The common vulnerabilities leaving industrial systems open to attack




The industrial sector was the second most targeted by malicious actors in 2020, a year in which data extortion became a primary tactic and attacks skyrocketed. Overall, the year saw more cyberattacks than the past 15 years combined. The trend has unfortunately persisted throughout this new year: industrial systems continue to come under siege by ransomware, and attacks on critical infrastructure such as Colonial Pipeline and JBS, the world’s largest meat processor, show just how high the stakes are.

The good news is that we do know where many of the vulnerabilities lie. Recent research from industrial security company Claroty, which uncovered many “critical” vulnerabilities in industrial control systems, also laid out which specific vendors are putting industrial enterprises at risk. Now a new report from security company Positive Technologies has revealed the most common industrial vulnerabilities.

The findings

According to the research, industrial systems are especially open to attack when the external network perimeter, the part of the infrastructure reachable from the internet, has a low level of protection. Device misconfigurations and flaws in network segmentation and traffic filtering also leave the sector particularly vulnerable. Lastly, the report cites the use of outdated software and dictionary passwords as risky weaknesses.
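As an added illustration of the segmentation and traffic-filtering flaws the report names (example code written for this page, not code from the Positive Technologies report or from VentureBeat), the following Python script audits a first-match firewall ruleset between the corporate (IT) network and the technological (OT) segment. The zone addressing, the rule table and the list of ICS protocol ports are assumptions constructed for illustration. It flags allow rules that let any source, or any corporate host, reach the OT segment, rates those that expose well-known ICS protocol ports as critical, and catches a deny rule that never fires because an earlier allow already covers its traffic.

```python
"""Audit a firewall ruleset for IT-to-OT segmentation and traffic-filtering flaws.

Added example for this page; not code from the Positive Technologies report or
VentureBeat. Zone ranges, the sample rules and the ICS port list are assumptions
constructed for illustration. Rules are evaluated first-match, as most firewalls do.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed zones (hypothetical addressing; substitute the real plant network).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),    # IT segment
    "dmz": ipaddress.ip_network("10.20.0.0/24"),          # historians, jump hosts
    "ot": ipaddress.ip_network("192.168.100.0/24"),       # technological segment
}

# Well-known ICS protocol ports (TCP). Reaching these from IT is the worst case.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3",
             44818: "EtherNet/IP", 4840: "OPC UA"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # "502", "1024-65535" or "any"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def parse_net(cidr: str) -> Optional[ipaddress.IPv4Network]:
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def port_set(dport: str) -> Optional[Set[int]]:
    if dport == "any":
        return None
    if "-" in dport:
        lo, hi = (int(x) for x in dport.split("-"))
        return set(range(lo, hi + 1))
    return {int(dport)}


def touches(cidr: str, zone: ipaddress.IPv4Network) -> bool:
    """True if the rule field can match at least one address in the zone."""
    net = parse_net(cidr)
    return net is None or net.overlaps(zone)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is already matched by rule a."""
    def sub(x: str, y: str) -> bool:  # is y's address set contained in x's?
        return x == "any" or (y != "any" and parse_net(x).supernet_of(parse_net(y)))
    pa, pb = port_set(a.dport), port_set(b.dport)
    return (sub(a.src, b.src) and sub(a.dst, b.dst)
            and (a.proto == "any" or a.proto == b.proto)
            and (pa is None or (pb is not None and pb <= pa)))


def audit(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    for i, r in enumerate(rules):
        if r.action == "deny":
            # A deny placed after an allow that already covers its traffic never fires.
            for earlier in rules[:i]:
                if earlier.action == "allow" and covers(earlier, r):
                    findings.append(Finding(r.name, "high",
                                    f"deny is shadowed by earlier allow '{earlier.name}'"))
                    break
            continue
        if not touches(r.dst, ZONES["ot"]):
            continue  # does not reach the technological segment
        if r.src == "any":
            findings.append(Finding(r.name, "critical", "unrestricted source into OT"))
        elif touches(r.src, ZONES["corporate"]):
            ports = port_set(r.dport)
            if ports is None:
                findings.append(Finding(r.name, "critical", "corporate -> OT with no port filtering"))
            else:
                ics = sorted(p for p in ports if p in ICS_PORTS)
                if ics:
                    names = ", ".join(f"{p}/{ICS_PORTS[p]}" for p in ics)
                    findings.append(Finding(r.name, "critical", f"corporate -> OT on ICS ports {names}"))
                else:
                    findings.append(Finding(r.name, "high", f"corporate -> OT on {r.proto}/{r.dport}"))
    return findings


# Constructed sample ruleset (hypothetical; not taken from any real site).
SAMPLE_RULES = [
    Rule("historian-modbus", "10.20.0.5/32", "192.168.100.0/24", "tcp", "502", "allow"),  # DMZ -> OT, expected
    Rule("any-to-opcua", "any", "192.168.100.0/24", "tcp", "4840", "allow"),
    Rule("eng-ws-to-plc", "10.10.7.12/32", "192.168.100.0/24", "any", "any", "allow"),
    Rule("it-rdp-to-hmi", "10.10.5.0/24", "192.168.100.10/32", "tcp", "3389", "allow"),
    Rule("deny-eng-ws-s7", "10.10.7.12/32", "192.168.100.0/24", "tcp", "102", "deny"),
    Rule("deny-rest", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f.severity.upper():8}] {f.rule}: {f.detail}")
```

On the constructed ruleset the DMZ historian's Modbus rule passes, while the unrestricted OPC UA rule, the engineering workstation's any/any rule and the corporate RDP rule are reported, and the S7comm deny is flagged as dead because the any/any allow above it already matches that traffic. A real audit would load the rules from the firewall's export format and use the site's actual zone addressing.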

To uncover these insights, the researchers set out to actually imitate hackers and see what path they’d take to gain access.

“When analyzing the security of companies’ infrastructure, Positive Technologies experts look for vulnerabilities and demonstrate the feasibility of attacks by simulating the actions of real hackers,” reads the report. “In our experience, most industrial companies have a very low level of protection against attacks.”

Once inside the internal network, Positive Technologies found that attackers could obtain user credentials and full control over the infrastructure in 100% of cases, and in 69% of cases could steal sensitive data, including email correspondence and internal documentation. Even more concerning, at 75% of the industrial companies tested, Positive Technologies’ experts were able to gain access to the technological segment of the network. Overall, the company’s 2020 research found that an external attacker can penetrate the corporate network at 91% of industrial organizations.

Protecting industrial systems

“More than anywhere else, the protection of the industrial sector requires modeling of critical systems to test their parameters, verify the feasibility of business risks, and look for vulnerabilities,” concludes the report.

Specifically, the researchers recommend that industrial enterprises look to a cyber-range simulation of risks, which they say can assess the security of production systems without disrupting real business processes. This matters in the industrial sector because many of these systems cannot simply be taken offline for regular evaluation.

“Cyber-range simulation of risks reveals the criteria of their actuation, that is, the preconditions and possible consequences of such attacks,” the report continues. “This increases the efficiency of other security assessment tasks. In addition, a cyber-range is a place where information security specialists can test their skills in detecting and responding to incidents.”

Saumitra Das, cofounder and CTO of cloud native AI security company Blue Hexagon, responded to the research by noting that it is particularly difficult to update and protect industrial control system software that uses obscure protocols. He says segmenting the IT and OT/ICS networks, and focusing on reducing the chances of someone penetrating the IT network, is key.

“Detecting attacks on the OT/ICS side is also good, but is usually very late and risky,” he added. “It’s like detecting ransomware that has begun to encrypt already. You want to detect and mitigate the foothold infection, rather than wait for the final payload.”

Source: VentureBeat

IT systems failure blights UK Border Force electronic passport gates



The Home Office confirms the UK Border Force electronic passport gates are up and running again after passengers complain of missed flights due to earlier immigration processing delays

By Caroline Donnelly

Published: 24 Sep 2021 16:59

An IT system failure that blighted the functionality of the UK Border Force’s electronic passport gates at airports across the UK has now been resolved, the Home Office has confirmed.

The electronic passport gates are designed to allow fast-tracked access through the UK border to anyone in possession of a biometric passport, but an unspecified “technical issue” stopped passengers from using the service at UK ports earlier today for several hours.

According to government figures, there are 270 electronic passport gates in operation at air and rail ports across the UK, but it is not known at this time if all were affected by the technical difficulties.

Even so, the situation led to large queues of passengers at Heathrow Airport, as border staff had to process a higher than normal number of passports manually at these entry points while the outage lasted.

Heathrow Airport put out a statement on Twitter at around 1.40pm today saying it was “aware of a systems failure” affecting the UK Border Force’s electronic passport gates.

“The issue is impacting a number of ports of entry and is not an isolated issue at Heathrow,” the statement read. “Our teams are working with Border Force to find a solution as quickly as possible.”   

According to a statement released by the Home Office, the electronic passport gates were back up and running again around mid-afternoon today.

“This afternoon, a technical issue affected e-gates at a number of ports,” the statement read. “The issue was quickly identified and has now been resolved.”

It added: “We have been working hard to minimise disruption, and apologise to all passengers for the inconvenience caused.”

Even so, passengers caught up in the disruption have since detailed on social media their frustrations at lengthy queues, delays and missed connecting flights as a result of the issue.


Digdata partners with Facebook to encourage future data talent


Educational initiative Digdata and Facebook have developed a programme aimed at encouraging young people to consider careers in data science

By Clare McDonald

Published: 24 Sep 2021 16:25

Digdata, a recently launched educational initiative, has announced a partnership with Facebook to develop virtual challenges designed to develop young people’s data skills and encourage them to pursue careers in data science.

The Digdata Facebook live online career challenge will pose the question, “Can Facebook and Instagram help online retailers increase success?” and will ask participants to use a dataset provided by Facebook to try and answer this question.

Rachel Keane, chief data inspirer from Digdata creators the Data Inspiration Group, said: “We intend to dispel the myth that the data industry is not cool or creative. Data is used globally every day to make decisions that affect us all, yet it is not seen as a subject that receives specific teaching in schools, colleges and university, and is rarely mentioned as a future career.

“Digdata intends to inspire young minds on a path towards new exciting career opportunities in data that can combine their passion and interest, their natural personal skills and curriculum-based learning, while offering continuous professional development.”

There are many reasons suggested for why young people don’t choose careers in tech or data science, including, but not limited to, a lack of visible role models like them in the industry, and a lack of understanding about what these careers involve, or what they need to do to reach their career goals.

The aim of the Digdata programme is not only to give young people insight into how data might be used in solving business problems, but also to change some of the misconceptions people have about science, technology, engineering and maths (STEM) careers, the types of people who work in them, and the skills needed to be part of the sector.

The programme currently works with just over 200 schools and 40 universities in the UK, and has different levels of access depending on the school year of the participants – First Step for years 7 to 9 at secondary school, Next Step for years 10 to 13 at secondary school or sixth form, and Step Up for university students.

For each level, participants will work with partner organisations, such as Facebook, taking part in virtual work experience and using data to solve problems.

As well as providing challenges for students to test their understanding of both the technical and soft skills needed to take part in a data career, Digdata offers online resources for students, teachers and parents to help them understand what is involved in a data science career across a number of different industries where a data scientist might work.

Digdata partners, such as Facebook, will host a briefing event for participants on Microsoft Teams to outline the challenge they will be using data to tackle, what they want the outcome to be, and the dataset the participants will be using, following up afterwards with resources including hints on how they might tackle the problems faced.

After a week to 10 days, participants send their projects back in whatever form they like, and will receive a video from the Digdata partner describing several of the ways the data could have been used, as well as a certificate of participation.

Keane said a lot of those who choose to take part in Digdata challenges are likely to be “STEM-based students”, but the soft skills involved in the challenges presented are just as important. She also claimed employers are increasingly willing to teach new starters some of the more technical skills for a role as long as candidates already have some of the skills needed when they join a firm.

Keane also pointed out that the UK’s skills shortage and increased demand for talent sit alongside many students not being aware of what skills are needed for particular careers, and argued that people in secondary school, who are beginning to decide what subjects to study at GCSE and beyond, should be “made aware” of which skills will be most helpful in potential future roles.

This includes soft skills such as storytelling, listening, and creativity, as well as technical skills.

Registration is now open for the Digdata Facebook online career challenge, with the first event taking place on 7 October 2021.

Roger Taylor, chair of the government-backed Centre for Data Ethics and Innovation, said: “Every young person should be given a chance to understand the varied world of work and the opportunities open to them after education. Enabling them to hear directly from employers about the challenges they face and the skills they are looking for is a great way to inspire and encourage students to learn and develop. I am delighted that Digdata are bringing such energy to making this happen in the world of digital and data – technologies that will do so much to shape our future.”


IR35 reforms: HMRC confirms compliance checks under way in financial services, oil and gas sectors


Less than six months after the roll-out of the IR35 reforms to the private sector, HMRC has confirmed it has started writing letters to companies requesting details of their compliance procedures

By Caroline Donnelly

Published: 24 Sep 2021 16:08

HM Revenue & Customs (HMRC) has confirmed that compliance checks are under way within the financial services and oil and gas sectors, out of concern about how firms in these industries are adhering to the revamped IR35 tax avoidance rules.

The government tax collection agency told Computer Weekly in a statement that the action is the result of “changes in engagement models” emerging within these sectors, which are renowned for being heavily reliant on personal service and limited company contractors.

“We are therefore contacting client organisations in these sectors initially to confirm that they are applying the off-payroll working rules correctly,” an HMRC spokesperson told Computer Weekly.

The reformed IR35 rules came into force within the private sector back in April 2021 and introduced changes that shifted liability for determining how contractors should be taxed onto the medium-to-large companies that engage them.

Previously, it was down to the contractors to self-declare whether or not the work they do, and how it is performed, means they should be taxed in the same way as salaried workers (inside IR35) or as off-payroll employees (outside IR35).

However, in HMRC’s view, this system of self-declaration has been subject to misuse by contractors who have deliberately sought to misclassify their engagements as outside IR35 in the interests of minimising their employment tax liabilities.

Earlier this week, the Institute of Chartered Accountants in England and Wales (ICAEW) published a news alert about letters it claimed HMRC has begun sending out to firms in the oil and gas and financial services sectors, seeking information about their IR35 compliance procedures.

An example copy of the letter, published on the ICAEW’s website, states that the missive is being sent out on behalf of HMRC’s specialist off-payroll working team. It goes on to request information detailing how the recipient is applying the off-payroll rules.

The letter said HMRC is keen to understand the organisation’s hiring process for contractors, and details of the steps it takes to determine their tax status.

“If I decide your systems and processes are suitable, it’s likely I’ll close the check and take no further action,” said the letter. “This is because the risk of you not correctly applying the rules is low.

“If something is wrong, I’ll work with you to correct it or tell you how you can do this yourself… and it may mean you have not paid the right amount of tax, national insurance contributions or apprenticeship levy. You may need to pay us, or we may owe you money.”

The letter added: “If there’s more tax to pay because something is wrong, we may charge penalties. If you tell me straightaway and work with me to correct this, I may be able to reduce any penalties due.”

HMRC confirmed the veracity of the letter in a statement to Computer Weekly.

In the lead-up to the reforms coming into force, Computer Weekly reported on several instances whereby firms within the financial services and oil and gas markets responded to the changes by issuing hiring bans on limited company contractors to sidestep the incoming IR35 rule changes.

In a similar vein, there were also reports of companies in these sectors failing to take reasonable care when individually assessing the tax status of every contractor they engaged with, and instead resorted to making blanket determinations that resulted in every contractor they engaged with being classified as working inside IR35.

HMRC has also previously offered assurances that it would take a “light-touch” approach to enforcing the IR35 reforms during their first 12 months, to give firms in scope of the reworked rules time to adjust to their new responsibilities.

For this reason, the fact that HMRC appears to have already started taking steps to ramp up its IR35 compliance activities may come as a surprise to some, said Seb Maley, CEO of contractor compliance advisory Qdos.

“The light touch [talk] is a red herring and businesses shouldn’t pay any attention to it,” he said. “All it means is that HMRC won’t issue penalties and fines for the first year, not that the taxman won’t investigate businesses and demand tax liability payments.

“I’m not surprised that compliance activity has started already. HMRC is under huge pressure to raise revenue as the government looks to recoup the billions spent and lost during the pandemic.”

Maley said any firm that receives a similar letter from HMRC should handle it with care, no matter how innocuous it may seem.

“To view any letters sent by HMRC as innocent checks would be naive,” he said. “Experience tells us that letters can easily lead to IR35 investigations if the taxman has any inkling of non-compliance.

“With this in mind, any correspondence must be handled with care by businesses, who should be exploring all options to ensure their compliance and protect themselves from the risks of IR35.”

Conversely, Dave Chaplin, CEO of contracting authority ContractorCalculator, told Computer Weekly that it should be taken as a good sign that HMRC is taking proactive steps to ensure the private sector is not falling foul of the new rules, particularly in the light of reports about government departments, such as the Department for Work and Pensions and the Home Office, being hit with multimillion-pound tax bills for compliance failures dating back to the roll-out of similar reforms in the public sector in April 2017.

“Cynically, I was thinking they would wait at least a year for a certain amount of tax to build up to make it even worth their while [to pursue these companies], but it looks like they are actively going out there, trying to make sure clients are doing the right thing now so they don’t end up with massive tax bills,” said Chaplin.

“The reforms only came in six months ago and already they are starting to look at sectors to check they’re doing it right, because if it’s just a few mistakes that can be easily fixed, it’s much better to find out earlier rather than later.”
