Resilience In Critical Infrastructure


CyberWire staff

Since the recently disclosed cyberattack against a server at the Port of Houston came up during the hearings (Easterly offered an account of this particular attempt against a critical installation), it’s worth reviewing that attack and industry reaction to it. The Port of Houston Authority said yesterday in a brief announcement that it had “successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.” CNN reports that on August 19th attackers believed to be associated with a foreign intelligence service gained access to a server in the Port of Houston, planted malware, and stole Microsoft credentials. Defenders were able to isolate the compromised server within about an hour and a half of the initial attack. Whichever nation-state was responsible for the Houston attack (and there’s no attribution, yet), the Record reports that the attack was accomplished by exploiting a zero-day in a Zoho authentication appliance.

Cherise Esparza, CPO, CTO & Co-Founder of SecurityGate, is encouraged: “This is a good news story demonstrating when organizations are prepared, adhere to guidelines, and have security controls in place with the proper processes, attacks can be thwarted!” Doug Britton, CEO of Haystack Solutions, is also encouraged, but counsels continued vigilance: “This successful defense is a stark reminder that organizations and agencies alike are under constant threat from bad actors, including nation-states. Also, remnants from SolarWinds still can pose a threat, even after all this time. It takes a strong cyber team to battle these kinds of threats. We need to make sure to continue our investment in cybersecurity. The profession needs to grow at a strong rate and remain robust as future battles like this will continue to be digital.”

Saryu Nayyar, CEO of Gurucul, also liked the successful defense and recovery:

“There are rarely publicized success stories in cybersecurity; usually we hear about damaging breaches. So this story that The Port of Houston has successfully fended off an attack is encouraging to hear. The attackers attempted to make use of a new vulnerability in ManageEngine ADSelfService Plus, a password management service to enter the network. Infrastructure such as port operations are fertile ground for ransomware-style attacks, due to both their critical nature and often their relatively poor security practices. Ports, utilities, airports, and other types of infrastructure should have both comprehensive security systems coupled with active monitoring of endpoints, IoT devices, servers, network, and individual systems so that early detection and remediation become the norm, rather than the exception.”

Ron Bradley, VP at Shared Assessments, draws a metaphorical lesson:

“There’s a lot to unravel here, and it’s a fairly complex technical discussion. It’s ironic this notification originated from the Port of Houston, because it’s very much in line with what I advise in many instances, and that is to know your ports and protocols. What holds true in shipping ports also holds true in network ports which are synonymous in a certain sense. In shipping ports, the protocol is to understand which ships are coming into the port and what is contained within the shipment. The same holds true for networking ports and protocols. Companies must be diligent about continuously scanning open ports from the outside of their network and ensuring no unauthorized ports are accessible.

“The primary mitigation to this particular attack would be to not allow the password reset application to be accessible from outside networks. If that’s not practical or possible, then additional layers must be implemented such as multi-factor authentication, in addition to the appropriate intrusion detection and intrusion prevention mechanisms.”
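Bradley’s two recommendations above (continuously compare what is reachable from outside against what is approved, and never expose the password-reset application directly) can be turned into a routine check. The following is an added example, not code from the article or from any of the vendors it quotes; the hostnames, ports, service labels and the “approved exposure” policy are all constructed for illustration, and the scan results stand in for the output of whatever external scanner an organisation actually runs.

```python
"""
Added example: reconcile an external port scan against an exposure policy.

Two checks are applied to every reachable service:
  1. Is this host/port/protocol on the approved-exposure list at all?
  2. Is the service one that should never face the internet (e.g. a
     self-service password-reset portal), regardless of any approval?
A separate diff against the previous scan surfaces anything newly exposed
since the last run, which is what "continuous" scanning is meant to catch.
"""
from dataclasses import dataclass

# Constructed list of service labels that must not be externally reachable.
NEVER_EXTERNAL = {"password-reset", "ad-self-service", "ldap", "smb", "rdp"}


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    proto: str
    service: str  # label assigned by the scanner's service detection


# Constructed "today" results from scanning two public addresses (hypothetical hosts).
SCAN_TODAY = [
    Exposure("gw.example.test", 443, "tcp", "https"),
    Exposure("gw.example.test", 22, "tcp", "ssh"),
    Exposure("portal.example.test", 443, "tcp", "https"),
    Exposure("portal.example.test", 8888, "tcp", "password-reset"),
    Exposure("portal.example.test", 3389, "tcp", "rdp"),
]

# Constructed "yesterday" results, used to spot what changed.
SCAN_YESTERDAY = [
    Exposure("gw.example.test", 443, "tcp", "https"),
    Exposure("portal.example.test", 443, "tcp", "https"),
]

# Constructed policy: host -> set of (port, proto) with an approved exposure record.
POLICY = {
    "gw.example.test": {(443, "tcp")},
    "portal.example.test": {(443, "tcp")},
}


def find_unauthorized_exposures(scan, policy):
    """Return [(exposure, reason)] for every reachable service that violates policy."""
    findings = []
    for e in scan:
        approved = (e.port, e.proto) in policy.get(e.host, set())
        if e.service in NEVER_EXTERNAL:
            # Approval does not override this class of service.
            findings.append((e, f"{e.service} must not be reachable from outside"))
        elif not approved:
            findings.append((e, "no approved exposure record for this port"))
    return findings


def new_exposures(current, previous):
    """Return services reachable now that were not reachable in the previous scan."""
    return sorted(set(current) - set(previous), key=lambda e: (e.host, e.port))


if __name__ == "__main__":
    for e, reason in find_unauthorized_exposures(SCAN_TODAY, POLICY):
        print(f"VIOLATION {e.host}:{e.port}/{e.proto} ({e.service}): {reason}")
    for e in new_exposures(SCAN_TODAY, SCAN_YESTERDAY):
        print(f"NEW since last scan: {e.host}:{e.port}/{e.proto} ({e.service})")
```

The policy deliberately cannot whitelist a service in the never-external set: an approval record for port 8888 would still produce a finding, which is the point of Bradley’s first mitigation. The diff against the previous scan is what makes the check useful on a schedule rather than as a one-off audit.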

Other commentators were dismayed by another case in which attackers found credentials relatively accessible. And several of them noted that organizations under stress, as so many are during enforced periods of remote work and the other consequences of the COVID-19 pandemic, are in a heightened state of vulnerability.

Danny Lopez, CEO of Glasswall, sees a glass half full (sort of). But an attacker with the right credentials is a major problem:

“While it’s positive the Port of Houston cyberattack did not disrupt operations, the fact that foreign adversaries were able to obtain legitimate credentials for the systems belonging to one of the largest ports on the U.S. Gulf Coast is concerning. More details on how the intrusion happened will likely be revealed in the coming days, but for now it’s worth underlining how to minimize the risk and impacts of credential theft.

“Critical infrastructure organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It’s vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible is a vital defence where user credentials find their way into the hands of adversaries. This will help to limit the blast radius, and in most cases, defeat the data breach.

“Even if all procedures and policies are well executed, then there’s no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment to enable surveillance, often using everyday business documents which we all use. It’s vital that ports like this, and all organisations, invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work and the business to function.

“Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having free rein across a network once they are inside.”

Matthew Meehan, chief operating officer at TokenEx, agrees that stolen credentials are the “weak link in the security chain,” even as technology trends in the direction of risk-based authentication:

“There is ample opportunity for hackers to exploit passwords every day. We continue to encourage strong password policies as vital to both personal and business security. Cybercriminals often reuse credentials found from online data dumps, commonly known as credential stuffing, to access sensitive data. That tactic, combined with user penchant for simple passwords, does not result in an appropriate level of data protection. We can’t stress enough – users should never repurpose passwords. Instead, creating complex and unique passwords in conjunction with two-factor authentication is best.

“For all types of sensitive data like personal or payment information, organizations can remove that data from systems entirely using tokenization. That way, if a foreign hacker does access U.S. systems, as in the case of the Port of Houston, they won’t be able to steal any useful information. Finally, rather than being a target to malicious attacks, good password hygiene practices like not sharing or reusing passwords, are absolutely vital. Investing the time to take one extra step to secure data is invaluable to U.S. interests, compared to the fallout of a data breach.”

Neil Jones, Egnyte’s cybersecurity evangelist, draws attention to the other problems the transportation sector faces:

“Labor shortages and supply chain disruption resulting from the global pandemic have already stifled productivity at U.S. ports. Just last month, a record 44 vessels were awaiting a berth space at the Los Angeles and Long Beach, California ports, with an average wait time of 7.6 days. Imagine if a cyberattack had occurred on the ports’ operations during such a critical time. In the Port of Houston case, the attacker appeared to breach the port’s network via remote access, a mission-critical requirement for a port that’s required to function on a 24/7/365 basis. So, it is especially fortunate that shipping operations weren’t disrupted.

“The reality is that all transportation and shipping data are vulnerable without proper data governance and network security techniques. It is imperative that organizations protect the data itself, not just the technical infrastructure around their data. This type of security incident occurs far too regularly, particularly now that many employees are required to work remotely, in decentralized teams. If credential compromise tools are implemented correctly, they can render cybercriminals’ attacks ineffective. Used in a case like this where the adversaries were able to infiltrate the network, the files themselves would remain inaccessible to outsiders, and crucial shipping systems would remain protected.”

And Exabeam’s chief strategy officer Gorka Sadowski would make our flesh creep with accounts of the stuff they see on the dark web:

“Exabeam continually cautions its customers and partners on the pervasiveness of credential-based attacks. Login credentials have significant value, and the threat of theft persists from adversaries. The challenge is that usernames and passwords remain critical in our daily lives, from helping us complete work to carrying out personal matters like online shopping, banking or connecting with friends over social media.

“Billions of previously stolen credentials live on the dark web, and we’ve just accepted that they fuel the underground economy and enable more credential stuffing attacks. We know that the hackers are bold and unconcerned with being detected on the network because they use sophisticated methods that mimic typical user activity. If their access is gained using valid credentials, it makes them even more difficult for administrators to catch. Thankfully, in this instance, the compromise was detected. If it hadn’t been, the attacker would have obtained unrestricted access.

“Organizations across all industries need to invest in machine learning-based behavioral analytics solutions to help detect malicious activity and stop adversaries before damage is done. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
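Meehan’s point about credential stuffing and Sadowski’s point that a valid-credential login only stands out when it is compared with the account’s usual behaviour both reduce to the same detection idea: build a per-user baseline from past successful logins, then score new successes against it and against failure patterns from the same source. The following is an added example, not code from the article or from Exabeam, TokenEx or any other vendor quoted; the log format, the user names, the IP addresses (documentation ranges) and the scoring thresholds are constructed, and the simple baseline stands in for the statistical models a commercial behavioral-analytics product would use.

```python
"""
Added example: baseline-and-deviation scoring over constructed auth log lines.

Baseline window: per user, the /24 source networks and hours of day seen on
successful logins. Detection window: a success is alerted when at least two of
these hold: new source network, unusual hour, or the source IP also failed
against several distinct accounts (a credential-stuffing pattern).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format; real products emit richer fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

BASELINE_LINES = [  # constructed, a "learning" period of normal activity
    "2021-08-02T08:05:11Z LOGIN user=jdoe src=198.51.100.20 result=success",
    "2021-08-03T09:12:40Z LOGIN user=jdoe src=198.51.100.21 result=success",
    "2021-08-04T13:47:03Z LOGIN user=jdoe src=198.51.100.20 result=success",
    "2021-08-05T16:30:55Z LOGIN user=jdoe src=198.51.100.22 result=success",
    "2021-08-02T09:01:09Z LOGIN user=asmith src=198.51.100.30 result=success",
    "2021-08-04T10:15:27Z LOGIN user=asmith src=198.51.100.31 result=success",
]

WINDOW_LINES = [  # constructed, the period being examined
    "2021-08-19T01:58:02Z LOGIN user=asmith src=203.0.113.7 result=failure",
    "2021-08-19T01:58:09Z LOGIN user=bchen src=203.0.113.7 result=failure",
    "2021-08-19T01:58:15Z LOGIN user=dlee src=203.0.113.7 result=failure",
    "2021-08-19T02:13:05Z LOGIN user=jdoe src=203.0.113.7 result=success",
    "2021-08-19T09:30:44Z LOGIN user=asmith src=198.51.100.30 result=success",
    "this line is not an auth event and is skipped",
]


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def net24(ip):
    """Coarsen an IPv4 address to its /24 so a DHCP change does not look new."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(events):
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for ev in events:
        if ev["result"] == "success":
            base[ev["user"]]["nets"].add(net24(ev["src"]))
            base[ev["user"]]["hours"].add(ev["ts"].hour)
    return base


def stuffing_sources(events, min_users=3):
    """Source IPs whose failures span at least min_users distinct accounts."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "failure":
            users_by_src[ev["src"]].add(ev["user"])
    return {src for src, users in users_by_src.items() if len(users) >= min_users}


def score_events(events, baseline, stuffing, min_reasons=2):
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        b = baseline.get(ev["user"])
        reasons = []
        if b is None or net24(ev["src"]) not in b["nets"]:
            reasons.append("new source network")
        if b is None or ev["ts"].hour not in b["hours"]:
            reasons.append("unusual hour")
        if ev["src"] in stuffing:
            reasons.append("source also failed against many accounts")
        if len(reasons) >= min_reasons:
            alerts.append((ev["user"], ev["src"], reasons))
    return alerts


def run_detection(baseline_lines, window_lines):
    baseline = build_baseline([e for e in map(parse, baseline_lines) if e])
    window = [e for e in map(parse, window_lines) if e]
    return score_events(window, baseline, stuffing_sources(window))


if __name__ == "__main__":
    for user, src, reasons in run_detection(BASELINE_LINES, WINDOW_LINES):
        print(f"ALERT {user} from {src}: {', '.join(reasons)}")
```

Requiring two independent reasons keeps a single new coffee-shop network from paging the SOC, while a success that follows a spray of failures from the same address is scored even if the hour and network looked normal for that one user. In the constructed window, asmith’s 09:30 login from a known network raises nothing; jdoe’s 02:13 success from the address that just failed against three other accounts is the only alert.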