As an organisation, it is necessary to have a good working backup system. Due to increasing cyber incidents, such as ransomware attacks, there is an increasing risk of data loss. Back-ups are therefore necessary to restore the systems quickly.

Depending on the size of the organisation, you can opt for a simple or a complex technical solution. The following points are always important:

  1. The backup plan

Document how the backups are made and maintained. Describe the technical aspects such as storage medium (USB drive; NAS; cloud); how this is organized and who is responsible. The following topics provide some guidance.

  1. The quality of the backup

Make regular backups of critical data and systems. And make sure that the working environment can be quickly restored from the backups. The more frequently backups are made, the less data will be lost if you are forced to restore. Your backups need to be up to date and the recovery tested regularly to ensure they’re working when needed. Practice shows that during incidents, companies were not always able to restore the system.

  1. The 3-2-1 rule (+1)

Is critical data stored in multiple backup locations?

It’s vital to have multiple backups and keep them separated. If one backup copy is compromised at least one other will remain secure. The most common method for creating a robust backup system is to follow the ‘3-2-1’ rule:  at least 3 copies, on 2 different devices and 1 off-site copy.  The off-site copy must be stored in another location as the live system. This strategy is popular because it is scalable with the growth of data and systems.

For increased security and a faster recovery, a second off-site copy is nowadays placed in the cloud in addition to the traditional single off-site copy. It becomes the 3-2-1+1 rule.

  1. Offline backup copy

Ransomware often encrypts not only the original data on the disk, but also the connected network storage drives containing data backups. Incidents show that ransomware also frequently compromises cloud storage locations with backups. Connect these backups only when necessary and keep 1 spare copy off-line at all times. This will prevent an infection from continuing from the system to all the backup copies.

Using cloud storage is safe as long as physical separation from your live environment is guaranteed. Crucially, when your offline backup is not in use, it must also be digitally disconnected. Unlike conventional backup storage, you can’t take your cloud storage offline by simply disconnecting it. Precautions need to be taken to achieve the same level of protection as a physical offline backup such as a portable drive. Access control to the backup copy needs to be carefully considered as well as identity management.

Conclusion

In addition of protecting your systems by firewalls, antivirus and other measures to prevent a hack, you must also be prepared that at a certain moment your defense fails and you are still hacked. It is strongly advised for all companies regardless of size, to set up a Business Continuity Plan where the backup plan is described.

Ewald Coenraad – Cyber Security Professional

The DCMR Environmental service conducted a study into the cybersecurity risks and resilience at BRZO/SEVESO companies in South Holland and Zeeland. DCMR stated that more attention is needed for digital resilience at this type of high risk companies.

This study shows that some larger companies in particular have already taken the necessary cyber security measures,  but that in general the companies are insufficiently prepared for cyber incidents. From an OT perspective, this research shows that 40% of the companies have taken limited or no protective measures to protect their industrial control systems and thus their factory. The results can be found on the DCMR website: https://www.dcmr.nl/actueel/nieuws/meer-aandacht-nodig-voor-digitale-weerbaarheid-risicovolle-bedrijven.

CR-TEAM can assist you to measure your cyber resilience posture both IT and OT. So you know your position. Interested? Contact us for more details.

On Thursday 23 September 2021 iTanks organizes a Pitch Breakfast at 07.30 am. The program MKB010>>Next inspires, informs and stimulates small and medium sized companies to do digital, sustainable and circular business. During the iTanks Pitch Breakfast MKB010>>Next a number of innovative parties from the iTanks network will pitch.

Especially for iTanks, Ewald Coenraad will give tips and tricks on Cyber Security on Thursday 23 September. The CR-Team – Cyber Resilience Team gives advice to make your company more resilient against cyber crime. Register via iTanks Pitch Ontbijt | MKB010>>Next | iTanks. View the promo video at:

We are the  and are an independent cyber security provider with a focus on securing Industrial Automation & Control Systems (IACS). With a broad spectrum of security services, we can improve the resilience of your OT infrastructure and defend the continuity of your operations. Our cyber specialist Ewald Coenraad has years of experience and decades of OT expertise. As a result, he understands the concerns within your company. Click here to read more about cyber security in the KH Engine.

The Coronavirus (COVID-19) affects us all in our daily work and requires measures to prevent it from spreading. The health of our employees, customers, business relations and partners remains our first priority. We therefore strictly follow government guidelines. Our products and services, as we carry them out on a daily basis, are decentralised from our offices as much as possible and we maximise working from home in accordance with instructions and possibilities. In this way we can continue to provide you with optimal support and we ensure that CR-Team, also in this difficult period, will provide the continuity of service to you as you have come to expect from us. The meetings with the project teams can take place by Skype or telephone and for the time being we will limit the physical meetings to what is strictly necessary.

Should you have any questions regarding the impact on your project, please do not hesitate to contact us.

Nist security functionsThe US Cert has reported on multiple critical vulnerabilities in Rockwell Automation PLC’s. The affected systems are:

  • MicroLogix 1400 Controllers,
  • MicroLogix 1100 Controllers,
  • RSLogix 500 Software

The bugs could allow an attacker to gain access to sensitive project file information, including passwords. Rating 9.8 out of 10 on the CVSS v3 severity scale, the bugs include the use of hard-coded cryptographic key; use of a broken or risky algorithm for password protection; use of client-side authentication; and clear text storage of sensitive information.

Bugs and vulnerabilities are a fact of our OT life. It all comes down to how recognizing you have vulnerabilities and how you respond to it. Doing nothing is not an option and therefore:

  • Know which assets you have,
  • Know their vulnerabilities,
  • Understand your threats,
  • Have a maintenance service plan,
  • Respond and solve the vulnerabilities.

Whereas visibility is the basis of security management, in practice we see the industry is struggling to produce an up-to-date asset inventory. CR-Team can help you to obtain visibility of all assets and connections in your OT network. Please check this page about security scans or reach out to us for more information.

Cyber ResilienceThis week it became public that multiple industrial facilities had interrupted operations due to ransomware attacks.

This led to a disruption of human-machine interfaces (HMIs), data historians, and polling servers, which were no longer able to process data from low-level industrial control systems (ICS). Human operators could no longer monitor processes, but the attack did not affect programmable logic controllers (PLCs) and the targeted organization never lost control of operations.

These were incidents that could have been prevented.

Segregation of IT and OT networks is a crucial security measure. But that is easier said than done…

Sure you can propagate a complete air gap but in reality that proves not to be practical strategy for the majority of companies. Firewalls are the right mitigation against cross-networks connectivity. Sounds like a straight forward solution: buy the hardware and licenses, install and done. Protection is in place! In practice however there is much more to managing this critical piece of infrastructure; the firewalls must be industry grade, configure following the default-deny principle and, very important, maintain them with patching and health assessments.

Make it periodic activity to review the configuration, policies and rules to ensure that your OT network is still properly separated. CR-Team can assist you with the review, assess your OT network for rogue access points, unauthorized remote access, unmanaged assets, active malware and other flaws in your protection.

Please reach out to us, we secure OT.

 

 

Every year the number of reported ICS vulnerabilities increases with about a third. In an IT world that is cumbersome but can be solved with an -automatic- patch round or scheduled update. In OT however we are not this flexible and need to work with our vulnerable systems for a longer period, until the impact of the update is extensively tested. Even that does not have to be a problem either because we take additional security measures and protect the OT from threats from IT and internet.

But what if our additional security measures are not effective? Or if we have more vulnerabilities than for which we have designed mitigating controls? That is the real problem. The OT environment is left under-protected which causes business continuity and product quality to be at risk.

 

 

Statistics of we issues we find in an average OT environment show that no less than a third of the issues can be classified as high/critical risk. These are issues that need immediate attention.

If we breakdown these issues to their cause we get the following chart.

 

 

 

These ‘usual suspects’ are causing serious threat to your OT environment:

  • systems and packages are missing security updates (33%)
  • access control is failing. For example because of default passwords (admin:admin), hard-coded credentials and insecure remote access. (25%)
  • misconfigurations and insecure services are present (10%)
  • the network is not segmented properly and allowing unrestricted traffic (11%)

It is a huge task not only to know your vulnerabilities but also to understand the best way to solve them. This is the expertise of CR-Team and we can support you.

We will start with performing a full inventory of your OT environment, because: “We can not protect what we do not know”. After adding context and discussing what we found we will propose a security remediation plan. Through our structured project approach it will be clear who is responsible for the actions and when the end state is delivered.

Reach out to us if you want to know how we can help you.

TrendMicro HoneypotA recent research paper about an ICS honeypot is great in several ways:

  1. It shows how easy it is to set up a fake company. These ‘companies’ can then be used for fraud and phishing (terminal spoofing for example) but also for malware distribution.
  2. You learn which vulnerabilities attract attackers.
  3. It describes perfectly how hackers exploit an exposed OT network.
  4. The impact of a hack becomes clear. Your OT network becomes compromised causing discontinuation of business.

The researchers make use of common design errors and configuration mistakes (vulnerabilities). The OT network design is incorrect leaving your critical network connected to the internet. If you allow remote access then make sure that the appropriate security controls are taken and that they are effective. Information like P&ID’s and network topologies are business confidential and must therefore not be shared through fileshares like Dropbox or sent to generic mailboxes. Information like this is gold in the hands of adversaries.

Contact us, we will be happy to explain how we can protect your IACS.

Read more about the research on the researchers website