Episode #131: Hitting Tens of Thousands of Vehicles At Once with Matt MacKinnon

In this episode, Matt MacKinnon, Head of Global Strategic Alliances at Upstream Security, looks at a cybersecurity niche in the automotive industry that I did not know existed: protecting the cloud systems that vehicle manufacturers rely on to manage and interact with the vehicles they produce. From passenger cars to 18-wheelers and massive mining equipment, connected vehicles enable everything from diagnostics and updates to real-time remote control.

Matt explains how digital transformation and the pervasive use of cloud systems in automotive and heavy equipment industries has introduced new attack opportunities, with potential consequences ranging from unauthorized manipulation of vehicular systems, data breaches, and potential threats to safe and reliable operations.

How to manage these risks and protect cloud systems connected to vehicles? Matt walks us through protective technology and how it works – technology I did not know existed.

Episode #85: Cyber Insurance is Changing Fast with Georgina Williams

Georgina walks us through changes in the insurance industry triggered by NotPetya and the $1.4 billion USD Merck Pharma payout. For many, OT cyber insurance is not the “one stop” solution it once was.

Next, the OT cyber risk team must get a handle on network and other dependencies. For the purposes of assessing attack exposure, we must know about all the ways OT assets and physical operations depend on services from more-exposed IT, Internet or cloud networks. More difficult to determine, but just as essential, is that we must understand those tricky dependencies that exist even without communications between IT and OT assets and networks, such as procedural or logistical dependencies. These dependencies are important because IT assets are low hanging fruit for attackers. Even when OT systems or physical operations are the ultimate target of an attack, most OT network attacks begin with compromising IT systems. IT/OT interconnections and dependencies must be identified, protected and the data flow controlled to properly manage OT cyber risk.

For example, Active Directory systems are a common data flow dependency. In many organizations, OT systems need to connect to IT Active Directory servers to enable users to log in. In this scenario, if OT systems cannot connect to Active Directory servers residing in the IT network, OT is crippled. Subtler dependencies can exist; not all dependencies are reflected in information flows.

For example, during the NotPetya cyber attack, Maersk, the world’s largest container shipping company, suffered an operations outage because of a procedural dependency that was not evident in IT/OT information flows. The Notpetya malware crippled the database on the IT network that instructed truck drivers where to transport containers that were unloaded from ships in port. Since the tracking system was down, the drivers were unable to deliver the containers. Sometimes dependencies are complicated and the best way to investigate them is to assemble all stakeholders together to ask and understand – if all IT systems were shut down, could physical operations continue, and if not, why not?

Dependencies on IT systems are one reason that so many ransomware attacks result in outages of OT networks. Ransomware attacks impair IT networks more often than they do OT systems, and if OT networks have multiple dependencies with IT systems that ransomware has impaired, physical operations cannot continue. While it can be very difficult to eliminate all OT dependencies on IT systems, we cannot simply ignore any dependencies that must remain in place. Instead, we must recognize that IT systems which are essential to continued physical operations are in fact reliability-critical components. These reliability-critical systems may be hosted on the IT network instead of the OT network but must be managed and secured in many of the same ways that OT systems are managed and secured.

• Risk management: Organizations must identify and assess the risks to their networks and information systems. This also includes a person or team that is responsible for handling the decisions that need to be made regarding risk, with the blame falling on them if something goes wrong.
  
  
• Incident response: Organizations must have a plan in place to respond to cybersecurity incidents within 24-hours of the incident. NIS2 also requires organizations to report certain types of cybersecurity incidents to their national authorities.
  
  
• Vulnerability management: Organizations must identify and patch vulnerabilities in their systems in a way that is appropriate for their devices and networks. This use of the term “appropriate” is somewhat ambiguous and it is probably best to err on the side of caution and provide more protection instead of less protection whenever there is any doubt.
  
  
• Security awareness training: Organizations must train their employees on cybersecurity best practices. Sometimes the most secure networks can be compromised by an employee clicking on some phishing link or using a weak password. Avoiding these issues can be greatly mitigated if everyone with access has a good understanding of the type of threats that exist and how to avoid them.
  
  
• Supply chain security: Organizations must also ensure that their 3rd party vendors are taking appropriate cybersecurity measures. This means that not only does the entire internal operation need to comply with NIS2, but also any 3rd party vendors that provide products or services need to comply too.