Monthly Archives: November 2021

The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide between the IT & OT Teams

A primary challenge to improving the security of organizations’ Industrial Control System (ICS) and Operational Technology (OT) environments, as revealed in this research, is the need to overcome the cultural and technical differences between OT and IT teams. Ideally, organizations should work toward establishing a unified IT and OT approach to addressing the threats and closing the gaps in security that leave organizations vulnerable to cyber attackers. Sponsored by Dragos, Ponemon Institute surveyed 603 IT, IT security and OT security practitioners at the C-level, managerial and director level in the United States. All are familiar with cybersecurity initiatives and ICS and OT security practices within their organizations.

In the context of this research, OT represents the programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples include industrial control systems (ICS), building management systems, safety control systems, and physical access control mechanisms.

ICS encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system components such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components that act together to achieve an industrial objective.

The cultural divide between IT and OT teams affects the ability to secure both the IT and the ICS/OT environment. Because organizations’ cybersecurity policies and procedures are not aligned with OT and ICS security objectives, only 35 percent of respondents say their IT and OT teams have a unified security strategy that secures both environments while accommodating their different controls and priorities. Only 39 percent of respondents say IT and OT teams work cohesively to achieve a mature security posture in both the IT and OT environments.

The risks created by the cultural divide between the IT & OT teams

  • Fifty percent of respondents are optimistic about the future of their ICS/OT cybersecurity program. However, only 21 percent of respondents say their ICS/OT program activities have achieved full maturity, in which emerging threats drive priority actions. A fully mature program also means C-level executives and the board of directors are regularly informed about the efficiency, effectiveness, and security of the program. Twenty-nine percent of respondents say their organizations are in the late-middle stage, which means there is C-level support, an adequate budget and risk assessment, and a cross-functional team of IT and OT SMEs works together cohesively. 
  • As the frequency and severity of attacks increase, organizations are struggling to keep ahead of these threats. Sixty-three percent of respondents say their organizations had an ICS/OT cybersecurity incident in the past two years. 
  • For the first time, this research calculates the cost of one cybersecurity incident in the ICS/OT environment. The average cost per cybersecurity incident is $2,989,550 (the calculation is shown in Table 1 of this report). An average of 316 days is spent to detect, investigate and remediate the cybersecurity incident. Based on the use of a threat hunting and incident response team that averages six IT and IT security personnel, it costs an average of $963,168 to detect, investigate and remediate the incident. The fixed costs, including the replacement of equipment, downtime, and legal and regulatory fines, total $2,026,382. Together these equal the average total cost of $2,989,550. 
  • The majority of respondents say senior management lacks an understanding of the cyber risks in the ICS/OT environments. As a result, not enough resources are allocated to defend the ICS/OT environments. Paradoxically, the primary blocker for investing in ICS/OT cybersecurity, according to 56 percent of respondents, is that ICS/OT cybersecurity is managed by the engineering department, which does not have security expertise; 53 percent of respondents say the blocker is that ICS/OT security is managed by an IT department without engineering expertise. 
  • The Director/Manager of IT and the VP of Engineering are the functions most respondents in this study report to. However, the VP of Engineering is by far the function most accountable for the security of the ICS/OT program. Only 12 percent of respondents say the CISO is most accountable for the security of the ICS/OT program. Further, only 35 percent of respondents say someone responsible for ICS and OT cybersecurity reports IT and cybersecurity initiatives to the board of directors. Of these respondents, 41 percent say such reporting takes place only when a security incident occurs.
  • Only 38 percent of respondents say the security safeguards in place to protect the ICS and OT environments are covered during board meetings and only 36 percent of respondents say the effectiveness and efficiency of security programs and measures are presented.
  • Cultural and technical differences must be overcome for OT and IT teams to work cohesively. The challenges are usually not caused by competition for budget dollars and new security projects (only 32 percent of respondents). Rather, it is the gap between traditional IT-specific best practices and what is possible in OT environments, such as patch management (50 percent of respondents), and the unique requirements of industrial automation equipment vendors (44 percent of respondents) that cause conflicts between the two functions.
  • Only 46 percent of respondents say their organizations are effective in gathering intelligence about threats to the ICS/OT environment and 45 percent of respondents say their organizations are effective in discovering and maintaining an inventory of all devices attached anywhere on the OT network throughout the asset lifecycle.

To read the full report, visit Dragos.com.

She donated to help a friend get a kidney; then she was forced to make a ‘hostage’ video

Bob Sullivan

A California woman who thought she was helping an old friend pay for a kidney transplant has been caught up in an Instagram hacking scheme with a nightmarish twist —  criminals drained her bank account via Zelle and then forced her to make a hostage-style video endorsing a get-rich-quick scheme in an attempt to get some of it back.

I found her “hostage” video online, posted by an Instagram account containing hundreds of similar videos endorsing a scheme promising 1,000 percent returns on investments; many seem to be coerced.

Makaylah Lervold wrote to me on Friday desperately seeking help getting a refund after her bank account was hacked and criminals sent themselves about $3,000 of her money. The hack followed a chain of events that began with an old friend reaching out over Instagram messages saying he’d finally found a kidney donor match after a four-year search.  Lervold had met the sick friend several years ago at work, but hadn’t stayed in touch, though she was aware that he was indeed seeking a transplant.  His search was public; I’ve been able to confirm it through local news coverage.  Lervold said she messaged with the writer, whom she now knows was an imposter, and agreed to take a phone call from a hospital representative who would provide instructions on how to contribute.

She sent $1,000 to the caller’s account via Zelle, thinking it was a donation. Instead, the money was sent to a criminal’s account. The caller gleaned enough information — she asked for Lervold’s authentication codes — that the criminal or someone else was able to transfer nearly $3,000 more out of Lervold’s account through a series of additional Zelle transactions.  Lervold provided a screenshot of those transactions to me. Then, using stolen credentials, someone hacked into Lervold’s Instagram account and locked her out. The criminal subsequently threatened Lervold with more financial crimes unless she produced a video endorsing an investment scheme.

“Hi everyone. It’s Makaylah,” she says in the video. “I’m just here. I want to let you know about a huge opportunity. I just invested $1,500 with [name removed] and she turned my $1,500 investment into $15,000. Don’t miss out on this opportunity. I’m so grateful. Thank you [name removed]. Hit her up. She will invest your money. And turn it into a huge profit. You won’t regret it.”

Other videos on the “investment” Instagram account page contain similar messages. The account has more than 1,500 followers and has made 1,700 posts, dating back well into last year.

Posing as an old acquaintance, I contacted the hijacked account that originally belonged to Lervold’s sick friend, offering congratulations for finding a kidney match. The response came quickly: “Thank you so much sweetheart and I was about to ask you if you’d be interested in making some extra money.” Then later in our exchange, the imposter wrote, “Can you help me out $300 until tomorrow morning. I was short on a bill…I’m actually at the hospital.”

That victim declined to respond to a request for an interview.

Joseph Cox at Motherboard reported last week on a victim who was also forced to make a hostage-style video after being coerced into a bogus bitcoin investment. It’s unclear if these incidents are related, but my concern is the compelling tactic of forced video endorsement.

Lervold said the experience was terrifying.

“I’m so distraught…it was really scary,” she said. “They drained all the money that I had saved for my wedding in June. It’s devastating. …  They forced me to make a video just like the last video they posted on my friend’s hacked account. …  They said if I didn’t do it they would completely drain my account. It was the scariest situation I have ever been in.”

Worse yet, when she contacted me, the criminals were using Lervold’s hijacked account in an attempt to scam her friends, she said.

“Now they are trying to scam my friends and inviting people from my Instagram to our wedding and are asking for money,” Lervold said.

She provided me with screen grabs of a dialog between a friend and the hacker in which the criminal offers to invite the friend to the wedding…then tries to convince the friend to send in money for the investment scheme.

“Did you see my ad? I actually made $15k from the investment. I posted it,” the message from the criminal, posing as Lervold, says. “Was wondering if you’d like to tap in.”

Last week, I reported that there was a large increase in consumers reporting that their Instagram accounts had been attacked by hackers. This complex scheme…involving trusted friend relationships, and hopping from one hijacked account to another, armed with intimate knowledge of each hacked victim…shows why hacked Instagram accounts can fetch nearly $50 on the digital black market.

Lervold said she reported that her Instagram account had been hacked to Facebook late last week; she has not yet heard back from the company. On Facebook, she can be seen pleading for friends to unfollow her Instagram account and asking them to report it as fraudulent so they would not be deceived by her video.

Monday afternoon I reported her account to Facebook’s media relations department, along with the account hosting the hostage videos. Facebook has not yet returned my request for comment, but by Tuesday morning, Lervold’s account and the account hosting the hostage videos were both taken offline.

“Apparently each scam is different,” Lervold said. “They were messaging me already knowing I was (the kidney patient’s) friend. Which is why they knew I would donate. Other people they have used this investment scam saying they can turn a certain amount of money and turn it into a huge profit. Like the videos. You can turn $1,000 into $10,000. They took over my account and are asking people for money to help with my wedding. They must have read personal messages and are using that to get to my Instagram friends…they read back years in my messages.”

Eva Velasquez, CEO of the Identity Theft Resource Center, said her agency has been tracking the large increase in Instagram scams.  She said she was very concerned about the hostage video trend.

“It’s a new twist on ransoms,” she said. “Instead of asking for money, they are asking for videos.”

Her message to the public: Don’t make coerced videos. Paying the “ransom” doesn’t work.

“Do not make these videos endorsing something to get your money back or your account back because it’s not going to happen, you’re not getting it back,” she warned. “Just walk away from the account.” Work through the social media companies to get account access restored, she said, admittedly an “arduous process.”

She warned that victims would suffer even deeper emotional consequences than those who send money to criminals — because their accounts and their words can be used to scam friends.

“When you add a layer that you were an instrument of victimization involving people you know and love, who are part of your personal network, that just adds another layer of emotional grief,” she said.

Velasquez also reminded users never to share authentication credentials — including two-factor text message codes — with anyone.

I’ve decided that those SMS codes should no longer be used; it’s time that users switch to an authentication app for two-factor needs.  There are too many stories about criminals accessing text messages through hacking or coercion.