ICS Companies Are Worried About Cybersecurity, But Are They Worried About Right Things?

http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html

The equipment was expected to be installed and left alone for a long time. Pressures to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not for security in an ICS environment. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment.

ICS vendors’ traditional development model didn’t accommodate regular patches and updates, so it is quite likely that companies with ICS equipment are forced to consider security tools other than vulnerability scanning and patch management.

Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months. 

“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”

266 Comments

  1. Tomi Engdahl says:

    Malware on ICS Increasingly Comes From Internet: Kaspersky
    https://www.securityweek.com/malware-ics-increasingly-comes-internet-kaspersky

    Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.

    According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.

  2. Tomi Engdahl says:

    ThreatList: Attacks on Industrial Control Systems on the Rise
    https://threatpost.com/threatlist-attacks-on-industrial-control-systems-on-the-rise/137251/

    The main source of infection on industrial control systems was the internet, researchers at Kaspersky Lab found in a new report.

    The systems that power the manufacturing, power and water plants, the oil and gas industry, and many other sectors are increasingly in the crosshairs of cyber-attackers: A full 41.2 percent of industrial control system (ICS) computers were attacked by malicious software at least once in the first half of 2018.

    That’s according to Kaspersky Lab, which analyzed telemetry information from customers using industrial automation computers through the end of June. The data indicates a consistent rise in the percentage of attacks on this segment; the year-ago data showed the percentage of ICS computers attacked to be 36.61 percent; that then ticked upward to 37.75 percent in the second half of 2017.

  3. Tomi Engdahl says:

    How To Protect Tomorrow’s Critical Infrastructure
    https://pentestmag.com/how-to-protect-tomorrows-critical-infrastructure/

    Cyber security is therefore one of the key concerns for those who manage modern manufacturing plants as well as any form of critical infrastructure. One of the only ways to safeguard these facilities now and in the future is by providing standardized protection measures.

    Efficient security processes and procedures cover the whole value chain, from the manufacturers of automation technology to machine and system builders and installers as well as the operators themselves.

  4. Tomi Engdahl says:

    IT Versus OT Patching, Explained
    https://www.eetimes.com/author.asp?section_id=36&doc_id=1333711

    Last December, a new type of malware targeting industrial processes struck an unnamed critical infrastructure facility.

    The TRITON/TRISIS malware was the first designed to attack an industrial plant’s physical safety control systems, called a safety instrumented system (SIS). After the attack, several industrial cybersecurity firms provided detailed analyses of the attack and the malware.

    The following explanation of the differences in software patching between information technology (IT) and operational technology (OT) environments is given in this context.

    How is the patching process different for ICS environments compared to IT environments?

    Industrial control system (ICS) environments are radically different from IT environments when it comes to patching.

    Because ICS control large-scale physical processes like petroleum refining pumps and fuel storage tanks that run 24/7, they can typically be updated only during scheduled maintenance periods — usually once a quarter or twice a year. Additionally, this is legacy equipment that was installed 15 or more years ago, and any patches must carefully be tested before deployment.

    The situation was even more complex in the TRITON case because that attack exploited a zero-day vulnerability in the SIS PLC firmware, which resides at the innermost level of the software stack that runs these devices.

    How quickly can ICS systems be updated compared to how fast malware can be repurposed by other malicious actors?

    It’s clear that the attackers in the TRITON case had intimate knowledge of the exact model and firmware revision level of the PLC.

    This implies that, as time goes by, attacks on the industrial side of the business become more and more common as the knowledge of attack methods propagates while the networks remain vulnerable. The best way to resolve that gap is to have defense-in-depth including continuous monitoring and threat simulation.

    How can OEMs protect against these types of attacks?

    Due to the “insecure-by-design” nature of legacy protocols, combined with the difficulty of regularly patching ICS systems, organizations should implement compensating controls and defense-in-depth beyond simple perimeter security.

    Continuous network monitoring can be used to immediately detect anomalous or unauthorized activity that indicates that an attacker has breached the OT network and is now performing reconnaissance and attempting to compromise devices.

    Another technology that can help is automated ICS threat modeling, which enables organizations to prioritize patching and mitigation efforts based on the risk to their most critical “crown-jewel” assets because it isn’t possible to patch everything.

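The interview above recommends continuous network monitoring that flags reconnaissance and unauthorized activity on the OT network. The following is an added example (not code from EE Times or any vendor mentioned on this page) of the simplest form of that idea: a baseline of known conversations learned during normal operation, and alerts for anything outside it. The subnet, ports, engineering-workstation address, and the flow records themselves are constructed for the example and are assumptions, not data from a real site. It also covers egress control (OT hosts talking to addresses outside the plant's internal ranges), since remote-access beacons are a common follow-on to a compromise.

```python
"""Baseline-driven anomaly detection over OT network flow records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed plant addressing for this example.
OT_NET = ipaddress.ip_network("10.10.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONTROL_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip"}
MODBUS_WRITE_CODES = {5, 6, 15, 16}      # write single/multiple coils and registers
ENGINEERING_HOSTS = {"10.10.1.10"}        # hosts permitted to write to PLCs (assumed)
SCAN_THRESHOLD = 5                        # distinct control endpoints per source before alerting


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    fc: Optional[int] = None   # Modbus function code, when the flow is Modbus/TCP


# Constructed baseline: conversations seen during a learning period.
BASELINE: Set[Tuple[str, str, int]] = {
    ("10.10.1.10", "10.10.2.1", 502),   # engineering workstation -> PLC 1
    ("10.10.1.10", "10.10.2.2", 502),   # engineering workstation -> PLC 2
    ("10.10.1.20", "10.10.2.1", 502),   # HMI polling PLC 1
}


def is_external(ip: str) -> bool:
    """True if the address is outside every internal range we assume for the plant."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(flows: List[Flow], baseline=BASELINE) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts for flows that fall outside the learned baseline."""
    alerts: List[Tuple[str, str]] = []
    targets_by_src = defaultdict(set)
    for f in flows:
        key = (f.src, f.dst, f.dport)
        if ipaddress.ip_address(f.src) in OT_NET and is_external(f.dst):
            alerts.append(("egress", f"{f.src} -> {f.dst}:{f.dport} leaves the plant networks"))
        if f.dport in CONTROL_PORTS:
            targets_by_src[f.src].add(f.dst)
            if key not in baseline:
                alerts.append(("new_conversation",
                               f"{f.src} -> {f.dst}:{f.dport} ({CONTROL_PORTS[f.dport]}) not in baseline"))
        if f.dport == 502 and f.fc in MODBUS_WRITE_CODES and f.src not in ENGINEERING_HOSTS:
            alerts.append(("unauthorized_write", f"{f.src} sent Modbus function {f.fc} to {f.dst}"))
    # A single source touching many control endpoints looks like reconnaissance.
    for src, targets in targets_by_src.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("scan", f"{src} contacted {len(targets)} control endpoints"))
    return alerts


# Constructed flow records: two normal flows, then an unknown host sweeping the PLC segment.
SAMPLE_FLOWS = [
    Flow(1, "10.10.1.10", "10.10.2.1", 502, fc=16),   # engineering write, in baseline
    Flow(2, "10.10.1.20", "10.10.2.1", 502, fc=3),    # HMI read, in baseline
    Flow(3, "10.10.1.77", "10.10.2.1", 502, fc=3),    # unknown host reads PLC 1
    Flow(4, "10.10.1.77", "10.10.2.2", 502, fc=6),    # unknown host writes a register
    Flow(5, "10.10.1.77", "10.10.2.3", 102),
    Flow(6, "10.10.1.77", "10.10.2.4", 20000),
    Flow(7, "10.10.1.77", "10.10.2.5", 44818),
    Flow(8, "10.10.1.77", "203.0.113.9", 443),        # outbound to a documentation-range address
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_FLOWS):
        print(f"[{rule}] {detail}")
```

Run on the sample flows, the unknown host 10.10.1.77 produces five new-conversation alerts, one unauthorized write, one scan alert and one egress alert, while the two baseline flows are silent. In practice the baseline would be learned from captured traffic over a full maintenance cycle rather than hand-written, and tuned so that legitimate engineering changes do not page anyone.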
  5. Tomi Engdahl says:

    The Day When the Industrial IoT Gets Hacked
    https://www.eetimes.com/document.asp?doc_id=1333710

    The more devices that get connected to the industrial internet of things (IIoT) networks, the more that those networks get hacked and attacked. Cyberattacks of all kinds used to be directed mostly at IT networks but not anymore. Many of today’s attackers are going after the industrial control system (ICS) and operational technology (OT) side of the IIoT.

    Here, the threats are potentially larger and much more damaging, from ransomware demands to industrial espionage to altering production process code that can change industrial robot safety levels, affect product contents and manufacturing yields, or even cause massive damage.

    From the design engineer’s point of view, effective cybersecurity for ICS and everything else in a firm’s IIoT comprises two different but related efforts:

    - On one hand, designing security into an embedded device that forms all, or part of, an IIoT endpoint
    - On the other hand, acquiring and managing cybersecurity technology that protects those devices as they are manufactured in the engineer’s company and as they, and other IIoT devices, are deployed on the company’s factory floor and throughout the plant

  6. Tomi Engdahl says:

    Industrial networks in need of RAT control
    https://www.kaspersky.com/blog/rats-in-ics/23949/

    Remote Administration Tools (RATs) have always been controversial. Yes, they let people avoid direct access to hardware, but at the same time, they put computer systems at risk by opening remote access to equipment. In an industrial environment, remote access is especially dangerous, and so our colleagues from KL ICS CERT undertook a study on how widespread RATs are on industrial computers and what harm they can cause.

  7. Tomi Engdahl says:

    Legitimate RATs Pose Serious Risk to Industrial Systems
    https://www.securityweek.com/legitimate-rats-pose-serious-risk-industrial-systems

    Remote administration tools (RATs) installed for legitimate purposes in operational technology (OT) networks can pose a serious security risk, allowing malicious actors to abuse them in attacks aimed at industrial organizations, Kaspersky Lab warns.

    A report published on Friday by the security firm reveals that, on average, in the first half of 2018, legitimate RATs were found on more than two-thirds of computers used for industrial control systems (ICS).

    The highest percentage of ICS computers with RATs was found in Kazakhstan, where over half of all analyzed systems had a remote admin tool installed. In the United States, 29% of the devices monitored by Kaspersky had a legitimate RAT. It’s worth noting that this does not include the remote desktop tool found by default in Windows.

    Industrial organizations may use RATs to control or monitor HMIs or SCADA systems from a workstation, to connect multiple operators to one workstation, or connect computers on the corporate network to devices on the OT network.

    “Some of [these scenarios] indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes,” Kaspersky researchers said.

  8. Tomi Engdahl says:

    Understand network security: public key encryption and industrial automation
    https://www.controleng.com/single-article/understand-network-security-public-key-encryption-and-industrial-automation/095cbe779ce8ccaeeb0b639d61b6e754.html?OCVALIDATE=

    Remove unnecessary fear, take a proactive approach to network security as the Internet of Things (IoT) continues to rapidly expand.

  9. Tomi Engdahl says:

    How much control goes to the cloud?
    https://www.controleng.com/single-article/how-much-control-goes-to-the-cloud/41585c7f36c6369fc21e84cbbe7123b6.html?OCVALIDATE=

    Cloud computing is gaining ground as industrial plants become more efficient, but it’s important to recognize where computing is needed and where it should be taking place.

  10. Tomi Engdahl says:

    Using Compliance as a Springboard to Better OT Cybersecurity
    https://www.securityweek.com/using-compliance-springboard-better-ot-cybersecurity

    Although regulations may feel like a burden, their influence should be viewed as wholly positive. Firstly, they establish norms and standards, a baseline for good practice which individual companies can use to set their own benchmarks. Secondly, they raise public awareness of these standards so that customers can hold corporates to account when they don’t meet them.

    When it comes to critical infrastructure, there are many international bodies that have developed regulatory frameworks and standards for OT cybersecurity. They all differ slightly, but the overall aims are the same: to promote best practice security standards and ensure that they are followed with a punitive enforcement regime for those who fail to meet them.

    This global corpus of laws is evolving and is predominantly led by the EU with its Network and Information Systems Regulation 2018 (NIS Directive), and the US. In the latter, the NERC Critical Information Protection (CIP) standards, which can be used to impose fines of up to a million dollars a day for security breaches in the power industry, are among the best-established cybersecurity rules in the world, while newer initiatives such as the NIST Cybersecurity Framework are more comprehensive.

    Preparing for NIS – Europe’s First Dedicated Cybersecurity Law
    https://www.securityweek.com/preparing-NIS-Directive-europes-first-dedicated-cybersecurity-law

  11. Tomi Engdahl says:

    Why the IIoT is So Vulnerable to Cyberattacks
    https://www.eetimes.com/document.asp?doc_id=1333693&&utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=66416888&_hsenc=p2ANqtz–Xnmp6VINxfo241_kjT_rv8IftwNKZZ__5DI3HyfM9t_e-lGHb8-3yoJYYMPHLd4e5N02bEHzOLIq44–JmErl7tTMC8-7XDDnDkj0eo7zu5WwKDg&_hsmi=66416888

    We are seeing a number of attacks both on industrial control systems (ICS) and on the operational technology (OT) side of the industrial IoT (IIoT) with increasing frequency.

    Why is the IIoT so vulnerable to cyberattacks?

    We talked to ICS and OT specialists at major cybersecurity solutions providers, as well as key industry analysts, to suss out the answers.

    The consensus was a list of several elements that have combined to create a perfect storm over the last few years:

    - a big increase in the number of sensors and devices being connected to each organization’s IIoT, forming a huge potential attack surface
    - decades-old OT equipment and control systems never designed for exposure to the internet and, therefore, not designed for security
    - a patchwork of OT and control systems from multiple vendors running proprietary and non-updatable software, including human-machine-interface (HMI) computers with access to remote terminal units (RTUs), SCADA masters (supervisory control computers), and programmable logic controllers (PLCs)
    - poor or absent cybersecurity practices and technology, including a lack of either designed for the very different ICS/OT environment, not the IT environment
    - lack of budgets, or insufficient budgets, for implementing cybersecurity awareness, monitoring, and prevention technology
    - a steep escalation in the numbers and types of attackers

  12. Tomi Engdahl says:

    Constructing the Future of ICS Cybersecurity
    https://www.darkreading.com/perimeter/constructing-the-future-of-ics-cybersecurity/d/d-id/1332995

    As industrial control systems are connected to the cloud and the IoT, experts discuss security challenges.

    (ISC)² SECURITY CONGRESS – New Orleans – Technology is accelerating and industry is catching up. As industrial control systems (ICS) are connected to the Internet of Things and send data to the cloud, experts have begun to anticipate the security implications.

    The IoT is growing and now it’s moving into the industrial space, said Graham Speake, senior ICS manager at Accenture, during a presentation at (ISC)² Security Congress held this week in New Orleans. As it does, security pros have to think about securing the data their systems handle.

    “Industry is always a bit slow,” he explained, pointing to the oil and gas industry as an example. If you told those firms six to seven years ago that they would be sending data to the cloud, they would have been hesitant to believe you, said Speake. Now, “industry is catching up.”

    The number of devices is increasing 10% each year, he continued, and the world is expected to have 20+ billion devices by 2020. While many of these connected devices will be for personal use, a growing amount will be seen in industry, where machines are being connected to the cloud and more employees are using wearables, both for productivity and safety.

  13. Tomi Engdahl says:

    ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field
    https://www.fireeye.com/blog/threat-research/2018/10/ics-tactical-security-trends-analysis-of-security-risks-observed-in-field.html

    Most Common High and Critical Security Risks in ICS Environments

    FireEye iSIGHT Intelligence organized the critical and high security risks identified during Mandiant ICS Healthchecks into nine unique categories (Table 1). The three most common were:

    - Vulnerabilities, Patches, and Updates (32 percent)
    - Identity and Access Management (25 percent)
    - Architecture and Network Segmentation (11 percent)

    In most of these cases, basic security best practices would be enough to stop (or at least make it more difficult for) threat actors to target an organization’s systems. The implications are vast because specialized malware or actors targeting infrastructure would likely look for these flaws first to exploit throughout the targeted attack lifecycle.

  14. Tomi Engdahl says:

    IEC 61850: Are Your Substations Secure?
    https://applied-risk.com/blog/iec-61850-are-your-substations-secure

    In a rapidly growing world, the demands for substation automation are increasing. The need for cyber security and the deployment of IEC 61850 have been key topics changing the Substation Automation Systems landscape. The interconnectivity and level of grid automation, as well as IT/OT convergence, are introducing a new era of challenges for electrical facilities. In the meantime, security issues for the power industry have become an increasingly important topic internationally, particularly in light of the Ukrainian electric grid hack.

    The IEC 61850 protocol standard enables interaction with other systems.

    This article covers the security specifications of the IEC 61850 standard with a focus on vulnerabilities in the communication protocols and proposed countermeasures.

    Substation networks are often segregated from business networks, and should not be exposed to public networks or the Internet. This physical separation acts as a first line of defense to mitigate multiple attack scenarios, and should be maintained with care.

    As part of the IEC 61850, protocol gateways are often used to limit the amount of data that will leave the substation.

    The protocol gateway acts as a buffer between the external network and the internal one. Therefore, this gateway should not be relied upon as a security control without thorough security testing.

    In the meantime, implementation of TLS encryption for IEC 61850-8-1 (MMS) is provided by the IEC 62351-4 standard. The advantage of this is that the connection can be authenticated, the channel can be encrypted and/or messages can be signed to ensure the integrity of the communication. However, the technical implementation of TLS for IEC 61850 may vary between vendors, and might not always work, as the IEC 62351-4 standard is subject to interpretation on various technical details, and is not yet widely adopted by the industry.

    The bad & the ugly

    IEC 61850 has several security deficiencies that could be leveraged by skilled attackers to compromise the system, which could result in a blackout. The following key areas should be considered when adopting IEC 61850:

    - Hardcoded functions: IEC 61850 contains powerful functions that can cause unexpected events to occur.

    - Authentication: Authentication is available embedded in the IEC61850 MMS based protocol. However, the implementation is not widely supported, and uses plain-text passwords.

    - Key management: Key management introduces additional risk.

    - Firmware integrity: The firmware is usually not signed.

    - Message Integrity (GOOSE): GOOSE protocol does not have any means to authenticate a publisher. This means that anyone on the network is able to impersonate a publisher.

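The last bullet above is the one a subscriber can do something about on its own: GOOSE carries no publisher authentication, so any host on the substation LAN can publish in another device's name. The following added example (not code from Applied Risk or any IEC implementation) shows what a subscriber needs in order to reject both forged and replayed publications: an integrity tag over the authenticated fields, and a check that the stNum/sqNum pair advances. The message layout is a simplified stand-in for a GOOSE PDU, the goID string and the key are constructed values, and the HMAC tag is an assumption for the example: IEC 62351-6 specifies digital signatures in the GOOSE extension field, which an HMAC only approximates, since every holder of a shared key could also publish.

```python
"""Authenticating GOOSE-style publish/subscribe messages (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

AUTHENTICATED_FIELDS = ("goID", "stNum", "sqNum", "timestamp", "data")


def canonical(msg: Dict) -> bytes:
    """Deterministic encoding of the fields covered by the tag (stand-in for ASN.1 BER)."""
    fields = {k: msg[k] for k in AUTHENTICATED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def publish(key: bytes, goID: str, stNum: int, sqNum: int, timestamp: int, data: list) -> Dict:
    """Build a message and attach an HMAC-SHA256 tag (assumption: the standard uses signatures)."""
    msg = {"goID": goID, "stNum": stNum, "sqNum": sqNum, "timestamp": timestamp, "data": data}
    msg["tag"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Subscriber:
    """Accepts a publication only if its tag verifies and its counters move forward."""

    def __init__(self, key: bytes):
        self.key = key
        self.last: Dict[str, Tuple[int, int]] = {}   # goID -> last accepted (stNum, sqNum)

    def accept(self, msg: Dict) -> Optional[str]:
        """Return None when the message is accepted, otherwise the rejection reason."""
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "bad tag"
        # In GOOSE, stNum increments on a data change and sqNum restarts at 0, while
        # retransmissions keep stNum and increment sqNum; tuple order captures both.
        current = (msg["stNum"], msg["sqNum"])
        previous = self.last.get(msg["goID"])
        if previous is not None and current <= previous:
            return "replay"
        self.last[msg["goID"]] = current
        return None


def demo() -> List[Optional[str]]:
    """Walk a subscriber through a normal sequence, a forgery and a replay; return its decisions."""
    key = b"constructed-shared-key-for-example"
    go_id = "PROT1/LLN0$GO$gcb01"   # constructed control block reference
    sub = Subscriber(key)
    results = []
    m1 = publish(key, go_id, 1, 0, 1000, [False, 0])
    results.append(sub.accept(m1))                  # initial state: accepted
    m2 = publish(key, go_id, 1, 1, 1000, [False, 0])
    results.append(sub.accept(m2))                  # retransmission: accepted
    tampered = dict(m2, data=[True, 1])             # data altered without the key
    results.append(sub.accept(tampered))            # "bad tag"
    results.append(sub.accept(m1))                  # old message again: "replay"
    m3 = publish(key, go_id, 2, 0, 1050, [True, 1])
    results.append(sub.accept(m3))                  # genuine state change: accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence check matters as much as the tag: without it, a recorded but validly tagged trip message could be played back later. What this stand-in cannot give is non-repudiation between subscribers, which is why the standard's asymmetric signatures, with the key-management burden the article lists, are the intended mechanism.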
  15. Tomi Engdahl says:

    IEEE Program Tackles Challenges of Ethics in Automation
    https://associationsnow.com/2018/10/ieee-program-aims-tackle-challenges-ethics-automation/

    The Ethics Certification Program for Autonomous and Intelligent Systems, announced by the IEEE Standards Association this week, will develop standards for reliability and safety of products and services that use artificial intelligence and automation technology.

    Automation technology is moving fast, and a new certification program from IEEE aims to ensure that the ethical elements keep up with the tech.

    This week, the IEEE Standards Association (IEEE-SA) announced the creation of the Ethics Certification Program for Autonomous and Intelligent Systems (ECPAIS), which will focus on building processes for ensuring standards in autonomous technology. The program, which complements IEEE’s P7000 standards for addressing ethical concerns in technology, will focus on issues of transparency, accountability, and algorithmic bias.

  16. Tomi Engdahl says:

    Feds Investigate After Hackers Attack Water Utility
    https://www.securityweek.com/feds-investigate-after-hackers-attack-water-utility

    Federal and state officials are working with a North Carolina water utility after hackers attacked some of its computer systems.

    The head of the Onslow Water and Sewer Authority said in a news release Monday that its internal computer system, including servers and personal computers, were subjected to what was characterized as “a sophisticated ransomware attack.”

    CEO Jeffrey Hudson said while customer information wasn’t compromised in the attack, many other databases have to be recreated. He added that the FBI, the Department of Homeland Security and the state of North Carolina have been called in.

    Hudson said the utility began experiencing virus attacks from a malware system on Oct. 4. He said it was believed the virus was brought under control, but security specialists were called when the problem persisted.

  17. Tomi Engdahl says:

    Cyber Security for Manufacturing
    https://www.eef.org.uk/resources-and-knowledge/research-and-intelligence/industry-reports/cyber-security-for-manufacturers

    Nearly half of manufacturers have been the victim of cyber-crime, with the sector now the third most targeted for attack, according to a new report published today.

    This report, published by EEF and AIG and carried out by The Royal United Services Institute (RUSI), pinpoints the susceptibility of manufacturers to cyber risk, revealing that 41 per cent of companies do not believe they have access to enough information to even assess their true cyber risk. And 45 per cent feel that they do not have access to the right tools for the job.

    Cyber threat is holding back companies from investing in digital technologies, with a third of those surveyed nervous of digital improvement. Moreover, a worryingly large 12 per cent of manufacturers admit they have no technical or managerial processes in place to even start assessing the real risk.

  18. Tomi Engdahl says:

    ICS Security Plagued with Basic, Avoidable Mistakes
    https://threatpost.com/ics-security-plagued-with-basic-avoidable-mistakes/138273/

    A survey of ICS security posture found outdated firewalls, improper segmentation, password mistakes and more.

    At least 33 percent of the security issues found in industrial control systems (ICS) are rated as being of high or critical risk.

    FireEye iSIGHT Intelligence compiled data from dozens of ICS security health assessment engagements performed by its Mandiant division, and found that these issues include unpatched vulnerabilities (32 percent); password issues (25 percent); and problems with architecture and network segmentation (11 percent).

  19. Tomi Engdahl says:

    TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
    https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

    TRITON Intrusion Demonstrates Russian Links; Likely Backed by Russian Research Institute

    FireEye Intelligence assesses with high confidence that the intrusion activity that led to the deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow.

  20. Tomi Engdahl says:

    How to design secure remote-controlled operations
    https://www.controleng.com/single-article/how-to-design-secure-remote-controlled-operations/aeb78012c3b45e073634fc001f94d9c8.html?OCVALIDATE=

    Six tips can help with cybersecurity and remote-controlled or remote-monitoring applications for industrial control systems (ICSs).

    Providing remote access to anyone—vendors, contractors or the most valued customers—can be very risky business, yet it’s often promoted as a way to help shorten unplanned downtime with remote troubleshooting. One means of risk reduction is two-factor authentication technology, which is designed to enable secure connectivity and future-proof breach prevention across an organization.

    For cybersecurity awareness, just ask the folks at Target, Sony and the U.S. Office of Personnel Management (OPM). They were breached as a result of the theft of credentials of an extranet user—earning their place on CSO’s list of the biggest data breaches of the 21st century.

    These types of attacks aren’t contained to enterprises. The Wall Street Journal reported that when Russian hackers infiltrated the control rooms of U.S. utilities in 2017, blackouts were potentially caused after the networks of trusted vendors were penetrated.

    Yet, in an industrial environment, with systems located remotely or spread across multiple organizations’ responsibilities, maintaining mission-critical operations depends on providing extranet access. Gaps in security infrastructures arise when companies prioritize productivity over security and are reluctant to add security measures as they’ll make individuals jump through hoops to get to the needed information.

    However, when it’s impossible to control all components involved in a connection, this provides an open invitation for attackers to steal credentials, often through malware techniques on a machine that does not belong to the hosting organization.

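The comment above names two-factor authentication as the main risk reduction for extranet access, where a stolen password alone should not be enough. The following added example (not code from Control Engineering or from any 2FA vendor) implements the time-based one-time password algorithm of RFC 6238 in standard-library Python and wraps it in a verifier that also refuses to accept the same code twice, which is the part most home-grown implementations forget. The secret and the user name are constructed values; the RFC's own SHA-1 test vector is used to show the code generation is correct.

```python
"""RFC 6238 TOTP generation and single-use verification (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


class RemoteAccessVerifier:
    """Second factor for an extranet login: accepts a code once, within a small clock window."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.secrets: Dict[str, bytes] = {}         # user -> enrolled TOTP secret
        self.last_counter: Dict[str, int] = {}      # user -> highest counter already used

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def matching_counter(self, user: str, code: str, timestamp: int) -> Optional[int]:
        """Return the time-step counter whose code matches, or None. Tolerates +/- window steps."""
        secret = self.secrets.get(user)
        if secret is None:
            return None
        base = timestamp // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                return counter
        return None

    def verify(self, user: str, code: str, timestamp: int) -> bool:
        """True only for a correct, not-yet-used code. Replays of an accepted code fail."""
        counter = self.matching_counter(user, code, timestamp)
        if counter is None:
            return False
        if counter <= self.last_counter.get(user, -1):
            return False
        self.last_counter[user] = counter
        return True


if __name__ == "__main__":
    # Constructed enrollment for demonstration.
    v = RemoteAccessVerifier()
    v.enroll("vendor-tech", b"constructed-example-secret")
    now = 1_540_000_000
    code = totp(b"constructed-example-secret", now)
    print("first use:", v.verify("vendor-tech", code, now))     # True
    print("replayed:", v.verify("vendor-tech", code, now + 5))   # False
```

The single-use rule closes the gap the article describes: credentials captured on a machine the hosting organization does not control are only as dangerous as their reuse window, and a code that is consumed on first use has none. The verifier's clock window should stay small, and the secret must be stored as carefully as a password hash would be.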
  21. Tomi Engdahl says:

    ICS Networks Continue to be Soft Targets For Cyberattacks
    CyberX study shows that many industrial control system environments are riddled with vulnerabilities.
    https://www.darkreading.com/vulnerabilities—threats/ics-networks-continue-to-be-soft-targets-for-cyberattacks/d/d-id/1333119?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

    ICS security vendor CyberX recently analyzed one year’s worth of data gathered from 850 production ICS networks across multiple sectors, including energy, utilities, manufacturing, pharmaceuticals, and chemicals.

    The exercise showed that a high percentage of organizations that operate ICSes are less safe than generally perceived and are not adequately addressing critical security issues.

    “Most OT organizations are serious about security practices but hampered by the age and design of legacy networks,” says Phil Neray, vice president of industrial cybersecurity at CyberX. “But that doesn’t mean nothing can be done.”

  22. Tomi Engdahl says:

    USB Drives Deliver Dangerous Malware to Industrial Facilities: Honeywell
    https://www.securityweek.com/usb-drives-deliver-dangerous-malware-industrial-facilities-honeywell

    Malware is still being delivered to industrial facilities via USB removable storage devices and some threats can cause significant disruptions, according to a report published on Thursday by Honeywell.

    The industrial giant last year launched SMX, a product designed to protect facilities from USB-born threats, and the company has also been using it to determine the risk posed by USB drives to such organizations.

    Honeywell has analyzed data collected from 50 locations across the United States, South America, Europe and the Middle East. The enterprises whose systems were part of the study represented the energy, oil and gas, chemical manufacturing, pulp and paper, and other sectors.

    Honeywell said its product had blocked at least one suspicious file in 44% of the analyzed locations. Of the neutralized threats, 26% could have caused major disruptions to industrial control systems (ICS), including loss of control or loss of view.

    Furthermore, Honeywell says 16% of the detected malware samples were specifically designed to target ICS or IoT systems, and 15% of the samples belonged to high profile families such as Mirai (6%), Stuxnet (2%), Triton (2%), and WannaCry (1%).

  23. Tomi Engdahl says:

    Cyberattacks Against Energy Sector Are Higher Than Average: Report
    https://www.securityweek.com/cyberattacks-against-energy-sector-are-higher-average-report

    Even if OT Systems Are Not Compromised, Cyberattacks Against IT Networks of Energy Suppliers Are Common

    Attacks against critical infrastructure industries such as those targeting the energy supply — actual and potential — are rarely out of the news. Russia and Russian state actors are the probable aggressors. But we are still in the Cold War era of attacks against energy utilities. There has been no cyber related-successful attack against the supply of energy in the United States.

  24. Tomi Engdahl says:

    ICS Devices Vulnerable to Side-Channel Attacks: Researcher
    https://www.securityweek.com/ics-devices-vulnerable-side-channel-attacks-researcher

    Side-channel attacks can pose a serious threat to industrial control systems (ICS), a researcher warned last month at SecurityWeek’s ICS Cyber Security Conference in Atlanta, GA.

    Demos Andreou, a lead engineer at power management company Eaton, has conducted an analysis of protection devices typically used in the energy sector, specifically in power distribution stations.

    While side-channel attacks have been known for a long time, few research papers describe their impact on industrial systems.

    Andreou said he conducted successful experiments on protection devices from three major vendors, but he believes products from other companies are affected as well if the microprocessors they use are vulnerable to these types of attacks.

    While the tested devices are 5-10 years old, the researcher says newer products likely have the same vulnerabilities.

    In the case of the analyzed protection devices, an attacker can extract the encryption key and use it to make configuration changes. Since these systems are used to protect the power grid, changing their settings can have serious consequences, Andreou told SecurityWeek.

    A malicious actor could cause the system to fail or have it send false data back to its operator.

    Conducting an attack could take hours, most of which involves physical preparation (e.g., opening the targeted device, connecting sensors). The software part of the attack is much faster and the key can be obtained in a matter of minutes.

  25. Tomi Engdahl says:

    USB threat vector trends and implications for industrial operators
    https://www.helpnetsecurity.com/2018/11/02/industrial-usb-threats/

    The findings

    The threats targeted a wide variety of industrial sites, including refineries, chemical plants and pulp-and-paper manufacturers.

    Trojans were the most pervasive – 55% of all the malware detected – followed by bots (11%), hacktools (6%) and Potentially Unwanted Applications (5%).

    15 percent of the threats detected and blocked were well-known threats such as Mirai (6%), Stuxnet (2%), TRITON (2%), and WannaCry (1%).

    26 percent of the detected threats were capable of significant disruption by causing operators to lose visibility or control of their operations, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.

    9% of the threats were designed to directly exploit USB protocol or interface weaknesses, and some were able to attack the USB interface itself.

    “2% were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realistic threats to industrial operators,” the researchers pointed out.

    Advice for industrial administrators

    Their advice to companies that run ICSes is to:

    Regularly update systems, AVs and other security solutions in use
    Improve USB security
    Tightly control outbound network connectivity (“The attack types here reveal a tendency for hackers to establish remote access, and to download additional payloads as needed.”)
    Patch and harden end nodes.
    Preempt loss due to ransomware by maintaining regular backups and having a tested recovery process in place.

    Reply
  26. Tomi Engdahl says:

    What the Onslow Water and Sewer Authority Can Teach About Responsible Disclosure
    https://www.securityweek.com/what-onslow-water-and-sewer-authority-can-teach-about-responsible-disclosure

    Critical Infrastructure Operators Must Plan for Scenarios in Which a Physical and Cyber Event Occur Simultaneously

    This case study is worth exploring in more detail for several reasons. First, it is commendable to see such a swift, responsible, and transparent disclosure by the water utility. Second, the fact that the malware did not bleed into ONWASA’s OT networks is indicative of either luck, good cyber hygiene, or a combination of both. And lastly, the proximity of the attack’s timing to Hurricane Florence highlights the degree to which incident response plans must account for physical and environmental conditions.

    Let’s delve deeper into each one of these points.

    Swift, Responsible, and Transparent Disclosure

    As mentioned, ONWASA first discovered the malicious activity on October 4th. The malware EMOTET, a known trojan that typically targets the financial sector, was persistent on their network and ultimately launched the Ryuk ransomware on October 13th. Just two days later, ONWASA’s CEO, Jeffrey Hudson, released a detailed press release outlining the background of the infection and the steps taken by the utility to mitigate what he described as a “targeted” operation carried out by cyber criminals. By this point, at least some of their customers were undoubtedly experiencing problems interfacing with the utility, either online or otherwise. Hudson’s statements were critical to assuaging any concerns among ONWASA’s customers that the water supply was threatened or dangerous to consume. He drew a clear distinction between ONWASA’s business operations and their water operations.

    Containing the Incident

    Part of the reason the messaging was so successful in this instance is because the scope of the incident was limited to business services. In cases of ransomware impacting organizations with a sizeable OT footprint, such as public utilities, containing the incident is usually a product of good cyber hygiene, luck, or some combination thereof.

    Timing is Everything

    Finally, perhaps the most consequential part of this story is that the attack occurred relative to Hurricane Florence, the Category 4 storm that struck the Carolinas less than a month earlier in September and brought more than 35 inches of rain. The aftermath of such a storm is perhaps the most critical time for a water and sewage utility like ONWASA. Their operations are fundamental to ensuring the health and safety of citizens during the recovery process.

    Fortunately, in this case, water and wastewater services were not disrupted and ONWASA’s plants were capable of operating manually until the affected systems were restored. This highlights two critical points.

    Reply
  27. Tomi Engdahl says:

    Siemens Releases 7 Advisories for SIMATIC, SCALANCE Vulnerabilities
    https://www.securityweek.com/siemens-releases-7-advisories-simatic-scalance-vulnerabilities

    Siemens on Tuesday released 7 new advisories to inform customers of potentially serious vulnerabilities affecting various SIMATIC and SCALANCE products. Patches and/or mitigations are available for all impacted products.

    According to the industrial giant, members of China’s CNCERT CC discovered two high severity flaws in SIMATIC S7 CPUs. An attacker who has access to impacted devices on TCP port 102 via Ethernet, MPI or Profibus can cause a denial-of-service (DoS) condition by sending specially crafted packets.

    Reply
  28. Tomi Engdahl says:

    CVSS Scores Often Misleading for ICS Vulnerabilities: Experts
    https://www.securityweek.com/cvss-scores-often-misleading-ics-vulnerabilities-experts

    While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading, which can have negative consequences for organizations, particularly if they rely solely on CVSS for prioritizing patches.

    Maintained by the CVSS Special Interest Group (SIG), CVSS “provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.” The score, which reflects the severity of a vulnerability, should help organizations assess and prioritize weaknesses in their systems. The score can reflect a low (0.1-3.9), medium (4.0-6.9), high (7.0-8.9) or critical (9.0-10.0) severity.

    The current version of the system, CVSSv3, allows users to calculate a base score – which is constant over time and across environments – using factors such as attack vector, attack complexity, required privileges, user interaction, scope, confidentiality, integrity, and availability. The temporal score, which reflects characteristics that may change over time but not across environments, is calculated based on exploit code maturity, remediation level, and report confidence. The environmental score, which represents attributes relevant to a particular user’s environment, is calculated based on the importance of the affected asset, measured in terms of confidentiality, integrity and availability.

    The way a CVSS score is calculated is transparent, but it’s still not uncommon for vendors and researchers to disagree on the severity rating assigned to a vulnerability.

    CVSS scoring was originally developed for IT systems and is often not accurate in the case of industrial systems

    The use of CVSS for rating ICS vulnerabilities

    Moreno Carullo, co-founder and CTO of Nozomi Networks, believes that while CVSS has value because it standardizes vulnerability scoring, it should only serve as a guide.

    “You should always have a look at the vector and evaluate your own ‘score,’ based on what makes the most sense for your environment,” Carullo said.

    Paolo Emiliani, industrial and SCADA research security analyst at Positive Technologies, says the CVSS score should be applied to specific industrial processes for it to be efficient in prioritizing vulnerabilities.

    John Elder, senior ICS security consultant at Applied Risk, believes CVSS scores can be misleading in both IT and ICS environments due to the different scenarios required for exploitation. However, he says the CVSS score can be a good starting point when assessing the full impact of a vulnerability.

    “Another argument against the effectiveness of CVSS scoring for ICS devices is the numerical values of the exploitability weights,” Kfir told SecurityWeek. “The current numerical weight values are calculated based on historical and statistical data of cyber-incidents, which are mostly from IT networks. As a consequence, the scoring based on this method is biased against ICS devices as there is not a wide historical database of incidents for numerically estimating the ‘exploitability’ value on ICS networks.”

    Reply
  29. Tomi Engdahl says:

    Preventing physical damage from cyberattacks
    All too often, security vulnerabilities are much closer to home, much simpler, and in some ways more concerning precisely because they can affect our everyday lives.
    https://www.csemag.com/single-article/preventing-physical-damage-from-cyberattacks/829f45838267938a0d3c0e5e6dfaf75b

    Ways to increase system security

    Broadly speaking, defending these systems can be broken down into two categories: external and internal attacks. External attacks will most likely originate from the Internet. For this reason, all Internet connections should be treated as potentially hostile and secured against intrusion. Several options can be explored:

    No connection – while obviously secure, this severely limits the functionality of modern systems, which need to exchange data with a host of other applications or need to be monitored / controlled from remote locations.
    Remote desktop application – this requires a dedicated software package running on a remote computer. While effective, this in turn creates another point of vulnerability at the remote computer itself, which must likewise be protected.
    Virtual Private Network (VPN) Firewall – similar to a remote desktop but with a more secure connection. The remote computer itself still requires protection.
    Dedicated EMCS / SCADA Web Server – rather than connecting an EMCS directly to the Internet, a separate server is placed behind a firewall and access to the server itself is restricted.

    Reply
  30. Tomi Engdahl says:

    Is your marine or power plant’s operating environment cyber secured?
    https://www.maritimemanual.com/is-your-marine-or-power-plants-operating-environment-cyber-secured/

    Cyberattacks pose one of the most significant threats to a company’s information and operation systems. Cyber risks can have significant consequences for the health and safety of operating environments as well as data integrity. Companies also need to follow national or regional standards involving regular audits, often requiring extensive support from an external partner to cover the global operating ground of regulations.

    Creating a comprehensive approach to cyber security helps marine and energy industry service providers safeguard their products and the operating environment – now and in the future.

    Cyber security measures tailored to operational needs

    Wärtsilä’s spectrum of cyber services ranges from risk assessment to technical controls and threat monitoring. Wärtsilä also launched recently the world’s first International Maritime Cyber Centre of Excellence in Singapore, consisting of a Maritime Cyber Emergency Response Team and a cyber academy.

    “We have a 360-degree approach to creating a safe and compliant operating environment for marine and energy companies, all the way from customised risk assessment to a cyber management system with governance,” says Eklund. “Our global knowledge and presence also set us up as a unique advisor on industry standards, an area that is vital for operational safety.”

    Reply
  31. Tomi Engdahl says:

    Symantec Intros USB Scanning Tool for ICS Operators
    ICSP Neural is designed to address USB-borne malware threats.
    https://www.darkreading.com/attacks-breaches/symantec-intros-usb-scanning-tool-for-ics-operators/d/d-id/1333417

    USB-borne malware continues to present a major threat to industrial control systems (ICS) nearly a decade after the Stuxnet attacks on Iran’s nuclear infrastructure first highlighted the danger.

    This week Symantec unveiled a new product it says is designed to help organizations in critical infrastructure sectors better manage the threat.

    The security vendor’s new Industrial Control System Protection Neural (ICSP Neural) is a rugged USB scanning station that ICS operators can install in their environments for vetting the security of USB devices before the devices are inserted into a critical control system.

    Reply
  32. Tomi Engdahl says:

    Hoarding threat information ‘not a competitive advantage,’ DHS official tells corporate leaders
    https://www.cyberscoop.com/hoarding-threat-information-not-competitive-advantage-dhs-official-tells-corporate-leaders/

    “Cybersecurity, infrastructure security, is not a competitive advantage,” Bradford Willke, a top official in DHS’s Cybersecurity and Infrastructure Security Agency, said Tuesday.

    If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost,”

    Willke cited a December 2015 blackout in Ukraine caused by suspected Russian government hackers as a cautionary tale in information-hoarding.

    Six months before the cyberattack, which left 225,000 people without power, a Ukrainian power company saw warning signs of the threat but failed to share that information with other companies in the sector, Willke said.

    Reply
  33. Tomi Engdahl says:

    Claroty Adds New Capabilities to Industrial Security Platform
    https://www.securityweek.com/claroty-adds-new-capabilities-industrial-security-platform

    Industrial cybersecurity firm Claroty on Tuesday announced significant enhancements to its threat detection product, along with technology integrations with several cybersecurity, network infrastructure and industrial automation providers.

    Claroty provides an ICS security platform that includes real-time threat detection, continuous vulnerability monitoring, and secure remote access capabilities.

    Reply
  34. Tomi Engdahl says:

    Synopsys’ Taylor Armerding warns that air gaps, a valuable barrier against cyberattacks, are disappearing from industrial control systems and considers what that means for the global shipping industry.

    Air gaps in ICS going, going … and so is security
    https://www.synopsys.com/blogs/software-security/smart-shipping-ics-air-gap/

    As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. What’s next?

    Reply
  35. Tomi Engdahl says:

    Study finds USB drives are a security threat to process control systems
    https://www.plantengineering.com/articles/study-finds-usb-drives-are-a-security-threat-to-process-control-systems/

    Honeywell research finds exposure through portable USB drives can cause serious disruption to process facilities through unsecure or malicious files.

    Reply
  36. Tomi Engdahl says:

    Playing catch-up with cybersecurity
    https://www.controleng.com/articles/playing-catch-up-with-cybersecurity/

    Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.

    Minimize cyber risk, impact

    What you will get are the next-best ideas for consideration, meaning: If the technology cannot (yet) prevent the hack, what can you do to minimize the odds or the impact? Here’s my take:

    Wherever possible, address the risk in your contracts. While this is rather obvious low-hanging fruit, it is nonetheless important. If cyber intrusion occurs, be sure to ask:

    What was your company’s contractual connection to the event, even if just via proposal or purchase order?
    Is there any argument that the intrusion happened because there was a vulnerability in your equipment or procedures?
    Could best practices have prevented the intrusion?

    If the event is serious enough, all those questions (and more) are likely to be directed at you—and your company will be in a much better place if the answers can be framed by supportive language in the applicable project terms and conditions.

    Reply
  37. Tomi Engdahl says:

    Digital transformation needs a solid cybersecurity plan
    https://www.controleng.com/articles/digital-transformation-plans-need-cybersecurity/

    Companies looking to perform digital transformation need to tackle cybersecurity and they need everyone–not just IT–to take responsibility to make it work.

    Along those lines, Gorskie said he has met with plenty of his customers and they feel their security posture is better than average. But the reality is that may be more of a pipe dream than anything else.

    That is why he feels manufacturers should start off with a basic assessment of their site.

    There are seven key categories/vectors a user should look at:

    Network security
    Workstation hardening
    User account management
    Patch and security management
    Physical and perimeter security
    Security monitoring
    Data management

    Once that assessment comes out there should be a report looking at what issues should be addressed first and that is the beginning of the journey toward a more secure environment.

    “Most users will be ready to start immediately after doing an assessment,” Gorskie said.

    “Patching is the most important thing to do, and we don’t do it,” he said.

    Once the user is ready to start their cybersecurity journey, they need to move to create policies and procedures, Gorskie said.

    “It is not rocket science, it is something we do every day,” he said.

    Gorskie related creating security procedures to safety procedures.

    “If you don’t follow safety procedures, you will eventually be let go,” he said. “Security should be the same way. It is about doing the right thing and making sure you follow it.”

    While he said OT security is different than IT security, there needs to be a change in mindset on the plant floor. The reality is there are plenty of tasks IT people do on a daily basis, Gorskie said, but there are some things OT does.

    Reply
  38. Tomi Engdahl says:

    Serious DoS Flaw Impacts Several Yokogawa Products
    https://www.securityweek.com/serious-dos-flaw-impacts-several-yokogawa-products

    A serious denial-of-service (DoS) vulnerability impacts several industrial automation products from Japanese electrical engineering and software company Yokogawa Electric.

    Reply
  39. Tomi Engdahl says:

    ICS Security Experts Share Tales From the Trenches
    https://www.securityweek.com/ics-security-experts-share-interesting-stories

    SecurityWeek has reached out to several companies that offer products and solutions designed for protecting industrial control systems (ICS) against cyber threats and asked their experts to share some interesting stories from the field.

    Reply
  40. Tomi Engdahl says:

    Playing catch-up with cybersecurity
    https://www.controleng.com/articles/playing-catch-up-with-cybersecurity/

    For the end user, it matters little whether you can push the contract responsibility to the “other guy” if the “other guy” has no way of paying for the liability or insuring it.

    Cybersecurity risks need help from contracts and insurance beyond technologies, policies, and people. Pretending cybersecurity risks aren’t there isn’t on any list of best practices.

    An examination of applications for cyber insurance coverage can be helpful as a guide for curtailing potential exposure, according to suggestions from my partner Patrick O’Connor.

    Among the questions asked:

    How much of the information technology (IT) is outsourced?
    How many names can be found in databases under your control?
    Do you have a third-party endorsement of your privacy processes and practices?
    What is your encryption strategy?
    What physical security strategies are in place to control human access to the servers?
    Do you have a chief security officer?

    I am not the one to tell you how the actuaries take all that information and turn it into a premium, but I do know the people who figure out that equation will be the insurance heroes of tomorrow. The larger lesson is more basic: at present, contracts and insurance can only do so much. The cyber “front line,” for now, is in your own company’s ways of doing things.

    Reply
  41. Tomi Engdahl says:

    ICS/IIoT taxonomy needed for cybersecurity
    https://www.controleng.com/articles/ics-iiot-taxonomy-needed-for-cybersecurity/

    There are many opinions and beliefs on what an industrial control system (ICS) is and what the Industrial Internet of Things (IIoT) comprises, which makes a common understanding crucial.

    ICS/IIoT taxonomy

    The taxonomy doesn’t need to be perfect or overly detailed; its purpose is to assist in effective communication.

    Here are some possible categories:

    Value–What would be the consequence if integrity or availability of the ICS/IIoT is compromised?
    Architecture–Classic Purdue model, IoT, classic + cloud?
    Maturity of ICSsec program–Huge difference in what should be done based on maturity. This is one of the biggest issues today with asset owners just starting their ICSsec efforts spending time and money on actions with minimal risk reduction.
    Sector/system type–This is the most obvious category. There are some sectors and systems that are homogenous while others, such as chemical manufacturing, have significant variance between small and large manufacturers. My thought is you could have three to five numbered sectors, and then place industries in one of those as appropriate. We could then discuss, for example, that Sector 2 systems should deploy these security controls or have these threats.

    This is far from a complete list of possibilities.

    The bundling of more and more sectors and systems into the ICS/IIoT term is helpful only in that it is increasing awareness and hopefully corresponding action. It is leading to unhelpful and confusing discussions even amongst those active in ICS. Executives and those peripherally involved in ICS will almost certainly be misled by “ICS” information that is unrelated to their ICS.

    Reply
  42. Tomi Engdahl says:

    A new taxonomy for SCADA attacks
    https://www.helpnetsecurity.com/2019/01/15/analyze-scada-attacks/

    Attacks aimed at SCADA networks are still much rarer than those targeting IT networks, but the number is slowly rising.

    “The current lack of a single taxonomy to analyze security incidents leads to difficulties in understanding the threat landscape in an unbiased way,”

    Reply
  43. Tomi Engdahl says:

    Exclusive: Hackers Take Control Of Giant Construction Cranes
    https://www.forbes.com/sites/thomasbrewster/2019/01/15/exclusive-watch-hackers-take-control-of-giant-construction-cranes/#65b8d79d1d0a

    Federico Maggi will never forget the first time he saw a crane being hacked.

    Last March, he was on a strange kind of road trip. Travelling the Lombardi region of Italy with his colleague Marco Balduzzi in a red Volkswagen Polo, the pair hoped to convince construction site managers, who they’d never met or spoken with before, to let them have a crack at taking control of cranes with their hacking tools.

    Surprise, surprise: They weren’t having much luck. But one such manager, who Maggi fondly remembers as Matteo, was game.

    Matteo was asked to turn off his transmitter, the only one on-site capable of controlling the crane, and put the vehicle into a “stop” state. The hackers ran their script. Seconds later, a harsh beeping announced the crane was about to move. And then it did, shifting from side to side. Looking up at the mechanism below a wide blue sky, Matteo was at first confused.

    “I remember him looking up and asking, ‘Who is doing that?’ Then he realized the test was successful,” Maggi recalls.

    Matteo’s crane was just the start. Over the coming days and weeks, the researchers, who ply their trade at Japanese cybersecurity giant Trend Micro, became professional “crane spotters.”

    It soon became obvious: Cranes were hopelessly vulnerable. And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real. The consequences ranged “from theft and extortion to sabotage and injury,” the researchers wrote in a paper handed to Forbes exclusively ahead of publication on Tuesday.

    Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations
    https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/attacks-against-industrial-machines-via-vulnerable-radio-remote-controllers-security-analysis-and-recommendations

    Radio frequency (RF) technology is being used in operations to control various industrial machines. However, the lack of implemented security in RF communication protocols could lead to production sabotage, system control, and unauthorized access.

    Reply
  44. Tomi Engdahl says:

    Schneider Electric Teams With Nozomi on Critical Infrastructure Security
    https://www.securityweek.com/schneider-electric-teams-nozomi-critical-infrastructure-security

    Schneider Electric has teamed up with industrial cybersecurity firm Nozomi Networks to offer anomaly detection, vulnerability assessment, and other services to customers in the critical infrastructure and other industrial sectors.

    Schneider’s EcoStruxure IoT architecture and platform, which has been deployed in nearly half a million sites around the world, can be combined with Nozomi’s SCADAguardian solution.

    According to Nozomi, SCADAguardian can provide EcoStruxure users in the oil and gas, power, building automation and other sectors accurate asset discovery and threat detection. The company’s solutions are designed to provide cyber resiliency and real-time operational visibility.

    Schneider’s consultants are trained to provide support for organizations opting for Nozomi’s services.

    Reply
