ICS Companies Are Worried About Cybersecurity, But Are They Worried About the Right Things?

http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html

The equipment was expected to be installed and left alone for a long time. Pressure to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not for security in an ICS environment. This has led to the current situation, where malware designed to compromise corporate systems can impact ICS equipment.

ICS vendors’ traditional development model didn’t accommodate regular patches and updates, so it is quite likely that companies with ICS equipment are forced to consider security tools other than vulnerability scanning and patch management.

Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months. 

“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”

77 Comments

  1. Tomi Engdahl says:

    Shared Accounts Increasingly Problematic for Critical Infrastructure: ICS-CERT
    http://www.securityweek.com/shared-accounts-increasingly-problematic-critical-infrastructure-ics-cert

    Assessments conducted last year by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that boundary protection remains the biggest problem in critical infrastructure organizations, but identification and authentication issues have become increasingly common.

    Critical infrastructure owners and operators can ask ICS-CERT to conduct onsite cybersecurity assessments of their industrial control systems (ICS) in order to help them strengthen their cybersecurity posture.

    Improper network boundary protection, which includes inadequate boundaries between enterprise and ICS networks and the inability to detect unauthorized activity on critical systems, has been the most common type of weakness since 2014.

    As for identification and authentication issues, these can include the lack of mechanisms for tracing user actions if an account gets compromised, and increased difficulty in securing accounts belonging to former employees, particularly ones with administrator access.

    Identification and authentication issues first made ICS-CERT’s top six weakness categories in 2015, when they were in fourth position. In 2016 they jumped one position, and last year they were the second most common security weakness.

    Of all the identification and authentication issues, shared and group accounts are particularly concerning.

    “[Shared and group accounts] make it difficult to identify the actual user and they allow malicious parties to use them with anonymity. Accounts used by a shared group of users typically have poor passwords that malicious actors can easily guess and that users do not change frequently or when a member of the group leaves,” ICS-CERT said in its latest Monitor report.

    https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Nov-Dec2017_S508C.pdf

    Reply
  2. Tomi Engdahl says:

    Industrial System Cyberattacks Aim for Sabotage
    https://www.designnews.com/automation-motion-control/industrial-system-cyberattacks-aim-sabotage/207848967658105?ADTRK=UBM&elq_mid=2908&elq_cid=876648

    More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.

    As cyberattacks become more prevalent and sophisticated, the nature of the attacker is changing. We’re seeing fewer lone wolves, and more organized criminals who are packaging attack kits and selling them on the dark web. Their attacks aim at either commerce or control. The IT intruders seek commercially valuable personal or financial data, while operational technology (OT) attacks seek control of plants or factories for potential sabotage.

    Sometimes OT attackers want to do damage, while other times they hide and wait. For years, we’ve heard rumors that hostile governments have placed potentially destructive cyber-bugs in US power plants, but they are reluctant to set their bugs in motion, because the US has bugs in their plants, as well.

    “The attackers’ goals for IT systems is information exfiltration, but for industrial OT systems, the attacker’s goal is typically sabotage,” Ashok Banerjee, CTO for enterprise security products at Symantec, told Design News. “Attackers typically want to have remote control of the industrial network and be able to disable a power grid or cause a collision or explosion. Typically, attackers hold this control for extended intervals, triggering it when needed.”

    The Race to Counter Cyberattacks

    Since the beginnings of the first computer viruses, there has been a race between the hackers and cyber protection. Banerjee believes the defense against attacks is finally pulling ahead in the race. “Cyberattacks and cyber defense have co-evolved. With the rise of cybersecurity, attackers with increasing sophistication have flown just below the radar of three or four different products,” said Banerjee. “2018 will be the year where multiple products will orchestrate learnings across static scans, network behavior, process behavior, IO behavior, content behavior, and IoT interactions to determine benign and malicious elements. This will be the year where multiple technologies work together to protect from the next frontiers of attacks.”

    A Changing Perimeter Is Difficult to Secure

    Securing the perimeter was much easier in the days when the perimeter simply surrounded a building or an industrial operation. Connectivity has changed the very nature of the perimeter. “The perimeter is more porous than ever before. Our greatest assets are increasingly in the cloud. That includes customer data in CRM or HR data in Workday,”

    Reply
  3. Tomi Engdahl says:

    Cyber-attackers have a new way to damage data center infrastructure
    http://www.cablinginstall.com/articles/pt/2018/01/cyber-attackers-have-a-new-way-to-damage-data-center-infrastructure.html?cmpid=enl_cim_cim_data_center_newsletter_2018-01-16&pwhid=e8db06ed14609698465f1047e5984b63cb4378bd1778b17304d68673fe5cbd2798aa8300d050a73d96d04d9ea94e73adc417b4d6e8392599eabc952675516bc0&eid=293591077&bid=1974690

    A new kind of malware, known as Triton or TRISIS, goes after industrial safety systems that provide emergency shutdown capabilities. Experts say it can also be effective in attacking data center power and cooling systems. A recent Triton attack targeted Schneider Electric’s Triconex safety system, and the malware has already had at least one victim, the security research firms reported. Like Stuxnet and Industroyer, Triton is most likely to be used by nation-state attackers against critical infrastructure.

    Attackers Have a New Way to Damage Data Center Infrastructure
    http://www.datacenterknowledge.com/security/attackers-have-new-way-damage-data-center-infrastructure

    A new kind of malware, known as Triton or TRISIS, goes after industrial safety systems that provide emergency shutdown capabilities. Experts say it can also be effective in attacking data center power and cooling systems.

    Data centers, for example, are filled with industrial control systems that manage life safety, power, cooling, and other critical environment factors, said Andrew Howard, CTO at Kudelski Security. “These systems provide a different attack vector into data centers,” he said.

    Damage caused by these kinds of attacks is different than damage from the more common cyber threats. “They typically have a greater impact on the availability of systems and data than on the confidentiality or integrity aspects,” Howard said.

    In addition, an attack on a data center’s safety system can have a larger “blast radius” than the traditional, more targeted attacks. For example, attackers might be going after just one of the companies using a particular data center. Taking out the entire facility would affect every other company that uses it.

    As global tensions rise, hostile nation states might step up these kinds of attacks.

    “We are going to see increases in these types of covert attacks designed to do damage or create disruption,” he said. “Much more investment from operators to modernize these public services will be required to protect them from attack.”

    And it’s not just data centers’ safety systems that are at risk, said Ben Miller, director of threat operations at Dragos. “Data center HVAC and building automation systems are leveraging similar types of communications and controllers and are often overlooked,” he said. “Attacking these systems, similar to how TRISIS attacked safety systems, could impact backup power or cooling that are essential to equipment operation.”

    “Access to critical systems should not be universal and should be restricted via network segmentation, a locked-down host, and multi-step authentication,”

    Reply
  4. Tomi Engdahl says:

    Assessing Cyber and Physical Risks to Manufacturers
    http://www.securityweek.com/assessing-cyber-and-physical-risks-manufacturers

    Manufacturers serve as critical building blocks of modern society. They are integral to the existence of the products we consume, the essential services we need, and the infrastructure on which we rely. Our reliance on them also means that, according to the U.S. Department of Homeland Security (DHS), “a direct attack on or disruption of certain elements of the manufacturing industry could disrupt essential functions at the national level and across multiple critical infrastructure sectors.”

    Although security incidents that occur in consumer-facing industries like retail and financial services tend to attract the most attention, those suffered by manufacturers can be far more damaging. The challenge is that the manufacturing industry tends to be particularly susceptible to various cyber and physical security risks. Here’s why:

    Antiquated Operational Technology (OT) Environments
    Increasingly Complex Supply Chains
    An Abundance of Intellectual Property

    When it comes to accurately evaluating and mitigating security risks facing manufacturers, the above characteristics should serve purely as a starting point. It’s crucial to remember that regardless of industry or function, safeguarding critical assets, proactively addressing cyber and physical threats, and assessing and mitigating risk accurately and effectively requires a comprehensive understanding of all factors contributing to an organization’s risk.

    Reply
  5. Tomi Engdahl says:

    Industrial System Cyberattacks Aim for Sabotage
    https://www.designnews.com/automation-motion-control/industrial-system-cyberattacks-aim-sabotage/207848967658105?ADTRK=UBM&elq_mid=2937&elq_cid=876648

    More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.

    Reply
  6. Tomi Engdahl says:

    Triton Malware Exploited Zero-Day in Schneider Electric Devices
    http://www.securityweek.com/triton-malware-exploited-zero-day-schneider-electric-devices

    The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.

    The malware, designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.

    Reply
  7. Tomi Engdahl says:

    Preparing for NIS – Europe’s First Dedicated Cybersecurity Law
    http://www.securityweek.com/preparing-NIS-Directive-europes-first-dedicated-cybersecurity-law

    In May of this year, an important new European law will come into force which will affect providers of networking and operational technology (OT) systems in vital sectors such as energy, healthcare and finance across the continent.

    The EU Directive on Security of Network and Information Systems (commonly known as the NIS Directive) seeks to improve the standards of security across Europe, and hold those who do not prepare for cyberattack properly, fully accountable.

    The NIS Directive has been billed as the first true piece of cybersecurity legislation passed by the EU, and will work alongside another important piece of regulation – the General Data Protection Regulation (GDPR) – to focus efforts on reducing cybercrime in Europe. Like GDPR, the NIS Directive seeks to achieve this through a system of new structures and information sharing bodies, as well as rules and enforcement capabilities.

    Reply
  8. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Schneider Electric researchers share more details about “Triton” malware, which exploited a firmware flaw in company’s Triconex Tricon industrial safety systems

    Menacing Malware Shows the Dangers of Industrial System Sabotage
    https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage

    A recent digital attack on the control systems of an industrial plant has renewed concerns about the threat hacking poses to critical infrastructure. And while security researchers offered some analysis last month of the malware used in the attack, called Triton or Trisis, newly revealed details of how it works expose just how vulnerable industrial plants—and their failsafe mechanisms—could be to manipulation.

    Unprecedented Malware Targets Industrial Safety Systems in the Middle East
    https://www.wired.com/story/triton-malware-targets-industrial-safety-systems-in-the-middle-east/

    Since Stuxnet first targeted and destroyed uranium enrichment centrifuges in Iran last decade, the cybersecurity world has waited for the next step in that digital arms race: another piece of malicious software designed specifically to enable the damage or destruction of industrial equipment. That rare type of malware has now reappeared in the Middle East. And this time, it seems to have the express intention of disabling the industrial safety systems that protect human life.

    Security firm FireEye today has revealed the existence of Triton, also known as Trisis, a family of malware built to compromise industrial control systems.

    the sophisticated malware appeared, it targets equipment that’s sold by Schneider Electric, often used in oil and gas facilities, though also sometimes in nuclear energy facilities or manufacturing plants. Specifically, the Triton malware is designed to tamper with or even disable Schneider’s Triconex products, which are known as “safety-instrumented systems,” as well as “distributed control systems,”

    Reply
  9. Tomi Engdahl says:

    Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
    https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

    Reply
  10. Tomi Engdahl says:

    Gemalto Licensing Tool Exposes ICS, Corporate Systems to Attacks
    http://www.securityweek.com/gemalto-licensing-tool-exposes-ics-corporate-systems-attacks

    A significant number of industrial and corporate systems may be exposed to remote attacks due to the existence of more than a dozen vulnerabilities in a protection and licensing product from Gemalto.

    Gemalto Sentinel LDK is a software licensing solution used by many organizations worldwide on both their enterprise and industrial control systems (ICS) networks. In addition to software components, the solution provides hardware-based protection, specifically a SafeNet Sentinel USB dongle that users connect to a PC or server when they want to activate a product.

    Researchers at Kaspersky Lab discovered that when the token is attached to a device, the necessary drivers are installed – either downloaded by Windows or provided by third-party software – and the port 1947 is added to the list of exceptions in the Windows Firewall. The port remains open even after the USB dongle has been removed, allowing remote access to a system.

    Experts discovered a total of 14 vulnerabilities in Sentinel components, including ones that allow denial-of-service (DoS) attacks, arbitrary code execution with system privileges, and capturing NTLM hashes. Since port 1947 allows access to the system, these flaws can be exploited by a remote attacker.

    In addition to installing the latest version of the Sentinel driver, Kaspersky has advised users to close port 1947 if it’s not needed for regular activities.

    The vulnerable Gemalto software is found in the products of several major companies, including ABB, General Electric, HP, Cadac Group, Siemens, and Zemax.

    Reply
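A read-only check a defender can run on a Windows HMI or engineering workstation to see whether the port 1947 firewall exception described above is present and whether anything is actually listening on it. This is an added example, not code from the article, Kaspersky or Gemalto; it assumes the NetSecurity module that ships with Windows 8 / Server 2012 and later, and local administrator rights.

```powershell
# Added example, not code from the article, Kaspersky or Gemalto: read-only audit of a Windows
# host for the Sentinel LDK port 1947 exposure. Assumes the built-in NetSecurity module
# (Windows 8 / Server 2012 or later) and local administrator rights. Changes nothing.

function Test-Port1947Exposure {
    [CmdletBinding()]
    param([int]$Port = 1947)

    # Rules whose port filter names the port. LocalPort/RemotePort may be a string or an array,
    # so wrap them in @() before -contains.
    $byPort = Get-NetFirewallPortFilter |
        Where-Object { @($_.LocalPort) -contains "$Port" -or @($_.RemotePort) -contains "$Port" } |
        Get-NetFirewallRule
    # The vendor exception may be program-based (port 'Any'), so also match on the rule name.
    $byName = Get-NetFirewallRule -DisplayName '*Sentinel*' -ErrorAction SilentlyContinue

    $rules = @($byPort) + @($byName) | Where-Object { $_ } | Sort-Object -Property Name -Unique
    $ruleReport = foreach ($r in $rules) {
        [pscustomobject]@{
            Name      = $r.DisplayName
            Enabled   = [string]$r.Enabled
            Direction = [string]$r.Direction
            Action    = [string]$r.Action
            Profile   = [string]$r.Profile
            Port      = ($r | Get-NetFirewallPortFilter).LocalPort -join ','
            Program   = ($r | Get-NetFirewallApplicationFilter).Program
        }
    }

    # Sockets bound to the port right now, with the owning process.
    $describe = {
        param($socket, $proto)
        $proc = Get-Process -Id $socket.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Protocol = $proto; Address = $socket.LocalAddress
                           Pid = $socket.OwningProcess; Process = $proc.ProcessName }
    }
    $tcp = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint   -LocalPort $Port -ErrorAction SilentlyContinue
    $listeners = @()
    foreach ($s in @($tcp)) { if ($s) { $listeners += & $describe $s 'TCP' } }
    foreach ($s in @($udp)) { if ($s) { $listeners += & $describe $s 'UDP' } }

    $openInbound = @($ruleReport | Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    # The situation the article warns about: the exception survives although no dongle is in use.
    $finding = if ($openInbound.Count -gt 0 -and $listeners.Count -eq 0) {
        'Inbound allow rule present but nothing is listening: remove it if the dongle is no longer used'
    } elseif ($openInbound.Count -gt 0) {
        'Port reachable and a service is listening: confirm the Sentinel driver is current and the port is needed'
    } else {
        'No enabled inbound allow rule for the port'
    }

    [pscustomobject]@{
        Port = $Port; InboundAllowed = ($openInbound.Count -gt 0); Listening = ($listeners.Count -gt 0)
        Finding = $finding; Rules = $ruleReport; Listeners = $listeners
    }
}

$result = Test-Port1947Exposure
$result | Format-List Port, InboundAllowed, Listening, Finding
$result.Rules     | Format-Table -AutoSize
$result.Listeners | Format-Table -AutoSize

# Remediation per Kaspersky's advice, once the port is confirmed unnecessary (left commented out):
#   $result.Rules | ForEach-Object { Disable-NetFirewallRule -DisplayName $_.Name }
```

Run it on each host that ever had a Sentinel dongle attached; an enabled inbound allow rule with no listener is exactly the leftover exception the researchers described.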
  11. Tomi Engdahl says:

    Three reasons to perform an industrial control system assessment
    https://www.controleng.com/single-article/three-reasons-to-perform-an-industrial-control-system-assessment/4b6fd670670ccceecd8abd4b4af21f92.html

    Industrial control systems (ICSs) are under attack as frequently as corporate administration systems, and users can prevent these attacks with an assessment that takes stock of what a company has, who has access, and what changes have been made.

    Industrial control systems (ICSs) are under attack as frequently as corporate administration systems. The problem, however, is that many industrial operational technology (OT) departments have lagged behind their IT counterparts in managing new threats. This is often for valid reasons, such as:

    Properly designed OT systems are often isolated to intranet systems with no access outside the plant.
    The routine security software on administrative computers often crashes industrial control systems, requiring other measures to ensure the security of the system.
    OT systems with limited access and user-defined roles may already prevent these systems from having unwanted user activity.
    Older OT systems might not have the capabilities to see the level of network and control-layer activity that is available in newer systems today and personnel may be unaware of how the new developments affect them.

    While those reasons still characterize some of the realities in today’s OT systems, other factors have changed, providing the OT departments with more options than were previously available to them. With technology developing faster than ever and more areas of the plant improving with smart devices, the plant is more capable than ever of increasing production from its ICS and, concurrently, more vulnerable to unauthorized users. If movies, headlines, and personal experiences can teach us anything, it is that bad actors will target OT systems for any motive and by all means necessary.

    Advances in OT resources and philosophies today allow for the Scooby-Doo resolution to ICS issues. When the obvious culprit is caught, do not accept the surface-level explanation. Instead, use the new tools to unmask the scapegoat and reveal the real culprit. In doing so, a company embracing the modernized ICS resources could discover the true culprits behind the following issues:

    Unexpected and unexplainable shutdowns
    Loss of production time
    Loss of raw materials
    Missed deadlines
    Poor quality resulting from unidentified changes to the process
    Safety breaches and injuries from machines being started at the wrong times.

    How to assess an ICS
    1. Know what you have
    2. Know who has access
    3. Know what’s been changed

    Every ICS solution is custom and needs to be tailored to the needs of a facility and the life cycle of the current IT and OT infrastructure. If your facility is due for an ICS assessment, seek out a trusted industry partner to explore what it will take to document what you have and plan for the risks that you will likely see.

    Reply
  12. Tomi Engdahl says:

    Sean Lyngaas / The Verge:
    How governments and the nuclear energy industry are preparing for future cybersecurity threats using hands-on exercises and training laboratories

    Hacking nuclear systems is the ultimate cyber threat. Are we prepared?
    Nightmare scenario
    https://www.theverge.com/2018/1/23/16920062/hacking-nuclear-systems-cyberattack

    The nuclear plant employees stood in rain boots in a pool of water, sizing up the damage. Mopping up the floor would be straightforward, but cleaning up the digital mess would be far from it.

    A hacker in an adjacent room had hijacked a simulated power plant, using the industrial controls against themselves to flood the cooling system.

    It took officials from three different Swedish nuclear plants, who were brought in to defend against an array of cyberattacks, a couple of hours to disconnect the industrial computer (known as a programmable logic controller) running the system and coordinate its repair.

    “It’s very important to understand the link between what’s happening in cyberspace and what’s happening in real life.”

    “Adversaries are getting smarter.”

    Reply
  13. Tomi Engdahl says:

    Risks to ICS Environments From Spectre and Meltdown Attacks
    http://www.securityweek.com/risks-ics-environments-spectre-and-meltdown-attacks

    The recently disclosed Spectre and Meltdown vulnerabilities, which affect hardware running in the majority of the world’s computing devices, have made headlines recently. The list of at-risk equipment includes workstations, servers, phones, and tablets, as well as Microsoft Windows, Linux, Android, Google ChromeOS, and Apple macOS on most Intel chips manufactured after 2010. Many AMD, ARM and other chipsets are also affected.

    Which devices are at risk?

    Whether or not a specific device is at risk depends on multiple factors, such as chipset, firmware level, etc. Needless to say, we can expect substantial research and patching in the near future.

    Many HMIs, panels, and displays utilize the affected chips. Some PLC manufacturers are still assessing the threat.

    Many systems that support industrial controllers such as automation systems, batch control systems, production control servers, printers, OPC systems, SCADA systems, peripheral devices, and IIoT devices including cameras, sensors, etc., are likely vulnerable. However, Spectre and Meltdown vulnerabilities in these systems do not necessarily mean industrial control devices are at risk.

    What is the impact to industrial control devices and systems?

    The Spectre and Meltdown vulnerabilities can be used to compromise a device, allowing an attacker to access privileged data in the system. The vulnerabilities do not grant access to the system, they only enable attackers to read data that should otherwise be restricted. In other words, an attacker still needs to break into the system to execute the attack.

    While this is a serious threat in systems with multiple users, like a cloud solution for example, it doesn’t pose a high level of risk in single-user systems.

    To use an analogy, these vulnerabilities essentially enable you to read people’s minds — as long as you’re in the same room with them.

    They’re effective in multi-tenant environments where one user’s secrets must be kept private from other users.

    Since ICS environments are not multi-tenant, these vulnerabilities do not enable access to any data not already available to anyone with system access.

    What can be done to mitigate the risk?

    First and foremost, being aware of what exists in the ICS environment is critical, since undocumented devices can’t be secured. Therefore, automated asset inventory tools are essential to understanding what equipment is at risk and requires attention.

    Next, having in-depth visibility into asset inventory is vital. Without this, you’re left with a list of industrial devices that must be manually examined to determine whether their specific hardware module is affected.

    Finally, in order to exploit these vulnerabilities, an attacker needs access to the network. This emphasizes the importance of having a network monitoring system, which can identify anyone connecting into the network, as well as communicating with or modifying key assets.

    Reply
  14. Tomi Engdahl says:

    UK Warns Critical Industries to Boost Cyber Defense or Face Hefty Fines
    http://www.securityweek.com/uk-warns-critical-industries-boost-cyber-defense-or-face-hefty-fines

    The UK government has warned that Britain’s most critical industries must boost their cybersecurity or face potentially hefty fines under the EU’s Networks and Information Systems Directive (NISD).

    The warning comes less than four months before the deadline for the NISD, adopted by the EU on July 6, 2016, to be transposed into EU member states’ national laws (May 9, 2018, which aligns with the date for GDPR enforcement).

    NISD is designed to ensure the security of network systems not already covered by the GDPR — but its primary purpose is to ensure the security of the industries that comprise the critical infrastructure (such as power and water, healthcare and transport). These companies, or covered entities, are defined within the directive as ‘operators of essential services’ (OES), and ‘digital service providers’ (DSPs).

    Since it is a Directive rather than a Regulation, the NIS Directive has some national flexibility in its implementation. For example, the UK government had earlier proposed that maximum fines under the directive should be between €10 million and €20 million or 2% to 4% of annual global turnover. It has now settled on a maximum fine of €17 million.

    The UK has made it clear that a breach of an OES will not automatically trigger a fine. This will depend on the judgment of separate industry sector regulators, or competent authorities. The primary factor will be whether the breached OES/DSP has made adequate cyber security provisions — in practice, this will probably depend upon how well the firm has implemented the ‘NIS Directive: Top-level objectives’ guidelines published by the National Cyber Security Centre (NCSC, part of GCHQ) Sunday. However, the government also states, “New regulators will be able to assess critical industries to make sure plans are as robust as possible.”

    The key part of the EU’s NIS Directive is Article 14: Security requirements and incident notification. This specifies, “Member States shall ensure that operators of essential services take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems.”

    Reply
  15. Tomi Engdahl says:

    Increasing Number of Industrial Systems Accessible From Web: Study
    http://www.securityweek.com/increasing-number-industrial-systems-accessible-web-study

    The number of industrial control systems (ICS) accessible from the Internet has increased significantly in the past year, reaching more than 175,000 components, according to a new report from Positive Technologies.

    Using the Shodan, Censys and Google search engines, researchers identified 175,632 ICS components accessible from the Web. In comparison, similar searches conducted in the previous year uncovered just over 162,000 systems.

    Of all the systems identified in 2017, more than 66,000 were accessible via HTTP, followed by the Fox building automation protocol associated with Honeywell’s Niagara framework (39,000), Ethernet/IP (25,000), BACnet (13,000), and the Lantronix discovery protocol (10,000).

    Reply
  16. Tomi Engdahl says:

    Siemens Patches Flaws in Plant Management Product
    http://www.securityweek.com/siemens-patches-flaws-plant-management-product

    Siemens has informed customers that a component of its TeleControl Basic product is affected by several vulnerabilities that can be exploited by an attacker to escalate privileges, bypass authentication, and launch denial-of-service (DoS) attacks.

    Siemens’ TeleControl Basic system allows organizations to monitor and control plant processes. The solution can also be used to optimize the operation of municipal facilities, including water treatment, traffic monitoring, and energy distribution. TeleControl Server Basic is the software used for the TeleControl Basic control center.

    Reply
  17. Tomi Engdahl says:

    The Time to Focus on Critical Infrastructure Security is Now
    http://www.securityweek.com/time-focus-critical-infrastructure-security-now

    The Software That Controls our Infrastructure is Vulnerable to Attack

    Is the world becoming desensitized to cyber attacks?

    Television has shown us examples of our own government using nonkinetic warfare, shutting down power in specific regions to demonstrate our strength and resolve. On screen, elected officials stare grimly at satellite images as large areas glowing from electric light slowly grow dark.

    This is not a new idea. I grew up with war and espionage movies that always included a “cut the power” part of the mission. That is because disruption of infrastructure is a key element of sound military strategy. Except in these movies, someone had to physically disrupt the power—someone had to be on-site. What is new is the ability to cut the power from a safe distance with the stroke of a key or the click of a mouse. No bombs, no missiles, no exotic kinetic devices.

    Reply
  18. Tomi Engdahl says:

    Three reasons to perform an industrial control system assessment
    https://www.controleng.com/single-article/three-reasons-to-perform-an-industrial-control-system-assessment/4b6fd670670ccceecd8abd4b4af21f92.html

    Industrial control systems (ICSs) are under attack as frequently as corporate administration systems, and users can prevent these attacks with an assessment that takes stock of what a company has, who has access, and what changes have been made.

    Industrial control systems (ICSs) are under attack as frequently as corporate administration systems. The problem, however, is that many industrial operational technology (OT) departments have lagged behind their IT counterparts in managing new threats. This is often for valid reasons, such as:

    Properly designed OT systems are often isolated to intranet systems with no access outside the plant.
    The routine security software on administrative computers often crashes industrial control systems, requiring other measures to ensure the security of the system.
    OT systems with limited access and user-defined roles may already prevent these systems from having unwanted user activity.
    Older OT systems might not have the capabilities to see the level of network and control-layer activity that is available in newer systems today and personnel may be unaware of how the new developments affect them.

    While those reasons still characterize some of the realities in today’s OT systems, other factors have changed, providing the OT departments with more options than were previously available to them.

    Advances in OT resources and philosophies today allow for the Scooby-Doo resolution to ICS issues. When the obvious culprit is caught, do not accept the surface-level explanation. Instead, use the new tools to unmask the scapegoat and reveal the real culprit. In doing so, a company embracing the modernized ICS resources could discover the true culprits behind the following issues:

    Unexpected and unexplainable shutdowns
    Loss of production time
    Loss of raw materials
    Missed deadlines
    Poor quality resulting from unidentified changes to the process
    Safety breaches and injuries from machines being started at the wrong times.

    Lack of accurate insight into the ICS’s users, networks, processes, and changes may account for part of the misdiagnosis. For example, a batch system that often experiences unplanned shutdowns on weekends may be attributed to old hardware or operator error. In reality, it could be a bit of bad-actor programming that causes a process shutdown at defined intervals, but no one in the plant is aware of the malicious code buried in an obscure controller by an unknown entity.

    How to assess an ICS
    1. Know what you have
    2. Know who has access
    3. Know what’s been changed

    Next steps

    Every ICS solution is custom and needs to be tailored to the needs of a facility and the life cycle of the current IT and OT infrastructure. If your facility is due for an ICS assessment, seek out a trusted industry partner to explore what it will take to document what you have and plan for the risks that you will likely see.

    Reply
  19. Tomi Engdahl says:

    Cyber incidents add to downtime costs
    https://www.controleng.com/single-article/cyber-incidents-add-to-downtime-costs/3f53671e33c35553a2cb0be3daae6493.html

    Cyber incidents can add to downtime costs in a big way if there isn’t a solid cybersecurity plan in place to mitigate the worst effects.

    When users come to grips with understanding downtime costs as they relate to cybersecurity, that could lead them to a discussion about a security return on investment (ROI).

    “Security investments are really good business,” said Doug Wylie, director at SANS Institute. “Making an investment in security is really aiding us in risk avoidance. It accelerates our ability to make sure we are addressing risk so we can respond and recover.”

    While technology is available to help deal with security issues, Wylie said security all comes down to people. “It is a people problem first. When we are making our investments, the first dollars spent should be oriented toward people to make solid decisions to address downtime and make sure we are getting a return on investment.”

    Looking at ROI and understanding the cost of downtime is an end-point of a security issue, but before end users jump into a security program, they need to start somewhere.

    Reply
  20. Tomi Engdahl says:

    Understanding the value of best practices
    The discipline required to follow standardized programming best practices can pay off in the long run.
    https://www.controleng.com/single-article/understanding-the-value-of-best-practices/721a428ff34269b05469d92b271e8633.html

    Reply
  21. Tomi Engdahl says:

    Create a secure network for shop floor devices
    http://www.controleng.com/single-article/create-a-secure-network-for-shop-floor-devices/61dd51d7462d23374f3c5fbaa2bc11c5.html

    Operations technology (OT) environments consist of many devices using different protocols and different languages. This can cause a security risk if plant operators don’t take steps to mitigate the risk and create awareness for everyone on the plant floor.

    In an increasingly connected world, it is critical for manufacturers to strengthen their defenses against cyber threats. However, securing industrial operations is a unique challenge because plant floors can’t be secured with the same approach used to secure information technology (IT) networks. Operational technology (OT) has evolved tremendously over the years, creating very complex environments. There is a dizzying variety of devices from different makes, models, and generations communicating through different protocols. Plant operators need to learn to speak these devices’ different languages in order to begin securing them.

    To begin securing a plant environment, operators need visibility into all the devices and software on the network. To gain that visibility, operators need a way of communicating with their devices. This is easy in a corporate IT environment because these devices are all IP-based and speak the same language. This is more difficult in OT environments because of the variety of devices and protocols and languages involved.

    What language a device speaks can depend on the type of device, the age of device, the manufacturer, and more. Programmable logic controllers (PLCs), for example, communicate in a range of different protocols including Ethernet/IP, Modbus, and Simple Network Management Protocol (SNMP). This gets even more complex when considering the different variations of remote terminal units (RTUs) and distributed control systems (DCSs). If operators can’t talk to all the devices on the network, it’s difficult to know what needs to be secured.

    Plant operators should start with understanding what languages their devices are speaking and learn to speak them. This involves taking an inventory of the assets that will be critical to secure, then choosing a solution that can speak natively to these devices and monitor a wide variety of systems not typically monitored, including routers, switches, gateways, and firewalls. They should also identify which of those devices are critical to operations and therefore highly sensitive.

    In this case, a “no-touch” approach is the approach for these devices. The “no-touch” approach uses integration with an intermediary device that talks to the PLCs in order to configure the devices and back up these configurations. Once integration is in place, configuration data can be obtained from the intermediary device by querying the intermediary’s database and ingesting the configuration data.

    Once network visibility is established, operators can start hardening the environment. OT security solutions should identify what’s on the network, detect changes, identify where the risks are, and mitigate them. Hardening the environment starts with looking at how the devices and software are configured. Misconfigurations, though many of them are simple to fix, continue to be the main vector for successful cyber attacks.

    Reply
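Added example (not from the article, and not any vendor's product code) that works the three assessment questions from comment 18 and the intermediary-database ingestion from comment 21 in Python: a constructed export of controller records, with assumed field names, is compared against a saved baseline to report new or missing devices, changed program fingerprints, and newly granted write access.

```python
import hashlib

# Constructed sample exports, as a "no-touch" intermediary's database might
# provide after it backs up each controller. Field names are an assumption.
BASELINE_EXPORT = [
    {"asset": "PLC-BATCH-01", "ip": "10.20.1.11", "protocol": "EtherNet/IP",
     "critical": True, "program": "BATCH_SEQ v12", "writers": ["eng_amiller"]},
    {"asset": "PLC-UTIL-02", "ip": "10.20.1.12", "protocol": "Modbus/TCP",
     "critical": False, "program": "UTIL_PUMPS v3", "writers": ["eng_amiller"]},
    {"asset": "RTU-WELL-07", "ip": "10.20.5.7", "protocol": "Modbus/TCP",
     "critical": True, "program": "WELL_CTRL v1", "writers": ["eng_amiller"]},
]
CURRENT_EXPORT = [
    # Same critical batch controller, but its logic was edited and a new login
    # was granted write access; no change ticket explains either.
    {"asset": "PLC-BATCH-01", "ip": "10.20.1.11", "protocol": "EtherNet/IP",
     "critical": True, "program": "BATCH_SEQ v12 + unreviewed rung",
     "writers": ["eng_amiller", "temp_login"]},
    {"asset": "PLC-UTIL-02", "ip": "10.20.1.12", "protocol": "Modbus/TCP",
     "critical": False, "program": "UTIL_PUMPS v3", "writers": ["eng_amiller"]},
    {"asset": "HMI-NEW-03", "ip": "10.20.1.40", "protocol": "SNMP",
     "critical": False, "program": "", "writers": []},
]

def program_digest(record):
    """Fingerprint the backed-up logic so any edit, however small, shows up."""
    return hashlib.sha256(record["program"].encode("utf-8")).hexdigest()

def assess(baseline, current):
    """Compare two exports; return (severity, asset, message) findings."""
    before = {r["asset"]: r for r in baseline}   # know what you have
    after = {r["asset"]: r for r in current}
    findings = []
    for name in sorted(after.keys() - before.keys()):
        findings.append(("medium", name, "new device not in baseline inventory"))
    for name in sorted(before.keys() - after.keys()):
        findings.append(("medium", name, "device missing from current export"))
    for name in sorted(before.keys() & after.keys()):
        b, c = before[name], after[name]
        severity = "high" if c["critical"] else "low"  # critical assets first
        if program_digest(b) != program_digest(c):    # know what's been changed
            findings.append((severity, name, "controller program changed since baseline"))
        added = sorted(set(c["writers"]) - set(b["writers"]))  # know who has access
        if added:
            findings.append((severity, name, "new write access: " + ", ".join(added)))
    return findings
```

Each finding maps back to one of the three questions, so a plant can hand the "high" items to change management before blaming old hardware or operator error for an unexplained shutdown.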
  22. Tomi Engdahl says:

    Industrial System Cyberattacks Aim for Sabotage
    https://www.designnews.com/automation-motion-control/industrial-system-cyberattacks-aim-sabotage/207848967658105

    More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.

    As cyberattacks become more prevalent and sophisticated, the nature of the attacker is changing. We’re seeing fewer lone wolves, and more organized criminals who are packaging attack kits and selling them on the dark web. Their attacks aim at either commerce or control. The IT intruders seek commercially valuable personal or financial data, while operational technology (OT) attacks seek control of plants or factories for potential sabotage.

    Reply
  23. Tomi Engdahl says:

    A Hardware Fix for the OT/IT Conflict
    This solution to the OT/IT conflict involves a hardware translator rather than network connectivity.
    https://www.designnews.com/automation-motion-control/hardware-fix-otit-conflict/164918610958126

    The clash between the Operations Technology (OT) team and the IT team at industrial facilities is not trivial. The conflict is an issue of two legitimate missions. OT is tasked with keeping the operation running at all costs, while IT is tasked with keeping the network secure no matter what. That’s all fine until the two networks are connected.

    The IT and OT folks are both hyper-diligent about the data integrity of their networks. Yet both disciplines manage security, change management, and their data types differently. Then, the expertise of one is in direct conflict with the expertise of the other. Both OT and IT share the same overall goals: to exchange data between PLCs on the OT side with the database servers on the IT side.

    When IT wants to reboot all networked computers to update patches – a critical security function – OT cries foul. OT computers can’t be shut down for updates without shutting down the process. Thus the networking clash rages as both sides struggle for a software solution.

    A Hardware Solution for a Hard Problem

    Yet what if the solution isn’t in the software? What if the plant computers aren’t connected to the network? What if the necessary data exchange from the plant to the IT databases jumps through a hardware device in the MES?

    The hardware company ElliTek proposes a hardware fix for the OT/IT dilemma. “ElliTek is a machine builder. We discovered the most significant part of exchanging data between the plant and the business side was not the technical aspect of the communication, it was the OT/IT conflict. It is an organization issue, not a technical issue,” Keary Donovan, market development manager at ElliTek, told Design News. “Everybody thinks they already have the solution to the OT/IT issue. There are all kinds of middleware and OPC [open platform communications] solutions that say they can solve the conflict, but it doesn’t solve the issue.”

    An Appliance Designed to Solve a Software Issue

    Creating a network connection between the plant and business networks doesn’t solve the underlying conflict. “Vendors think they have this solved. If you go up to the IT guy, he knows how to connect,”

    Donovan suggests that the issue can be solved by not merging the plant and business networks. “We created an appliance that can solve these two missions without interfering with the other. We isolate those two rather than combining them,” said Donovan. “We’re a translator. We talk natively to the PLC and talk natively to the database. We’re not putting a PC on the plant network and having it talk to the business databases. That would require shutting down the process for an update. You don’t have any Windows updates affecting the machines if you’ve separated them.”

    Hackers Can’t Break Through the Non-Connected Data Exchange

    Donovan suggests that firmware can share data without connecting to a non-plant PC. “You have to design a firmware that can speak those languages. Let’s take Rockwell. You don’t need Rockwell control PLC logic on your computer to read the Rockwell PLC,” he said. “We read the PLC and map it to wherever you want to map it to. But we’re not running the Rockwell PLC on the PC. We’re using a telecommunications point-to-point. It’s simple, but not easy. We made a hardware device for the software solution everyone is looking for.”

    Reply
  24. Tomi Engdahl says:

    Industrial System Cyberattacks Aim for Sabotage
    https://www.designnews.com/automation-motion-control/industrial-system-cyberattacks-aim-sabotage/207848967658105

    More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.

    Sometimes OT attackers want to do damage, while other times they hide and wait. For years, we’ve heard rumors that hostile governments have placed potentially destructive cyber-bugs in US power plants, but they are reluctant to set their bugs in motion, because the US has bugs in their plants, as well.

    Reply
  25. Tomi Engdahl says:

    Web Server Used in 100 ICS Products Affected by Critical Flaw
    https://www.securityweek.com/web-server-used-100-ics-products-affected-critical-flaw

    A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.

    The flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

    According to the CODESYS website, the WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.

    Zhu WenZhe of Istury IOT discovered that the CODESYS web server is affected by a stack-based buffer overflow vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition and possibly even execute arbitrary code on the web server.

    “A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server,” 3S-Smart Software Solutions explained in an advisory.

    https://customers.codesys.com/fileadmin/data/customers/security/2018/Advisory2018-01_LCDS-282.pdf

    Reply
