Five Eyes Release Cyber Security Advisory

On 20th April 2022, the Five Eyes intelligence alliance released a Cyber Security advisory (CSA) on the impact of Russia’s invasion of Ukraine on the wider cyber world. Russian organisations have previously targeted Ukrainian critical national infrastructure with the infamous ‘NotPetya’ and ‘BlackEnergy’ attacks (more details from NCSC UK and CISA USA).

Cyber Vulnerabilities Everywhere: Spring4Shell

Just a few months after the Log4j Java library was discovered to have a vulnerability (called Log4Shell) that not only affected many software products but also reportedly affected several critical OT devices, a new vulnerability affecting Spring, Java’s most popular framework, has been discovered.

Operational Technology (OT) and the Log4Shell vulnerability

On the 24th November 2021, the Alibaba Cloud Security team privately notified Apache about a new vulnerability in a very popular Java programming language library called Log4j. The vulnerability became public knowledge on the 9th December 2021 and was officially published in CVE databases on the 11th & 12th December 2021.

Resiliency: Cyber & Net Zero

This post has been written by Awen Collective CEO & Founder, Daniel Lewis.

I've been thinking a lot about the concept of resiliency, and in particular cyber resiliency and ecological resiliency (by achieving net zero). Can we draw parallels? Can we learn from each other?

What is “cyber resiliency”?

Cyber resiliency, I would say, is ensuring that systems are prepared for a potential cyber attack. This includes thinking about:

  • What do you do if something goes wrong?

  • Do you have mitigations and contingencies to ensure continuous operations?

  • Do you have processes and resources in place to not only react but also be able to best learn from what might have gone wrong?

What is "ecological resiliency"?

There is a lot of talk at the time of writing about humanity's and the Earth's resiliency in regard to the impact of climate change. The goal is to achieve Net Zero (the balance of carbon produced and removed from the atmosphere), which in turn should reduce existential risk caused by human-driven climate change. So the resiliency aspect includes the societal changes required to work towards Net Zero.

Are there similarities? Could we learn from each other?

In order for any resiliency to be most effective it requires efforts from multiple directions:

  • People - ultimately, we are all in this together. Every single one of us needs to know that we (as individuals and as a society/community) are susceptible to cyber attacks, and to the impact of climate change. We therefore need to be doing our bit where we can: e.g. having good password hygiene, using two-factor/multi-factor, keeping our systems up to date, using antivirus, looking out for nefarious activity in the physical or cyber world, etc.; and recycling, reducing waste, choosing a renewable energy supply, reducing air travel, considering electric vehicles and public transport.

  • Technological advancements - doing realistic and effective R&D - getting both the quick wins (e.g. updating and upgrading protection such as antivirus or an intrusion detection system; increasing energy efficiency through hybrid energy sources), and the longer term plans (e.g. carbon scrubbing, developing new alternative energy sources).

  • Government response - the "carrot and stick approach" - but I would say that the "carrot" is going to be much more effective from a widespread perspective than the "stick" (in many situations) because we need governmental support to do realistic research, improve the current state of affairs, and work towards the best possible outcome with good and clear guidance. Subsidies and grants work best if they not only give instant relief, but are then coupled with short and long term hands-on support and guidance. This goes for both cyber security/resilience and Net Zero efforts.

  • Opportunities through standardisation - despite the complaints people have about complying with standards, and other complaints about compliance not being the end goal, having standardisation can be an opportunity. For example, if a tendering & procurement process for an organisation includes the requirement for (or even just favours) suppliers to have a particular standard, then that prompts the supplier market to do better. Standards need to evolve over time, and be feasible not only for large enterprises but for smaller ones too. Examples in cyber security include ISO 27001 and IEC 62443, and examples in the eco-friendly business world are many and varied - ISO have 14001, but there are sector and application specific standards such as LEED and Energy Star.

No doubt that there are other options too. These are just some thoughts about the parallels and what we might be able to do about the resilience of it all. If you have any thoughts on the subject, it would be great to hear from you.

On Friday 5th November 2021, in my capacity as the CEO and a founder of Awen Collective, I pitched Awen Collective (alongside other British and Brazilian businesses) at COP-26 as part of a Connected Places Catapult virtual event where I highlighted that cyber security is important to be included in smart city, industry 4.0 and Net Zero initiatives. Please do go download the Business Portfolio brochure of companies, including Awen Collective, from the CPC UK - Latin America Net Zero Solutions website. We are also now members of the Connected Places Catapult.

Awen Collective secures investment round led by Dutch Security TechFund

Caerphilly (Wales, UK)/ Naarden (NL), 4th March 2021 - Dutch Security TechFund, managed by TIIN Capital, has led the third investment round in Awen Collective Ltd. Other investors are SFC Capital and two strategic angel investors from the UK. It is the joint mission of Awen Collective and Dutch Security TechFund to make society safer. For Awen Collective this means creating software to increase the cyber resiliency of Critical National Infrastructure and Manufacturing. Dutch Security TechFund aims to support and invest in businesses which advance this mission.

Read the full press release in Dutch and English here [PDF]

Read the blog post on the TIIN Capital Website (in Dutch)
(TIIN Capital are the managers of the Dutch Security TechFund)

To summarise, the investors in this round are:

  • The Dutch Security TechFund (managed by TIIN Capital) - lead investor

  • SFC EIS Fund and the SFC BBI Fund (managed by SFC Capital) - follow-on funding from their 2019 SEIS investment in us!

  • Paul Dennis (an experienced executive from the industrial automation industry)

  • Paul Rix (an experienced process engineer from the industrial automation industry)

The press release also includes a quote from the Deputy British Ambassador to The Netherlands, Lucy Ferguson, and a quote from Philip Meijer of InnovationQuarter.

Awen Collective wishes to thank all the investors, the British Embassy in The Hague, InnovationQuarter, Lime Advisory and Acuity Law for all their help during this investment round and going forward.

Cyber doesn't go so swimmingly for Florida water company

What happened?

On Friday 5th February, a hacker tried to poison the water supply of Oldsmar, Florida, after gaining access to the water treatment control system. Through remote desktop software TeamViewer, the hacker took control of an employee’s computer at the water treatment plant and subsequently increased the amount of sodium hydroxide (lye) in the water to dangerous levels.

The consequences

The operator monitoring the system at the time of the cyber attack immediately noticed the increase of lye from 100 parts per million to 11,100 parts per million and reversed the change. This attack could otherwise have had very serious consequences for the population of Oldsmar. The treatment plant supplies water to around 15,000 residents as well as businesses in the area. Under normal circumstances, lye is a substance that is added to water to control the acidity. However, the substance is very corrosive, and can have serious health consequences if ingested. So thanks to the quick response of the keen-eyed operator at the treatment plant, the residents of Oldsmar really did have a lucky escape!

How it happened

At the time of writing, no arrests have been made. Authorities cannot publicly say whether the attacker accessed TeamViewer using a zero-day vulnerability or a known one. It is unknown where the breach even originated or how many people were behind the attack: whether the attacker or attackers operated within the state of Florida, or from across the world.

In the days following the intrusion, the treatment plant has uninstalled the software that enabled the hacker to gain access, and TeamViewer has asserted that there is no indication it was their platform that was compromised. It is suspected that the attacker took advantage of systems still using Windows 7, whose end-of-life date was early last year. This is plenty of time for vulnerabilities to be discovered, without any patches being officially released for them. Still, whether the intrusion was carried out due to a weakness in TeamViewer, stolen credentials, a Windows 7 zero-day, or a combination of these factors, we must consider what steps to take to ensure all of these potential exposures are managed and reinforced.

How to prevent the incident from happening again, or happening to you

What prevented this intrusion from becoming life-threatening was the watchful eye and quick action of the operator. If the attacker had gotten their hands on the proper credentials, it's possible that the attack could have been carried out in the middle of the night. The use of remote software was already common in industrial plants before lockdowns to monitor performance, but with so many professionals working from home these days, it's especially imperative to (just one more time today) inspect what technology you use to enable remote work. Are your organisation's VPN servers hardened? Is multi-factor authentication enabled where possible? Is it really necessary to utilise screen-monitoring capabilities where you’re doing so? Are you and your colleagues running the latest versions of your communication platforms? What about the devices on your physical site? Do you even know what remote-access software is running on your systems, right now?

Asking such questions and being thorough in finding the answers is absolutely worth the cost, as any organisation that has been hit will tell you. Preventing yourself from being the next target and appearing on the news for all the wrong reasons is less painful and cheaper than cleaning up the aftermath of an attack. Even then, it's not a one-time endeavour; no matter what sector you operate in, it is necessary to regularly perform audits, scan your network and hosts for any suspicious behaviour or vulnerabilities (provided that you know what would constitute suspicious vs. normal in the first place), and so on and so forth. And if it turns out you need to, say, uninstall some remote desktop software, your pre-incident preparation will likely involve another round of security auditing if you have a rigorous change management plan. This is no small task.

The Industrial Cyber Security Ecosystem

There is no silver bullet for the problems related to the cyber security of Operational Technology (OT). There are some great solutions out there, and some which could be better. There are some amazing service providers out there who truly specialise in industrial cyber security, and others who are striving to become better in this emerging field.

We have an opportunity here to increase not only awareness but knowledge and skill. Cyber security experts, in general, have traditionally focused on IT-based cyber security. OT engineers, in general, have traditionally focused more on human safety, and not really touched cyber security.

Awen exists to reduce cyber risk and increase cyber resilience within the industrial sectors, giving value to both traditional IT-based cyber experts who are turning their attention to OT, and to OT engineers who are becoming concerned about their cyber security. Our two software products, Profile and Dot, are both about increasing awareness. Profile increases awareness about industry-focused cyber security policies and procedures. Dot increases awareness about the landscape of OT assets, and can deduce the vulnerabilities of those assets. This, in turn, gives the organisation intelligence which is truly actionable. Both products are focused on the pre-incident space, and are useful in cyber risk assessments, cyber security audits, embedding security in the OT systems design and deployment stages, and more general OT change management. This is where our solutions fit in with the industrial cyber security ecosystem.

If this sounds great, and you would like to talk with us (guaranteed radical honesty, and no hard selling) then please contact us today.

This blog post was written by Awen industrial cyber software development specialists - Seren Corbett and Paige Pesigan.

What the UK Government is doing to protect our cities from future cyber threats

The UK National Cyber Security Centre (NCSC) have chosen Awen Collective for their Smart Cities innovation acceleration programme.

The UK National Cyber Security Centre (NCSC), which is part of the GCHQ intelligence and security organisation, announced on 2nd February 2021 that they have chosen three British businesses, including Awen Collective, to work on some of the toughest security problems within the Smart Cities domain as part of a two and a half month virtual programme.

WatchKeeper and the Cyber Defence Service are the two other businesses in the cohort. The programme is the 7th cohort in a series of NCSC Cyber Accelerators and is the first to have been dedicated to Smart Cities Security. The programme is in collaboration with Wayra, the innovation division of telecoms company Telefónica, and has partnerships with the Digital Catapult, Microsoft and others.

Cyber-attacks on energy, water, transportation, or manufacturing organisations are causing economic damage to these sectors and could cause significant disruption to society if the attack were large enough. It is the mission of Awen Collective to increase resilience and reduce the impact of cyber-attacks on society's critical infrastructures. Awen Collective does this by creating software to improve cyber security policies and procedures, and to enhance visibility in operational technology environments before attackers have opportunities.

Smart cities are a frequently discussed and increasingly popular concept. There are many flavours of smart city, but essentially, they involve taking advantage of digital technology for services such as traffic, electricity, heating, waste collection and other community services. The concept is popular and budgets for the implementation of such technology are increasing.

Smart city technology will bring efficiencies, cost savings, and better service to its end-users. However, the employment of smart city technology when it is overlaid on top of the legacy equipment found in the traditional infrastructure sectors has led to an increase in cyber vulnerabilities. Therefore, there is an increase in attention to industrial cyber security initiatives, products, and services by both the public and private sectors.

This cohort of the NCSC Accelerator is not the only initiative or programme that Awen Collective is involved in related to Smart Cities cyber security. Awen Collective was also announced in September 2020 by the UK Government Department for International Trade (DIT), as one of 30 British tech companies to be chosen as the first participants in their Tech Export Academy, which is a 9 month programme aimed at showcasing the best smart cities technologies across the Asia Pacific region. The CEO of Awen Collective, Daniel Lewis, was also announced by techUK (the British technology trade association) in November 2020 as being on the steering board of the techUK Smart City group.

As our civil society continues to move toward a more efficient and sustainable future powered by data in schemes such as Smart Cities and Industry 4.0, we are doing our best to look out for the security, safety and privacy of everyone.

If this article is of interest to you or your business, and you would like to discuss more about what we are doing at Awen Collective, including our products Profile and Dot, then please contact us today for a chat.

Awen Collective is Cyber Essentials Plus Certified

 
 

As of 26th January 2021 Awen Collective is officially Cyber Essentials Plus certified!

After completing the initial Cyber Essentials certification on 13th January 2021, the wonderful team at Wolfberry Cyber Security completed an audit of our systems to confirm we comply with the requirements of the Cyber Essentials Plus scheme. Wolfberry are an IASME Cyber Essentials Certification body.

We see the Cyber Essentials and Cyber Essentials Plus schemes as a vital stepping stone to help UK-based SMEs engage with their cyber security and ensure a reasonable level of thought and attention has been paid to their ongoing protection from cyber attack.

As a cyber security software supplier, we hold ourselves to the highest standards of internal cyber security, both as a company, and within the security-first principles we build our products under. Cyber Essentials Plus certification marks our first steps into officially recognising those efforts, but by no means will be the last. Our products have previously, and will continue to, undergo testing and validation using external partners to ensure their safety and security, and we look forward to being able to bring you news on further cyber security certifications in the future.

Awen Collective would certainly encourage all organisations to consider the Cyber Essentials and Cyber Essentials Plus schemes as a foundation of their cyber security efforts, and we’d like to extend our thanks to Wolfberry Cyber Security, IASME and the NCSC for their support of both Awen Collective and the provision of this scheme.

Those in one of the UK Critical National Infrastructure (CNI) sectors, or servicing the CNI sectors, should not only look at Cyber Essentials but should consider the NCSC Cyber Assessment Framework (CAF) which is made much simpler to check and monitor using the Profile software system by Awen Collective.