Simulating an OT breach | Apple explains why it scrapped the CSAM tool
CyberInsights #109 - Caldera for OT | Apple and the security - privacy debate
Breach and Attack Simulation for Operational Technology
Testing your OT using the MITRE ATT&CK framework just became easier.
MITRE and CISA released a new open source tool for testing the security of Operational Technology (OT).
Well, technically, it is not a new tool, but a new plugin to the MITRE Caldera breach and attack simulation tool. The new tool has 29 new OT testing capabilities over and above the regular BAS (Breach and Attack Simulation) capabilities of Caldera. The new repo is available here. Caldera for OT supports three OT protocols - BACnet, Modbus & DNP3. Read more about it here in the official release statement.
Take Action:
CISOs of setups that use OT should benefit from this. If you are not doing red teaming for your OT setup, this might be a good time to start.
If you have an in-house testing team, help them build the capabilities for OT attack simulation using this plugin for Caldera.
If you are a cybersecurity professional on the testing side, OT testing is a good skill to have in your repertoire.
Apple's CSAM Photo-Scanning Decision Ignites Debate
Apple finds itself at the centre of most security vs. privacy debates. Its decision, as always, will set the direction of the debate.
The initial plan was quite utopian.
Apple was setting up a system where it would scan iCloud photos to detect if they contained Child Sexual Abuse Material (CSAM). This was quite controversial. Read an article about it here. This was in August 2021.
Then, in December, Apple decided to halt the program.
A child safety NGO then asked Apple about it and Apple replied, explaining its logic. The article is interesting, not just because it details Apple’s thinking about the issue, but also because it is one of the few times we get a glimpse at what Apple is actually thinking.
Apple writes:
After having consulted extensively with child safety advocates, human rights organizations, privacy and security technologists, and academics, and having considered scanning technology from virtually every angle, we concluded it was not practically possible to implement without ultimately imperiling the security and privacy of our users.
Wired has been tracking this development over the years and has some insightful articles about it.
Take Action:
As an information security professional, like it or not, you are in the middle of the security vs. privacy debate. The recent UK encryption law that seeks to weaken encryption to ensure safety is one such debate.
Read the reply from Apple. It highlights some of the core issues about the dilemma. This will be useful when threat modelling your applications for security and privacy concerns.
Always cool to see OT / ICS get some love. This is definitely good news. Other than just the terminology, is there a notable difference between BAS and adversary emulation?