Cybersecurity defense needs a new game plan

Today’s well-funded and intelligent enemy is decentralized and not afraid to prod and poke around potential victims until they find a weak spot in their cybersecurity infrastructure.

"You can do a lot with technology and collaboration, but at the end of the day, it all comes back to people," said Frank Grimmelmann, president and chief executive at the Cyber Threat Response Alliance during his keynote address Monday at the ICSJWG 2016 Spring Conference in Scottsdale, AZ. "It doesn’t matter what sector you are in, you will be attacked, that is a fact."

While it may be simple to fall into an abyss and say the bad guys are always going to win.

"Are we going to keep looking every year and see things are getting worse? We are losing today," Grimmelmann said. "We are losing to an enemy that is very well-funded. We can go to the next level and write the book. We need to rethink the game plan."

Part of rethinking the game plan is better coordination of attack information between the private sector and the public sector.

Grimmelmann heads up the Arizona Cyber Threat Response Alliance, Inc. (ACTRA) which is a hub for collaborative cyber information sharing in a neutral environment where partners from industry, academia, law enforcement and intelligence come together, leveraging cross-sector resources to more effectively analyze critical, real time intelligence and respond to emerging cyber threats to Arizona’s Critical Infrastructure and Key Resources.

"We look at why private actionable evidence is not shared," he said. "Membership is private and public sector and we talk about intellectual property and economic security. We want member organizations to empower themselves and leverage resources back and forth with governmental resources. We want to be proactive and pull resources. We want to bridge private and public sectors."

Going back to the decentralized attackers, Grimmelman said a stronger perimeter defense is no longer as effective as it once was.

"The adversary is coming at us and we have to be right all the time," he said. "But sometimes we get caught up in the details" and forget the main priority. 

Along those lines, Grimmelman discussed the Verizon data breach report, where he pointed out there there 64,199 incidents and 2,200 breaches, which is a 3.5% success rate."You don’t want to be part of the 3.5%," he said. 

Grimmelman said the most successful types of attack include:

• Phishing
• Weak/default passwords
• Less time to breach than to discover
• Minimal common vulnerabilities and exposure (CVE) data
• Workstations/people.

As far as the key attack vectors, Grimmelmann reported from the Verizon report it was phishing and point of sale (POS).

Grimmelmann asked why should attackers go to the trouble of creating code to crack into a system when they can target people and social engineer the daylights out of them and learn passwords and get into the system that way.

He added that 95% of breaches were financially motivated. "With financially motivated attacks, everyone is open to attack."

Grimmelmann also talked about knowledge and working together could help stave off attacks like the grid attack in the Ukraine.

In December 2015, a significant power outage occurred in the Western area of Ukraine including the regional capital of Ivano-Frankivsk. Up to 700,000 homes went without electricity for three to six hours. Malware was a component of the attack. This was a case where a hacking incident involving an industrial control system affected ordinary citizens.

While no one knows the ultimate goal of the grid attack in the Ukraine, there were experts saying that attack was not sophisticated, Grimmelmann said, but he disagreed.

"I say it was very sophisticated. They took on three companies at the same time. It was not sophisticated in the type of attack code, but sophisticated in terms of coordination. It was a destructive attack, but restrained."

About two months after the attack officials determined it was an attack. What was interesting is when the attacks occurred, the energy company got its systems back up and running quickly. They didn’t wait for anyone to come in to investigate.

"We need to coordinate and collaborate, but you also need to be empowered and not wait for anybody else," Grimmelmann said.

There was another malware issue that became public last week and that was with a German nuclear plant. The Gundremmingen plant run by the German utility RWE had viruses, which include W32.Ramnit and Conficker, discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said. The operating system was saved because it wasn’t connected to the Internet.

Grimmelmann said issues included:

• Payload was in place since 2008
• Payload mismatch
• Officials had to bring the system down to remediate.

"The malware brought the nuclear power plant to its knees," Grimmelmann said.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.

ONLINE extra

See additional stories from ISSSource about safety below.

Original content can be found at www.isssource.com.

Do you have experience and expertise with the topics mentioned in this content? You should consider contributing to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.