2H 2021 review

Premise

Nozomi Networks Labs has released its semi-annual report covering the second half of 2021, which again brings together industry trends and the Labs' own research on cyber threats to the OT world.

Cybercrime continued to rise in the last six months of the year as supply chain and ransomware attacks dominated the headlines with operational impact and disruption.

Despite renewed attention from law enforcement, government agencies and industry, attack techniques are becoming more sophisticated and organizations continue to be hit.

To help cybersecurity teams and OT/IoT researchers, the Nozomi report focuses on three main areas:

  • attack tendencies
  • vulnerability research
  • recommended practices and remediation technologies

Particular attention is given to an in-depth analysis of ransomware attacks, and Nozomi Networks' own research has examined vulnerabilities in video surveillance cameras and in software supply chains.

The report also covers attack surface reduction, the role of zero trust in modern OT/IoT networks, and techniques for analyzing device firmware vulnerabilities.

Download the New OT/IoT Security report

Ransomware attacks continue to make headlines and cause operational disruptions

Just like the first half of 2021, the second half of the year was filled with ransomware news: Conti ransomware group extorted over $150 million over the course of the year.

Other ransomware groups were also active: REvil targeted the supply chain of the IT solutions provider Kaseya, and BlackMatter, believed by many to be a successor to REvil, demanded a $5.9 million ransom from a US farmers' cooperative.

Critical Infrastructure sectors continued to be targeted, particularly transportation, healthcare and food – sectors now perceived as high-value targets by ransomware groups as well as geopolitical state actors.

Law enforcement agencies have also taken significant actions against ransomware organizations and affiliates – often long-term operations involving the cooperation of many countries.

Not all ransomware news has been bad: leaked documents from an affiliate of the Conti group gave researchers insight into the tools and tactics used by ransomware gangs and helped bring the group down for a time. However, some affiliates migrated to other ransomware groups and kept attacking; this was the case with Conti, whose affiliates were able to continue their attacks against key targets in 2H 2021.

Supply chain attacks present opportunities for damage to spread rapidly

Supply chain attacks have the potential to affect hundreds or thousands of organizations, depending on how widespread a common software component is and how easily the vulnerability can be exploited.

The first widely reported supply chain attack was over a year ago, when a SolarWinds vulnerability compromised many critical networks across all industries, including government.

Since then, concern has grown about vulnerabilities and exploits in open source code. When a vulnerability is disclosed in an open source component that is used in many applications, the damage can equal or exceed that of a flaw in a single vendor's software; it depends on how widely the library is used.

This was the case with the December disclosure of the Log4Shell vulnerability. Log4Shell was found in the Apache Log4j open source logging library, which is widely used in commercial applications and large online platforms.

Thanks to the simplicity of this exploit, attackers were able to launch attacks quickly, before patches were available worldwide: one of the largest ransomware groups was using the Log4j exploit within a week, launching attacks against VMware vCenter installations.

Vulnerabilities in OT/IoT/IIoT devices

Nozomi Networks Labs' vulnerability research focuses on OT/IoT/IIoT devices and networks, its main area of research.

In recent years, IoT/IIoT devices have become a common entry point across an organization's network, but they are often overlooked in comparison to widely distributed IT platforms and operating systems.

IoT/IIoT devices run stripped-down operating systems with security features removed because of power, processing-capacity (and cost!) constraints.

While ICS/OT systems such as SCADA, DCS and PLC equipment could once rely on the so-called “air gap” separating them from IoT/IIoT devices, Wi-Fi, the Internet and the wider cloud and IT network, that is no longer the case. Security defenses must therefore be strengthened.

In the semi-annual report, Nozomi Networks Labs highlights some of the key research areas, including vulnerabilities within supply chains, cloud platforms and specific enterprise software platforms.

In addition to examining some of the most impactful OT/ICS vulnerabilities discovered by the Nozomi Labs team in the second half of 2021, the report presents research on the attack surface of video surveillance systems and what building owners should keep in mind before incorporating them into a network.

Conclusions and Recommendations

Strengthening cyber defenses in OT and IoT environments requires a multi-pronged approach that often includes complementary technologies, well-defined oversight and processes, and appropriate security hygiene.

Often, security teams are overworked and allow human error to compromise even the most advanced defenses with weak passwords, misconfigured networks and devices, or even through “social engineering”. Many ransomware attacks begin with a naive user clicking a malicious email link in an otherwise well-defended network.

Network segmentation is another critical component of a cyber defense strategy to prevent the spread of malware to critical applications and OT processes. Several technologies are useful for segmenting networks, such as VLANs and firewalls, depending on the environment and policy requirements.

In OT networks, the Purdue model (adopted by ISA-95, ISA-99 and later IEC 62443) is a way to create network zones that align process elements and system functions.

However, too often we find organizations with completely “flat” networks with minimal segmentation, where systems are easily compromised and mission-critical applications and processes have little or no isolation.

In the report, Nozomi provides suggestions for increasing network segmentation, towards a Zero Trust model.

Also known as micro-segmentation, Zero Trust implies that all network connectivity between individual endpoints is denied except for those connections that are explicitly allowed.

When migrating to a Zero Trust model, it is important to monitor traffic patterns to understand how legitimate traffic flows through the organization before establishing explicitly authorized connections to avoid disruption.
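The learn-then-enforce step described above, as an added example that is not part of the Nozomi report: a small Python script builds an explicit allow-list from flow counts aggregated during a monitoring period, sets rare flows aside for an engineer to review, and then applies default-deny to new flows. All hosts, addresses and flows are constructed sample data.

```python
"""Derive an explicit Zero Trust allow-list from observed flows, then check new flows.

Added example, not code from the Nozomi report. Addresses and flow counts are
constructed sample data for an assumed small OT cell (HMI, workstation, PLC, historian).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow counts aggregated over a monitoring period:
# (src, dst, proto, dport, times_seen)
OBSERVED = [
    ("10.1.0.10", "10.2.0.5", "tcp", 502, 1200),    # HMI -> PLC, Modbus/TCP
    ("10.1.0.11", "10.2.0.5", "tcp", 502, 950),     # engineering workstation -> PLC
    ("10.1.0.10", "10.1.0.20", "tcp", 1433, 300),   # HMI -> historian (SQL)
    ("10.1.0.11", "10.2.0.5", "tcp", 44818, 3),     # EtherNet/IP, seen only rarely
]


def learn_allowlist(observed, min_count=10):
    """Flows seen at least min_count times become explicitly allowed connections.
    Rare flows are returned separately for review instead of being silently
    allowed (over-permissive) or silently blocked (disruptive)."""
    allowed, review = set(), set()
    for src, dst, proto, dport, count in observed:
        (allowed if count >= min_count else review).add(Flow(src, dst, proto, dport))
    return allowed, review


def evaluate(flows, allowed):
    """Zero Trust default-deny: any flow not explicitly allowed is denied."""
    return {f: ("allow" if f in allowed else "deny") for f in flows}


# Constructed flows seen after enforcement is switched on.
NEW_FLOWS = [
    Flow("10.1.0.10", "10.2.0.5", "tcp", 502),      # known baseline flow
    Flow("10.1.0.30", "10.2.0.5", "tcp", 502),      # unknown host speaking Modbus to the PLC
    Flow("10.2.0.5", "203.0.113.7", "tcp", 443),    # PLC reaching out to the Internet
]

if __name__ == "__main__":
    allowed_flows, to_review = learn_allowlist(OBSERVED)
    for flow, verdict in evaluate(NEW_FLOWS, allowed_flows).items():
        print(f"{verdict:5s} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print("needs review:", to_review)
```

The two denied flows are exactly the ones an analyst would want to see: a new host talking to the PLC and the PLC initiating an outbound Internet connection, neither of which appeared during the monitoring period.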

The report also discusses the importance of traffic monitoring for detecting potential security threats, breaches and other anomalies, both in network flows and in OT mitigation, and what can be achieved effectively with reasonable effort.

By providing insights into key areas of the threat and vulnerability landscape, the Nozomi report aims to help organizations assess and improve their security posture.

Enterprises are advised to improve visibility in order to strengthen OT/IoT security and monitoring.

Given the sophistication and ruthlessness of today's adversaries, it is also important to adopt a post-incident mindset by honing a Disaster Recovery Plan. Continuously improving your IT/OT security posture is the best way to ensure availability, security, integrity and confidentiality in your systems, including those in Operations.

WEBINAR: OT/IoT Security Review 2021 2H: Lessons for Critical Infrastructure

Want to know more about the new report? Follow the webinar!

Date: Wednesday February 23, 2022
Time: 16:30
Duration: 45 minutes

Register for the webinar!