Cyber defences put to the test

In recent years, the Norwegian automotive group Bertel O. Steen has undergone significant transformation to accelerate their digital development.

Additionally, the group has undertaken an equally important internal reassessment of their digital security practices. This is already paying off.

“I have been asked about the worst possible outcome in the event of a cyber-attack. My response is always that this is aquestion for our business managers, as they will face the most significant consequences,” says Steingrim Soug, Head of Data Security at Bertel O. Steen.

Today, the group has a defined plan for managing security and defence-in-depth, a type of cyber-security in which several layers of control are used so that there’s always a back-up in place. However, not long ago, criminals were at their doorstep– charging in at full speed.

Among the measures implemented by Soug and his team was the introduction of guidelines to make the group’s systems and network solutions more resilient in the event of an attack.

For several years, Bertel O. Steen has had an ongoing agreement with Telenor for the surveillance of their security platform. Telenor acts as the group’s Security Operation Centre (SOC), taking on the day-to-day responsibility for implementing security measures against external threats.

“We already had a strong security ‘shell’, which made it difficult to gain access to our network. Our challenge was that if someone managed to breach the first layer, there were too many open paths leading deeper into our network,” Soug explains.

The goal became to implement measures that would minimise the potential damage if a hacker managed to breach the outer layer of security.

However, for a large group like Bertel O. Steen, this isn’t achieved by simply pressing a few keys on the keyboard.

“Our entire structure is comprised of more than 3,000 full-time employees across over 100 companies. In our network we operate more than 6,000 different users and we have over 7,000 endpoints.

In addition, we manage several thousand operational technology(OT) units. Because of this, the network had to be divided into different zones, which allowed us to isolate a potential attack.

”This approach was also applied to their cloud solutions. Nothing was to operate with more than the necessary configurations and permissions, and the overall defence-in-depth security was to be strengthened.

“For instance, our encryption keys are now stored in different locations, making it impossible to lock the entire network from any single point within the system. This follows the same logic as not keeping the keys to all your cars in the same safe at the dealership,” says Soug.

Additionally, the emergency preparedness and contingency planning for IT security needed an upgrade. This was partially addressed by creating standard procedures for handling attacks or incidents.

Bertel O. Steen utilises an ISO-certified management system that covers their entire business. This means there are specific,formal requirements for how actions are to be performed and documented at all levels, including within IT and security.

“These procedures are part of the group’s overall crisis management plan, which outlines how different types of crises should be handled. The plan defines specific roles, each with its own tasks and areas of responsibility,” Soug explains.

Along with a clear specification of purpose and scope, the procedures include a detailed description of the CSIRT (Computer Security Incident Response Team), along with its members and functions. The procedures also outline how to alert and summon the crisis management team, and the key points that should always be covered in these meetings.

The group has also developed action cards, which describe the different roles in the crisis management team and their respective tasks.

“The action cards are essentially checklists detailing what to evaluate, what to remember for damage limitation, and the steps to take to ensure a return to operations and the resolution of the crisis,” Soug says.

The alarm bells sound However, as the work to implement the new measures and procedures is well underway, the alarm at the SOC suddenly goes off. Telenor has detected suspicious activity in one of the group’s login portals.

“We have a solution that allows users to sign in through a website that provides access to a range of applications. The system is designed so that users only see the applications they have permission to access,” Soug explains.

By mistake, the solution was momentarily downgraded, making it vulnerable to a security flaw known as Citrix Bleed. In principle,this means that a hacker could take control of an already signedin user, along with all their inherent permissions.

“We noticed that they had extracted a list of usernames from the login system and installed a couple of trojans, malware hidden inlegitimate applications. Fortunately, the security systems quickly detected the trojans, and they were automatically removed.”

The hackers then attempted to sign in to the different applications in the portal. However, they were thwarted by the two-factor authentication requirement.

“When you are in the middle of an attack, the situation can feel quite stressful. This is where management systems and action cards come in handy. They provide an opportunity to double-check what you are supposed to do in any given situation,” Soug says.

Today, both the operations and IT departments at Bertel O. Steen have their own incident response teams that handle issues and report to the group’s overall emergency response team.

“One of the defined roles in our procedures is that of a log-keeper.

This role has a single task: to log all decisions made and the reasoning behind them. This is incredibly important for evaluating our crisis management after the crisis.

”Bertel O. Steen’s action card for IT security incidents states that systems that are hacked or infected should not be restarted, but isolated. The reason for this is that restarting a system often initiates a standardised setup, which deletes all logs and applications installed on the server.

“Sadly, a mistake was made in this instance. The incident was interpreted as an operating error rather than a security error. The instruction for operating errors is to restart to recover quickly.

This made it difficult to uncover exactly what had happened and complicated the handling of the situation.

”If Bertel O. Steen had isolated the portal instead, which they had the opportunity to do through the zoning of the network, all the digital traces would have been available after the incident.

Without multi-layer security, the hackers could have easily penetrated deep into the network. There, they could have potentially deleted or downloaded all the customer data in the group or encrypted all their systems.

Soug believes the consequences could have been catastrophic.