Black Hat USA: No Excuses for Cyberattacks to Catch Critical Infrastructure Off Guard

Critical infrastructure remains just as vulnerable as it was years ago.

Edward Gately, Senior News Editor

August 12, 2022

7 Min Read
Kim Zetter at Black Hat

BLACK HAT USA — Cyberattacks on critical infrastructure should come as no surprise. And those being targeted by malicious hackers have been getting warnings for many years.

That’s according to investigative journalist Kim Zetter (pictured above), keynote speaker Thursday at Black Hat USA 2022 in Las Vegas. Zetter has covered cybersecurity and national security since 1999. She has broken numerous stories over the years about NSA surveillance, WikiLeaks and the hacker underground. In addition, she wrote an award-winning series about the security problems with electronic voting machines.

The Colonial Pipeline ransomware attack was foreseeable, she said. The same is true of the growing threat of ransomware and the problems created by security issues with voting systems.

Zetter started her keynote with a story. She investigated a man claiming to be working undercover for the FBI inside an underground cyber crime organization.

“All of it could easily be a tale from last year or last month,” she said. “Cybercriminals still operate the same. The main difference is they’ve had more than a decade to perfect operations and become more professional. They now have salaried employees and even give paid vacations.”

Ransomware isn’t new, Zetter said. What’s new is the size of ransoms, which now reach $5 million or more. In addition, they’re now targeting critical infrastructure instead of individuals.

Stuxnet Signaled Shift in Cybercrime

A big shift occurred in 2010 with the discovery of Stuxnet, Zetter said. Stuxnet is a computer worm originally aimed at Iran’s nuclear facilities, but has since mutated and spread to other industrial and energy-producing facilities. The original Stuxnet malware attack targeted the programmable logic controllers (PLCs) that automate machine processes. It generated media attention after it was discovered in 2010 because it was the first known virus to be capable of crippling hardware. In addition, it appeared to have been created by the NSA, the CIA and Israeli intelligence.

Zetter said Stuxnet is seen as a demarcation in what happened in cybersecurity. There have been a lot of advancements since 2010, “but everyone still seems surprised when hackers pivot” to new methodologies, she said.

Stuxnet, in addition to introducing the world to cyberwarfare, brought about four major changes:

  • The trickle down effect of techniques and tools to underground.

  • It launched the cyber arms race among nations.

  • Furthermore, it heralded the militarization of cyber.

  • It introduced the politicization of security research and defense.

In terms of prior warnings about cyber risk, the electricity sector did heed the warnings and over time did become more secure, Zetter said. But a lot of infrastructure organizations ignored the warnings.

The year before Colonial Pipeline, Temple University released a study showing increasing ransomware attacks on critical infrastructure, she said. The attacks weren’t just on hospitals, but also oil and gas.

There were other warnings from Mandiant and the U.S. Department of Homeland Security (DHS).

In 2018, an audit of Colonial Pipeline’s system found deficient information management practices, Zetter said.

“[Colonial Pipeline CEO] Joe Blount said they had good data backups, and yet they paid the ransom,” she said.

Colonial Pipeline is just one example of infrastructure failing to heed warnings and subsequently becoming victims, Zetter said.

Critical infrastructure remains just as vulnerable today, she said. A big problem is the lack of multifactor authentication (MFA). A recent Trellix study shows 75% of oil and gas companies don’t have MFA.

A more recent, worrisome development is the emergence of a “cyber army” after Russia invaded Ukraine, Zetter said. The IT army has claimed several victims, including Mvideo, a large Russian consumer electronics chain; Asna, a network of more than 10,000 pharmacies in Russia; and EGAIS, the Russian government’s unified state automated alcohol accounting information system.

“It may be hard to rein in the IT army after this,” Zetter said. “It could easily shift to other governments or in response to a cultural insult.”

SentinelOne, Armis Integration

Also during Black Hat, SentinelOne unveiled a new integration with Armis. The collaboration helps protect organizations from modern threats and provides unified visibility across endpoints, cloud, mobile, IoT, operational technology (OT) devices and …

… more.

SentinelOne and Armis jointly deliver three solutions:

  • A SentinelOne Singularity extended detection and response (XDR) app for Armis.

  • Armis integration for SentinelOne Singularity XDR.

  • SentinelOne Singularity Ranger app for Armis.

Nadir Izrael is Armis’ CTO. He said Armis partners will benefit from the integration.

Izrael-Nadir_Armis-2022.jpg

Armis’ Nadir Izrael

“The whole idea is to provide something new for partners,” he said. “I think up until now, XDR was very vague and not well defined. The only thing people knew it as was, ‘OK, there are a bunch of partners and vendors that are kind of working together to accomplish something,’ but not really much more than that. I think the change here is that partners know that now there are two tools that not just integrate with each other, but tightly couple with each other and provide a much better solution for their clients, and the knowledge that two very powerful companies are coming together to provide that solution for them. So partners have a wonderful, new set of capabilities to sell that come from this merge of capabilities between Armis and SentinelOne.”

And more will come from this integration, Izrael said.

“The more we progress, the more we’ll be about enriching each other’s data in interesting and innovative ways,” he said. “There are a lot of things where I think the data that exists within SentinelOne, and Armis is kind of a one-plus-one equals three, so we are going to be evolving that solution, and bringing more and more insight into that.

Dynatrace Unleashes Expanded Cloud Security

Also at Black Hat, Dynatrace announced it has extended its Application Security Module to detect and protect against vulnerabilities in runtime environments. That includes the Java Virtual Machine (JVM), Node.js runtime and .NET CLR.

In addition, Dynatrace has extended its support to applications running in Go, one of the fastest-growing programming languages, with adoption increasing by 23% last year.

With these enhancements, the Dynatrace platform provides real-time visibility and vulnerability analytics across the entire application stack. That includes custom code, open-source and third-party libraries, language runtimes, container runtimes and container orchestrators.

Amit Shah is Dynatrace‘s director of product marketing.

Shah-Amit_Dynatrace-2022.jpg

Dynatrace’s Amit Shah

“What makes this interesting and powerful is that it’s in the context of the entire application stack,” he said. “So now your security teams, your SecOps teams have one place to go to in order to be able to find where vulnerabilities are. It gives you a good sense of how critical it is to actually fix it. Is it something you need to take care of right now or is it something where you can wait a little bit and prioritize accordingly? Having that one view really helps coordinate better with your ops team and your dev teams.”

From a partner perspective, it makes it easier for them to provide security services to their customers, Shah said.

“If you’re looking at your your reseller type partners, this just enhances the type of value that they can add to customers by extending the language runtime support,” he said. “A lot of their customers, especially in larger companies, are starting to adopt the Go language so this would really help them there. Enterprise environments are incredibly complex and there’s generally a proliferation of runtimes, Even within an application, you can have parts of an application that are in Java 8 and part are in Java 12. Within any customer’s environment, there’s generally a lot of different runtimes. So this just makes it easier for them to be able to find the vulnerabilities wherever they might be.

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with them on LinkedIn.

Read more about:

MSPsVARs/SIs

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like