Archive for the Commentary Category

HYAS Infosec Research On AI-Generated Malware Contributes to the AI Act And Other AI Policies And Regulations

Posted in Commentary with tags on December 4, 2023 by itnerd

HYAS Infosec is pleased to share that research cited from HYAS Labs, the research arm of HYAS, is being utilized by contributors to and framers of the European Union’s AI Act.

The AI Act is widely viewed as a cornerstone initiative that is helping shape the trajectory of AI governance, with the United States’ policies and considerations soon to follow.

AI Act researchers and framers assert that the Act reflects a specific conception of AI systems, viewing them as non-autonomous statistical software with potential harms primarily stemming from datasets. The researchers view the concept of “intended purpose,” drawing inspiration from product safety principles, as a fitting paradigm and one that has significantly influenced the initial provisions and regulatory approach of the AI Act.

However, these researchers also see a substantial gap in the AI Act concerning AI systems devoid of an intended purpose, a category that encompasses General-Purpose AI Systems (GPAIS) and foundation models.

HYAS’ work on AI-generated malware — specifically, BlackMamba, as well as its more sophisticated and fully autonomous cousin, EyeSpy – is helping advance the understanding of AI systems that are devoid of an intended purpose, including GPAIS and the unique challenges posed by GPAIS to cybersecurity.

HYAS research is proving important for both the development of proposed policies and for the real-world challenges posed by the rising dilemma of fully autonomous and intelligent malware which cannot be solved by policy alone.

HYAS is providing researchers with tangible examples of GPAIS gone rogue. BlackMamba, the proof of concept cited in the research paper “General Purpose AI systems in the AI Act: trying to fit a square peg into a round hole,” by Claire Boine and David Rolnick, exploited a large language model to synthesize polymorphic keylogger functionality on-the-fly and dynamically modified the benign code at runtime — all without any command-and-control infrastructure to deliver or verify the malicious keylogger functionality.

EyeSpy, the more advanced (and more dangerous) proof of concept from HYAS Labs, is a fully autonomous AI-synthesized malware that uses artificial intelligence to make informed decisions to conduct cyberattacks and continuously morph to avoid detection. The challenges posed by an entity such as EyeSpy, capable of autonomously assessing its environment, selecting its target and tactics of choice, strategizing, and self-correcting until successful – all while dynamically evading detection – were highlighted at the recent Cyber Security Expo 2023 in presentations such as “The Red Queen’s Gambit: Cybersecurity Challenges in the Age of AI.”

In response to the nuanced challenges posed by GPAIS, the EU Parliament has proactively proposed provisions within the AI Act to regulate these complex models. The significance of these proposed measures cannot be overstated and will help to further refine the AI Act and sustain its continued usefulness in the dynamic landscape of AI technologies.

Additional Resources:

“General Purpose AI systems in the AI Act: trying to fit a square peg into a round hole” https://www.bu.edu/law/files/2023/09/General-Purpose-AI-systems-in-the-AI-Act.pdf. Paper submitted by Claire Boine, Research Associate at the Artificial and Natural Intelligence Toulouse Institute and in the Accountable AI in a Global Context Research Chair at University of Ottawa, researcher in AI law, and CEO of Successif, and David Rolnick, Assistant Professor in CS at McGill and Co-Founder of Climate Change AI, to WeRobot 2023.

News – European Parliament – The European Union’s AI Act https://www.europarl.europa.eu/news/en/headlines/society/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence

Future of Life Institute “General Purpose – AI and the AI Act” What are general purpose AI systems? Why regulate general purpose AI systems? https://artificialintelligenceact.eu/wp-content/uploads/2022/05/General-Purpose-AI-and-the-AI-Act.pdf

Towards Data Science – “AI-powered Monopolies and the New World Order – How AI’s reliance on data will empower tech giants and reshape the global order” https://towardsdatascience.com/ai-powered-monopolies-and-the-new-world-order-1c56cfc76e7d

“The Red Queen’s Gambit: Cybersecurity Challenges in the Age of AI” presented by Lindsay Thorburn at Cyber Security Expo 2023 https://www.youtube.com/watch?v=Z2GsZHCXc_c

HYAS Blog: “Effective AI Regulation Requires Adaptability and Collaboration” https://www.hyas.com/blog/effective-ai-regulation-requires-adaptability-and-collaboration

BlackFog State of Ransomware Report For November Is Out

Posted in Commentary with tags on December 4, 2023 by itnerd

BlackFog has today released the State of Ransomware Report for November. This report contains detailed statistics on the latest ransomware attack tactics, active threat groups, and a breakdown of attacks by countries and industries.

Darren Williams, CEO and Founder, BlackFog, has offered perspectives on the last month of ransomware attacks, below:

“Another month, another record. November surprised us with the sheer volume of attacks. Not only did it break an all-time record with 89 attacks, it was 27% more than the previous best in September. The unreported to reported ratio continues to remain stable this month at 492% continuing the trend with companies reporting breaches more often. The significant fines now being imposed by regulators will ensure this moves even lower in the coming months.

The SEC rules require registrants to disclose material cybersecurity incidents they experience within four days and to report on an annual basis material information regarding their cybersecurity risk management, strategy and governance. The orders are effective on or about December 18, 2023.

We saw the Healthcare and Manufacturing sectors grow significantly with increases of 21% and 20% respectively and the Finance sector by a massive 83%, effectively doubling the number of attacks in only one month. This does not bode well coming into the holiday season with the banks and financial institutions under significant pressure.

In terms of variants, we see LockBit and BlackCat continue to dominate reported attacks, both at 19.2% each. LockBit also dominates the unreported attacks at 34.9% and BlackCat at 14.2%. As in previous months, data exfiltration continues to dominate as the primary mechanism for extortion at 90% with traffic flowing to China at 30% and Russia 9% of the time.”

Today’s full report is linked here: https://privacy.blackfog.com/wp-content/uploads/2023/12/BlackFogRansomwareReport-Nov-2023.pdf

RCMP Warns Of A #Scam Call Using Their Phone Number

Posted in Commentary with tags on December 4, 2023 by itnerd

If you’re in Ontario, you should be on the lookout for scammers using an Ontario RCMP number to intimidate and threaten victims in order to scam them. The warning came out on Friday, and the scammers are using the phone number 519-948-5287. Thus if you see this number, it’s likely a scam.

The RCMP also provided these facts in order to help you to avoid being scammed by people claiming to be the police:

Be aware that the police:

  • Will never ask you to make payments using bitcoin or gift cards
  • Will not show up to your residence to collect money for a child in jail
  • Will not ask for your personal information such as your Social Insurance Number (SIN), your date of birth (DOB) or phone number

On top of that, the RCMP doesn’t provide policing services in Ontario. Finally, they offer this good advice:

If you suspect that you are being scammed, hang up, wait ten minutes and call your local police service.

Waiting ten minutes before calling police is a good idea as scammers can sometimes hijack phones and continue the scam by pretending to be the police. A better piece of advice is to call the police from another phone.

If you’re in the rest of Canada, be prepared for this scam to spread to other provinces now that this is out there.

New P2Pinfect Variant: Malware’s Threat Actors Increasingly Targeting IoT, Routers, Embedded Devices

Posted in Commentary with tags on December 4, 2023 by itnerd

Since Cado Security Labs’ recent discovery, its researchers have been monitoring and reporting the exponential growth of the P2Pinfect malware, which acts as a cross-platform botnet agent exploiting cloud environments.

Today Cado Security will reveal a new P2Pinfect variant compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture that its researchers have discovered.

This novel discovery demonstrates that the threat actors behind P2Pinfect are increasingly targeting routers, IoT, and other embedded devices.

The new sample includes updated evasion mechanisms, making it more difficult for researchers to analyze dynamically, including Virtual Machine (VM) detection methods for embedded payloads, debugger detection, and anti-forensics on Linux hosts.

You can read the details here.

TikTok Appears To Censor Content Critical Of China Says CNN

Posted in Commentary with tags on December 3, 2023 by itnerd

Not that I am surprised by this. But CNN did a test of TikTok and surprise, TikTok appears to censor content that is critical of China. To get the full context of this report, you can watch it via this link. But here’s the TL;DR. CNN anchor Jake Tapper interviewed TikTok’s head of public policy last year asking if they censored content critical of the Chinese government. “We do not censor content on behalf of any government,” the spokesperson answered.

But this week CNN reviewed data on the total number of hashtags on both Instagram and on TikTok for topics that might be embarrassing to the Chinese government — and found stark differences.

  • Hashtag #Uyghurs appears in 10.4X more posts on Instagram than on TikTok.
  • Hashtag #Tiananmen (referencing the 1989 pro-democracy protests) is 153X more likely to appear on Instagram than on TikTok.

On the surface, it seems that TikTok is suppressing these hashtags. Though I will point out that Instagram has been around way longer than TikTok which might account for this. But it does seem like one hell of a coincidence that a Chinese owned social media app has way less content that is critical of the Chinese government.

So why does this matter? TikTok is being looked at by Congress in relation to trying to manipulate how China and their policies are viewed. Which is another way of saying that they are looking at Chinese propaganda. That could lead to TikTok being banned. Thus TikTok really needs to explain this in a way that makes sense and is plausible.

So how about it TikTok?

In Depth: Boosting Cybersecurity Awareness with Gamification Via Fortra’s Terranova Security Training

Posted in Commentary with tags on December 2, 2023 by itnerd

A staggering 95% of all cybersecurity issues can be traced to human error, according to the World Economic Forum, highlighting that traditional cybersecurity awareness training may not be delivering the effectiveness urgently needed.

To get more insight on this, I had an interview with Theo Zafirakos, CISO Professional Services Lead at Fortra’s Terranova Security to see what his thoughts were in terms of cybersecurity training and how effective it is as well as how effective it can be:

1. Can you comment on how end users perceive cybersecurity threats and how they should deal with them?

Cybersecurity and cyber threat tactics are complex topics and because of this, individuals often feel intimidated and insecure when using technology. Additional stress is added when they are told that they must deal with the imminent threat of cyber criminals looking to steal their data, hack their systems, or compromise their passwords. It can be scary, and even technophiles are not all adept with cybersecurity best practices. This complexity and fear may make some individuals veer away from any responsibility for learning. If they do something wrong, it is easy for them to justify it with, “it was not my fault, I was not informed”. Even after learning, it is still easy to make mistakes, and this can lead to feelings of anger and embarrassment.

In a recent survey conducted by Fortra’s Terranova Security, 75% of respondents between the ages of 18 and 75 stated that they have been targeted or know someone who has been targeted in a phishing attack. It is not that the other 25% did not get targeted, it is most likely that they were not aware. We can no longer deny the threat – it is real, and it affects everyone. What was surprising from the same survey was that most of the respondents still believe and rely solely on their IT teams to protect them. But what happens when the cyber criminal manages to bypass technical controls or target an individual in a personal context? Whose responsibility is it then?

Organizations, schools, and governments must take the time to inform individuals of the threats associated with the use of technology, how to detect them, and what practices to adopt when they are online or dealing with sensitive information.

When users adopt secure behaviors and can consistently apply best practices, they will display positive emotions such as pride when detecting a phishing attack, confidence when they detect and report suspicious activity, or relief when they notice a malicious website just before they submit their password. This will motivate them to learn more.

2. How does your typical end user cybersecurity training fall short in terms of arming end users with the tools they need to protect themselves and their organizations?

Very often, cybersecurity awareness courses are too technical and may not be modified to suit the knowledge and competence of the learner. When users follow such courses, they may not understand the learning objectives or their individual role in contributing to the cybersecurity of their organization, and often become intimidated by future learning. Lengthy and non-interactive learning activities do not engage the learner.

Content is not the only issue. The design and deployment of the learning program is also very important. Gone are the days of taking an hour-long course once a year, using the same content. Organizations must adapt by providing fresh and relevant content on a regular basis without repeating it year after year. Developing and maintaining a large content library in all required languages, and very often in accessible formats, is a daunting and resource consuming task.

When the program and learning activity selection has not been well thought out in advance, we notice a decline in participation over time and a reduced retention of best practices.

3. How do Fortra’s Cyber Games modules fill in that gap?

Cyber Games modules are powerful tools for employee learning and professional development. By allowing players to solve virtual puzzles and interact with clickable on-screen elements, we tap into human psychology to ensure that the training is engaging and informative for participants.

Cyber Games provide instant performance feedback by measuring the player’s cybersecurity knowledge in real-time. Continuous feedback happens organically throughout each module, whether that is expanding on a correct response or explaining what led to a mistake. As a result, players are given autonomy to move through safe environments and see the impacts of their actions immediately.

We have created interactive eLearning modules that deliver unparalleled security awareness training results and enhanced problem-solving skills. Instead of subjecting players to a stream of endless text and visuals, users are encouraged to approach in-game tasks with a more critical mindset to determine the best possible strategy. This way, individuals grow their reasoning and detection skills.

We cannot have games without having some form of competition, which serves as a natural motivator. Unlike more traditional security awareness training initiatives, Cyber Games are fueled by inherent motivating forces. Bolstered by a scoring system, such as awarding a certain number of points for a correct response, players are pushed to improve their performance – whether they are scored against their previous results or those of other employees via department or company leaderboards.

4. Can you speak to any success stories that you have seen with your Cyber Games modules?

Gamified cybersecurity awareness programs are a powerful tool for organizations to help motivate employees to engage with training and enhance their behavior by retaining what they learn.

In one situation, one of our customers had difficulty motivating their users to accept and follow the awareness program. By introducing Cyber Games, they were able to demystify cybersecurity and make it a fun and engaging experience. When the time came to launch their official program, they had a significant increase in voluntary participation compared to previous years.

Another customer used Cyber Games for just-in-time learning following undesired results during a phishing simulation. By providing end users with these additional learning opportunities with instant-feedback gaming modules, it is easy to distill complex topics into clear, actionable best practices. The consequence for failing a phishing simulation was to play a game, instead of being enrolled to training, which is often seen as punishment. Simply by changing the type and name of the activity, it created a more positive psychological environment for the learner.

Gamification can be used as a tool to build a culture that understands the value of cybersecurity and adopts it in daily routines. Organizations must use every tool at their disposal to encourage a mindset where security is everyone’s responsibility, not just the IT team!

5. Are your Cyber Games modules aimed at big businesses, or can SMBs leverage this as well?

Cyber Games have been designed for any organization and any user, even those who are not gamers. While some games offer a more immersive experience with 3D concepts, others are simpler in design, which anyone can learn and play in a very short time. The Serious Games module leverages proven eLearning techniques and puts end users at the center of immersive, exciting scenarios in 3D virtual environments. They boost skill development and make learning key cyber concepts fun. The Cyber Challenges module reinforces existing security awareness training programs and provides quick, focused learning opportunities to end users. Each module zooms in on one specific unsafe behavior or best practice, supporting users with bite-sized content.

We cover topics that are relevant to all sectors and sizes, such as phishing and malware, social media, protecting sensitive information, and many others.

Many thanks to Theo Zafirakos for taking time to answer these questions.

Linda Yaccarino Tries To Rally The Troops At Twitter While Some Of Those Troops Are Leaving The Building

Posted in Commentary with tags on December 2, 2023 by itnerd

Things are going from bad to worse at Twitter. Twitter CEO and Chief Elon Musk apologist Linda Yaccarino is trying to spin Elon Musk’s F-Bomb laced tirade from a couple of days ago. You can read the details via this CNBC article that a reader pointed me towards. Here’s the relevant points:

Linda Yaccarino sent a memo to employees of X (formerly Twitter) on Thursday in the aftermath of Elon Musk’s interview with Andrew Ross Sorkin, which she characterized to her staff as “candid” and “profound.”

Her memo goes on to try to act as some sort of rallying cry, rather than just putting some spin on Elon’s tirade. Here’s an example of what I mean:

We’re at one of the most maverick companies in the world and we get to do things that have never been done before. X sits in a one-of-a-kind constellation of companies that are changing the world – from helping to conserve the planet through Tesla’s electric vehicles, to exploring new planets with SpaceX, to the seamless global connectivity of Starlink, to the potential of transforming lives with Neuralink, to responsibly reimagining the benefits of AGI through xAI.

You’re at X because you have the courage and conviction to build and operationalize the most consequential platform that exists. That’s quite an enviable position to be in.

Our mission at X is bold: to be an open platform without censorship of thought – one that provides people information and the freedom to make up their own minds. Our principles do not have a price tag, nor will they be compromised – ever. And no matter how hard they try, we will not be distracted by sideline critics who don’t understand our mission.

Yeah, if you want to call a platform full of racists and antisemitic humans among other miscreants that’s run by a guy who likes to lash out at his critics any way he can an “open platform without censorship of thought”. But you do you Linda.

The problem with this is that I don’t think that this message is resonating with Twitter staff based on this:

Claire Atkinson reported on Thursday that X, formerly known as Twitter, had faced a series of resignations from staff, including senior and junior employees, amid what has certainly been a chaotic month for the site and its owner. Sales staff began exiting the company shortly after X handed out bonus checks this month, the report said.

Atkinson reported that X was operating with a skeleton staff at its office, and the advertising division had been losing money.

A spokesperson for X did not immediately respond to a request for comment.

If a business is failing, employees head to greener pastures because they have bills to pay. Thus it’s really not surprising that there’s a wave of resignations given that Twitter is a train wreck next to a dumpster fire with no real hope of recovering from that. The real question is when this will make Twitter no longer viable because there’s not enough staff, or not the right staff, to run the platform.

Linda Yaccarino has lost the plot here. If she were smart, she’d heed the advice of her friends and quit Twitter. But based on the above, she’s going nowhere. Which means that either she’s not that smart, or she’s all in with Twitter and is willing to go down with the ship. Not that it matters at the end of the day. What does matter is that this is yet another data point that shows that Twitter is doomed.

EU Adopts New Rules To Protect Devices Connected To The Internet

Posted in Commentary with tags on December 1, 2023 by itnerd

EU countries and EU lawmakers on Thursday agreed to rules to protect laptops, fridges, mobile apps and smart devices connected to the internet from cyber threats following a spate of such attacks and ransom demands in recent years around the world:

The European Commission, the European Union’s executive arm, proposed the new law last year in a bid to tackle the increasing risk from cyber threats to any smart devices, including a growing number of household goods as products become more connected.

The commission hopes the rules could save companies affected by such cyber incidents between 180 and 290 billion euros ($196-305 billion) every year.

The law will affect any product that is connected either directly or indirectly to another device or to a network.

The new rules introduce EU-wide cybersecurity requirements for the design, development and production of hardware and software products.

Manufacturers will also be forced to assess the cybersecurity risks of their products, and the rules demand greater transparency on the security of hardware and software products for consumers and business users.

Alongside CISA’s push for “secure by design” and the White House mandate for security nutrition labels on consumer devices by December 2024, this is a significant moment in the security of network-embedded devices. Pia McSharry, Security Strategist at Beyond Identity, shared the following commentary:

Device health is of the utmost importance to an organization’s overall cybersecurity posture. Putting the onus back on the manufacturer to produce devices that are “secure by design” eases the responsibility on the end user. Between this move by the EU and CISA/White House push for consumer security labels on devices by December 2024, IoT manufacturers will have to change their current practices to meet these new requirements and change up software and production practices.

The importance of upholding specific security hardening guidelines which are monitored and maintained by manufacturers is extremely important for organizations to minimize their attack surface. The management of the security posture of any connected device should be a shared responsibility between the manufacturer and the consumer. The manufacturer should always communicate the security standards used to harden the device, and the consumer should be aware of any potential security gaps to assure they are mitigating the risks effectively. This is a step forward to making security a priority for all.

Given that everything from lightbulbs to cars is on the Internet, this is a great move by the EU. Hopefully this forms the basis for devices that can be assumed to be secure, rather than devices whose security you have to question.

UPDATE: George McGregor, VP, Approov Mobile Security Had This To Say:

   “Despite a lot of pushback, particularly on the 24 hour breach reporting requirements, the EU Cyber Resiliency Act (CRA) is now on its way to being in force in 2024. Companies will have a 21-month grace period before they must conform with the reporting obligation of manufacturers for incidents and vulnerabilities.

   “Any companies who operate in the EU would do well to make it a priority to study this legislation: it provides a cybersecurity framework and rules governing the planning, design, development and maintenance of any products, with obligations to be met at every stage of the value chain. The breach reporting requirements are particularly demanding.

   “This is another sign that pressure is being put on all companies and organizations around the world to invest in their cybersecurity resilience and response. The SEC is also active, proposing new guidelines with a four business day reporting rule.

   “This trend will continue and it is inevitable that all companies will have to increase their focus and investment on cybersecurity governance, protection and response.”

David Ratner, CEO, HYAS Infosec follows with this:

   “The Cyber Resiliency Act is a great start and will certainly help to increase transparency and responsibility. However, organizations should not let attestations and compliance drive their overall operational resiliency and business continuity strategy. They still require solutions capable of giving them the visibility and observability required to move business forward with confidence in the face of a constant onslaught of new and innovative cyber attacks.”

Elon Musk Gets Desperate When It Comes To Advertisers On Twitter

Posted in Commentary with tags on December 1, 2023 by itnerd

Clearly Elon Musk’s F-bomb laced tirade has had significant knock-on effects. It seems to have accelerated the departure of advertisers from Twitter. Which I did predict here:

What’s clear from this debacle is that Elon is completely off his rocker. And this will simply accelerate the departure of advertisers from Twitter. I wonder if Elon will start caring once Twitter is in critical condition with no hope of recovery? By the time he does, if he actually does care, it may be too late.

According to this story, the departures likely have started:

The Tesla chief also acknowledged that an extended boycott by advertisers could bankrupt X, formerly Twitter, but suggested that the public would blame the brands and not him for a potential collapse.

However, Insider Intelligence analyst Jasmine Enberg said: “If anyone is killing X, it’s Elon Musk – not advertisers.”

“Should X collapse, an autopsy would reveal a series of platform policy decisions, staffing cuts, tweets and antagonistic comments by Musk that have driven away X’s primary source of revenue,” Enberg said.

An executive at a major global ad-buying firm, who declined to be named, said only one major client was continuing to advertise on X.

“(Musk) seems to be hell bent on destroying the platform,” the executive said.

And:

“We believe there is a risk that more companies will stop advertising on X; at least on a short-term basis,” D.A. Davidson & Co analyst Tom Forte said.

“It is fair to say this makes the company’s subscription efforts more important and potentially means it may need more than half its revenue to come from subscriptions,” he said.

So how is Elon going to square this circle? The Financial Times is reporting that X is now going to be focusing on smaller businesses. The story is paywalled, but a TL;DR is available on The Verge with the key point from the article, at least from a Twitter perspective:

‘Small and medium businesses are a very significant engine that we have definitely underplayed for a long time,’ the company told the Financial Times. ‘It [was] always part of the plan — now we will go even further with it.’

Here’s the problem with that strategy. I don’t see how getting a bunch of small and medium sized businesses on board will make up the revenue shortfall of a Disney or IBM, or Apple individually, never mind all three of those companies combined. This seems more like a Hail Mary than a real strategy that could produce real revenue. And given the fact that subscriptions aren’t exactly raking in the cash for Twitter, that means only one thing. Which is that Elon has doomed Twitter to a slow and painful death. And his latest stunt has accelerated the death of the platform. Anything he does now is simply delaying the inevitable. There’s just no denying it at this point.

Congratulations Elon. You’ve proven how bad you are at running a company.

North Texas Municipal Water District Pwned In A Ransomware Attack

Posted in Commentary with tags on December 1, 2023 by itnerd

North Texas Municipal Water District was recently pwned in a ransomware attack, causing operational issues and the exfiltration of customer files:

Officials at North Texas Municipal Water District have confirmed that the water, wastewater, and solid waste management services provider had its business computer network impacted by a cyberattack, according to The Record, a news site by cybersecurity firm Recorded Future.

While phone services have been disrupted by the attack, there has been no impact on customers, said NTMWD Director of Communications Alex Johnson, who added that an investigation looking into the extent of the incident is already underway.

Ransomware operation Daixin Team has taken credit for the attack, which it claims has resulted in the exfiltration of more than 33,000 files with customer details from NTMWD’s systems.

Well that sucks for North Texas Water. Tom Marsland, VP of Technology, Cloud Range had this comment:

The breach of the North Texas Municipal Water District only breached the business network and phone system, and core water, wastewater, and solid waste services were unaffected. Kudos to the teams for strong isolation and/or practices that prevented a breach of the OT network. Municipal water and utility companies are a growing target due to limited staff – there is still a schism between IT and OT operations personnel in most organizations that I’ve worked with.

The recent publication by CISA regarding the exploitation of Unitronics PLCs used in water and wastewater systems highlights basic principles that highlight the schism between OT operations personnel and cybersecurity departments. Use of default passwords, multi-factor authentication, keeping backups of running configurations, practicing recovery, and keeping things off the open internet that do not need to be there are basic tenets of cybersecurity – the fact CISA has to remind organizations of these highlights the need for experienced professionals working in OT cybersecurity. All of these are low-hanging fruit for any organization to cover.

We will continue to see more breaches of OT/ICS systems until these methods of protection are taken seriously. Devices should not be connected to the internet that could directly impact human life just for convenience. There needs to be wider, open-source security solutions provided to smaller organizations, both in ICS/OT and IT, to help with cybersecurity practices. Too often we’re seeing the smaller organizations be the weak link in the chain that is then enabling wider breaches.

Seeing as a municipal water provider was the target of this attack, it highlights the fact that critical infrastructure needs to be protected from attacks like this. But clearly that isn’t happening, and that needs to change. Now.