Sunday, April 20, 2025

We Are In A Defining Moment At The Intersection Of OT & Critical Infrastructure

I have an upcoming book that will be published later this year.  It is all about Supply Chain Attacks, and in fact, one whole chapter is devoted to how the CrowdStrike and SolarWinds breaches happened.  But it is not just digital assets that are at risk; physical ones are prone as well.

In this regard, it is our nation’s Critical Infrastructure that is at grave risk.  Examples of this would include our water supply, gas and oil pipelines, the national power grid, and our food supply system – all of which we need to live comfortably every day.

But the problem that drives the instability in the Critical Infrastructure is that the technology behind it is far too outdated.  This is referred to as “Operational Technology”, and it can be technically defined as follows:

“It is defined as technology that interfaces with the physical world and includes Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).”

(SOURCE:  https://www.ncsc.gov.uk/collection/operational-technology)

These components were built in the late 1960s and early 1970s; the parts for them are no longer available, and the vendors have simply disappeared.  Serious thought has been given to simply gutting out the old components and putting new ones in, but this is almost impossible.  Many other subcomponents rely upon them and would not work well with the newer stuff.

Thought has even been given to just adding new Cybersecurity technologies on top of the existing OT stuff, so that it would not have to be ripped out.  But yet once again, interoperability is the issue.  The old simply will not play nicely with the new.  Because of this, our Critical Infrastructure is at grave risk.  Consider some of these stats:

*Ransomware attacks on the OT that drives the Critical Infrastructure have risen by 87% on a Year Over Year (YOY) basis.

*Through a study that it conducted, Palo Alto Networks discovered that at least 70% of businesses (which do not necessarily include the Critical Infrastructure) have suffered some sort of OT-related security breach.

(SOURCE :  https://www.darkreading.com/ics-ot-security/boards-fix-ot-security-regulators)

But it is also important to note that the Cyberattacker can quite easily attack the weak points in the Critical Infrastructure, because there are so many of them.  But rather than doing that, and in an effort to cause a cascading effect of damage, they typically pierce through a backdoor in the IT and Network Infrastructure.

That way, they can stay in for long periods of time and wreak havoc on, say, the national gas pipeline system, as in the case of Colonial Gas.

But it’s not just here in the United States; these kinds of attacks are happening all over the world, with most of the headlines coming out of Ukraine.  In these cases, their Critical Infrastructure is not being hit directly per se, but rather through the OT or other IT/Network systems that drive it.  One of the best-known cases occurred in Lviv.

Back in 2024, a Russian hacking group deployed a malicious payload into the OT that drove the heating utility company there.  As a result, over six hundred buildings lost much-needed heat for well over 48 hours.

In fact, the very same thing even happened here in the United States, though it was not made public.  A Chinese hacking group deployed a piece of malware (known as “Volt Typhoon”) into the OT systems of the national power grid.

This went undetected for an alarming one-year period!!!  Luckily, nothing came of it, but the Cyberattackers had every opportunity to move laterally and attack our water supply as well.

My Thoughts on This:

Unfortunately, at the present time, there is not much we can do, at least in my opinion, to really beef up the lines of defense at our Critical Infrastructure.  To do this, we would have to implement new controls into the components of the OT itself, which are the ICS, SCADA, and DCS (as presented in the definition).

But once again, you simply cannot expect the new to have a nice tango dance with the old – not going to happen.

The other option would be to get the Board of Directors and their corresponding C-Suite to take more action.  But while they may acknowledge that it is an issue, the chances of them taking any action on it are almost nil.

Heck, if they cannot address Cyber issues that directly impact them, what makes one think that they will act on Critical Infrastructure?

True, the Federal Government could step in, but given the political chaos that is happening today, this is too far-fetched a reality.  Even if any bills were passed into law, they would be far too outdated to keep up with the pace of technology.

But there is one option that could prove viable: the Zero Trust Framework.  With this, the IT and Network Infrastructure of a Critical Infrastructure operator would be divided up into different segments or “zones”.  Each one of these would have its own layer of protection, making use of Multifactor Authentication.

That way, no huge amount of modern technology would have to be implemented; the only items that would really be needed are the authentication mechanisms to confirm the identity of the end user.

The main premise behind this is that if the Cyberattacker can break through one “zone”, the chances of them breaking through all of them become statistically zero.  But, as a country, we absolutely must come together as one to figure out how best to upgrade the OT systems and the Critical Infrastructure.  It’s not just one business that will be impacted; it is the lives of all Americans that could be gravely impacted in one fell swoop.


Friday, April 18, 2025

The New Cyber Metrics We Need Today: 5 Golden Ones

I usually do not write blogs over the week, but today is an exception.  It’s a holiday today where I work, so in that regard, Happy Easter!!!  One thing we humans hate to have happen to us is to be judged by others, whether in our personal or professional lives.  We always want to feel good around the people we are with, but unfortunately, it is a part of life that we will be judged.

Such is the case in Cybersecurity.  This field has a lot of metrics associated with it, and in fact, I wrote and published a book about it just last year.  You can see it in more detail at this link:

https://www.routledge.com/Generative-AI-Phishing-And-Cybersecurity-Metrics/Das/p/book/9781032820965

In it, I cover the major Key Performance Indicators (KPIs) and other metrics that the CISO and their IT Security team need to be aware of.  There are two of them that are of prime importance:

1)     The Mean Time to Detect:

This is also referred to as the “MTTD”.  This reflects how long it takes an IT Security team to detect that a threat or security breach is actually happening.  Believe it or not, the average time for detection is a staggering 7 months.  Nobody really has a firm answer as to why it takes so long: either the IT Security team is too overwhelmed putting out other fires, or the Cyberattacker has become that stealthy and covert.

2)     The Mean Time to Respond:

This is also commonly known as the “MTTR”.  This metric reflects how long it takes an IT Security team to contain an actual breach.  There are no hard numbers on this one (unlike the MTTD), as the total time for containment will vary depending upon the severity of the threat variant itself.  In this instance, documents such as the Incident Response, Disaster Recovery, and Business Continuity Plans come into prime importance.

But many Cyber pundits are now claiming that these established metrics are outdated and stale.  Meaning, they do not consider other variables that can impact detection and containment, such as Generative AI.  As I have also written about previously, it can be used for both good and bad.  So, you may be asking at this point:  “So what is next to come?”  Here are some thoughts that have echoed as a result:

1)     Priority:

Many people have pointed out that the MTTR and the MTTD cannot be blanket metrics used for every kind and type of security breach that happens.  Rather, these metrics must be adjusted to consider the following:

Ø  Exploitability

Ø  Impact

Ø  The sources that were used to detect/contain the threat.

In other words, the degree of potential severity (or actual severity, if the security breach has occurred) needs to be the key factor taken into consideration when calculating these two metrics.
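As an added illustration (not code from the original post), here is how the MTTD and MTTR could be computed both as blanket figures and bucketed by a severity score built from exploitability and impact, as well as by detection source, over a constructed incident log. The 1-to-5 scales, the bucket thresholds and the incident records are all assumptions.

```python
"""Blanket vs. severity-bucketed MTTD/MTTR over a constructed incident log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Callable


@dataclass(frozen=True)
class Incident:
    name: str
    exploitability: int   # 1 (hard to exploit) .. 5 (trivial); assumed scale
    impact: int           # 1 (nuisance) .. 5 (business-critical); assumed scale
    source: str           # what detected it (SIEM, EDR, outside report, ...)
    started: datetime     # first malicious activity
    detected: datetime    # when the IT Security team became aware
    contained: datetime   # when the threat was contained


def severity(inc: Incident) -> str:
    """Bucket by exploitability x impact (1..25); thresholds are assumed."""
    score = inc.exploitability * inc.impact
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    return "low"


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mttd_hours(incidents: list[Incident]) -> float:
    """Mean Time to Detect: start of activity -> detection."""
    return mean(hours(i.started, i.detected) for i in incidents)


def mttr_hours(incidents: list[Incident]) -> float:
    """Mean Time to Respond: detection -> containment."""
    return mean(hours(i.detected, i.contained) for i in incidents)


def metrics_by(incidents: list[Incident],
               key: Callable[[Incident], str]) -> dict[str, dict[str, float]]:
    """Group incidents by key (severity, detection source, ...) and
    compute MTTD/MTTR per group instead of one blanket number."""
    groups: dict[str, list[Incident]] = {}
    for inc in incidents:
        groups.setdefault(key(inc), []).append(inc)
    return {k: {"count": len(v), "mttd_hours": mttd_hours(v),
                "mttr_hours": mttr_hours(v)} for k, v in groups.items()}


def _at(day: int, hours_in: float) -> datetime:
    return datetime(2025, 3, day) + timedelta(hours=hours_in)


# Constructed sample incidents: (started, detected, contained) per row.
SAMPLE_INCIDENTS = [
    Incident("phish-01", 4, 2, "email-gateway", _at(1, 0), _at(1, 2), _at(1, 6)),
    Incident("vpn-creds", 5, 5, "siem", _at(3, 0), _at(3, 48), _at(3, 72)),
    Incident("ransomware-ot", 3, 5, "siem", _at(10, 0), _at(10, 24), _at(10, 60)),
    Incident("open-bucket", 2, 2, "external-report", _at(12, 0), _at(12, 240), _at(12, 244)),
    Incident("test-malware", 1, 3, "edr", _at(15, 0), _at(15, 1), _at(15, 2)),
]

if __name__ == "__main__":
    print(f"blanket MTTD={mttd_hours(SAMPLE_INCIDENTS):.1f}h "
          f"MTTR={mttr_hours(SAMPLE_INCIDENTS):.1f}h")
    for label, key in (("severity", severity), ("source", lambda i: i.source)):
        for k, m in metrics_by(SAMPLE_INCIDENTS, key).items():
            print(f"{label}={k:16} n={m['count']} "
                  f"MTTD={m['mttd_hours']:.1f}h MTTR={m['mttr_hours']:.1f}h")
```

The blanket figures hide that the two critical incidents were detected in 36 hours on average while the low ones sat for 120 hours, which is exactly the distortion the priority argument is about.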

2)     Monitoring:

A metric needs to be formulated which shows, once a security breach has been detected, how long it takes the IT Security team to contain it.  True, this sounds just like the MTTR, but the MTTR is just a static number: it only reflects the time after the entire breach has been put out.  This new metric would show how long containment takes on a real-time basis.

3)     Practice:

To the best of my knowledge, the metrics that exist in the Cyber world today are used primarily for real-world situations.  How about creating a metric or a group of metrics that gauge the effectiveness of both the CISO and the IT Security team when conducting mock Cyberattacks?  Everybody seems to keep talking about doing them, but not about measuring the results at the end.  In my opinion, there should be a strong emphasis on this, as having this measure in mind will only push the IT Security team to sharpen their skills and response times for when an actual breach happens.

4)     Culture:

The sad fact of the matter is that we live in a reactive society.  We only act when something bad happens.  Therefore, there have been calls to create a new metric or group of metrics that reflect the overall proactiveness of the IT Security team on a real-time basis, and how that has led them to be successful (or not) in the detection and containment of a security breach.  But it is particularly important to keep in mind that this would be a qualitative metric to calculate, as more subjective variables must be included here as well.


5)     After:

Yes, the MTTR shows how long it takes for the IT Security team to contain the threat variant.  But what about afterwards?  Such as, how long does it take to restore mission-critical business operations?  How long does it take for the business to get back to the levels it was at before the security breach hit?  Some potential metrics here could revolve around both Disaster Recovery and Business Continuity.

My Thoughts on This:

Me personally, I do not like metrics, but in this case, I fully support them as they relate to Cybersecurity.  This is the only way that we will truly know if the CISO and the IT Security team are truly doing their jobs to the best levels that they can.  In the end, having good metrics will not only bring a strong reputational image in the eyes of the public, but it can also make or break whether money and budget are approved by the C-Suite for any kind of Cybersecurity efforts to be undertaken in the future.

Sunday, April 13, 2025

4 Ways The Cyberattacker Can Take Advantage Of The Tariff Chaos

One of my goals on this blog site is to remain as apolitical as possible.  But this is one time in which I am going to break this rule.  Just in the last week, our great country, the United States of America, has seen market swings that not even my parents, first-generation immigrants from India to this country, have ever seen.

Millions of diligent Americans who have sacrificed life and limb for this country have had their savings and retirement accounts totally decimated.  Of course, we all know where the fingers point to on this one, but I will not venture there.

Also adding to this turmoil are the mass layoffs that are occurring at the Federal Government agencies.  Because of this, many people are now starting to wonder just how vulnerable the United States is to a wide-scale Cyberattack.  IMHO, we are very prone to it.  But it may not be the direct impact that you might be imagining.  Rather, the Cyberattacker of today, who loves to thrive in chaos, will cause even more chaos.

How is this possible, you may be asking?  Well, many experts think the Cyberattacker will somehow try to sabotage the current negotiations that are taking place with those countries that have offered an olive branch.

There are many ways that this can happen, but one way, which is cheap and easy to do, is to spread false information around, mostly on social media sites such as Facebook, X, Instagram, and YouTube.

One of the best methods to do this is to create what is known as a “Deepfake”.  I have written about this in previous blogs, but essentially, it is a fake video of real people.  The goal is to make it look as authentic as possible.

In fact, the technology has gotten so advanced that it is even hard for the trained eye to discern that it is a fake.  So now imagine a Deepfake created of a US Trade Representative, claiming that progress is being made on cutting a deal with China, and that it will be sealed in just a matter of days.

The Cyberattacker then posts this on the platforms just mentioned, and in response the financial markets climb by over 1,000 points.  But later, when it is revealed that this was just fake news, the markets will whipsaw again, going down by a similar amount.  Essentially, people will let their guard down, making them extremely vulnerable.

Because of this, the Cyberattacker will then fully exploit this situation and insert malicious payloads wherever they can get access to an IT and Network Infrastructure.

Another way that the Cyberattacker can take advantage of this tariff chaos is to engage with a laid-off Federal Employee.  Take for instance a person who was just let go from the CIA.  It really is not too hard to get a list of people who have been affected in this regard.

Once the Cyberattacker has found a victim, they will then engage in the tactics of Social Engineering to lure them in.  At their weakest moment, they will then try to extract top-secret information or intelligence, and from the information gleaned from that, launch a large-scale attack.  Or worse yet, the Cyberattacker may just try to convince the CIA ex-worker to turn to the proverbial “Dark Side” by offering them a large amount of money to become an operative for a rogue nation.

Yet another trend that could transpire is that a Cyberattacking group from one nation that has been hit hard by the tariffs will try to recruit other groups from other nations that have been hit as well.  They can then all come together to rally around a common cause, which would be to support their fellow countrymen.

If this were to happen (and there is a good chance that it will), just imagine all the firepower that these Cyberattacking groups will have cumulatively.  A huge fear is that there could be multiple hits on the Critical Infrastructure, not just here in the United States, but on a global basis.  Just imagine not having water, fuel, or electricity for days on end.

A final way that a Cyberattacker can make their mark on their victim is to keep an eye on the share price of businesses that have been or will be impacted by these tariffs.  As they go down, you can rest assured that these companies will be spending far less on Cybersecurity in order to keep their doors open.

With these lowered defenses, the Cyberattacker can then easily make their grand entry and do what they want.  This would be the final nail in the coffin for businesses that are already struggling in the current tariff environment.

My Thoughts on This:

As I have also written before, humans tend to be creatures of habit.  We hate change, and worse yet, uncertainty.  But this is the kind of environment that the Cyberattacker thrives in; after all, this is when the population is at its weakest point.

Many Cyber experts are also warning businesses and consumers not to expect much help from the Federal Government, as CISA is facing budget cuts and mass layoffs of its own.

So, what is one to do?  My best advice here is to remain on top of things.  While you might be totally stressed out that your 401K is rapidly declining (as is mine), it is also important to keep in mind that there are other priorities as well, such as keeping you and your family safe from any kind of security breach.

Unfortunately, the rotten irony of all of this is that the one segment of society that is not impacted by tariffs is, and yep, you got it:  the Cyberattacker.

Sunday, April 6, 2025

5 Ways In Which Generative AI Can Be Used To Launch Social Engineering Attacks

Many of the threat variants of today in the Cyber Threat Landscape are born from some of the oldest ones.  In other words, the Cyberattacker does not want to start from nothing; instead, they would much rather “build a better mousetrap”, as we are seeing today.

A notable example of this is what is known as Social Engineering.  It can be technically defined as follows:

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making mistakes or giving away sensitive information.

(SOURCE :  https://www.imperva.com/learn/application-security/social-engineering-attack/)

So, as you can see, Social Engineering even predates the Roman Empire.  Because of that, anybody with a cunning mind who is willing to play on the emotions of human beings can quite easily launch this kind of attack.

When one thinks about it, the thought of engaging a victim through direct physical contact often comes to mind.  But given the recent advancements in Generative AI, launching this kind of threat vector has become easier and stealthier, and for that matter, does not even require that the Cyberattacker have any prior knowledge about their victim.

Another notable example of this would be Cyberbullying.  In this instance, the Cyberattacker can literally be thousands of miles away from their victim and build a strong virtual relationship with them.  Then, once the victim is most vulnerable, that is when the Cyberattacker will strike.

But Social Engineering does not have to directly impact a victim.  Rather, it can also be used to gather more detailed intelligence about a victim, or an even larger target.

I came across an article earlier today that describes how Generative AI can be used for this very purpose.  Here are some examples of it:

1)     Being able to attend a social gathering:

Generative AI was used for the following:

Ø  How to crash the event.

Ø  How to collect visual-based intelligence about the security guards.

Ø  The kinds of conversations to have while socializing with the other guests to extract intel.

2)     What to wear:

Generative AI was also used by the Cyberattacker to target a certain business by asking for the kinds of clothing that the employees typically wear.  By having this, the Cyberattacker would then be able to enter without hardly ever getting noticed.

3)     Faked documents:

Most of us have heard about how a Cyberattacker can easily replicate driver’s licenses and even credit cards.  This can even be taken to the extreme where Generative AI is used to create a fake employee ID badge and convince the security guard to let them past the main point of entry.

4)     Finding assets:

Just as you can get detailed views of houses and buildings on Google, the same can also be said of Generative AI.  But it can go one layer deeper.  For instance, if it were asked by the Cyberattacker where all the physical access security points lie (such as CCTVs, turnstiles, etc.), it would give that as well.  This would then allow them to covertly penetrate the business after work hours.

5)     Creating maps:

Most of us have used physical maps before, but guess what?  Generative AI can also be used by the Cyberattacker to create a detailed map of a targeted building or office space, by providing the following information:

Ø  Entryways into the building

Ø  The parking garages

Ø  The freight elevators

Ø  Where both the digital and physical assets lie

My Thoughts on This:

It all sounds scary, right?  Well, you better believe that it is.  When it comes to the above examples, these all relate to how the Cyberattacker can find vulnerabilities that do not exist in the digital realm.  Rather, they are all physically based, while the security policies of many organizations focus primarily on digital assets.

But guess what:  The physical assets are just as prone, or even more so, to a security breach.

What is the best way to mitigate this risk?  Conduct a Penetration Test just on the physical aspects of your business.  For example, this can include the main points of security, and even the lengths that security guards should go to when trying to confirm the identity of an individual who is trying to gain entry.

This is also known more technically as “Red Teaming”.  While doing these kinds of tests may not be the cheapest, at the end of the day, you will know just how Social Engineering Attacks, especially those powered by Generative AI, can be successfully launched against your business.  If you engage in this kind of exercise, you will be completely startled by just how weak your lines of defense are.

But this will give you the ammunition to beef them up, and to mitigate the risk of a Cyberattacker physically walking into your business and engaging in conversations with your employees.

The bottom line:  It is not just your digital assets that are vulnerable, even the physical ones are also!!!
