OT/ICS Security Focus Group: Manufacturing (In)security
27 April 2022 – Cyber Security Coalition
It’s extortion, a crime!
In his ‘Manufacturing (In)security’ presentation, Charl van der Walt, Head of Security Research at Orange Cyberdefense, focuses particularly on some security aspects in the sectors of manufacturing and utilities.
It’s a crime
Straight off, van der Walt defines ‘cyber extortion’ as “a form of computer crime in which a corporate digital asset is compromised and exploited in a threat of some form to extort a payment.” As a result, ransomware is but one of many attack options, possibly exercised by several parties collaborating in an incident. Indeed, extortion is possible even without a technical attack, e.g., by simply threatening (rather than executing) a DDoS attack. Understanding “it’s not about an attack, but a crime, helps to think more clearly about this problem, as the paths to extortion may vary.”
Attractive by sheer numbers
In the datasets of the report, ‘manufacturing’ companies are by far the most represented, with ‘utilities’ scoring a much smaller percentage. As the paths and attacker behaviour resemble those in other sectors, manufacturing does not appear to be specifically targeted; the proportionally large number of incidents rather reflects something about the companies in the sector. Nor do there appear to be criminal actors that specialize in manufacturing or utilities. The criminals operate as a business, efficiently and opportunistically targeting the largest economies with the largest numbers of companies (and thus the largest number of potential victims), with a broad range of types of extortion. Clearly, though, most attacks and compromises still involve IT elements rather than OT technology.
Theory of crime
Finally, van der Walt applies a theory of crime to explain why these sectors are hit in particular, in this case the ‘routine activity theory’. He considers the ‘motivated offender’ (looking for money), the ‘suitable victim’ (the VVIVA-characteristics are discussed) and the ‘lack of guardians’ (elements to prevent the crime). The characteristics of the victims appear to play a major role in why manufacturing is heavily represented in the datasets of the report.
The presentation is further enlivened with a large number of questions.
👉 The ‘Security Navigator 2022’ report can be downloaded here.
👉 A summary paper on criminology and ‘Routine Activity Theory’ can be downloaded here.