Connect with us

TECHNOLOGY

Gas stations and beyond: Why cybersecurity is a top priority for industrial infrastructure

December 19, 2021 1:55 p.m.

By Chris Connell, Managing Director for Asia Pacific at Kaspersky

Industrial Control Systems (ICS) demand specific approaches to cybersecurity due to their complex structure, connected devices with different capabilities, software and operating systems, and critical functions. And this isn’t just a theory. 

Something as common as a gas station has all the attributes of an ICS, such as connected equipment including pumps and tanks, controllers, a management system, a payment system, as well as connection to the corporate network, third-party service systems, and the internet. Just like any industrial facility, it has cybersecurity issues that companies should consider, to avoid disruptions that may affect the business, its employees, and the general public. This happened recently when gas stations in Iran were shut down because of a targeted attack. 

This look through an ICS infrastructure is based on our research carried out at the end of 2020. It included the analysis of a modern gas station’s automation software architecture, a typical infrastructure, and the communications inside it. This allowed us to classify potential attack vectors and their impact on the fuel station’s network. 

At a gas station

Imagine you’re driving your car and you need to fill it. You stop at a gas station, put the dispenser in the tank, and go to the convenience store to pay for the fuel. Once inside, the fresh coffee smells nice, you take some snacks for the road, complete your purchase and return to your vehicle.

To deliver the fuel to your tank, several systems should work: the back-office system and point of sales are used for payments and management functions. They are connected to the forecourt controller (FCC). This is the area with pumps outside the convenience store where customers park their cars to fill up. It is equipped with many systems such as a pump control, an automatic tank gauge (ATG), payment systems, etc. The FCC is the main device that controls fuel distribution, so when you pay through a cashier, the FCC commands the pump to supply it to your car so you can continue your journey. 

Information about operations, the amount of fuel sold and available is transmitted to the management system locally and then to a head office that accumulates information from all stations. 

Where are the problems? 

Through our research, we managed to classify what could go wrong in this process. There are several potential operational technology (OT) and IT security issues that can affect the work of the station. 

The first group of risks involves potential remote access from external networks. Just like many industrial systems today, the gas station employs solutions that are connected to public services through the internet, these include cloud banking systems or specialised fleet management systems. Remote access to the fuel station allows further malicious actions inside the network. 

This was a real case described in one of Kaspersky’s studies. At the gas station, fuel management software was used to track the amount stored, set the price, and process payments. The system was connected to the internet and had vulnerabilities that allowed remote admin access with the ability to even change the fuel price. 

There are also suppliers and service companies that have access to some parts of the infrastructure. Compromising these third parties may open doors to the target system for attackers. In fact, this type of threat is of great concern for companies of any size profile: a third (32%) of large organizations suffered attacks involving data shared with suppliers. What’s more, the financial impact of such incidents on enterprises is the highest across all types of attacks in 2021. 

Another set of risks involves network and device issues that may potentially lead to the disruption of fuel station services or direct financial impact. Attacks can come from remote networks or by connecting to wireless networks or wired network ports available onsite. 

Then, if the network is not segmented, the attack can spread from entry points such as secondary equipment in a shop and office workstations to critical components such as fuel management controls. The usage of unencrypted protocols (HTTP, CDP, FTP, Telnet, etc.) in the gas station network may allow adversaries to disclose sensitive information for further attack development. 

Another critical but evergreen problem is vulnerabilities or security flaws in the fuel controller, POS terminals, and network equipment, as well as corporate endpoints and applications. In 2015, 5,800 automatic tank gauges (ATGs) were found to be exposed to unauthorized access from the internet because of a lack of password protection on a serial port. ATG is an electronic component placed in the tank that monitors the level of fuel and checks if it is leaking fluid. And through this serial port, the ATG can be programmed. If the signal it transfers is not correct, the operator won’t get an alert about any deviation. Figures from 2015 also suggested that at the time, most systems were in gas stations in the US and represented 3% of those used in the country. By compromising such critical systems as automatic tank gauges, criminals can unlock options for fraud or even physical damage. 

It is also important to verify all workstations used on the forecourt such as points of sale, back-office systems, fuel controllers or payment terminals, as well as their configuration and even access to USB ports. For example, a lack of encryption or incompliancy to the PCI DSS standard in a payment system can contribute to the risk of an attack. For a fuel controller, it is also important to check industrial protocols. Lack of source authentication or integrity control may give adversaries, performing a man-in-the-middle attack, the opportunity to intercept data and manipulate station controllers. 

Another point to manage is wireless gateways and reader units. A security assessment should be performed to identify insecure industrial protocols, the possibility of jamming and spoofing attacks. 

How to improve

There are major security measures that should help increase the overall level of operational technology infrastructure. It is applicable to fuel stations but is no less relevant to any industrial network. 

Network security: Purpose-based network segmentation enhances overall security and minimizes the surface of a possible attack. The segment of the network that has access to untrusted parts of it, such as corporate IT, should also be separated and protected with appropriate enterprise-grade protection software. 

Passive OT network monitoring is essential for asset and communication inventory and detection of intrusions before they affect the technological process. Monitoring data also helps IT security teams to analyze events and consider hardening measures. 

Access control: This should include restricting physical and logical access to the automation and control system. Security measures for remote access control for service companies will help to avoid third-party incidents. 

Endpoint protection: It is important to implement specialized industrial-grade security software for OT hosts and servers. Ensure that the software is approved by the automation vendor and compatible with its solutions. This should help to avoid a situation where the protection product affects operation functions. 

Security management: A system for centralized security event collection and protection software policy management should be implemented. It is also important that the solution allows vulnerability and patch management. If the system can be integrated with Security Information and Event Management (SIEM), that is a ‘nice to have’ option for organizations that plan to upgrade their protection level. Real-time continuous monitoring and endpoint data collection with rules-based response and analysis capabilities will help to further improve protection from advanced attacks. 

A more fundamental approach that involves long-term measures is also important to improve the overall cybersecurity posture. This means adhering to industry standards for information security controls such as IEC 62443, NIST, NERC CIP, and so on. The organization should also conduct penetration testing or security analysis regularly, to identify vulnerabilities and information security problems before they are exploited by someone. And then, of course, follow all recommended measures to fix them properly. 

Going deeper, there are specific requirements for companies with different levels of protection. But the measures listed above are essential to fill most cybersecurity gaps. Be it a fuel station, refinery, or giant car manufacturer, the basic principles of OT and IT protection should allow the company to build a reliable cybersecurity system and develop it according to their needs. This will provide a great foundation for satisfied business owners and happy clients. 

TECHNOLOGY

Top AI camera phone HONOR Magic6 Pro now available nationwide with free HONOR Watch GS3! 

9:05 p.m. May 20, 2024

Leading smart devices provider in the Philippines, HONOR, continues to expand all over in the country as it opens its latest HONOR Experience Store in SM City San Lazaro. It marked also the First Day Sale of the impressive HONOR Magic6 Pro, dubbed as the Top AI Camera Phone available in the market, currently priced at P59,999. 

“This incredible Magic AI camera phone to date immensely made waves in the market and now that it’s officially available here in the Philippines, we’re also excited to have a double celebration as unveil our newest experience store in SM City San Lazaro,” said Stephen Cheng, HONOR Philippines Vice President. 

The HONOR Magic6 Pro is available with FREE HONOR Watch GS3 worth Php 11,999 when purchased in physical stores from May 18 to May 31.  

The store was officially opened through a ribbon-cutting ceremony executed by Bluelite Operations Manager Joseph Chua, Bluelite Purchasing Manager Hyacinth Simbulan, SM San Lazaro Asst. Mall Manager Darcy Royo, HONOR PH Brand Marketing Manager Joepy Libo-on, HONOR PH Retails Sales Director Tom Yuan, and HONOR PH PR Manager Pao Oga. 

To extend the fun and excitement, consumers participated during the Guess the Phone Challenge as they familiarize themselves with various HONOR smartphones and identify their lucky pick on the spot.  

HONOR Magic6 Pro’s Pro-Level Specs 

The HONOR Magic6 Pro is known for its impressive camera with 180MP resolution, Second-generation Silicon-carbon Battery with 5600mAh battery capacity, Snapdragon 8 Gen 3 processor, Magic Ring, Magic Portal, HONOR NanoCrystal Shield, and IP68 Dust and Water Resistance Certification.  

Available in Epi Green and Black, HONOR Magic6 Pro can be purchased through selected HONOR Experience Stores, and via Shopee (https://bit.ly/Shop_M6Pro_PR), Lazada (https://bit.ly/Laz_M6Pro_PR), and TikTok Shop (https://bit.ly/TikTok_M6Pro_PR)

For more affordable offers, the HONOR Magic6 Pro is also available at Home Credit for as low as P1,719/month with FREE Harman Kardon Luna and HONOR Earbuds X3 worth P11,699. Take advantage of the offer at https://bit.ly/HONORPH_HomeCredit. 

HONOR Lazada Flash Sale on May 19-21! 

Shop for your favorite HONOR devices and enjoy up to P5,000 off on top of Exclusive Vouchers and Freebies only from May 19 to May 21 via Lazada! Get the HONOR 90 Lite 5G for only P8,990 with FREE Band 6; HONOR X9a 5G for P11,990 from its original price of P16,990 with FREE Band 6, HONOR X8b for P11,400 with FREE X5 Earbuds; and HONOR X7b for only P7,600! Check out your orders now at Lazada https://www.lazada.com.ph/shop/honor.  

For more exciting announcements, head on to HONOR Philippines’ social media platforms: Facebook (Facebook.com/HonorPhilippines), Instagram (Instagram.com/honorph/) and TikTok Shop: (Tiktok.com/@honorphilippines). To check out HONOR’s complete list of retail stores, go to https://www.hihonor.com/ph/retailers/.

Continue Reading

TECHNOLOGY

PLDT Enterprise bags 3 Stevie Awards: Celebrating diverse innovations in Events and Digital Communication

12:34 p.m. May 6, 2024

PLDT Enterprise, the corporate business arm of the leading Philippine telecommunications and digital services provider PLDT, proudly announced its latest victories at the 2024 Asia-Pacific Stevie Awards.

The Philippine Digital Convention (PH Digicon) 2023 VISION: Reimagine Tomorrow’s Enterprise secured a Silver Stevie® under the category of Innovation in the Use of Events and a Bronze Stevie® for Innovation in Business-to-Business Events, while the “Visionaries” campaign received a Bronze Stevie® in the category of Innovation in the Use of Social Media. These accolades once again highlighted PLDT Enterprise’s relentless pursuit of excellence and innovation in the digital communication space.

“We are deeply honored by the recognition bestowed upon us at the Stevie Awards, which underscores our unwavering dedication to business excellence and innovation,” stated Mitch Locsin, First Vice President and Head of Enterprise and International Core Business at PLDT and Smart. “These awards are a testament to our expertise and steadfast commitment to propelling businesses towards success in the digital age. As we continue to garner accolades, they serve to reaffirm our role as a catalyst for transformative digital solutions within the B2B marketplace, and they celebrate our deep-rooted mission to empower enterprises across the spectrum with the tools and services necessary to thrive in an increasingly connected world.”

PH Digicon Uniting and Empowering Visionaries

PH Digicon 2023 VISION: Reimagine Tomorrow’s Enterprise was the most recent leg of the pioneering annual digital conference that once again brought together industry leaders to discuss and explore the future of digital enterprise. The convention offered a platform for businesses to reimagine their operations in the emerging digital landscape.

As the 9th edition of the widely anticipated industry event, it drew a record-breaking number of participants eager to immerse themselves in the latest technologies, hear from digital thought leaders and trailblazers, network with business experts, and participate in on-ground activities such as Digi Grounds, Digi Hub, and SME Zone, to form a shared vision on how to foster the Philippines’ digital transformation.

The event also featured the Start-Up Innovation Challenge, the final pitching and demo day for start-ups to showcase their ideas to industry experts on how to solve everyday challenges using technologies involving Internet of Things (IoT), Artificial Intelligence (AI), 5G, Smart Cities, Immersive Technologies, and Environmental, Social, and Corporate Governance (ESG). 

The event stood as a hallmark in PLDT Enterprise’s event calendar, not just for its scale but for its role in shaping the dialogue around digital transformation in the region. This year’s theme, “Reimagine Tomorrow’s Enterprise,” resonated deeply with attendees, as the event featured industry experts and thought leaders including prominent C-suite executives who shared their insights into the emerging trends and future of digital business. It served as an incubator for innovative ideas, fostering a space where technology and strategy converged to inspire businesses to embark on transformational journeys.

The success of PH Digicon 2023 VISION: Reimagine Tomorrow’s Enterprise in elevating the conversation on digital innovation is further validated by its Silver Stevie® and Bronze Stevie® Awards, marking it as a pivotal event that not only forecasts the trajectory of digital enterprise but actively contributes to its evolution.

Leading the Industry by Example

The “Visionaries” campaign, on the other hand, was a transformative movement celebrating customer success stories across diverse personas and industries, from SME founders, large enterprise leaders, local government unit partners, to international carriers. It showcased the digital transformation journeys of PLDT Enterprise’s customers and reinforced the brand’s customer-centric approach.

The Bronze Stevie® Award for Innovation in the Use of Social Media through the “Visionaries” campaign is a compelling affirmation of PLDT Enterprise’s leadership by example in the realm of digital storytelling and innovation. This prestigious award is a testament to the company’s success as a digital transformation ally for businesses, showcasing their ability to not just follow but set trends in the dynamic narrative of enterprise technology.

The “Visionaries” campaign exemplifies PLDT Enterprise’s role as an architect of change, demonstrating their expertise in crafting impactful stories that resonate with the audience and galvanize the market. As champions of digital innovation, PLDT Enterprise’s approach goes beyond traditional methods, reflecting a pioneering spirit that is essential for leaders in the digital age.

Raising the Bar for Industry and Innovation

“As we celebrate these Stevie Awards, we’re reminded that at the heart of our innovative endeavors lies our commitment to our customers,” added Locsin. “PH Digicon and the ‘Visionaries’ campaign are embodiments of our promise to propel our business partners and customers to success, ensuring that every initiative is attuned to the needs and aspirations of our clients. This commitment is not just a tagline; it’s a guiding principle that steers our journey towards a customer-centric future. Our accolades in events and digital communication stand as milestones along this path, reaffirming our pledge to support every enterprise in achieving their digital transformation goals,” he concluded.

The Asia-Pacific Stevie® Awards are renowned for recognizing innovation in all its forms across the 29 nations of the Asia-Pacific region. The wins at the Stevie Awards, alongside its recent accolades at the ANVIL and Quill Awards, further cement PLDT Enterprise’s position as a thought leader and customer-centric business in the telecommunications and digital services industry.

Download all attachments as a zip file

Continue Reading

TECHNOLOGY

SEA 2023: Cybercriminals clog business networks with financial phishing

6:36 p.m. March 18, 2024

In 2023, Kaspersky anti-phishing technologies detected nearly 500,000 attempts to follow a phishing link on businesses’ devices in Southeast Asia (SEA). Interestingly, this number only refers to phishing links related to finance matters – e-commerce, banking, and payment systems.

Phishing persuades users to take action which gives a scammer access to your device, accounts, or personal information. By pretending to be a person or organization the users trust, they can more easily infect the victim with malware or steal their information.

These social engineering schemes “bait” with trust to get valuable information. This could be anything from a social media login, to your entire identity via your social security number. These schemes may urge the user to open an attachment, follow a link, fill out a form, or reply with personal information.

“Financial phishing” is a type of phishing which refers to fraudulent resources related to banking, payment systems and digital shops. Payment system phishing includes pages impersonating well-known payment brands.

From January to December last year, Kaspersky solutions detected and blocked a total of 455,708 financial phishing attempts targeting companies of various sizes in the region. The statistics reflect clicks on phishing links placed in various communication channels, including emails, fraudulent web sites, messengers, social media, etc. 

“Phishing is a trusted technique for cybercriminals when it comes to infiltrating business networks because they usually work. The rise of generative AI helps cybercriminals to make phishing messages or scam resources more convincing. As a result, it becomes challenging for people to distinguish between a scam and a legitimate communication. That’s why the role of robust security solutions increases,” comments Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky. 

The Philippines logged the highest number of financial phishing at 163,279 attempts in 2023, followed by Malaysia with 124,105. Indonesia chalked up 97,465 incidents while Vietnam experienced 36,130 phishing attacks related to financial matters. Thailand and Singapore registered the least number of this threat at 25,227 and 9,502 respectively.

“Cybercriminals employ various tactics, including financial-related phishing, to deceive employees and trick them into falling victim to an attack Our recent study showed employee security violations can be as damaging as external hacking for companies in Asia Pacific which means the human factor continues to play a role in making businesses vulnerable. Tools to help safeguard against human error are a vital step forward, but they can’t exclude employee education, skills development, and overall strengthening of the company’s ability to detect and respond to cyberattacks,” adds Yeo.

To help companies protect their systems against the damages of a successful phishing attack, Kaspersky experts recommend:

  • To advance decision-makers’ understanding of the importance of cybersecurity and how best to distribute budgets to stay ahead of threats, engage them with Kaspersky Interactive Protection Simulation for enhanced C-level professional education.
  • Consider experts’ help. For example, Kaspersky Assessments family of professional services identifies security gaps in your system’s configuration, and the Security Architecture Design helps create an IT security infrastructure that’s a perfect fit for a particular company. Every step of implementation is grounded in real security needs, giving decision-makers convincing arguments to allocate budgets.
  • Install and use enterprise security solutions with anti-phishing software: The Advanced Anomaly Control feature within Kaspersky Endpoint Security for Business Advanced, Kaspersky Total Security for Business and Kaspersky Endpoint Detection and Response Optimum help prevent potentially dangerous activities that are ‘out of the norm’, both undertaken by the user and initiated by the attacker who has already seized control of the system.  
Continue Reading