
Cyber Incident on Water Treatment Plant

July 3, 2021, published by Jeffrey Eaton


Author: Paresh Kerai

The New York Times and Wired reported that a water treatment plant in the US was remotely compromised by an attacker.

Reports state that the attacker compromised a remote-access system connected to the water treatment facility, which controlled the chemical levels at the plant.

The attacked system was reachable by any user on the internet, for plant maintenance and system monitoring purposes, and was protected only by basic security controls such as a username and password.


Is ransomware a distraction to a bigger problem?

July 2, 2021, published by Jeffrey Eaton
Author: Mel Griffiths


Ransomware and other ‘visible’ cybersecurity breaches are not always the end game for attackers – they can also be a distraction tactic from more serious objectives, such as operational technology (OT) breaches.

As business leaders become fixated on the immediate ransomware problem, could the real danger lie elsewhere in the operational network?

What better way to embed yourself and ‘cover your tracks’ to avoid detection than whilst your target is concentrating on another critical issue? Experienced hackers often use a multitude of methods and pathways to secure their real objective.

The fact that an attacker can get into a system and encrypt the whole set of files to mount a ransomware attack means that the target has already been breached.

Is part of your network not encrypted? People must question why and investigate further, rather than assume unaffected areas of the network are still secure.

Due to the evolution of these systems, the operational technology environment can be highly vulnerable. You may hear “If it’s not broke don’t fix it” or “these are air gapped systems”, which for a time was bearable.

With the broadening of digital transformation and the ability to carry significant vulnerabilities on small hosts – think USB and smartphones amongst others – then those paradigms have been broken down.

Usually there has been a lot of focused work done on the information technology side, but if cyber criminals are looking for a way into a company’s systems, they are going to attack the softest target, and that is rapidly becoming the OT systems.

An alarming report was released by Gartner recently, warning that by 2025 cyber attackers could be weaponising OT to harm or kill people.

The Gartner report also noted that organisations need to have segmented networks for IT and OT, highlighted by the attack on the Colonial Pipeline in the US.

Put that in the context of critical infrastructure. If cyber criminals have knowledge of architectural designs and infrastructure build-outs, that is highly advantageous for attacks that aim to shut down a region’s power plant or its water supply.

The difference between IT and OT security

OT is an area often poorly understood by business leaders and effective protection of safety-critical systems requires an enhanced and somewhat different skillset than that of an IT only focused professional.

Everybody has different capabilities, so it does not make sense to assume that somebody with IT experience is automatically able to transition into understanding an operational technology environment and vice versa.

My experience working in organisations dealing with safety-critical systems taught me that the engineering principles of safety-critical operational technology systems are very different to those of IT systems alone.

On the flipside, experienced OT people don’t automatically understand the complex vagaries of IT cyber security, because protection from a cyber security attack is not an on-or-off matter or a clear physical event; it is amorphous. Neither is more important than the other, but they require different skill sets that ultimately complement each other.

Data theft, of course, is a real concern for businesses. But if there is a connection between IT and OT systems, there could be a far more serious issue – criminals are inside their infrastructure.

Not every attack is going to be visible, but that doesn’t mean you are not being attacked; it just means that you are not picking them up.

If criminals are already in the systems and doing as they please, they are not then going to put up a flag, deploy ransomware and say, hey, I’m stealing your IP or mapping your infrastructure. They are just going to keep going.

Ransomware is the latest attack in a long line of cyberattacks. It is real and people are being locked down, and criminals are making hundreds of millions of dollars out of it.

Whether it is state-based actors or industrial espionage, it has evolved into a commercial industry far removed from when I started in the industry more than 30 years ago, when it was just people hacking into stuff because they could.

But ransomware can also be put in place to divert attention while other activity is taking place and the likelihood of someone discovering that activity is quite low, because the business has been subject to a ransomware attack and it’s an emergency.

Three simple steps to planning cyber security

Step 1: Visualise the crown jewels

The number one item that businesses have to outline first is their vision for what they want to protect, the most important aspects of the organisation.

It might be protecting a huge database of clients, or safeguarding a fleet of remote-operated vehicles, or defending a manufacturing process.

No cyber security professional can tell a business leader or manager what their risk appetite is or what aspects of their organisation are most important to them. Of course, they can offer advice and suggestions but only the business leaders can answer the question of their risk appetite.

If an item breaks and you have no revenue for your business, you might have a very low threshold on security risk for that area. But that’s your vision to share, not mine to guess.

A vision of the valuables that need protecting must include critical OT infrastructure that keeps workers safe and businesses moving. A clear and honest picture allows us to develop the right protections.

Step 2: Get a grip on reality

Many people want to adopt the vision as the plan, but they first need to understand where they are starting from and the behaviours of the environment they are working in.

And you need to be honest about it.

It’s not just about doing a penetration test to check where the exploitable vulnerabilities are. By understanding the behaviours in the current environment, business leaders can plan a roadmap to that vision.

Cyber security is a journey but if you don’t really know where you are starting from, it’s impossible to determine if you are on the right path.

Recognise the behaviours in the organisation’s environment, appreciate the types of people working in the environment, and understand the systems critical to the organisation.

Once you are honest about that, then you can start down the right path.

Step 3: Think before you act

Don’t just go and buy a product because somebody says, ‘this is the best product to buy’.

Know where that product fits in the vision and the reality of where you are going, as established in the first two steps.

When you put a product in place, understand how it is actually going to help you on that path to the vision.

If you’re not making those forward steps, that’s okay. Go back, readjust, and go forward again. That is the systematic way to approach cyber security.

But take action now; don’t get bogged down in ‘planning’. Too many people have said, ‘we understand the benefits and you’ve shown us the vulnerabilities, but we’re just building our plan, we’ll talk to you in a couple of years.’

That is a statement that declares ‘it’s really important to build a plan, which it is, but meanwhile I don’t really care what’s happening in my system.’

Two years is an eternity in cyber security. And it’s a milestone that may never come around if you don’t take action to protect yourself now.


Why executive responsibility for cybersecurity matters more than ever

June 20, 2021, published by Jeffrey Eaton
Author: Mel Griffiths

When it comes to internet crime, no vulnerability is too small because, for the bad fellas, it’s just a gateway to an even bigger prize. The current state of cybercrime is beyond alarming and calls for more awareness and action. Unfortunately, hardly a day goes by without breaking news of another destructive cybersecurity breach or attack taking place.

Hackers are targeting operational technology, with threats and resulting consequences rising exponentially. The business costs of cyberattacks on critical infrastructure, including utilities, health, transport, commerce, water and electricity, are extensive and disastrous. Yet, despite the catastrophic ramifications of cybersecurity breaches and exposures, many organisations are still not doing an adequate job protecting themselves from harm.

Executives can no longer afford to look the other way.

Beyond the considerable financial loss and reputational damage, there are now even more consequences for not taking the necessary measures against cybersecurity threats.

Further regulation and governance have been put in place in countries around the world, placing the responsibility for cybersecurity squarely on the shoulders of the C-suite. However, if we’re going to tackle this growing and constantly evolving threat, we need to demonstrate cybersecurity leadership from the top down.

Prioritising cybersecurity in the C-suite

Turning a blind eye and underfunding cybersecurity efforts is no longer an option.

The ability to transfer risk by purchasing cybersecurity insurance isn’t sustainable, with ridiculously high premiums and removal of coverage for certain threats such as ransomware attacks. Governments are also moving to manage risk better, implement more robust preventative measures and build cyber resilience. For example, the Australian government recently tightened an organisation’s security obligations with the passing of the Critical Infrastructure Bill Amendment. Any breach to communications, education, research, energy, food, grocery, healthcare, space technology, transport and water is now declared a system of national significance.

Organisations simply must be undertaking preparations, prevention and mitigation activities. Similarly, in the US, the Biden administration announced an executive order designed to strengthen government cybersecurity defences in response to several damaging hacks, including SolarWinds, Colonial Pipeline, and Microsoft Exchange Server.

In the past, CTOs and cybersecurity leaders may have struggled to communicate with their peers on the urgency and importance of taking preventive measures. Yet today, awareness and education are beginning to take place at the highest level of management to close the gaps between allocated resources and providing the ongoing support needed to prevent an attack.

Cybersecurity prevention is an ongoing process that needs to be on every leader’s radar. The C-suite must work together with the board and business unit managers to understand the risks and assume responsibility for the organisation’s cybersecurity activities.

Understanding the threats to take the right action

Establishing true cybersecurity leadership, awareness and readiness requires continuous risk-based assessment. Having a holistic view of operational technology systems, networks and platforms is crucial to determining the threat level. IT and OT environments work together and are connected to other parts of the business. Managing the security risk in the OT space means looking at the big picture rather than just patching over what’s worked well with your IT security.

C-level discussion should revolve around an action plan covering worst-case scenarios to identify what steps need to be taken to mitigate the risks. Where is the highest degree of risk in your organisation? How can you increase cybersecurity preparedness to meet governance requirements and obligations? Overseeing the performance of ongoing management and monitoring helps the organisation remain agile in addressing evolving threats. Cybersecurity efforts are not a one-off; they require continuous monitoring, testing and re-evaluation of the security systems put in place, and the issue demands a standing item on meeting agendas.

Collaborating from the top down to tackle the issue

Over 80% of respondents of a recent Sapien Cyber survey believe a cyberattack has the potential to cripple their organisation. And, with cybersecurity accountability on the rise and Gartner predicting that 75% of CEOs will be personally liable for cyber-physical security incidents by 2024, technology leaders and executives must work together to focus time and resources better to take action and prevent an attack.

The best results occur when organisations collaborate using a top-down approach to establish awareness and encourage the right behaviours. Like any successful company-wide initiative, leaders have to live and breathe it first. Discussions and action on cybersecurity need to occur at the senior level, with regular communication and follow-up with teams.

The Unfolding of the Microsoft Exchange Exploits

May 22, 2021, published by Jeffrey Eaton


Author: Paresh Kerai

We have recently seen many news articles and technical reports concerning the four patched Microsoft Exchange vulnerabilities that allowed attackers to compromise Exchange servers with administrative privileges.

One thing to note is that these exploits only affect Microsoft Exchange servers deployed on-premises, and organisations that are using Office 365 are not affected by these vulnerabilities.

With so much information circulating about the topic, I have written a summary and timeline of the exploits and attacks against Microsoft Exchange that have been active in the past few weeks.



Talking Tech: Girls and Women in ICT interview series. Interview with Rochelle Fleming, COO Sapien Cyber.

April 5, 2021, published by Jeffrey Eaton
While girls across the world tend to outperform boys in reading and writing skills, they continue to be under-represented in science, technology, engineering and mathematics (STEM).

Through International Girls in ICT Day, the Talking Tech series builds awareness about the gender digital divide, supports technology education and skills training, and encourages more girls and young women to actively pursue careers in STEM.

Listen to an interview with our COO, Rochelle Fleming, and Rubi Jain, Bachelor of Engineering in Electronics and Telecommunications at IET India.

Critical Infrastructure 2 of 6

April 5, 2021, published by Jeffrey Eaton
Critical Infrastructure – Part 2

Author: Mel Griffiths

A new approach for a new threat landscape

On the 11th of July 2018, the Security of Critical Infrastructure Act 2018 came into effect, along with its obligations for owners and operators of assets in the electricity, gas, water, and ports sectors. The aim of the Act was to “manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure”. However, the provisions in the Act were developed prior to the COVID-19 pandemic, which was accompanied by a flood of cyber-attacks frequently targeting critical sectors not captured in the Act.

This new threat landscape prompted revision of the Security of Critical Infrastructure Act’s definition of which sectors qualified as critical. As a result, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is currently before Parliament. The Bill will expand the number of regulated sectors to include banking/finance, communications, data and the cloud, defence, education, research and innovation, food and grocery, health, energy, space, transport, and water.

It is the position of Sapien Cyber that it is the responsibility of trusted information-sharing networks to educate the community on the Bill’s purpose and consequences. This article aims to provide clarity on the impact of the Bill on the various sectors affected by the obligations and to characterise the response from industry. In this post, we will discuss the Healthcare and Medical and Communications sectors.

The Healthcare and Medical sector – Significant threat in a challenging area

The Health Care and Medical sector has increasingly become a favourite target of cybercriminals and provides an excellent example of the rationale behind extending the Security of Critical Infrastructure Act 2018 to include more industry sectors. The Health Care and Medical sector, as defined in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, includes the provision of health care, or the production, distribution, or supply of medical supplies, while the definition of Health Care includes dental, medical, radiography, nursing and midwifery, occupational therapy, optometry, pharmacy, physiotherapy, podiatry, and psychology services provided by individuals. The new definition of critical hospital asset refers to critical infrastructure assets owned or operated by a hospital with a general intensive care unit. However, Telstra Health has rightly emphasised that critical hospital risk management is challenging and that security and continuity of service comprise a complex interconnection of technology and people-based systems with long and complex supply chains.

MISA, the Medical Software Industry Association which represents this area of the industry, has asserted that there is a lack of detail regarding incident reporting as well as a lack of alignment with existing legislation, such as the My Health Record Act and various Commonwealth and Jurisdictional legislation and policies. Duplication in these areas may result in organisations being required to undertake “multiple conformance testing without any perceived or real security value”.

Likewise, Medicines Australia, which leads the research-based pharmaceutical industry, is cautious of the introduction of government powers that might inadvertently impede the ability of companies to continue usual business operations. It has stated that it “would be an undesirable outcome if, due to onerous security requirements, clinical trials were delayed, thereby denying patients access to innovative life-saving medical treatments”. There is also concern that the costs associated with increased security measures may be passed on to industry, and Medicines Australia has urged the Government to consider support measures that will assist public and private institutions in transitioning to the higher security obligations.

Consumer Healthcare Products (CHP) Australia, representing the manufacturers and distributors of consumer health care products, have outlined concerns that their industry is impacted by the sector-specific standards and obligations for both the Health Care and Medical and the Food and Grocery sectors in the Bill, arguing that the current definitions of these sectors, as well as Health Care and Medical supplies are overly broad. This position has been repeated by Telstra Health, who have noted that “complex supply lines relating to hospital care in particular” may result in the intent of the measures being difficult to achieve. CHP Australia have highlighted that the manufacture and supply chains required for their products are already subject to a high level of regulatory obligations, characterising the regulatory framework proposed in the Bill as “wide-ranging”, “onerous”, and neither necessary nor warranted.

A common question regarding the Bill, raised by a number of sectors and echoed by CHP Australia, is why, if no significant cyber security failings have been identified in their specific area, they should be subject to the introduction of such “widespread and onerous legislated requirements”. This may be a somewhat naive and self-preserving position, given the emerging threat landscape in the Health Care and Medical sector, which has become more critical than ever due to the ongoing pressure of the COVID-19 pandemic. Already in a vulnerable position from a cybersecurity perspective, this sector has seen its pre-existing issues compounded by the pandemic, and together with a surge in targeted exploitation by cybercriminals, the need to provide greater protection is vital.

Fear and loathing in the Communications sector

The Communications sector is defined as businesses that supply, own, or operate a carriage or broadcasting service or asset, or are used in connection with these services or assets. It also encompasses sectors that administer an Australian domain name system. Broadcasting transmission assets are considered critical if they are (a) owned or operated by the same entity and located on a critical transmission site, (b) located on at least 50 different sites and are not broadcasting re-transmission assets, or (c) owned or operated by an entity critical to the transmission of a broadcasting service. Some companies may still be prescribed without meeting the above thresholds, including TX Australia which services many major broadcasters which otherwise do not meet the “at least 50 sites” threshold.

BAI Communications Australia (BAI) have argued that simply defining a number of sites does not capture an accurate measure of control of critical broadcasting assets. Other factors such as population served, unique coverage provided, and alternative modes of delivery available are more appropriate and would allow entities who own and control critical transmission assets to be specified more accurately.

The Communications Alliance, which represents the Australian communications industry, is also critical of the asset definitions, which it says are overly broad and simply provide a “non-exhaustive list of items that may be considered an asset instead of a clear definition of the term”. For example, the terminology “use in connection with the supply of a carriage service” might conceivably result in every asset within the sector becoming a critical telecommunications asset. This sector is experiencing much confusion as a result of the lack of detail provided by the Government thus far. It has been argued that the timeframe allocated for the co-development of sector-specific rules has been too short, making it difficult for this sector to properly understand the impact and function of the obligations. The Communications Alliance has even gone as far as to question whether the proposed regime will meet regulatory best practice at all.

Once again, we also see a lot of disquiet that the Bill will introduce conflict as a result of overlapping and duplicative obligations, both within the Bill, and from co-existence with existing legislation, such as the Telecommunications Sector Security Reforms (TSSR) and the Telecommunications Act 1997. The Communications Alliance has advised that enhancing security obligations would best be achieved under the TSSR, rather than within the proposed legislation, thereby avoiding duplication of obligations such as maintaining a risk management program, which is already captured by the section 313 requirements of the Telecommunications Act 1997.

Both Free TV Australia and the Communications Alliance have joined the chorus of other sectors regarding concerns over potential increased administrative, operational and financial burdens. Free TV has stated that any required boost in security arrangements should have a matching boost in the form of “a funding deed with the Government in recognition of the driver for these costs being a change in Government policy, rather than changes in best practice asset management”. This caustic assessment of the proposed legislation is not unique to the owners and operators of broadcast assets.

Within the proposed legislation, an asset is considered a critical domain name system if it is managed by or used in connection with an entity that is critical to the administration of an Australian domain name system. It has also been recommended that the .au country code Top Level Domain be made a critical domain name system. Afilias, the Registry Operator for the .au ccTLD, has clearly stated that “the Government is well-advised to continue its path to keep the Positive Security Obligation dormant for the .au namespace”. They feel the existing “structural guardrails” are sufficient and do not require any further Positive Security Obligations or Agency intervention, which they fear will add unnecessary burdens and costs. Afilias has strongly stated their position, saying that the existing management and oversight of the .au ccTLD is more than sufficient.

Overreach and overlap are common concerns

In this post, we examined the Healthcare and Medical and Communications sectors. It is clear that the proposed Government intervention powers are commonly seen as over-reach that may impede or threaten industry. There is also much concern over the lack of alignment with existing legislation and potential overlap within the Bill for some businesses caught between defined sectors. As a result, there have been calls for an approach that leverages existing legislated obligations. Given the increasing risk to Australian Critical Infrastructure evident in the evolving threat landscape and the urgency with which the proposed legislation is being developed, it seems unlikely that sufficient time will be available to manage amendments or even consult with industry on such suggestions. At this stage, it appears the Bill will proceed, although its final form and specific impacts on Critical Infrastructure owners, operators, and assets remain to be seen.

Critical Infrastructure 1 of 6

March 3, 2021, published by Jeffrey Eaton
Critical Infrastructure – Part 1

Author: Mel Griffiths

Critical Infrastructure cyber-attacks are on the rise

Cyber-attacks targeting Critical Infrastructure are increasing in frequency and efficacy. These attacks are profitable for cybercriminals and offer plausible deniability for Nation States who use these groups as “hired guns”. In late 2020, the software supply-chain compromise of SolarWinds resulted in one of the most significant cyber intrusion incidents to date, impacting businesses and Critical Infrastructure assets across the globe. In February of this year, a cyber-attack on a water treatment system in Oldsmar, Florida very nearly resulted in the poisoning of water supplies. In May, a ransomware attack led to the shutdown of the Colonial Pipeline, resulting in one of the most significant and successful cyber-attacks in US history. June saw ransomware attacks on meat producer JBS USA and on St. Joseph’s/Candler Hospital in Georgia, impacting food supply chains and healthcare systems.

There is a clear global uptick in cyber-attacks on vulnerable Critical Infrastructure chokepoints, with the intention of creating severe and significant impacts to maximise profit or damage. It is also clear that threat actors have broadened their targets beyond traditional ideas of what constitutes Critical Infrastructure. The reality is, if it is critical and vulnerable, there is money to be made. Australia’s Critical Infrastructure clearly faces a realistic, credible, and immediate threat.

The Critical Infrastructure Bill is now a matter of urgency

In response to the increasing threat, the Australian Government’s proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020 is set to significantly broaden the defined Critical Infrastructure sector. The proposed Bill will introduce positive security obligations, including enhanced obligations for systems of national significance, and allow Government intervention in security incidents.

Despite several tech giants operating within Australia taking issue with the proposed Government interventions, the Minister for Home Affairs, Karen Andrews, has recently announced that passage of the Critical Infrastructure Bill through Parliament will be prioritised, stating that the Bill “provides significantly more protections than it does introduce risks”.

Understanding your sector, your security, & your obligations

However, it may not be clear exactly how these changes may impact your sector and how your organisation will be required to change the way it manages its cybersecurity function. The Bill itself is not an easy read, and many Critical Infrastructure owners and operators are unclear as to what the proposed changes will mean to them. Additionally, the broadening of the definition of Critical Infrastructure means that many organisations which were not previously identified as such may be caught unaware and unprepared for the obligations laid out in the impending Bill.

Michelle Price, CEO of AustCyber, has highlighted the importance of education on the Bill’s purpose and consequences through trusted information-sharing networks. This series of blog articles from Sapien Cyber is intended to assist organisations in tackling the challenges they may face with the introduction of this new legislation and to provide fresh insights as the Bill progresses. These articles will discuss the broadened definition in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, what will constitute Critical Infrastructure, and how the new legislation will impact the security function of each of these defined sectors.

We will also examine the positive security obligations imposed by the Bill, what they entail, and what changes Critical Infrastructure Owner / Operators will need to make to meet these obligations. In addition, we will tackle the somewhat controversial topic of Government intervention in the incident response process in the event of a significant attack on Critical Infrastructure, what this actually entails, and how organisations can prepare.