AI’s Growing Role in Controlling Devices:

As AI starts entering more workplaces, it is crucial to recognize that AI will become more interconnected with hardware devices in your organization. You might want AI to control room lighting and air conditioning to make it voice-controlled or adapt to the changing activities in the room. AI can also control massive machinery, including robots and high-powered lasers for cutting steel. We’ll all be surprised at how many real-world tangible controls AI can assist. For AI to control devices, computers must drive the machines. Threat actors could exploit weaknesses to disrupt companies, damage equipment, cause expensive delays, and worse.

Machines Driven by Computers, Including Those Running AI and Traditional Computer Control Systems, Introduce a Security Threat:

As AI becomes integral to your operations, remember: Everything from climate control and identity detection to robots and laser cutters hinges on computer systems. AI’s potential is vast, and its growing adoption means more devices linked to our networks.

However, this surge in AI adoption produces an often-overlooked danger that all organizations with industrial controls must consider. The computer systems hosting your AI and traditional solutions can become obsolete faster than the devices they control. Neglecting to update operating systems and using other security controls exposes your organization to cybersecurity threats. While devices might seem to run smoothly, the escalating sophistication of cyber attackers can’t be underestimated.

Executives: Unchain Your IT Pros from the Security Limitations:

Is your IT Team prohibited from applying critical cybersecurity updates to operating systems or upgrading to supported operating systems on workstations that control instruments, lasers, robots, and other machinery? If they are, those workstations pose a security threat to your organization.

Executives must understand that using workstations with old operating systems or without the most recent critical security updates is a significant security risk. In some cases, executives must ask the IT Team if they have encountered this situation. Sometimes, executives are inclined to delegate decision-making to the IT Pros. Instead, the IT team must alert the executives of the pros, cons, and expenses. The executives need to decide if it makes sense to pay to upgrade the applications that control robotics, manufacturing, or other equipment on a network.

Three Definitions:

In case nobody’s explained these terms, it is essential to differentiate between upgrades and updates:

1. Operating System Upgrades: An example is upgrading from Windows 10 to Windows 11. Newer operating systems often have more security features. Microsoft and Apple will naturally be tempted to assign their best and brightest people to develop and update the newest operating systems, so they eventually drop support for old operating systems. Unsupported operating systems are designated EOL (End of Life.) Using an operating system after it is no longer supported is a significant security risk.
2. Operating System Updates, a.k.a. Patches: Security updates are rated by the severity of the security risk and how likely an attacker will exploit the weakness. Critical security updates are the most important to apply. Staying up to date with patches can be a significant struggle in many situations.
3. Application Upgrades: Upgrades to new versions of the software that controls devices such as CNC machines, robotics, lasers, laboratory equipment, instruments, or any other hardware that connects to a computer.

The Shocking Reality:

Some applications that control devices may prohibit operating system upgrades and security patches. The applications might break if the IT team deploys the patches or upgrades the operating systems. Sadly, as reckless as it seems, some companies that create applications to control machinery will no longer provide technical support to your IT team if the operating system on the workstations is upgraded or has security patches. Their software developers may be too busy to create flexible, secure applications and are forced to focus strictly on functionality.

Depending on the application vendor, paying for an upgraded version of a controller application can be very expensive. Fortunately, sometimes, the upgrade charge is reasonable or free. Sometimes, no upgrade is available to permit operating system upgrades or critical security updates.

Another consideration is the risk that upgrading might interrupt manufacturing flow if the upgrading process requires extensive troubleshooting or potentially interrupt production. When equipment operates 24/7, the IT Team is under more pressure since there is no downtime for maintenance.

If the new application’s user interface significantly differs, shop floor personnel might require additional training. Inadequate training can lead to costly mistakes and safety issues. Scheduling training will affect the timing of deploying the new applications.

So, as you can see, when robotics, scientific instruments, lasers, manufacturing, or other equipment works just fine, upgrading the application offers no valuable benefits, and the IT team is busy, we find during audits and security assessments that many manufacturing organizations have outdated operating systems or need critical cybersecurity updates.

The organization’s executives might accept the risk, especially if compensating controls are in place.

Alternative Tactics Increase Security:

Using compensating controls in networks is essential because systems sometimes have significant vulnerabilities before updates are released or installed. Compensating controls are even more essential to help protect workstations if patches are missing.

Compensating controls include, and are not limited to, isolating the machines that control robotics, manufacturing equipment and scientific instruments on a separate network away from your network. That separate network must have limited connectivity to only allow traffic to and from the specific devices necessary and limit the kind of data and how it traverses the network to reduce the attack surface and make it more difficult for a malicious program or third party to access that instance or device. I sometimes refer to this tactic in keynote presentations as creating filtered subnets.

Another compensating control is to harden the unpatched or EOL machines by removing all applications except those essential for the equipment’s operation. Examples of applications that must be removed include browsers and email clients since they are common vectors for successful attacks. If the employees operating those devices require internet and email access, consider adding a separate workstation that is patchable for email and web access.

EDR/XDR (Endpoint Detection and Response / Extended Detection and Response) technology is another helpful control. It involves installing a small program called an agent on each computer. The EDR/XDR agent monitors the system’s software, services, and behavior for any signs that threat actors might have already compromised the computer. If the EDR/XDR tool detects an IoC (Indicator of Compromise), it can respond by interrupting the process. When tuned to avoid false alarms, the best response is to allow the agent to effectively quarantine the workstation from the rest of the network until the IT team can investigate. This helps prevent attackers from spreading to more hosts.

However, it is common for IT teams to succumb to the danger of relying too heavily on EDR/XDR to protect their organization and, therefore, neglect implementing other industry best practices to protect systems. Threat actors often set up EDR/XDR tools on their test networks to find ways to circumvent the protections. So, even if your EDR/XDR tool says everything is safe, it doesn’t necessarily mean threat actors aren’t active in your network.

To combat this, companies commonly conduct yearly red-team exercises, performed by exceptionally skilled IT teams that regularly perform these exercises and know the tricks and practices real-world threat actors use. These exercises are designed to test the effectiveness of the detection and response process. These exercises look for weaknesses in EDR/XDR and help keep the IT team in practice, ensuring they’re better prepared in the case of an attack.

Depending on your budget, if $20/user/month for EDR/XDR is not feasible, know that the other cybersecurity controls in this article, such as careful hardening and segmentation with very restrictive filtering, are much less expensive than EDR/XDR and have little if any ongoing expense. I don’t want to diminish the usefulness of EDR/XDR tools. If you are on a tight budget, unless your cybersecurity policy requires EDR/XDR, you might choose to focus on other compensating controls.

The IT Team must alert the executives about the expense of upgrading applications, isolating the shop floor instances on a separate network, deploying an additional network for web and email access, training users and operators, implementing EDR/XDR tools, and other expenses. Include time estimates along with financial estimates. Then, the executives can make an informed decision, and IT can follow their instructions and ask for support as necessary.

Step-by-Step Guidance for IT Teams:

Acknowledge that it can be a significant challenge and sometimes practically impossible to ensure that all workstations run with a current OS and that all critical security updates are applied. But keep applying updates if possible.

Inform your executives whether your team has time to make these changes. IT teams must alert executives of the time and expense involved. The executives will have options such as adding more IT professionals to augment the team, postponing other projects, or accepting the risk of continuing with unpatched systems or EOL OSs with the compensating controls listed below.

Explore all technical, training, and expense changes before upgrading applications.

Ask your supervisor to delegate the price checking to someone outside the IT department if feasible. Your IT team is very busy, so checking the prices might cause the upgrade to be delayed. It can be time-consuming to check with the robotic, manufacturing, and scientific equipment vendors to find the pricing for upgrades to their applications that control machinery.

Investigate more than the pricing. Ask about changes in the upgraded applications affecting the user interface and user experience. Ideally, the upgraded application software operates similarly and has the same interface. Unfortunately, some manufacturers significantly change the user experience when they upgrade their applications.

If users will need training, identify a trainer.

Determine how scheduling the training will affect the deployment timing.

Involve executives in decision-making and send them regular reports about the project’s progress.

Implement compensating controls on the workstations because of the high cybersecurity risk of missing critical patches or using EOL OSs. Compensating controls aren’t a replacement for missing patches, but the controls can help tremendously.

Remember that attackers can exploit security risks long before they are discovered. Only when the vulnerability is discovered will the operating system and application developers know to create or release patches to seal that security hole. Refrain from relying on patches as your sole security control for application software and operating systems.

Strongly consider isolating shop floor machines on a separate subnet, especially those you are prohibited from patching and those using EOL OSs. Isolate that subnet completely with an air gap or utilize aggressive filtering at the switch or router to limit traffic to only the required source, destination, ports, and protocols.

Additionally, hardening the workstations against attacks is strongly recommended.

Remove or restrict web and email access. This is one of the most effective ways to harden workstations, as web and email are two of the most common vectors for malware.

If the workers at those devices need access to the web and email, consider deploying a separate workstation to their station they can use for web and email. If feasible, that workstation should not be on the shop floor network. If you put those workstations on the equipment network, you would need to allow email and web traffic, and modifying access control lists to allow more sources, destinations, ports, and protocols can significantly reduce the security you would otherwise introduce to the equipment control network. Strive to exclude TCP ports 80 and 443 on the AI device network while allowing full functionality of the AI and other computer-controlled devices.

Be sure you limit the sources of inbound and destinations of outbound network traffic to the absolute minimum. If you need to run new cables to facilitate the additional workstations for web and email at the workers’ stations, then running new cables might be a significant investment. Deploying a WiFi network for email and web access might be more economical. Keep the key secret. If you share the WiFi password, workers might connect other devices to the equipment network and compromise security. Completely blocking email and web access and access to external IP addresses will hamper the workers on the manufacturing network from exposing the hosts to many threats.

Strongly consider using EDR/XDR tools, along with the Red Team Exercises, to help ensure the configurations’ effectiveness and allow your IT team to prepare for actual emergencies.

Summary:

Protect workstations that control hardware such as robotics, pharmaceuticals, lasers, and scientific instruments, regardless of whether they utilize AI. This helps ensure the safety and operability of your systems, protecting your organization and workers.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

(Image source: Bing. Learn more at [Bing.com].)

The post An Executive’s Handbook to Securing Modern Manufacturing Networks and Robots, AI or Not appeared first on Foster Institute.

You can encourage them to buy, or even issue them, a small uninterruptable power supply UPS for their Internet router. Laptops have built-in battery power. If a worker has a desktop computer or other networking equipment, those devices must be on a more powerful battery backup.

If you are comparing unit run times, watts are usually a better comparison than VA. A 500W UPS, around one hundred dollars, will probably run an Internet router for between one and two hours. You can ask your IT Pro if you want more details and find out their favorite brand name. APC, Tripp Lite, and CyberPower are popular brands. (The Foster Institute does not receive any compensation for mentioning brands, nor is this an endorsement of the brands. You might find it helpful to know what products our clients find useful).

Please forward this to your friends who might benefit if their workers stay connected during a power outage.

The post Battery Backup for Your Work from Home Users’ Internet and Computers for Power Outages appeared first on Foster Institute.

More often than ever before, bad actors infiltrate organizations in a slow, methodical way. They can remain undetected for weeks, months, even years. The FBI uses the term dwell time to designate the period from when attackers infiltrate systems until you discover them. The FBI warns businesses that attackers can cause significant damage during dwell time. Bad actors quickly establish backdoors to ensure access, even if you block their first point of entry. They deploy keyloggers on systems to record keystrokes. If your cyber assets are compromised, the bad actors can potentially monitor your messages to find out when you discover their presence in your network, computers, applications, cloud resources, websites, or anywhere else.

Once attackers know you’ve discovered their infiltration, that triggers them to move forward with their next phase, often contacting you to demand a ransom. Sometimes they threaten severe consequences if you attempt to recover your system in any other way than paying them. Since they are in your systems, you must take the threats seriously.

Establish a protocol for workers to communicate suspicions in some method other than email.

Even your IT department must avoid emailing each other questions such as, “I received an alert that someone is resetting an administrator password. That’s odd. Is that you?” Instead, they must communicate by mobile phone or radio.

If you suspect a breach and contact us, consider phoning. If you must email, use a personal account outside of your company account, and use a phone or some device other than a company computer’s keyboard to send the message.

I’m not talking about when users receive a phishing message. I’m talking about if they receive a phishing message that includes customer account information, if an important file is missing or won’t open, or if they receive an unexpected login request on a website or to open a file. IT needs to investigate these early-warning signs.

Please forward this to other executives who you care about to establish a mobile hotline number for users to reach the IT team to report suspicious activity. Help avoid triggering attackers’ responses before your IT team has time to react and, hopefully, mitigate a potential cybersecurity disaster.

The post If You Get Hacked, Do Not Email Anyone About It appeared first on Foster Institute.

Step 1: Attackers compromise work-from-home users.
Step 2: They gain access to their company.
Step 3: They bite into the company to discover what’s inside.

There are so many work from home users; this is a target-rich environment.

1. You must harden remote users’ systems against attacks. Secure their connections.
2. When possible, issue laptops, so your IT team has more control over your remote users’ security.
3. Implement user training and phish testing. Please say if you’d like us to provide phish testing and online training for your users. We do all the work so your IT teams can focus on their other tasks.

Please forward this to your friends so they realize their remote users must be more secure than ever, and attackers target them indiscriminately.

The post Your Work From Home Users are Like a Box of Chocolates appeared first on Foster Institute.

The post Zoom Security Settings – The Concise Details appeared first on Foster Institute.

I’m in San Francisco right now at the RSA cybersecurity conference. Hand sanitizer is everywhere, and people are using it.

Italy shut down some towns. There is a possibility, however remote, and perhaps not for months, that US cities might shut down too. Prepare for the potential impact on your organization. For example, if schools shut down, will some of your workers, including IT team members, be unable to come into work because they need to stay at home to watch their youngsters?

Make sure all of your network users can work from home concurrently. Your IT team might need to increase the capacity of your servers to handle the additional workload. Can your workers use their phones to conduct business remotely? Does your IT team need to set up remote VoIP phone clients? Are IT team members cross-trained to be able to cover other workers’ duties? Does everyone know who to contact at your company for the most current information?

Even if your workers can work, they will put the safety of their families first. When Italy shut down some towns, the grocery stores ran out of food and supplies quickly. Encourage workers to stock up on food and products they usually buy, including non-perishables. They need to have enough medications. Once their family is taken care of first, then your workers can devote attention to work.

Prepare for loss of, or delays in, sales and income. Develop contingency plans. Would the loss of one of your primary suppliers devastate your business? Are you prepared if some essential piece of machinery, or network server, needs repair and you cannot get spare parts? Assign someone or develop a team at your company to focus on the risks and develop contingency plans. Remember IT.

Warn your workers that there will be an increase in spam and phishing as bad actors prey on their worries of the virus. They must be vigilant to spam and fake news.

For more information, Homeland Security offers suggestions at ready.gov/business/implementation/IT CDC provides a useful document at CDC.gov/flu/pandemic-resources/pdf/businesschecklist.pdf

Notice signs of things to come including a potential reaction to the virus. The falling stock market is a sign, Italy closing cities is a sign, and San Francisco declaring a state of emergency is a sign. Prepare now in case things start happening rapidly.

Please forward this to your friends so they can prepare their organizations for possible public panic and quarantines over Coronavirus.

The post Prepare Your Organization for a Reaction to Coronavirus appeared first on Foster Institute.

Add a footer to all of your web pages to the effect of “The CCPA requires us to notify you that we could sell your data unless you opt-out here” and provide them a link. Do it even if you don’t sell data.

CCPA applies to you if:

• At least half of your organization’s revenue is from the sale of personal data, or
• Your organization stores personal data of fifty thousand people or more, or
• Your organization has at least twenty-five million dollars annual revenue

If one of those applies, then:

• If a consumer in California asks, you must be able to give them copies of all of the data you collected about them.
• You must be able to tell them if you sold their data and to whom.
• Consumers can demand that you delete their data. Scouring their information from all of your applications and tools can be difficult because you have to remove them from your contact list, accounts receivable, order history, and everywhere else you store any information about them or their activities.

Protected data includes contact information and anything that can identify a household, including GPS locations.

Confusion abounds in the CCPA. For example, if consumers choose to opt-out, an organization cannot discriminate against them by blocking or offering a lower level of service. But some companies provide services based on their consumers’ data, so how can they give the same level of service to consumers who do not provide data? Another example is that employers need to keep some data on employees. What if an employee asks to have all their data, including their social security number, erased everywhere, but want to continue their employment? There are extensive attempts to address these issues, but the rules are confusing.

You’ll need to involve your lawyer to help wade through the issues, and that leads to the obligatory disclaimer: Do not misconstrue this to be legal advice. Check with your lawyer.

The CCPA is only the beginning. Expect to see similar laws in other states and at a national level too. Please forward this to your friends and associates, so they know they only have until July 1, 2020, to prepare.

The post Information that You Need to Know About the California Consumer Privacy Act appeared first on Foster Institute.

The post Good News for Windows 7 Users appeared first on Foster Institute.

In the past several days, two of our customers suffered a potential breach when their users opened Word documents sent as attachments. The infected files slipped right past sophisticated email protection systems.

Fortunately, at both companies, the IT teams got involved early on and averted disaster.

In one case, the attachment came from a trusted third party that was unaware their systems were compromised. Remember, your security is only as good as the security of your third party providers.

If you unexpectedly receive an email message with any attachments other than pdf files, be very skeptical and notify IT immediately. You may save the security of your organization.

The post Avoid Opening Word Attachments – Check with IT First appeared first on Foster Institute.

Any of your computers that you purchased six years ago came with Windows 7 installed. Unless you paid for new licenses and gave your team time to upgrade them, those computers run Windows 7 today.

Some of your options include:
– Buy new computers
– If the computer is strong enough, upgrade Windows 7 to Windows 8.1 or Windows 10
– You can ask your IT team if you use a technology called VDI. If so, they can uninstall Windows 7 completely. They can install Linux, or make a bootable thumb drive, or use a No Touch Desktop program. The computer can function as a screen and keyboard to a server where Windows runs

If, for any reason, you need to keep Windows 7 on some workstations, be sure to give your IT team time to implement compensating controls. For example, they can isolate the computers from the rest. Ask them to install Microsoft’s downloadable EMET security tool that works in Windows 7.

Support for Windows 8.0 ended in 2016.
Support for Windows 8.1 ends on January 10, 2023.

Please forward this to your friends and business associates, so they know January 14 is the when Windows 7 becomes a severe security risk to their networks.

The post Microsoft Will Stop Protecting Windows 7 on January 14, 2020 appeared first on Foster Institute.