Cyber risks for Industrial environments continue to increase

Industrial control systems (ICS) are a privileged target of different categories of threat actors.

Researchers observed a significant increase of brute force attacks on supervisory control and data acquisition (SCADA) systems.

In December, IBM warned of the availability of a penetration testing framework named smod that was used in many attacks in the wild. 

Organizations in any industry can face cyber-attacks against their ICS systems and need to adopt the necessary countermeasures.

According to Kaspersky, every month an average of 20.1% of industrial computers are targeted by malware.


  1. Tomi Engdahl says:

    The Seven Most Dangerous New Attack Techniques, and What’s Coming Next

  2. Tomi Engdahl says:

    Cybersecurity attacks on IIoT infrastructure expected to increase in 2017

    A survey by security company Tripwire found that 96% of IT security professionals expected attacks on critical Industrial Internet of Things (IIoT) infrastructure segments such as energy, utilities, government, healthcare, and finance.

    Most organizations are expecting an increase in cyber attacks on Industrial Internet of Things (IIoT) infrastructure this year, according to a survey commissioned by information technology (IT) security company Tripwire. The survey found that 96% of IT security professionals expected attacks on critical Industrial IoT infrastructure segments such as energy, utilities, government, healthcare and finance.

    The study of 403 IT security professionals worldwide revealed that an overwhelming majority feel additional precautions are needed to adequately secure the IIoT, and more than half (51%) do not feel prepared for such attacks. Sixty-four percent said they already recognize the need to protect against IIoT attacks, as they continue to gain popularity among hackers.

  3. Tomi Engdahl says:

    The Threat to Critical Infrastructure – Growing Right Beneath Our Eyes

    Nation-States do Not Fear Reprisal and are Likely to use ICS Attacks as a Component of Geo-Political Conflict

    My early conversations left me concerned as there didn’t seem to be much recognition of a problem. Increasingly, we’ve been met with a more encouraging amount of agreement in those discussions – from energy, to manufacturing, to oil and gas and so on – a majority understand they have serious problems to fix but we’d estimate only roughly 50% of those are prioritizing their resources to fix them.

    What of the remaining 50%? They fall into two categories:

    A. They don’t understand the level of exposure of their ICS networks/have a false sense of security. Unlike IT networks where dozens of security technologies are deployed/reporting back on activity, ICS networks are generally a blind spot for Security teams.

    B. They think the risk is still hypothetical / doesn’t warrant a priority focus over the dozens of IT Security projects they need to tackle because the volume of attacks pales in comparison to the noisy IT domain.

    To a degree, when using this attack based calculus, these folks aren’t – or, better phrased, weren’t wrong. The daily barrage of attacks from all angles and from all adversaries isn’t a reality in ICS…yet. Clearly, there are major gaps that need to be filled on the IT side to drive better security – and as a result, this needs to be a priority. But where the argument falls apart rather quickly is when we do the math – literally! The only way to adequately prioritize activities is to calculate the risk.

    Let’s Start with Consequence (Impact):

    One could argue rather reasonably that the ‘cat and mouse’ or ‘whack-a-mole’ approach to IT security that we’ve relied upon for the past 10-20 years has been ‘effective enough.’

    In ICS, we aren’t talking about data theft, we’re not talking about micro-level impact where individuals, companies or certain Government agencies/agendas are impacted – we’re talking about a macro level issue related to the potential disruption of essential services that drive the global economy and support day to day life. We cannot afford to rely on the same (sub)standard we used in IT Security over the past 10 years.

    The notion of cold-war era “Mutually Assured Destruction” as a deterrent force has dimmed and nation-states, jihadists and even cyber-criminals have taken notice. With Stuxnet, the 2013 New York Dam attack, the 2014 “Sandworm Team” campaign which penetrated U.S. Electrical Utilities, the December 2015 Ukraine power-grid attack (believed to have been perpetrated by Sandworm Team), a repeat of that attack late in 2016, and with IBM releasing an end of 2016 report pointing to a 110% increase year-over-year in ICS attacks, the writing is clearly on the wall.

    Nation-states do not fear reprisal and are likely to use ICS attacks as a component of geo-political conflict. Alarmingly, offensive cyber tools are becoming commonplace, lowering the bar for rogue nations, jihadists and hacktivists to get into the ICS attack game. And, cyber-criminals are figuring out that ICS networks are critical and therefore valuable, meaning it is only a matter of time until we see major ransomware trends in ICS.

  4. Tomi Engdahl says:

    New SCADA Flaws Allow Ransomware, Other Attacks

    Mission-critical control systems that don’t pose an obvious risk can be hijacked and leveraged for attacks by profit-driven cybercriminals and other threat actors, researchers warned.

    Proof-of-concept (PoC) ransomware designed to target industrial control systems (ICS) was described recently by security firm CRITIFENCE and researchers at the Georgia Institute of Technology.

    These attacks focused on programmable logic controllers (PLCs), which are often critical for operations and can represent a tempting and easy target for malicious actors. However, Alexandru Ariciu, ICS security consultant at Applied Risk, disclosed another potential target on Thursday at SecurityWeek’s 2017 Singapore ICS Cyber Security Conference.

    Ariciu showed that ransomware attacks, which he has dubbed “Scythe,” can also target SCADA devices that are inconspicuous and which may be considered less risky.

    Affected vendors have not been named, but the devices have been described by the expert as various types of I/O systems that stand between field devices and the OPC server (e.g. remote terminal units, or RTUs). The devices are powered by an embedded operating system and they run a web server.

    Thousands of these systems are easily accessible from the Internet, allowing attackers to hijack them by replacing their firmware with a malicious version.

  5. Tomi Engdahl says:

    Intel AMT Firmware Vulnerability CVE-2017-5689

    Intel AMT Firmware remote code execution vulnerability of May 1, 2017 (CVE-2017-5689).
    Your servers are in danger now through Intel AMT technology!

  6. Tomi Engdahl says:

    Develop safety through security

    Safety implications of security often end up overlooked and companies need to learn how to assess, manage and mitigate risks for industrial security.

    As organizations implement connected, information-enabled architectures to improve productivity, efficiency and safety, industrial security cannot be too far behind.

    Whether it’s remote access to production machinery, wireless access to pumping stations, or connecting plant-floor equipment to the IT infrastructure, greater connectivity can provide significant improvements in productivity and safety. But it also increases risks—not only to intellectual property, profits and mission-critical production assets, but also to people and the environment.

    The connected enterprise unites people, processes and things. It brings together enterprise-level IT and plant-level operations technology (OT) systems into a common network infrastructure. And it harnesses the power of enabling technologies, from data and analytics software to smart devices that make up the Internet of Things (IoT).

    What does this mean for manufacturers and industrial operators? It means production intelligence for measuring and improving nearly every aspect of their operations, including quality, productivity, uptime and overall equipment effectiveness (OEE). It means enterprise-wide connectivity for instantaneous information sharing and seamless collaboration across an organization. It means remote monitoring of critical production assets and systems dispersed across remote locations.

    For all the opportunities, however, there are also risks. More connection points can create more entrance points for security threats. These threats can be physical or digital, internal or external, and malicious or unintentional. And they can pose a danger in many ways, including intellectual property loss, disrupted operations and compromised product quality.

    Safety as attack vector

    Breached machine- and process-safety systems can create cascading safety consequences.

    For starters, compromised safety systems that don’t stop machines when they reach a dangerous state or when a safety device ends up triggered can expose workers to the very threat they should receive protection from. Additionally, safety systems that aren’t able to stop production beyond certain operating conditions can expose other employees or an entire plant to risks, such as fires, chemical leaks or explosions.

    The risks can be especially high in industries where employees work with hazardous or volatile materials, such as in chemical manufacturing. And the risks will only grow as collaborative robotics become more prevalent, with employees and robots working side-by-side on production lines.

  7. Tomi Engdahl says:

    Fuzzing Tests Show ICS Protocols Least Mature

    Fuzzing tests conducted last year by customers of Synopsys, a company that provides tools and services for designing chips and electronic systems, revealed that protocols used in industrial control systems (ICS) are the least mature.

    Fuzzing is a testing technique designed for finding software vulnerabilities by sending malformed input to the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw and further investigation is warranted. If the number of crashes is high and the time to first failure (TTFF) is short, the likelihood of exploitable vulnerabilities increases.

    Synopsys’ State of Fuzzing 2017 report is based on 4.8 billion results obtained in 2016 from tests targeting 250 protocols used in industrial, Internet of Things (IoT), automotive, financial services, government, healthcare and other sectors.

    In the case of ICS, Synopsys customers tested protocols such as IEC-61850 MMS, IEC-104 Server, Modbus PLC, OPC UA, DNP3 and MQTT. There are also some protocols used for both ICS and IoT, including CIP and CoAP Server.

    Many of these protocols had the TTFF within five minutes. Modbus, for instance, had 37 failures after 1.5 million tests and an average test runtime of 16 minutes. The OPC UA protocol had over 16,000 failures with a testing runtime of 4.5 hours.

    In comparison, the Address Resolution Protocol (ARP), which is used to convert an IP address into a physical address and is the most mature protocol, had zero failures after over 340,000 tests with an average runtime of 30 hours.

    Four of the five least mature protocols, based on average TTFF, are ICS protocols, including IEC-61850 MMS, Modbus PLC, DNP3 and MQTT.

    “The protocols typically associated with ICS showed the most immaturity,”

    “Many demonstrated rapid time to first failures, with IEC-61850 MMS measured in a matter of seconds. This has bearing on IoT, as many of the protocols used in ICS are also used in IoT. Clearly, more testing is needed for the protocols within ICS and IoT, as the potential for discovering more vulnerabilities is greater in these industry verticals than in others.”

    State of Fuzzing 2017

    Fuzzing is a proven technology used to find vulnerabilities in software by sending malformed input to a target and observing the result. If the target behaves unexpectedly or crashes, then further investigation is required. That investigation may expose a vulnerability that may be exploited for malicious purposes. Fuzzing is equally valuable to those who develop software and those who consume it. It plays a role in the implementation, verification, and release phases of the software development life cycle (SDLC) and can be a vital indicator of undetected vulnerabilities (zero days) that may affect the integrity of systems already in use. The real goal of fuzzing is not merely to crash a program but to hijack it
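    As an added illustration of the fuzzing metrics this comment describes (failure count and time to first failure) applied to a Modbus/TCP parser, written for this page and not taken from Synopsys' report or any vendor's protocol stack; the two parsers, the seed frame and the mutation strategy are constructed assumptions.

```python
import random
import struct
import time
# Constructed example for this page (not Synopsys' fuzzer or any vendor stack):
# naive and hardened Modbus/TCP parsers plus a mutation fuzzer reporting TTFF.
MBAP_LEN = 7  # transaction id(2) protocol id(2) length(2) unit id(1)
SEED = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)  # FC 3: read 10 regs @0
class ModbusError(ValueError):
    """Clean rejection of a malformed frame; not counted as a failure."""
def parse_naive(frame):
    # Trusts the length field and slices blindly: crashes on odd inputs.
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    addr, qty = struct.unpack(">HH", frame[8:8 + length - 2])
    return {"tid": tid, "uid": uid, "fc": frame[MBAP_LEN], "addr": addr, "qty": qty}
def parse_hardened(frame):
    # Validates each field before use, so malformed input is rejected cleanly.
    if len(frame) < MBAP_LEN + 1:
        raise ModbusError("truncated frame")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0 or length != len(frame) - 6 or length > 254:
        raise ModbusError("bad protocol id or length field disagrees with frame")
    if frame[MBAP_LEN] != 0x03 or length != 6:
        raise ModbusError("unsupported function code or wrong PDU length")
    addr, qty = struct.unpack(">HH", frame[8:12])
    if not 1 <= qty <= 125:
        raise ModbusError("register quantity out of range")
    return {"tid": tid, "uid": uid, "fc": 3, "addr": addr, "qty": qty}
def mutate(frame, rng):
    # One random mutation per test case: overwrite, delete or insert a byte.
    data, op = bytearray(frame), rng.randrange(3)
    if op == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and len(data) > 1:
        del data[rng.randrange(len(data))]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)
def fuzz(parser, seed=SEED, iterations=2000, rng_seed=1):
    # A failure is any exception other than ModbusError (a crash in a real stack).
    rng, failures, ttff = random.Random(rng_seed), 0, None
    start = time.perf_counter()
    for i in range(iterations):
        try:
            parser(mutate(seed, rng))
        except ModbusError:
            continue
        except Exception:
            failures += 1
            ttff = ttff or (i + 1, time.perf_counter() - start)  # (case, seconds)
    return {"failures": failures, "ttff": ttff}
```

    The naive parser fails within the first few cases while the hardened one reports zero failures over the same run, which is the gap between the immature and mature protocols in the report.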

