ICS Companies Are Worried About Cybersecurity, But Are They Worried About Right Things?

http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html

The equipment was expected to be installed and left alone for a long time. Pressures to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not security in an ICS environment. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment.

ICS vendors’ traditional development model didn’t accommodate regular patches and updates so it is quite likely that companies with ICS equipment are forced to consider other security tools than vulnerability scanning and patch management.

Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months. 

“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”

131 Comments

  1. Tomi Engdahl says:

    Understanding industrial control systems security basics
    https://www.controleng.com/single-article/understanding-industrial-control-systems-security-basics/c9a78f9f00dd6209b36325e0f9ec9197.html

    Cover story: It’s critical to implement an in-depth cybersecurity plan to help protect industrial control systems (ICSs) against a cyber attack. Identify threats, vulnerabilities, standards, and documents.

    An industrial control system (ICS) is a general term used for any distributed control system (DCS), programmable logic controller (PLC), supervisory control and data acquisition (SCADA) or any automation system used in industrial environments that includes critical infrastructures. ICS security is designed to protect the system from any interference either intentional or unintentional, which may lead to unintended ICS operations.

    Industrial control system security

    ICS security can be very broadly categorized as cybersecurity. Though the word “cybersecurity” implies the intention is to look at only the “internet” connection, that is not the case when it comes to ICS environments.

    The necessity of ICS security is sought after even more now that the number of threats has increased. Regulations are being enforced and companies have a legal, moral, and financial obligation to limit the risk. IEC 61511:2016 – Functional Safety – Safety instrumented systems for the process industry sector also demands security assessments on safety instrumented system (SIS) design in control systems.

    Because of the recent outcry over cyberattacks, ICS security has received more attention as a necessity to protect against external hackers. However, cybersecurity is one part of ICS security; threats against modern control systems come in many forms.

    Identify threats
    Identify ICS security vulnerabilities

    Security standards for ICSs

    Some of the main standards are:

    ISA99 – Industrial Automation and Control Systems Security /IEC 62443 series of standards
    The National Institute for Standards Technology (NIST) SP 800-82 – Guide to Industrial Control Systems Security standard
    The North American Electric Reliability Council CIP series of standards.

    The following are other industry and sector-specific standards:

    The American Petroleum Institute (API) 1164 – Pipeline SCADA Security
    Chemical Sector Cyber Security Program
    American Water Works Association (AWWA) G430-09 Security Practices for Operation and Management.

    A proper risk assessment should occur to suit the organization’s needs. The risk assessment may include:

    The plan
    The test environment
    Metrics and documentation.

    Tools such as implementing a virtual private network (VPN), an intrusion detection system (IDS), and a paired firewall with a demilitarized zone (DMZ) are tools to use to strengthen the network against threats. Firewall programming needs to start with “deny all” access and permit access to specific IP address TCP/UDP ports later on.

    Reply
  2. Tomi Engdahl says:

    Data center infrastructure often an overlooked security risk: Report
    http://www.cablinginstall.com/articles/pt/2018/04/data-center-infrastructure-often-an-overlooked-security-risk-report.html?cmpid=enl_cim_cim_data_center_newsletter_2018-04-24&pwhid=e8db06ed14609698465f1047e5984b63cb4378bd1778b17304d68673fe5cbd2798aa8300d050a73d96d04d9ea94e73adc417b4d6e8392599eabc952675516bc0&eid=293591077&bid=2078269

    Maria Korolov of Data Center Knowledge notes that “in the rush to secure networks, servers, and endpoint devices many organizations overlook the risks hidden in the physical infrastructure necessary to keep data centers operating. Power supplies, heating and cooling systems, even security systems themselves can all be entry points for both determined threat actors and casual attackers who scan the internet for insecure access points. One of the most high-profile attacks in recent times, the Target breach, involved a third-party HVAC provider.”

    Data Center Infrastructure, the Often-Overlooked Security Risk
    http://www.datacenterknowledge.com/security/data-center-infrastructure-often-overlooked-security-risk

    Power supplies, cooling systems, even security systems themselves can all be entry points for attackers.

    One of the most high-profile attacks in recent times, the Target breach, involved a third-party HVAC provider.

    “The bad guys are going after anything that’s open and available,” said Bob Hunter, founder and CEO at AlphaGuardian Networks.

    Take, for example, rack power distribution units. Since data center administrators need to know what’s going on with the power to their servers, the PDUs typically offer either local or remote monitoring, but the security on these systems is extremely weak.

    Hackers can get in and hijack systems for ransom, or, more frequently and insidiously, keep their access a secret in order to steal data or compute cycles.

    Network segmentation is a good security principle, he added, but it only serves to slow down attackers, not stop them completely.

    “Segmentation is a speed bump,” he said. “In the Target break, the building management system was on a physically separate network from the data itself, so they had to jump from one to the other. It took a while to do that, but at the end of the day, they were able to do it.”

    And the people responsible for infrastructure security are often busy with other tasks, such as maintaining data center operations, he added.

    “To add additional complexity, the industrial control systems were not designed with security in mind,” said Niall Browne, CSO at Domo, a business intelligence company. “They often have default passwords and have not been patched in years, as the manufacturer was slow to release upgrades, or the customer was hesitant to deploy them for fear of causing a service interruption to critical functions.”

    “The customer leaves their back doors open and gets hacked; that can shut down the entire data center eventually.”

    It’s one of the biggest vulnerabilities in the data center, Hunter said.

    “Everyone wants remote access to the PDUs, because they want to remotely reboot their PDUs if the server goes down,” he said.

    Ponemon Institute recently released a survey of risk professionals, in which 97 percent said that unsecured internet-enabled devices could be catastrophic for their organizations.

    “If it has an IP address, it can be hacked and needs to be secured,” said Mike Jordan, senior director at consulting firm The Santa Fe Group. “You can slap an IP address on anything these days. Data center infrastructure is no exception, and it makes subcontracting support of data center infrastructure like HVAC, security cameras, and power management more compelling.”

    However, only 9 percent of survey respondents said they were fully aware of all the physical devices in their environment that were connected to the internet.

    Reply
  3. Tomi Engdahl says:

    Internet Exposure, Flaws Put Industrial Safety Controllers at Risk of Attacks
    https://www.securityweek.com/internet-exposure-flaws-put-industrial-safety-controllers-risk-attacks

    SINGAPORE — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE | SINGAPORE — Researchers have discovered a potentially serious vulnerability in industrial safety controllers and a significant number of the impacted devices are directly exposed to the Internet, making it easy for malicious actors to launch attacks and possibly cause damage.

    Safety systems are designed to prevent incidents in industrial environments by restoring processes to a safe state or shut them down if parameters indicate a potentially hazardous situation. While these devices play an important role in ensuring physical safety, they can and have been targeted by malicious hackers. The best example is the Triton/Trisis/Hatman attack, which leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers.

    Researchers at industrial cybersecurity firm Applied Risk have analyzed safety controllers from several major vendors, including Siemens, ABB, Rockwell Automation’s Allen Bradley, Pilz, and Phoenix Contact.

    The research is ongoing, but they have identified a denial-of-service (DoS) flaw that may affect several products.

    The security hole can be leveraged to cause the device to enter a DoS condition by sending it a specially crafted TCP packet. Specifically, the attack relies on EtherNet/IP, one of the most widely used industrial network protocols.

    All impacted vendors have been informed. Rockwell Automation, which has assigned CVE-2017-9312 to this vulnerability, is expected to release a patch and an advisory sometime in May.

    Given the significant role of safety controllers in industrial environments, causing a device to enter a DoS condition could have serious consequences, including physical damage to equipment and physical harm to people.

    Reply
  4. Tomi Engdahl says:

    Defense in Depth

    Defense in depth is defined in the Schneider Electric white paper, “Practical Overview of Implementing IEC 62443 Security Levels in Industrial Control Applications,” as the coordinated use of security countermeasures to protect the integrity of information assets in a network. The following are the six steps required to implement a defense in depth strategy, according to Schneider Electric.

    Create a Security Plan – The most important step in the overall defense in depth process involves creating a security plan. In the security plan, personnel create a detailed audit of all of the equipment connected to the industrial control network, map how the equipment is connected, review the security configuration of equipment, and assess potential system vulnerabilities. The security plan includes the impacts of products, architectures, people, and corporate processes. A completed security plan is required before any additional steps can be taken to improve system security. Otherwise, the personnel may think a system is secure without being cognizant of potential attack vectors.
    Separate Networks – Once a detailed network map is created in the security plan, networks can be separated by a major function. An example would be dividing a network into an enterprise, plant, process, and field zones. All conduits between the zones should be identified.
    Perimeter Protection – In this step, conduits between zones are properly protected. An important part in this step includes securing remote access.
    Network Segmentation – In this step, zones created in step two can be divided into smaller zones based on location or function. The perimeters of these segmented zones are protected. It is important to note that the security level assigned to each zone can vary. For example, the security level tied to equipment in a monitoring role can be set to Level 1, while the security level ascribed to a safety system can be set to Level 3. The level of each segmented zone does not have to be same as its neighbors.
    Device Hardening – Adding features to ICS devices to improve their ability to withstand a cyberattack. This reduces the likelihood that network elements will be compromised should a hacker gain access to a network.
    Monitor and Update – Actively monitoring the network activity to detect potential threats, and patch products as new software/firmware is made available to address vulnerabilities or to add security features.

    Sources:
    http://scnavigator.avnet.com/article/april-2018/building-effective-cyber-hygiene-into-the-connected-supply-chain/
    https://www.schneider-electric.com/en/download/document/998-20186845/

    Reply
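The "deny all, then permit specific IP address and TCP/UDP port" firewall rule quoted in comment 1 and the zones, conduits and per-zone security levels of the defense-in-depth steps above can be exercised together in a small policy checker. The Python below is an added example written for this page; it is not code from Control Engineering, Schneider Electric or the IEC 62443 standard. The zone layout, address ranges, conduits and observed flows are constructed sample data, and the security level numbers are illustrative targets rather than values taken from the white paper.

```python
"""Zone-and-conduit flow checker (added illustration, not code from the
quoted articles). It models the IEC 62443 idea of zones with security
levels, explicitly identified conduits between them, and a firewall policy
that starts from "deny all" and permits only specific source zone,
destination zone, protocol and port tuples. All zones, addresses and
flows below are constructed sample data."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    network: ipaddress.IPv4Network
    security_level: int  # illustrative SL target, 1 (lowest) .. 4


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


# Constructed sample architecture: enterprise, plant DMZ, process, field.
ZONES = [
    Zone("enterprise", ipaddress.ip_network("10.0.0.0/16"), 1),
    Zone("dmz", ipaddress.ip_network("10.1.0.0/24"), 2),
    Zone("process", ipaddress.ip_network("192.168.10.0/24"), 3),
    Zone("field", ipaddress.ip_network("192.168.20.0/24"), 3),
]

# Explicitly identified conduits. Anything not listed here is denied.
CONDUITS = [
    Rule("enterprise", "dmz", "tcp", 443),  # historian replica over HTTPS
    Rule("dmz", "process", "tcp", 44818),   # EtherNet/IP explicit messaging
    Rule("process", "field", "tcp", 502),   # Modbus/TCP to field devices
]


def zone_of(addr: str) -> Optional[Zone]:
    """Map an address to the zone whose network contains it, if any."""
    ip = ipaddress.ip_address(addr)
    for zone in ZONES:
        if ip in zone.network:
            return zone
    return None


def evaluate(flow: Flow) -> str:
    """Return 'permit' or a deny reason. The default outcome is deny."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        return "deny: address outside every defined zone"
    if src.name == dst.name:
        return "permit"  # intra-zone traffic is segmented separately
    if Rule(src.name, dst.name, flow.proto.lower(), flow.port) in CONDUITS:
        return "permit"
    if src.security_level < dst.security_level:
        return (f"deny: no conduit from SL{src.security_level} zone {src.name} "
                f"into SL{dst.security_level} zone {dst.name}")
    return f"deny: no conduit {src.name}->{dst.name} {flow.proto}/{flow.port}"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate a batch of observed flows, e.g. parsed from a firewall log."""
    return [(f, evaluate(f)) for f in flows]


# Constructed observed flows.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.1.0.10", "tcp", 443),        # uses the allowed conduit
    Flow("10.0.5.20", "192.168.10.5", "tcp", 44818),   # enterprise straight to process
    Flow("192.168.10.7", "192.168.20.9", "tcp", 502),  # process -> field Modbus
    Flow("192.168.10.7", "192.168.20.9", "udp", 161),  # SNMP to field, not a conduit
    Flow("172.16.0.1", "192.168.20.9", "tcp", 502),    # source outside every zone
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.port:<5} {verdict}")
```

Running the block prints one verdict per sample flow; in practice the same `evaluate` function can be fed flows parsed from firewall logs to find traffic that bypasses the identified conduits, which is the "monitor" half of the defense-in-depth steps.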
  5. Tomi Engdahl says:

    Cyber Risks in Additive Manufacturing Threaten to Unravel the Digital Thread
    http://scnavigator.avnet.com/article/april-2018/cyber-risks-in-am-threaten-to-unravel-the-digital-thread/

    Wherever data and information are transmitted, used, or accessed, companies must anticipate that someone, somewhere may try to exploit those data and information for personal gain, or to inflict harm or damage. For organizations deploying additive manufacturing (AM) technology, acknowledging this sad reality is not just a business imperative, but potentially a true matter of life and death.

    AM is one area where cyber risk poses an especially significant danger. Potential uses for AM span numerous industries as a way to address supply chain challenges associated with unpredictable inventory and expensive-to-produce parts in remote locations. However, the very nature of additive manufacturing technology, with its reliance on digital data files and connectivity to transmit them, leaves it open to significant security exposures, from product malfunctions to intellectual property theft and brand risk, along with other new threats conventional manufacturers may not face.

    The data generated about an object during the AM design and production processes, for example, can be considerable, generating a strand of information that runs through the AM object’s lifespan known as the “digital thread”.

    “To maintain the integrity of the AM supply chain, organizations must recognize that the intrinsic value of their business may be shifting from the end product to the information that enables that end product.”

    Reply
  6. Tomi Engdahl says:

    Threat intelligence is a critical organizational need
    https://www.plantengineering.com/single-article/threat-intelligence-is-a-critical-organizational-need/3e297e86bde11f5c4c5ac32790a72b1f.html

    Cover story: Continuous threat intelligence collection, analysis, and optimization can help organizations improve cybersecurity measures.

    Facility owners should define what they hope to achieve from threat intelligence, including:

    Types of alerts needed
    Vendor news
    How intelligence is collected, reported and communicated to relevant stakeholders
    Analysis process
    How threat intelligence would be used.

    Reply
  7. Tomi Engdahl says:

    Microsoft Unveils New Solution for Securing Critical Infrastructure
    https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure

    Microsoft last week unveiled Trusted Cyber Physical Systems (TCPS), a new solution designed to help protect critical infrastructure against modern cyber threats.

    Microsoft provided the recent Triton and NotPetya attacks as examples of significant threats hitting critical infrastructure. Triton was used in a highly targeted campaign aimed at an organization in the Middle East, while NotPetya disrupted the operations of several major companies, with many reporting losses of hundreds of millions of dollars.

    Microsoft’s TCPS project aims to address these types of threats by providing end-to-end security through hardware, software and trust mechanisms that should help organizations ensure they don’t lose control over critical systems.

    Cyber-physical systems (CPS) are referred to as Internet-of-Things (IoT) in an industrial context. TCPS is based on four main principles: separating critical from non-critical operations through hardware isolation; ensuring that the code responsible for critical operations can be audited; the ability of each component to process data only from trustworthy sources and each component being able to attest its trustworthiness to other components; and reducing the attack surface by reducing the number of trusted entities.

    One crucial component in providing end-to-end security involves trusted execution environments (TEE), Microsoft said. TEE includes Secure Elements (e.g. chip on a credit card), Intel’s Software Guard Extensions (SGX), ARM TrustZone, and Trusted Platform Modules (TPMs) and DICE-capable microcontrollers from the Trusted Computing Group.

    TEE offers several advantages from a security viewpoint, including the fact that code running in a TEE is small and thus has a minimal attack surface, the code is considered trusted, all the data is encrypted, and the TEE hardware ensures that software running outside the trusted environment cannot break in.

    Reply
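The TCPS principle that each component "attests its trustworthiness to other components" can be illustrated with a simplified measured-boot challenge-response. The Python below is an added example for this page, not Microsoft's TCPS code and not a TPM or DICE implementation: it folds firmware stage hashes into a register the way a TPM PCR extend operation does, and answers a verifier's nonce challenge with an HMAC under a device key that is assumed to live in a TEE or secure element. Real designs use an asymmetric device identity with a certificate chain rather than a shared key; the firmware images, the key and the nonce handling here are all constructed.

```python
"""Simplified measured-boot attestation between two components (added
illustration; not Microsoft's TCPS code). Each firmware stage is hashed
and folded into a register in the style of a TPM PCR extend, and the
device answers a verifier's challenge with an HMAC over the register and
a fresh nonce. The device key stands in for a key kept inside a TEE or
secure element (an assumption); production designs use an asymmetric
identity key and certificate chain instead. Firmware images and keys
below are constructed sample data."""

import hashlib
import hmac
import secrets
from typing import Dict, List


def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: new = H(old || H(component)). Order of stages matters."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_boot(stages: List[bytes]) -> bytes:
    """Fold every boot stage into a register that starts at all zeros."""
    reg = bytes(32)
    for stage in stages:
        reg = extend(reg, stage)
    return reg


class Device:
    """A component whose key is assumed to be held in protected hardware."""

    def __init__(self, device_key: bytes, firmware_stages: List[bytes]):
        self._key = device_key
        self.measurement = measure_boot(firmware_stages)

    def quote(self, nonce: bytes) -> Dict[str, bytes]:
        """Authenticate the current measurement together with the verifier's nonce."""
        mac = hmac.new(self._key, self.measurement + nonce, hashlib.sha256).digest()
        return {"measurement": self.measurement, "nonce": nonce, "mac": mac}


class Verifier:
    """A peer that trusts only components whose measurement matches its golden value."""

    def __init__(self, device_key: bytes, golden_stages: List[bytes]):
        self._key = device_key
        self.golden = measure_boot(golden_stages)
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, q: Dict[str, bytes]) -> bool:
        # Freshness: the nonce must be one we issued and not yet consumed.
        if q["nonce"] not in self._outstanding:
            return False
        self._outstanding.discard(q["nonce"])
        expected = hmac.new(self._key, q["measurement"] + q["nonce"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["mac"]):
            return False
        # Trust only the known-good firmware measurement.
        return hmac.compare_digest(q["measurement"], self.golden)


# Constructed sample: a known-good two-stage firmware and a tampered variant.
GOLDEN_STAGES = [b"bootloader v1 (constructed)", b"controller logic v7 (constructed)"]
TAMPERED_STAGES = [b"bootloader v1 (constructed)", b"controller logic v7 (constructed) + injected"]
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # constructed


def attest(device: Device, verifier: Verifier) -> bool:
    """One challenge-response round; returns the verifier's decision."""
    nonce = verifier.challenge()
    return verifier.verify(device.quote(nonce))


def demo() -> Dict[str, bool]:
    verifier = Verifier(DEVICE_KEY, GOLDEN_STAGES)
    good = Device(DEVICE_KEY, GOLDEN_STAGES)
    bad = Device(DEVICE_KEY, TAMPERED_STAGES)
    results = {
        "genuine firmware": attest(good, verifier),
        "tampered firmware": attest(bad, verifier),
    }
    # Replay: a quote over a nonce the verifier never issued is rejected.
    stale = good.quote(secrets.token_bytes(16))
    results["replayed quote"] = verifier.verify(stale)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:<18} -> {'trusted' if ok else 'rejected'}")
```

The tampered device holds the same key as the genuine one and still fails, because the verifier compares the attested measurement against its golden value rather than trusting the key alone; that is the "process data only from trustworthy sources" principle in the article expressed as a check the receiving component performs.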
  8. Tomi Engdahl says:

    Schneider Electric Development Tools Affected by Critical Flaw
    https://www.securityweek.com/schneider-electric-development-tools-affected-critical-flaw

    Security firm Tenable has disclosed the details of a critical remote code execution vulnerability affecting Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition products.

    InduSoft Web Studio is a toolset designed for developing human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions, and InTouch Machine Edition is an HMI/SCADA development tool that can be used for both advanced applications and small-footprint embedded devices. The products are used worldwide in the manufacturing, oil and gas, water and wastewater, automotive, building automation, and renewable energy sectors.

    “The vulnerability is similar to CVE-2017-14024 in that it involves calling mbstowcs() in TCPServer.dll. However, this new vulnerability leverages command 50 instead of command 49. The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service, by default on TCP port 1234,” Tenable explained.

    Reply
  9. Tomi Engdahl says:

    Vlad that’s over: Remote code flaws in Schneider Electric apps whacked
    Putin the patch, critical infrastructure firms warned
    https://www.theregister.co.uk/2018/05/02/security_firm_uncovers_zeroday_exploit_in_critical_infrastructure_software/

    Infosec researchers at Tenable Security have unearthed a remote code execution flaw in critical infrastructure software made by energy management multinational Schneider Electric.

    The vulnerability could have allowed miscreants to control underlying critical infrastructure systems, researchers said.

    The apps affected – used widely in oil and gas, water and other critical infrastructure facilities – were InduSoft Web Studio and InTouch Machine Edition.

    Reply
  10. Tomi Engdahl says:

    Microsoft Unveils New Solution for Securing Critical Infrastructure
    https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure

    Microsoft last week unveiled Trusted Cyber Physical Systems (TCPS), a new solution designed to help protect critical infrastructure against modern cyber threats.

    Microsoft provided the recent Triton and NotPetya attacks as examples of significant threats hitting critical infrastructure. Triton was used in a highly targeted campaign aimed at an organization in the Middle East, while NotPetya disrupted the operations of several major companies, with many reporting losses of hundreds of millions of dollars.

    Microsoft’s TCPS project aims to address these types of threats by providing end-to-end security through hardware, software and trust mechanisms that should help organizations ensure they don’t lose control over critical systems.

    Cyber-physical systems (CPS) are referred to as Internet-of-Things (IoT) in an industrial context. TCPS is based on four main principles: separating critical from non-critical operations through hardware isolation; ensuring that the code responsible for critical operations can be audited; the ability of each component to process data only from trustworthy sources and each component being able to attest its trustworthiness to other components; and reducing the attack surface by reducing the number of trusted entities.

    One crucial component in providing end-to-end security involves trusted execution environments (TEE), Microsoft said. TEE includes Secure Elements (e.g. chip on a credit card), Intel’s Software Guard Extensions (SGX), ARM TrustZone, and Trusted Platform Modules (TPMs) and DICE-capable microcontrollers from the Trusted Computing Group.

    Reply
  11. Tomi Engdahl says:

    Siemens Patches DoS Flaws in Medium Voltage Converters
    https://www.securityweek.com/siemens-patches-dos-flaws-medium-voltage-converters

    Siemens has released updates for many of its SINAMICS medium voltage converters to address two remotely exploitable denial-of-service (DoS) vulnerabilities.

    According to advisories published by ICS-CERT and Siemens, the flaws impact SINAMICS GH150, GL150, GM150, SL150, SM120 and SM150 converters, which are used worldwide in the energy, chemical, critical manufacturing, water and wastewater, and food and agriculture sectors.

    Siemens patches two DoS vulnerabilities in SINAMICS medium voltage converters

    The more serious of the flaws, identified as CVE-2017-12741 and classified “high severity,” can be exploited to cause a DoS condition by sending specially crafted packets to the device on UDP port 161.

    Reply
  12. Tomi Engdahl says:

    ‘Allanite’ Group Targets ICS Networks at Electric Utilities in US, UK
    https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk

    A threat actor has been targeting business and industrial control networks at electric utilities in the United States and United Kingdom, according to industrial cybersecurity firm Dragos.

    The group, tracked as “Allanite,” has been linked to campaigns conducted by Dragonfly (aka Energetic Bear and Crouching Yeti) and Dymalloy, which Dragos discovered while analyzing Dragonfly attacks.

    According to Dragos, a report published by the DHS in October 2017 combined Dragonfly attacks with Allanite activity.

    Allanite leverages phishing and watering hole attacks to gain access to targeted networks. The group does not use any malware and instead relies on legitimate tools often available in Windows, Dragos says.

    In July 2017, US officials told the press that the hackers had not gained access to operational networks, but Dragos confirmed third-party reports that Allanite did in fact harvest information directly from ICS networks.

    Dragos believes with moderate confidence that the threat actor gains access to industrial systems in an effort to obtain information needed to develop disruptive capabilities and be ready in case it decides to cause damage. However, the security firm says the group has yet to actually cause any disruption or damage.

    Reply
  13. Tomi Engdahl says:

    Advice from the Triton cybersecurity incident
    https://www.controleng.com/single-article/advice-from-the-triton-cybersecurity-incident/ff45641b315e192fc76714047a4d488f.html

    Cybersecurity incident: Human errors enabled it, but the Triconex safety controller shut down the plant as designed, say experts with Schneider Electric and ARC Advisory Group. But it’s still a call to action for industry. Have you implemented changes since then?

    Breach of an industrial, triple-redundant safety controller should dispel any thought hackers might not care about industrial facilities or that process controls are low-risk cybersecurity targets. All facilities, even if already heeding advice from Schneider Electric and ARC Advisory Group, need to have a response plan in place. The Aug. 4, 2017, cyberattack on a Triconex safety system that included the first instance of process safety system-specific malware, dubbed TRITON, was described in a media and analyst lunch on Feb. 13. That triple-redundant safety controller brand is part of the Schneider Electric EcoStruxure Triconex safety instrumented system (SIS). A summary of advice from each expert follows.

    Cybersecurity wake-up call

    Gary Williams, senior director, technology, cybersecurity and communications, Schneider Electric, explained that because of how the Triton cyberattack was executed – the attack vector – it is a call to action for everyone associated with this industry. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    Multiple cybersecurity lapses allowed a safety controller breach. Gary Williams, senior director, technology, cybersecurity and communications, Schneider Electric, said this is an industry call to action. A Triconex controller model 3008, brought to market in 2001 and installed as part of a large automation project in 2007, was affected by a security breach. When the controller picked up an anomaly in the malware the attackers injected into its code, the controller reacted as it was intended: It safely brought the plant to a safe state via a shutdown on Aug. 4, 2017.

    Upon being notified of the shutdown, Schneider Electric worked closely with the end user, independent cybersecurity organizations and the U.S. Department of Homeland Security/ICS-CERT and others to investigate the incident. The evidence they gathered indicates multiple security lapses allowed the breach to occur.

    A remote attacker, through a corporate system, logged onto a machine and was playing with code. An individual made an error not specific to the controller and exposed it to remote access through Microsoft XP [no longer supported] software. Practices outlined in controller documentation, and in the IEC 62443 series of standards on industrial automation and control systems (IACS) from the ISA99 Industrial Automation and Control Systems Security committee, if followed, would have prevented the breach.

    Don’t panic; assess risks

    Larry O’Brien, vice president research for process automation, ARC Advisory Group, said there are ways to execute a response to and defend against a systemic, multiphase cybersecurity attack. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    Reconsider cybersecurity processes, procedures, and training. Larry O’Brien, vice president research for process automation, ARC Advisory Group, said the industry shouldn’t panic, but it should reconsider best practices regarding processes, procedures, and people. There are ways to execute a response to and defend against a systemic, multiphase attack.

    In this same incident, the attack(s) breached another vendor’s distributed control system (DCS); so while the shutdown was initiated as designed, it’s better not to suffer a breach and shut down a process.

    Other human errors on site, including leaving the controller’s keyswitch in program mode while it was in operation and leaving the controller cabinets unlocked, added significant risk for a cybersecurity attack. To lower the risks of such incidents, customers should continue to apply cybersecurity best practices across their operations, as well as always implement the instructions vendors provide within their systems documentation. For example, a recommended practice is to dedicate a laptop for use with the DCS and not let anyone else or anything connect to it.

    Schneider Electric’s open and helpful response to this incident has been applauded and should be a blueprint for other vendors’ responses because this won’t be the last incident.

    What’s the attraction for hackers? By reprogramming the DCS and the safety system, attackers can push the plant into an unsafe state without those at the plant and the safety system realizing it. That means if an incident occurred, the expected result, i.e., the safety system shutting down the plant, wouldn’t happen. Idaho National Labs demonstrated such a DCS spoofing event at least 10 years ago.

    Program mode, cybersecurity standards

    Eric Cosman, contributing consultant, ARC Advisory Group and co-chair of ISA99 Industrial Automation and Control Systems Security committee, said leaving a controller key in program position is inexcusable. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    Have any of your controllers been left in program mode?

    Three best practices follow.

    Gary Freburger, president, process automation, Schneider Electric, said attacks on industrial systems are an international threat to public safety that can only be addressed and resolved through transparency and collaboration that go beyond borders and competitive interests. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    1. Commit to educate and address people, processes, and technologies with a relentless drive to publish and standardize best practices and share information.

    2. Use common standards across all equipment and across multiple providers, with feedback and guidance from those involved.

    3. Ensure collaboration through transparency. Don’t say or believe anything is secure. A lot of people are trying to get into these systems. Everyone needs to respond correctly knowing what was done before, to know how to correct it.

    Reply
  14. Tomi Engdahl says:

    Understanding industrial control systems security basics
    https://www.controleng.com/single-article/understanding-industrial-control-systems-security-basics/c9a78f9f00dd6209b36325e0f9ec9197.html

    Cover story: It’s critical to implement an in-depth cybersecurity plan to help protect industrial control systems (ICSs) against a cyber attack. Identify threats, vulnerabilities, standards, and documents.

    Reply
  15. Tomi Engdahl says:

    Hacking train Wi-Fi may expose passenger data and control systems
    Researcher finds security hotspots on some rail networks
    https://www.theregister.co.uk/2018/05/11/train_wifi_hackable_on_some_networks/

    Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers’ credit card information, according to infosec biz Pen Test Partners this week.

    The research was conducted over several years, said Pen Test’s Ken Munro. “In most cases they are pretty secure, although whether the Wi-Fi works or not is another matter,” he added.

    But in a handful of cases Munro was able to bridge the wireless network to the wired network and find a database server containing default credentials, enabling him to access the credit card data of customers paying for the Wi-Fi, including the passenger’s name, email address and card details.

    He said he was not aware of any incidents of networks being compromised but warned in the worst-case scenario it might be possible for miscreants to take control of the train. “It might be possible, and this is speculation, to lock the braking system.”

    Munro refused to name the operators affected by the weak security set-up – the vulnerabilities still exist.

    Part of the problem is a lack of segregation between the Wi-Fi networks.

    Hacking train passenger Wi-Fi
    https://www.pentestpartners.com/security-blog/hacking-train-passenger-wi-fi/

    Reply
  16. Tomi Engdahl says:

    Security Gaps Remain as OT, IT Converge
    https://www.securityweek.com/security-gaps-remain-ot-it-converge

    The accelerating digitization of business, driven by compelling commercial arguments, is driving the integration of new information technology (IT) networks with older operational technology (OT) networks. This is introducing new security risks to old technology and old technology practices — and where the OT is driving a critical manufacturing plant, the new risk is from nation-state actors as well as traditional cyber criminals.

    The good news is that many organizations understand the risks and are actively engaged in mitigating those risks. The bad news is the risk mitigation process is far from complete.

    Network and content security firm Fortinet commissioned Forrester Consulting to survey the state of converging IT / OT network security. In an associated blog, Fortinet’s senior director of product marketing, Peter Newton, explains the cultural difference between IT and OT security: “IT teams have a tendency to just want to throw security technology at the network and call it good. But these networks can be very different, and what works well in one environment can have devastating consequences in the other. For example, an error that opens a port on a switch can have a very different result from one that opens a valve on a boiler.”

    https://www.fortinet.com/blog/industry-trends/fortinet-is-a-preferred-partner-for-securing-ics-scada-systems.html

    Reply
  17. Tomi Engdahl says:

    Severe DoS Flaw Discovered in Siemens SIMATIC PLCs
    https://www.securityweek.com/severe-dos-flaw-discovered-siemens-simatic-plcs

    Siemens informed customers on Tuesday that some of its SIMATIC S7-400 CPUs are affected by a high severity denial-of-service (DoS) vulnerability.

    SIMATIC S7-400 is a family of programmable logic controllers (PLCs) designed for process control in industrial environments. The product is used worldwide in the automotive, mechanical equipment manufacturing, building engineering, steel, power generation and distribution, chemical, warehousing, food, and pharmaceutical sectors.

    Siemens discovered that these devices fail to properly validate S7 communication packets, allowing a remote attacker to trigger a DoS condition that causes the system to enter DEFECT mode and remain so until it’s manually restarted.

    Reply
  18. Tomi Engdahl says:

    Critical Code Execution Flaws Patched in Advantech WebAccess
    https://www.securityweek.com/critical-code-execution-flaws-patched-advantech-webaccess

    Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address nearly a dozen vulnerabilities, including critical flaws that allow arbitrary code execution.

    Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.

    Reply
  19. Tomi Engdahl says:

    Understanding the convergence of IT and OT
    https://www.controleng.com/single-article/understanding-the-convergence-of-it-and-ot/bf2d3ec1764b8679638866145475830e.html

    Information technology (IT) and operations technology (OT) are converging to improve manufacturing operations, that can offer benefits such as improved productivity and security.

    Learning from IT/OT challenges

    IT and OT have different backgrounds, but their conjoined applicability arises from the IIoT. However, there are two key challenges for both parties: retentive control of systems and machines, and employee safety.

    Sound security solutions should be in place with features including:

    Identifying and authenticating all devices and machines: All devices within the system, be it within the plant or on the field, should be ensured. Only approved devices and systems should communicate with each other. This would lessen the risk of hacking, insertion of rogue and untrusted devices into the network, and mitigate unwarranted control of any systems or machines.
    Encryption: Encrypting all communications between IT/OT devices would ensure privacy of the data being relayed.
    Data integrity: Ensuring the integrity of the data generated from these systems is a high priority. Though smart analytics are a major driver in IIoT adoption, these are worthless if the data is inaccurate.

    Manufactured goods also contain embedded software or firmware. Enabling remote upgrades of this software and firmware would ensure their integrity.

    The future of IT/OT

    There are plenty of opportunities going forward, as more devices start to join the IIoT network. The converging IT/OT will offer out-of-the-box integration solutions for plant automation, asset management and manufacturing execution systems with IT apps such as supply chain and enterprise resource planning (ERP) apps at the enterprise level and provide analytics. If the present trends continue, it is very likely that the separation between OT and IT would fade until they become potentially one and the same.

    To ensure this, it’s vital both sides consider the other’s expertise and point-of-view and work together toward the same goals of providing optimal security and productivity.

    Reply
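The first and third features listed in the Control Engineering excerpt above (only approved devices may talk to each other, and the data they relay must be unmodified) can be demonstrated concretely. The following is an added example written by the editor of this page, not code from Control Engineering or from any vendor mentioned on the page. It assumes each approved device was provisioned with its own shared secret at commissioning time (an assumption; the article prescribes no mechanism) and uses an HMAC-SHA256 tag plus a per-device sequence number so the receiver rejects rogue devices, tampered payloads and replayed messages. The second feature, encryption, is deliberately left out: the Python standard library has no authenticated cipher, and in practice confidentiality would come from running this over TLS or DTLS rather than from hand-rolled crypto.

```python
import hashlib
import hmac
import json

# Constructed per-device secrets, assumed to have been provisioned at commissioning time.
# Anything not in this allowlist is, by definition, a rogue or unapproved device.
DEVICE_KEYS = {
    "plc-line1":    bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "sensor-tank3": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def canonical(body):
    """Stable byte encoding of the body so sender and receiver MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(device_id, key, seq, payload):
    """Device side: bind identity, sequence number and payload together under one HMAC tag."""
    body = {"dev": device_id, "seq": seq, "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: accept only authenticated, unmodified, fresh messages from approved devices."""

    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.last_seq = {}  # highest sequence number accepted per device

    def verify(self, msg):
        body = msg.get("body", {})
        dev = body.get("dev")
        key = self.device_keys.get(dev)
        if key is None:
            return False, "unknown device"              # rogue or unapproved device
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"                     # forged sender or payload modified in transit
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(dev, -1):
            return False, "replayed or out-of-order"    # old message delivered again
        self.last_seq[dev] = seq
        return True, "ok"


def run_scenario():
    """Constructed scenario: a genuine reading, a tampered copy, a replay, and a rogue device."""
    rx = Receiver(DEVICE_KEYS)
    results = []

    good = sign_message("sensor-tank3", DEVICE_KEYS["sensor-tank3"], 1, {"level_pct": 61.5})
    results.append(rx.verify(good))

    tampered = json.loads(json.dumps(good))             # deep copy, then edit the reading
    tampered["body"]["payload"]["level_pct"] = 5.0
    results.append(rx.verify(tampered))

    results.append(rx.verify(good))                     # the same valid message, delivered twice

    rogue = sign_message("plc-rogue", b"guess", 1, {"cmd": "stop"})
    results.append(rx.verify(rogue))

    return results


if __name__ == "__main__":
    for ok, reason in run_scenario():
        print("ACCEPT" if ok else "REJECT", reason)
```

The sequence number is what turns a bare integrity check into protection against replay; without it a captured valid "level 61.5%" message could be re-sent forever to mask a real change. The sequence state must persist across receiver restarts, or be replaced by a challenge-response nonce, otherwise a reboot reopens the replay window.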
  20. Tomi Engdahl says:

    Defending Industrial Control Systems with Tripwire
    https://www.tripwire.com/solutions/industrial-control-systems/defending-industrial-control-systems-with-tripwire-register/?referredby=hirschmann/

    Threats to Industrial Control Systems (ICS) are increasing—a reality that ICS-centric industries have begun to recognize. As a response to the growing need for protection from cyberattacks, the Department of Homeland Security (DHS), National Cybersecurity and Communications Integration Center (NCCIC) and the National Security Agency (NSA) have published Seven Steps to Effectively Defend Industrial Control Systems, a paper aimed at providing practical steps organizations can take to protect their infrastructure.

    Tripwire is uniquely positioned to help organizations defend their Industrial Control Systems.

    Reply
  21. Tomi Engdahl says:

    Critical Flaws Patched in Phoenix Contact Industrial Switches
    https://www.securityweek.com/critical-flaws-patched-phoenix-contact-industrial-switches

    Several vulnerabilities, including ones rated critical and high severity, have been patched in industrial ethernet switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions.

    Reply
  22. Tomi Engdahl says:

    Finding common ground for IT/OT convergence
    https://www.controleng.com/single-article/finding-common-ground-for-itot-convergence/a2a0dda75da62e752ca2cde610e0f918.html

    Finding a common understanding between information technology (IT) and operations technology (OT) means avoiding a lot of issues with overall facility operations.

    Reply
  23. Tomi Engdahl says:

    Why IIoT Security Is So Difficult
    https://semiengineering.com/why-iiot-security-is-so-difficult/

    A fragmented market and ecosystem mean it will take at least five years to get security to a meaningful level.

    Despite the high risk of a market filled with billions of at least partially unprotected devices, it is likely to take five years or more to reach a “meaningful” level of security in the Industrial IoT.

    The market, which potentially includes every connected device with an integrated circuit, is fragmented into vertical industries, specialty chips, and filled with competing OEMs, carriers, integrators, networking providers. There are so many pieces, in fact, that it is difficult to dovetail all of them into a workable number of best practices and standards specifications, according to Richard Soley, executive director of the Industrial Internet Consortium and chairman and CEO of the Object Management Group.

    One of the biggest hurdles is unifying all the various factions involved in the Industrial IoT behind a relatively small, well-defined set of definitions of what security actually is and how to get chipmakers to build it into their products consistently.

    “A lot of it’s already pretty standard, so that shouldn’t be too bad”

    The market for microcontrollers is very fragmented, which is part of the reason Arm introduced its Platform Security Architecture (PSA) program last October. The company provides open-source software and higher-level APIs to make it easier for developers to write trusted code, according to Neil Parris, director of products for Arm’s IoT Device IP business unit.

    “We’re writing documentation with suggested recipes of what needs to go into a PSA chip for various security levels,”

    “The hardware is different for every vendor,”

    Intel’s Enhanced Privacy ID and Arm’s PSA are ways to build basic security into silicon before the chips or IP are incorporated into larger chipsets. Microsoft’s Azure Sphere announcement in February addressed similar issues, but on such a narrow, platform-dependent basis.

    “The cheapest thing would be to integrate security inside the chip – design in a root of trust, key material, crypto accelerator and key essential security services, depending on what package it’s a part of, and you have something to provide a root of trust that takes up a tiny fraction of a square millimeter,”

    Bigger problems
    There are more hurdles to cross than simply getting chipmakers to make IoT devices boot securely, however.

    The most obvious problem from a customer perspective is the inability of most organizations to see or identify an average of 40% of the devices on their networks, or know what they’re doing from moment to moment, according to Lumeta, a security monitoring firm whose analysis of the IoT infrastructure of 200 organizations was an important part of Cisco’s 2018 Annual CyberSecurity Report, released in February.

    Once a device is connected to the Internet, however, the idea that a device can remain protected goes out the window and the technical staff becomes responsible for investigating potential security risks in each piece of software and at each layer of the communications stack

    CyberX also found that:

    • 60% of industrial organizations allow passwords to cross OT networks unencrypted;
    • 50% run no antivirus software;
    • 82% use remote-management protocols that are vulnerable to digital reconnaissance;
    • And three out of four reported using at least one controller running a version of Windows for which Microsoft no longer provides patches.

    Only 8.5% of industrial organizations responding to a survey said they were “very ready” to address cybersecurity

    “In a typical IT environment you can shut things down or block ports to respond to something you don’t like,” Hanna said. “In an OT environment, if you block a port you may not be able to see the pressure level inside a vessel. You often can’t do a port scan of OT systems. Many of them will crash if you scan them for vulnerabilities. And in OT, having a backup to take over if the primary fails doesn’t make sense. Attackers are now going after the safety systems, as well as destabilizing the main system. So you start out thinking you have suspenders and a belt, and they’ve cut them both so you’re not protected at all.”

    “Security has become a regular point of discussion with customers at conferences,”

    Reply
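Two points in the Semiconductor Engineering excerpt above fit together: organisations cannot see a large share of the devices on their networks, and active scanning of OT equipment is dangerous because many controllers crash when probed. The practical answer is passive inventory: build the asset list and spot the weak protocols from traffic you already observe, without sending a single packet to a controller. The following is an added example by the editor of this page, not code from the article, Lumeta, CyberX or Cisco. The flow records and the asset register are constructed for illustration, and the port-to-protocol tables are the editor's assumptions about which well-known ports to treat as cleartext-credential, remote-management and ICS services.

```python
import csv
import io

# Constructed flow records in the shape of a NetFlow or firewall export; not real traffic.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
2018-05-31T09:58:01,10.10.1.20,10.10.1.50,tcp,102
2018-05-31T09:58:04,10.10.1.20,10.10.1.51,tcp,502
2018-05-31T09:59:10,10.10.1.77,10.10.1.50,tcp,23
2018-05-31T09:59:12,10.10.1.77,10.10.1.52,tcp,5900
2018-05-31T10:01:00,10.10.1.21,10.10.1.53,tcp,3389
2018-05-31T10:02:30,10.10.1.20,10.10.1.54,udp,44818
2018-05-31T10:03:00,10.10.1.88,10.10.1.51,tcp,502
"""

# Constructed asset register: what the plant believes is on the OT segment.
KNOWN_ASSETS = {
    "10.10.1.20": "eng-ws-1",
    "10.10.1.21": "hmi-1",
    "10.10.1.50": "plc-s7-1",
    "10.10.1.51": "plc-modbus-1",
    "10.10.1.52": "hmi-panel-2",
    "10.10.1.53": "historian",
    "10.10.1.54": "enip-io",
}

# Port-to-service tables (editor's assumptions about which ports to flag).
CLEARTEXT_CREDENTIAL_SERVICES = {21: "ftp", 23: "telnet", 80: "http"}
REMOTE_MANAGEMENT_SERVICES = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
ICS_SERVICES = {102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "ethernet/ip"}


def parse_flows(text):
    """Parse CSV flow records into dicts, converting the destination port to an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def build_inventory(flows, known_assets):
    """Derive a host/service inventory and findings purely from observed flows.

    Nothing is sent to the OT devices; this is the passive alternative to a port scan.
    """
    inventory = {}
    findings = []

    def host(ip):
        return inventory.setdefault(ip, {
            "name": known_assets.get(ip, "UNKNOWN"),
            "services": set(),
            "peers": set(),
        })

    for f in flows:
        src, dst, port = f["src"], f["dst"], f["dport"]
        service = (ICS_SERVICES.get(port) or REMOTE_MANAGEMENT_SERVICES.get(port)
                   or CLEARTEXT_CREDENTIAL_SERVICES.get(port) or str(port))
        host(src)["peers"].add(dst)
        host(dst)["services"].add(service)
        if port in CLEARTEXT_CREDENTIAL_SERVICES:
            findings.append(("cleartext_credentials", src, dst, CLEARTEXT_CREDENTIAL_SERVICES[port]))
        if port in REMOTE_MANAGEMENT_SERVICES:
            findings.append(("remote_management", src, dst, REMOTE_MANAGEMENT_SERVICES[port]))
        if port in ICS_SERVICES and src not in known_assets:
            # An unregistered host speaking a control protocol to a PLC is the case to chase first.
            findings.append(("unknown_ics_client", src, dst, ICS_SERVICES[port]))

    unknown_hosts = sorted(ip for ip in inventory if ip not in known_assets)
    return inventory, unknown_hosts, findings


def analyze(text=SAMPLE_FLOWS, known_assets=KNOWN_ASSETS):
    """Run the passive inventory over the flow text and return a summary dict."""
    inventory, unknown_hosts, findings = build_inventory(parse_flows(text), known_assets)
    return {"hosts": len(inventory), "unknown_hosts": unknown_hosts,
            "inventory": inventory, "findings": findings}


if __name__ == "__main__":
    report = analyze()
    print(f"{report['hosts']} hosts seen, unknown: {report['unknown_hosts']}")
    for kind, src, dst, svc in report["findings"]:
        print(f"{kind:22} {src} -> {dst} ({svc})")
```

On the constructed sample the two hosts missing from the register (10.10.1.77 and 10.10.1.88) fall out immediately, as do the Telnet and VNC sessions and the unregistered host talking Modbus to a PLC. A real deployment feeds this from a SPAN port or flow exporter on the OT switch; the point is that the inventory and the protocol findings come from listening, never from probing.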
  24. Tomi Engdahl says:

    Hardcoded Credentials Expose Yokogawa Controllers to Attacks
    https://www.securityweek.com/hardcoded-credentials-expose-yokogawa-controllers-attacks

    Japanese electrical engineering company Yokogawa has released firmware updates for its STARDOM controllers to address a critical vulnerability that can be exploited remotely to take control of the device.

    Yokogawa’s STARDOM FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier have a hardcoded username and password that can be used by an attacker with access to the network to log in to the device and execute system commands.

    The flaw is tracked as CVE-2018-10592 and it has been rated critical by both ICS-CERT and Yokogawa itself. The issue was discovered by VDLab, an industrial cybersecurity lab set up by Chinese companies Venustech and Dongfang Electric.

    The vendor patched the vulnerability with the release of version R4.10. Customers have been advised to update the firmware on their devices and also implement overall security measures to protect their systems.

    Reply
  25. Tomi Engdahl says:

    Trends 2018: Critical infrastructure attacks on the rise
    https://www.welivesecurity.com/2018/05/30/trends-2018-critical-infrastructure-attacks/?

    Healthcare sectors, critical manufacturing, food production and transportation also said to be targets for cybercriminals

    Cyberthreats to critical infrastructure jumped into the headlines in 2017, starting with a Reuters report in January that a recent power outage in Ukraine “was a cyber-attack”. In last year’s Trends report we said that we expected infrastructure attacks to “continue to generate headlines and disrupt lives in 2017”. Sadly, we were right, and unfortunately, I have to say that the same trend is likely to continue in 2018 for reasons outlined in this update. It should be noted that critical infrastructure is more than just the power grid and includes the defense and healthcare sectors, critical manufacturing and food production, water, and transportation.

    Reply
  27. Tomi Engdahl says:

    Interconnectivity Has Put ICS Environments in Cyber Risk Crosshairs
    https://www.securityweek.com/interconnectivity-has-put-ics-environments-cyber-risk-crosshairs

    Tell any IT professional that the computer running the electrical grid has not been updated in 20 years, or that the machine that controls operations in the bottling plant was last tuned up when Y2K was still being planned, and they will look at you like you are crazy. They simply will not believe you. Why? Because information technology (IT) and operational technology (OT) approaches to operations are polar opposites. While IT is predicated on innovation and security, OT is more about letting systems run reliably, with as little change as possible. The chasm between IT and OT is wide and deep, but not for much longer.

    Reply
  28. Tomi Engdahl says:

    Triton ICS Malware Developed Using Legitimate Code
    https://www.securityweek.com/triton-ics-malware-developed-using-legitimate-code

    The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work.

    Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product.

    [Image: Triconex controller targeted by Triton ICS malware]

    FireEye’s Advanced Practices Team has conducted a detailed analysis of the threat, which it describes as a malware framework, in an effort to determine when and how it was created.

    The TriStation protocol is designed for communications between PCs (e.g. engineering workstations) and Triconex controllers. With no public documentation available, the protocol is not easy to understand, but it has been implemented by Schneider through the TriStation 1131 software suite.

    It’s unclear how the attackers obtained the hardware and software they used to test the malware.

    A Totally Tubular Treatise on TRITON and TriStation
    https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html

    Reply
  29. Tomi Engdahl says:

    Pwned with ’4 lines of code’: Researchers warn SCADA systems are still hopelessly insecure
    How Shamoon and Stuxnet et al ran riot
    https://www.theregister.co.uk/2018/06/18/physically_hacking_scada_infosec/

    Industrial control systems could be exposed not just to remote hackers, but to local attacks and physical manipulation as well.

    A presentation at last week’s BSides conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.

    The talk – Hacking SCADA: How We Attacked a Company and Lost them £1.6M with Only 4 Lines of Code – reviewed 25 years of industrial control kit, going back to the days of proprietary equipment and X21 connections before discussing proof-of-concept attacks.

    Historically everything was “air-gapped” but this has changed as the equipment has been adapted to incorporate internet functionality. This facilitates remote monitoring

    Godfrey explained that security has never been a design criterion for industrial control kit and this hasn’t changed with the advent of IoT in the domain of SCADA systems. As a result, issues such as default hard-coded credentials and lack of encryption abound.

    Worse yet, most systems are running either old or hopelessly obsolete versions of Windows. Most terminals are running Windows 7 but some run Windows 98

    “Industrial control setups certainly don’t have the maturity of enterprise environments,”

    Industrial control systems run water supply, power grid and gas distribution systems as well as factories, building management systems and more.

    Denial-of-service in industrial control environments is easy and fuzzing (trying a range of inputs to see which causes an undesigned effect) also offers a straightforward way to uncover hacks.

    INSINIA has developed a device that automatically scans networks and shuts down components. The “weaponised” Arduino micro-controller looks like a regular programmable logic controller (PLC) to other devices on the network. If it is physically planted on a targeted environment, it can quickly enumerate networks before sending stop commands. It can “kill industrial processes with only four lines of code”, according to Godfrey.

    The wider security community has recognised the risk posed to industrial control systems from malware in the wake of high-profile attacks such as the Shamoon assault on Saudi Aramco and the BlackEnergy attacks on electricity distribution facilities in Ukraine.

    The famous Stuxnet attack on Iran’s uranium-enrichment facilities

    A large number of industrial control systems are exposed to the internet, and are easily found using Shodan, the search engine for the IoT.

    Reply
