Hacker Changed Chemical Concentration at Water Treatment Plant; Ransomware Hits Brazilian Utilities; Google Launches Open Source Vulnerability Website

Vendors often offer remote support and monitoring, which helps maintain their systems. That support mechanism needs to be well understood. If you must expose access to monitor and manage an internal service, make sure that it is properly secured, including mandatory multi-factor authentication, regular reviews of which accounts have access, and logs that not only capture activities, but are also forwarded to your SIEM//SOC. Pay particular attention to any accounts which cannot be MFA, and, if possible, don't allow remote access to them. If cellular or other private networks are used, understand what else is on those networks and how the communications are protected.

Lee Neely

Many organisations have remote access solutions in place to enable vendors and staff to work remotely, and in the pandemic this has increased, so now is a good time to review all your remote access solutions to ensure that they are configured in a secure manner and where possible MFA is enabled.

Brian Honan

Utility operator convenience must not be allowed to trump security of the utility.

William Hugh Murray

This initiative is very important and the Google blog on the subject informative. Neither Open Source or proprietary development are delivering the reliability or quality that are needed. We must dramatically and urgently improve code quality to shore up our crumbling infrastructure. Both transparency and accountability are necessary and current practices are delivering neither.

William Hugh Murray

Solid concepts. Back in 2014 when the Heartbleed OpenSSL vulnerabilities were discovered, Google was one of the founding members of the Core Infrastructure Initiative that had similar goals, including a focus on "open source supply chain security." However, that seemed to go dormant around 2016. There seem to be many of these voluntary efforts that lose steam for lack of a continued forcing function. In the food industry, the loss of revenue after signs on restaurants and notices in newspapers that the restaurant was closed due to discovered vermin infestations or potentially poisonous ingredients found seem to result in higher levels of essential restaurant hygiene than restaurant trade association websites.

John Pescatore

Key escrow is critical with encryption, particularly with valuable assets. Make sure that your enterprise can recover the password for corporate information protected by employees. When using a password vault, make sure that you can also recover the password to that vault, or that it is stored in a known secure location and kept updated.

Lee Neely

The hack coincided with their promotion of "Hacking for Dummies" by Kevin Beaver. The good news is that these were salted password hashes, making compromise more difficult. If you reused your SitePoint password elsewhere, or have an old account you've not used, change those passwords.

Lee Neely

Make sure that you're updating Chromium-based browsers, as well: Edge, Brave, etc. Note that the Chromium latest version and the latest browser version may not match, e.g, Edge is 88.0.705.63 while Brave is V1.19.92. As there is a published exploit for CVE-2021-21148 in the wild, assume it is being actively exploited.

Lee Neely

he patched version of the plugin was released December 17th. Even with automatic updates, make sure that your plugins are updated, and remove the unused ones. While the volume and adoption of plugins for WordPress drives warnings at least weekly, you can mitigate much of the risk by enabling auto-updates for plugins, removing unneeded ones, and installing a WAF. If you do install a WAF, make sure that you understand how frequently it's updated to understand your exposure to newly discovered vulnerabilities.

Lee Neely

The WordPress plugin vulnerability of the week. WordPress plugins are a major source of vulnerability. They come with no representation or assurance of quality. They should be used sparingly, and, where used, actively policed.

William Hugh Murray

Back in July 2016, the US the Department of Health and Human Service Office for Civil Rights issued HIPAA guidance that said that all successful ransomware attacks should be considered as reportable security incidents, not just as denial of service attacks. If the attackers encrypted patient health information, they (and not the patient) had control of it ("acquired" it in HIPAA terminology) and thus an unauthorized disclosure had occurred.

John Pescatore

IST SP 800-171 focused on protecting confidentiality; SP 800-172 adds suggested protections for integrity and availability as well as discussion around the value and purpose of each control to aid understanding. These two publications are examples of how to flow down protection requirements for consistent protection of sensitive information. Make sure to leverage a known referenceable standard, as well as a clear definition of your data sensitivity wherever you are having someone else process it, such as cloud, outsourcer, or service bureau. Include this in your contract language. Then verify the controls are in place, not just at inception, but throughout the life of the contract.

Lee Neely

As the FERC looks at potential incentives that could be offered to electric entities they need to consider what the measuring stick will be to determine adequate achievement of "exceed the minimum requirements as established by the National Institute of Standards and Technology (NIST)". It would be far more appropriate to measure entity implementations that exceed the existing CIP Standards applicable at a particular site based on the determined impact rating of the site. Additionally, entities truly need flexibility in recategorizing expenditures associated with cybersecurity initiatives beyond just the initial CapEx spend and include traditional cybersecurity related O&M spend, this ability to leverage incentive plan elements to pursue cybersecurity tasks associated with programs focused on asset inventory, configuration validations, ICS network collection and response capabilities, and workforce development opportunities would significantly help the industry. This action alone could have a significant positive impact on the cybersecurity our nations critical infrastructure. The concepts of incentivizing additional security controls around moving CIP Low to Med and Med to High treatment will encourage and help fund security improvements at interconnected sites that have by definition a Low impact on the electric system, but have trusted communications paths into higher criticality sites, so they represent the weakest link and will benefit greatly from additional security investments. The concepts around hub and spoke incentives need careful architectural and operations based engineering review to determine if the benefits out way the additional risks in each entities unique system.

Tim Conway

The proposed rules provide for incentives on two types of 'going beyond the minimum.' The first doesn't make much sense: Incentives for applying security controls for high and medium impact systems to low impact systems. This would kind of be like giving auto manufactures financial incentives for making coffee cup holders more crash-resistant. The second incentive is kind of a variant on the same theme: a "hub and spoke" incentive if all low impact systems external connectivity is routed through presumably more secure high impact systems. This could make more sense but could also result in exploitable low impact systems becoming pathways into high impact systems. An example might be a small/low-impact hydropower system with external connectivity for remote monitoring. If compromised, minimal impact - but if financial incentives resulted in that small/low-impact facility being networked to a major dam or water supply system, did overall risk go up or down?

John Pescatore

The update to the app included obfuscated malicious code, rather than a change to the SDK which changed advertisement behavior. While Google has raised the bar on Android applications, a lot of applications have not been reviewed for proper security/behavior. In this case, the app was removed from the Play Store, not Play Protect, so it will not be uninstalled on devices automatically. Even so, allowing only applications from the Play Store or your corporate App Store is best practice. On Android, your MDM can also be used to disable or otherwise block banned or otherwise disallowed applications.

Lee Neely