brush all eleven Critical Infrastructure sectors with broad security strokes. In contrast, the Biden Administration’s approach has been much more focussed on specific mitigations. While the US memorandum does direct the development of cybersecurity performance goals for critical infrastructure by CISA and NIST, it also seeks to establish a stronger security posture through specific strategies. It is worth remembering that, despite the many shared aspects of culture, systems of government, and core values, Australia and the United States are very different countries requiring different approaches to achieve the best possible outcomes for the security of their most critical assets.

Despite these differences, there are shared common adversaries who are increasingly targeting critical infrastructure and threatening many of the foundations on which modern societies heavily depend. The onus of protecting our nations is no longer the sole domain of governments. It is now a responsibility shared with our critical infrastructure owners and operators, their stakeholders, and the entities providing key services to these organisations. Those responsible for the Industrial Control Systems that keep our nation functioning must ensure they are on top of their own Operational Technology protection. If they do not, they may find themselves the first of many dominos to topple in a significant attack, potentially bringing modern life to a standstill.