One-fifth of organizations did not make cybersecurity a priority during the pandemic

56% of IT and OT security professionals at industrial enterprises have seen an increase in cybersecurity threats since the start of the COVID-19 pandemic in March, Claroty research reveals. Additionally, 70% have seen cybercriminals using new tactics to target their organizations in this timeframe.


The report is based on a global, independent survey of 1,100 full-time IT and OT security professionals who own, operate, or otherwise support critical infrastructure components within large enterprises across Europe, North America and Asia Pacific, examining how their concerns, attitudes, and experiences have changed since the pandemic began in March.

Cybersecurity still not a priority, regardless of the pandemic

  • 32% said their organization’s OT environment is not properly safeguarded from potential threats
  • One-fifth of organizations did not make cybersecurity a priority during the pandemic
  • COVID-19 has not only accelerated the adoption of new technologies (41% stated implementing new technology solutions as a priority during the pandemic), but also brought to the fore the challenges of having siloed teams (56% said collaboration between IT and OT teams has become more challenging)
  • 83% believe that, from a cybersecurity perspective, their organization is prepared should another major disruption occur

COVID-19 impact on IT/OT convergence

Across the globe, COVID-19 has led cybercriminals to use new tactics and organizations to become more vulnerable to cyber attacks, with 56% of global respondents saying that their organization has experienced more cybersecurity threats since the pandemic began. Further, 72% reported that their jobs have become more challenging.

COVID-19 has clearly had an impact on IT/OT convergence, as 67% say that their IT and OT networks have become more interconnected since the pandemic began and more than 75% expect they will become even more interconnected as a result of it.

While IT/OT convergence unlocks business value in terms of operations efficiency, performance, and quality of services, it can also be detrimental because threats – both targeted and non-targeted – can move freely between IT and OT environments.

“While we would be short-sighted to think that we won’t have more challenges as we continue to face unknowns from this pandemic, protecting critical infrastructure is especially important in a time of crisis,” said Yaniv Vardi, CEO of Claroty.

“As large enterprises are trying to improve their productivity by connecting more OT and IoT devices and remotely accessing their industrial networks, they are also increasing their exposure as a result. OT security needs to be brought to the fore and made a priority for all organizations.

“Attackers know that IT networks are covered with cybersecurity solutions so they’re moving to exploit vulnerabilities in OT to gain access to enterprise networks. Not protecting OT is like protecting a house with state-of-the-art security and alarm systems, but then leaving the front door open.”

Most vulnerable industries

In terms of industries, globally the respondents ranked pharmaceutical, oil & gas, electric utilities, manufacturing, and building management systems as the top five most vulnerable to attack.

Most regions followed similar patterns, identifying three to five industries clustered closely toward the top of the list. The exceptions are the DACH region, where oil & gas clearly holds the top spot at 36%, and Singapore, where pharmaceutical is at 22%.

Most ICS vulnerabilities disclosed this year can be exploited remotely

More than 70% of ICS vulnerabilities disclosed in the first half of 2020 can be exploited remotely, highlighting the importance of protecting internet-facing ICS devices and remote access connections, according to Claroty.


The report comprises The Claroty Research Team’s assessment of 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during 1H 2020, affecting 53 vendors. The research team discovered 26 of the vulnerabilities included in this data set.

Compared to 1H 2019, ICS vulnerabilities published by the NVD increased by 10.3% from 331, while ICS-CERT advisories increased by 32.4% from 105. More than 75% of vulnerabilities were assigned high or critical Common Vulnerability Scoring System (CVSS) scores.

“There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible,” said Amir Preminger, VP of Research at Claroty.

“We recognized the critical need to understand, evaluate, and report on the comprehensive ICS risk and vulnerability landscape to benefit the entire OT security community.

“Our findings show how important it is for organizations to protect remote access connections and internet-facing ICS devices, and to protect against phishing, spam, and ransomware, in order to minimize and mitigate the potential impacts of these threats.”

Prominence of RCE vulns highlights need to protect internet-facing ICS devices

According to the report, more than 70% of the vulnerabilities published by the NVD can be exploited remotely, reinforcing the fact that fully air-gapped ICS networks that are isolated from cyber threats have become vastly uncommon.

Additionally, the most common potential impact was remote code execution (RCE), possible with 49% of vulnerabilities – reflecting its prominence as the leading area of focus within the OT security research community – followed by the ability to read application data (41%), cause denial of service (DoS) (39%), and bypass protection mechanisms (37%).

The prominence of remote exploitation has been exacerbated by the rapid global shift to a remote workforce and the increased reliance on remote access to ICS networks in response to the COVID-19 pandemic.


Vulnerabilities on the rise

The energy, critical manufacturing, and water & wastewater infrastructure sectors were by far the most impacted by vulnerabilities published in ICS-CERT advisories during 1H 2020.

Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, energy had 236, critical manufacturing had 197, and water & wastewater had 171. Compared to 1H 2019, water & wastewater experienced the largest increase of CVEs (122.1%), while critical manufacturing increased by 87.3% and energy by 58.9%.

Assessment of ICS vulnerabilities discovered

The research team discovered 26 ICS vulnerabilities disclosed during 1H 2020, prioritizing critical or high-risk vulnerabilities that could affect the availability, reliability, and safety of industrial operations.

The team focused on ICS vendors and products with vast install bases, integral roles in industrial operations, and those that utilize protocols in which researchers have considerable expertise. These 26 vulnerabilities could have serious impacts on affected OT networks, because more than 60% enable some form of RCE.

Researchers find critical RCE vulnerabilities in industrial VPN solutions

Critical vulnerabilities in several industrial VPN implementations for remotely accessing operational technology (OT) networks could allow attackers to overwrite data, execute malicious code or commands, cause a DoS condition, and more.


“Exploiting these vulnerabilities can give an attacker direct access to the field devices and cause some physical damage,” Claroty researchers noted.

The vulnerabilities

Since COVID-19 stepped on the global stage, enterprise-grade VPN installations have become a must for any organization that relies on a remote workforce. Simultaneously, they’ve become great targets for criminals looking for a way into companies’ IT networks and assets.

This situation has spurred the researchers to search for vulnerabilities in industrial VPN solutions used by remote operators and third-party vendors for accessing, maintaining and monitoring field controllers, programmable logic controllers (PLCs) and input/output (IO) devices deployed at oil and gas installations, water utilities and electric utilities.

These include Secomea’s GateManager M2M Server, Moxa’s industrial VPN servers with an all-in-one secure router, and HMS Networks’ eCatcher VPN client.

Secomea’s GateManager, which is an ICS remote access server deployed worldwide as a cloud-based SaaS solution with many general-purpose and white-label instances deployed, has been found to have several flaws, all pretty serious:

  • CVE-2020-14500 – arising from the improper handling of some of the HTTP request headers provided by the client, it could be exploited – remotely and without authentication – to execute malicious code and effectively gain access to a customer’s internal network
  • CVE-2020-14508 – an off-by-one error bug that may allow an attacker to achieve RCE or cause a DoS condition
  • CVE-2020-14510 – hardcoded telnet credentials
  • CVE-2020-14512 – weak hash type that could reveal users’ passwords

Moxa’s EDR-G902 and EDR-G903 series secure routers/VPN servers sport a stack-based buffer overflow bug (CVE-2020-14511) that could lead to RCE.

Finally, there’s a stack buffer overflow bug (CVE-2020-14498) in HMS Networks’ eCatcher, a proprietary VPN client that is used to connect to the company’s eWon VPN device, which allows machine builders and factory owners to remotely monitor the performance of their equipment.

This bug can be triggered by tricking targets into visiting a malicious website or opening a malicious email with a specifically crafted HTML element.

“By sending socially engineered emails that embed specifically crafted images capable of exploiting CVE-2020-14498, an attacker could execute code with the highest privileges and completely take over a victim’s machine just by making the victim view the malicious email,” the researchers demonstrated.

“The exploitation phase occurs immediately when the email client (e.g. Outlook) is loading the malicious images.”

What’s next?

The good news is that all of these flaws have been patched. The bad news is there are surely more of them that have yet to be unearthed, possibly by individuals with malicious intent.

With ransomware attackers increasingly looking for ways to disrupt mission-critical systems to force companies to pay hefty sums, we can predict that, sooner or later, they will exploit vulnerabilities in OT-specific solutions.

“We would also like to emphasize that these vulnerabilities reinforce the unique risks inherent to OT remote access,” the researchers noted.

“While the security features of most VPNs make them generally well-suited and secure for IT remote access, such features tend to be less comprehensive than the stringent role- and policy-based administrative controls and monitoring capabilities required to secure OT remote access connections and minimize the risks introduced by employees and third-parties.”

Claroty appoints Yaniv Vardi as Chief Executive Officer

Claroty announced Yaniv Vardi has been appointed the company’s Chief Executive Officer. Vardi joins Claroty after two consecutive record-breaking quarters for the company, including both year-over-year revenue and logo growth, and expanding customer acquisition even further globally and across several new verticals.

“We are living in a different world than we were even six months ago. Massive shifts have taken place in nearly every market imaginable, and industrial cybersecurity is no exception,” said Amir Zilberstein, Co-founder and Chairman of Claroty.

“Despite that, Claroty has had remarkable successes to date, including its recent record quarters, strong investment community, product innovation, and maturing executive team. The company is uniquely poised to be the preeminent leader in OT security and Yaniv’s skill set, vision, and expertise are what we need to get to our next level of impressive growth.”

Vardi is a dynamic and highly accomplished entrepreneur with more than two decades of global executive leadership experience. He was appointed based on his proven and repeatable success growing companies significantly in the industrial space from startups to mature, profitable enterprises—as he recently took a global business from dozens of millions to hundreds of millions of dollars in less than four years through mainly organic growth.

“The advancement of digital transformation in the industrial space has been further accelerated by the global COVID-19 crisis, with C-suite executives protecting cash while also prioritizing their key focus areas to achieve reliability, availability, and safety of their operations,” Vardi said.

“They are looking for a ‘one-stop-shop’ for their OT and Industrial IoT needs through visibility, monitoring, threat detection, vulnerability management, remote access, and so on, and Claroty is the only company in this industry that is able to deliver this end-to-end platform.”

Claroty improves the availability, safety, and reliability of OT assets and networks within industrial enterprises and critical infrastructure.

Unlike niche solutions that are limited to passive-only OT asset discovery, VPN-based remote access, or IoT-oriented platforms that do not fully address all OT needs, The Claroty Platform provides comprehensive OT asset and network visibility, segmentation, vulnerability management, threat detection, risk assessment, and Secure Remote Access (SRA) capabilities—all within a single, agentless solution. This is all enriched by the company’s award-winning OT security research team and its expansive integration ecosystem.

“I joined Claroty after a long journey of leading different solutions for the industrial space because I truly believe that with our talent, partners, and investors, we will lead the way in the OT security market.

“The Claroty Platform offers the broadest set of security controls and unmatched OT protocol coverage, and the company itself has some of the best talent across both the cybersecurity and OT security industries,” Vardi continued.

“I am excited to lead this very talented and unique team, to continue to build upon and expand our already proven vision, and to firmly secure Claroty’s place as the OT security market leader.”

Vardi will manage the company out of Claroty’s New York City headquarters.

New infosec products of the week: April 24, 2020

Trustwave Security Colony delivers resources, playbooks and expertise to bolster security posture

Trustwave Security Colony is based on thousands of hours of actual consulting projects helping organizations implement new information security programs and heightening levels of security maturity. The platform is available to any organization as a standalone resource or can be tied to existing Trustwave Consulting and Professional Services.


Amazon AppFlow automates bidirectional data flows between AWS and SaaS apps

Amazon AppFlow allows customers with diverse technical skills, including CRM administrators and BI specialists, to easily configure private, bidirectional data flows between AWS services and SaaS applications without writing code or performing data transformation.


DefenseCode ThunderScan SAST 2.1.0 supports Go and ABAP languages

DefenseCode announced support for two additional programming languages, Go and ABAP, in its SAST solution ThunderScan 2.1.0, which is designed to highlight security vulnerabilities in source code against published standards including PCI-DSS, CWE/SANS Top 25 and OWASP Top 10, along with DefenseCode’s own experience in security vulnerability analysis.


Claroty Platform: Enhanced continuous threat detection and secure remote access

The Claroty Platform leverages protocol coverage, scanning, segmentation, and secure remote access capabilities to grant visibility across all three OT dimensions critical to risk reduction: assets, network sessions, and processes.


Claroty Platform: Enhanced continuous threat detection and secure remote access

Claroty, the global leader in industrial cybersecurity, announced it has strengthened the Claroty Platform to deliver the industry’s broadest range of operational technology (OT) security controls in a single solution, thereby empowering enterprises to more easily and effectively reduce risks posed by increasing connectivity between OT and information technology (IT) networks.

“Enterprises have been transformed through digitization initiatives, causing once-isolated OT networks to be interconnected with the rest of the enterprise. However, those OT networks remain invisible to security teams since they communicate on proprietary protocols and have very different characteristics than IT networks,” said Galina Antova, Co-founder of Claroty.

“The Claroty Platform extends core security controls to OT environments, thereby closing the 25-plus year gap between the security posture of IT and OT networks, and delivering comprehensive governance and risk reduction across the parts of enterprise networks that were previously invisible and unsecured.”

Enriched by newly enhanced Continuous Threat Detection (CTD) 4.1 and Secure Remote Access (SRA) 3.0 components, the platform addresses four areas integral to risk reduction: visibility, threat detection, vulnerability management, and triage & mitigation.

All of Claroty’s OT security controls deploy rapidly and integrate seamlessly with existing IT security infrastructure, eliminating the burden of complex deployments, steep learning curves, and unfamiliar tools—all of which have long been barriers for achieving stronger industrial cybersecurity. These controls also improve IT and OT practitioners’ ability to protect the availability, reliability, and safety of their industrial environments.

Visibility

Before the risk to an industrial environment can be reduced, it must be assessed. This requires full visibility into the environment’s OT network, which has historically been difficult to attain due to the prevalence of unfamiliar OT assets, architectures, and protocols.

The Claroty Platform tackles this challenge by leveraging unmatched protocol coverage, scanning, segmentation, and secure remote access capabilities to grant complete visibility across all three OT dimensions critical to risk reduction: assets, network sessions, and processes.

Claroty is the only vendor to provide this caliber of visibility. With CTD 4.1, users can see and customize their view of critical information with greater ease. SRA 3.0 not only enables secure OT remote access, but it also provides real-time monitoring and recordings of all remote sessions for painless auditing and risk assessments.

Threat detection

Swiftly detecting threats is essential to reducing risk. But aside from visibility, OT threat detection also requires distinguishing true threats from false positives. This can be challenging for reasons ranging from the incompatibility of traditional detection tools with OT networks to a deficit of OT threat intelligence, among others.

The Claroty Platform makes effective detection attainable by automatically weeding out false positives and alerting users in real-time to anomalies and known and zero-day threats.

Now with CTD 4.1, users can also access and act on the latest OT threat intelligence faster than ever before with automatic updates via the Claroty Cloud, as well as utilize a customizable dashboard to quickly identify the threats that matter most.

Vulnerability management

Effective vulnerability management is necessary for reducing risk in industrial environments. The prevalence of legacy systems means vulnerabilities are common, but so are false positives and negatives due to visibility and bandwidth limitations.

The Claroty Platform resolves these issues by automatically identifying and comparing each OT asset to an extensive database of vulnerabilities tracked by Claroty’s research team, as well as to the latest Common Vulnerabilities and Exposures (CVE) data from the National Vulnerability Database (NVD).

And with CTD 4.1, users can now pinpoint the riskiest vulnerabilities and attack vectors in their environments, receive mitigation recommendations and filter out any noise faster and more easily than ever before.

Triage and mitigation

Time can significantly impact risk. The longer it takes for an alert to be evaluated, a threat neutralized, or exposure mitigated, the greater the risk to OT availability, reliability, and safety—as well as the entire enterprise—is likely to be.

New features within CTD 4.1 and SRA 3.0 combine purpose-built automation with deep OT context to further streamline and accelerate triage & mitigation processes. The Claroty Platform’s unique root cause analysis feature, which groups all alerts related to the same event or series of events, produces a higher signal-to-noise ratio and lower alert fatigue.

As a result, users can more effectively and efficiently handle alerts and ultimately reduce risk without being overwhelmed by false positives or lengthy investigations.

“Being alerted to vulnerabilities in real-time is a must-have for our Manufacturing operations,” said Kevin Tierney, Vice President of Global Cybersecurity for General Motors.

“We need solutions that allow our organization to quickly identify which assets have potential vulnerabilities and prioritize the actions we need to take in order to reduce and eliminate potential risks.”

“Securing critical infrastructure and industrial networks has become more important than ever, with all the new, unexpected obstacles and challenges that CISOs must overcome,” said Grant Geyer, Chief Product Officer of Claroty.

“The Claroty Platform, strengthened even further by these latest updates, is a complete OT security solution perfectly positioned to mitigate the emerging risks to OT environments.”

Smart cities are on the rise, what are the dangers?

A combination of job prospects, local amenities and other attractions is drawing more people to city living than ever before. Indeed, the UN estimates that by 2050 two-thirds of the global population will be living in cities, up from just over half currently. However, at the same time central government investment for urban areas continues to shrink, with UK cities being on “life support” due to lack of funding from Westminster for instance.


To cope with increasing populations and tightening budgets, civic managers are looking at better ways of doing more with less through automation technologies. While the creation of these “smart cities” has the potential to drive efficiencies and improve services, their implementation needs to be coupled with robust cybersecurity solutions and practices to mitigate the vulnerabilities that would make them attractive targets for threat actors.

What’s at risk?

Tempted by the possibilities of being able to remotely control and monitor assets and processes throughout their districts, city administrators are implementing smart technologies across a whole host of services. These include streetlighting, transportation, traffic control and utilities. Frost & Sullivan has predicted that there will be at least 26 fully fledged major smart cities around the world by 2025.

However, through greater connectivity comes greater risk and the results of a successful cyber attack on smart city infrastructure can be catastrophic. For instance, an attack against a city’s electricity grid could knock out power for an extended period resulting in businesses not being able to operate, and residents having to be without heating, lighting and cooking facilities. Another example could be that IoT sensors being used to notify refuse collectors when to pick up waste are taken down. The result would be that rubbish piles up for weeks at a time creating a public health risk.

In addition to the physical impact of a cyber attack, these systems run on a significant amount of data, including personal information, which presents another tempting target for thieves.

How severe is the threat?

Attacks against the IT systems of public sector authorities are happening almost continuously, with UK councils being hit by 800 every hour according to a freedom of information request from insurance brokers Gallagher. This should offer cause for concern to those in charge of smart cities as once a threat actor has infiltrated the IT environment, they could move laterally into an OT system if they are not properly segmented from each other.

While such an attack against an OT network has not yet affected the infrastructure of a smart city on a wider scale, businesses in the industrial sector have witnessed them to their cost. The likes of WannaCry and NotPetya infected production environments via the IT systems of companies including Merck and Renault, severely disrupting operations.

Unfortunately, risks are seemingly built into connected city systems. For instance, there are vulnerabilities inherent in the operating systems used in the OT and IoT devices common in smart cities. One such example is IPnet, which has not been supported since 2006 but is still being used in operating systems, leaving them open to attack. Further, those designing the architecture of smart devices look to make them as lightweight as possible, meaning that security is often an afterthought at best.

These risks are magnified by the fact that there are potentially hundreds of thousands, if not millions, of devices connecting to the OT network, all of which increase the attack surface for threat actors. The advent of 5G is adding to this, offering not only IoT devices new and better ways of connecting to the OT network, but cybercriminals too.

Mitigating the risks

To ensure they reap the benefits of creating smart cities without putting the safety of infrastructure, data and citizens at risk, city administrators must take a cybersecurity-first approach. They need to recruit and train security specialists who understand the different requirements for managing and protecting IT and OT networks.

City administrators should also look to implement robust processes and invest in the right technologies. Such technology should offer total visibility of what is running on a city’s network, as this is vital to keeping it safe. After all, you cannot protect something if you don’t know it’s there. As such, security teams need to know every detail about everything on their networks from make and model of a device through to IP address, patching schedule and risk level.

Armed with this information, security professionals will be able to see where the vulnerabilities are on their networks and take steps to remove them. In OT and IoT environments this can only be achieved through specialized solutions that are able to recognize the unique communication protocols used in production networks.

There is also the need to know how every asset on the network should behave when functioning normally. This will enable any unusual activity to be detected and acted upon. To be effective, automated monitoring should run continuously 24/7, providing security teams with contextualized alerts that are prioritized as to how urgently they need to be acted upon. In this way, security teams will have all the necessary information they need to deal with potential risks in order of severity, cutting down on the number of hours wasted in investigating low-level risks or even false positives.

Ultimately “smart” cities need to think of themselves as “cybersecurity” cities, building security into their OT networks, in the same way they build safety into their road networks.