A Perfect Storm for Cyberattacks

By: Andrea Carcano

By now, it’s no surprise that COVID-19 presents new security threats, especially with so many employees working remotely. APT actors that want to capitalize on this new home working model are looking to lure victims into phishing attempts that ultimately seek to establish a foothold within an organization. Applying this specifically in an OT or IoT context, remote connectivity, via vulnerable remote access connections, could expose vulnerable assets to attackers.  

Reflecting on the events of 2017 with NotPetya and WannaCry, which crippled a number of organizations—not least part of the NHS in the UK—it is logical to anticipate a troubling threat scenario. That was three years ago, but according to a recent penetration test study, the WannaCry attack vector is still among the most commonly encountered vulnerabilities, and that is not all. To further exacerbate the threat scenario, Microsoft only recently announced patches for another disclosed vulnerability in the SMBv3 protocol (CVE-2020-0796), the latest version of the same protocol that was abused in the malware attacks of 2016. With this in mind, it is important to understand whether organizations have woken up to the persistence of such threats or whether memories have faded.

Patching is difficult during business-as-usual operations, but when organizations are running on skeleton staff and dealing with the rapid mobilization of remote working, it may be even more difficult to apply critical patches in a timely fashion. Automation obviously plays its part here; however, there is very often a reluctance to patch critical systems automatically, and this is especially so for OT and IoT networks.

In essence, it’s the classic case of ‘threat meets opportunity,’ giving rise to significant risk that must be mitigated. This is not a problem that will go away, and it is one that organizations will struggle to manage effectively. It can be managed, however, by applying a methodical, risk-based approach to cyber risk. Organizations must focus on deploying defense-in-depth, using multiple security controls to make it difficult for attackers and malware to penetrate deep into the network and cause widespread impact.

One can draw analogies between cybersecurity and the global response to the COVID-19 pandemic. This presents an opportunity to explain cybersecurity in practical and relevant terms; for example, what network segmentation means. The same is true for network monitoring, asset management and system patching. If organizations look at protecting their networks in the same way we limit the spread of disease, there are some important lessons to learn.

Lockdown and social distancing

As the pandemic unfolded, countries across the globe enforced ‘lockdown’ measures to restrict the movement of people. This approach decreases the possibility that the virus will spread and aligns closely with what security best practice tries to achieve with network segmentation. Logical or physical segmentation restricts communication to those areas of the network that are strictly necessary for the functioning of the process. Oil and gas organizations with critical operations have a long history of using isolation tactics to keep their processes reliable and safe. This includes limiting and securing remote access, segmenting networks, deploying deep network visibility and monitoring tools and, when necessary, taking their most important equipment offline. While “lockdown” measures may be easier to achieve in OT than in IT, the principles are the same. Where infection does take place, the pool of infection is limited to a small number of assets.
When it is possible to detect, or even prevent, the infection in the first place, the initial infection can be contained. Just like testing humans for coronavirus, with IDS signatures security teams can detect malware and malicious threats and take action before they have time to cause widespread impact. With consistent testing and detection, organizations can stop the infection in its tracks or at least have the option of taking steps to remediate any damage. These tests also give security managers the ability to identify the most at-risk areas of the network and work out further defense strategies.
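The two ideas above, a segmentation policy that denies cross-zone traffic by default and monitoring that spots an infection fanning out before it spreads widely, can be shown together in a small script. This is an added example written for this page, not code from the author or from any product; the zone layout, the cross-zone allowlist and the flow-log line format are all constructed assumptions, and the sample log lines are made up. It evaluates each flow against the zone policy and then raises an alert for any source whose denied cross-zone SMB attempts reach several distinct destinations, the pattern WannaCry-style worms produce when they try to spread over port 445.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical zone layout (an assumption for this example, not from the article).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("192.168.100.0/24"),
}

# Cross-zone allowlist: (source zone, destination zone, destination port).
# Anything not listed is denied, which is the network equivalent of "lockdown".
ALLOWED_CROSS_ZONE = {
    ("corporate_it", "dmz", 443),   # hypothetical: browsers to a DMZ web proxy
    ("dmz", "ot_control", 502),     # hypothetical: DMZ historian polling PLCs (Modbus)
}

SMB_PORTS = {139, 445}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


# Constructed log line format: "<timestamp> <src> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) \S+$")


def parse_flow(line):
    """Parse one flow-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return Flow(ts, src, dst, int(dport))


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def policy_decision(flow):
    """'allow' for intra-zone or allowlisted cross-zone flows, else 'deny'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic is not policed at the boundary
    if (src_zone, dst_zone, flow.dport) in ALLOWED_CROSS_ZONE:
        return "allow"
    return "deny"


def smb_spread_alerts(lines, threshold=3):
    """Return {src: sorted destinations} for sources whose denied cross-zone
    SMB attempts reach `threshold` distinct destinations: the fan-out that
    worm-like spread over SMB produces even when the boundary blocks it."""
    targets = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.dport not in SMB_PORTS:
            continue
        if policy_decision(flow) == "deny":
            targets[flow.src].add(flow.dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= threshold}


# Constructed sample flows: one corporate host probing the OT zone on 445,
# one legitimate historian poll, one stray SMB attempt from the DMZ, one bad line.
SAMPLE_LOG = [
    "2020-04-01T09:00:01Z 10.10.5.23 -> 10.20.0.8:443 TCP",
    "2020-04-01T09:00:02Z 10.10.5.23 -> 10.10.7.4:445 TCP",
    "2020-04-01T09:00:03Z 10.10.5.23 -> 192.168.100.10:445 TCP",
    "2020-04-01T09:00:04Z 10.10.5.23 -> 192.168.100.11:445 TCP",
    "2020-04-01T09:00:05Z 10.10.5.23 -> 192.168.100.12:445 TCP",
    "2020-04-01T09:00:06Z 10.20.0.8 -> 192.168.100.10:502 TCP",
    "2020-04-01T09:00:07Z 10.20.0.8 -> 192.168.100.10:445 TCP",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = parse_flow(line)
        if f:
            print(f"{f.src} -> {f.dst}:{f.dport} "
                  f"[{zone_of(f.src)} -> {zone_of(f.dst)}] {policy_decision(f)}")
    print("SMB spread alerts:", smb_spread_alerts(SAMPLE_LOG))
```

Two design points carry over to real deployments: the policy denies by default so that a new protocol or host has to be explicitly allowlisted rather than quietly permitted, and the alert keys on the number of distinct destinations rather than raw packet counts, so a single misconfigured host generates noise but a host sweeping the OT range stands out. Intra-zone SMB (the second sample line) is deliberately not alerted on here; a real monitor would also baseline that traffic.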