The recent FrostyGoop incident is a stark reminder of a well-known industry reality: Attackers will strike wherever their attacks can succeed. When faced with sufficient barriers to entry, they simply move on to other targets, finding victims elsewhere.
FrostyGoop, which uses Modbus TCP communications to target operational technology (OT), was observed in April attacking an energy company in Lviv, Ukraine, resulting in a two-day loss of heating to customers. It is an example of the growing threat municipal networks face as state-sponsored hackers target critical infrastructure amid escalating geopolitical tensions.
While achieving 100% security is an impossible task, organizations can strive to reach a level of security that effectively exhausts their attacker’s resources to force them to give up on the attack or move on to another target. This requires a trifecta of factors: the commitment of executive leadership, the skills and expertise of the project team and an adequate budget of time and money to implement measures promptly.
Importance of strategic investment
All organizations, regardless of size, must prioritize capital expenditures and investments. This decision-making process can range from irresponsible to over-engineered solutions. To achieve a reasonable balance, a well-informed risk assessment and clear articulation are essential to ensure that financial resources are allocated confidently. There’s no shortage of frameworks for this specific area in industrial-controlled systems (ICS). For instance, the SANS Institute offers a freely available guide that outlines the five critical controls for ICS/OT cybersecurity, enabling even non-security executives to hold their teams accountable and meet baseline standards. These standards can vary from low-cost, internal delivery that maximizes the use of existing licensed hardware and software solutions to higher-cost, external cyber consulting projects that apply best-in-class practices.
Enhancing defensible architecture
One of the key areas to focus on from the SANS’s five critical controls is establishing a defensible architecture. This can be defined as an architecture that reduces as much of the agreed-upon risk as possible through system design and implementation. It’s also critical that this framework simplifies the efforts of human defenders, as SANS points out “it is the human element that allows a defensible architecture to become a defended architecture.”
Common attributes of a defensible architecture can include achieving accurate visibility over your most critical assets, segmenting your environment where possible, only enabling bi-directional communication when required, collecting network traffic and logs from valuable systems and the ability to implement a defensible cyber position. These elements are essential for preventing attackers from gaining and maintaining access to critical systems.
Securing remote access
Another critical area is secure remote access. Traditional operational technology (OT) networks used to be completely air-gapped, not connected to the internet at all. However, with the rise of remote work following the COVID-19 pandemic, paired with the increasing need for efficiency, remote access has become the new normal for many organizations. This connectivity, while convenient, introduces significant risks if not managed properly.
Organizations must ensure that remote access is secure, using strong authentication methods like multifactor authentication (MFA.) Access should be granted on a least-privilege basis, meaning users only have access to the resources necessary for their role. Implementing Virtual Private Networks (VPNs) and monitoring remote sessions for unusual activity can further enhance security. Additionally, establishing clear policies and procedures for remote access helps ensure that all users adhere to best practices and that any potential security incidents are promptly addressed.
The ripple effect of a single breach
It’s also important to recognize that once an attacker has successfully gained a foothold, their natural reach extends to other organizations connected by various commonalities:
- Other organizations that have deployed the same weak technologies, such as unpatched Microtik routers, that facilitated the initial point of entry.
- Organizations with similarly vulnerable architectures, allowing attackers to find alternate methods to plant a web shell.
- Vendors in the same vertical, leading attackers to exhaust the entire supply chain.
- Sites under the same government purview, such as municipal water supplies, other utilities like natural gas and administrative offices.
The human element: Talent and culture
Healthy discussions between adversary simulators and defenders often highlight a common plea for either talent or budget. When talent is abundant, solutions typically follow a more logical and practical trajectory. However, in the absence of sufficient talent, decision-makers frequently turn to the most compelling sales pitch for a net-new cybersecurity solution.
To advance as an industry, we should also strive to make being a defender a more attractive proposition than being a simulated adversary. Social media often celebrates red teams in a more dramatic fashion compared to the blue teams that successfully defend. This is partly because proper defenders don’t always know what has been prevented, whereas a successful red team breach is clear and obvious, making it more likely to be highlighted. By fostering a culture that values and supports defenders, we can ensure that organizations remain vigilant and prepared against evolving threats.
Building a resilient cybersecurity posture
In the words of Bruce Schneier, “attacks never get weaker, they only ever get stronger.” Our security posture must be such that all past attacks would be mitigated, and then some. Posture of protection must exceed the capabilities of the attacker. This doesn’t mean an unlimited budget, but a strategic investment in good security return by applying the right technology properly - for a reasonable budget.
The FrostyGoop incident is a call to action for municipal leaders and cybersecurity professionals alike. By prioritizing strategic investment, enhancing defensible architecture, securing remote access and valuing the human element in cybersecurity, organizations can build a resilient posture against evolving threats. Now is the time to recognize the critical role of defenders and support them in keeping our infrastructure secure.
