Some will have you believe there are armies of state sponsored bad actors out there targeting your business, and only the latest technological silver bullet will save you. They will cite Stuxnet, Triton, WannaCry, NotPetya, Dragonfly, Energetic Bear/Crouching Yeti and others as proof that you are not safe from the threat of a cyber security incident. And they are right, or at least partly so; yes, there are a lot of bad actors out there, yes, you are not safe from the threat of a cyber security incident, no, technology alone will not save you.
The Department for Business Energy & Industrial Strategy (BEIS) Security of Network and Information Systems Regulation 2018 Implementation in the Energy Sector for GB Policy Document Chapter 2, Section 9 states ‘In the UK, the NIS Regulations 2018 require energy companies identified as OES to demonstrate active cyber security risk management´ This is an interpretation of Regulation 10 (1) of 2018 No. 506 Electronic Communications The Network and Information Systems Regulations 2018, which states ‘An (Operator of Essential Services) OES must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies.’
This, therefore, requires OES to first identify the risks before they can manage them, and here we note the specifics of the regulation ‘risks posed to the security of the network and information systems on which their essential service relies.’ There is not a company in this sector today that does not have a risk register, disaster recovery plan and business continuity plan, however, how many of those registers and plans specifically relate to the Operational Technology (OT) networks and systems which run the production assets?
There are a plethora of good quality articles already published describing the differences between Information Technology (IT) systems and OT systems in relation to the Confidentiality, Integrity, Availability triad of concepts relating to information security, and how Availability is king in the Cyber Physical process domain. For the purposes of this paper we will consider a dual redundant Windows Server 2016 SCADA server in a virtualised environment, with the process put back into production mid-August 2018 following its yearly shutdown, what are the risks posed to the security of the network and information systems? This paper was written on the 14th September 2018, 4 days after Microsoft’s Patch Tuesday which addresses more than 60 vulnerabilities, including 4 publicly disclosed vulnerabilities, one of which being CVE-2018-8440, a privilege escalation bug affecting our Windows Server 2016, which was widely publicized two weeks before the patch was released along with proof-of-concept exploit code. There are already real-world attacks, with users having no remedy until the patches came out. Although an attacker would need to convince a user to download and open a specially crafted file to exploit this if successful they would be able to gain full system privileges on the machine.
To patch or not to patch, that is the question, and only you will know the answer. What risk does this vulnerability pose to the security of the network and information systems on which the essential service relies? Unless you are running a well-managed OT asset risk register, you are not able to quantify the risk. Perhaps your organisation has a no-patch policy for OT assets outside of the maintenance window; this implies the network and information systems on which the essential service relies is at risk for potentially up to a year – how is that risk to be managed?
Let’s discuss threat actors now; there are classically 6 types; Government Sponsored, Organized Crime, Hacktivists, Insider Threat, Opportunistic and Internal User Error. Referring back to the vulnerability we have identified above, the risk profile for each type of threat actor is different. As a broad sweeping statement your business may say they have mitigated the risk associated with not patching CVE-2018-8440 by not installing a mail client on the server, and its firewalled, and your staff are trained not to click on suspicious links, so we are working through the People, Process, Technology approach to increasing the cyber security posture of our systems. That works right up until we look at the Insider Threat, because the code to leverage this vulnerability is published on the Internet, and if you have a disaffected employee with a bit of tech knowledge you have a very dangerous individual, and that is a risk that you need to identify and mitigate.
Now the questions are:
- Has your OT asset risk register captured the risk associated with this vulnerability?
- Has it documented the fact that a competent person has evaluated the risk of not applying this specific patch?
- Is this decision process auditable?
If the answer to all of those questions is ‘Yes’ – well done, you are demonstrating the kinds of Indicators of Good Practice the NCSC is looking for, and the HSE will use when undertaking compliance and enforcement functions in the not too distant future. It is highly likely that you will have also identified that there is published guidance, not approved by Microsoft, for mitigating this vulnerability, and a published set of rules for use in Microsoft Sysmon Detection for detecting the exploitation of this vulnerability, so patching is not the only way of mitigating this specific risk, and there is a means to mitigate the Insider Threat – but unless you have the risk register you will probably not know about the risk.
If the answer to any of those questions is ‘No’ – Cyber Prism can help. Cyber Prism has a proven track record of working with OES in the oil & gas sector to develop and deliver a business strategy to reduce risk through NIS compliance. Our highly skilled and experienced team drive a pragmatic, risk-based approach to compliance, as OES cannot mitigate against all risk.
By having team members who have designed and managed the delivery of safe and secure control systems we recognise the differences between OT and IT systems, and the risks associated with safely securing a cyber-physical system that has the potential to kill, cause injury and result in an environmental incident if it operates in a manner outside that for which it was designed.