Information and Operational Technology, what about cyber security?
If cybercrime was a country, it would be the third largest economy in the world after the USA and China, said the World Economic Forum.
In their quest for adequate protection, most organizations are addressing security for information technology (IT) rather than operational technology (OT). Can the methodologies and best practices we usually apply to IT be replicated in OT? Not without care: the two domains are distinct and have different security requirements.
As we know, IT refers to the use of computer technology for managing information, while OT refers to the use of technology in managing physical processes, such as manufacturing, transportation, and energy production. While IT systems are designed to protect data and information, OT systems are designed to interact with the physical environment.
ISO27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information, such as financial data, intellectual property, and personal data, by outlining a set of policies, procedures, and controls to manage risks to information security. The focus of ISO27001 is maintaining the so-called CIA of information, which means Confidentiality (information is accessible to authorized users only), Integrity (information is complete and correct), and Availability (systems responsible for delivering, storing, and processing information are accessible when required by authorized users). We can also add two other important elements, namely Authenticity (information is genuine) and Non-Repudiation (the sender of a message cannot later deny having sent it and the recipient cannot deny having received it).
As for OT, let’s consider a different standard: ISA/IEC 62443 addresses cybersecurity in Industrial Automation and Control Systems (IACS) and provides a framework for securing the control systems used in manufacturing, transportation, and energy production. Tailored to the unique requirements of IACS, ISA/IEC 62443 reverses the IT order of priorities: its focus is maintaining the AIC of physical assets and processes, that is Availability first, then Integrity, then Confidentiality.
This different focus has a relevant impact on the evaluation of the risks, threats, and security assessment. For instance, IT systems are more vulnerable to hacking, malware, and social engineering attacks, while OT systems are more vulnerable to physical attacks, such as tampering, sabotage, and theft.
Security assessments should therefore be conducted in different ways: active scanning for IT, where direct interaction with the systems is acceptable, and passive scanning for OT environments, where interaction with the systems is not allowed. In OT, human safety should always be prioritized.
Eager to learn more about cyber security in Operational Technology environments and how to protect your IoT infrastructure? Contact our cyber security experts!
Ready for a cyber turbulent 2023?
Cybercrime remains high on the agenda of governments, public organizations, and private companies worldwide. In 2023, the global annual cost of cyberattacks is predicted to top $8 trillion, says a recent Cybersecurity Ventures report, and the overall damages could reach $10.5 trillion annually by 2025. But the impact of cybercrime extends far beyond the economic costs.
Cybercrime can disrupt essential services such as hospitals, pipelines, transportation systems, government departments. It can jeopardize trust and the reputation of public and private service providers, increase geopolitical tensions, and undermine democratic principles. Interviewed by the Financial Times, Mario Greco, CEO at Zurich Insurance, said cyber threat “is not just data . . . this is about civilization. These people can severely disrupt our lives.” The potential magnitude is so serious, that he predicts cyber risks will soon become uninsurable.
While the World Economic Forum calls for global rules and a more expansive approach to foster cyber resilience, attack rates and costs are expected to rise dramatically in 2023 for different reasons.
As IBM’s Security Intelligence explains, today it’s easier than ever to access powerful ransomware and malicious tools. This means criminals can launch attacks even with modest technical skills, damaging businesses, governments, and organizations in nearly every sector, also hitting individuals.
The attack surface is rapidly expanding. In 2023 there will be more than 15 billion IoT devices worldwide, and tens of millions of employees from public and private organizations working remotely. Intruders may take control of a city network by violating a single connected IoT device such as a video surveillance IP camera, or reach corporate assets from a home office device.
Rising geopolitical conflicts are adding trouble by multiplying state-sponsored and politically driven attacks. We also see the rise of environmental and social hacktivists, launching anti-establishment incidents to promote a diverse set of causes around the globe. And high-profile targets like infrastructure or big corporations will not necessarily be their first choice, since small government offices, mid-sized city departments, or local utilities may be more vulnerable – so they may become the perfect starting point for resounding attacks.
Are you ready for a cyber turbulent 2023? Get in touch with our cybersecurity experts to learn how you can improve your organization’s cyber preparedness!
Case study: Quick intervention to impede website defacement
Over 40% of all websites worldwide use WordPress. This content management system owes its popularity to its open-source codebase and the possibility of extending the core functionality of a website via third-party plugins – there are more than 59 thousand official plugins currently available.
Plugins are in most cases developed by independent software companies and professionals with different levels of expertise and security awareness. Before being added to the official WordPress library, plugins are audited to ensure they work as intended, but also that they follow WordPress's security guidelines. However, not even the most efficient review team can test every WordPress plugin through the lens of cyber security and guarantee it is 100% secure. Also, consider that plugins are checked only when first added to the WordPress repository.
Many other plugins are available outside the official library. In most cases, they are cracked or alternative versions of fee-based plugins, which can be downloaded for free but may embed backdoors. For these reasons, it should come as no surprise that in 2021 about 98% of vulnerabilities concerning WordPress websites were related to plugins.
An outdated plugin ignited the compromise of one of our customers' websites. During a routine content update, its digital marketing team was unable to access the administration panel: the anomaly was suspicious enough to promptly call for an investigation. Paradox Engineering’s cyber security team analyzed the case, confirmed a cyber security incident and detected two attack vectors with different goals.
The first attack aimed at manipulating the home page of the website (so-called ‘website defacement’); the second was likely intended to host a hidden e-commerce site selling illegal goods. The attackers exploited an outdated, vulnerable plugin to upload a modified configuration file, which triggered a new WordPress installation on the host machine. The new installation process allowed the attackers to upload further malicious files and gain full control of the website.
In less than a week, the site would have become a valuable resource in the hands of cyber criminals. Fortunately, the request for investigation came to PE a few hours after the malicious files were uploaded, so it was possible to impede the website defacement. The early intervention reduced the time of compromise, leading to the clean-up of the website within a few hours.
Paradox Engineering’s incident management process is based on NIST best practices to mitigate the impact of an attack and speed up recovery. The first step is to collect as much data as possible about the events that occurred in the attacked system and extract relevant information about the attack vectors. After the assessment, it is important to quickly implement all necessary containment actions to block further attacker movement. Finally, after containment, a deep investigation to find the root cause helps define the best resolution and mitigation actions to prevent similar attacks in the future.
7 tips to protect your website:
- implement advanced authorization and authentication policies, together with website backup policies – store the backup in a safe place (not accessible from the web instance) and always use backup solutions that are not provided by CMS plugins
- prefer policies that follow the main principles of “need to know” and “least privilege”
- install only strictly necessary plugins and regularly delete the ones you don’t use
- keep the CMS and plugins updated. It’s recommended to set automatic updates for security patches and to apply major releases manually
- have a staging environment to test any update
- collect log events for the cybersecurity team to detect anomalies
- implement a change detection mechanism (e.g., through hashes) to notify the cybersecurity team in case of suspicious website access or modification
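As an added illustration of the last tip (not code from the original post or from Paradox Engineering), the following Python script builds a SHA-256 baseline of a web root and reports files that were added, removed or modified; it skips the cache directory and, under the uploads directory, tracks only server-side code files, since media there changes legitimately but PHP there does not belong. The web root layout, file names and the tampering it simulates are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions that execute server-side: their appearance under a media-only
# directory such as wp-content/uploads is a classic sign of a dropped script.
CODE_EXTENSIONS = {".php", ".phtml", ".phar", ".php5"}
UPLOADS_DIR = "wp-content/uploads"
IGNORED_PREFIXES = ("wp-content/cache/",)  # churns constantly, no integrity value


def sha256_of(path):
    """Stream the file so large archives and media do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_tracked(relative_path):
    """Policy: track all code, skip cache, and in uploads track only code files."""
    if relative_path.startswith(IGNORED_PREFIXES):
        return False
    if relative_path.startswith(UPLOADS_DIR + "/"):
        return Path(relative_path).suffix.lower() in CODE_EXTENSIONS
    return True


def build_baseline(webroot):
    """Map every tracked file (path relative to webroot) to its SHA-256 digest."""
    root = Path(webroot)
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if not entry.is_file():
            continue
        relative = entry.relative_to(root).as_posix()
        if is_tracked(relative):
            baseline[relative] = sha256_of(entry)
    return baseline


def compare(baseline, current):
    """Return the differences the cybersecurity team should be alerted about."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = baseline.keys() & current.keys()
    modified = sorted(path for path in common if baseline[path] != current[path])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a tiny fake web root, a baseline, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/plugins/old-plugin").mkdir(parents=True)
        (root / "wp-content/uploads/2023").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "readme.html").write_text("<html>WordPress</html>\n")
        (root / "wp-content/plugins/old-plugin/old-plugin.php").write_text("<?php // v1\n")
        (root / "wp-content/uploads/2023/photo.jpg").write_bytes(b"\xff\xd8 jpeg data")
        baseline = build_baseline(root)

        # Simulated tampering resembling the incident above: configuration file
        # replaced, a code file dropped in uploads, a stock file deleted, plus
        # one legitimate media upload that must NOT raise an alert.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'changed');\n")
        (root / "wp-content/uploads/2023/image.php").write_text("<?php // unexpected\n")
        (root / "readme.html").unlink()
        (root / "wp-content/uploads/2023/banner.png").write_bytes(b"\x89PNG new media")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In production the baseline would be written to storage the web instance cannot modify and the comparison run on a schedule, so that a report with anything in it reaches the team as an alert.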
Learn more about our Cyber Security Services and contact our experts to ask for consultancy and advice!
Case study: Discover and manage zero-day vulnerabilities
In a city or company infrastructure, the IoT attack surface includes all possible security vulnerabilities of connected devices, applications, and networks.
At first sight, an IP camera may seem harmless from a security point of view. However, particularly when connected to an IoT network, it may become an attractive target for a cyber criminal for three main reasons.
The first is about privacy: the hacker may be interested in acquiring and analyzing live images of people living or moving in a certain area to learn their habits and behaviors, or to get personal sensitive information (faces, car license plates, etc.). Secondly, the violation may grant visibility on the infrastructure to which the camera is connected and pave the way to a network attack. Last but not least, the breach may also lead to the exploitation of the camera's computational power for crypto mining, or its use as a node of a command-and-control network, known as a botnet.
During a routine security assessment on the IoT network of a customer, our cyber security team detected a newly installed device, specifically an IP camera. A research activity was run to assess whether the camera could be considered secure enough to be used and exposed on a public network. The team discovered two zero-day vulnerabilities: since such software vulnerabilities are typically found by researchers or potential attackers before the vendor becomes aware of them, no patches were available to fix them.
Discovering a zero-day vulnerability requires adopting an attacker's mindset and the expertise to ask the right questions: how many devices offer an attack surface? How deeply is the situation analyzed from the attacker's perspective? To answer these questions as exhaustively as possible, our cyber security experts leverage a methodological process that is part of the company's cyber security framework.
The analysis confirmed it was not secure to publicly expose the IP camera. The customer was given a detailed view of the risk the company was running. The first vulnerability would have allowed an unprivileged user to create a valid account and access all IP camera commands without authorization. The second vulnerability concerned the passwords of the IP camera users: by reverse engineering the publicly available source code, it would have been possible to discover the salt used in the hash function that stores user passwords.
Two different solutions were suggested: remove the camera and replace it with a more secure product, or install a firewall to limit access to known IP addresses. The customer agreed to remove the IP camera to avoid any possible issue and restore the overall security level.
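To make the second finding concrete, here is an added Python comparison (not the camera vendor's code nor Paradox Engineering's) of a password store that uses one salt hard-coded in the source against one that draws a random salt per user and runs a slow key derivation function; the salt value, user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Weak design modelled on the finding above: a single salt lives in the source
# code, so anyone who reads the code knows it. Constructed placeholder value.
STATIC_SALT = b"constructed-fixed-salt"


def weak_hash(password):
    """Fast hash with a shared salt: equal passwords give equal digests, and one
    precomputed table built around the leaked salt covers every user."""
    return hashlib.sha256(STATIC_SALT + password.encode()).hexdigest()


# Stronger design: per-user random salt stored beside the hash, slow KDF.
PBKDF2_ITERATIONS = 600_000  # slows offline guessing; tune to the device's CPU


def make_record(password, salt=None):
    """Create the stored credential record for a new user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo():
    """Two users with the same password: observe what each scheme leaks."""
    users = {"alice": "Camera123!", "bob": "Camera123!"}  # constructed sample
    weak = {name: weak_hash(pw) for name, pw in users.items()}
    strong = {name: make_record(pw) for name, pw in users.items()}
    return {
        # Shared salt: the two digests are identical, so whoever knows the salt
        # can spot password reuse and attack all accounts with one table.
        "weak_digests_collide": weak["alice"] == weak["bob"],
        # Random per-user salt: same password, different salts and digests.
        "strong_digests_collide": strong["alice"]["hash"] == strong["bob"]["hash"],
        "strong_salts_collide": strong["alice"]["salt"] == strong["bob"]["salt"],
        "correct_password_verifies": verify("Camera123!", strong["alice"]),
        "wrong_password_rejected": not verify("camera123!", strong["alice"]),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```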
Is your IoT infrastructure secure enough? Learn more about our Cyber Security Services and contact our experts to have all your questions answered!
When a city is held hostage – podcast
Cybersecurity threats are on the rise and ransomware is the prime threat for private companies and public bodies, says the latest ENISA Threat Landscape report by the European Union Agency for Cybersecurity.
Cybercriminals are increasingly motivated by the monetization of their activities, and their attacks are growing in terms of sophistication, complexity, and impact due to our massive online presence, the transition of traditional infrastructures towards digital solutions, advanced interconnectivity of systems, and the exploitation of new features of emerging technologies.
Ransomware and cryptojacking are the techniques money-oriented attackers use most frequently, and cryptocurrency remains their most common pay-out method. Unsurprisingly, ENISA highlights that supply-chain attacks rank high because of their significant potential to induce catastrophic cascading effects.
But something is changing. DDoS (Distributed Denial of Service) campaigns are becoming much more targeted, persistent, and increasingly multivector. And not all cyber offenders are primarily driven by money.
In the UK, on December 20th 2021, Gloucester City Council became aware of a cyberattack hitting its systems and resulting in some key services, such as housing benefit management, being delayed or unavailable. As reported by the BBC, it could take months to fix the affected servers and systems, while preliminary investigations unveiled possible links to hackers in the former Soviet Union.
The mounting tension between Russia and Ukraine is seen by cybersecurity experts as a possible trigger of hacking offensives threatening Europe, the US, and beyond. That has already happened in 2017 with NotPetya, a Russian cyberattack that targeted Ukraine but rapidly impacted the entire world at a cost of billions of dollars.
The likelihood of cyberwar scenarios makes ENISA underline there are four categories of cybersecurity threat actors to be monitored: ‘traditional’ cybercriminals, state-sponsored attackers, hacker-for-hire actors, and hacktivists. Understanding how these actors think and act, what their motivations and goals are, is an important step towards a stronger cyber incident response.
Are cities prepared to recognize and face such different threats? Listen to Nicola Crespi, head of R&D at Paradox Engineering, and Dario Campovecchi, our cybersecurity architect, in a conversation that explores some of the most acute dangers Smart Cities are confronted with, and how to manage cybersecurity as a lifelong journey.
The podcast is available on Tomorrow.City.
What about cybersecurity in Smart IoT Cities?
“Your city has been hacked” – this is the news everybody fears...
If measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China. According to a report by US-based firm Cybersecurity Ventures, cybercrime is predicted to inflict damages of 6 trillion US dollars globally in 2021. Growing by 15% per year, expected damages will reach 10.5 trillion US dollars by 2025, including stolen money, theft of personal and financial data, theft of intellectual property, lost productivity, forensic investigation, restoration and deletion of compromised data and systems, and reputational harm for the hacked organization.
A cyberattack could potentially disrupt essential public services, expose personal and financial data, and disable the economy of a city. Not a reassuring perspective for cities which are increasingly relying on interconnected networks and sensor-based infrastructures to operate and deliver any application that people and businesses need, from energy distribution to mobility systems, from street lighting to municipal waste collection, and more.
Are cities prepared to face such a threat? An online survey we carried out in October 2021 targeting city officers, utility managers and ICT professionals, found that two-thirds (67 per cent) felt their city was “somewhat vulnerable” to cyberattacks and only four per cent claimed to be “100 per cent cybersecure”. The majority’s (42 per cent) main concern in the case of an attack was around financial data violation, followed by business continuity (40 per cent) and personal data privacy (18 per cent).
How can cities mitigate cybersecurity risks and build a secure foundation for their IoT infrastructure? How can we manage cybersecurity as a lifelong journey? Don't miss our digital event 'What about Cybersecurity in Smart IoT Cities?' on Thursday November 18th, 2021: at Smart City Expo World Congress, our Chief Innovation Officer Nicola Crespi and our Cybersecurity Architect Dario Campovecchi will discuss Paradox Engineering's security by design approach and introduce some innovative services we will launch in 2022.
Free registration is required, contact us to submit questions in advance!
Zero trust, the new cybersecurity buzzword
Any device or network architecture can be breached, that’s true. So we shouldn’t trust any user or system. This simple but trenchant assumption underpins ‘zero trust’, a new hype concept in cybersecurity and a ‘very fashionable term’ in the tech world, as the UK's National Cyber Security Centre defined it.
Widespread digitalization, new hybrid workforces and collaboration models, and the growing sophistication of cybercrime created the conditions for a more restrictive vision of data and infrastructure protection. While the EU is shaping its Cybersecurity Strategy, the US is already approaching zero trust after President Biden's "Executive Order on Improving the Nation's Cybersecurity." Released last May, the order basically pushes federal agencies to implement zero trust architectures and prepare for future enhancements. Updated guidance was released last week and agencies are given specific security goals to be achieved by September 2024.
If asked to summarize what zero trust is about, we might say “Never trust, always verify”. The idea is to remove inherent trust from the network, and not to trust devices by default just because they are inside the perimeter of a firewall or VPN. A zero-trust architecture should verify everyone and everything, using granular techniques to permit only necessary network access and transactions.
The migration to this network design could be expensive and somewhat disruptive for most organizations, and it could take years to complete due to the extent of the changes to be implemented.
Zero trust supporters highlight that this strict model allows the organization to minimize cyberattack risks, define stronger authentication and authorization policies, reduce the network overhead, and react more quickly in case something gets compromised.
However, we need to remember 100 percent cybersecurity is an impossible goal, unless we fully give up on innovation and digital transformation. So zero trust architectures or solutions can’t be taken as the ‘silver bullet’ answer to solve everything.
Some analysts recommend a pragmatic approach, starting with an accurate assessment of actual vulnerabilities. Which network elements actually require zero trust protection? Which data, transactions, or applications need to be locked down with the utmost level of security? This kind of analysis could lead to the decision to shift to zero trust only for the most critical assets, while adopting more proactive and systematic cybersecurity measures elsewhere without adding unnecessary complexity.
What’s your approach to cybersecurity? Is zero trust applicable to your network? Contact our cybersecurity experts to share thoughts and insights!
Cybersecurity in Smart Cities: don’t be trapped in the survivorship bias
During World War II, a team of researchers at Columbia University was asked to examine the damage done to aircraft that had returned from missions and recommended adding armor to the areas that showed the most damage. This sounded pretty logical, but the statistician Abraham Wald contradicted the US military's conclusions by pointing out that only the aircraft that had survived had been considered. Since the bullet holes in the returning aircraft identify areas where a bomber could take damage and still fly well enough to come back safely to base, Wald proposed to reinforce the areas where the returning aircraft were unscathed.
The ‘survivorship bias’ – that is, the logical error of concentrating on people or things that passed some selection process and overlooking those that did not – can lead to false conclusions in several different ways, and it is a pitfall for cybersecurity too.
In 2020 the Center for Long-Term Cybersecurity at UC Berkeley surveyed 76 cybersecurity experts and ranked different technologies according to underlying technical vulnerabilities, their attractiveness to potential attackers, and the potential impact of a successful serious cyberattack. According to this study, not all Smart City technologies pose equal risks: emergency alerts, street video surveillance, and smart traffic signals stand out as the most vulnerable, while smart waste systems and satellite water leak detection are deemed among the safest.
City officials should therefore consider, on a case-by-case basis, whether cyber-risks outweigh the potential gains of technology adoption, and invest more in technologies that are both vulnerable in technical terms and attractive targets for capable attackers, because the impact of an attack on them is likely to be great. Again, this sounds like a logical recommendation – but let us beware the survivorship bias.
Achieving 100% cybersecurity is an impossible goal unless we fully give up on innovation and digital transformation. However, cities should be 100% conscious that any urban network infrastructure and application should be properly designed and implemented with security built in from the outset. Even potentially unattractive systems – such as streetlights – might become interesting to criminals, and the human element is often the weak link that turns a vulnerability into an actual breach.
Many governments around the world are raising cybersecurity consciousness and starting dedicated programs to protect critical systems and resources. Last May, President Joe Biden signed an executive order aimed at strengthening US cybersecurity defenses, a move that follows a series of sweeping cyberattacks on private companies and federal government networks over the past year. The order seeks to move the federal government toward more modern and safer digital infrastructure, and sets stricter rules for IT service providers working with public bodies.
Italy is set to create a national agency responsible for fighting cyberattacks and creating a unified cloud infrastructure to increase security for public administration data storage. Most European countries are boosting their efforts to counter cyber risks, seen as a threat to their security and competitiveness in an increasingly networked world.
While we head for improved systems and data protection, we shouldn’t forget that it is possible to balance the value of innovative technology with the lowest possible risks. At Paradox Engineering, the balance is struck thanks to our ‘security by design’ approach: this means injecting cybersecurity into IoT technologies from their very inception and combining different methods (blockchain, dedicated hardware security modules on devices, ultra-reliable encryption, and other features) to ensure urban infrastructures are intrinsically secure.
Securing cities is an ongoing challenge which requires an overarching approach and strategy (let us avoid the survivorship bias!), together with constant monitoring, learning and collaboration, especially as hackers tap advanced technologies such as AI to become more effective and cybersecurity insurance costs soar.