A Chinese Advanced Persistent Threat (APT) actor used CVE-2024-24919 (an information-disclosure vulnerability in Check Point security gateways with remote access VPN enabled, which lets an unauthenticated attacker read arbitrary files, including credential stores, from the appliance) to gain persistent access to operational technology (OT) networks. The same group had earlier used the exploit to compromise an ‘unnamed national grid’ for six months.
According to Dark Reading,
Though they didn’t limit themselves to one part of the world, the attackers were largely focused on specific, highly valuable OT industries. For example, a number of targets were significant supply chain manufacturers to aviation and aerospace companies. Around half of all victims tracked were manufacturers of one kind or another.
This is a topic I have covered many times: the security appliances themselves become the bad actor’s superhighway into the network. It is a combination of ‘The Matryoshka Risk‘ (supply chain compromise) and the ‘Quis custodiet ipsos custodes: When Good Firewalls Go Bad‘ problem. Security devices are complex, which makes it more likely they contain exploitable flaws, and they are often deployed as all-or-nothing bastions. A VPN concentrator or an inspecting firewall is a single spot from which an attacker can reach everything, and an inspecting firewall, by design, terminates your own TLS sessions, so compromising it also exposes your encrypted traffic in the clear.
A particular challenge is the asymmetry of the problem: the attacker is better funded, better trained, better equipped, and faces little downside. The defenders are many, small, and fragmented.
The solution is not the one taken by the ostrich. Instead, a few simple tactics:
Multi-factor authentication

First, multi-factor authentication. This attack is, at its core, secret extraction: IPsec certificates, passwords, and TLS trust chains pulled off the appliance. If multi-factor were required everywhere those secrets might be reused (the VPN gateway itself, the routers and switches behind it, and so on), the attacker would find it much harder to move laterally. If every device requires multi-factor and the attacker extracts a shared password from the gateway, the attacker is left holding a single factor, which is not enough to log in. Couple that with logging and alerting and we would have a shot at stopping the attacker in their tracks. Couple that with segmentation and the attacker is materially slowed, giving us time to react.
You may feel there are barriers to implementing multi-factor authentication on some of those “legacy” devices. Maybe you need to access them with local accounts that are not part of your domain identity provider? Maybe a contractor or network managed service provider needs to use them? Agilicus has you covered: see the case study, which implements multi-factor authentication as an identity-aware proxy without any changes to the devices themselves.
Logging
Second, logging. Devices and software generate logs, and not just for install-time debugging and diagnostics. Make sure the logs are shipped to a central, tamper-resistant location, somewhere the device itself cannot delete or rewrite them. Make sure every device has NTP configured and is actually synchronized; clocks that drift by minutes make correlation across devices impossible. Use UTC everywhere, because embedded device clocks and databases routinely mishandle daylight saving transitions, producing a duplicated or missing hour in the logs each spring and fall. This is non-negotiable: if the timestamps are not UTC, expect some date-handling bug to surface at exactly the moment you need to reconstruct a timeline.
Logs can be stored in a fancy SIEM. They can also be stored in flat files on a syslog collector. Start collecting, get the timestamps right, and then, on the first incident, you will at least have some information to work through. After that incident you will have a better understanding of what you want to budget here.
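To make the multi-factor and logging points above concrete, here is an added example (not code from the original post, and not an Agilicus or Check Point product) that does the two things the text asks for: it normalises log lines from several devices to UTC so they can be correlated, and it alerts when an account that just authenticated to the VPN gateway is used for a single-factor admin login on an internal device shortly afterwards. The device names, the line format, the per-device clock configuration and the log lines themselves are constructed for illustration; one device is deliberately left on local time to show why the normalisation step matters.

```python
"""Normalise multi-device logs to UTC and alert on reuse of a VPN credential
against an internal device without a second factor.
Added example: device names, log format and log lines are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed per-device clock configuration. A well-run fleet puts every device
# on UTC; core-rtr is deliberately left on local time (UTC-4) to show the
# ordering problem that unsynchronised or local-time clocks create.
DEVICE_TZ = {
    "vpn-gw": timezone.utc,
    "core-rtr": timezone(timedelta(hours=-4)),
    "hmi-01": timezone.utc,
}

# Constructed sample lines: "<device> <timestamp without offset> <event> k=v ...".
# The second VPN login is the attacker reusing an extracted password (mfa=no),
# followed 95 seconds later by a password-only admin login on the core router.
SAMPLE_LOGS = """\
vpn-gw 2024-06-03T12:01:10 vpn-login user=opsadmin src=203.0.113.7 mfa=yes
vpn-gw 2024-06-03T12:04:55 vpn-login user=opsadmin src=198.51.100.9 mfa=no
core-rtr 2024-06-03T08:06:30 admin-login user=opsadmin src=10.20.0.14 mfa=no
hmi-01 2024-06-03T12:07:02 admin-login user=opsadmin src=10.20.0.14 mfa=yes
"""


@dataclass
class Event:
    device: str
    ts: datetime          # always timezone-aware UTC after parsing
    kind: str
    fields: dict


def parse_line(line: str) -> Event:
    device, stamp, kind, *kv = line.split()
    naive = datetime.fromisoformat(stamp)
    # Attach the zone the device is known to run on, then convert to UTC.
    ts = naive.replace(tzinfo=DEVICE_TZ[device]).astimezone(timezone.utc)
    return Event(device, ts, kind, dict(p.split("=", 1) for p in kv))


def parse_logs(text: str) -> list[Event]:
    """Parse and order events by true (UTC) time, not by face-value timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.ts)


def detect_credential_reuse(events: list[Event],
                            window: timedelta = timedelta(minutes=15)) -> list[str]:
    """Alert when an account that authenticated to the VPN gateway is then used
    for a single-factor admin login on an internal device within `window`."""
    alerts = []
    vpn_logins = [e for e in events if e.kind == "vpn-login"]
    for e in events:
        if e.kind != "admin-login" or e.fields.get("mfa") == "yes":
            continue
        user = e.fields["user"]
        # Most recent VPN login by the same account inside the window.
        prior = [v for v in vpn_logins
                 if v.fields["user"] == user and timedelta(0) <= e.ts - v.ts <= window]
        if prior:
            v = max(prior, key=lambda v: v.ts)
            gap = int((e.ts - v.ts).total_seconds())
            alerts.append(f"{e.ts.isoformat()} {user}: single-factor admin login on "
                          f"{e.device} {gap}s after VPN login from {v.fields['src']}")
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_reuse(parse_logs(SAMPLE_LOGS)):
        print("ALERT", alert)
```

Taken at face value, the router’s 08:06:30 line sorts before both VPN logins and the correlation silently fails; after normalisation it lands at 12:06:30 UTC, between the attacker’s VPN login and the legitimate MFA-backed HMI login, and the rule fires once. The HMI login, which did present a second factor, is correctly left alone.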
Segmentation

Third, segmentation. Think of a medieval castle: it has a moat, a drawbridge, a wall, a keep. Every time some Monty-Python-esque attacker got through one line, you fell back to the next.
Now think of the famed Maginot Line, a long, ‘infinitely strong’ line of defence built by France in the 1930s to deter Nazi Germany. It worked great, right up until the Germans went around it through the Benelux countries and… boom, the wall was not so strong from the inside.
Network segmentation is a core principle of Zero Trust. In fact, Zero Trust is the limiting case: one user, one resource, rather than the VPN model of one user, all resources.
Implementing network segmentation can seem daunting. Look up private VLANs on your switches. Look up ACLs. Group devices by type or by purpose. Every bit helps. Make sure logs are generated (see above) both for traffic crossing a segment boundary and for traffic blocked at it.
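Before committing ACLs to a switch it helps to write the policy down and test it against the flows you expect. The following is an added example (not code from the original post) that models an ACL the way a switch evaluates it: rules are tried in order, the first match wins, and anything that matches nothing hits the implicit deny. Every decision, permit or deny, produces a log line, which is the point made above about logging traffic at segment boundaries. The segment names, address ranges, rules and sample flows are constructed; the last three flows are what an attacker holding a stolen VPN credential would try.

```python
"""First-match ACL evaluator with implicit deny and per-decision logging.
Added example: segments, hosts, rules and flows are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Assumed segmentation, grouped by purpose: remote users, a jump host,
# the HMI network, and the PLC network.
SEGMENTS = {
    "vpn-users": ipaddress.ip_network("10.99.0.0/24"),
    "jump":      ipaddress.ip_network("10.20.0.0/24"),
    "hmi":       ipaddress.ip_network("10.30.0.0/24"),
    "plc":       ipaddress.ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str            # segment name or "any"
    dst: str            # segment name or "any"
    proto: str          # "tcp", "udp" or "any"
    port: int | None    # destination port, None = any
    action: str         # "permit" or "deny"


# Ordered like an ACL: first match wins; nothing matching means implicit deny.
# Remote users reach only the jump host, which alone reaches the HMI, which
# alone talks Modbus to the PLCs: one user, one resource at each hop.
POLICY = [
    Rule("vpn-users", "jump", "tcp", 22,   "permit"),
    Rule("jump",      "hmi",  "tcp", 3389, "permit"),
    Rule("hmi",       "plc",  "tcp", 502,  "permit"),
    Rule("hmi",       "plc",  "tcp", 22,   "deny"),   # explicit deny, so it is named in the log
]


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int):
    """Return (action, index of matching rule or None, log line)."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    for i, r in enumerate(POLICY):
        if (r.src in ("any", s) and r.dst in ("any", d)
                and r.proto in ("any", proto) and r.port in (None, port)):
            action, matched = r.action, i
            break
    else:
        action, matched = "deny", None      # implicit deny at the end of the ACL
    rule = "implicit" if matched is None else str(matched)
    log = f"acl {action} {proto} {src_ip}({s})->{dst_ip}({d}):{port} rule={rule}"
    return action, matched, log


# Constructed flows: three legitimate hops, then three lateral-movement attempts.
SAMPLE_FLOWS = [
    ("10.99.0.5",  "10.20.0.14", "tcp", 22),    # remote user -> jump host
    ("10.20.0.14", "10.30.0.7",  "tcp", 3389),  # jump host -> HMI
    ("10.30.0.7",  "10.40.0.2",  "tcp", 502),   # HMI -> PLC (Modbus)
    ("10.99.0.5",  "10.30.0.7",  "tcp", 3389),  # remote user straight to HMI
    ("10.99.0.5",  "10.40.0.2",  "tcp", 502),   # remote user straight to PLC
    ("10.30.0.7",  "10.40.0.2",  "tcp", 22),    # HMI to PLC over SSH
]


def run(flows=SAMPLE_FLOWS):
    return [evaluate(*f) for f in flows]


if __name__ == "__main__":
    for _, _, log in run():
        print(log)
```

Under the VPN model the last three flows would simply succeed, because the VPN places the user on a network that can reach everything. Here they are refused, and each refusal leaves a log line naming the source segment, the destination segment and the rule that fired, which is exactly the signal the logging section asks you to collect.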
Once you have those three simple tactical things underway, you get stronger every day, and you can start to focus on longer-term evergreen tactics that give simple, effective security. Let’s focus on practical, cost-effective measures, regardless of the specific attack vector:
- Stronger Identities, Not Shared Passwords: The number one problem? Default passwords and shared accounts. A recent CISA report revealed that 94.4% of US Coast Guard entities had at least one default password. This is a disaster waiting to happen. The solution? Move to single sign-on (SSO) and multi-factor authentication (MFA) across all your systems. We recommend focusing on the HMI first, as it’s the most human-facing element. An identity-aware proxy can make even legacy systems secure by handling authentication separately. This eliminates guessable passwords and accounts whose credentials never change, and simplifies access for employees and third parties.
- Defence in Depth – Beyond the Air Gap: The “air gap” is porous. USB drives, cellular modems, and remote support tools all represent potential entry points. Defence in depth requires multiple layers of security. Network segmentation, robust backups (offsite and protected from flooding!), and well-defined incident response plans are crucial. Understand what you have through a thorough inventory and regular security assessments.
- Zero Trust is a Principle, Not a Product: Zero trust isn’t a magic bullet; it’s a philosophy centered around three things: Who (identity – strong authentication of individual users), What (authorisation – defining what each user can access), and How (secure access methods). If you have those three components, you’re well on your way to a zero-trust architecture.
- Addressing the Moral Hazard: Your vendors and partners may prioritise simplicity over security, pushing for shared credentials. This creates a moral hazard; you bear the risk, they enjoy the ease of access. SSO and MFA align these interests; it’s simpler for your partners and significantly more secure for your plant.
Moving Beyond the “Avalanche” – Practical Steps
In “CISA: 8 Top Cyber Actions for Securing Water Systems” we covered the government’s eight key recommendations for securing water systems. They apply to other industries equally, and boil down to:
- Reduce Exposure to the Public-Facing Internet
- Conduct Regular Cybersecurity Assessments
- Change Default Passwords Immediately
- Conduct an Inventory of Operational Technology/Information Technology Assets
- Develop and Exercise Cybersecurity Incident Response and Recovery Plans
- Backup Operational Technology AND Information Technology Systems
- Reduce Exposure to Vulnerabilities
- Conduct Cybersecurity Awareness Training
Remember, you don’t have to be better than a nation-state actor; you just need to be better than your neighbours.
And the first step: call Agilicus.