{"id":2030,"date":"2020-10-28T00:12:22","date_gmt":"2020-10-28T00:12:22","guid":{"rendered":"http:\/\/72.52.228.46\/~itegriti\/?p=2030"},"modified":"2021-04-12T03:06:28","modified_gmt":"2021-04-12T03:06:28","slug":"effective-organizational-change-management-in-light-of-changing-standards","status":"publish","type":"post","link":"https:\/\/itegriti.com\/staging\/2020\/cybersecurity\/effective-organizational-change-management-in-light-of-changing-standards\/","title":{"rendered":"Effective Organizational Change Management in Light of Changing Standards"},"content":{"rendered":"<p>[fusion_builder_container hundred_percent=&#8221;no&#8221; hundred_percent_height=&#8221;no&#8221; hundred_percent_height_scroll=&#8221;no&#8221; hundred_percent_height_center_content=&#8221;yes&#8221; equal_height_columns=&#8221;no&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; status=&#8221;published&#8221; background_position=&#8221;center center&#8221; background_repeat=&#8221;no-repeat&#8221; fade=&#8221;no&#8221; background_parallax=&#8221;none&#8221; enable_mobile=&#8221;no&#8221; parallax_speed=&#8221;0.3&#8243; video_aspect_ratio=&#8221;16:9&#8243; video_loop=&#8221;yes&#8221; video_mute=&#8221;yes&#8221; border_style=&#8221;solid&#8221; type=&#8221;legacy&#8221; admin_toggled=&#8221;no&#8221;][fusion_builder_row][fusion_builder_column type=&#8221;1_1&#8243; layout=&#8221;1_1&#8243; spacing=&#8221;&#8221; center_content=&#8221;no&#8221; link=&#8221;&#8221; target=&#8221;_self&#8221; min_height=&#8221;&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; class=&#8221;&#8221; id=&#8221;&#8221; background_color=&#8221;&#8221; background_image=&#8221;&#8221; background_image_id=&#8221;&#8221; background_position=&#8221;left top&#8221; background_repeat=&#8221;no-repeat&#8221; hover_type=&#8221;none&#8221; border_color=&#8221;&#8221; border_style=&#8221;solid&#8221; border_position=&#8221;all&#8221; 
border_radius=&#8221;&#8221; box_shadow=&#8221;no&#8221; dimension_box_shadow=&#8221;&#8221; box_shadow_blur=&#8221;0&#8243; box_shadow_spread=&#8221;0&#8243; box_shadow_color=&#8221;&#8221; box_shadow_style=&#8221;&#8221; padding_top=&#8221;&#8221; padding_right=&#8221;&#8221; padding_bottom=&#8221;&#8221; padding_left=&#8221;&#8221; margin_top=&#8221;&#8221; margin_bottom=&#8221;&#8221; animation_type=&#8221;&#8221; animation_direction=&#8221;left&#8221; animation_speed=&#8221;0.3&#8243; animation_offset=&#8221;&#8221; last=&#8221;true&#8221; border_sizes_top=&#8221;0&#8243; border_sizes_bottom=&#8221;0&#8243; border_sizes_left=&#8221;0&#8243; border_sizes_right=&#8221;0&#8243; first=&#8221;true&#8221; type=&#8221;1_1&#8243;][fusion_text columns=&#8221;&#8221; column_min_width=&#8221;&#8221; column_spacing=&#8221;&#8221; rule_style=&#8221;default&#8221; rule_size=&#8221;&#8221; rule_color=&#8221;&#8221; content_alignment_medium=&#8221;&#8221; content_alignment_small=&#8221;&#8221; content_alignment=&#8221;&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; sticky_display=&#8221;normal,sticky&#8221; class=&#8221;&#8221; id=&#8221;&#8221; font_size=&#8221;&#8221; fusion_font_family_text_font=&#8221;&#8221; fusion_font_variant_text_font=&#8221;&#8221; line_height=&#8221;&#8221; letter_spacing=&#8221;&#8221; text_color=&#8221;&#8221; animation_type=&#8221;&#8221; animation_direction=&#8221;left&#8221; animation_speed=&#8221;0.3&#8243; animation_offset=&#8221;&#8221;]Attacks against industrial control systems (ICS) are only getting worse with time. There are two key reasons for this. First, these attacks are becoming more numerous as time wears on. 
<a href=\"https:\/\/securityintelligence.com\/posts\/what-the-explosive-growth-in-ics-infrastructure-targeting-means-for-security-leaders\/\" target=\"_blank\" rel=\"noopener noreferrer\">IBM X-Force<\/a> revealed in February 2020 that security incidents involving attacks against ICS and operational technology (OT) assets had increased over 2,000% since 2018, with the number of events observed in 2019 exceeding the total for the past three years combined. Most of those incidents consisted of attackers exploiting vulnerabilities in supervisory control and data acquisition (SCADA) assets and other ICS hardware components, as well as using brute-force login techniques.<\/p>\n<p>Second, these attacks are becoming easier to launch. About a month after IBM X-Force announced its research, <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/03\/monitoring-ics-cyber-operation-tools-and-software-exploit-modules.html\">FireEye<\/a> clarified that standardized digital operation tools were enabling malicious actors with even low levels of technical expertise to customize and launch attacks against organizations\u2019 ICS and OT assets. The security firm observed that the vast majority of those tools had emerged in the past 10 years, didn\u2019t target a specific vendor and contained exploit modules for over 500 zero-day flaws and other vulnerabilities.<\/p>\n<h2 class=\"navy\">Why and How Attackers Target Organizations\u2019 ICS<\/h2>\n<p>The growth of attacks against ICS reflects the ability of all kinds of malicious actors to find motivations for launching new operations. <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tr\/security\/news\/cyber-attacks\/why-do-attackers-target-industrial-control-systems\" target=\"_blank\" rel=\"noopener noreferrer\">Trend Micro<\/a> noted that digital criminals could prey upon an organization\u2019s industrial assets for financial gain by stealing information and selling it to a competitor, for instance. 
Malicious insiders could have a similar goal. Alternatively, attackers could embrace hacktivism by seeking to disrupt industrial processes for a political cause or other aim. They might even be state-sponsored actors and carry out their attacks with the purpose of fulfilling a military objective that\u2019s received authorization from their government.<\/p>\n<p>Regardless of who\u2019s behind it, an attack against an organization\u2019s ICS tends to follow a certain playbook. Trend Micro explained that the typical intrusion begins with a reconnaissance phase in which the malicious actors collect intelligence about the targeted environment. They then use phishing attacks or other techniques to gain an initial foothold in the environment. At that point, they can deploy malware that preys upon an ICS asset\u2019s vulnerabilities or configurations. Such functionality could disrupt the organization\u2019s industrial operations more broadly.<\/p>\n<p>The common thread that unites each phase of this attack scenario is change. Malicious actors need a way to exfiltrate information gained in the reconnaissance phase. They need to remain persistent in the target\u2019s environment. And they need to activate their payload\u2019s malicious capabilities by adjusting a configuration or exploiting a bug. All of these steps require that the attackers change something within the target environment.<\/p>\n<h2 class=\"navy\">A Window of Opportunity for Defending Organizations<\/h2>\n<p>These changes by attackers open a window of opportunity for organizations to protect themselves. This window comes in the form of change management, a process which allows organizations to control and approve changes to their IT and other technology assets.<\/p>\n<p>The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) pointed out in a <a href=\"https:\/\/us-cert.cisa.gov\/sites\/default\/files\/c3vp\/crr_resources_guides\/CRR_Resource_Guide-CCM.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">resource guide<\/a> that change management is particularly pertinent given the growing complexity that characterizes the processes necessary to create ever-evolving information systems. These processes elevate the probability of accidental errors surfacing in the configuration of those systems. Such mistakes could jeopardize the data and\/or business operations of an organization.<\/p>\n<p>In response, CISA urged organizations to follow the four phases of change management:<\/p>\n<ol>\n<li>Create a change management plan<\/li>\n<li>Identify which assets need protection<\/li>\n<li>Implement the configuration changes necessary to protect those assets<\/li>\n<li>Monitor configuration changes and use those results to adjust the plan, thereby creating a feedback loop.<\/li>\n<\/ol>\n<h2 class=\"navy\">Why Change Management Isn\u2019t Always that Easy<\/h2>\n<p>The issue is that change management isn\u2019t always that easy. For example, <a href=\"https:\/\/www.csoonline.com\/article\/3191947\/what-is-a-supply-chain-attack-why-you-should-be-wary-of-third-party-providers.html\" target=\"_blank\" rel=\"noopener noreferrer\">CSO Online<\/a> drew attention to the special case of applying change management to supply chain attacks. These security incidents involve malicious actors infiltrating an organization\u2019s systems via an outside provider or partner with access to the organization\u2019s network. Such attacks increase the attack surface by enabling nefarious individuals to use security weaknesses affecting third parties as attack vectors into an organization\u2019s systems.<\/p>\n<p>Supply chain attacks are no laughing matter. 
As an example, the FBI issued an alert in late March 2020 warning organizations about a state-sponsored group called \u201cKwampirs\u201d using malware to conduct supply chain attacks against organizations in healthcare and other sectors. <a href=\"https:\/\/www.zdnet.com\/article\/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months\/\">ZDNet<\/a> clarified this was the third time that the FBI had sent out an alert about the group that year. It had published its earlier alerts on January 6 and February 5.<\/p>\n<p>What makes supply chain attacks so insidious is that they\u2019re difficult to spot. In these types of attacks, malicious actors target organizations in specific regions, sectors or industries. A successful vendor or partner breach enables attackers to wind their way through the supply chain via automatic updates and verified partner pathways. All of this complicates the ability of organizations to control changes across their entire attack surface.<\/p>\n<h2 class=\"navy\">Cyber Security Supply Chain Risk Management<\/h2>\n<p>The difficulties discussed above aren\u2019t lost on industry entities. Back in July 2016, for instance, the Federal Energy Regulatory Commission (FERC) issued <a href=\"https:\/\/www.ferc.gov\/sites\/default\/files\/2020-04\/E-8_1.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Order No. 
829<\/a>: \u201cRevised Critical Infrastructure Protection Reliability Standards.\u201d That directive instructed the North American Electric Reliability Corporation (NERC) to devise a new standard or modify existing practices in order to help organizations managing Bulk Electric System (BES) operations to mitigate the risks of supply chain attacks.<\/p>\n<p>NERC responded by creating <a href=\"https:\/\/www.nerc.com\/pa\/Stand\/Pages\/Project201603CyberSecuritySupplyChainManagement.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">Project 2016-03<\/a>: \u201cCyber Security Supply Chain Risk Management.\u201d This initiative consists of three standards. One of them is <a href=\"https:\/\/www.nerc.com\/pa\/Stand\/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem\/CIP-010-3_Clean_071117.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">CIP-010-3<\/a>: \u201cConfiguration Change Management and Vulnerability Assessments.\u201d The purpose of this Critical Infrastructure Protection standard is to help organizations prevent and detect unauthorized changes to their BES Cyber Systems by abiding by the following roadmap:<\/p>\n<ol>\n<li>Develop a baseline configuration that includes OS or firmware versions, open-source applications, custom software, logical network accessible ports and security patches.<\/li>\n<li>Authorize and document changes that deviate from the baseline.<\/li>\n<li>Update the baseline configuration within 30 days if the change deviates from the existing baseline configuration.<\/li>\n<li>In the event the change deviates from the baseline, determine which controls in CIP-005: \u201cElectronic Security Perimeter(s)\u201d and CIP-007: \u201cSystem Security Management\u201d might be affected by the change. 
It\u2019s also important to verify that the change won\u2019t affect required measures in either of those standards and document the results.<\/li>\n<li>Test the change prior to fully deploying it in a production environment and document the results to ensure that CIP-005 and CIP-007 aren\u2019t adversely affected.<\/li>\n<li>Verify the identity of the software source as well as the integrity of the software program obtained from that source.<\/li>\n<li>Monitor for changes to the baseline configuration at least once every 35 calendar days, paying particular attention to unauthorized changes.<\/li>\n<li>Conduct a vulnerability assessment at least once every 15 calendar months.<\/li>\n<li>Perform an active vulnerability assessment in a test environment or an assessment in a production environment that models the baseline configuration of the BES Cyber System at least once every three years and document the results.<\/li>\n<li>Perform a vulnerability assessment of most new assets before adding them to the production environment.<\/li>\n<li>Document the results of all vulnerability assessments as well as all remediation action plans that are necessary to safeguard the assets.<\/li>\n<\/ol>\n<h2 class=\"navy\">Beyond the Industrial Sector<\/h2>\n<p>Change management isn\u2019t just essential to industrial supply chains. It\u2019s becoming increasingly relevant to entities in all sectors. This becomes truer every day as new data protection standards come into being. According to the <a href=\"https:\/\/unctad.org\/en\/Pages\/DTL\/STI_and_ICTs\/ICT4D-Legislation\/eCom-Data-Protection-Laws.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">United Nations Conference on Trade and Development<\/a>, 132 of 194 countries of the world have already put legislation in place that\u2019s designed to protect people\u2019s data and privacy. That number is likely to grow. Indeed, 67% of respondents to a SAS survey said that they think the U.S. 
government should be doing more to protect data privacy such as via federal legislation, reported <a href=\"https:\/\/www.prnewswire.com\/news-releases\/sas-survey-67-percent-of-us-consumers-think-government-should-do-more-to-protect-data-privacy-300761765.html\" target=\"_blank\" rel=\"noopener noreferrer\">PR Newswire<\/a>. It\u2019s these types of attitudes that support <a href=\"https:\/\/www.gartner.com\/smarterwithgartner\/gartner-predicts-for-the-future-of-privacy-2020\/\" target=\"_blank\" rel=\"noopener noreferrer\">Gartner\u2019s forecast<\/a> of modern privacy regulations covering 65% of the global population\u2019s personal information by 2023\u2014up from 10% today.<\/p>\n<p>Along the way, organizations will need to keep up with the latest standards, determine whether those regulations apply to them and work to maintain compliance. ITEGRITI can be a partner in helping organizations achieve compliance as well as align digital security design approaches with the risks in their networks. Learn more <a href=\"http:\/\/72.52.228.46\/~itegriti\/cybersecurity\/\">here<\/a>.[\/fusion_text][\/fusion_builder_column][\/fusion_builder_row][\/fusion_builder_container]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attacks against industrial control systems (ICS) are only getting worse with time. There are two key reasons for this. First, these attacks are becoming more numerous. Second, these attacks are becoming easier to launch. 
<\/p>\n","protected":false},"author":12,"featured_media":2035,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2179,13,2180],"tags":[1941],"_links":{"self":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/2030"}],"collection":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/comments?post=2030"}],"version-history":[{"count":4,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/2030\/revisions"}],"predecessor-version":[{"id":2032,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/2030\/revisions\/2032"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media\/2035"}],"wp:attachment":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media?parent=2030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/categories?post=2030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/tags?post=2030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}