The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Here's how organizations can eliminate content-based malware in ICS/OT supply chains.
As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects.
A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack:
- Two distinct types of malware, "Sunburst" and "Supernova," were secretly placed into an authorized software update.
- Over 17,000 organizations downloaded the update, and the malware managed to evade various security measures.
- Once activated, the malware connected to an Internet-based command and control (C2) server using what appeared to be a harmless HTTPS connection.
- The C2 traffic was cleverly hidden using steganography, making detection even more challenging.
- The threat actors then remotely controlled the malware through their C2, affecting up to 200 organizations.
While this incident led to widespread IT infiltration, it did not directly affect OT systems.
In contrast, other attacks have had direct impacts on OT. In 2014, a malware known as Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. This demonstrated how a compromised IT product in the supply chain could lead to OT consequences.
Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems.
These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including:
- Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage.
- Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points.
- Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making.
- Access control challenges: Proper identity and access management within complex environments are crucial.
- Compliance with best practices: Adherence to guidelines such as NIST's best practices is essential for resilience.
- Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions.
Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems.
Supply chain defense: The power of content disarm and reconstruction
Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious.
What does CDR do?
In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety.
- Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while maintaining full functionality.
- Removes harmful elements: This process effectively removes any harmful elements, making it a robust defense against known and unknown threats, including zero-day attacks.
How does it work?
CDR's effectiveness lies in its methodical approach to file handling, ensuring that no stone is left unturned in the pursuit of security.
- Content firewall: CDR acts as a barrier, with files destined for OT systems relayed to external sanitization engines, creating a malware-free environment.
- High availability: Whether on the cloud or on-premises in the DMZ (demilitarized zone), the external location ensures consistent sanitization across various locations.
Why choose CDR?
With cyber threats becoming more sophisticated, CDR offers a fresh perspective, focusing on prevention rather than mere detection.
- Independence from detection: Unlike traditional methods, CDR can neutralize both known and unknown malware, giving it a significant advantage.
- Essential for security: Its unique approach makes CDR an indispensable layer in critical network security.
CDR in action:
Beyond theory, CDR's real-world applications demonstrate its ability to adapt and respond to various threat scenarios.
- Extreme processes: CDR applies deconstruction and reconstruction to incoming files, disrupting any embedded malware.
- Virtual content perimeter: Positioned outside the network, in the DMZ, it blocks malicious code entry through email and file exchange.
- Preventative measures: By foiling the initial access phase, CDR has been shown to deliver up to 100% prevention rates for various malware.
Integration possibilities:
CDR technology can be seamlessly integrated into various network security modules.
- Secure email gateways: Enhances email security by integrating with existing systems, providing an additional layer of protection.
- USB import stations: Offers controlled access to USB devices, ensuring that only sanitized content is allowed.
- Web-based secure managed file transfer systems: Enables comprehensive coverage of file transfers, ensuring sanitized content at every step.
- Firmware and software updates: Aims to cover all content gateways, securing a 'sterile area' behind these modules, including essential updates.
NIST's guidelines that call for the adoption of CDR
The National Institute of Standards and Technology (NIST) has outlined specific guidelines that highlight the importance of CDR. In the NIST SP 800-82 Revision 3 document, the emphasis on CDR's role is evident:
1. Physical access control:
- Portable devices security: Under the section ‘6.2.1.2 Physical Access Controls (PR.AC-2),’ the guidelines stress that organizations should apply a verification process to portable devices like laptops and USB storage. This includes scanning for malicious code before connecting to OT devices or networks, where CDR can play a vital role in ensuring safety.
2. Defense-in-depth strategy:
- Multi-layered protection: Under section 5.1.2, the document defines defense-in-depth as a multifaceted strategy. It states: ‘a multifaceted strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.’ This approach is considered best practice in the cybersecurity field.
- Widespread adoption: The quote continues, emphasizing that ‘Many cybersecurity architectures incorporate the principles of defense-in-depth, and the strategy has been integrated into numerous standards and regulatory frameworks.’ This highlights the broad acceptance and integration of this strategy in various cybersecurity measures.
- OT environments: This strategy is particularly useful in OT environments, including ICS, SCADA, IoT, IIoT, and hybrid environments. It focuses on critical functions and offers flexible defensive mechanisms.
- CDR's role in defense: CDR contributes to this defense-in-depth approach, especially in handling content with browser isolation solutions. Its role in enhancing security across different layers of the organization makes it a valuable asset in the cybersecurity landscape.
Mitigating the risks
The SolarWinds breach was a frightening sign of what has already begun, and it might just be a small part of what's happening now. With criminal groups capitalizing on the increasing cloud connectivity at ICS/OT sites, attacks on hundreds or even thousands of organizations simultaneously are actual risks we face today.
But amid these challenges, there's a solution: CDR. This cutting-edge technology offers a robust defense against the known and unknown, providing a shield against malicious forces that seek to exploit our interconnected world. In the ongoing battle against malware, CDR stands as a vigilant sentinel, ever ready to protect.