Cyber defences put to the test
The automotive group Bertel O. Steen has significantly ramped up its digital security practices in the last few years. This paid off, when hackers appeared in their systems.
In recent years, the Norwegian automotive group Bertel O. Steen has undergone significant transformation to accelerate their digital development.
Additionally, the group has undertaken an equally important internal reassessment of their digital security practices. This is already paying off.
“I have been asked about the worst possible outcome in the event of a cyber-attack. My response is always that this is aquestion for our business managers, as they will face the most significant consequences,” says Steingrim Soug, Head of Data Security at Bertel O. Steen.
Today, the group has a defined plan for managing security and defence-in-depth, a type of cyber-security in which several layers of control are used so that there’s always a back-up in place. However, not long ago, criminals were at their doorstep– charging in at full speed.
BERTEL O. STEEN
When the warning lights flash
“As we supply products to both the military and the police, we are likely to be more attractive targets for certain types of attacks.
This is a reality we have to deal with. We also experienced a specific incident that served as a significant eye-opener for many,”says Soug.
To most Norwegians, the name Bertel O. Steen is synonymous with cars. This is no surprise, given their over 100-year history of importing popular car brands – with their portfolio including cars from Mercedes-Benz, Kia, and the Stellant is brands.
However, the family group is also an important name within realestate, the defence industry, and the energy sector.
Hence, when 30 shops in one of their car dealership chains Mobile were affected by a massive cyber-attack in 2022, the people at Bertel O. Steen held their breath.
“When the news broke, many likely felt that the hackers had come too close for comfort. Mobile is an independent dealer within the Bertel O. Steen group and is therefore not directly connected to the same systems or networks. Still, it made the group’s top management react,” says Soug.
Following the extensive cyber-attack, the group conducted amaturity analysis and decided to upgrade their digital security.
Soug himself was hired to be Chief Information Security Officer(CISO), with responsibility for internal IT security.
This decision may have come in the nick of time, as it wasn’t long before the warning lights were flashing again.
Fortifying internal defences
Among the measures implemented by Soug and his team was the introduction of guidelines to make the group’s systems and network solutions more resilient in the event of an attack.
For several years, Bertel O. Steen has had an ongoing agreement with Telenor for the surveillance of their security platform. Telenor acts as the group’s Security Operation Centre (SOC), taking on the day-to-day responsibility for implementing security measures against external threats.
“We already had a strong security ‘shell’, which made it difficult to gain access to our network. Our challenge was that if someone managed to breach the first layer, there were too many open paths leading deeper into our network,” Soug explains.
The goal became to implement measures that would minimise the potential damage if a hacker managed to breach the outer layer of security.
However, for a large group like Bertel O. Steen, this isn’t achieved by simply pressing a few keys on the keyboard.
“Our entire structure is comprised of more than 3,000 full-time employees across over 100 companies. In our network we operate more than 6,000 different users and we have over 7,000 endpoints.
In addition, we manage several thousand operational technology(OT) units. Because of this, the network had to be divided into different zones, which allowed us to isolate a potential attack.
”This approach was also applied to their cloud solutions. Nothing was to operate with more than the necessary configurations and permissions, and the overall defence-in-depth security was to be strengthened.
“For instance, our encryption keys are now stored in different locations, making it impossible to lock the entire network from any single point within the system. This follows the same logic as not keeping the keys to all your cars in the same safe at the dealership,” says Soug.
If someone managed to breach the first layer, there were too many open paths leading deeper into our network.
Strengthened preparedness
Additionally, the emergency preparedness and contingency planning for IT security needed an upgrade. This was partially addressed by creating standard procedures for handling attacks or incidents.
Bertel O. Steen utilises an ISO-certified management system that covers their entire business. This means there are specific,formal requirements for how actions are to be performed and documented at all levels, including within IT and security.
“These procedures are part of the group’s overall crisis management plan, which outlines how different types of crises should be handled. The plan defines specific roles, each with its own tasks and areas of responsibility,” Soug explains.
Along with a clear specification of purpose and scope, the procedures include a detailed description of the CSIRT (Computer Security Incident Response Team), along with its members and functions. The procedures also outline how to alert and summon the crisis management team, and the key points that should always be covered in these meetings.
The group has also developed action cards, which describe the different roles in the crisis management team and their respective tasks.
“The action cards are essentially checklists detailing what to evaluate, what to remember for damage limitation, and the steps to take to ensure a return to operations and the resolution of the crisis,” Soug says.
The alarm bells sound However, as the work to implement the new measures and procedures is well underway, the alarm at the SOC suddenly goes off. Telenor has detected suspicious activity in one of the group’s login portals.
“We have a solution that allows users to sign in through a website that provides access to a range of applications. The system is designed so that users only see the applications they have permission to access,” Soug explains.
By mistake, the solution was momentarily downgraded, making it vulnerable to a security flaw known as Citrix Bleed. In principle,this means that a hacker could take control of an already signedin user, along with all their inherent permissions.
“We noticed that they had extracted a list of usernames from the login system and installed a couple of trojans, malware hidden inlegitimate applications. Fortunately, the security systems quickly detected the trojans, and they were automatically removed.”
When you are in the middle of an attack, the situation can feel quite stressful. This is where management systems and action cards come in handy.
The hackers then attempted to sign in to the different applications in the portal. However, they were thwarted by the two-factor authentication requirement.
“When you are in the middle of an attack, the situation can feel quite stressful. This is where management systems and action cards come in handy. They provide an opportunity to double-check what you are supposed to do in any given situation,” Soug says.
Today, both the operations and IT departments at Bertel O. Steen have their own incident response teams that handle issues and report to the group’s overall emergency response team.
“One of the defined roles in our procedures is that of a log-keeper.
This role has a single task: to log all decisions made and the reasoning behind them. This is incredibly important for evaluating our crisis management after the crisis.
”Bertel O. Steen’s action card for IT security incidents states that systems that are hacked or infected should not be restarted, but isolated. The reason for this is that restarting a system often initiates a standardised setup, which deletes all logs and applications installed on the server.
“Sadly, a mistake was made in this instance. The incident was interpreted as an operating error rather than a security error. The instruction for operating errors is to restart to recover quickly.
This made it difficult to uncover exactly what had happened and complicated the handling of the situation.
”If Bertel O. Steen had isolated the portal instead, which they had the opportunity to do through the zoning of the network, all the digital traces would have been available after the incident.
Without multi-layer security, the hackers could have easily penetrated deep into the network. There, they could have potentially deleted or downloaded all the customer data in the group or encrypted all their systems.
Soug believes the consequences could have been catastrophic.
Ultimately, IT security is about business operations. If your systems are affected, it can have a direct impact on both earnings and customer relations.
Thinking holistically
“Over the next few weeks, we observed thousands of log-in attempts from places like Russia and Bulgaria. Luckily, these largely consisted of blind password guessing, and we saw that they started to give up after a while.”
“It is easy to develop guidelines and procedures but implementing them takes time. A structured approach is essential. We now have a security strategy with defined goals for where we should be within two years, encompassing both technical and organisational objectives.
”Soug believes it is no longer possible to solve security challenges one by one.
“You have to think holistically. This means that the guidelines need to include everything from hardening—making devices and services more secure by changing their configurations or removing functionality—to training users and obtaining cyber insurance.”
“Ultimately, IT security is about business operations. If your systems are affected, it can have a direct impact on both earnings and customer relations. If the systems shut down completely,we are talking about losses in the millions for each passing hour.”
“If they are down long enough, it could mean that we lose our most important customers,” Soug concludes.