Cyberattacks and data breaches continue to drive the headlines in 2021 – and there are few signs that cyber adversaries are retrenching. The looming threat of ransomware has forced organizations not only to evaluate their entire cybersecurity programs, budgets, and roadmaps, but also to critically evaluate their Identity and Access Management (IAM) and Privileged Access Management (PAM) solutions. PAM controls are a fundamental part of active cyber defense, as these solutions ensure continuous visibility into, and management of, the highly privileged administrator accounts that constitute an organization’s “keys to the kingdom.” The recently disclosed cyber attack at the Port of Houston is a refreshing success story that underscores how PAM controls can help prevent and mitigate a business-crippling data breach.
Critical Infrastructure at Risk
Critical infrastructure is not a subject often considered by the average American. However, it is, as the name would suggest, integral to our daily lives and wellbeing. As described by the United States Cybersecurity & Infrastructure Security Agency (CISA), the term critical infrastructure is “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The Nation’s critical infrastructure provides the essential services that underpin American society.” It is no surprise then that the supply chain industry is a popular target with cybercriminals. Cyber-attacks that breach critical infrastructure and cause massive damage are increasingly becoming a staple of the evening news. This torrent of bad news can easily lead to despondency and the false assumption that nothing can be done to prevent such attacks. We don’t often hear about successful cybersecurity defenses, as they make for uninteresting news stories and attract only a small audience. However, cybersecurity success stories do exist, and as cybersecurity professionals, it is our task to heed the lessons of these victories along with the failures. One such recent example is the attempted attack on the Port of Houston.
Supply Chain Disruption
The Port of Houston attack is only one of many recent supply chain cyber-attacks. In fact, the Identity Theft Resource Center (ITRC) reported that “supply chain attacks rose 42% in the first quarter of 2021 in the US, impacting up to seven million people.” Supply chain disruption is a common casualty of cyber-crime, causing incalculable damage to systems, infrastructure, businesses, and individuals. The Colonial Pipeline attack offers a clear example: not only did it affect the company’s revenue and reputation, it had a disastrous domino effect on gas stations, airlines, the military, and even the average consumer. As emphasized by CNET, the breach not only “caused a major blow to the gasoline industry in the southern and eastern parts of the United States, but it also showed how vulnerable the US energy grid is to more attacks in the future.” Regardless of this attacker’s intentions (financial, most likely), we can surmise that prospective attackers will take this instance and others as encouragement to enter, or continue participating in, the potent cyber-crime industry.
The Role of Cybersecurity in Protecting the Supply Chain
Yes, cyber-crime is its own industry, and it’s a very lucrative one at that. According to the FBI Internet Crime Complaint Center (IC3), 791,790 complaints were reported in 2020 alone, amounting to an estimated $4.2 billion. This also means that cybercriminals are business people, and they want to get the best ROI for their time. You can’t render your organization perfectly protected, but these hackers aren’t magical monsters. They are business people looking for the maximum return for minimal effort. If you take steps, even the most basic, to make your organization difficult to compromise, they will move on to another target. Throughout the supply chain cycle, data is now almost exclusively digital, and it only takes the weakest link to disrupt the entire chain. But, if more organizations get on board with cybersecurity, it could potentially change the basic economics of the cyber-crime industry and discourage people from getting involved.
What happened at the Port of Houston?
Before diving into the details of the breach, it’s necessary to understand the assets at stake and the degree of damage that could have been inflicted. To start, according to an internal 2019 report from the Port of Houston, it was responsible for about $74.3 billion of total personal wages and salaries supported by maritime activity at the public and private terminals located at the Port of Houston. It also supported 1,350,695 direct, induced, indirect, and related jobs in the state of Texas and 3,208,809 throughout the US. The Port is the second largest in the country in terms of overall tonnage and is the largest receiver of foreign trade. It is “an economic engine for the Houston area, Harris County, and the State of Texas.” Each year, over 250 million tons of cargo pass through it, generating an economic value of $300 billion. A successful attack could have forced the Port to shut down operations for days, or even weeks, causing massive pileups in supply chains already stretched thin by the COVID-19 pandemic. Initially, the attack seemed successful, taking advantage of a zero-day vulnerability in the Port’s self-service Single Sign-On (SSO) product. But prompt detection of unusual activity by the Port’s automated systems, and activation of an existing incident management plan, allowed the compromised network to be isolated within 90 minutes of the initial breach.
The Role of Privileged Account Management
The Port of Houston’s 90-minute response and mitigation time is a significant improvement over the 280 days that IBM reports as the average time to identify and contain a breach. The Port’s systems and operational data were protected by a preventive security measure already in place: password management. Modern privileged account management (PAM) systems do much more than act as simple vaults for secrets such as passwords. They also log all authentication activity and watch for anomalous patterns in user and system activity. PAM controls are also an embedded part of all industry-recognized cybersecurity frameworks, including the NIST CSF. The Houston attack, which officials suspect involved a foreign government, was contained thanks to the organization’s privileged account management solution. Though media coverage would have you believe otherwise, having even a rudimentary cybersecurity plan can be the difference between a successful attack and an unsuccessful one. This is not to imply that the Port of Houston has a “basic” cybersecurity plan, but the measures that saved its infrastructure in this instance are measures that an organization of any size and any budget can and should implement. At first, the attackers were able to obtain user-level permissions through the vulnerability they exploited. But when they tried to use that access to move laterally and elevate their privileges from User to Administrator, they were detected by the Port’s PAM solution and shut out.
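The user-to-Administrator elevation the Port’s PAM solution caught is, at its core, a policy check over the authentication and credential-checkout events such a system logs. The following is an added example (not the Port’s tooling or any vendor’s product) that runs that check over constructed audit lines; the event format, account names, and entitlement table are all assumptions made for illustration.

```python
from collections import namedtuple

# One PAM audit event: timestamp, session id, account, action, detail.
Event = namedtuple("Event", "ts session account action detail")

# Constructed sample audit lines (illustrative only, not real Port logs).
# Session s2 authenticates at user level, then reaches for an admin credential.
SAMPLE_EVENTS = [
    "2021-08-19T10:00:01Z s1 jdoe AUTH_OK user",
    "2021-08-19T10:00:05Z s1 jdoe CHECKOUT svc-backup",
    "2021-08-19T10:03:10Z s2 portal-svc AUTH_OK user",
    "2021-08-19T10:04:40Z s2 portal-svc CHECKOUT domain-admin",
    "2021-08-19T10:05:00Z s2 portal-svc ELEVATE Administrator",
    "2021-08-19T10:10:00Z s3 opsadmin AUTH_OK admin",
    "2021-08-19T10:10:30Z s3 opsadmin CHECKOUT domain-admin",
]

# Assumed entitlement table: which privileged credentials each account may check out.
ENTITLEMENTS = {"jdoe": {"svc-backup"}, "opsadmin": {"domain-admin"}}


def parse_event(line):
    """Split one audit line into an Event (exactly five space-separated fields)."""
    return Event(*line.split(maxsplit=4))


def detect_elevation(lines, entitlements):
    """Return (session, account, reason) for every policy violation found."""
    session_level = {}  # session id -> level granted at authentication
    alerts = []
    for ev in map(parse_event, lines):
        if ev.action == "AUTH_OK":
            session_level[ev.session] = ev.detail
        elif ev.action == "CHECKOUT":
            # Checkout of a credential the account is not entitled to.
            if ev.detail not in entitlements.get(ev.account, set()):
                alerts.append((ev.session, ev.account, f"unentitled checkout of {ev.detail}"))
        elif ev.action == "ELEVATE":
            # Elevation requested from a session that never authenticated as admin.
            level = session_level.get(ev.session, "unknown")
            if level != "admin":
                alerts.append((ev.session, ev.account, f"elevation to {ev.detail} from a {level} session"))
    return alerts


def sessions_to_isolate(alerts):
    """Distinct sessions an incident plan would cut off, sorted for stable output."""
    return sorted({session for session, _, _ in alerts})


if __name__ == "__main__":
    for alert in detect_elevation(SAMPLE_EVENTS, ENTITLEMENTS):
        print(alert)
```

Only session s2 trips both rules; s1 and s3 stay within their entitlements and authenticated levels, so they produce no alerts.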
The events at the Port of Houston give us a straightforward example of why cybersecurity measures are paramount – just because it’s not complicated doesn’t mean it’s ineffective, and outsmarting the hackers is more attainable than we think. One of the first steps to a successful cybersecurity strategy should include assessing and identifying your vulnerabilities, then putting measures in place to execute your appropriate mitigation strategies. Firewalls, endpoint detection and response (EDR), and privileged account management (PAM) are all effective starting points, and the latter measure is what saved the Port of Houston from a devastating outcome. For companies that shy away from investing in cybersecurity, deploying an effective PAM solution is an achievable goal that can save them immeasurable amounts of money, time, and energy.