Huawei has replaced thousands of product components banned by the US with homegrown versions, its founder has said.
The post Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder appeared first on SecurityWeek.
Some say the White House cybersecurity strategy is largely aspirational. Its boldest initiatives — including stricter rules on breach reporting and software liability — are apt to meet resistance from business and Republicans in Congress.
The post White House Cybersecurity Strategy Stresses Software Safety appeared first on SecurityWeek.
Endor Labs has introduced an OWASP-style listing of the most important or impactful risks inherent in the use of open source software (OSS).
The post Top 10 Security, Operational Risks From Open Source Code appeared first on SecurityWeek.
Software supply chain security startup Lineaje today announced that it has raised $7 million in a seed funding round led by Tenable Ventures.
Dreamit Ventures and Veear Capital also participated in the investment round, along with various angel investors.
Founded in 2021, the Saratoga, California-based company helps organizations secure their software supply chain, regardless of whether they are the developers, suppliers, or users of software.
Lineaje’s SBOM360 software supply chain management solution can identify all the components of software, along with their dependencies, to assess the supply chain authenticity and identify potential compromise.
Lineaje’s platform manages over 150,000 software bills of materials (SBOMs) across custom applications, open source software, commercial off-the-shelf (COTS) solutions, mobile applications, and containers.
The company is also assisting Tenable Ventures in building shareable data models to improve runtime security and mitigate weaknesses in deployed software.
The funding will allow Lineaje to accelerate go-to-market operations, expand its employee base, and invest in research and development.
The post Software Supply Chain Security Firm Lineaje Raises $7 Million appeared first on SecurityWeek.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Supply Chain Security – The supply chain threat is directly linked to attack surface management (it potentially represents a hidden part of the attack surface) and zero trust (100% effective zero trust would eliminate the threat). But the supply chain must be known and understood before it can be remediated.
In the meantime – and especially throughout 2023 – it will be a focus for adversaries. Why attack a single target when successful manipulation of the supply chain can get access to dozens or even hundreds of targets simultaneously?
The danger and effectiveness of such attacks is amply illustrated by the SolarWinds, log4j, Spring4Shell, Kaseya, and OpenSSL incidents.
Supply chain attacks are not new. The iconic Target breach of late 2013 was a supply chain breach. The attackers got into Target using credentials stolen from its HVAC provider, Fazio Mechanical Services – that is, via Target’s supply chain.
The 2018 breach of Ticketmaster was another supply chain breach. A Ticketmaster software supplier, Inbenta, was breached and Inbenta software was modified and weaponized. This was automatically downloaded to Ticketmaster.
Island hopping is another form of supply chain attack. In 2017, Operation Cloud Hopper was revealed. This disclosed that an advanced group, probably APT10, was compromising managed service providers to gain access to the MSP’s customers.
Despite these incidents, it has only been in the last couple of years, fueled by more extensive incidents such as SolarWinds, that industry has become cognizant of the full threat from increasingly sophisticated and wide-ranging supply chain concerns. But we should not forget that the 2017 NotPetya incident also started as a supply chain attack. Software from the Ukrainian accounting firm M.E.Doc was weaponized and automatically downloaded by the firm’s customers, before spreading around the globe. Both SolarWinds and NotPetya are believed to be the work of nation state actors.
All forms of supply chain attacks will increase in 2023, and beyond. Chad Skipper, global security technologist at VMware, specifically calls out island hopping. “In 2023, cybercriminals will continue to use island hopping, a technique that aims to hijack an organization’s infrastructure to attack its customers,” he warns. “Remote desktop protocol is regularly used by threat actors during an island-hopping campaign to disguise themselves as system administrators. As we head into the new year, it’s a threat that should be top of mind for all organizations.”
That supply chain attacks will increase in 2023 and beyond is the single most extensive prediction for 2023. “Supply chain attacks happen when hackers gain access to a company’s inner workings via a third-party partner, a method that provides them with a much greater amount of privileged information from just one breach,” explains Matt Jackson, senior director security operations at Code42. “This type of attack already rose by more than 300% in 2021, and I anticipate this trend will continue in 2023, with these attacks becoming more complicated and intricate.”
Lucia Milică, global resident CISO at Proofpoint, worries that despite all the wake-up calls so far, “We are still a long way from having adequate tools to protect against those kinds of digital supply chain vulnerabilities. We predict these concerns will mount in 2023, with our trust in third-party partners and suppliers becoming one of the primary attack channels.”
The result, she added, is, “We expect more tension in supply chain relationships overall, as organizations try to escalate their vendors’ due diligence processes for better understanding the risks, while suppliers scramble to manage the overwhelming focus on their processes.”
Jackson added, “Because many third-party partners are now privy to more sensitive data than ever before, companies can no longer rely on their own cybersecurity prowess to keep information safe.”
“Supply chain attacks purposefully target the smaller organizations first because they’re less likely to have a robust cybersecurity setup, and they can use those companies to get to the bigger fish,” he continued. “In the next year, companies will become even more diligent when deciding on an outside organization to work with, creating an increase in compliance verifications to vet the cyber tools used by these prospective partners.”
Anand Raghavan, co-founder and CPO at Armorblox, expands on this theme. “This becomes particularly relevant,” he said, “for the Fortune 500 or Global 2000 companies that have a large ecosystem of suppliers, vendors, and distributors whose security stacks are nowhere as mature as those of large organizations. Large organizations might consider requiring all vendors to follow certain security best practices, including modernizing their email security stack if they want to continue being a vendor in good standing.”
Interestingly, despite all the warnings of an escalating threat, Christopher Budd, senior manager of threat research at Sophos, notes, “Unlike two years ago when the SolarWinds attack put supply chain attacks high on people’s radar, supply chain attacks have faded from prominence.” This may be a misleading premise. The discovery of a vulnerability in a widely used piece of software, such as the log4j vulnerability, will be used by individual cybercriminals and nation state actors alike.
However, targeted attacks such as that against SolarWinds require resources and skill. These attributes are usually found only in the more advanced gangs and nation state actors. Such adversaries have another attribute: patience. “Today’s and undoubtedly tomorrow’s threat actors have shown they can play the long game,” warns Pieter Arntz, senior intelligence reporter at Malwarebytes.
Budd also warns that despite their immediate lack of prominence (at the time of writing, but anything could happen tomorrow), “Supply chain may be something that continues to not gather news, similar to 2022. But it will remain a real threat and one that organizations should be prioritizing across the board, in part because effectively countering this threat requires a comprehensive, careful, methodical approach.”
The primary growth area in supply chain attacks will likely be the software supply chain. “Over the past few years,” explains Eilon Elhadad, senior director of supply chain security at Aqua, “increasing pressure to deliver software faster has widened attack surfaces and introduced severe vulnerabilities.”
New tools, languages and frameworks that support rapid development at scale are being targeted by malicious actors, who understand the widespread impact that results from attacks to the software supply chain.
“In 2023,” Elhadad continued, “software supply chain threats will continue to be a significant area of concern. These attacks have a larger potential blast radius to allow hackers to impact entire markets and wreak havoc for organizations.”
Eric Byres, founder and CTO at aDolus, agrees. “Software supply chain attacks will continue to increase exponentially in 2023,” he said; “the ROI on these attacks is just too sweet for professional adversaries to resist.” He notes that supply chain attacks have increased by 742% over the last three years.
Much of the software supply chain threat comes from the growing reliance on open source software libraries as part of the ‘increasing pressure to deliver software faster’. Zack Zornstain, head of supply chain security at Checkmarx, believes the software threat will particularly affect the open source supply.
“We believe that this threat of compromising open source packages will increase as malicious code can endanger the safety of our systems, ranging from ransomware attacks to the exposure of sensitive information, and more. We expect to see this as a general attack vector used both by cyber firms and nation-state actors. SBOM adaptation will help clarify which packages we’re using in applications, but we will need to invest in more controls to ensure the safety of those packages,” he said.
“Organizations should be on high alert for supply chain attacks if they use open-source software,” warns Kevin Kirkwood, deputy CISO at LogRhythm. “Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them.”
If the source code of an open source software library either has – or can be engineered by bad actors to have – a vulnerability, then every company that downloads and uses that code becomes vulnerable.
“In 2023,” continues Kirkwood, “we’ll see bad actors attack vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that uses third-party code. Attackers will infect the open-source repositories and chromium stores with malicious code and will wait for developers and other end users to come along and pick up the new sources and plugins.”
Venafi’s Matt Barker, president of cloud native solutions, adds, “We’re seeing many instances of vulnerable code brought inside their firewall by developers trying to go fast using unverified code from GitHub, or copypasta from Stack Overflow.”
He continues, “Thankfully, we’ve reached a collective sense of focus on this area and are seeing tremendous developments in how we tackle it. This is only going to increase through 2023 as we see more start-ups popping up and open source tools like cosign and sigstore designed to help it. Biden’s SBOM initiative has helped bring attention to the requirement, and The OpenSSF is leading in this charge.”
Mark Lambert, VP of products at ArmorCode, expands on this. “As the software supply chain continues to get more complicated, it is vital to know what open source you are indirectly using as part of third-party libraries, services (APIs) or tools. This is where SBOM comes in,” he said. “By requiring a disclosure of all embedded technologies from your vendors, you can perform analysis of those libraries to further assess your risk and react appropriately.”
Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity introduced the concept of a software bill of materials (SBOM), effectively if not actually mandating that software bought (or supplied) by government agencies be accompanied with a bill of materials. It described the SBOM as “a formal record containing the details and supply chain relationships of various components used in building software,” and analogous to a list of ingredients on food packaging.
While the advantages of the SBOM may appear obvious in helping software developers understand precisely what is included in the open source libraries they use, it must be said that not everyone is immediately enthusiastic. In December 2022, it emerged that a lobbying group representing major tech firms such as Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom and Palo Alto Networks was urging the OMB to ‘discourage agencies’ from requiring SBOMs. The group argued that the requirement is premature and of limited value — but it didn’t ask for the concept to be abandoned.
It is the complexity and difficulty in both compiling and using an SBOM that is the problem — and it is these concerns that will drive a lot of activity through 2023. The value of the concept outlined in the executive order remains undiminished.
“Incidents such as Log4shell [log4j] and the most recent SpookySSL vulnerabilities [CVE-2022-3602 and CVE-2022-3786] will push the adoption of a software bill of materials as a core component of achieving effective incident response, while efforts will continue in maturing the SBOM ecosystem (adoption across sectors, tooling, standardization around sharing and exchanging of SBOMs and more),” explains Yotam Perkal, director of vulnerability research at Rezilion.
“One of the big challenges I see in the year ahead is that this is more data for the development teams to manage as they deliver software,” notes Lambert. “In 2023, organizations are going to need ways to automate generating, publishing and ingesting SBOMs – they will need ways to bring the remediation of the associated vulnerabilities into their current application security programs without having to adopt whole new workflows.”
As part of this process, Michael Assraf, CEO and co-founder at Vicarius, said, “We predict that a new market will evolve called binary software composition analysis, which will look for software files that are different from what was pre-packaged and shipped. Automated techniques can utilize machine learning that will find this discrepancy, which will be vital in knowing where your risk lies and how large your attack surface can potentially be.”
Thomas Pace, CEO at NetRise, suggests, “SBOM is going to continue to garner mainstream adoption, not just from software/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use.”
He adds, “The need to be able to rapidly understand the provenance of software components is becoming increasingly critical. Without this visibility, the window for attackers to exploit these vulnerabilities is much too big and puts cyber defenders at a significant disadvantage.” But he also notes, “strong efforts from organizations like Google have moved the ball forward in a positive way. Efforts such as open-source insights provide a lot of visibility for end users and vendors alike to scale out the analysis of these components.”
The problems involved with SBOM generation and use have not yet been solved, but enthusiasm remains. We can expect considerable effort into automating these processes to continue throughout 2023.
Nevertheless, Kurt Baumgartner, principal security researcher at Kaspersky, warns, “Open source projects continue to be polluted with malicious code. Awareness of these issues and challenges increase, but the attacks continue to be effective on a large scale. Despite the best efforts of software bill of materials, complex dependency chains help ensure that malicious code is uncontrolled for a time in some projects.”
Despite all companies’ need to be wary of potential software supply chain attacks via the code they develop for their own use, we should not forget that there is a potentially more catastrophic physical supply chain threat. We need only consider the effect the prevention of grain supplies leaving Ukraine (because of the Russia/Ukraine conflict) had on global food supplies to see the potential. Covid-19 also affected many different global supply chains, causing panic buying and popular distress in its early days.
These were not the result of cyberattacks – but many of those physical supply chains could be disrupted by cyberattacks. The Colonial Pipeline incident, although a financially motivated attack, had an immediate effect on the supply of oil to eastern USA. The longer the Ukraine/Russia conflict continues, and the more east/west tensions increase, the more the possibility of physical supply chain cyber disruption will increase through 2023, and possibly beyond.
SecurityWeek discussed one such possibility in May 2022: The Vulnerable Maritime Supply Chain – a Threat to the Global Economy.
Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, notes that in the utilities and energy sector, “99% of energy companies say they have been negatively impacted by at least one supply chain breach in the past year, representing the highest rate of overall impact in any other industry. Because it remains one of the most frequently attacked verticals, it is especially crucial that it rises to the challenge of supply chain defense in 2023.”
Taylor Gulley, senior application security consultant at nVisium, comments, “The past few years have shown that both the digital supply chain, as well as the physical world supply chain, are very fragile. This fragility is due to a lack of redundancy and resources due to economic constraints or skill gaps. For 2023, this situation will still stand true. Supply chain security is a weak link that needs to be strengthened.”
Sam Curry, CSO at Cybereason, believes the SBOM will be an important part of solving the software supply chain problem. “It would be naive in the extreme to think that with thousands of trusted software and service providers to choose from… that the handful of known supply chain compromises were the sum total of them. No. 2023 will show us more, and we will be lucky to learn of them because the attacker can quietly exploit these without tipping their hands.”
He added, “We need to use 2023 to be innovative and vigilant and to find new answers to the supply chain problem, to build on software bills of material, to innovate with the men and women building our software and to find the solutions to deter, to detect and to remove the vulnerabilities and exposures that enable this most insidious and trust eroding of attacks.”
Sharon Chand, Deloitte US’ cyber risk secure supply chain leader, believes that software supply chain security will require continuous realtime monitoring of third-party risks and vulnerabilities in inbound packaged software and firmware components. “For instance,” she said, “this includes implementing leading practice techniques around ingesting SBOMs and correlating the output to emerging vulnerabilities, identifying risk indicators such as geographical origin of the underlying components, and providing visibility to transitive dependencies.”
Christian Borst, EMEA CTO at Vectra AI, suggests collaboration and cooperation across the software industry will be required. “A holistic approach may help turn the tables on the matter: supply chain means partnership – partnership means collaboration and supporting each other. Only as a ‘mesh’ interconnected structure with consistent resiliency can companies thrive in the digital economy. This includes ensuring that they review the security policies of all those in the chain.”
Sounil Yu, CISO at JupiterOne, makes a fitting summary, referencing a paper written by Richard Danzig in July 2014 (Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies). “To borrow Richard Danzig’s analogy,” says Yu, “we are on a diet of poisoned fruit with respect to our software supply chain. This poison is not going to go away, so we will need to learn how to survive and thrive under these conditions. Being aware of the risks, through efforts such as SBOM, and managing the risks through compensating controls such as egress filtering, will be a priority in 2023 and the foreseeable future.”
The post Cyber Insights 2023 | Supply Chain Security appeared first on SecurityWeek.
The digital supply chain is probably more extensive and more complicated than you realize. Upward of 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years – and these figures are almost certainly no exaggeration.
The figures come from a report by SecurityScorecard. More than 230,000 organizations were examined to discover their relationships with third parties. Third parties were investigated to examine fourth parties (on which the third parties depend before delivering services to the first party). The expansion of relationships grows so rapidly that it makes six degrees of separation likely to be a conservative estimation.
From the figures: 98% of organizations have a relationship with a third party that has been breached, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. These figures do not suggest that the first parties have been breached, but they do indicate the extent of risk exposure via the supply chain.
It is worth reflecting on the term ‘breach’. Some commentators include data exposure within the term – so an organization with an unsecured cloud database is described as breached. This is not how SecurityScorecard uses the term in this report.
“We define a breach as any incident where parties gain unauthorized access to computer data, applications, networks, or devices,” Mike Woodward, VP data quality and trust at SecurityScorecard, told SecurityWeek. “The parties could be intruding threat actors who bypass or penetrate security mechanisms from the internet, or they could be organization insiders who abuse their privileged access to data and resources.”
Knowledge of a breach comes from public knowledge: from government disclosures and press reports. “Every day, we scan multiple sources, including government websites and press reports, for reports of breaches. We’re careful about the sources we will accept, and we point back to our source so our users can check for themselves,” he continued.
Of course, not all organizations disclose that they have been breached, and not all organizations even know they have been breached. So, the effect of this methodology means SecurityScorecard’s statement that ‘98% of organizations have a relationship with a third (or fourth) party that has been breached’ can only be the most conservative of estimates.
“SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have. Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,” comments Wade Baker, partner and co-founder at The Cyentia Institute (a data-driven cybersecurity research group).
“By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk.”
The report highlights which sectors have the highest number of third party relationships, notes that more secure first parties still have relationships with the less secure third parties, points out that third parties are 5x more likely to exhibit poor security, and even enumerates the number of companies that have relationships with foreign organizations.
“Seven percent of firms have relationships with vendors in only their home country (no foreign ties),” states the report. “About 59% of organizations have connections to five or fewer countries, and roughly 14% have vendors spanning 10 or more countries.” This doesn’t necessarily increase or decrease cyber risk, but it highlights a potentially overlooked complication: compliance with international laws, security requirements, and other geopolitical issues.
The overriding conclusion of the report is that no firm can afford to be insular about its cybersecurity. It must have visibility into its own digital ecosystem, but also similar visibility into the security of its suppliers – including, perhaps, the fourth party suppliers. And if that visibility is unavailable, maybe the risk of a relationship is too great.
The post 98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis appeared first on SecurityWeek.
SecurityWeek Cyber Insights 2023 | ICS and Operational Technology – Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.
There are several reasons, including geopolitical fallout and escalation of tensions from the Russia/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.
One of the biggest threats to OT comes from its convergence with IT. When the networks were separate, OT could be isolated from the internet and kept relatively secure. This is no longer reality.
“As IT and OT systems continue to converge,” comments Simon Chassar, CRO at Claroty, “nation-state actors and cybercriminal groups such as Berserk Bear, Conti, Lazarus and Mythic Leopard, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.”
For all its benefits, IT/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector. “This yields maximum financial or political gain for the attacker,” continued Chassar, “because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.”
Ramsey Hajj, Deloitte’s US and global cyber OT leader, expands on this theme. “Cyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult.”
Supply chain attacks cannot be ignored, either on the IT side or directly against OT. “Supply chain attacks continue to evolve for both ICS hardware and software,” comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. “Think implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises on controls and automation vendors’ file repositories with the purpose of adding implants in the provided software.”
“One of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS/OT,” says Christopher Budd, senior manager of threat research at Sophos. “While we haven’t yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities.”
He suspects this will focus both government and industry on strengthening the security of ICS/OT systems, even if it’s done quietly. This may already be evident in the new Cross-Sector Cybersecurity Performance Goals (CPGs) issued by CISA in late October 2022. Claroty describes them as, “a foundational set of IT and OT practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.”
Claroty highlights four OT recommendations in the CPGs. There should be a single leader responsible for OT asset cybersecurity; there should be specialized OT-focused cybersecurity training for OT engineers; there should be compensating controls such as network segmentation and access controls used as mitigations until software patches and firmware updates can be applied; and there should be unique credentials for assets, use of MFA, and the removal of default passwords.
We can expect that government agencies will, and private industry should, work on conforming to CISA’s CPGs during and from 2023.
Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, expects further assistance from CISA in 2023. “2023 will usher in the fruits of new CISA programs further building mechanisms for enhanced trust and verification – CyberSentry and RedEye for example – which will broaden the aperture for understanding OT and ICS incidents.”
One less-obvious effect of global geopolitical tensions will be a deterioration in international law enforcement cooperation. “Besides the growth of hacktivist activity ‘working’ to internal and external political agendas,” suggests Kaspersky, “we might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks.”
Chassar is more direct. “There is going to be an increase in the number of threats from nation-state actors, as well as groups that are associated with nation-states in 2023,” he says. “Their activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia/Ukraine war, as well as the current economic climate.”
The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced.
“There are now more known vulnerabilities impacting IoT devices than IT devices,” says Bud Broomhead, CEO at Viakoo, “and IoT devices are often the easiest for cybercriminals to access.” IoT and IIoT are a massive and expanding part of the ICS/OT attack surface, providing an entry point and enabling lateral movement.
“Breached IoT devices are having devastating impacts,” he continued, “such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.”
The scale (sometimes up to 20x more than IT devices) and the physical location (widely distributed rather than focused within data centers), together with the growing use of vulnerable open source software libraries, make vulnerability remediation difficult.
Broomhead believes the shift to open source software presents the most immediate threat. “The dangers open source vulnerabilities present is that they require multiple vendors to provide patches, they are often found in OT and IoT devices that are hard to remediate, and they can be exploited many years after they were discovered.”
Wendy Frank, Deloitte’s US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, so the expanded attack surface creates more security, data, and privacy risks.
“Leading organizations,” she says, “will focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.”
“Ransomware remains the most likely threat to cause disruption in industrial infrastructure environments in 2023,” states Thomas Winston, director of intelligence content at Dragos. “Based on our visibility of ransomware events, manufacturing organizations remain the most frequent target with 70% of observed ransomware events, year-to-date [ie, 2022], continuing to target primarily manufacturing.”
Ackerman sees ransomware beginning to target OT specifically. He expects to see: “Ransomware targeting the industrial environment – in contrast to ransomware on the IT side accidentally compromising the OT space – with attacks on virtualization stacks (VMware), data repositories (Historian), controls equipment like PLCs, and controls project repositories (file shares).”
Partly, this will be exacerbated by native code execution on PLCs, with the attacker adding arbitrary code to the PLC’s OS, and paving the way for ransomware and rootkits running on the PLC.
Winston is particularly concerned for those organizations without adequate segmentation between IT and OT, but notes that “Ransomware rarely uses novel methods – making the application of key elements of a defensible ICS/OT architecture particularly effective.”
He recommends the five critical controls outlined by SANS in October 2022: implementation of an ICS-specific incident response plan; development of a defensible architecture [perhaps in conjunction with an attack surface management plan]; ICS network visibility and monitoring; secure remote access; and a risk-based vulnerability management program.
Beyond ransomware, Winston is concerned about the evolution of Pipedream (also known as Incontroller). “Pipedream is an existential threat to the ICS community. This toolset is likely being actively developed and financed,” he said.
“It is already capable of disruption across industries, including CrashOverride-style disruption, pipeline disruption, and servo manipulation. We’ve confirmed that Pipedream, with little development effort, can target devices speaking the ubiquitous CODESYSv3 and OPC UA protocols. It can manipulate servos in the 1S-Series of Omron Servo drives.” While it cannot target Omron Safety Controllers, he believes this is undoubtedly the next step in its development.
Ian Pratt, global head of security for personal systems at HP Inc, sees an increase in session hijacking in 2023. “Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.”
By targeting users with elevated rights, the attacks are more potent, harder to detect, and more difficult to remove. “The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if privileged access management (PAM) systems are being used to employ MFA, such as smart cards.”
Session hijacking does not involve exploiting a fixable vulnerability – it is about abusing the legitimate functionality of remote session protocols, such as RDP, ICA and SSH. “If such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.”
“Attacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals,” comments Joseph Carson, chief security scientist and advisory CISO at Delinea. Those goals are governed by the current state of geopolitics, and the global tension caused by the Russia/Ukraine conflict means the stakes are high.
“These high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets,” he continued.
Although OT and IT networks are converging, there remains a fundamental design difference between the two. “OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Gaining centralized visibility and management of such a complex environment can be extremely challenging,” he added.
This results in gaps between the two networks that APT actors can find, infiltrating the IT network and moving across to the OT network. “These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,” he continued.
According to Kaspersky’s experts, there will likely be a shift in APT activity against industrial organizations in new industries and locations. “Real economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year,” they say. “Moreover, traditional targets such as the military industrial complex and the government sector will also remain a focus.”
Kaspersky also warns that there will likely be an increased level of cooperation between criminals and APTs. “Other risks to watch out for are the heightened criminal activity with a goal to harvest user credentials as well as more volunteer ideological and politically motivated insiders working with criminal groups, usually extortionists and APTs,” it says. “These insiders may be active in production facilities as well as technology developers, product vendors and service providers.”
Attacks on the OT of critical industries have real world implications, which may worsen in 2023. “Whether it’s contaminated water supplies or minimal access to fuel, we’ve seen the costs these cyberattacks have firsthand,” comments Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence. “While hackers’ activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year.”
He is concerned that IT and OT security convergence is still not effective. “Attacks that have been close calls in the past (such as the poisoning of the water supply from a Florida plant in 2021) will eventually have human costs.”
Liebig is also concerned about attacks on the energy grid. “As Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the US’s infrastructure as well,” he warns. “At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years.”
As a result, he continued, “The combination of aforementioned factors makes the US’s power grid more vulnerable to cyberattacks than it has been in a long time.”
Sam Curry, CSO at Cybereason, believes there needs to be a fundamental change of approach from the ICS/OT system providers. “Many of the security basics are simply not present, such as leveraging roots of trust and trusted execution environment, strong cryptographic options, hardening, secure update and shipping with strong identity options and no default access, to name a few,” he says. “Most devices don’t ship with hardening options or advice, have poor documentation and no understanding of ultimate use cases.”
This results in customers setting up devices, but rarely coming back to manage the ongoing device lifecycle, let alone maintaining security aggressively as they should. “There are missed business opportunities for security services and secure management services as a service that are being left behind. Done correctly, there’s not only lower risk for business, but there’s money to be made and real value to provide.”
He adds, “2023 needs to be the year to reset ICS and OT standards for security.”
Ronnie Fabela, CTO and co-founder at SynSaber, also sees scope for improvement in standards. “From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states,” he says.
“My prediction for 2023 is that while this will continue, the industry’s response will be loud and focused: ‘Enough guidance and FUD. Help us execute.’” His position is that industrial operators and asset owners know their systems better than anyone. Now that they are on board with cyber, empowering the operating community is the only true way to move the needle.
“A shift from ‘We know better’ to ‘You know better’ will be tough for a cybersecurity industry that is used to being the hero,” he adds. “The faster all of us can change this mindset, the more successful 2023 will be for defending critical infrastructure.” There will consequently be continued movement from guidance to regulation.
But Jablanski offers a word of warning, more to do with party politics than geopolitics: “New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure.”
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
The post Cyber Insights 2023: ICS and Operational Technology appeared first on SecurityWeek.
Chainguard on Tuesday published a draft OpenVEX specification to help software vendors and maintainers communicate precise metadata about the vulnerability status of products directly to end users.
The Chainguard specification is an implementation of the NTIA’s VEX (Vulnerability Exploitability eXchange) concept that aims to provide additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.
In an interview with SecurityWeek, Chainguard chief executive Dan Lorenc said OpenVEX is designed to meet the minimum requirements defined by the U.S. government’s CISA cybersecurity agency and will help reduce false positives and improve the quality of SBOMs (software bills of materials).
Lorenc said OpenVEX, which was designed in collaboration with CISA’s VEX working group, will allow software suppliers to communicate precise, actionable metadata to improve the signal to noise ratio and add important context to vulnerability warnings.
“OpenVEX makes it easy for software producers to accurately describe their artifacts’ exploitability [and] makes it easier for software consumers to filter out false positives from vulnerability scanners. This means security professionals spend more time investigating worthwhile security concerns, and less time wading through erroneous findings,” Chainguard said in a note announcing the draft specification.
“OpenVEX encodes learnings of false positives and enables consumers to prioritize vulnerability reports much more effectively,” the company added.
Chainguard’s Lorenc said OpenVEX is complementary to SBOMs and is the first format to meet the VEX Minimum Requirements. To prove functionality end-to-end, the company has also put OpenVEX into production in its Wolfi Linux distro and its own Chainguard Images product.
The spec, designed with support from Google, HPE, VMware, and the Linux Foundation, is being positioned as an important piece of the industry-wide push to improve the security of software supply chains.
“As an end-user responsible for implementing solutions that secure our software supply chain, I often look to community efforts that show collaborative support because I know they can be trusted to deliver the best outcomes. OpenVEX is one of those projects that gives me hope we are getting to a better place both for vulnerability management but also solving some of the biggest challenges facing the production of quality SBOMs,” said Tim Pletcher, a research engineer at Hewlett Packard Enterprise.
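As an added illustration (not code from Chainguard or the OpenVEX project), the following Python example shows how a software consumer could apply VEX statements to filter vulnerability scanner findings, as the article describes. The document, product identifiers and CVE ids are constructed placeholders, the function names are hypothetical, and keeping a `not_affected` claim in the review queue when it gives no reason is a policy assumption of this example.

```python
import json

# Constructed, simplified OpenVEX-style document; all ids are placeholders.
VEX_DOC = json.loads("""
{"author": "Example Vendor (constructed)", "version": "1", "statements": [
  {"vulnerability": "CVE-0000-0001", "products": ["pkg:apk/example/app@1.2.0"],
   "status": "not_affected",
   "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": "CVE-0000-0002", "products": ["pkg:apk/example/app@1.2.0"],
   "status": "affected", "action_statement": "Upgrade to app 1.2.1"},
  {"vulnerability": "CVE-0000-0004", "products": ["pkg:apk/example/app@1.2.0"],
   "status": "not_affected"}
]}
""")

# Constructed scanner findings: (product identifier, vulnerability id).
FINDINGS = [
    ("pkg:apk/example/app@1.2.0", "CVE-0000-0001"),
    ("pkg:apk/example/app@1.2.0", "CVE-0000-0002"),
    ("pkg:apk/example/lib@3.0.0", "CVE-0000-0001"),
    ("pkg:apk/example/app@1.2.0", "CVE-0000-0004"),
]

def index_statements(doc):
    """Map (product, vulnerability) to its statement; later statements win."""
    index = {}
    for stmt in doc.get("statements", []):
        for product in stmt.get("products", []):
            index[(product, stmt["vulnerability"])] = stmt
    return index

def triage(findings, doc):
    """Split findings into suppressed, actionable and needs_review buckets."""
    index = index_statements(doc)
    out = {"suppressed": [], "actionable": [], "needs_review": []}
    for product, vuln in findings:
        stmt = index.get((product, vuln))
        status = stmt["status"] if stmt else None
        if status == "fixed":
            out["suppressed"].append((product, vuln, "fixed"))
        elif status == "not_affected" and (
            stmt.get("justification") or stmt.get("impact_statement")
        ):
            reason = stmt.get("justification") or stmt["impact_statement"]
            out["suppressed"].append((product, vuln, reason))
        elif status == "affected":
            out["actionable"].append((product, vuln, stmt.get("action_statement")))
        else:
            # No matching statement, under_investigation, or no stated reason.
            out["needs_review"].append((product, vuln, status))
    return out

if __name__ == "__main__":
    print(json.dumps(triage(FINDINGS, VEX_DOC), indent=2))
```

Matching on the exact product identifier matters here: the statement for `app` does not silence the same vulnerability id reported against `lib`.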
The post OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings appeared first on SecurityWeek.