US DoE Says Build Security Into All Energy Systems; PowerShell Securely Configured is Better Than No PowerShell at All; OT Devices Are Not Secure and Need to Be Segmented/Shielded

I’m not a big fan of the term “Cyber Informed Engineering” as it implies there is still some need for engineering that is NOT “cyber-informed.” The strategy is basically well known and proven “build security in” or “secure by design” concepts that should be integrated into all energy system operational, upgrade, and new system efforts. Given that the world’s energy systems will change quite a bit over the next 20 years, now is the time to do that.

John Pescatore

This is the most hopeful thing that one has heard in this space. In most industries we know what to do; we simply lack the will to do it. The energy sector is an exception. Because of the interdependencies in the grid, securing it is more complex than simply securing all the operators in the grid. Here, we need a strategic approach that goes across enterprises.

William Hugh Murray

This sprang from the 2019 National Defense Authorization Act for Fiscal Year 2020 which directed DOE to create this CIE strategy. Part of the idea is to engineer a system which is resistant to further attack once penetrated. The CIE in practice summary explains how this should be considered. Note that while this applies to critical infrastructure, there is applicability to important IT systems. Ask if system A is compromised, what could then be reached easily and how you could slow or stop the effectiveness of that lateral movement.

Lee Neely

PowerShell has gotten a bit of a bad reputation. Many attackers use it to their advantage after they gain access to a system. But there are also many defensive opportunities, and this concise document does a great job in not only outlining how to restrict PowerShell but also showing how to detect malicious uses.

Johannes Ullrich

PowerShell 5 should be removed in favor of version 7 for windows 10/11 and Linux which adds needed security features such as SSH remoting and over-the-shoulder transcription. Leverage the AMSI integration as well as application control to enabler integration with anti-malware components on the endpoint and to restrict what PowerShell is permitted to do. Review the Defense document below for more on detection and properly securing PowerShell.

Lee Neely

This is an excellent resource and one I encourage all cybersecurity professionals to read and implement. In many investigations we investigate we see PowerShell being abused by criminals.

Brian Honan

The sad part is not the number of the vulnerabilities, but the type of vulnerabilities. It shows how many of these OT devices controlling critical infrastructure suffer from vulnerabilities that home security systems fixed (for the most part) years ago.

Johannes Ullrich

Operational Technology (OT) covers an enormous range of devices and uses. The only real common denominator is they all started out without thinking at all about “build security in” or “secure by design.” The only hope of changing that is making sure those requirements/concepts are part of procurements of new equipment – any OT items in use today have to be segmented/shielded etc.

John Pescatore

The guidance from Forescout, resulting from their OT:ICEFALL project, is to not wait for CVEs for your OT prior to taking actions to secure them. They have manufacturer-specific recommendations and segmentation, monitoring, patching, and identification of vulnerabilities are a good idea across the board. Make sure that your scanning and assessment teams know how to interact with OT/ICS systems without doing harm.

Lee Neely

Looks like attackers had over 3 weeks on target, including 4 days after the malware was first detected. Not a lot of data on this one, but looks like 1.2M individuals impacted, so this is an expensive one – just the costs of offering identity theft protection are likely to exceed the proactive cost that would have avoided or minimized the damage.

John Pescatore

We've been noting the security of health devices, and focusing on segmentation, access control and updates; don't forget the back-end systems. Ensure sufficient protections are in place not only from medical systems but also any public facing system. You say you have your IDS and WAF all set - have you verified they work? Nothing in learning mode? That someone is responding to configured alerts?

Lee Neely

It is becoming a buzzword to call information/cybersecurity “resiliency,” but this incident is an important reminder that security is really a subset of overall reliability/resilience. While Availability has been part of the Confidentiality/Integrity/Availability triad forever, security issues generally aren’t the top driver of downtime in most organizations. Important to plan for how IT admin code changes that crash systems or network admin config changes that cause self-inflicted denial of service storms impact your ability to continue to deliver security services.

John Pescatore

Even the best of us get bit by BGP changes. Cloudflare is working to make their architecture more robust and less susceptible to network configuration errors. In so doing the configuration updates to that model resulted in the same outages they wish to avoid. When successful their architecture and lessons learned can be leveraged to help others become more resistant to these issues.

Lee Neely

With many organisations engaging with the cloud over the past two years as a result of the pandemic, this is a good resource to use to review and ensure any migrations to the cloud your organization has undertaken is done so in a secure way.

Brian Honan

This should make it easier to work cross-agency, and while DHS and CISA have the charter and authority, this removes many barriers to success.

Lee Neely

While this is likely just Iran poking at Israel as part of their ongoing disputes, it's still a good idea to make sure that you have properly secured your emergency communication systems, that access is regularly verified, to include new integrations or connections to ensure the level of security is not reduced over time. Excessive false positives, or even too much testing, will reduce their effectiveness in a true emergency.

Lee Neely

Hillrom is releasing more than one patch. Note the timelines for the fixes, some due in late 2023.

Lee Neely