SCADA Security of Deep Concern as Cyber Attacks Against Government Escalate

“ClearEnergy” May Have Been Fake News, But Threats Against ICS / SCADA Security Are Quite Real


Accusations of “fake news” rocked the cyber security industry last week after infosec provider CRITIFENCE implied that it had detected a brand-new “in the wild” ransomware variant called ClearEnergy that posed a clear and present danger to ICS and SCADA security — and it turned out that ClearEnergy didn’t actually exist. Bleeping Computer reports:


After the publication of an article in Security Affairs called “ClearEnergy ransomware aim to destroy process automation logics in critical infrastructure, SCADA and industrial control systems,” security researchers used Twitter to bash the company for what they felt were lies about real world attacks, the company orchestrating a media stunt, and not releasing any research they could vet.

After being mercilessly taken to task on Twitter, CRITIFENCE engaged in furious backpedaling, claiming that the company had “[forgotten] to mention [that ClearEnergy] was only a proof-of-concept ransomware, and promised to release more details in the upcoming days.”

However, it turned out that this particular fake news story contained a rather important kernel of truth; Bleeping Computer reports that “two security flaws CRITIFENCE discovered are real and have resulted in a patch from Schneider Electric, the PLC vendor whose products are affected.”

The ClearEnergy debacle does not negate the fact that ransomware and other cyber attacks against the government and critical infrastructure are skyrocketing, and ICS and SCADA security is in bad shape, putting our nation’s critical infrastructure at risk.

Government Organizations Besieged by Ransomware

Ransomware attacks are most commonly associated with the healthcare industry, but in reality, educational institutions are the most frequent ransomware targets, followed by the government, with healthcare in third place. Attacks against government facilities are growing rapidly, having tripled over the past 12 months.

There’s no reason to think that hackers cannot or will not target the SCADA networks and other industrial control systems used by utility and transportation organizations, other critical infrastructure providers, and even automation systems for “smart” buildings.

In fact, it’s already happened. Last Friday, hackers breached the emergency warning system in Dallas, Texas, causing 156 warning sirens to begin blaring in the middle of the night and panicking residents, who flooded the city’s 911 centers with calls. Other notable attacks against critical infrastructure include:

SCADA Security Can No Longer Hinge on Obscurity and Isolation

ICS and SCADA networks were first introduced in the 1960s, and some organizations are still running legacy systems that date that far back. They suffer from the same problem as ATMs and electronic voting machines: Because their design pre-dates the internet, they were built with functionality, safety, and efficiency in mind, but not cyber security. When threats of cyber crime emerged, it was assumed that SCADA systems were inherently safe because of “security through obscurity” and “security through isolation.” Some SCADA equipment is not continuously connected to the internet (isolation), and most systems use proprietary interfaces and specialized protocols that aren’t widely known (obscurity).

The problem with equating obscurity and isolation with cyber security is that the internet has rendered both of these “protective” measures obsolete. While industrial control systems and protocols may be obscure, they are far from impossible to research; after all, a bored teenager managed to figure it out. A determined cyber terrorist can also enlist the help of a malicious insider or use spear phishing or another social engineering scheme to take advantage of an unwitting employee. Isolation cannot be counted on because all SCADA equipment must periodically be connected to the internet, or at least to a flash drive, for brief periods to send and receive information or download updates.

Eventually, a terrorist will hack a SCADA system at a power plant, a train station, or another part of the nation’s critical infrastructure, possibly as part of a larger terrorist attack. Public and private sector agencies must work together to proactively secure industrial control systems and ensure they meet the highest levels of cyber security.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Schedule some time with our Superheroes for a Free Assessment!


Will Cyber Insurance Cover You After a Ransomware Attack?

Don’t depend on a cyber insurance policy to cover your losses after a ransomware attack.


Hackers have discovered that there’s fast, easy money in holding enterprise systems hostage, especially in industries that process and store highly sensitive data, such as education and healthcare. The U.S. Department of Justice recently reported that ransomware attacks quadrupled between 2015 and 2016, to an astounding 4,000 attacks a day. Most businesses hit with ransomware are knocked offline for at least a week, and it’s estimated that the ransomware epidemic cost organizations over $1 billion last year alone. With those sobering statistics in mind, more organizations are considering purchasing cyber insurance to protect themselves. But while cyber insurance can help to some extent, it is no substitute for comprehensive information security.


Cyber Insurance Coverage Can Be Expensive, Skimpy, and Uncertain

Cyber insurance is a brave, uncertain new world for both insurers and policyholders. Because widespread internet access is relatively new in the grand scheme of things, and the threat landscape changes daily, insurers don’t have access to the historical data they need to build accurate predictive models, nor do they have the technical expertise to anticipate future threats. Meanwhile, a lack of standardization means that organizations cannot make “apples to apples” comparisons when evaluating coverage options – if the organization even knows how much coverage it needs in the first place, a tall order in a world where businesses are only now coming to terms with cyber threats and their individual risk environments. The result is a confusing marketplace filled with high-cost, “skinny” policies. It’s understandable why fewer than one-third of U.S. businesses have purchased coverage, including only 40% of Fortune 500 companies.

All Insurance Policies Have Exclusions

As with all other types of insurance, there are certain things cyber insurance won’t cover. For example, cyber insurance does not cover ransomware attacks that are connected to malicious insiders, such as a disgruntled former or current employee, or even an angry vendor. Additionally, if a policy does not specifically include “extortion coverage,” ransomware won’t be covered at all. Even worse, if a business publicly discloses that it has purchased extortion coverage – such as in a press release or in an SOC report – the policy is rendered invalid.

The legalities of cyber insurance are evolving as quickly as the threat environment; what is and isn’t covered can be difficult to determine, and policyholders may find themselves having to take their insurers to court to get their claims paid.

How Long Can You Afford to Be Locked Out of Your Systems?

Remember that insurance does not prevent catastrophes; it helps you clean up after a catastrophe has occurred. Even the most robust cyber insurance policy cannot protect against the biggest problem ransomware causes: being locked out of your systems and data for days, weeks, perhaps even months. In a healthcare environment, the inability of front-line employees to access electronic medical records could result in patients being maimed or even dying. While organizations in other industries may not face literal life-and-death situations, the damage from having to cease operations until the computers are back online could be crippling, especially for startups and other small businesses.

The Best Defense is a Good Offense

If you are thinking of purchasing a cyber insurance policy, don’t attempt to go it alone. Seek professional help from a reputable cyber security firm such as Continuum GRC. Our experts will evaluate your risk environment, determine how much coverage you need, and help you choose the most suitable policy for your organization’s needs.

However, cyber insurance coverage is not a replacement for comprehensive, proactive cyber security. The best way to defend your organization against a ransomware attack is to make sure one never happens in the first place.


New York State Cyber Security Regulations Emphasize Governance, Risk & Compliance

New York State Cyber Security Law Heavy on GRC and Proactive Cyber Security

The first phase of the New York state cyber security regulations, which apply to insurance companies, banks, and other financial institutions operating within the state, went into effect at the beginning of March. While the insurance and finance industries are already subject to numerous cyber security-related standards and regulations, New York’s legislation represents the first time a state has mandated specific cyber security requirements.


Breaking Down the Requirements

If you want to read all 14 pages and 23 sections, you can download a PDF copy of the regulations here. The requirements, which are being phased in over a two-year period, mandate that organizations engage in proactive cyber security and GRC practices, such as:

• Conducting a comprehensive risk assessment and using the results to design and implement a cyber security program, a written cyber security policy, and a written incident response plan. Further, a separate cyber security policy must be established for third-party service providers.
• Designating a Chief Information Security Officer (CISO) and employing “qualified cybersecurity personnel,” either in-house or through a third-party provider, to perform information security-related functions.
• Providing all employees with ongoing cyber security awareness training, and providing cyber security employees with continuous training to keep them current in their field.
• Performing periodic penetration testing, vulnerability assessments, and risk assessments.
• Establishing appropriate system user access privileges, maintaining system audit trails, and utilizing technical controls such as multi-factor authentication and data encryption.
• Adhering to certain reporting, notification, and confidentiality requirements.

SMBs Fret Over Complying with New York State Cyber Security Law

Most affected organizations have until August 28, 2017, to implement the first phase of the New York State cyber security regulations, including the cyber security policy, employee training program, incident response program, designating a CISO, and hiring qualified cyber security employees. Despite the fact that smaller firms – those with fewer than 10 employees and less than $10 million in assets and $5 million in gross revenues – are exempt from certain portions of the law, many small and medium-sized businesses are worried about their ability to comply.

Although the new law mirrors numerous existing cyber security frameworks and standards, such as ISO 27001, FFIEC, GLBA, NIST CSF, and OCC, as well as guidance from the FTC, many organizations have neglected information security for years. These firms will need to do some serious catching up – and they are not going to get away with simply updating a couple of lines in their existing policies or appointing the office manager the “CISO.” They will need to completely shift their mindset, overhaul their cyber security governance, policies, and plans, implement specific security controls and, in many cases, drastically increase their security budgets to pay for all of these changes.

Even for organizations that grasp the importance of proactive cyber security, compliance concerns are warranted. Not only are the law’s requirements quite involved, but they also require that firms hire or contract with qualified cyber security experts and a CISO. There is simply no getting around seeking out expert help. Meanwhile, there is a severe shortage of workers with cyber security skills. ESG Research reports that nearly half of all organizations cited “a problematic shortage of cyber security skills in 2016.” Even when organizations can locate qualified talent, they must pay top dollar to attract it. The New York state cyber security regulations are expected to shrink the talent pool even further and drive salaries even higher as multinational Wall Street finance companies with deep pockets snap up security analysts and engineers.

Automation and Outside Help Are Keys to Compliance

Most SMBs, as well as more than a few large businesses, will find that hiring in-house cyber security talent is out of reach. The labor costs alone will break many smaller firms’ budgets – if they can even find qualified workers in the first place. Fortunately, organizations may fulfill the law’s personnel requirements, including the requirement for a CISO, by enlisting the services of a professional cyber security firm such as Continuum GRC. Outsourcing your organization’s cyber security and compliance ensures that you get the expert talent you need immediately and at a price that is far lower than hiring in-house employees. Further, your organization would not have to shoulder the burden of the continuous cyber security training that is required by the New York law.

Automation is also critical. Many organizations still use spreadsheet programs for their IT audits, compliance, and reporting. This time-consuming, inefficient, dysfunctional practice has been outdated for years – and the New York regulations are going to expose its weaknesses even more clearly. Now more than ever, organizations of all sizes must ditch manual IT audits, reporting, and GRC processes and use RegTech software such as Continuum GRC’s IT Audit Machine (ITAM IT audit software). The ITAM IT audit software can help you comply with the New York cyber security law by integrating your IT governance, policy management, risk management, compliance management, audit management, and incident management; creating, measuring, monitoring, and managing your IT governance programs; and providing clear visibility into key risk indicators, assessment results, and compliance initiatives, with integrated reporting of self-assessments, manual assessments, and automated controls.

New York Cyber Security Law Expected to Be Model for Other Industries & Localities

Even if your business is not located in New York state or operates outside of the finance and insurance industries, it is likely that these new regulations will eventually impact your business. First, because of the international reach of the finance and insurance industries in New York, other states and even other countries are expected to use the law as a model as they seek to stem the tide of data breaches, identity theft, and other forms of cyber crime. Second, the New York State cyber security regulations heavily emphasize governance, risk, and compliance processes that all organizations should be engaging in anyway, as part of their proactive cyber security plan.

Your organization does have a proactive cyber security plan, doesn’t it?

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with the New York cyber security regulations and all other applicable laws, frameworks, and standards.
