ICS Companies Are Worried About Cybersecurity, But Are They Worried About the Right Things?

http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html

The equipment was expected to be installed and then left alone for a long time. Pressure to reduce operating costs led to this equipment being networked, and the easiest networking equipment to find was designed for convenience in a corporate environment, not for security in an ICS environment. This has led to the current situation, where malware designed to compromise corporate systems can also affect ICS equipment.

ICS vendors’ traditional development model didn’t accommodate regular patches and updates, so companies running ICS equipment are likely to be forced to rely on security controls other than vulnerability scanning and patch management.

Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months. 

“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”

266 Comments

  1. Tomi Engdahl says:

    Old RF Protocols Expose Cranes to Remote Hacker Attacks
    https://www.securityweek.com/old-rf-protocols-expose-cranes-remote-hacker-attacks

    A team of researchers from Japan-based cybersecurity firm Trend Micro has analyzed the communication mechanisms used by cranes and other industrial machines and discovered serious vulnerabilities that can make it easy for malicious actors to launch remote attacks.

    Cranes, hoists, drills and other heavy machinery used in the manufacturing, construction, transportation and mining sectors often rely on radio frequency (RF) controllers. These systems include a transmitter that sends out commands via radio waves, and a receiver that interprets those commands.

    Reply
  2. Tomi Engdahl says:

    Researchers Create PoC Malware for Hacking Smart Buildings
    https://www.securityweek.com/researchers-create-poc-malware-hacking-smart-buildings

    Researchers at IoT security company ForeScout have created a piece of malware to demonstrate how malicious actors could remotely hack into smart buildings.

    Smart buildings have become increasingly common. They rely on building automation systems – including sensors, controllers and actuators – to control heating, ventilation, air conditioning, lighting, surveillance, elevators, and access.

    The automation systems that power smart buildings are similar to industrial control systems (ICS), but ForeScout warns that their security should be handled differently given that building automation systems are much more open and interconnected compared to ICS. Furthermore, when it comes to the threats targeting these systems, the final payload is much easier to deliver in the case of building systems as the physical processes involved are less complicated.

    Reply
  3. Tomi Engdahl says:

    Hackers Can Abuse Legitimate Features to Hijack Industrial Controllers
    https://www.securityweek.com/hackers-can-abuse-legitimate-features-hijack-industrial-controllers-expert

    Hackers can abuse legitimate features present in industrial controllers to hijack these devices and leverage them to gain a foothold in a network, a researcher warns.

    Programmable logic controllers (PLCs) allow users to control and monitor physical processes in industrial environments. While these types of devices are known to have vulnerabilities, including ones that could be leveraged to create a dangerous worm, researchers have shown in the past that malicious actors may also be able to abuse legitimate PLC features to achieve their goals.

    Roee Stark, a senior software engineer at industrial cybersecurity firm Indegy, has now demonstrated another type of attack that only leverages legitimate features. The expert has analyzed PLCs made by Rockwell Automation and found that certain Common Industrial Protocol (CIP) commands can be abused for malicious purposes.

    Reply
  4. Tomi Engdahl says:

    Malware Built to Hack Building Automation Systems
    Researchers dig into vulnerabilities in popular building automation systems, devices.
    https://www.darkreading.com/vulnerabilities—threats/malware-built-to-hack-%20building-automation-systems/d/d-id/1333671

    S4x19 — Miami — Researchers who discovered multiple vulnerabilities in building automation system (BAS) equipment have also constructed proof-of-concept malware to exploit some of those security weaknesses.

    Reply
  5. Tomi Engdahl says:

    To Improve Critical Infrastructure Security, Bring IT and OT Together
    https://securityintelligence.com/to-improve-critical-infrastructure-security-bring-it-and-ot-together/

    As connectivity in the industrial internet of things (IIoT) continues to accelerate, efforts to secure industrial control systems (ICSs) struggle to keep pace. While many ICS security conversations have involved endpoint security, improving the state of ICS security demands attention to more than just endpoints.

    Attacks on critical infrastructure systems are proliferating. Nearly half (41.2 percent) of ICS computers suffered a malicious software attack in H1 2018, according to Kaspersky Lab. Despite growing security concerns, traditionally air-gapped operational technology (OT) is increasingly being tasked with using internet-connected devices to improve operational processes, reduce costs and minimize downtime.

    Until security becomes a priority, industrial organizations will remain soft targets for threat actors.

    Reply
  6. Tomi Engdahl says:

    Proactive management of plant cybersecurity
    https://www.controleng.com/articles/proactive-management-of-plant-cybersecurity/

    A combination of information technology (IT) and operations technology (OT) cybersecurity expertise is required to manage the influx of Industrial Internet of Things (IIoT) devices and increased IT/OT integration.

    The inward-looking plant control system is giving way to a wider and flatter network architecture, which requires a different cybersecurity focus. Operations technology (OT) is undergoing a sea change in goals, structure, and management—as is information technology (IT) with the integration of the plant control system with the business systems. This is making it necessary to manage enormous data flows inside the plant.

    Reply
  7. Tomi Engdahl says:

    Thousands of industrial refrigerators can be remotely defrosted, thanks to default passwords
    https://techcrunch.com/2019/02/08/industrial-refrigerators-defrost-flaw/?sr_share=facebook&utm_source=tcfbpage

    Security researchers have found thousands of exposed internet-connected industrial refrigerators that can be easily remotely instructed to defrost.

    More than 7,000 vulnerable temperature controlled systems, manufactured by U.K.-based firm Resource Data Management, are accessible from the internet and can be controlled by simply plugging in its default password found in documentation on the company’s website, according to Noam Rotem, one of the security researchers who found the vulnerable systems.

    Reply
  8. Tomi Engdahl says:

    Proactive management of plant cybersecurity
    A combination of information technology (IT) and operations technology (OT) cybersecurity expertise is required to manage the influx of Industrial Internet of Things (IIoT) devices and increased IT/OT integration.
    https://www.controleng.com/articles/proactive-management-of-plant-cybersecurity/

    Reply
  9. Tomi Engdahl says:

    Siemens Warns of Critical Remote-Code Execution ICS Flaw
    https://threatpost.com/siemens-critical-remote-code-execution/141768/

    The affected SICAM 230 process control system is used as an integrated energy system for utility companies, and as a monitoring system for smart-grid applications.

    One of the flaws affecting SICAM 230 is rated critical, with a CVSS v.3 score of 10: CVE-2018-3991 allows a specially crafted TCP packet sent to port 22347/tcp to cause a heap overflow, potentially leading to remote code-execution.

    Another, CVE-2018-3990, has a CVSS score of 9.3. It allows a specially crafted I/O request packet to cause a buffer overflow, resulting in kernel memory corruption and, potentially, privilege-escalation.

    Other flaws of note amid the 16 advisories include three denial-of-service vulnerabilities with a CVSS v3.0 score of 7.5 in the EN100 Ethernet Communication Module and SIPROTEC 5 relays.

    Reply
  10. Tomi Engdahl says:

    Network kit biz Phoenix takes heat as flaws may leave industrial control system security in ashes
    Oil, gas, maritime systems affected by latest bug findings
    https://www.theregister.co.uk/2019/02/11/phoenix_switch_flaws/

    Companies running a popular brand of industrial Ethernet switch are being advised to update their firmware ASAP following a series of bug disclosures.

    Security house Positive Technologies took credit today for the discovery of six CVE-listed security vulnerabilities in the Phoenix Contact FL Switch 3xxx, 4xxx, and 48xx industrial control switches. The flaws are addressed in firmware versions 1.35 or newer.

    Reply
  11. Tomi Engdahl says:

    ICS/SCADA Attackers Up Their Game
    https://www.darkreading.com/threat-intelligence/ics-scada-attackers-up-their-game/d/d-id/1333893

    “The threats are getting worse,” says Robert M. Lee, CEO and co-founder of Dragos, whose company this week published its annual findings on ICS threats and engagements with its industrial clients in 2018. “But people are being really proactive about this. And maybe it’s not communitywide and we have to reach more, but you’ve got some real forward-leaning companies that are pushed into the right direction.”

    Report at https://dragos.com/wp-content/uploads/yir-ics-vulnerabilities-2018.pdf

    The biggest shift is their using so-called “living off the land” methods, though not in the same way attackers operate in IT networks. It’s not their using Remote Desktop Protocol (RDP)-type attacks, for example, but instead employing native industrial protocols, Lee says. “These are things enterprise security would not detect,” he says.

    Reply
  12. Tomi Engdahl says:

    Germany sees big rise in security problems affecting infrastructure
    https://www.reuters.com/article/us-germany-cybersecurity-idUSKCN1Q60CS

    Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids and water suppliers, the BSI cybersecurity agency said on Sunday, adding however that they were not all due to hacking.

    The Welt am Sonntag weekly had reported on Sunday that Germany had learned of 157 hacker attacks on critical infrastructure companies in the second half of 2018 compared to 145 attacks in the whole of the previous year.

    Reply
  13. Tomi Engdahl says:

    Researcher: Not Hard for a Hacker to Capsize a Ship at Sea
    https://threatpost.com/hacker-capsize-ship-sea/142077/

    Capsizing a ship with a cyberattack is a relatively low-skill enterprise, according to an analysis from Pen Test Partners.

    With so many previously outlined ways to infiltrate networks on-board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), the question becomes, what could an adversary do with that access?

    “If one was suitably motivated, perhaps by a nation-state or a crime syndicate, one could bring about the sinking of a ship,” said Pen Test Partners researcher Ken Munro, in a stark assessment of maritime cyber-danger this week.

    Reply
  14. Tomi Engdahl says:

    Serious Flaws in WibuKey DRM Impact Siemens Products
    https://www.securityweek.com/serious-flaws-wibukey-drm-impact-siemens-products

    Siemens has informed customers that some of its products are affected by recently disclosed vulnerabilities affecting the WibuKey digital rights management (DRM) solution from Wibu Systems.

    Cisco Talos revealed in December that the WibuKey DRM has three vulnerabilities that can lead to information disclosure, privilege escalation, and remote code execution. Cisco noted at the time that WibuKey is used by many applications, including the V-Ray image rendering software, the ArchiCAD architectural design software, and the Straton industrial automation software.

    It turns out that Siemens also uses WibuKey for some of its products, including SICAM 230, a process control and monitoring system designed for the energy sector, and the SIMATIC WinCC Open Architecture (OA) human-machine interface (HMI) product.

    Reply
  15. Tomi Engdahl says:

    Got Critical Infrastructure? Then You Should Know How To Protect It
    https://www.securityweek.com/got-critical-infrastructure-then-you-should-know-how-protect-it

    Both IT and OT Teams Should be Able to Quickly Access and Analyze all Data Relevant to Their Needs

    Reply
  16. Tomi Engdahl says:

    Tripwire Launches Industrial Cybersecurity Assessment Service
    https://www.securityweek.com/tripwire-launches-industrial-cybersecurity-assessment-service

    Belden-owned Tripwire on Monday announced the availability of two new assessment services designed to help enterprises and industrial organizations find potentially dangerous vulnerabilities in their systems.

    One of the new services, Industrial Cybersecurity Assessment, provides experts who can discover vulnerabilities in industrial control system (ICS) environments and determine if they can actually be exploited and if they pose a significant risk.

    Reply
  17. Tomi Engdahl says:

    ICS/SCADA Attackers Up Their Game
    https://www.darkreading.com/threat-intelligence/ics-scada-attackers-up-their-game/d/d-id/1333893

    With attackers operating more aggressively and stealthily, some industrial network operators are working to get a jump on the threats

    In nearly 40% of the incident response (IR) engagements conducted by Dragos in 2018, the attacker had been inside the network for more than a year. About one-fourth of its IR engagements were to determine whether a cyberattack was the cause of an outage or other event.

    Even so, only about 20% to 30% of ICS organizations in North America today use real-time network monitoring to detect and thwart attacks, according to Lee. That’s the main security best practice recommended for ICS/SCADA organizations, and North America is actually ahead of other regions in adopting it.

    https://dragos.com/wp-content/uploads/yir-ics-vulnerabilities-2018.pdf

    Reply
  18. Tomi Engdahl says:

    Rockwell Automation Patches Critical DoS/RCE Flaw in RSLinx Software
    https://www.securityweek.com/rockwell-automation-patches-critical-dosrce-flaw-rslinx-software

    Patches released by Rockwell Automation for its RSLinx Classic software address a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly for remote code execution.

    Reply
  19. Tomi Engdahl says:

    Many Vulnerabilities Discovered in Moxa Industrial Switches
    https://www.securityweek.com/many-vulnerabilities-discovered-moxa-industrial-switches

    Over a dozen vulnerabilities, including ones classified as critical, have been found by Positive Technologies researchers in EDS and IKS switches made by industrial networking solutions provider Moxa. The vendor has released patches and mitigations that should address the flaws.

    The impacted industrial switches have been used worldwide, particularly in the energy, critical manufacturing, and transportation sectors, according to ICS-CERT.

    Five security holes have been identified by Positive Technologies employees in EDS-405A, EDS-408A, and EDS-510A switches. The list includes the storage of passwords in plain text, the use of predictable session IDs, the lack of encryption for sensitive data, the lack of mechanisms for preventing brute-force attacks, and flaws that can be exploited to cause a denial-of-service (DoS) condition.

    https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01

    Reply
  20. Tomi Engdahl says:

    Dragos Acquires NexDefense, Releases Free ICS Assessment Tools
    https://www.securityweek.com/dragos-acquires-nexdefense-releases-free-ics-assessment-tools

    Industrial cybersecurity firm Dragos on Monday announced the acquisition of NexDefense, a company that specializes in visibility technology for industrial control systems (ICS), and the launch of free ICS security assessment tools.

    Reply
  21. Tomi Engdahl says:

    Learn how to use the ISA/IEC 62443 Standard to keep hackers out of your Industrial Control Systems with ISA’s IC32E cybersecurity training.

    Reply
  22. Tomi Engdahl says:

    Shamoon malware destroys data at Italian oil and gas company
    https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/

    About a tenth of Saipem’s IT infrastructure infected with infamous data-wiping Shamoon malware.

    Reply
  23. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Norsk Hydro, one of the world’s largest producers of aluminum, has shut down several metal extrusion plants as it deals with a ransomware attack

    Aluminum producer switches to manual operations after ransomware infection
    UPDATE: Cyber-attack identified as LockerGoga ransomware infection.
    https://www.zdnet.com/article/aluminium-producer-switches-to-manual-operations-after-extensive-cyber-attack/

    Norsk Hydro, one of the world’s largest aluminium producers, revealed today that it “became victim of an extensive cyber-attack” that crippled some of its infrastructure and forced it to switch to manual operations in some smelting locations. The cyber-attack was later identified as an infection with the LockerGoga ransomware strain, the company said during a press conference.

    News of the cyber-attack broke earlier this morning in a message the company sent to investors and stock exchanges.

    “Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas,” the company said. “IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”

    Norsk Hydro: Hydro subject to cyber-attack
    https://newsweb.oslobors.no/message/472389

    Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas. IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.

    Reply
  24. Tomi Engdahl says:

    Industrial Cybersecurity Firm Nozomi Launches Research Department
    https://www.securityweek.com/industrial-cybersecurity-firm-nozomi-launches-research-department

    While this is the formal launch of its research department, Nozomi has already conducted detailed analysis of some major threats targeting industrial control systems (ICS), including the GreyEnergy and Triton/Trisis malware families. The company has also created and released some tools that may be useful to defenders.

    In the past year, Nozomi says it has also identified and reported over a dozen vulnerabilities affecting ICS products, including flaws that can lead to safety incidents or disruptions to production.

    Reply
  25. Tomi Engdahl says:

    Aluminum Giant Norsk Hydro Hit by Ransomware
    https://www.securityweek.com/aluminum-giant-norsk-hydro-hit-ransomware

    Norwegian metals and energy giant Norsk Hydro, one of the world’s biggest aluminum producers, has been hit by a ransomware attack that has impacted operations, forcing the company to resort to manual processes.

    Reply
  26. Tomi Engdahl says:

    Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator
    https://www.securityweek.com/schneider-electric-working-patch-flaw-triconex-tristation-emulator

    A serious denial-of-service (DoS) vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. The vendor has yet to release a patch, but assured customers that the flaw does not pose a risk to operating safety controllers.

    The vulnerability, discovered by a researcher from industrial cybersecurity firm Applied Risk, can be exploited to cause a DoS condition on an emulated controller by sending it specially crafted Triconex System Access Application (TSAA) packets over the network on UDP port 1500.

    Reply
  27. Tomi Engdahl says:

    What happens on a SCADA honeypot?
    https://medium.com/@combitech/mitä-tapahtuu-scada-hunajapurkilla-d44c1cb93958

    Industrial automation systems connected to the Internet are excellent targets. Often they have no user authentication and no message encryption, so anyone on the network can command the devices. Systems that run continuously have also not been updated since the 1980s.

    Reply
  28. Tomi Engdahl says:

    Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives
    https://www.securityweek.com/critical-flaw-allows-hackers-take-control-powerflex-ac-drives

    Rockwell Automation’s Allen Bradley PowerFlex 525 AC drives are affected by a critical denial-of-service (DoS) vulnerability that allows hackers to take control of devices.

    PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers.

    “The bug corrupts the CIP daemon in a way that some values returned by the devices are corrupted. It also prevents any new connection to be established with the device,” Merle explained.

    Reply
  29. Tomi Engdahl says:

    One in two industrial computers hit by cyberattacks
    https://www.itproportal.com/features/one-in-two-industrial-computers-hit-by-cyberattacks/

    Almost every other Industrial Control System (ICS) computer was attacked by malware last year, new research has revealed.

    A report by Kaspersky Lab warned that the threat is rising, as in 2018, 47.2 per cent of machines were attacked, compared to 44 per cent the year before.

    Vietnam, Algeria and Tunisia were the countries most affected by this rising threat. On the other end of the spectrum are Ireland, Switzerland and Denmark.

    Reply
  30. Tomi Engdahl says:

    20% of Industrial Control Systems Affected by Critical Vulnerabilities
    https://www.bleepingcomputer.com/news/security/20-percent-of-industrial-control-systems-affected-by-critical-vulnerabilities/

    Over half of the 415 vulnerabilities found in industrial control systems (ICS) were assigned CVSS v.3.0 base scores over 7 which are designated to security issues of high or critical risk levels, with 20% of vulnerable ICS devices being impacted by critical security issues.

    Reply
  31. Tomi Engdahl says:

    Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives
    https://www.securityweek.com/critical-flaw-allows-hackers-take-control-powerflex-ac-drives

    Rockwell Automation’s Allen Bradley PowerFlex 525 AC drives are affected by a critical denial-of-service (DoS) vulnerability that allows hackers to take control of devices.

    PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers.

    Reply
  32. Tomi Engdahl says:

    Active vs. Passive Monitoring: No Longer an Either-Or Proposition
    https://www.securityweek.com/active-vs-passive-monitoring-no-longer-either-or-proposition

    Most experienced security professionals have heard the axiom, “You can’t protect what you can’t see.” It’s admittedly a truism for cybersecurity… obviously the more you know and understand about your environment, the better equipped you are to detect and investigate suspicious behavior. But it also leads to a classic security conundrum: how do you implement discovery and monitoring in your environment while preserving operational stability? The question has driven a long-running debate in security circles: active vs. passive scanning, which approach is better for endpoint discovery and anomaly detection? Veteran security professionals are well-acquainted with the two options, but I frequently speak with operational personnel who are less familiar and primarily concerned with the potential negative impact on the operational technology (OT) process.

    Passive monitoring silently analyzes network traffic through a span port or tap to identify endpoints and traffic patterns. It creates no additional network traffic and has virtually no risk of disrupting critical processes by interacting directly with endpoints.

    Active monitoring works by sending test traffic into the network and polling endpoints with which it comes into contact. Active monitoring can be very effective in gathering basic profile information such as device name, IP and MAC address, NetFlow or syslog data, as well as more granular configuration data such as make and model, firmware versions, installed software/versions and OS patch levels. By sending packets directly to endpoints, active scanning can be faster in collecting data, but this also increases the risk of endpoint malfunction by pushing incompatible queries to them or saturating smaller networks with traffic. And active scanning typically does not monitor the network 24/7, so it may not detect transient endpoints or devices in listen-only mode.

    Reply
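As an added illustration of the passive approach described above (example code written for this page, not from the article or from any vendor product): it learns an asset and conversation baseline from mirrored flow records, as a span-port sensor would, and then flags new endpoints and hosts using native industrial protocols they never used before, which is the “living off the land” pattern Lee describes in an earlier comment. The addresses, the port table and the flow records are constructed for the example.

```python
"""Passive ICS network monitoring: learn a traffic baseline from a span port or tap,
then flag deviations without ever sending a packet to a controller."""
from collections import Counter
from typing import Dict, List, NamedTuple, Set

# Well-known industrial protocol ports. Hosts that normally speak these are the
# HMIs, historians and engineering workstations; anything else doing so is suspect.
ICS_PORTS: Dict[int, str] = {
    502: "Modbus/TCP",
    44818: "EtherNet/IP (CIP)",
    20000: "DNP3",
    102: "S7comm (ISO-TSAP)",
    1500: "Triconex TSAA",   # UDP port named in the Triconex TriStation comment above
}


class Flow(NamedTuple):
    ts: int       # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"


class Baseline(NamedTuple):
    endpoints: Set[str]       # every address seen on the wire, including listen-only devices
    conversations: Counter    # (src, dst, dport, proto) -> flow count
    ics_talkers: Set[str]     # hosts observed initiating an ICS protocol


def learn_baseline(flows: List[Flow]) -> Baseline:
    """Build the 'known good' picture from a learning window of mirrored traffic."""
    endpoints: Set[str] = set()
    conversations: Counter = Counter()
    ics_talkers: Set[str] = set()
    for f in flows:
        endpoints.update((f.src, f.dst))
        conversations[(f.src, f.dst, f.dport, f.proto)] += 1
        if f.dport in ICS_PORTS:
            ics_talkers.add(f.src)
    return Baseline(endpoints, conversations, ics_talkers)


def detect(baseline: Baseline, flows: List[Flow]) -> List[dict]:
    """Compare live flows with the baseline. Each finding is a dict with a 'kind':
    new-endpoint          - an address never seen during learning
    unexpected-ics-talker - a known host using an industrial protocol it never used before
    new-ics-conversation  - a known ICS host reaching a device it did not talk to before"""
    findings: List[dict] = []
    for f in flows:
        key = (f.src, f.dst, f.dport, f.proto)
        proto_name = ICS_PORTS.get(f.dport)
        for addr in (f.src, f.dst):
            if addr not in baseline.endpoints:
                findings.append({"kind": "new-endpoint", "ts": f.ts, "host": addr})
        if proto_name is None:
            continue  # ordinary IT traffic; not the concern of this sensor
        if f.src not in baseline.ics_talkers:
            findings.append({"kind": "unexpected-ics-talker", "ts": f.ts,
                             "host": f.src, "target": f.dst, "protocol": proto_name})
        elif key not in baseline.conversations:
            findings.append({"kind": "new-ics-conversation", "ts": f.ts,
                             "host": f.src, "target": f.dst, "protocol": proto_name})
    return findings


# Constructed sample traffic (private lab addresses, not from any real capture).
LEARNING_WINDOW = [
    Flow(0, "10.10.1.10", "10.10.1.20", 44818, "tcp"),   # HMI polls the PLC over CIP
    Flow(5, "10.10.1.10", "10.10.1.20", 44818, "tcp"),
    Flow(7, "10.10.1.11", "10.10.1.20", 44818, "tcp"),   # engineering workstation -> PLC
    Flow(9, "10.10.1.30", "10.10.1.20", 502, "tcp"),     # historian reads Modbus registers
    Flow(12, "10.10.1.40", "10.10.0.5", 445, "tcp"),     # office PC -> file server, no ICS
]

LIVE_WINDOW = [
    Flow(100, "10.10.1.10", "10.10.1.20", 44818, "tcp"),  # normal HMI traffic
    Flow(101, "10.10.1.11", "10.10.1.21", 44818, "tcp"),  # workstation reaches a PLC it never touched
    Flow(102, "10.10.1.40", "10.10.1.20", 502, "tcp"),    # office PC suddenly speaks Modbus to the PLC
    Flow(103, "10.10.1.50", "10.10.1.20", 44818, "tcp"),  # unknown host speaks CIP to the PLC
]


def run_demo() -> List[dict]:
    return detect(learn_baseline(LEARNING_WINDOW), LIVE_WINDOW)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Because the sensor only reads mirrored traffic, a device that only ever answers (listen-only mode) still lands in the baseline, which is the advantage over active polling the comment points out.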
  33. Tomi Engdahl says:

    Rethink the organization’s structure
    Cyber-physical environments will change what managers do.
    https://www.controleng.com/articles/rethink-the-organizations-structure/

    According to a 2019 white paper by the World Economic Forum (WEC) and McKinsey & Co., manufacturers adopting Industry 4.0 can scale their businesses two ways:

    Through operational excellence and production system innovations; or
    By entering new markets.

    This thesis is supported by other McKinsey research. According to a 2016 study, nearly 90 percent of surveyed companies believe that Industry 4.0 innovations would help them improve their competitive positions and operational effectiveness. Eighty percent of U.S. companies think Industry 4.0 would allow new competitors from other industries to enter their markets.

    The authors proposed a framework based on smart, cyber-physical systems that connect equipment, software and people. The framework is based on the following four pillars:

    1. Interconnection. The systems connect people, machines, sensors, devices and software through IIoT and allow communication among them.

    2. Information transparency. Data collected through interconnection must be available to operators for decision-making.

    3. Technical assistance. The intent is twofold: a) to shift low-value tasks from people to cyber-physical systems, and b) for systems to arm personnel with analyses and information for timely, effective decisions.

    4. Decentralized decisions. Systems make decisions and take actions autonomously.

    In one common approach to Industry 4.0 adoption, many consulting and advisory firms advocate a proof-of-concept approach where a quick win demonstrating value incentivizes teams to expand Industry 4.0 to other functional areas.

    This approach assumes that an implementing company is either testing with a non-strategic initiative, such as energy management, or that it otherwise has a well-built foundation. If the underlying data, process and technology architecture is strong, it makes sense to test a closed cyberphysical loop. In contrast, if a company foundation is shaky, a proof-of-concept is probably premature.

    In our case example, the fuel company didn’t have a strong foundation. Its data was inaccurate, its processes manual and inefficient. Its systems didn’t meet its needs. As a result, the company’s cyber environment is incapable of mirroring its physical environment, let alone optimizing it.

    The company needs to first build a strong foundation by:

    Architecting an environment that spans enterprise resources planning, manufacturing execution system and distributed control system environments with the IIoT, business intelligence and Big Data warehousing;
    Properly implementing those solutions; and
    Assuring that the cyber-world mirrors the physical world through system adoption and disciplined business processing.

    Once it builds this foundation, the company can wade into a strategy-driving Industry 4.0 proof-of-concept project.

    Reply
  34. Tomi Engdahl says:

    Manufacturing and process facility trends: Cybersecurity
    https://www.controleng.com/articles/manufacturing-and-process-facility-trends-cybersecurity/

    Technology update: Cybersecurity remains a key concern for manufacturing and process facilities as explained in the media session at ARC Forum 2019.

    Reply
  35. Tomi Engdahl says:

    TXOne Networks Unveils First Industrial Cybersecurity Product
    https://www.securityweek.com/txone-networks-unveils-first-industrial-cybersecurity-product

    TXOne Networks, a joint venture between cybersecurity firm Trend Micro and industrial networking solutions provider Moxa, this week unveiled its first product, an industrial intrusion prevention system (IPS).

    Trend Micro and Moxa announced the launch of TXOne Networks in November 2018. The new company focuses on industrial internet of things (IIoT) security and it will offer gateways, endpoint agents and network segmentation solutions designed to help organizations secure, control and monitor equipment and operational technology (OT).

    Reply
  36. Tomi Engdahl says:

    ROCKWELL AUTOMATION MALWARE REPORT
    https://cyberx-labs.com/resources/rockwell-automation-malware-report/

    Researchers from our Industrial Threat Intelligence team have revealed a remote code execution vulnerability in the Allen-Bradley MicroLogix family of controllers from Rockwell Automation

    Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk
    https://threatpost.com/critical-rockwell-automation-bug-in-drive-component-puts-iiot-plants-at-risk/143258/

    Reply
  37. Tomi Engdahl says:

    Most OT Organizations Hit by Damaging Cyberattacks: Survey
    https://www.securityweek.com/most-ot-organizations-hit-damaging-cyberattacks-survey

    A majority of organizations that have operational technology (OT) infrastructure experienced at least one damaging cyberattack in the past two years, according to a survey conducted by Ponemon Institute and Tenable.

    Reply
  38. Tomi Engdahl says:

    Triton Hackers Focus on Maintaining Access to Compromised Systems: FireEye
    https://www.securityweek.com/triton-hackers-focus-maintaining-access-compromised-systems-fireeye

    The existence of Triton, also known as Trisis and HatMan, came to light in 2017 after the malware had caused disruptions at an oil and gas plant in Saudi Arabia. FireEye’s Mandiant was called in to investigate the incident and the company has been tracking the threat ever since.

    FireEye revealed on Wednesday that it recently responded to another attack carried out by the Triton group against a critical infrastructure facility.

    The cybersecurity firm says it has come across several custom tools used by the threat actor, including ones designed for credential harvesting (SecHack, WebShell), remote command execution (NetExec), and several backdoors based on OpenSSH, Bitvise, PLINK and Cryptcat. The attackers have also relied on widely available tools, such as Mimikatz.

    FireEye, which previously linked Triton to a research institute owned by the Russian government, pointed out that disruptive attacks aimed at industrial environments take a lot of preparation.

    In one attack analyzed by the company, the attackers had been present in the target’s network for nearly a year before gaining access to an engineering workstation in charge of safety instrumented systems (SIS).

    Reply
  39. Tomi Engdahl says:

    90% of Infrastructure Security Pros Have Been Hacked in the Last Two Years
    https://www.designnews.com/design-hardware-software/90-infrastructure-security-pros-have-been-hacked-last-two-years/213044111660594?ADTRK=UBM&elq_mid=8200&elq_cid=876648

    According to a report commissioned by Tenable, 62% of respondents said their organizations have suffered multiple attacks.

    Reply
  40. Tomi Engdahl says:

    TRITON Attacks Underscore Need for Better Defenses
    https://www.darkreading.com/vulnerabilities—threats/triton-attacks-underscore-need-for-better-defenses/d/d-id/1334418

    As attackers focus on cyber-physical systems, companies must improve their visibility into IT system compromises as well as limit actions on operational-technology networks, experts say.

    Security experts have a warning for critical-infrastructure companies: The group behind the TRITON attack on industrial control systems is not unique.

    After revealing last week that the same set of tools used by the TRITON attackers were also found in a second victim’s network, security services firm FireEye stressed that attackers are likely in the networks of some of the facilities that are home to the 18,000 Triconex safety systems installed in plants worldwide.

    “The reason we published this information is that we believe this is happening elsewhere,” says Nathan Brubaker, senior manager of cyber threat analysis at FireEye. “We found them twice, and that is not very likely considering how many targets there are in the world. There is a decent chance they are in other systems.”

    Reply
  41. Tomi Engdahl says:

    LockerGoga: Ransomware Targeting Critical Infrastructure
    https://www.fortinet.com/blog/threat-research/lockergoga-ransomeware-targeting-critical-infrastructure.html

    Discovered early this year, LockerGoga is a new ransomware family that has been detected attacking industrial companies, severely compromising their operations. The file-encrypting malware’s entrance to the scene began when it was allegedly involved in attacking an engineering consulting firm based in France. Just two weeks ago, it made headlines again for crippling the operations of an international manufacturer. And shortly thereafter, two American chemical companies were also reported to have been hit by the same malware.

    Reply
  42. Tomi Engdahl says:

    SAS 2019: Triton ICS Malware Hits A Second Victim
    https://threatpost.com/triton-ics-malware-second-victim/143658/

    In only the second known attack of the Russia-linked malware, which shut down an oil refinery in 2017, another Mideast target has been hit.

    SINGAPORE – The Triton malware, which first came to light after a disruptive critical-infrastructure attack on Saudi oil giant Petro Rabigh in 2017, has found a second victim.

    Reply
  43. Tomi Engdahl says:

    TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping
    https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html

    FireEye can now confirm that we have uncovered and are responding to an additional intrusion by the attacker behind TRITON at a different critical infrastructure facility.

    Reply
