CYBER SECURITY: ARE WE BARKING UP THE WRONG TREE?
By Ken Soh, CIO of BH Global Corporation
If you do not know what APT or VAPT stand for then you are probably already under attack.*
* APT = Advanced Persistent Threats, VAPT = Vulnerability Assessment and Penetration Testing.
Two years ago, Ken Soh embarked upon a journey of anguish and surprises and experienced first-hand the pervasiveness and sophistication of cyber-attacks. Fortunately, with the support and open-mindedness of the management, he succeeded not only in understanding the intricacies of cyber security but also managed to turn an unpleasant experience into a new business under the group. He has emerged stronger from the experience and has decided to share it with the community on cyber risks. He has done so with first-hand experiences in many related industry conferences and seminars in which he was invited to speak.
This paper serves to summarise a first-hand account of the author’s close brush with the “power of the dark side”. This is done in a bid to educate the industry at large the weight-age and magnitude of cyber threats today; not just in the context of Enterprise Information Technology (IT, e.g. offices), but also Critical Infrastructures, or Operation Technology (OT, e.g. ships, vessels, ports and rigs).
For a long time, I had been put off by many of the cyber security conferences in which vendors are trying their hearts out to state the seriousness of cyber-attacks and the vulnerability of our IT systems simply to induce sales. The doomsday prophets would make similar points citing other people’s well-known examples. How Sony was hacked, how Target was compromised, how such attacks became high profile board room issues, how the CISO (Chief Information Security Officer) is the first to experience ‘Career Is Suddenly Over’, how the CEO (Chief Executive Officer) would be the next to have his ‘Career Ended Overnight’ when their enterprise systems were comprised.
I was becoming a little weary and wary of such industry pitches because, after all the attempts to scare (and, of course, to sell), there is usually no concrete or radically differentiated fundamentals to share that could effectively help mitigate cyber risks. Almost every provider is performing the same fundamental, i.e. to ‘detect and remove’. The problem these days is we can’t even identify many of the advanced threats otherwise the industry would refer to it as ‘Advanced Persistent Threats’ (APT). So is detection still the way to go? Nobody seems to know.
COMPANIES INVESTED A FORTUNE YET STILL CONTINUE TO BE COMPROMISED. WHY?
BH Global was not alone in investing a bundle in security products yet from time-to-time there would be comprised incidents. As cyber threats hot up and become more sophisticated, cases are becoming more prevalent. There is an urgent and imminent need to look for a truly effective strategy and practices. However, this is not possible without an understanding of the fundamentals.
As mentioned earlier, detection-centric practices are no longer working. I started researching the subject, and recalled my experiences of IT operation management, what has changed, what has evolved.
PEOPLE + PROCESS + TECHNOLOGY
This is a standard framework. Yes, security cannot be accomplished solely with technologies. After all, it is still people that operate the technologies. Also, enterprises would naturally need to have robust and efficient processes/governance to ensure the daily operations are in good order.
I was prompted to act because there seems to have been a shift of weight-age over the last couple of years. While in the past, people (security awareness) played a relatively important part of the enterprise security framework, technology has become on par with it. Malware that crashes hard-disks and slows down desktop operations are common today and act by stealth. Once infiltrated, it stays silent on the user’s PC, typically with remote command and control centre from anywhere in the world to take over the infected machine, quietly, in the background. To make matters worse, millions of new malware emerges daily, making even the most advanced detection technology ineffective. In the past, downloading software could allow cyber attacks. Today, simply visiting a site may result in a virus infecting quietly in the background. So education may not be as straightforward today. We need reliable technologies to counter such advanced threats.
WE ARE IN URGENT NEED OF A RADICALLY DIFFERENTIATED PARADIGM SHIFT
Having understood the fundamental notion that detection-centric method is no longer effective, I started to research technologies that could augment it. What I discovered meant that research was well worth the effort.
Specifically, the research started with experimentation of non-detection-centric technologies that includes methods such as white-listing (instead of detection which is known as black-listing), and end point containments. This is not the platform for a large technical discussion. Without touching on geeky pursuits, I would simply argue a collection of a non-detection-centric tool were picked, some of which are surprising and unknowingly powerful, achieving zero incidence in its deployed sites for the last seven plus years!
Hello world, what have we been doing?
SEEING NEW LIGHTS IN CYBER PROTECTION
At this time, I would not say we have started with the new approach described. The research is still ongoing, but a new frontier of protection strategy has definitely been found. It may not be a panacea for cyber threats but at least it completes the loop, and it fills the gap that traditional detection-centric cyber technologies cannot.
The beauty of a non-detection-centric approach is that the technology takes care of not only known viruses and zero-day (new, just born) viruses; potentially, it even takes care of the threat of future ‘unborn’ viruses. What surprises me is that such technologies were already around for some time, waiting to be discovered for wide-scale adoption. No one seems to care.
TRANSFORMING THE DISCOVERY INTO A BUSINESS
The discovery was not only useful to protect the group companies within; it does not take long for business savvy people in the company to realise that it would be a viable and meaningful business to market and apply what is learnt and discovered to protect the industry at large.
For that, a new cyber arm subsidiary Athena Dynamics (ADPL) was born. The principle proved quite useful, and within just two years of operation, ADPL was awarded classified projects in the public sector, security projects in aid of protection of energy plants and more. Such quick adoption by the industry speaks volumes for technology security fundamental not only being sound but also practical.
A USEFUL BUSINESS ALLIANCE THAT BROUGHT MORE SURPRISES
As the cyber business develops, we started to realise that sound product provision alone is insufficient. As cyber incidents become more frequent, there are unsolicited calls from the industry from time-to-time for help when their enterprises are compromised and they require help in either forensic, vulnerability assessment and penetration testing (VAPT), or post-compromise assessment. We decide that a service arm is necessary and for that, we were fortunate to forge an alliance with a highly accredited hacker team from a country that faces millions of digital attacks daily from its hostile neighbours. The group has won world-class hacking competitions such as Defcon and Codeblue year after year since 2010, with its latest credential of opening a water dam door just after 7 hours of consented hacking from the internet.
The partnership was named Good Hackers Alliance (GHA) and with that we have decided to first do a VAPT on our corporate website and systems. The VAPT brought surprises such as the discovery of implanted call-backs from some enterprise PCs, and also unauthorised accounts being created in-house by hackers infiltrated from Russia and Poland. Fortunately, these hacking activities were discovered early, and they were still ‘work in progress’ and there was no major leakage of data. The planted call-backs and ‘evil traces’ were removed, and the exploited gaps were quickly filled and fixed.
INFORMATION TECHNOLOGY SYSTEMS (IT) VS. OPERATION TECHNOLOGY SYSTEMS (OT)
As we ‘ventured’ deeper into cybersecurity related pursuits, we realised that cyber threats have grown not just in depth (i.e. more sophisticated), but also in breadth (i.e. expanded scope). It has grown from threats in IT systems to OT systems, which refers to critical infrastructures such as nuclear, chemical, energy, water plants, trains, planes, ships, etc. Some call it Industrial Control Systems (ICS), or Supervisory Control And Data Acquisition (SCADA) systems.
For a long time, it has been believed that OT systems are mostly ‘air gap’, i.e. physically isolated from external connectivity and hence they are typically safe and sound. Unfortunately, having spoken at an industry conference for the energy sector, I learnt first-hand from the engineers that air gap OT systems is typically not entirely possible. Most OEM devices are connected to their OEM suppliers anyway, whether offline or online modes, for availability and support reasons.
We had our fair share of OT encounters. In our industry, OT would very much refer to the ships, vessels, rigs and ports. We believe that it would be useful if we share more about our journey in this respect.
HACKING SHIPS, PLANES, CARS, ENERGY PLANTS AND MORE
Our journey of cyber awareness reached new heights when we realised GHA’s expertise in consented hacking is beyond just Enterprise IT Systems, for the simple reason that hackers today have already successfully infiltrated critical infrastructures. Offshore rigs were hacked and dangerously tilted; vessels systems were found infected with viruses. These hacks could happen directly or indirectly. The server of a shipping company was compromised, and the pirates knew exactly which ship, when, where and even down to the fine detail of which crate contained the most valuable goods.
FOR SHIPS, CYBER AWARENESS IS RISING BUT MORE NEEDS TO BE DONE URGENTLY
It was very disappointing to see the negative public outcry when the Singapore government decided to segregate sensitive government networks from the internet. From the observation, it is apparent that the public still does not see or understand the magnitude and seriousness of cyber threats today, especially on the dark web, state-funded cyber threats and how attacks to our government network could impact everybody at national level. More education is needed as soon as possible.
Conversely, it has been comforting to observe that the awareness is rising quickly especially with the support of the authority. Specifically, Maritime Port Authority (MPA) has recently been run a full day Maritime Cyber Security Seminar with an overwhelming turn-out. It is good to observe that business owners are starting to question what could be done going forward. We are truly humbled to be invited to speak and share in this inaugural event on maritime cyber security, and it is useful that there is a very useful panelist exchange in the seminar.
WHAT COULD POTENTIALLY BE HACKED ONBOARD SHIPS AND VESSELS?
Unlike IT systems onshore in shipping offices, they are close to the governing IT department, and protection practices and policies could be effectively applied. The IT systems onboard ships and vessels are remote. Governance may not be enforced easily; unless effective cyber tools are in place, the exposure to cyber risk is high.
Separately, more and more OT systems on board ships and vessels today are changing to PC based and TCP/IP based devices. Devices that are well interconnected or devices that accept external devices (such as external USB, storage devices) are vulnerable to cyber risks.
IT IS NOT JUST ABOUT CLASSIFICATION RULES, BUT ACTIONABLE RULES
ADPL is working closely with maritime classification bodies in the fulfillment of a new framework in cyber protection. While some high-level classification rules have been published in the past, new chapters with actionable items will be necessary. The feedback from the ship owners could be gathered at the focused workshops. A reference implementation model could be jointly developed with trial VAPT on shipping devices by teamed up cyber specialists and practitioners. Alongside that, specific cyber tools in the IT arena could be identified, enhanced, ruggedised and adopted for marine and offshore purposes.
THE ASSURANCE FRAMEWORK
Before the fully fledge availability of the global classification rules, ADPL has derived a simple assurance framework which enterprises and critical infrastructure owners could reference:
1. VAPT Risk Landscape Assessment
Every IT and OT setup is unique and different. It is important to perform a health-check on the IT and OT setup to sift out the vulnerability, before looking at the following steps.
2. Non-conventional Protection Instruments
Once the vulnerability is known, specific cyber tools could be considered. As discussed earlier, it is important to find tools that go beyond just ‘Detection and Removal’.
3. Incident Response “Emergency Button.”
Corporates today typically have IT operation competency but not the incident response (IR). It is important to incorporate IR into the corporate BCM and ERM framework.
4. OT and IT Security Awareness
Specialised SCADA security awareness training is a key.
5. Cyber Insurance
While cyber insurance is relatively immature today, it is still an important post-event protection instrument that organisations could consider and deploy.
IN CONCLUSION, AND OUR BELIEF
As I reach the end of this article, I would like to have a little ‘take-home’ list in the traditional perspective of People, Process, Technologies as follows:
1. People: Cyber awareness training can never be a one-size-fits-all pursuit. One should look into the job role and the grade level of the audience. Specifically, we probably need a half-day high-level coverage for the senior management, operational-related risks for the operational mid-level leaders and detail special coverage for the technically inclined.
2. Process: Never take compliance fulfillment as the end of the journey. Compliance and governance framework are mostly process oriented governance to fulfill management reporting. There are many cases where organisations score high in compliances, but their overall security posture is still weak operationally. A deep technical VAPT is key to fill this gap. World class credentials of the VAPT service provider is also an important consideration.
3. Technology: As shared, we believe that most cyber protection platforms today are detection oriented. As advanced threats today are hardly detectable, the strategy is to select a suitable detection tool to be augmented by non-detection centric tools such as sanitisation tools or end-point isolation and containment tools to complete the loop. ■
ABOUT THE AUTHOR