In a report issued Thursday, Port Houston disclosed that “The Port of Houston Authority (Port Houston) successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.”
The report follows on a joint release (AA21-259A) last week by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and U.S. Coast Guard Cyber Command warning of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus.
U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly disclosed Thursday, during a Senate Homeland Security and Governmental Affairs Committee hearing, that the Houston Port was targeted through this vulnerability. Experts with Shared Assessments, Security Gate, Hay Stack Solutions and Gurucul offer thoughts.
Speed is sometimes touted as the only real metric for cybersecurity and it certainly paid off in this instance. When safeguarding critical infrastructure, detection capability is paramount – when security teams spot unusual activity quickly on networks, they can unravel the operation of a potential threat actor. The average mean time for detecting a breach can be up to one year, so the Houston Port security isolating the computer network within hours is most certainly a win.
What’s more, the Port of Houston was transparent about the attack, indicating a wider culture shift away from one that prioritizes security through obscurity. Transparency and collaboration will support critical infrastructure to best prepare and protect against nation state actors.
This breach demonstrates the urgent need to speed up the maritime cybersecurity plan, which has set a goal of "closing maritime cybersecurity gaps and vulnerabilities over the next five years." This goal can be greatly enhanced through collaboration with the ethical hacking community, who can provide continuous security testing, finding, and reporting vulnerabilities before an intruder can access and shut down critical systems.
As we’ve learned in recent months with Colonial Pipeline and Pinellas County Water Treatment facility, critical infrastructure is extremely susceptible to ransomware attacks. And with the increased interest in logistics, it’s not surprising that attackers are targeting seaports. Although the Port of Houston was using strong passwords through ManageEngine’s password vault, the hackers were still able to exploit a flaw, further validating that attackers continue to out-sophisticate security best practice solutions. If an attacker can decrypt the keys to get into the vault, then they can easily take command and control of systems.
Defensive security practices (including password vaulting) will again be a new focus point for exploitation by attackers. In May, the Biden Administration’s cybersecurity EO emphasized infrastructure protections and is evaluating several different proposals around what software companies are obligated to disclose about their software vulnerabilities. Digital transformation, the increasing shift to cloud (especially post-COVID), is an exciting time for businesses, but the underlying cyber risk doesn’t go away just by using a SaaS provider. Take extra care in evaluating new service offerings and look towards a risk management framework in identifying, classifying and mitigating these new risks to your organization.
While it’s positive the Port of Houston cyberattack did not disrupt operations, the fact that foreign adversaries were able to obtain legitimate credentials for the systems belonging to one of the largest ports on the U.S. Gulf Coast is concerning. More details on how the intrusion happened will likely be revealed in the coming days, but for now, it’s worth underlining how to minimize the risk and impacts of credential theft.
Critical infrastructure organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It’s vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible is a vital defence where user credentials find their way into the hands of adversaries. This will help to limit the blast radius, and in most cases, defeat the data breach.
Even if all procedures and policies are well-executed, there’s no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment to enable surveillance, often using everyday business documents which we all use. It’s vital that ports like this, and all organisations, invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work and the business to function.
Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers, it is crucial to strengthen all processes relating to access verification. Without a zero-trust approach, organisations run the risk of attackers having free rein across a network once they are inside.
There are rarely publicized success stories in cybersecurity; usually we hear about damaging breaches. So this story that the Port of Houston has successfully fended off an attack is encouraging to hear. The attackers attempted to make use of a new vulnerability in ManageEngine ADSelfService Plus, a password management service, to enter the network.
Infrastructure such as port operations are fertile ground for ransomware-style attacks, due to both their critical nature and often their relatively poor security practices. Ports, utilities, airports, and other types of infrastructure should have comprehensive security systems coupled with active monitoring of endpoints, IoT devices, servers, network, and individual systems so that early detection and remediation become the norm, rather than the exception.
This successful defense is a stark reminder that organizations and agencies alike are under constant threat from bad actors, including nation-states. Also, remnants from SolarWinds still can pose a threat, even after all this time. It takes a strong cyber team to battle these kinds of threats. We need to make sure to continue our investment in cybersecurity. The profession needs to grow at a strong rate and remain robust as future battles like this will continue to be digital.