
Simplifying Cyber Security for the Mining Industry


The COVID-19 pandemic has been detrimental to the world economy while flattening many industries. The mining industry was fortunate to be one of the very few industries to deliver exceptional growth throughout this period. Yet this growth has marked the mining industry out as a lucrative target for cybercriminals.


This Thanksgiving, Be Thankful for OT Security

Thanksgiving – when families get together and express gratitude for everything they have over some food and hopefully some football. For most families and especially security teams, this is a time for looking back to evaluate the past year and to give thanks for how far we’ve come. 

Looking back at the past 12 months for the OT security community, it was a challenging year: the industry was bombarded with an increasing number of successful ransomware attacks on industrial and critical infrastructure organizations. Instead of highlighting the attacks, we believe it’s better to focus on the different aspects of OT security that we are truly thankful for.

Here at SCADAfence, we are grateful for all the effort and innovation put in by our team and the collective OT security community. The sleepless nights and ongoing devotion to improving OT network visibility and security for industrial organizations are something everyone can be thankful for this Thanksgiving.

From the increasing awareness of IT-OT convergence to the US Government emphasizing the security risks of OT environments, 2021 is a clear example that OT security is headed in the right direction and gaining awareness among board members and C-level executives worldwide.

As we look at last year and move forward, here are the 5 reasons why we are thankful for OT security. 

IT-OT Convergence

Just like on Thanksgiving, some family members might not see eye to eye at first but by the end of the night, everyone is happy and in agreement. This yearly experience is very relatable for security experts in IT and OT teams as they need to work together when it comes to the responsibility of OT security and converging networks.  

Up until recently, IT and OT teams rarely worked together as OT security teams were not in charge of advanced threats and IT security. With the advancement of operational technology and the adoption of industrial IoT devices, the need to converge IT and OT networks and systems is becoming more popular by the day with industrial organizations. 

With the increasing use of IP-based communications with OT devices, IT and OT teams face a bigger challenge in understanding who is in charge of securing OT systems, and this has created a cultural divide between the teams. Technical barriers between IT and OT teams and the lack of clear ownership are the key reasons why they are less open to working together. While awareness of this challenge is increasing, we are seeing more organizations invest in technologies and governance platforms to ensure improved collaboration, as they see that proper IT-OT convergence is a crucial part of their cyber security program.

Similar to families making up at the end of Thanksgiving dinner, when IT and OT teams come to the same table to wine and dine, the result can be improved visibility and transparency for an organization’s complete network security. At SCADAfence we have seen many of our customers adopt a seamless IT-OT convergence approach, including one of the leading oil and gas organizations, which now has complete network visibility into all 71 of its global production sites.

OT Detection & Response

As industrial organizations become more interconnected, they potentially have more exposure to vulnerabilities. The high cost of industrial equipment and the damages to communities and economies that an attack could cause are key factors for organizations who are looking to protect their industrial networks. In addition, aging legacy equipment in factories, safety regulations that forbid any modifications being made to equipment and industry compliance regulations have created quite the challenge for OT teams.

Despite all of this, it is possible to secure industrial networks without disturbing regular operations and without risking non-compliance. By using OT security solutions that provide continuous threat detection and establishing the right security policies, OT security teams can put an effective OT strategy in place that will protect their organization’s processes, people and profit while significantly reducing security incidents and vulnerabilities.

Asset Inventory Management 

Effective cyber security in OT requires a deep foundation of asset information. Until recently, OT teams didn’t have the resources or tools to maintain such an asset inventory. When organizations don’t deploy asset inventory management within an OT environment, it creates a major visibility hole, as they won’t know the security status of their environments.

In some cases, industrial organizations will only create a simplified asset inventory that captures the data needed for specific security tasks. Organizations need to change their approach to asset inventory management and see it as the foundation of their OT security program.

When new vulnerabilities are detected in OT networks and devices, organizations rely on their asset inventory to decide the severity of the vulnerability, how to patch the device and how it affects their environments. With an automated asset inventory, industrial organizations increase the productivity and efficiency of their OT teams by quickly managing their asset data to detect and protect their environments, all in one dashboard.

Governance and Compliance 

Compliance regulations in OT are another aspect for security leaders to be thankful for, as they are crucial for the security and production of industrial organizations. In recent years, there has been a growing demand for standards and guidelines to manage the risk exposure of OT infrastructures. IT and OT departments, which typically manage the cyber security standards across the organization, are now required to monitor compliance with these standards across the various OT locations. On the other hand, the information provided today by the various IT tools is dispersed and technical in nature. This makes translating it into risks and prioritizing actionable mitigations very challenging and time-consuming.

Organizations need to automate their governance processes with a solution that enables the IT and OT departments to centrally define and monitor the organization’s adherence to internal policies and to OT-related regulations. The solution should be configured and managed from a central location and aggregate compliance information from all sites in the organization. It should also connect to other security systems, providing a cross-organizational, comprehensive compliance posture.

OT Remote Access

Industrial organizations have undergone an evolution: most OT environments used to be isolated systems, and now most OT systems are connected to the internet. This is occurring because organizations are deploying new technology that allows increased remote access to OT systems.

Providing remote access to OT systems gives industrial organizations an advantage, but it also comes with more risk: increasing the connectivity of OT systems and devices to the internet can result in exploitation via cyber attacks. The constant increase of attacks on critical infrastructure and the convergence of IT and OT systems have quickly increased the adoption of remote access security in critical infrastructure and industrial organizations.

To address remote access security risks within OT environments, organizations need to deploy OT security solutions with integrated remote access features that are specifically designed for OT environments. An OT security platform that integrates remote access security without requiring any changes to the network architecture ensures that the OT systems are properly configured to detect and correlate remote user activity and to detect any malicious network activity.

Lastly, all of us at SCADAfence would like to thank our readers. It’s a privilege to share our passion for a subject with fellow security-minded folks. We wish everyone who’s celebrating a safe and happy Thanksgiving!

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

To Patch or Not to Patch in OT


When organizations are seeking out the right cybersecurity controls for their OT environments and devices, the clear objective is to decrease and eliminate risks. Too often organizations only adopt the minimal level of security. While each organization defines its security risk levels, it is often based on their production environments, industrial devices and the critical risk factor of their facility production.


Implementing Zero Trust Security in OT Environments

In 2021, the increasing number of cyber security attacks on major critical infrastructure operators grabbed the headlines. The successful attacks targeted different industrial sectors such as oil pipelines, food manufacturers, and water and wastewater facilities. Up until these attacks occurred, the media and the industrial sectors paid little attention to the cybersecurity of critical infrastructure. 

Integrate IBM QRadar SIEM with SCADAfence For Complete OT Visibility

CISOs and security teams face an uphill battle when it comes to detecting and mitigating ever more frequent and sophisticated cyber threats, especially in OT environments.

Cyber attackers are learning new tactics, getting more creative, and are becoming more relentless than ever to exploit industrial organizations. As seen in the Oldsmar water system attack and the Colonial Pipeline ransomware attack, adversaries are targeting IT and OT environments to inflict damage on organizations that can affect the daily lives of civilians.

Considering the evolving and ever-expanding threat landscape, security and incident response teams might feel lost at times when defending their OT networks. Even more so with the recent convergence of IT and operational technology (OT) threats, industrial organizations are seeking new practices for leveraging their existing IT security stack to address the new cyber threats targeting OT environments.

This is where SCADAfence and IBM QRadar have partnered to create a joint integration that tackles OT security challenges. Now security teams who use IBM QRadar can get the visibility and security required for adopting advanced Industrial IoT and OT technologies. This new integration allows users to simply feed alerts from the SCADAfence Platform into their QRadar feed, as well as view them in a dedicated SCADAfence dashboard.


Diagram 01. The SCADAfence & IBM QRadar integration dashboard

Many industrial organizations count on IBM Security QRadar, an intelligent SIEM, to provide actionable threat intelligence to help detect and respond to security incidents that need to be mitigated. SCADAfence’s integration with IBM QRadar allows our joint customers to capitalize further on their current security stack, so they can have complete visibility into their OT networks with real-time alerts, all in one user-friendly dashboard.

Leveraging SCADAfence and IBM QRadar

CISOs and their organizations are always looking to enable their IT and security teams to detect and respond to security incidents more efficiently, while at the same time simplifying how they address the lack of visibility into the security of OT environments. At SCADAfence, we believe we can achieve more through collaboration and integrations. Organizations can combine the SCADAfence OT security platform and its alerting with QRadar’s strengths across all their industrial OT and IIoT environments, getting complete OT visibility and threat detection and responding to security incidents all in one dashboard.


Diagram 02. The SCADAfence & IBM QRadar integration alerts dashboard

Complete OT Network Visibility 

SCADAfence’s leading OT security platform is configured to minimize any interruption to the normal operation of the customer environment. It provides OT insights and produces risk management recommendations appropriate to your organization’s needs. This is accomplished by discovering the assets and their roles in the network, which provides visibility into their behavior. With a wide range of algorithms and mechanisms, the SCADAfence Platform detects anomalies that can compromise security, safety and reliability.

Multi-Layered Approach to OT Defense

Easily integrate the benefits of the SCADAfence Platform to provide endpoint controls with behavioral indicators of compromise across endpoints and operational networks. This will allow IBM QRadar users to have the visibility to respond across IIoT and OT environments, all within a single dashboard. This integration empowers customers with SCADAfence’s OT security technology while providing the needed visibility into OT equipment.

Automated Asset Inventory 

The SCADAfence Platform allows IBM QRadar customers to automatically discover their entire asset inventory and continuously keep it up to date with detailed information on all the devices connected to their OT networks. Regardless of the vendors and controllers deployed in the infrastructure, the platform automatically generates an asset inventory without needing any prior knowledge.

Efficient Detection of Incidents

With IBM QRadar and SCADAfence, users can correlate network traffic behavior with host and user behaviors across multiple network areas. Easily surface critical events and detect incidents across machines and networks that would previously go completely undetected. Quickly react and precisely prevent further attack propagation with an automatic correlation of OT manipulation commands with compromised host indications.

Proactive Operational Insights

The SCADAfence Platform continuously alerts IBM QRadar users to any abnormal behavior or configuration changes that may have an impact on the stability of their operations, before it actually affects them. The SCADAfence Platform uses the most advanced OT security technology to gain the most up-to-date industry insights, which helps provide users with better security alerts and recommendations on how to remediate today’s OT vulnerabilities that may impact their environment.


Diagram 03. The SCADAfence & IBM QRadar integration log activity dashboard

Discover the instant value of OT security in your QRadar environment. Mutual customers with an active subscription to SCADAfence can go to the IBM Security App Exchange and download the SCADAfence Platform integration for IBM QRadar.


Fueled by Innovation, SCADAfence Launches Largest Product Rollout Yet

Over time, we have learned that we develop products not for our own innovation, but for you the customers, to help improve your OT security. In 2021, we were excited to launch three newly designed products that include many new features that will improve your OT security experience.

We launched the SCADAfence Platform 6.6, Governance Portal 2.0 and the Multi-Site Portal 2.6. We launched these new product versions to ensure that we offer the industry’s leading industrial cybersecurity products, providing the best detection and response capabilities in large-scale OT networks, asset discovery and governance. The new features include support for the MITRE ATT&CK framework for ICS, many new security alerts, improvements to our state-of-the-art technology, enhanced reporting, new zero trust capabilities and more.

With the combination of our additional new funding and the hiring of top experts in R&D and the executive team, 2021 has truly been an amazing year for SCADAfence. We have strengthened our leading OT security offering to provide the most advanced and cutting-edge technology in the OT security industry.

After months of extensive testing by internal and external research teams, the SCADAfence Platform version 6.6 consistently demonstrated best-in-class performance and provided 100% detection with close to zero false positives.

Current customers can upgrade their SCADAfence Platform to the latest version and see the new features in action. But let’s take a closer look at the main new features, with some screenshots.

Designed for our users, by our users

After talking to our rapidly expanding customer base and asking how we can make their user experience as efficient as possible, it was time for a further optimized UI design. We’ve updated all our products’ user interfaces with a smoother and sleeker feel, designed with ease of use in mind and based on customer feedback.

Our new UI will allow our customers and their OT security teams to easily manage their OT environments while navigating through the platform.


Diagram 01. The SCADAfence Platform’s Assets Manager dashboard

The ‘Einstein’ Baseline

We’ve always prided ourselves on having the most advanced baseline technology in the industry, with over 40% more accuracy than other solutions in the OT security market. According to Gartner’s Vam Voster, “SCADAfence’s self-tuning baseline minimizes false positives; this means that no user configuration is required, nor is any stop-and-restart needed to relearn. This system allows for a scalable solution for a huge organization and seamless integration with OT networks.”

With the SCADAfence Platform, our customers’ baseline period takes just 2 days, unlike our competitors, who tend to take up to six weeks. On top of the short baseline period, we wanted to make our industry-leading baseline even more advanced and accurate, so we are excited to introduce our new ‘Einstein’ baseline.

Unlike other OT security solutions, SCADAfence’s new ‘Einstein’ baseline continuously updates and learns from the latest network traffic, and will “forget” old behavior that is no longer relevant to the customer’s environments and systems. This results in the detection of new malicious behavior, which increases visibility into networks, even if they were already infected or compromised during the initial learning phase.

In addition, changes in network behavior might occur due to changes in process or network equipment. This also requires an adaptation of the baseline.

This is a major improvement in the accuracy of the detection, and coping with dynamic networks.
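As an added illustration (this is not SCADAfence’s code and not a description of how the Einstein baseline is implemented), a minimal sliding-window baseline in Python shows the behavior described above: flows seen during the learning period are trusted, flows that stop occurring age out of the baseline, and a forgotten flow that reappears later raises an alert that a static baseline would miss. The hosts, protocol names and the 2-day learning window are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One observed conversation: source host, destination host and OT protocol."""
    src: str
    dst: str
    proto: str


class SlidingBaseline:
    """Adaptive baseline that forgets flows not seen within `window` days.

    window=None gives a static baseline (nothing is ever forgotten), used
    here only for comparison. Times are in days since monitoring started.
    """

    def __init__(self, learn_until: float, window: Optional[float] = None):
        self.learn_until = learn_until   # end of the initial learning period
        self.window = window             # how long an unseen flow stays trusted
        self.last_seen: dict[Flow, float] = {}

    def _forget_stale(self, now: float) -> None:
        # Age out flows that have not been observed within the window.
        if self.window is None:
            return
        stale = [f for f, t in self.last_seen.items() if now - t > self.window]
        for f in stale:
            del self.last_seen[f]

    def observe(self, flow: Flow, now: float) -> bool:
        """Record the flow; return True if it should raise an alert."""
        self._forget_stale(now)
        known = flow in self.last_seen
        self.last_seen[flow] = now       # refresh (or add) the flow
        if now < self.learn_until:
            return False                 # learning period: populate silently
        return not known                 # new or forgotten flow -> alert


# Constructed sample flows (hypothetical hosts, not from any real network).
HMI_POLL = Flow("hmi-01", "plc-07", "S7")          # legitimate daily polling
ENG_DOWNLOAD = Flow("eng-ws-03", "plc-07", "S7")   # seen once during learning
UNKNOWN_HOST = Flow("10.0.9.55", "plc-07", "S7")   # appears later, never seen


def constructed_traffic() -> list[tuple[float, Flow]]:
    """Two weeks of constructed traffic, as (day, flow) pairs in time order."""
    events = [(float(day), HMI_POLL) for day in range(15)]
    events.append((1.5, ENG_DOWNLOAD))   # inside the learning period
    events.append((5.0, UNKNOWN_HOST))   # after learning: should alert
    events.append((12.0, ENG_DOWNLOAD))  # reappears long after it was last seen
    return sorted(events, key=lambda e: e[0])


def run(baseline: SlidingBaseline, events) -> list[tuple[float, Flow]]:
    """Feed the events through the baseline and collect the alerts it raises."""
    return [(t, f) for t, f in events if baseline.observe(f, t)]


if __name__ == "__main__":
    traffic = constructed_traffic()
    # Adaptive: 2-day learning period, flows forgotten after 7 unseen days.
    print("adaptive:", run(SlidingBaseline(learn_until=2.0, window=7.0), traffic))
    # Static: same learning period, nothing is ever forgotten.
    print("static:  ", run(SlidingBaseline(learn_until=2.0), traffic))
```

The adaptive run alerts on both the unknown host (day 5) and the engineering download that reappears on day 12, while the static baseline stays silent on the second because it was learned during the initial phase.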

New System Mode – Offline PCAP Analysis

SCADAfence’s customers and partners can now run PCAP analysis for offline risk assessment. Offline analysis allows customers and partners to take traffic capture files from their network and analyze them offline. This gives users a better understanding of their network traffic without affecting their current network. The feature has been designed specifically to provide completely offline analysis without interference from live network traffic.

Governance 2.0

The SCADAfence Platform release 6.6 comes with the latest version of our IT/OT Governance and compliance portal. After continuous feedback from our customers and dozens of deployments of the Governance portal, we updated our industry-leading governance portal. In addition to a complete UI facelift, the new Governance Portal version 2.0 is faster, has more advanced results and covers more compliance regulations. In fact, we’ve added nine new compliance frameworks to fit our customers’ growing compliance needs.


Diagram 02. The SCADAfence Governance Dashboard

Scaling with SCADAfence’s Multi-Site Version 2.6

SCADAfence’s customer deployments are growing to the point where they reach hundreds of sites. Configuring each site’s settings individually is a significant burden for most administrators. With the SCADAfence Multi-Site Portal’s Central Configuration, this is no longer an issue.


Diagram 03. The SCADAfence Multi-Site Dashboard

The Multi-Site Portal now allows customers to distribute their configurations from the Multi-Site Portal to the SCADAfence Platforms at all their sites. The security configuration is managed via profiles and covers many security aspects, including alert policy, IP groups, central licensing, third-party tool integrations and more.

By deploying central configuration, administrators now save time and increase productivity and efficiency when using the SCADAfence Platform across their multiple sites.

Central Software Updates

As part of the central configuration capabilities, SCADAfence customers can now update the SCADAfence Platform software from the Multi-Site Portal. This new feature allows customers to upgrade the SCADAfence Platforms at all their sites to the latest version centrally from the Multi-Site Portal, without the need to access each site’s Platform and upgrade it manually.

This gives organizations and their administrators the flexibility to manage their sites and OT networks more effectively, which improves productivity and saves time.

Sprinting Into 2022

This latest product release had a strong emphasis on user experience, security and improving the management of different industrial protocols (ENIP/CIP, S7, BACnet, etc.). In conclusion, the SCADAfence Platform version 6.6 enables organizations in manufacturing, critical infrastructures and more industrial sectors to operate securely, reliably and efficiently with the right amount of OT security within their industrial environments.

We’re confident that these updates and those coming in the future will bring a better experience for users and we are here to help with all your OT security needs.


White House Pushes for Stronger Critical Infrastructure Security

In the wake of the ransomware attacks on Colonial Pipeline, JBS Foods, the Oldsmar, Florida water system and other critical infrastructure, President Joe Biden signed a national security memorandum aimed at strengthening the cybersecurity of critical infrastructure. The goal of this memorandum is to establish improved information sharing and collaboration initiatives with the private sector. Additionally, the White House wants to raise the security of ICS and address the different security risks and vulnerabilities in critical infrastructure environments.

The National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems formalizes the Industrial Control Systems (ICS) Cybersecurity Initiative, which directs the Department of Homeland Security and the Department of Commerce, through its National Institute of Standards and Technology (NIST), to create and issue cybersecurity performance goals for critical infrastructure.

Through this new initiative, the federal government and the critical infrastructure sector will work together to defend the critical infrastructure of the United States. The memorandum calls for “Encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.”

Additionally, the memorandum will increase the adoption of cyber security solutions that provide better visibility into ICS: “The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.”

Another objective of this initiative to strengthen the security of ICS is to deploy interconnected industrial sensor technology. By deploying sensors, critical infrastructure operators will enhance their visibility into security events in their operational systems.

This will allow organizations to detect any intrusion on their network more quickly. As quoted in the memorandum, “We cannot address threats we cannot see; therefore, deploying technologies that can monitor control systems and detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”

Why The Industrial Control Systems Cybersecurity Initiative Matters

Following on from the Biden Administration’s recent cyber security executive order, the memorandum establishes the Industrial Control Systems Cybersecurity Initiative (the “ICS Initiative”). The ICS Initiative is a collaborative effort between the Federal Government and the critical infrastructure community to improve the cybersecurity of systems supporting national critical functions.

This new initiative is important for the critical infrastructure sector as it encourages, facilitates and scales the deployment of ICS security technologies to monitor and detect malicious activity and provide the right mitigation steps in response to cyber attacks. By using the ICS Initiative as guidance, the Federal Government will collaborate with the industrial sectors to share different cyber threat information for ICS systems of critical infrastructures.

Initially, this initiative was launched in April 2021 with a pilot effort within the electricity subsector, with over 150 electricity utilities representing almost 90 million customers agreeing to deploy control system cyber security technologies. The same effort is underway with the natural gas pipeline sector, which will be followed by water and wastewater, chemical and other sectors later this year.

Critical Infrastructure Cybersecurity Performance Goals

The memorandum also directs government agencies to create and issue baseline cybersecurity goals across the critical infrastructure sectors. The specific security controls needed will depend on the control systems in each critical infrastructure environment.

These measures will “further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety,” according to the memorandum.

NIST and CISA will establish the preliminary goals for control systems for critical infrastructures sectors by Sept. 22, 2021. Then the final cross-sector control systems goals will be published by July 28, 2022.

“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the memorandum states.

Moving Forward

ICS security is not an easy task, and defending the wide range of industrial networks and facilities is often neglected or under-resourced. Creating a voluntary collaboration between infrastructure operators and the government’s cyber security agencies will strengthen awareness of the different attacks on critical infrastructure.

The US government's strong emphasis on visibility is a smart move: you cannot defend assets you cannot see. Research into and deployment of cyber security for ICS is only now starting to change for the better. Legacy systems that were once physically isolated are being connected to corporate networks and the Internet, and that interconnection has created security risks for the critical infrastructure sectors that have not yet been properly evaluated. The memorandum is a good first step toward better ICS security, but it is one small step on a long road to more secure critical infrastructure sectors.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

OT Networks Are the Low-Hanging Fruit for Supply Chain Attacks

Looking back at 2020 and 2021, the first thing that comes to mind is the series of supply chain attacks on the industrial sectors. Threat actors successfully compromised the industrial control systems (ICS) and operational technology (OT) networks of some of the largest organizations in the world.

As more industrial organizations connect their OT networks to the Internet and to cloud services for the Industrial Internet of Things (IIoT), security teams need to rethink how they protect against attacks. Connecting legacy operational devices to the modern Internet has opened a new threat landscape, and adversaries are targeting organizations through their suppliers. A supply chain attack gives the attacker a trusted entry point into an organization, from which they can move laterally within the network and, in some cases, compromise thousands of victims along the way.

In 2020 and 2021, the most popular attack methods were targeted ransomware and supply chain attacks. In the SolarWinds Orion/Sunburst breach, a well-planned supply chain compromise reached over 18,000 organizations that installed the trojanized update, with more than 200 of them singled out for follow-on intrusion using the Sunburst malware. This enormous attack was a wake-up call to the security and global community about the potential impact of a supply chain attack. More importantly, security teams at industrial organizations had to rethink their security strategies in light of the new threat landscape.

The quick lesson from SolarWinds is that when the supply chain breaks down, the consequences can be devastating and far-reaching. A more recent example in a popular industrial sector was the Colonial Pipeline ransomware attack: one of the largest fuel pipelines in the US halted operations after ransomware hit the company's networks. Although it was a targeted ransomware attack rather than a supply chain attack, it reinforced the point that critical infrastructure systems often lack proper security technology and are an easy target for cybercriminals.

Thinking Like an Adversary: How to Attack Via Supply Chains 

Cyber attacks often do not target a single victim; they target an entire industry, or a well-known vendor, by compromising the supply chain. In most cases the attacker abuses the trust an organization places in a supplier to infiltrate its network.

The most recent example of a successful supply chain attack is the Kaseya ransomware attack. Kaseya, an IT solutions developer for MSPs and enterprise clients, fell victim to a cyberattack on July 2, 2021. The attackers carried out a supply chain ransomware attack by exploiting a vulnerability in Kaseya's VSA software against multiple managed service providers (MSPs), and through them their customers. As of today, an estimated 800 to 1,500 small to medium-sized companies were hit with ransomware through their MSP. This shows how far a successful supply chain attack can spread.

In OT environments, supply chain attacks can go deeper. Many manufacturers of OT systems build their equipment from sourced components, often including third-party software and network interfaces. If that third-party code is compromised, an adversary can infiltrate otherwise secure networks through a backdoor built into the equipment itself.

Compromised equipment can enter a system at any point in its life cycle. The most common ways a compromised supply chain reaches an OT network are malware and ransomware delivered through trusted software or updates, and insecure devices. The recent supply chain attacks have also raised the question of how device patching should be handled in OT environments.

Device patching is often thought of as a basic cyber security process. At first glance it looks simple: apply the updates that the device vendor provides to close security holes in OT assets. In practice, industrial patch management is a cycle: identify available patches and the vulnerabilities they address, review each patch, design the deployment and any interim mitigation steps, deploy the patch, and re-establish the baseline data afterwards.

While the idea is basic, security teams too often overlook this practice. Device patching is also not as straightforward as it seems; it is probably the single most time-consuming task for OT security teams, since many devices can only be updated during a planned maintenance window. To help with the process we wrote a white paper that discusses the cost of patching industrial devices and the vulnerabilities discovered on them. The SCADAfence Comprehensive Guide To Industrial Device Patching can be downloaded here.
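The patch management cycle above is easiest to see as code. The following is an added example, not SCADAfence's code and not taken from the white paper: it matches a constructed asset inventory against constructed vendor advisories (the vendors, models, firmware versions and advisory identifiers are all hypothetical), scores each affected asset by severity and exposure, and decides whether the fix waits for a maintenance window or needs an interim mitigation first. It also shows why firmware versions must be compared numerically rather than as strings.

```python
"""Added example (not SCADAfence's code): patch triage over an OT asset inventory.

Walks the cycle described above: identify which advisories apply to which
assets, review and prioritise them, and plan deployment. The vendors, models,
advisory IDs and assets are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str            # dotted version string as reported by the device
    zone: str                # "cell" (process network) or "dmz" (IT/OT boundary)
    safety_critical: bool    # True: can only be touched in a maintenance window
    internet_exposed: bool


@dataclass
class Advisory:
    advisory_id: str         # hypothetical identifier, e.g. "ADV-2021-001"
    vendor: str
    model: str
    fixed_in: str            # first firmware version that contains the fix
    cvss: float
    exploited_in_wild: bool


def parse_version(v: str) -> tuple:
    """Compare versions numerically: "2.10.0" > "2.9.0", which a plain
    string comparison would get wrong."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.vendor == adv.vendor and asset.model == adv.model
            and parse_version(asset.firmware) < parse_version(adv.fixed_in))


def priority(asset: Asset, adv: Advisory) -> float:
    """Severity plus exposure. The weights are an assumption; tune them per site."""
    score = adv.cvss
    if adv.exploited_in_wild:
        score += 3.0
    if asset.internet_exposed:
        score += 2.0
    if asset.zone == "dmz":
        score += 1.0
    return score


def plan_action(asset: Asset, score: float) -> str:
    """Deployment decision: safety-critical devices wait for a window, but a
    high score means an interim mitigation (segmentation, ACL) goes in first."""
    when = ("next planned maintenance window" if asset.safety_critical
            else "next change window")
    if score >= 12.0:
        return "apply interim mitigation now; patch in " + when
    return "patch in " + when


def triage(assets, advisories):
    """Return [(asset_name, advisory_id, score, action)], highest score first."""
    plan = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                score = priority(asset, adv)
                plan.append((asset.name, adv.advisory_id, score, plan_action(asset, score)))
    plan.sort(key=lambda row: row[2], reverse=True)
    return plan


# Constructed inventory and advisories (not real products or CVEs).
ASSETS = [
    Asset("PLC-Line1", "AcmePLC", "X100", "2.1.0", "cell", True, False),
    Asset("PLC-Line2", "AcmePLC", "X100", "2.2.0", "cell", True, False),
    Asset("RTU-Remote", "AcmePLC", "X100", "2.0.9", "dmz", False, True),
    Asset("HMI-Line1", "AcmeHMI", "H20", "4.10.2", "cell", False, False),
]
ADVISORIES = [
    Advisory("ADV-2021-001", "AcmePLC", "X100", "2.2.0", 9.8, True),
    Advisory("ADV-2021-002", "AcmeHMI", "H20", "4.9.0", 7.5, False),   # HMI is already newer
    Advisory("ADV-2021-003", "AcmeHMI", "H20", "4.11.0", 6.5, False),
]

if __name__ == "__main__":
    for name, adv_id, score, action in triage(ASSETS, ADVISORIES):
        print(f"{score:5.1f}  {name:<11} {adv_id}  {action}")
```

In this constructed data the Internet-exposed RTU in the DMZ outranks the safety-critical line PLC even though both run the same vulnerable firmware, and the HMI on 4.10.2 is correctly treated as newer than the 4.9.0 fix; feeding the platform's real inventory export into `ASSETS` is the only change needed to use it for a site.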

Why Supply Chain Attacks Target Industrial Manufacturers 

Every day, attackers find new methods to exploit organizations in places they would not expect. This has become the reality for industrial organizations, which continue to fall victim to cyber attacks and especially to supply chain attacks. Most industrial manufacturers now work with multiple suppliers and service providers to adapt to technology changes and raise production numbers. While this is great for productivity, security is often forgotten: the required resources and time are not provided, which results in minimal or no inspection of the potential cyber threats.

As a result, industrial manufacturers have become prime targets for supply chain attacks, because they are embedded within the supply chains of critical infrastructure such as water and wastewater, oil and gas, and food and beverage. Threat actors are motivated by physical harm, financial gain and, in some cases, theft of intellectual property.

For OT systems and industrial control systems, the potential consequences of a supply chain attack include damage to the industrial system, danger to the health and safety of employees and citizens, physical damage to manufacturing plants, downtime, and, most commonly, disruption further down the supply chain and lost productivity and production.

As more successful supply chain attacks hit the industrial manufacturing industry, better OT security and improved security hygiene will be among the top security priorities moving forward. What security steps should manufacturing organizations take to avoid becoming the next victim of a supply chain attack?

How to Protect the Unique OT Environments

Before OT networks can be secured, organizations need the right team handling OT security. Too often industrial organizations expect their IT security team to also handle OT assets. Instead, they should consider a dedicated OT security team that owns the different OT technologies and equipment, such as smart meters and PLCs.

Once a dedicated OT security team is in place, the organization needs to let that team build a concrete OT security strategy. This is what allows the team to quickly detect and close security holes in the industrial systems as threats against OT networks and devices grow in number and sophistication.

After the OT security strategy is in place, the next important change is to bring supply chain security into the OT environment. That starts with understanding which external vendors have access to the organization's internal OT networks and systems.

Organizations must clearly identify how external vendors access their systems and who is responsible for that access. This lets every party in the supply chain keep communicating, which translates into better visibility into OT networks and assets.

Additionally, industrial organizations need to know what devices are on their OT networks. That means maintaining an asset inventory that lets the organization visualize every asset on the network and understand each asset's details and security state.
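The two checks above, knowing which vendors reach the OT network and knowing which assets are actually on it, can both be driven from passively collected flow records. The following is an added example and not SCADAfence's code: it compares constructed flow records against a hypothetical register of approved vendor remote access (source ranges, target assets, ports and a working-hours window) and against a hypothetical asset inventory, reporting vendor sessions that are unregistered or outside their window and OT addresses that appear on the wire but not in the inventory. The addresses, register, inventory and flows are all constructed.

```python
"""Added example (not SCADAfence's code): passive review of third-party access
into an OT network, plus a check of the asset inventory against what is
actually seen on the wire. The flow records, addresses, vendor register and
inventory are all constructed for illustration; 203.0.113.0/24 and
198.51.100.0/24 are documentation address ranges.
"""
import ipaddress
from datetime import datetime, time

OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")

# What the OT team believes is on the network (hypothetical inventory).
INVENTORY = {"10.10.1.5": "PLC-Line1", "10.10.1.20": "HMI-Line1", "10.10.2.7": "EWS-Line2"}

# Register of approved vendor remote access: who may reach what, on which
# ports, and when. Anything not matching a rule is unregistered access.
VENDOR_ACCESS = {
    "acme-integrator": {
        "sources": [ipaddress.ip_network("203.0.113.0/24")],
        "targets": {"10.10.1.5"},
        "ports": {3389, 5900},
        "window": (time(8, 0), time(18, 0)),   # site-local working hours
    },
}

# Constructed flow records: (timestamp, source, destination, destination port).
FLOWS = [
    (datetime(2021, 11, 15, 10, 15), "203.0.113.10", "10.10.1.5", 3389),
    (datetime(2021, 11, 15, 23, 40), "203.0.113.10", "10.10.1.5", 3389),
    (datetime(2021, 11, 15, 11, 5), "198.51.100.7", "10.10.1.20", 5900),
    (datetime(2021, 11, 15, 11, 6), "203.0.113.10", "10.10.2.7", 22),
    (datetime(2021, 11, 15, 12, 0), "10.10.1.20", "10.10.1.5", 502),
    (datetime(2021, 11, 15, 12, 1), "10.10.1.20", "10.10.3.9", 502),
]


def classify_external(flow):
    """For a flow entering the OT network from outside, return
    ("allowed" | "outside-window" | "unregistered", vendor_or_None).
    Returns None for flows that do not cross into OT from outside."""
    ts, src, dst, dport = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in OT_NETWORK or src_ip in OT_NETWORK:
        return None
    for vendor, rule in VENDOR_ACCESS.items():
        if (any(src_ip in net for net in rule["sources"])
                and dst in rule["targets"] and dport in rule["ports"]):
            start, end = rule["window"]
            if start <= ts.time() <= end:
                return ("allowed", vendor)
            return ("outside-window", vendor)
    return ("unregistered", None)


def access_findings(flows):
    """Every external flow into OT that the register does not explicitly allow."""
    findings = []
    for flow in flows:
        verdict = classify_external(flow)
        if verdict and verdict[0] != "allowed":
            ts, src, dst, dport = flow
            findings.append({
                "time": ts.isoformat(), "src": src, "dst": dst, "port": dport,
                "asset": INVENTORY.get(dst, "UNKNOWN"),
                "verdict": verdict[0], "vendor": verdict[1],
            })
    return findings


def unknown_assets(flows):
    """OT addresses seen in traffic that are missing from the inventory."""
    seen = set()
    for _, src, dst, _ in flows:
        for addr in (src, dst):
            if ipaddress.ip_address(addr) in OT_NETWORK:
                seen.add(addr)
    return sorted(seen - set(INVENTORY))


if __name__ == "__main__":
    for finding in access_findings(FLOWS):
        print(finding)
    print("on the wire but not in inventory:", unknown_assets(FLOWS))
```

On the constructed flows the integrator's daytime RDP session to the line PLC is allowed, the same session at 23:40 is flagged as outside its window, an unknown address reaching the HMI over VNC and the integrator reaching an engineering workstation over SSH are both unregistered, and 10.10.3.9 shows up as a device the inventory does not know about. Internal OT-to-OT traffic is deliberately left to other rules; the point of this check is the trust boundary.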

By implementing a comprehensive OT security platform designed for the manufacturing industry and adopting the right OT security best practices, organizations will be better prepared for any supply chain attack on their OT environment.

If your organization is looking into securing its industrial networks, the experts at SCADAfence are seasoned veterans in this space and can show you how it’s done. 

To learn more about these products and see short product demos, click here: https://l.scadafence.com/demo


The Results are in, SCADAfence is the Most Advanced OT Security Vendor Covering MITRE ATT&CK for ICS

There is a lot of buzz recently on the topic of MITRE ATT&CK for ICS and rightfully so.

Multiple industrial sectors are seeing a growing threat landscape for operational technology (OT) networks and ICS and SCADA systems. The number of recent successful ransomware attacks demonstrates this clearly and has compelled critical infrastructure organizations to prepare better for incoming cyber threats.

To prepare, the stakeholders responsible for infrastructure and services are maturing their security operations centers (SOCs) and adopting more cyber threat intelligence. Knowledge of adversarial Tactics, Techniques, and Procedures (TTPs) has come to be seen as the most valuable tool in that effort.

Adopting the latest security tool can help an organization's posture, but it is equally important to understand the threat landscape and the attack methods an organization could fall victim to. The security community has recently come to believe that adversaries' new attacks are more sophisticated, using new techniques that make it easier to exploit fresh vulnerabilities or to move laterally.

Yet the majority of successful attacks use common methods and techniques, and succeed because of poorly implemented security controls or a poor security posture. Organizations therefore need a better understanding of attack techniques, and security solutions that improve detection of those attacks and make the security team's job easier. This is where the MITRE ATT&CK for ICS framework comes into play.

What is the MITRE ATT&CK For ICS Framework?

The Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project by MITRE was publicly released in 2015 with the goal of providing a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” The knowledge base helps security professionals make sense of the many tactics and techniques attackers use to infiltrate networks, steal data and otherwise exploit organizations. It lets defenders move beyond the simplest and most common attack methods and allocate resources to understanding adversaries' behaviors.

The Enterprise ATT&CK matrix is organized into tactics, each of which names what the adversary is trying to achieve at that stage of an intrusion:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

Since version 8 of the matrix (October 2020) two pre-compromise tactics, Reconnaissance and Resource Development, sit in front of these, bringing the total to 14.

Diagram 01. The SCADAfence Platform’s built-in MITRE ATT&CK framework dashboard

This globally accessible knowledge base has become the accepted industry framework because of its detailed catalog of the ways enterprise IT and OT environments can be exploited and compromised. Some practitioners go as far as saying that an organization able to defend against every technique in the framework would be entirely secure; in practice its value is as a map of where detection coverage exists and where it is missing.

Building on that standard, MITRE released the ATT&CK for Industrial Control Systems (ICS) framework in January 2020. It is a list of OT-specific TTPs collected from real-world data, and it gives industrial security teams a common classification for improving detection and deciding how to respond to cyber incidents. Now that OT defenders have a community-accepted attacker framework and a constantly updated list of TTPs, it is time to integrate this attack intelligence into the security solutions used in incident response.

With over 500 techniques and sub-techniques across the frameworks, it would be very difficult for any organization to defend against every one, no matter how solid its security strategy.

How Can an Organization Implement the MITRE ATT&CK Framework?

The ATT&CK framework is useful and informative for any organization that wants to increase its threat knowledge and strengthen its security posture. MITRE offers the materials for free, but it is worth adopting a security solution that has the framework integrated, so the security team can apply it to the organization's own alerts and assets.

If an organization has a dedicated security team whose responsibilities include analyzing threat data, it should start mapping its threat intelligence to the ATT&CK framework rather than relying on earlier mapping schemes. The team can then map both external and internal attack information, including real-time alerts and incident response data, to ATT&CK, compare the framework against the organization's own data, and prioritize the attack techniques that matter most to it.

SCADAfence For MITRE ATT&CK

Earlier this year the SCADAfence Platform launched advanced support for the MITRE ATT&CK framework. SCADAfence shares this approach with the OT and ICS industry by mapping individual assessments and results to the framework. Aggregated results provide a visual map of the framework within the platform that identifies the systematic strengths and weaknesses of the organization’s security architecture. SCADAfence is the only OT security company that offers mitigation steps within the framework map. This is aligned with the SCADAfence development team’s motto, “fueled by innovation”.

Diagram 02. The SCADAfence Platform provides organizations with a MITRE ATT&CK visual map

The SCADAfence research team constantly tracks the development of the framework’s tactics and techniques. They provide feedback and actionable mitigation steps for each tactic and technique, aligned with best practices for OT and ICS security.

The SCADAfence Platform correlates security alerts to the MITRE ATT&CK framework, giving the user visibility into the tactic and technique behind each alert. A new MITRE overview tab in the platform analyzes the security posture.

Diagram 03. The SCADAfence Platform showing all the stages of the attack based on the MITRE ATT&CK framework

All alerts from the SCADAfence Platform are mapped to the MITRE ATT&CK for ICS model. The platform also shows an attack advancing through the MITRE kill chain, and presents the corresponding classification for each alert. During a security incident, this helps customers understand the phase of the incident, its extent and impact, and respond more quickly and effectively.
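The mapping of threat data to ATT&CK described in the implementation section above, and the alert-to-technique correlation and kill-chain view described here, come down to the same small piece of logic. The following is an added example and not SCADAfence's code: a handful of real ATT&CK for ICS technique IDs and tactic names (taken from the public matrix when this was written; check them against the current version), a hypothetical mapping from detection-rule names to techniques, and a constructed alert stream. It enriches each alert with its technique and tactics, reports how far along the matrix an incident has progressed, and computes which tactics the rule set has no detection for at all.

```python
"""Added example (not SCADAfence's code): correlating OT alerts to MITRE
ATT&CK for ICS and summarising how far an incident has advanced.

The technique IDs and tactic names were copied from the public ATT&CK for
ICS matrix when this was written and should be checked against the current
version; the alert rule names, the rule-to-technique mapping, and the alerts
themselves are constructed for illustration.
"""
from collections import Counter

# ICS tactics in matrix order, which roughly follows attack progression.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Evasion", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Inhibit Response Function",
    "Impair Process Control", "Impact",
]

# A small slice of ATT&CK for ICS: technique ID -> (name, tactics it belongs to).
TECHNIQUES = {
    "T0886": ("Remote Services", ["Initial Access", "Lateral Movement"]),
    "T0859": ("Valid Accounts", ["Persistence", "Lateral Movement"]),
    "T0846": ("Remote System Discovery", ["Discovery"]),
    "T0843": ("Program Download", ["Lateral Movement"]),
    "T0855": ("Unauthorized Command Message", ["Impair Process Control"]),
    "T0816": ("Device Restart/Shutdown", ["Inhibit Response Function"]),
    "T0831": ("Manipulation of Control", ["Impact"]),
}

# Hypothetical detection-rule names -> technique. A team builds this once,
# per rule, so every alert arrives already classified.
ALERT_TO_TECHNIQUE = {
    "rdp_session_from_it_zone": "T0886",
    "plc_port_scan": "T0846",
    "plc_program_download": "T0843",
    "modbus_write_from_unknown_host": "T0855",
    "plc_stop_command": "T0816",
}

# Constructed alert stream: (timestamp, rule, source, destination).
ALERTS = [
    ("2021-11-15T09:02", "rdp_session_from_it_zone", "10.20.5.4", "10.10.2.7"),
    ("2021-11-15T09:10", "plc_port_scan", "10.10.2.7", "10.10.1.0/24"),
    ("2021-11-15T09:31", "plc_program_download", "10.10.2.7", "10.10.1.5"),
    ("2021-11-15T09:35", "modbus_write_from_unknown_host", "10.10.2.7", "10.10.1.5"),
    ("2021-11-15T09:36", "legacy_rule_no_mapping", "10.10.2.7", "10.10.1.5"),
]


def enrich(alert):
    """Attach technique ID, name and tactics to an alert. Unmapped rules are
    kept and flagged rather than dropped, so gaps in the mapping stay visible."""
    ts, rule, src, dst = alert
    tid = ALERT_TO_TECHNIQUE.get(rule)
    if tid is None:
        return {"time": ts, "rule": rule, "technique": None, "name": None, "tactics": []}
    name, tactics = TECHNIQUES[tid]
    return {"time": ts, "rule": rule, "technique": tid, "name": name, "tactics": list(tactics)}


def tactic_counts(alerts):
    """How many alerts landed in each tactic (one alert may count in several)."""
    counts = Counter()
    for alert in alerts:
        counts.update(enrich(alert)["tactics"])
    return counts


def furthest_stage(alerts):
    """The most advanced tactic observed, by matrix order; None if nothing mapped."""
    indices = [TACTIC_ORDER.index(t) for a in alerts for t in enrich(a)["tactics"]]
    return TACTIC_ORDER[max(indices)] if indices else None


def detection_coverage(alert_map=ALERT_TO_TECHNIQUE):
    """Tactics with at least one detection rule, and the tactics with none.
    The second list is what a coverage heat map highlights as blind spots."""
    covered = {t for tid in set(alert_map.values()) for t in TECHNIQUES[tid][1]}
    return covered, [t for t in TACTIC_ORDER if t not in covered]


if __name__ == "__main__":
    for alert in ALERTS:
        e = enrich(alert)
        print(e["time"], e["rule"], e["technique"] or "UNMAPPED", e["tactics"])
    print("furthest stage reached:", furthest_stage(ALERTS))
    print("no detection for:", detection_coverage()[1])
```

On the constructed stream the incident reads as an engineering workstation reached over RDP from the IT zone, a scan of the PLC subnet, a program download and then unauthorized Modbus writes to the line PLC, so the furthest stage is Impair Process Control and the response should be treated as a process-safety matter, not just an IT intrusion. The same rule map also shows that nothing in this rule set would detect Execution, Persistence, Command and Control or Impact, which is the kind of gap the coverage map exists to surface.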

SCADAfence is the first OT security and ICS vendor to integrate the ATT&CK for ICS framework into its platform in such a comprehensive manner. Customers are already getting a better understanding of where and how cybercriminals are trying to gain access to their environments, expressed in the framework’s terms. SCADAfence’s ATT&CK for ICS technology gives them a clearer picture when it comes to securing ICS.

In one specific case, a customer detected and identified an active attack in the SCADAfence MITRE ATT&CK dashboard. Their security team quickly identified the attacker’s movements through the kill chain and stopped them before any damage was done to the organization.

As cyber criminals continue to use more sophisticated attack methods, organizations need to invest time and resources in understanding these attackers’ behaviors to stay secure against incoming threats. By leveraging the most advanced OT security vendor covering the MITRE ATT&CK framework, you will be able to quickly detect, visualize and mitigate security gaps within your organization.


Ransomware Attacks on the Automotive Sector Are Picking Up Speed

50% of Automotive Manufacturers Are Susceptible to a Ransomware Attack

The automotive industry has started to ramp up digitalization in its manufacturing sites, but cybersecurity is still an afterthought for most organizations. For cyber criminals adopting ransomware attack methods, this is music to their ears.

According to a recent ransomware trends report, close to 50% of the 100 largest automotive manufacturers are highly susceptible to ransomware attacks. Additionally, more than 17% of automotive suppliers are likely to incur a ransomware attack.

One headline-grabbing example of ransomware hitting automakers hard was the 2017 WannaCry outbreak, which affected over 200,000 computers in over 150 countries. Among the victims was France’s Renault, where infected industrial systems forced the company to temporarily idle some of its plants in Europe. Renault plants in France, Slovenia and Romania were so affected that all industrial activity was shut down and remained offline for days.

A more recent example is when vehicle manufacturers Volkswagen and Audi fell victim to the “Conti” ransomware group. Over 3.3 million customers and interested buyers in the United States and Canada were affected. The attacker obtained the data by scraping an unsecured Microsoft Azure server. The stolen data included email addresses, vehicle identification numbers, phone numbers, and physical addresses.

The threat landscape for automotive manufacturers will only continue to grow, and the need for improved cybersecurity will become more obvious as more automotive companies fall victim to cyber criminals.

The Keys Are in The Cyber Criminals’ Glove Compartment 

No industry is safe from cyberattacks such as ransomware, and this is especially true of the automotive industry. Because of its legacy systems and an approach to security that has focused on physical protection, the industry as a whole needs to rethink its security strategy.

Until recently, most automotive manufacturers treated the security of their manufacturing plants and enterprise IT systems as a low priority. The typical automotive organization kept any security incident out of the public eye, which let its security teams ignore the real risks at hand.

As the technology of automotive manufacturers is advancing, security is becoming more prominent not just inside the cars, but also in the manufacturing phase. According to an industrial threat research report by IBM, “automotive manufacturers were the top targeted manufacturing sub-industry in 2021, accounting for almost 1/3 of the total attacks against the manufacturing industry.”

As a result of the increasing number of attacks on automotive manufacturing, organizations and their management teams are now taking security more seriously, getting a better understanding of their security strategy and how to strengthen their posture against attacks. Understanding where they are vulnerable is a good first step, but automotive manufacturers also need to understand why cyber criminals see them as attractive targets.

Why Automotive Manufacturers Are Constantly Being Attacked 

As the automotive manufacturing industry embraces the Industrial Internet of Things (IIoT), it has created an endless list of security challenges. The most glaring risk is that modernizing plant technology to be interconnected with the Internet has put OT environments under attack. Process control devices and intelligent assembly lines built on PLCs are becoming less secure by the day, and these threats challenge the industry from both a security and an organizational perspective.

Additionally, cyber espionage is a large threat to vehicle development, production and delivery because the automotive industry is extremely competitive, not just between manufacturers but between countries, given the massive drive for new automotive technologies and innovation. As in other industries, North Korean and Russian threat actors have been linked to attacks on the automotive sector. The state-sponsored attackers’ key aim is to break into automotive manufacturers’ systems and steal information about research, development and intellectual property, and in some cases to slow down production lines.

Another reason state-sponsored attackers target the automotive industry is to steal information on new technologies being developed for governments and the military. Automotive manufacturers hold large amounts of such information, including artificial intelligence, sensor details, autonomous vehicle systems and discrete deployment information.

One of the more recent and popular methods cyber criminals use is attacking automotive manufacturers’ supply chains through third-party vendors. These external parties are low-hanging fruit for attackers: they are potentially easy entry points from which to compromise additional systems up the supply chain and gain access to the target’s primary networks. If a third party is compromised, the automotive manufacturer inherits its risks.

What Automotive Organizations Can Do To Prevent Attacks 

Automotive manufacturers need to allocate time and resources to understanding how vulnerable their systems are and what they can do to secure their data and systems. The first step is to understand the security challenges and risks specific to automotive manufacturing systems and equipment, and which strategy will deliver better security.

With the number of successful state-sponsored attacks over the past few years, industrial verticals including automotive manufacturing now understand the urgency of adopting the correct practices for securing OT environments. As more automotive organizations modernize their OT equipment and connect their industrial networks to the Internet, they open a door for cyber criminals to attack and move laterally within OT networks.

Until recently the typical automotive manufacturer used stand-alone systems and equipment. As technology has advanced, more organizations are connecting their legacy systems to the Internet so that third-party vendors can work on their OT equipment. This new way of working has forced security teams at automotive manufacturers to change their mindset and approach to securing OT networks and equipment.

While the industry is taking time to adapt, it is encouraging to see the growing awareness that is shaping it to become more secure. Some organizations, like Coşkunöz Holding, have taken a more proactive approach to securing their OT assets with a passive network monitoring solution designed for OT environments. Coşkunöz Holding now has complete visibility into its OT networks and an up-to-date inventory of all its production assets, including detailed critical asset visibility and vulnerability management capabilities.

To avoid becoming victims of the next widespread ransomware attack, the automotive industry needs a more proactive security approach based on detecting and mitigating risks within the production environment. With the right OT security approach, combining awareness and technology, the automotive manufacturing industry can benefit significantly, keeping its servers and systems secure from incoming cyber attacks.

To learn more about how smart organizations like Coşkunöz Holding are expanding OT visibility across their automotive manufacturing plants, check out their OT Security case study here: https://www.scadafence.com/resource/global-automotive-aerospace-manufacturer-expands-ot-visibility-and-cybersecurity/
