The Port of San Diego issued a statement on Wednesday claiming to have experienced a “serious” cyber-attack.
In the follow-up statement released yesterday, the port claimed that IT systems belonging to the Port of San Diego were infected with a piece of ransomware. Some of the port's systems were compromised as a result of the attack and others were shut down as a precautionary measure.
The port claims it was mainly an administrative issue and no port operations have been impacted by the attack. Park permits, public record requests, and business services are the only public services temporarily unavailable.
A ransom demand was received and payment was requested in the form of Bitcoin, but the amount and whether the ransom was paid were not disclosed.
The Port of Barcelona was also hit by ransomware earlier this month, but it's unclear if the attacks are related in any way. Similar to the Port of San Diego attack, the Port of Barcelona claimed only internal systems were impacted by the attack and that there was no impact on land or seaside operations.
Without continuous monitoring and patch management, systems will continue to be vulnerable and susceptible to attack. Organizations must embrace closed-loop intelligent change control to gain deep visibility into system configurations and spot any unusual activity that could represent a breach.
Attacks on industrial control systems pose an ever-larger threat because these systems run extremely critical services across the U.S., with the potential to impact the electric grid, water systems, and manufacturing plants.
For organizations looking to secure these systems, we suggest abiding by the NERC CIP Compliance standard or implementing the CIS Controls to reduce your attack surface.
How NNT Interacts with the NERC CIP Compliance Standard
Cyber Security — Critical Cyber Asset Identification: Purpose: NERC Standards CIP-002-3 through CIP-009-3 provide a cybersecurity framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. These standards recognize the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed.
Automated Network Discovery is provided to identify any Cyber Assets using a routable protocol. Any devices discovered will then be more deeply interrogated to establish other identification attributes. For Change Tracker Gen 7, a full System Information and Configuration Audit can then be automated.
Cyber Security — Security Management Controls: Purpose: To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
Pre-built Hardened Build-Standard documentation, with continuous automated auditing for compliance, is provided; these standards can be adopted and then tailored by the "Responsible Entities."
Cyber Security — Personnel & Training: Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness. Standard CIP-004-3 should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
All user and system activity will be tracked and audit trails provided to ensure access is in line with authorized privilege. Any new accounts or increased privilege will also be reported for review and approval.
When access privilege is revoked, this will also be audited and reported for review.
Cyber Security — Electronic Security Perimeter(s): Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
Use NNT Change Tracker to apply a configuration baseline – NNT is a Certified Vendor for CIS Benchmark Checklists and an Official OVAL Adopter, ensuring the most secure and effective configuration settings are used for firewalls.
Apply File Integrity Monitoring to firewall rules and other security configuration settings for tight change management, plus collect logs from firewalls to detect security incidents in advance of any breach.
Cyber Security — Physical Security of Critical Cyber Asset(s): Standard CIP-006-3 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. Standard CIP-006-3 should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
Physical access controls can be audited using automated audit trails and correlation rules. Configuration assessment and change control is automated using Change Tracker.
Note: Any systems used to operate physical access controls will also need configuration hardening, change control and breach detection/anti-tampering measures to be enforced for the cyber elements.
Cyber Security — Systems Security Management: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeter(s). Standard CIP-007-3 should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
Built-in reports identify all open ports and whether the use of these is approved. Any other open ports will be highlighted for mitigation. Similarly, all services and daemons can be audited and validated for compliance with the approved hardened build standard.
NNT is a Certified Vendor for CIS Benchmark hardening checklists, providing a full assessment of all configuration settings and identifying any vulnerabilities. NNT also provides real-time breach detection, vital for the detection of any Stuxnet-style APT attacks.
CIP-008-3: Cyber Security — Incident Reporting and Response Planning:
CIP-008-3 R1.1-R1.6, R2
Cyber Security — Incident Reporting and Response Planning: Standard CIP-008-3 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Standard CIP-008-3 should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
In the first instance, any incident is alerted and reviewed automatically against expected, planned changes using NNT Closed-Loop Intelligent Change Control. Any Unplanned Changes are reported as potential security incidents, and an investigation and review process is provided within Change Tracker, augmented with log data from Log Tracker.
By providing forensic-detailed audit trails of all system and user activity, security incident investigation is straightforward (all audit trails are retained for a 12 month period in line with NERC CIP Version 5 requirements).
CIP-009-3: Cyber Security — Recovery Plans for Critical Cyber Assets:
CIP-009-3 R4
Cyber Security - Recovery Plans for Critical Cyber Assets: Standard CIP-009-3 ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices. Standard CIP-009-3 should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
Configuration settings are recorded after every change that is made. Change Tracker built-in workflow requires all changes to be assigned to a Planned Change with documentation providing a full audit trail to be used when restoring systems to an earlier state.
Compliance Reports provide a long-form version of the Initial Configured Baseline for all systems. A full backup with incremental change history is provided for any text-based config file, including firewall appliances and other network devices.
CIP-010-3: Cyber Security — Configuration Change Management and Vulnerability Assessments:
CIP-010-3 R1.1-R1.5.2, R2.1, R3.1-R3.4, R4
Cyber Security - Configuration Change Management and Vulnerability Assessments: To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES). Key requirement is to develop a baseline configuration, individually or by group, which shall include the following items: 1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists; 1.1.2. Any commercially available or open-source application software (including version) intentionally installed; 1.1.3. Any custom software installed; 1.1.4. Any logical network accessible ports; and 1.1.5. Any security patches applied.
Change Tracker provides a comprehensive solution to address CIP-010-3. Initial vulnerability assessments are performed using Certified CIS Benchmark hardening checklists, and these can be tailored to match exactly the required hardened build standard for BES Cyber Systems. Any other source of automated compliance content such as OVAL or SCAP can also be used. This encompasses CIP-005 and CIP-007 Requirements.
Once systems are in a hardened compliant state, all changes are tracked and assessed automatically against Approved Planned Changes. Any changes identified as 'Known Approved' are reconciled with the Planned Change documentation.
Changes that 'deviate from the existing baseline' can be reviewed and retrospectively assigned to a Planned Change with rationale documentation. The Planned Change can then be applied to all change history for other BES Systems, effectively updating the baseline configuration automatically.
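The CIP-010 R1.1 baseline and the planned-versus-unplanned reconciliation described above, as an added example that is not NNT's code: the five baseline items are held per system, a later snapshot is diffed against them, each delta is matched to an approved Planned Change record, and planned deltas are folded back into the baseline. The host, software, ports, patch identifiers and Planned Change records are all constructed sample data.

```python
# Added example (not NNT's code): build a CIP-010 R1.1-style configuration
# baseline and reconcile later snapshots against it. All data is constructed.
from dataclasses import dataclass

# The five baseline items named in CIP-010 R1.1.1 to R1.1.5.
BASELINE_ITEMS = ("os", "installed_software", "custom_software", "open_ports", "patches")

# Constructed baseline for one hypothetical BES Cyber System ("hmi-01").
BASELINE = {
    "os": {"Windows Server 2016 (10.0.14393)"},
    "installed_software": {"openssl 1.1.1", "7-zip 18.05"},
    "custom_software": {"hmi-gateway 2.3"},
    "open_ports": {"tcp/443", "tcp/3389"},
    "patches": {"KB-EXAMPLE-001"},
}

# Constructed later snapshot: one approved patch plus one unexpected listener.
SNAPSHOT = {item: set(values) for item, values in BASELINE.items()}
SNAPSHOT["patches"].add("KB-EXAMPLE-002")
SNAPSHOT["open_ports"].add("tcp/4444")

# Approved Planned Change records as (item, kind, value) tuples (constructed).
PLANNED = {("patches", "added", "KB-EXAMPLE-002")}

@dataclass(frozen=True)
class Deviation:
    item: str      # which R1.1 baseline item changed
    kind: str      # "added" or "removed"
    value: str
    planned: bool  # True when reconciled against a Planned Change

def reconcile(baseline, snapshot, planned):
    """Diff snapshot against baseline per item; mark each delta planned or not."""
    found = []
    for item in BASELINE_ITEMS:
        before, after = baseline.get(item, set()), snapshot.get(item, set())
        for kind, values in (("added", after - before), ("removed", before - after)):
            for value in sorted(values):
                found.append(Deviation(item, kind, value, (item, kind, value) in planned))
    return found

def unplanned(deviations):
    """Unplanned deviations are the ones to report as potential security incidents."""
    return [d for d in deviations if not d.planned]

def apply_planned(baseline, deviations):
    """Fold planned deviations into the baseline so the approved state moves forward."""
    updated = {item: set(values) for item, values in baseline.items()}
    for d in (d for d in deviations if d.planned):
        (updated[d.item].add if d.kind == "added" else updated[d.item].discard)(d.value)
    return updated
```

Running `unplanned(reconcile(BASELINE, SNAPSHOT, PLANNED))` leaves only the tcp/4444 listener, which is the item that would be raised for investigation; the approved patch is absorbed into the new baseline by `apply_planned`.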
CIP-011-1: Cyber Security — Information Protection:
CIP-011-1 R1
Cyber Security - Information Protection: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
Secure configuration standards can be assessed and records produced using NNT Change Tracker for BES Cyber System Information, including storage, transit, and use.
The Most Powerful & Reliable Cybersecurity Products
Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.
Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real time with NNT FAST™ (File Approved-Safe Technology).
Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.
Log Tracker: Comprehensive and easy-to-use security information & event log management with intelligent, self-learning correlation technology to highlight potentially harmful activity in seconds.