
Kaseya Supply Chain Attack Delivers Mass Ransomware Event to MSPs

Just as the security community was recovering from the SolarWinds supply-chain attack, over the July 4th holiday weekend Kaseya's IT management software, commonly used by Managed Service Providers (MSPs), fell victim to a series of supply-chain attacks.

Kaseya is the Focus of New Supply Chain Ransomware Attack

According to a report from Bleeping Computer, on July 2, 2021, the REvil ransomware gang was actively targeting managed service providers (MSPs) and their customers via a Kaseya VSA supply-chain attack in order to deploy ransomware on enterprise networks. Kaseya VSA is popular software developed for MSPs, which provide remote IT support and cybersecurity services to small- and medium-sized businesses that often cannot afford full-time IT staff because of their limited size or budgets.

Hundreds of businesses worldwide, including Coop supermarkets in Sweden, have been impacted by the Kaseya attack. Coop confirmed to the BBC that, although it is not a Kaseya customer, it has shut down hundreds of stores in Sweden since yesterday evening because it lost its point-of-sale systems, which are managed by a company that is a Kaseya customer.

Figure 1. What the infected systems look like

The attackers initially gained access through a zero-day vulnerability in Kaseya VSA and then pushed a malicious automatic update that delivered the ransomware. Once active in the IT environment, the ransomware encrypted the contents of systems across the network, causing widespread operational disruption to any organization using the software. Even organizations running the latest version of Kaseya VSA at the time of the attack were affected: the cyber criminals could still remotely execute commands on the VSA appliance.

How the Ransomware is delivered

As per the DoublePulsar Blog Post on the Kaseya attack: “Delivery of ransomware is via an automated, fake, software update using Kaseya VSA.

The attacker immediately stops administrator access to the VSA, and then adds a task called “Kaseya VSA Agent Hot-fix”.

This fake update is then deployed across the estate — including on MSP client customers’ systems — as it’s a fake management agent update.

This management agent update is actually REvil ransomware.

To be clear, this means organizations that are not Kaseya’s customers were still encrypted.

The Following Command is Run:

powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend


What this does:
Disables Real Time Monitoring
Disables IPS
Disables Cloud Lookup
Disables script scanning
Disables Controlled Folder Access (ransomware prevention feature)
Disables Network Protection
Stops cloud sample submission

Throughout the attack, the cybercriminals shut off administrative access to VSA and disabled several protections within Microsoft Defender, including Real-Time Monitoring, Script Scanning and Controlled Folder Access. Kaseya and the US Cybersecurity and Infrastructure Security Agency (CISA) have both advised clients running the VSA software on their servers to shut those servers down as soon as possible.
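A defender's counterpart to the command quoted above, added here as an example (it is not code from the original post or from DoublePulsar): a small Python detector that walks process-creation events, finds Set-MpPreference invocations and names the protections each one switches off, using the parameter list from the post. The event format, host names and timestamps are constructed for the demo; the first sample event reuses the command line quoted above, the others are benign look-alikes.

```python
"""Flag process-creation events whose command line turns Microsoft Defender
protections off with Set-MpPreference.

Added example, not from the original post. The JSON-lines event format and
the field names are invented for the demo."""
import json
from typing import Dict, List, Set, Tuple

TRUE_VALUES = {"$true", "true", "1"}

# Set-MpPreference parameter (lower-cased) -> (protection it weakens, values
# that weaken it). The protections mirror the "What this does" list in the
# post; IOAV (scanning of downloaded files and attachments) is in the command
# but not in that list. Numeric forms are the enum values Defender accepts.
WEAKENING: Dict[str, Tuple[str, Set[str]]] = {
    "disablerealtimemonitoring": ("Real-Time Monitoring", TRUE_VALUES),
    "disableintrusionpreventionsystem": ("IPS", TRUE_VALUES),
    "disableioavprotection": ("IOAV download/attachment scanning", TRUE_VALUES),
    "disablescriptscanning": ("Script scanning", TRUE_VALUES),
    "enablecontrolledfolderaccess": ("Controlled Folder Access", {"disabled", "0"}),
    "enablenetworkprotection": ("Network Protection", {"disabled", "auditmode", "0", "2"}),
    "mapsreporting": ("Cloud Lookup (MAPS)", {"disabled", "0"}),
    "submitsamplesconsent": ("Cloud sample submission", {"neversend", "2"}),
}


def weakened_protections(cmdline: str) -> List[str]:
    """Return the protections a command line turns off, in command order."""
    tokens = cmdline.split()
    lowered = [t.lower().strip("\"'") for t in tokens]
    if not any("set-mppreference" in t for t in lowered):
        return []
    found: List[str] = []
    i = 0
    while i < len(lowered):
        tok = lowered[i]
        if tok.startswith("-"):
            # Accept both "-Param value" and "-Param:value" forms.
            name, sep, inline_value = tok[1:].partition(":")
            if name in WEAKENING:
                protection, bad_values = WEAKENING[name]
                if sep:
                    value = inline_value
                elif i + 1 < len(lowered) and not lowered[i + 1].startswith("-"):
                    value = lowered[i + 1]
                    i += 1
                else:
                    value = "$true"  # a bare switch parameter means $true
                if value in bad_values:
                    found.append(protection)
        i += 1
    return found


def scan_events(lines: List[str], min_protections: int = 1) -> List[dict]:
    """Parse JSON-lines process events and return one alert per matching event."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = weakened_protections(event.get("cmdline", ""))
        if len(hits) >= min_protections:
            alerts.append({
                "host": event.get("host"),
                "ts": event.get("ts"),
                "protections_disabled": hits,
                # Several protections going off in one command is the pattern
                # described in the post; a single flag could be an admin test.
                "severity": "high" if len(hits) >= 3 else "medium",
            })
    return alerts


# Constructed sample events (JSON lines). The first reuses the command line
# quoted in the post; the others are benign look-alikes.
SAMPLE_EVENTS = [
    json.dumps({"ts": "2021-07-02T18:41:03Z", "host": "WS-0042",
                "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                           "-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
                           "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
                           "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
                           "-SubmitSamplesConsent NeverSend"}),
    json.dumps({"ts": "2021-07-02T18:42:10Z", "host": "WS-0042",
                "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"}),
    json.dumps({"ts": "2021-07-02T18:43:55Z", "host": "WS-0017",
                "cmdline": "powershell.exe -NoProfile Get-MpPreference"}),
    json.dumps({"ts": "2021-07-02T18:44:20Z", "host": "WS-0017",
                "cmdline": "powershell.exe -Command \"Set-MpPreference -DisableRealtimeMonitoring\""}),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The matching is case-insensitive and tolerant of the `-Param:value` form because PowerShell accepts both; a single flag is reported at medium severity so that an administrator's test run is still visible without being treated like the multi-flag pattern from the attack.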

Figure 2. The Ransom Note

How MSPs Can Open The Door For Attackers

Large organizations, which often have a budget for IT and security, can adopt a robust security strategy to prevent cyber attacks. Smaller organizations, or companies that are not security-minded, tend to turn to MSPs to provide them with IT and security services. In order to provide those services, MSPs are given remote and administrator access to their clients' networks and environments. The remote access and credentials provided to MSPs are extremely attractive to cyber criminals.

Figure 3. The Anatomy of an MSP Cyberattack 

Given the large number of clients each MSP works with, a successful cyber attack could be very profitable and attractive for a cyber criminal. Once attackers have exploited the MSP's systems, they can easily move laterally into the MSP's clients' systems and environments. In short, by successfully exploiting an MSP, cyber criminals gain the opportunity to quickly access all of its clients' networks, systems and data without being noticed.

While the typical MSP is a security expert when it comes to securing its clients' networks and ensuring they are well protected, it also needs to ensure that its own systems are secure from cyber criminals. Security patches must be applied in a timely manner, vulnerabilities must be mitigated as quickly as possible, and MSPs need to adopt security solutions against any kind of attack to ensure that their systems are protected.

In general, customers should set tighter limits on the access they grant their MSPs. For example, endpoints that do not need remote monitoring and management should not have an agent installed on them. This reduces the risk in such attacks, and fewer devices will be affected.

It’s A Busy Summer Ahead

Over the past few months, there has been a major increase in the number of successful ransomware attacks. The Colonial Pipeline attack and the REvil attack on meat processor JBS resulted in millions of dollars in operational and mitigation losses. While these attacks are just two examples of successful ransomware, we expect cyber criminals to continue to exploit the different products and services that we use on a daily basis.

As each attack becomes more sophisticated and successfully exploits well-known organizations, ransomware has caught the attention of the U.S. government. On May 12th, United States President Joe Biden signed an executive order (EO) to improve the cybersecurity of the United States and its private sector. The executive order seeks to increase the government's efforts in detecting and responding to the different attacks and threat actors in the cyber espionage landscape.

Additionally, the US government plans to play a significant role in incident response to ensure better security guidelines in the private sector. For example, in the case of the Kaseya attack, U.S. President Joe Biden has ordered federal intelligence agencies to investigate the supply chain attack. In a statement on Saturday, the U.S. Cybersecurity and Infrastructure Security Agency said it was “taking action to understand and address the recent supply-chain ransomware attack” against Kaseya’s VSA product.

Be Prepared – Not For “If” But “When”

While the Kaseya attack so far hasn’t affected OT systems, it has brought up the subject of organizations needing improved security strategies. Cyber criminals are becoming more sophisticated when targeting different organizations. As long as the security hygiene of an organization or its third-party vendors isn’t up to par, cyber criminals will increase the number of attacks to exploit organizations’ vulnerabilities to truly hurt their victims.

To be prepared for incoming cyberattacks, organizations need to think like cyber criminals and implement a more concrete security strategy with the proper security solutions for any kind of attack. Instead of checking the box in their security checklist, organizations should test their systems and networks to see where they are vulnerable. More importantly, security teams need to change their security mindset from “if we will be attacked” to “when and how we will be attacked”, and prepare accordingly.

The huge difference between the secure and the exploited is how effectively the organization prepared for and handled a potential cyber attack. Having basic security practices in place allows security teams to prevent potential attacks from succeeding.

We recommend that organizations increase visibility into their entire network, as it is difficult to protect what you cannot see. A further recommended practice is to adopt network security monitoring solutions that provide network segmentation and micro-segmentation, as this will help organizations prevent similar ransomware attacks going forward.

If your organization is looking into securing its industrial networks, the experts at SCADAfence are seasoned veterans in this space and can show you how it’s done.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Water Utilities Face Increasing Risk of Cyber Attacks

Ransomware is Everywhere

Over the past few months, it has felt as though every day a different organization falls victim to a ransomware attack. While ransomware itself is not new, the recent headline-grabbing attacks are exploiting the products and services that we use on a daily basis. This growing trend of cybercriminals attacking critical infrastructure has become more lucrative for attackers because it disrupts daily life, which is far more devastating for the global community and the victims.

On top of the alarming number of ransomware attacks, more and more severe remote-access vulnerabilities have been discovered, which has made it easier for cybercriminals to exploit their targets. One of the industries most affected by poor remote access security is the water utility industry.

Due to the important role of water and wastewater infrastructures in our society, their newly connected systems have become an attractive target for cybercriminals to attack via different attack vectors such as insider and outsider threats and supply chain attacks.

Since the start of 2021, there have been different examples of water plants being successfully attacked by cybercriminals. On January 15th, a water treatment plant in San Francisco was exploited by an attacker who was trying to poison the plant. The cybercriminal gained access by using a former employee’s TeamViewer account credentials. Once the attacker accessed the water plant’s system, they deleted programs that the water plant used to treat drinking water. The attack was only discovered the next day by the water plant and the facility changed its passwords and reinstalled the programs.

A few weeks later another attack on a water plant occurred, this time the Oldsmar, Florida water system cyber attack. A hacker gained access to the water treatment system of Oldsmar, Florida, and hijacked the plant’s operational controls. He was able to temporarily raise the sodium hydroxide content in the water to poisonous levels. Luckily, a plant operator was able to return the water to normal levels.

In 2018, the Department of Homeland Security (DHS) and the FBI warned that the Russian government was specifically targeting the water sector, which led the US government to form the Cybersecurity and Infrastructure Security Agency (CISA) to ensure that the cybersecurity of critical infrastructure would be prepared for incoming physical threats.

The attack surface of water and wastewater infrastructure will only continue to grow over time. This makes stronger cybersecurity and more secure remote access a priority, as more water utility organizations will become victims of cyber attacks, which could lead to disastrous consequences or even death.

Water Utilities Are an Attractive Target

There are close to 200,00 drinking water systems in the U.S. that provide tap water to nearly 300 million Americans. These water systems are in cities, schools, hospitals, office buildings and other places. When critical water or wastewater systems are exploited by a cybersecurity attack, the malicious activity could result in devastating consequences to public health and safety.

Some attacks on water utilities could cause contamination, operational malfunction and service outages, resulting in potential illness and casualties. They could also compromise emergency response teams and impact transportation systems and the food supply. Additionally, beyond the physical water utility equipment, water sector entities are in charge of critical personal data. This personal data is an extremely attractive target for cybercriminals, as seen in previous attacks.

Another example of a successful attack on a water utility is the city of Atlanta ransomware attack. In March 2018, the city of Atlanta and Atlanta Department of Watershed Management employees were unable to turn on their work computers or gain wireless internet access, and two weeks after the attack Atlanta completely took down its water department website “for server maintenance and updates until further notice.” It took Atlanta months, and an estimated cost of up to $5 million in recovery efforts, to address the attack.

Remote Access Provides Attackers an Easy Entry Point

If the recent examples of successful attacks on water infrastructure did not make the different security threats evident, now more than ever water utility companies need to get more serious about how they manage remote access.

Over the past decade, the technology behind water infrastructures and utilities has become more interconnected with OT & IoT devices. The different connected devices such as controllers, sensors and smart meters are being used by water utilities to remotely monitor and manage processes. Unfortunately, they are easy targets for cybercriminals to infiltrate.

For water utilities, smart metering can increase efficiency, but it comes with consequences, and remote access is a key entry point for successful attacks. Poor remote access security can allow both internal and external cybercriminals to gain remote access to the main operating system and cause severe community health issues such as flooding or contaminated water sources.

There is also the issue of smart meters and water appliances deployed by water management organizations that can be infiltrated by cyber attacks. If a smart meter is compromised, whether through an attack or reverse engineering, it could give cybercriminals access to the metering infrastructure and, from there, the ability to attack and move laterally within the organization’s systems and networks.

The vulnerabilities of smart meters shine a light on the importance of, and need for, better device protection. It is crucial that connected utility devices such as ICS, controllers, smart meters and sensors are properly monitored and managed. Understanding who has access to a water utility device, from where they access it, and what irregular activity it shows will decrease the chance of a successful remote attack on the water systems.

What Water Organizations Can Do

Water and wastewater organizations need to prioritize security, and this starts with setting aside the proper amount of resources and attention for protecting their company’s infrastructure and equipment. This process begins with getting a deep understanding of the different security risks presented by water and wastewater systems and which steps need to be taken to ensure better security.

With the increasing number of successful attacks on water plants and more awareness of the different risks to water utilities, more organizations are slowly starting to understand the significance of implementing the right security practices when it comes to securing their IT and OT systems. As water plants adopt more smart sensors and other IoT devices to automate and modernize their water-based processes, it will create new entry points for cybercriminals to exploit remotely and move laterally within the organization’s systems.

As water technology continues to advance, so do the risks that come with it. Adopting more connected technologies and devices has forced water organizations to connect to the internet, which has resulted in more remote access entry points and, in turn, more security events. This trend has led security teams to update their approach to one that provides better remote access security and a new approach to OT security.

While not every water utility company has taken the right steps towards a more secure water plant, the awareness has led to changes in the water industry. Some companies and cities, like the city of Hutchinson, have taken a more proactive approach to securing their connected OT equipment with a passive network monitoring solution specifically designed for OT environments. The city of Hutchinson now secures all of its water production and treatment in one platform: its divisions operate and maintain a reverse osmosis (RO) water treatment center, 20 water wells, 2 booster pump stations, 4 water storage towers, 2 Class I disposal wells, and all of its groundwater remediation facilities.

As water and wastewater organizations become an ever more attractive target for cybercriminals, it is best to be prepared for any kind of attack on water utilities by taking action now and mitigating the risks. With a security-first approach cemented in the organization and the right amount of awareness, water utilities can continue to expand as their networks do. It is important for decision-makers to consider new security approaches that offer device-level security by design and protect their infrastructure for years to come.

To learn more about how SCADAfence protects the water supply of 42,080 Americans in the city Of Hutchinson, Kansas, download the case study here:
https://www.scadafence.com/resource/how-scadafence-protects-the-water-supply-of-the-city-of-hutchinson/

Top 20 PLC Secure Coding Practices Released

Over the years, PLCs have been insecure by default. Security good practices have been created and adopted for IT which can be seen in OWASP’s Top Ten Vulnerabilities list and Secure Coding Practices report. However, until recently there has not been an emphasis on the different features in PLCs or SCADA for security or how engineers can program PLCs more securely.

Most organizations’ PLCs were not connected to the internet or to anything outside their industrial control systems or other PLCs. However, the Industry 4.0 mindset of ongoing automation of traditional manufacturing and industrial practice has created more security risks and threats for OT networks.

Until now, most security research on PLCs has focused on how to exploit PLCs and alter industrial processes. Luckily, insecure PLCs have not been highlighted as the key reason for the most recent cyberattacks on industrial organizations. Common IT threats have been at the heart of those attacks, with targeted ransomware as seen in the Colonial Pipeline attack. Although only the IT network was attacked, the company shut down the OT networks and operations that control its pipelines and distribute fuel as a precaution, which resulted in a temporary gas shortage in the United States.

Another recent breach in which OT networks were threatened is the water plant in the city of Oldsmar, Fla. This attack showed the potential risks of a cyberattack, and how the lack of secure PLC programming practices could lead to a physical outcome, in this case poisoning drinking water. These examples are proof that improved, more secure PLC programming will be the biggest benefit in preventing a process from getting into a bad state.

Top 20 Secure PLC Coding Practices

As our good friend Jake Brodsky said in his recent S4x20 talk, “No one learns secure PLC coding at school.” The idea that engineers come out of college knowing the best practices for programming PLCs is a misconception in the industry. According to Jake, there is a massive knowledge gap for the typical engineer tasked with programming PLCs, which results in more trouble for ICS security businesses.

The eye-opening talk was the initial spark for the Secure PLC Programming Practices Project, created by Jake Brodsky, Dale Peterson, Sarah Fluchs and Vivek Ponnada and hosted by the ISA (International Society of Automation) Global Cybersecurity Alliance. This new security initiative offers a free downloadable 44-page document that outlines 20 best practices for engineers who program industrial controls, to help improve the security of their systems. Little or no additional software or hardware is needed to implement them, and they fit into normal PLC programming and operating workflows.

These are tips and tricks for catching and avoiding problems during the whole lifecycle of the PLC and the application. One of the main goals of this initiative is that PLC vendors will start to integrate or provide templates with their product training to help customers employ these practices when programming their devices.

Here are the key best practices from the list that we feel relate the most to OT security:

Validate and Alert For Paired Inputs/Outputs

If you have paired signals, ensure that both signals are not asserted together. Alarm the operator when input/output states occur that are physically not feasible. Consider making paired signals independent, or adding delay timers when toggling outputs could be damaging to actuators (for example, asserting forward and reverse together).

This matters for security because if a PLC program does not account for what happens when both signals of a pair are asserted at the same time, the PLC becomes a good attack vector for cyber criminals. Ensuring that both signals are never asserted together helps avoid an attack scenario in which physical damage can be done.
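As an added illustration of this practice (my own example code, not from the Top 20 document or its authors), the Python scan routine below models a reversing actuator with a FORWARD/REVERSE output pair and an OPEN/CLOSED limit-switch input pair: both members of a pair asserted together raise an alarm and keep the outputs de-energised, an output is never driven into a limit that is already made, and a change of direction has to wait for a dwell timer. Signal names, the 2-second dwell and the scan sequence are assumptions made for the demo.

```python
"""Paired-output interlock for a PLC scan loop.

Added example, not from the Top 20 document or its authors. Signal names,
the dwell time and the scan sequence are assumptions for the demo."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INPUT_FAULT = "INPUT FAULT: open and closed limit switches asserted together"
OUTPUT_FAULT = "OUTPUT FAULT: forward and reverse commanded together"


@dataclass
class Inputs:
    cmd_forward: bool = False   # operator/HMI request to run forward (open)
    cmd_reverse: bool = False   # request to run reverse (close)
    limit_open: bool = False    # end-of-travel switch: fully open
    limit_closed: bool = False  # end-of-travel switch: fully closed


@dataclass
class Outputs:
    run_forward: bool = False
    run_reverse: bool = False


@dataclass
class PairedOutputStage:
    reversal_dwell_ms: int = 2000          # rest time required before reversing
    alarms: List[str] = field(default_factory=list)
    _energised: Optional[str] = None       # direction energised right now
    _last_dir: Optional[str] = None        # last direction ever energised
    _idle_since_ms: Optional[int] = None   # when the outputs last went idle

    def scan(self, inp: Inputs, now_ms: int) -> Outputs:
        requested: Optional[str] = None
        # 1. Paired inputs: both limit switches made at once is physically
        #    impossible, so distrust the inputs, alarm, and keep outputs off.
        if inp.limit_open and inp.limit_closed:
            self.alarms.append(INPUT_FAULT)
        # 2. Paired outputs: never energise both, whatever the command source says.
        elif inp.cmd_forward and inp.cmd_reverse:
            self.alarms.append(OUTPUT_FAULT)
        elif inp.cmd_forward:
            requested = "forward"
        elif inp.cmd_reverse:
            requested = "reverse"
        # 3. Do not drive into an end-of-travel limit that is already made.
        if requested == "forward" and inp.limit_open:
            requested = None
        if requested == "reverse" and inp.limit_closed:
            requested = None
        # 4. Delay timer: a change of direction only after the dwell has elapsed.
        if requested and self._last_dir and requested != self._last_dir:
            if self._idle_since_ms is None or now_ms - self._idle_since_ms < self.reversal_dwell_ms:
                requested = None
        # 5. Carry state into the next scan.
        if requested:
            self._energised = requested
            self._last_dir = requested
            self._idle_since_ms = None
        elif self._energised is not None:
            self._energised = None
            self._idle_since_ms = now_ms
        return Outputs(run_forward=requested == "forward",
                       run_reverse=requested == "reverse")


def demo_sequence() -> Tuple[List[Outputs], List[str]]:
    """Constructed scan sequence: a forward run, a conflicting command, a reversal
    attempt inside and then after the dwell, a run into the limit, and a bad input pair."""
    stage = PairedOutputStage(reversal_dwell_ms=2000)
    steps = [
        (0,    Inputs(cmd_forward=True)),                       # forward energised
        (500,  Inputs(cmd_forward=True, cmd_reverse=True)),     # conflict: alarm, off
        (1000, Inputs(cmd_reverse=True)),                       # inside dwell: held off
        (2500, Inputs(cmd_reverse=True)),                       # dwell elapsed: reverse
        (3000, Inputs(cmd_reverse=True, limit_closed=True)),    # at limit: off
        (3500, Inputs(limit_open=True, limit_closed=True)),     # impossible: alarm
    ]
    return [stage.scan(inp, t) for t, inp in steps], stage.alarms


if __name__ == "__main__":
    outputs, alarms = demo_sequence()
    for out, alarm in zip(outputs, alarms + [""] * len(outputs)):
        print(out, alarm)
```

The interlock lives in the output stage rather than in the HMI or the command source, so a forced input or a spoofed HMI write still cannot energise forward and reverse together; the dwell is measured from the moment the outputs actually went idle, not from when the new command arrived.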

Leave Operational Logic in the PLC Wherever Feasible

HMIs provide some coding capability, originally aimed at helping operators enhance visualization and alarming. However, the HMI does not get updates often enough to do totalizing or integration. There is also latency between the HMI and the PLC, which may interfere with the accuracy of such efforts. Furthermore, an HMI restarts far more often than most PLC equipment. It makes sense to keep accumulators, counters, integrators, elapsed-time counters and so forth in the PLC; the HMI can always receive totalizer values and counts from the PLC. The operational logic should therefore stay in the PLC, where it remains complete and auditable.

This practice benefits security because it allows consistency in verifying code changes. HMI code has its own change control, separate from the PLC’s and generally not applied with the same rigor, which prevents system owners from having a complete view and can even lose important considerations. HMIs also do not offer “forced signal” or changed-value lists the way PLCs and SCADA systems do.

Restrict Third-Party Data Interfaces

To strengthen the security of PLCs, it is highly recommended to restrict the type of connections and the data available to third-party interfaces. Connections and data interfaces should be specifically defined and restricted so that third parties have read and write capability only for the data transfer they require.

This practice limits exposure to third-party networks and equipment while authenticating external devices to prevent spoofing. It also limits intentional or unintentional modifications or access from third-party locations or equipment.

Trap False Negatives and False Positives for Critical Alerts

OT teams should identify their critical alerts and program a trap for them. Critical PLC alerts are triggered by specific conditions. In some cases, an adversary attacking OT devices will suppress the alert trigger, causing a false-negative or false-positive alert. Setting up a trap that monitors the alert triggers allows OT teams to detect any deviation in the alert state. A PLC can react much faster than an HMI and can be far more sensitive to these triggers.

Detecting false negatives or false positives of critical alerts caused by an adversary’s attack on OT equipment gives OT security teams a better understanding of whether their PLC is accessible and being tampered with.
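To show what such a trap looks like in logic, here is an added Python example (not from the Top 20 document or its authors): the trap re-derives a high-level alert from the raw process value inside the PLC, compares it with the alert bit the HMI reports back, tolerates a couple of scans of HMI latency, and then latches a separate trap alarm that the suppressed alert cannot clear. The tank-level scan logs, the tag name and the 90 % limit are constructed for the demo.

```python
"""Critical-alert trap for a PLC scan loop.

Added example, not from the Top 20 document or its authors. The PLC recomputes
the alert from raw inputs and checks the HMI/SCADA-reported alert state against
it; tag names, limits and the scan logs are constructed for the demo."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FALSE_NEGATIVE = "FALSE_NEGATIVE"  # condition present, reported alert absent
FALSE_POSITIVE = "FALSE_POSITIVE"  # reported alert present, condition absent


@dataclass
class CriticalAlertTrap:
    name: str
    high_limit: float           # process value above which the alert must be active
    grace_scans: int = 2        # mismatching scans tolerated for HMI latency
    trap_latched: bool = False  # separate trap alarm, cleared only by operator reset
    _mismatch_scans: int = 0

    def evaluate(self, process_value: float, reported_alert: bool) -> Optional[str]:
        """One scan: compare the expected alert with what the HMI reports."""
        expected = process_value > self.high_limit
        if expected == reported_alert:
            self._mismatch_scans = 0
            return None
        self._mismatch_scans += 1
        if self._mismatch_scans <= self.grace_scans:
            return None           # could still be ordinary HMI/PLC latency
        self.trap_latched = True  # deviation persisted: latch the trap
        return FALSE_NEGATIVE if expected else FALSE_POSITIVE

    def operator_reset(self) -> None:
        self.trap_latched = False
        self._mismatch_scans = 0


def run_scans(trap: CriticalAlertTrap,
              samples: List[Tuple[float, bool]]) -> List[Tuple[int, str]]:
    """Feed (process_value, reported_alert) pairs scan by scan; return trap hits."""
    hits: List[Tuple[int, str]] = []
    for i, (pv, reported) in enumerate(samples):
        verdict = trap.evaluate(pv, reported)
        if verdict is not None:
            hits.append((i, verdict))
    return hits


# Constructed scan log: tank level in percent and the high-level alert bit the
# HMI reports back. From scan 4 on the level is above 90 % but the reported
# alert stays off, as if the alert trigger had been suppressed.
SUPPRESSED_ALERT_LOG = [
    (80.0, False), (91.0, False), (93.0, True), (95.0, True),
    (96.0, False), (97.0, False), (98.0, False), (60.0, False),
]
# Constructed scan log with an alert reported although nothing is wrong.
SPURIOUS_ALERT_LOG = [(50.0, True)] * 4


def demo() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]], bool]:
    suppressed = CriticalAlertTrap("TK-101 high level", high_limit=90.0)
    spurious = CriticalAlertTrap("TK-101 high level", high_limit=90.0)
    hits_fn = run_scans(suppressed, SUPPRESSED_ALERT_LOG)
    hits_fp = run_scans(spurious, SPURIOUS_ALERT_LOG)
    # The trap stays latched even after the level drops back to normal.
    return hits_fn, hits_fp, suppressed.trap_latched


if __name__ == "__main__":
    print(demo())
```

The grace period is what separates an attack from ordinary latency: a one-scan lag between the PLC and HMI clears on the next scan, whereas a suppressed trigger keeps the mismatch counter climbing until the trap fires and latches.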

Define a Safe Process State in Case of a PLC Restart

Commanding a PLC to restart in the middle of a working process should not disrupt the process. Make sure that the process it controls is restart-safe. If it is not practical to configure the PLC to restart safely, define safe process state alerts and ensure that the Standard Operating Procedures (SOP) have clear instructions for setting the manual controls so that the PLC starts up the process properly.

Defining a safe process state eliminates potential unexpected behavior. The most basic attack vector against a PLC is to force it to crash or restart. For many PLCs this is not hard to do, because many PLCs cannot cope well with unexpected inputs or too much traffic. For example, the SCADAfence research team found a remote CPU DoS vulnerability in the Mitsubishi Electric iQ-R Series: a short burst of specially crafted packets sent over the MELSOFT UDP protocol on port 5006 causes the PLC’s CPU to enter fault mode, causing a hardware failure. The PLC then becomes unresponsive and requires a manual restart to recover. This may be uncommon, but it is a basic attack vector if we take into account the malicious behavior of an attacker.

Using The Top 20 Secure PLC Coding Practices

In summary, at least half of these programming recommendations can be summarized as “Validate your inputs.” Many PLC programmers just assume that something physical doesn’t need to be validated. But it is possible to force inputs and it is possible for an HMI to push invalid data to a PLC. Plan for it.

The Top 20 Secure PLC Programming Practices is a great best-practices guide and the work of hundreds of PLC programmers, engineers and security experts. It is a must-read for every OT security professional and PLC programmer: a specific guideline for programming a PLC so as to avoid a potential cyber-physical attack.

You can download the Top 20 Secure PLC coding practices document at www.plc-security.com.

NERC Develops Practice Guide to Help Organizations Evaluate Network Monitoring Technologies

Earlier this month, on June 4th, the North American Electric Reliability Corporation (NERC) released a new practice guide that pinpoints how organizations should integrate network monitoring solutions into industrial operational technology (OT) networks of the electric utility industry.

NERC developed the ERO Enterprise CMEP Practice Guide: Network Monitoring Sensors, Centralized Collectors, and Information Sharing in response to the Department of Energy’s (DOE’s) 100-day plan. The Department of Energy’s initiative is to advance technologies that provide increased visibility, detection, and response capabilities for utilities’ industrial control systems (ICS) and operational technology (OT) networks to better protect the nation’s agencies and infrastructures.

While many government agencies and organizations have already deployed these types of technologies within their OT environments, the NERC anticipates an increase in deployments across the electric utility industry to increase threat detection and incident response abilities due to the DOE 100-day plan. NERC provides an actionable framework for auditing compliance with the CIP Reliability Standards when a registered entity deploys detection and monitoring technologies that include network monitoring sensors and centralized data collectors and may involve the sharing of data collected with third parties.

Additionally, the guide provides ERO Enterprise examples of how to comply with industry standards. This is super helpful as the NERC is aiding organizations with the right framework with compliance monitoring when it relates to the deployment of OT security technology.

We’ve put together an overview of the report and the key takeaways that relate to OT security.

Protecting Cyber Assets

As expected, the guide discusses the importance of the protection of cyber assets. According to NERC, the CIP standards require registered entities to protect Bulk Electric System (BES) Cyber Systems and certain associated Cyber Assets.

For organizations to understand how the CIP standards apply to a network monitoring deployment, the first step is to determine whether the sensor to be deployed is a Cyber Asset, a BES Cyber Asset (and therefore part of a BES Cyber System), or another type of Cyber Asset subject to the requirements of the CIP standards, such as a Protected Cyber Asset (PCA) or an Electronic Access Control or Monitoring System (EACMS).

If a sensor does not qualify as a BES Cyber System, it may still fall under CIP requirements depending on how it is used and the environment in which it is deployed. Devices deployed in high- or medium-impact environments can be categorized as Protected Cyber Assets if they are interconnected using routable protocols within an Electronic Security Perimeter, or as Electronic Access Control or Monitoring Systems (EACMS).

The report ends the section on protecting cyber assets by noting that organizations may not be required to secure sensors deployed in an environment with only low-impact BES Cyber Systems, even if they are “performing the functions of an EACMS or other devices subject to the CIP standards.” However, auditors must still assess whether those devices are subject to the requirements of CIP-003-8 concerning electronic access control.

Data Protection with 3rd Parties Access

The report notes that, when it comes to the protection of data, the CIP standards require organizations to control access to BES Cyber System Information (BCSI), which NERC defines as “Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to [it].” The report gives several examples of such data, including the network topology of the system, security procedures, collections of network addresses, and any information that is not publicly available and could be used to gain unauthorized access or to distribute sensitive data.

NERC urges Compliance Monitoring and Enforcement Program (CMEP) teams to identify how their organization determines whether the data collected by its sensors contains BCSI, and whether that information is transmitted to or accessible by third parties. If BCSI is included in the data, the team must assess whether the utility has a process in place to authorize access to the designated storage locations for BCSI. Any potential third-party access to that information also needs to be assessed.

The guide also recommends that CMEP teams fact-check a utility’s network monitoring technology deployment by implementing a deep dive review of every system to ensure that no possible vulnerabilities are missed.

Governance for OT Networks

This NERC report is a very detailed framework which industrial organizations especially in the US electric community will start to implement. We expect government agencies to use this guide as a compliance framework for all discussions on passive monitoring technology.

The SCADAfence Platform for OT security, combined with the SCADAfence Governance Portal, helps utility companies ensure that their Bulk Electric System (BES) is secure and reliable according to the North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) standards. The SCADAfence Governance Portal includes a built-in NERC CIP module which provides cross-organizational tracking and measurement of NERC CIP adherence.

To learn how your organization can achieve NERC CIP compliance by using the SCADAfence Governance Portal, download the full whitepaper here: https://www.scadafence.com/resource/nerc-cip-compliance-scadafences-unique-solution-whitepaper/

Having visibility into compliance enables IT and OT departments to centrally define and monitor their organization’s adherence to OT-related regulations and security policies. To learn more about IT & OT compliance, please join us on June 23rd for our joint webinar with Rapid7 as we will cover how to measure compliance over time for standards such as NIST, NERC-CIP, IEC-62443, among others.

Five Key Takeaways from the U.S. Executive Order to Bolster Nation’s Cybersecurity

It’s no secret that Nation-State attackers are targeting US government agencies and organizations. As seen in the Solarwinds breach and the more recent Colonial Pipeline ransomware attack, cybercriminals are more motivated than ever to harm US government agencies and their infrastructures.

Due to the United States facing different persistent and more sophisticated cyber-attacks, United States President Joe Biden signed an executive order (EO) on May 12 to improve the cybersecurity of the United States. This executive order seeks to increase its efforts in detecting and responding to different attacks and threat actors in the cyber espionage landscape.

This executive order outlines the Biden administration’s first step in preventing future cyberattacks that could exploit and weaken federal agencies and supply chain technologies. The executive order is proof of an increasing effort to modernize the US government’s cybersecurity practices. Some would describe it as a playbook for how different federal agencies should respond to security incidents and how to improve the sharing of information about exploited systems after a data breach.

Additionally, this executive order presents the idea that the US government will play a significant role as a purchaser of different cybersecurity solutions and services to ensure its security and provide investment in the private sector.

As the executive order registers close to 8,000 words, we don’t expect you to have the free time to read it thoroughly. To help, here are the five main key takeaways you need to know:

Improving Software Supply Chain Security

One of the most glaring and important takeaways from this executive order is their effort to improve the security of software. To accomplish this, the US government is setting a baseline of security standards for the development of software sold to government agencies. This requires every security vendor to provide and maintain more comprehensive visibility for their software and strictly enforce their security data that is publicly available.

Through this order, the NIST will issue supply chain security guidance for government bodies. Each government agency must comply with the guidance, and use it for software procurement contracts. The supply chain security guidance must include secure development environments (implementing proper authentication and encryption), using automated tools to validate trusted source code supply chains, checking for vulnerabilities in secure environments and more.

All government agencies must comply with this security guidance. If they are using any security solutions that don’t comply, the solution must be removed. With this security guidance in place, government agencies will be able to quickly determine whether the software was developed securely, based on government standards.

Incident Reporting Requirements for IT & OT Security

The executive order strives to reform how information about threats and incidents is shared by removing contractual “barriers.” The federal government is working with IT and operational technology (OT) service providers that have shown value by providing more insights into cyber threat and incident information on Federal Information Systems. However, until now, there have been major restrictions on limiting the sharing of such threat data with government agencies who are investigating cyber incidents.

The executive order is designed to help surmount this hurdle by requiring government officials to review the current security needs and requirements of IT & OT service providers. This will allow the government to recommend updates that guarantee service providers are collecting and sharing their incident reporting data with any agency they work with.

Enhancing Detection of Cybersecurity Vulnerabilities

Another major takeaway from the executive order is the drive to improve the ability to detect malicious activity on federal networks. The United States Office of Management and Budget will publish a set of requirements for federal civilian agencies to deploy cybersecurity solutions that support the detection of possible vulnerabilities.

By enabling different detection and response systems, government agencies will have improved information-sharing capabilities within the federal government. If different agencies adopt slower and less consistent deployment of cybersecurity solutions and practices, it will provide the opportunity for cybercriminals to exploit and expose the different government organizations. With the help of active cyber threat hunting, remediation best practices and incident response services, government agencies will be more equipped for addressing incoming cyber attacks.

By adopting this new approach of detecting cybersecurity risks, the US government should become the leaders in cybersecurity adoption with strong threat detection and incident response in place which is integrated with a concrete intra-governmental data sharing system. 

Modernizing Federal Government Security

Another key takeaway from the executive order is the strong emphasis on modernizing government agencies’ cybersecurity by implementing security best practices. As stated in the order, within 180 days all government agencies are required to adopt multi-factor authentication and encryption “to the maximum extent consistent with federal records laws and other applicable laws.”

Additionally, the executive order also is pushing for government bodies to deploy an endpoint detection and response (EDR) initiative to “support proactive detection of cybersecurity incidents within Federal Government infrastructure”. The modernization of government agencies’ security is coming in the wake of the ongoing efforts by the US government as they are grappling with cybersecurity issues.

Establishing a Cybersecurity Safety Review Board

The Executive Order will establish a Cybersecurity Safety Review Board, which will consist of government and private sector leads. The board will be modeled after the National Transportation Board (NTB), which investigates different events in the transportation sector. The cybersecurity safety review board will convene in the event of a major cybersecurity event to investigate and analyze how the security event occurred, present the findings, and advise on security recommendations for improving cybersecurity. The Board will report to DHS on how the government can improve response practices. This review process will ensure that lessons learned from each major security event won’t be forgotten.

Similar to the private sector, government agencies have recognized there is a major gap in the standards concerning incident response. The typical organizational response is to handle incident response on its own terms and too often to assign a severity based only on the information known at the time of the attack. This leads to incorrect severity ratings, and the severity will most likely change over time as more information about the security event comes out. To improve incident response protocols and the understanding of true severity, the executive order recognizes the importance of establishing a standard incident response “playbook” that will help government agencies respond to different cyber attacks with a more concrete plan.

Moving Forward

While the executive order is still fresh, we will witness how the federal government embarks on major organizational changes and initiatives needed to accomplish the goals of the executive order. As cyber threats continue to increase in impact and size, it will be interesting to see how NIST and other agencies will define the requirements needed for federal agencies in the federal supply chain space.

Here at SCADAfence, we are committed to working closely with our agency customers, as well as the technical partners whose integrations our customers rely on. We will continue to work together to help achieve the goals of the executive order and strengthen OT security posture.

“Air-Gapping” IT and OT?

Following the Colonial Pipeline Ransomware incident, Twitter exploded into an orgy of blather from people demanding that we “air-gap” ICS. Those righteous keyboard warriors know what is best, I’m sure.

We cannot avoid having a secured connection with the office. But on the other hand, we don’t need ICS networks to be connected to the office 100% of the time. If there are elements in the office that require “real-time” performance, then someone should examine the data flows and why such connections are required. In most cases, the connection could be replaced by a reporting device on the OT side of the network, or it is just someone’s pet project that has no business case.

Office connections should have asynchronous, buffered connections. For example, I visited a pipeline operation similar to Colonial about three years ago. While they operated at a slightly smaller scale, they had a very manual connection between the office and the control room. At the beginning of the shift, the office would hand the operations staff a few sheets of paper with a list of what petroleum products need to move through the pipeline from where to where. The operators do this, and when the shift is up, the operators would generate a report for the office and hand the clerical and planning staff a few sheets of paper with the current results. This was not a huge amount of time-critical data.

So if some executives come to you thumping their chests saying “we must be connected all the time because it’s complex and intricate” – tell them to go fly a kite. They need to get a sense of perspective. By the way, flying a kite is a great way to relax, and feel small, while your kite flies high.

Furthermore, we should all practice network segmentation. This means periodically disconnecting the automated segments of the operation by disconnecting network connections. This gives people proper training and practice for identifying those key network segments so that they won’t be flustered and make mistakes when the real need arises. It also trims the operation down to essential automation so that everyone knows exactly what to expect.

When people work with automation enabled all the time, one should expect the manual skills and understanding of the automated systems to atrophy. If operators and office staff do not fully understand what the automation should do next and how it is supposed to work, how will they be able to determine that something is broken before it is too late?

This practice of breaking automation into semi-automatic subsystems is not just good for security, but also for operational proficiency and diagnostic training. In the case of a pipeline such as this, going back to older methods of faxed fuel orders and the like is also good as a method of cross-checking the automation.

And that brings me back to the people who think these systems cannot possibly operate without the automation. I like automation. I have designed automation over my entire career. But it is important to keep the semi-auto and manual controls available. If the automation or the instrumentation fails, there should be a backup plan of some sort. Assuming that without automation everything falls apart would be like assuming that without an autopilot, a ship would automatically run aground. It won’t. The pilot would end up working a lot harder and the maneuvers may not be as precise, but the ship is in no danger – unless the pilot has forgotten how to operate the ship.

“Air-Gapping” the networks between OT and IT is not practical in most cases. There is a significant Return on Investment for connecting them. But limiting the flow of traffic and practicing procedures for isolating the two is not as crazy as it sounds. Practicing that feature also has a very significant Return on the Investment. It is probably worth doing.

Opinion Disclaimer

The views and opinions expressed in this post are those of the author and do not represent the official policy or position of SCADAfence.

The original post can be found here: https://scadamag.infracritical.com/index.php/2021/05/15/air-gapping-it-and-ot/

Bridging the Gap Between IT and OT and How the Rapid7 & SCADAfence Partnership Leads the Way

It’s been over a decade since the headline-grabbing Stuxnet virus was introduced and the concept of nation-state-sanctioned cyber attacks was presented by security professionals. The concern about different cyber threats which could exploit and potentially destroy physical assets and even human lives grabbed the attention of different industrial organizations. Cyber attackers’ pursuit of the different vulnerabilities in these organizations’ assets could lead to exploitation in operational technology networks.

Despite the early warnings in 2010, only in the past five years have nation-state attackers become more prevalent, as seen in the recent Solarwinds attack, which was credited to nation-state actors with alleged Russian ties. Cybercriminals are deploying ransomware as their method of choice when attacking industrial organizations. Over the past 12 months, there have been several successful ransomware attacks on industrial sectors, including the Colonial Pipeline attack and the SNAKE / EKANS attack.


Figure 1: The rising growth of ransomware attacks

These attacks have put a focus once again on the vital importance for all industrial organizations to secure their Operational Technology (OT) environments. OT networks and devices are the heart of automation for industrial assets and unlike newer technology, they are less segmented by virtue of the older industrial infrastructures connecting to the internet and integrating new services in their equipment.

Industrial organizations have been faced with new obstacles, such as remote access and third-party services, which have created a larger attack surface for cybercriminals to exploit OT networks and organizational physical assets (such as the attack on the city of Oldsmar, Florida). This growing attack surface has created a newer approach to securing OT networks and devices while ensuring that the more modern IT security methods don’t open new doors for cybercriminals. Traditionally, OT security teams were not in charge of advanced threats and IT security, so the need to converge OT and IT networks and systems is becoming more pressing by the day for industrial organizations.

When organizations begin to converge their IT and OT systems, they must align their OT network with the same concrete security controls which are deployed on their IT network. By enforcing the same level of IT security controls on the OT network, it provides industrial organizations the ability to detect and mitigate different cyberattacks with an additional layer of defense. Implementing an effective OT security strategy demands a complete audit trail of security incidents while providing full visibility of any lateral movement in the OT network.

OT Systems Create More Challenges For Security Teams

Nothing in life is a simple task and this is especially true when it comes to securing OT systems and networks. With the increasing usage of IP-based communications with OT devices, there is a bigger challenge between OT & IT teams in understanding who is in charge of securing OT systems. Additionally, securing this space is not an easy task. Many traditional networks that were once disconnected, for example, power plants and water systems, are now connected with cloud-based smart management tools. This has created more security risks as OT technologies are updating with the modern Internet.

As more Industrial Control Systems (ICS) are moving to be digitalized, the result is an increased attack surface which has allowed these systems to become a favorite target for mischievous cyber attacks. Over the past decade, IT environments have quickly evolved to adopt and implement security as a key element of managing IT environments. However, OT hasn’t evolved to the quick pace of the attacks and only now are implementing the right amount of security for OT systems and networks. On top of being late bloomers to adopting and implementing security, OT industrial engineers did not think about security when creating the industrial protocols which have been in place for years.

Moving forward to the present day, industry has adopted a plethora of protocols that cover productivity and security in the newly adopted smart production environments. These protocols have created a massive challenge for asset owners, who struggle with security because they lack complete visibility of their OT networks and devices, lack monitoring, and lack effective security solutions to detect and respond to attacks.

On top of not being able to completely secure and monitor OT systems, it’s a challenge for OT teams to gain a better understanding of their OT equipment, as it is sensitive to network scanning. When an OT system is sent unexpected data or more data than it can handle, the result can be a failing activity log, which makes monitoring more challenging. Additionally, ICS networks use more PC servers and remote workstations, which is a recipe for a more convoluted attack surface that combines enterprise services and cyber-physical systems. To solve these complex security challenges, industrial organizations need to adopt security on both fronts and get a better understanding of which systems are more sensitive to active OT monitoring.

How Rapid7 & SCADAfence Help Improve Visibility in OT / ICS Environments

With these different security challenges in place, industrial organizations can surmount the challenges by adopting a security system that provides complete monitoring of OT systems and networks. The security system should provide an assessment of different vulnerabilities in both the IT and OT environments. Security teams need to have a clearer understanding of what is occurring with OT systems and networks and how cybercriminals are designing their attacks to exploit the OT systems through the IT environment. Additionally, industrial operators need a better understanding of all their assets and devices in their production environment, especially in their IT and OT equipment.

To help industrial organizations improve their IT and OT visibility we have partnered with Rapid7. Now, customers can integrate SCADAfence with Rapid7’s leading vulnerability risk management solution to leverage visibility into their OT assets and devices. Additionally, customers gain in-depth information around OT networks and identification of cross-site communications and connections between devices with potentially exploitable vulnerabilities.

By integrating SCADAfence and Rapid7 all under one roof, organizations can detect, assess and mitigate across the IT and OT infrastructures while improving the visibility of all their assets. By automating OT and IT security with SCADAfence and Rapid7, customers are achieving full coverage of their IT and OT systems. This is the right step to accurately defend against cybercriminals and nation-state cyberattacks on operational technology systems.

To learn more about our partnership with Rapid7, please visit: https://l.scadafence.com/rapid7-scadafence-joint-partnership

On top of our joint technical partnership and integration, SCADAfence’s research team is continually working with Rapid7 on its annual vulnerabilities report. Read the Rapid7 2020 Vulnerability Intelligence Report to learn more about our researchers’ work in securing physical systems in a digital world and the OT threat landscape.

SCADAfence Researchers Discover a Vulnerability in the CODESYS Development System

There are new vulnerabilities discovered every day, and new patches issued to fix them. As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

SCADAfence's security researcher Yossi Reuven discovered a new vulnerability in the CODESYS development system. CVE-2021-30186 is a CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) vulnerability: a crafted request may cause a heap-based buffer overflow in the affected CODESYS products, resulting in a denial-of-service condition.

CODESYS is a development environment for programming controller applications according to the international industrial standard IEC 61131-3. The main product of the software suite is the CODESYS Development System, an IEC 61131-3 tool. 

About the Vulnerability - CVE-2021-30186

The V2 runtime systems are one of the main products offered by CODESYS; they provide an SDK for implementing industrial IEC 61131-3 controllers with a customized PLC runtime system.

The CODESYS Control runtime system enables embedded or PC-based devices to act as programmable industrial controllers. It provides a communication server for communication with clients such as the CODESYS Development System. A single crafted request may cause a heap-based buffer overflow in the affected CODESYS products, resulting in a denial-of-service condition. This simple but severe vulnerability can be exploited remotely.

What SCADAfence Recommends Customers Do

Perform an Industrial Vulnerability Management Process

Please refer to our guide on this topic: https://www.scadafence.com/public-preview-a-comprehensive-guide-to-industrial-device-patching/

Monitor for Unauthorized Network Activity and Exploitation

Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.

Upgrade to the Latest Firmware

CODESYS is currently working on patches that will fix the following versions of the affected products:

  • CODESYS Runtime Toolkit 32 bit full, prior to version V2.4.7.55
  • CODESYS PLCWinNT, prior to version V2.4.7.55. This fix will also be part of the CODESYS Development System setup version V2.3.9.66.

CODESYS expects the releases of all the versions to be available in early May 2021. When the patch is available, we recommend asset owners consider upgrading the products.

Prevent Unauthorized and Untrusted Access

We recommend that CODESYS customers use controllers and devices only in a protected environment, to minimize network exposure and ensure that they are not accessible from outside. Additionally, we recommend adopting a firewall or a VPN (Virtual Private Network) tunnel to separate the control system network from other networks and protect it from unauthorized access and unsecured remote access.

Special Thanks & Recognition

The SCADAfence Research team would like to thank the CODESYS team for the collaboration and a speedy vulnerability reporting process.

CODESYS has published the advisory (2021-06) and released a firmware update for part of the product line.

SCADAfence is committed to continued research of offensive technologies and the development of new defensive technologies.

If you want to try out the SCADAfence Platform and uncover all of the vulnerabilities in your OT network, we will be glad to help you.

Colonial Pipeline Attack Spells Fuel Pipeline Shutdown and Highlights the Need for Increased OT Security

On May 8th, news broke that Colonial Pipeline, one of the largest fuel pipelines in the US, was forced to stop all operations due to falling victim to a ransomware attack. The attack on Colonial Pipeline, which supplies close to half of the oil and gas used on the East Coast, is just the latest example of why cybercriminals target the oil and gas sectors. 

Colonial Pipeline Struck by Ransomware

According to a report by The Wall Street Journal, Colonial Pipeline, the operator of the biggest gasoline pipeline in the United States, was forced to shut down operations late on May 7 following a ransomware attack. The cybercriminals threaten to roil energy markets and upend the supply of gas and diesel to the East Coast.

Colonial Pipeline is a key passage for the eastern half of the United States. It is one of the main sources of gasoline, diesel and jet fuel for the East Coast, with a capacity of close to 4 million barrels a day. The company published a statement on Saturday saying it was the victim of a ransomware attack that affected its corporate IT network. The attack did not exploit the operational network that controls the pipelines and distributes fuel, which is separate from the corporate network. Colonial Pipeline announced that it did shut down the pipelines as a precaution, to prevent the attack from spreading.

Initial thoughts led many people in the security industry to believe that this was another attack by a foreign government. However, Bloomberg published a report on Saturday, May 8th, that the attack appeared to be spearheaded by the ransomware group called DarkSide. Known for its "double-extortion" schemes, DarkSide took nearly 100 gigabytes of data from Colonial's network in just two hours on Thursday.

The attackers threatened Colonial Pipeline that if the ransom was not paid, they would leak all the stolen data to the internet, keep the data encrypted on the attackers' computers, and leave Colonial's network locked. It is not clear how much money the cybercriminals are asking for or how the attackers exploited the network. One thing that is clear is that this attack is a concrete example of cybercriminals turning their attention to industrial organizations, regardless of size or sector.

Oil & Gas Industry is an Attractive Target 

Over the years, the oil and gas industry has grown into one of the most powerful and economically significant global industries, critical to global and national economies. This has put a major target on its back, as adversaries see these sectors as valuable targets for exploiting Industrial Control Systems (ICS) vulnerabilities. In the past, the operational technology (OT) needed in oil and gas operations was isolated and "air-gapped"; today these operational technology networks connect more and more often to different IT infrastructures and to the internet, which has opened a new door for attacks. The convergence of OT and IT environments in oil and gas operations has created a vast number of vulnerabilities in both the IT and the OT environments. There are also emerging risks from Internet-of-Things (IoT) devices, and ongoing, growing priorities centered on compliance.

Recent attacks on oil and gas organizations such as Pemex and Colonial Pipeline show how attackers have gained an interest in the industry, from understanding its particular behaviors to learning how to exploit its organizations. As a result, oil and gas organizations need to protect against every method of cyberattack, to ensure that the global economy and civilian safety are not affected by an attack.

Protecting Oil and Gas Operations

While, in the case of the Colonial Pipeline attack, the details of how the adversaries successfully exploited the corporate network are not yet public, the attack has highlighted that now is the time for oil and gas organizations to implement a strong OT security strategy.

Last month, the NSA released a report describing the importance of protecting industrial control systems (ICS) and operational technology (OT) from cyber attacks. In the report the NSA states, “Without direct action to harden OT networks and control systems against vulnerabilities introduced through IT and business network intrusions, OT system owners and operators will remain at indefensible levels of risk.”

Additionally, the NSA report expressed that organizations and operators need to protect critical operations. “While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences. Taking action now can help improve cybersecurity and ensure mission readiness.”

Even before the NSA released this report of its recommendations, many oil and gas organizations had taken the right measures to secure their OT systems and networks. Over the last seven years, SCADAfence has been working with many critical infrastructure organizations, including oil & gas operators, to ensure their OT networks are safe. We provide them with full network visibility and accurate detection of any anomalous behavior and malicious activities, including anomalies that originate from ransomware attacks.

[Figure: Oil & Gas example diagram in the SCADAfence application]

The above diagram shows how SCADAfence helps organizations in the Oil & Gas and pipeline industries to have full visibility between their IT and OT networks. This lets them know where the attack vectors are located and they can identify all of the connections between these networks with pinpoint accuracy. This approach has helped hundreds of organizations to successfully mitigate any anomalous activities on their operational networks, which can later turn into a cyber attack.

In an Operational Technology World, Failing to Plan = Planning to Fail

Basic cybersecurity practices can help to prevent these attacks going forward. This includes getting visibility into the entire network, as it’s hard to protect what you cannot see. Additional security practices include network segmentation or even micro-segmentation if possible, and getting continuous network monitoring is even more crucial in preventing similar attacks going forward. 

Numerous oil & gas operators have already adopted continuous network monitoring and threat detection technologies to gain increased visibility into their OT networks and keep their critical infrastructure networks secure. 

With this holistic approach of network monitoring, anomaly detection, remote access visibility, and compliance, many oil & gas organizations are already reducing their risk level of future attacks by 95%.

A key element of these solutions is that they are all agentless, not intrusive, and can perform superhuman tasks at a fraction of the cost of one human worker.

If your organization is looking into securing its industrial networks, download our case study with a Fortune 100 Oil & Gas industry leader to learn how SCADAfence provides complete visibility into their OT networks and real-time threat detection of any malicious activities.

SCADAfence Named “Best SCADA Security Solution” by SC Media

NEW YORK and TEL AVIV, Israel, May 4, 2021 /PRNewswire/ — SCADAfence, the global leader in cybersecurity for Operational Technology (OT) & Internet of Things (IoT) environments, today announced that the SCADAfence Platform has been recognized as a Trust Award winner as the “Best SCADA Security Solution” in the 2021 SC Awards. The winners for the Trust Awards were chosen by an expert panel of judges with extensive knowledge and experience in the cybersecurity industry. The announcement was made online Monday, May 3, 2021 as part of SC Media’s 2021 SC Awards coverage.

SCADAfence, which exists to protect the lives of civilians, leverages cutting-edge technology to help organizations that have limited or no visibility into their OT & IoT environment, to automatically detect all of their assets, digitize their inventory, comply with industrial standards, and most importantly – make sure that their OT & IoT environments are kept safe from sophisticated cyber-attackers.

SCADAfence currently protects some of the largest industrial facilities in the world. Notable customers include the largest manufacturing plant in Europe, a Fortune 100 oil and gas enterprise in the United States, multiple power plants, water & wastewater facilities, and the largest building management system (BMS) operator in Japan.

"To be recognized as the best SCADA security solution is a huge honor," said Elad Ben-Meir, CEO of SCADAfence. "SCADAfence had another year of phenomenal success; despite the uncertainties and challenges of 2020, we managed to triple our revenues and number of customers."

"By winning the SC Trust Award for the best SCADA security solution, we are thrilled to receive this prestigious industry recognition for our ongoing efforts in the OT & IoT security space. This is a true testament to our product and engineering team and the dedication we invest in innovating and improving in the industrial cybersecurity space," added Ben-Meir.

Now in its 25th year, 2021’s SC Awards were the most competitive yet, with a record 579 entries. Winners of the Trust Award were chosen by a distinguished group of leading IT security professionals from SC Media’s readership. Entrants were narrowed down to a select group of finalists before undergoing a rigorous final judging process to determine the winner of each category.

“Distinct challenges that emerged during the last year resulted in a diverse range of demands from the customer community. A pandemic drove employees home en masse; supply chain attacks left government agencies and businesses reeling; cybercriminals and enemy nation states banked on security gaps during unprecedented times, targeting home networks, health care organizations, and retailers, among many other organizations,” said Jill Aitoro, editor in chief of SC Media. “Winners of our Trust Awards demonstrated remarkable resiliency, adapting to meet evolving requirements of customers.”

The full summary of the SC Trust Awards 2021 winners can be found here.

About SC Media
SC Media is the essential resource for cybersecurity professionals, keeping them up to date on vital developments and focusing on their most important concerns. Whether practitioners or leaders, technologists or executives, people who care about cybersecurity turn to SC Media, every day and throughout the day, to stay informed and gain insight into the complex issues that matter in their strategic and technology decision-making. As CyberRisk Alliance’s gateway resource, SC Media taps into an authoritative community of thinkers and innovators to provide a full range of relevant and useful content, including exclusive market research and data, opinion and perspective, independent product reviews, compelling in-person and virtual learning, and much more.