http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html
The equipment was expected to be installed and left alone for a long time. Pressures to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not security in an ICS environment. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment.
ICS vendors’ traditional development model didn’t accommodate regular patches and updates so it is quite likely that companies with ICS equipment are forced to consider other security tools than vulnerability scanning and patch management.
Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”
266 Comments
Tomi Engdahl says:
Reuters:
US blames North Korean gov’t for cyber attacks since ’09 across media, aerospace, financial sectors and key infrastructure, mainly hitting old Microsoft systems
U.S. blames North Korea for hacking spree, says more attacks likely
http://www.reuters.com/article/us-northkorea-cyber-usa-idUSKBN1942MK
The U.S. government on Tuesday issued a rare alert squarely blaming the North Korean government for a raft of cyber attacks stretching back to 2009 and warning that more were likely.
The joint warning from the U.S. Department of Homeland Security and the Federal Bureau of Investigation said that “cyber actors of the North Korean government,” referred to in the report as “Hidden Cobra,” had targeted the media, aerospace and financial sectors, as well as critical infrastructure, in the United States and globally.
Tomi Engdahl says:
Putting Smart Tech on Old Machines
Manufacturers are deploying advanced-technology solutions on older factory equipment – but at what cost?
https://www.designnews.com/automation-motion-control/putting-smart-tech-on-old-machines/62576852556902?cid=nl.x.dn14.edt.aud.dn.20170614.tst004t
Most manufacturing equipment is designed and deployed to last at least a couple decades. In that timeframe, tons of important new technology is introduced. Many manufacturers seek ways to derive the benefits of advanced-manufacturing technology without having to replace existing equipment that remains in fine working order. Yet many of the existing machines were simply not designed to support new technology.
One current example is connectivity. The Internet of Things (IoT) offers a wide range of benefits, but tying it to older machines is not easy.
“It is difficult to deploy IoT solutions alongside legacy equipment. The reason is that legacy systems were designed with particular requirements in mind, such as minimal data transferred at relatively long update rates,”
Sticking new technology on legacy equipment can lead to problems when the older equipment isn’t structured to support data-driven tools. “Often, end-users try to bolt on these new solutions and they create a complex problem from a maintenance point of view,” said Mustard. “If the organization becomes dependent on the new IoT and big data solution – if they run their business based on the output of this equipment – they can find themselves unable to function if the complicated and unreliable infrastructure does not deliver.”
Cybersecurity is another critical consideration when connecting older equipment to the outside world. Much of this equipment was conceived to live in an air-gapped world. “Legacy equipment was not designed with security in mind. It was designed to be used in relatively secure facilities with everything self-contained,” said Mustard. “IoT solutions are all about enabling businesses to get real-time data from manufacturing systems in order to manage the business, communicate with suppliers and customers, and with machinery manufactures who are maintaining the production line.”
Tomi Engdahl says:
Industry Reactions to ‘CrashOverride’ Malware: Feedback Friday
http://www.securityweek.com/industry-reactions-crashoverride-malware-feedback-friday
ESET and Dragos this week published reports detailing a sophisticated piece of malware believed to have been used in the December 2016 attack aimed at Ukraine’s power grid.
Dubbed Industroyer and CrashOverride, this modular malware has several components: a backdoor, a launcher, a data wiper, DoS and port scanner tools, and at least four payloads.
The payloads allow the malware’s operators to control electric circuit breakers via industrial communication protocols, which suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.
Researchers described some theoretical attack scenarios involving this malware and warned that the threat could be adapted for attacks on other countries, including the U.S., and other sectors.
http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack
Tomi Engdahl says:
Which Malware are Specifically Designed to Target ISC Systems?
http://resources.infosecinstitute.com/malware-specifically-designed-target-isc-systems/
After the discovery of the Stuxnet malware, cyber-security firms industry started looking at ICS malware with increasing interest. This specific family of malware can target industrial control system causing serious damages and put in danger human lives.
Ben Miller, Director of the Dragos Threat Operations Center, conducted an interesting research, named MIMICS, based on completely public datasets related to incidents involving ICS over the last 13+ years.
Tomi Engdahl says:
Industroyer: Biggest threat to industrial control systems since Stuxnet
https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
The 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack. ESET researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.
Whether the same malware was really involved in what cybersecurity experts consider to have been a large-scale test is yet to be confirmed. Regardless, the malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.
Figure 1: Scheme of Industroyer operation
Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).
The recent power outage occurred on December 17th, 2016, almost exactly one year after the well-documented cyberattack that caused a blackout that affected around 250,000 households in several regions in Ukraine on December 23rd, 2015.
In 2015, the perpetrators infiltrated the electricity distribution networks with the BlackEnergy malware, along with KillDisk and other malicious components, and then abused legitimate remote access software to control operators’ workstations and to cut off power. Aside from targeting the Ukrainian power grid, there are no apparent similarities in code between BlackEnergy and Industroyer.
What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.
Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).
Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.
Tomi Engdahl says:
ICS Security Pros Increasingly Concerned About Ransomware: Survey
http://www.securityweek.com/ics-security-pros-increasingly-concerned-about-ransomware-survey
Many security practitioners in the field of industrial control systems (ICS) believe the level of risk is high, and they are increasingly concerned about ransomware and embedded controllers, according to the SANS Institute’s fourth annual ICS cyber security survey.
ICS security experts from organizations of all sizes told SANS that they believe the top threat vectors are devices that cannot protect themselves, such as embedded controllers (44%), internal threats, including accidents (43%), external threats, such as nation-state actors and hacktivists (40%), and ransomware and other extortion attempts (35%).
Ransomware has made a lot of headlines in the past year and industrial systems are at risk, as demonstrated by both theoretical attack scenarios and in-the-wild threats such as the WannaCry malware. As a result, the number of ICS security experts concerned about ransomware has nearly doubled compared to data from the previous SANS survey.
“Although ransomware primarily infects commercial OS-based systems (e.g., Windows, Linux), the integration of these into ICS environments and the dependence of ICS on devices running these operating systems has extended ransomware’s effectiveness and reach,” SANS said in its report. “Publicly known operational impacts remain few to date but, we expect more to follow, especially given public demonstrations of ransomware targeting ICS/SCADA.”
Tomi Engdahl says:
Inadequate Boundary Protections Common in Critical Infrastructure: ICS-CERT
http://www.securityweek.com/inadequate-boundary-protections-common-critical-infrastructure-ics-cert
The assessments conducted by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 2016 showed that inadequate boundary protection has remained the most prevalent weakness in critical infrastructure organizations.
ICS-CERT conducted 130 assessments in the fiscal year 2016, which is more than in any previous year. Monitor newsletters published by ICS-CERT this year show that it has already conducted 74 assessments in the first half of 2017.
Assessments are offered to both government organizations and private sector companies whose owners and operators request them. Last year, the CERT conducted assessments in 12 of the 16 critical infrastructure sectors, including chemical, commercial facilities, communications, critical manufacturing, emergency services, dams, energy, food and agriculture, IT, government facilities, transportation, and water and wastewater systems.
Similar to the previous two years, inadequate boundary protection remained the most common flaw – 94 discoveries representing more than 13 percent of all weaknesses identified during assessments.
The second most prevalent type of vulnerability, with 42 discoveries, is “least functionality.” This refers to organizations failing to implement controls to ensure that unnecessary services, ports, protocols or applications that can be exploited to gain access to ICS are disabled.
https://ics-cert.us-cert.gov/monitors
Tomi Engdahl says:
Dell Launches Endpoint Security Product for Air-Gapped Systems
http://www.securityweek.com/dell-launches-endpoint-security-product-air-gapped-systems
Dell announced on Thursday the availability of a new version of its Endpoint Security Suite Enterprise product designed specifically for air-gapped systems.
The solution is designed to protect isolated computers from malware, insiders and other threats using artificial intelligence and predictive mathematical models provided by endpoint security firm Cylance.
Researchers demonstrated in the past years that malware can leverage several methods to exfiltrate sensitive data from air-gapped systems, including through noise, LEDs, heat and radio frequencies.
Since isolated systems are not connected to the Internet, the security products installed on them cannot automatically receive regular malware definitions and other updates. By teaming up with Cylance, whose mathematical models only require a few updates per year, Dell has developed a solution that can protect a device without requiring an Internet connection.
The air gap version of Dell Endpoint Security Suite Enterprise is available now in the United States and other select countries around the world.
Tomi Engdahl says:
Air Gap or Not, Why ICS/SCADA Networks Are at Risk
http://www.securityweek.com/air-gap-or-not-why-icsscada-networks-are-risk
The commonly held belief that ICS/SCADA systems are immune to cyber attacks because they are disconnected from the Internet and the corporate network by an “Air Gap” is no longer true or feasible in an interconnected world. While many organizations will readily admit that the traditional air gap is disappearing, some still believe this is a viable security measure.
In theory, an air gap sounds like a good strategy. In practice, things are never that simple. Even in cases where an organization has taken every measure possible to isolate their ICS network and disconnect it from the outside world, we have seen cyber threats compromise the perimeter. Meanwhile, even if it were possible to completely air gap an ICS network, insiders still pose a threat.
Whether an organization implements an air gap or not, here are several reasons why ICS networks are at risk.
The Need to Exchange Files
Compromised Personal Devices
Vulnerabilities and Human Error
The Insider Threat
Connected Technologies and IIoT
Tomi Engdahl says:
Hundreds of Java Flaws Patched by Schneider in Trio TView Software
http://www.securityweek.com/hundreds-java-flaws-patched-schneider-trio-tview-software
Energy management and automation solutions giant Schneider Electric was informed by a researcher that its Trio TView software uses a version of Java that was released in 2011 and is affected by hundreds of vulnerabilities.
Researcher Karn Ganeshen informed Schneider that the version of Java Runtime Environment (JRE) used in Trio TView, a management and diagnostics software for industrial radio systems, is outdated and contains numerous vulnerabilities.
Tomi Engdahl says:
New CyberX Technology Predicts ICS Attack Vectors
http://www.securityweek.com/new-cyberx-technology-predicts-ics-attack-vectors
Industrial cybersecurity and threat intelligence firm CyberX announced on Thursday the availability of a new simulation technology that allows organizations to predict breach and attack vectors on their networks.
The new industrial control systems (ICS) security service, named ICS Attack Vector Prediction, leverages proprietary analytics to continuously predict possible attack avenues and help organizations prevent breaches.
The solution provides a visual representation of all possible attack chains targeting critical assets in the operational technology (OT) network. Scenarios are ranked based on the level of risk to help security teams prioritize mitigation.
Tomi Engdahl says:
How Hackers Can Use ‘Evil Bubbles’ to Destroy Industrial Pumps
https://www.wired.com/story/evil-bubbles-industrial-pump-hack
Since the NSA’s infamous Stuxnet malware started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of Die Hard sequels and into reality. As those attacks evolve, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. Judging by one proof-of-concept demonstration, they could come in far more insidious forms than defenders expect.
In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems—physical systems that can be manipulated by digital means—might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.
“Bubbles can be evil,” she said. “These bubbles are my attack payload. And I deliver them through the physics of the process.”
Importantly, Krotofil’s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transfering their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.
That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil’s attack doesn’t merely warn about the specific the danger of hacker-induced bubbles. Instead, it’s meant as a more general harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven’t directly breached.
“She can use a less critical piece to control that critical piece of the system,” says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. “If you look at just the data flows, you’re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.”
Tomi Engdahl says:
Fuzzing Tests Show ICS Protocols Least Mature
http://www.securityweek.com/fuzzing-tests-show-ics-protocols-least-mature
Fuzzing tests conducted last year by customers of Synopsys, a company that provides tools and services for designing chips and electronic systems, revealed that protocols used in industrial control systems (ICS) are the least mature.
Fuzzing is a testing technique designed for finding software vulnerabilities by sending malformed input to the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw and further investigation is warranted. If the number of crashes is high and the time to first failure (TTFF) is short, the likelihood of exploitable vulnerabilities increases.
Synopsys’ State of Fuzzing 2017 report is based on 4.8 billion results obtained in 2016 from tests targeting 250 protocols used in industrial, Internet of Things (IoT), automotive, financial services, government, healthcare and other sectors.
In the case of ICS, Synopsys customers tested protocols such as IEC-61850 MMS, IEC-104 Server, Modbus PLC, OPC UA, DNP3 and MQTT. There are also some protocols used for both ICS and IoT, including CIP and CoAP Server.
Many of these protocols had the TTFF within five minutes. Modbus, for instance, had 37 failures after 1.5 million tests and an average test runtime of 16 minutes. The OPC UA protocol had over 16,000 failures with a testing runtime of 4.5 hours.
In comparison, the Address Resolution Protocol (ARP), which is used to convert an IP address into a physical address and is the most mature protocol, had zero failures after over 340,000 tests with an average runtime of 30 hours.
Four of the five least mature protocols, based on average TTFF, are ICS protocols, including IEC-61850 MMS, Modbus PLC, DNP3 and MQTT.
“The protocols typically associated with ICS showed the most immaturity,”
“Many demonstrated rapid time to first failures, with IEC-61850 MMS measured in a matter of seconds. This has bearing on IoT, as many of the protocols used in ICS are also used in IoT. Clearly, more testing is needed for the protocols within ICS and IoT, as the potential for discovering more vulnerabilities is greater in these industry verticals than in others.”
State of Fuzzing 2017
https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/state-of-fuzzing-2017.pdf
Fuzzing is a proven technology used to find vulnerabilities in software by sending malformed input to a
target and observing the result. If the target behaves unexpectedly or crashes, then further investigation
is required. That investigation may expose a vulnerability that may be exploited for malicious purposes.
Fuzzing is equally valuable to those who develop software and those who consume it. It plays a role in
the implementation, verification, and release phases of the software development life cycle (SDLC) and
can be a vital indicator of undetected vulnerabilities (zero days) that may affect the integrity of systems
already in use. The real goal of fuzzing is not merely to crash a program but to hijack it
Tomi Engdahl says:
Overcoming the Lost Decade of Information Security in ICS Networks
http://www.securityweek.com/overcoming-lost-decade-information-security-ics-networks
If you thought things were bad in the world of IT network security over the past decade, I have an incredibly bleak thesis to present to you.
Despite the collective failures in that space – leading to billions in stolen intellectual property, massive intelligence gains like OPM, hundreds of millions of stolen identities, etc. – there were clearly major advances in terms of security controls. Countless innovations – tons of investment in terms of people and money, the birth and evolution of an industry/subindustries, a proven ability to respond to (although not foresee) emerging threats – depict a tremendous number of positives hidden behind the losses. That focus is why we currently have a market of approximately 2,000 security solutions (the value of which is a topic for another discussion).
In the world of critical infrastructure/industrial control systems (ICS) security (aka operational technology), despite nearly two decades of discussion around nightmarish cyberattack scenarios and outcomes, the past 10 years can arguably be labeled “The Lost Decade of Information Security.”
I would argue that we are no better off today in terms of cybersecurity readiness than we were 10 years ago. This belief keeps me up at night and wakes me before the sun many mornings as the threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.
What is encouraging is that in the past two years – and notably the past few months – we have seen an accelerated pace of awareness and prioritization being given to ICS security.
Where We Went Wrong
• Failing to “bridge the gap” between IT and ICS (Engineering) staff – These teams approach the world with completely different viewpoints, backgrounds and missions. ICS staff have safety and uptime as the core thought in every decision they make – and they have zero tolerance for the introduction of security controls which jeopardize either. Even a concept as basic as patching is problematic as it brings downtime to production. These teams have made strides in terms of working with one another; but a lack of solutions built specifically for ICS, that don’t jeopardize uptime and safety and offer a demonstrable value to both teams has resulted in a closed-door policy in most cases. “I own the shop floor. I need to keep production moving. I need to make sure nothing fails that could cause safety concerns for our teams or the public. “NO – you are NOT putting that in my network.”
• Falling victim to the notion that prescriptive commands/standards could and would be implemented – Kudos for giving ICS security focus.
• Trying to force the “square pegs” of IT security into the “round holes” of ICS networks – IT security tools were not designed for fragile ICS networks. Approaches like active scanning, active querying and other “standard IT tools” have crashed PLCs, interrupted uptime and caused significant problems when implemented.
• Delaying investment because “these attacks are theoretical – they aren’t happening” – Logically, cybersecurity budgets over the past decade were dedicated to the areas where the bleeding was occurring. Have no idea who’s inside your network? Full packet capture and forensics tools. Dealing with a million point solutions? SIEMs and orchestration tools. Suffering under the scourge of spear-phishing? Advanced endpoint solutions, etc. Makes sense and you can’t really fault people for investing this way.
• Believing that the concept of “air-gapped” networks were ever a reality/would stand up against business and efficiency demands – “We’ll design the network so it can’t be accessed from the outside/so there is no interconnectivity with the IT network.” Sounded good for a time, but business demands have eradicated the notion of an “air-gapped” ICS network. Maintenance requirements, connectivity to the supply chain, remote analytics, managing “top floor to shop floor” KPIs, the desire to drive predictive analytics – these needs have seen “air gapping” go the way of the dinosaur. As a result, air gaps now have one thing in common with unicorns – they don’t exist.
• Difficult to implement, hard to consume, cumbersome to maintain previous-generation ICS specific solutions – There have been a number of promising ICS specific cybersecurity solutions that have emerged and failed to gain mainstream traction over the years. Difficulty in implementation (let’s put this firewall in front of every PLC), difficulty in consumption (massive installation projects, significant upfront time to configure) and unwieldy/unrealistic maintenance requirements saw these promises fail. They simply didn’t understand the unique needs of the ICS consumer.
So, practically, what actions can we take – right now – to vault the state of ICS security forward?
First, we need to stop “studying” the problem.
We need immediate focus and investment from government, board rooms, CIOs/CISOs, ICS owner/operators, security vendors and ICS equipment manufacturers on the problems confronting us.
We need a reference architecture which delivers the “biggest bang for the buck” and the most rapid increase in security readiness. An easily and rapidly (i.e., months not years) implementable framework which focuses on risk assessment, real-time monitoring, high-risk vulnerability management, threat intelligence, advanced endpoint protection and rapid response.
Tomi Engdahl says:
Cyberweapons are now in play: From US sabotage of a North Korean missile test to hacked emergency sirens in Dallas
http://www.techrepublic.com/article/cyberweapons-are-now-in-play-from-us-sabotage-of-a-north-korean-missile-test-to-hacked-emergency/
Cyberwarfare has begun. Unlike nuclear weapons, cyberweapons can be proliferated more quickly and the threat from accidentally setting them off is even greater.
On April 7, 2017, a radio frequency trigger hack caused 156 emergency sirens in Dallas, a city of 1.2 million people, to wail concurrently for 81 minutes. The incident serves as a clarion call to organizations everywhere that cyberweapons could be used against your infrastructure in order to make a statement.
“Technically, each siren went off for 90 seconds, 15 times. There was a lot of confusion,” said Dallas public information officer Richard Hill, because there were no storms in the region. “We had close to 4,000 calls to 911. The system was nearly overwhelmed.”
As a show-of-force in December 2015, cyberattacks by Russian-linked hackers took down a large portion of the Ukraine power grid. “The initial breach of the Ukraine power grid was—as so often in cyberattacks—down to the human factor,” wrote ZDNet’s Charles McLellan. “Spearphishing and social engineering were used to gain entry to the network. Once inside, the attackers exploited the fact that operational systems—the ones that controlled the power grid—were connected to regular IT systems.”
Dallas’ outdoor warning system, like most municipalities in the United States, is radio controlled and triggered when a storm is imminent by a signal sent from the National Weather Service. For security reasons, the city of Dallas would not discuss the details of how the system was compromised. But the city’s senior public information officer, Monica Cordova, said, “we believe [the attack] came from the Dallas area.”
It could take the city’s leaders months to reveal what many security experts already know: Cyberattacks against outdated critical infrastructure are as easy to execute as the stakes are high. And the arsenal of cyberweapons—malware that is designed to inflict disruption, damage, and destruction—is growing rapidly.
“As technology is increasingly integrated into the manner in which our society operates,” said Chris Pogue, CISO of cybersecurity firm Nuix, “the potential of cyberattacks that have a kinetic impact also increases.”
“Code proliferates very quickly and is easy to build or steal. Anyone with a laptop, some coding skills, and a few free hours can create a ‘cyberweapon.’”
Sergio Caltagirone, director of threat intelligence and analytics at Dragos
Pogue can rattle off a long list of attacks against critical infrastructure that portend a future where companies, government agencies, and consumers are all victims of cyberweapons.
When everything becomes a cyberweapon
One week after the Dallas incident—at 11:21 am UTC, 10,895 kilometers away—a North Korean ballistic missile fired and exploded moments after launch. The April 2017 test was the latest in a series of recent North Korean missile misfires.
Reporting by CBS News and The New York Times indicates that American-made cyberweapons may have been responsible for the floundering rockets. “Presuming the missile batteries run on a computer-based launch control system, which they do,” Pogue speculated, “an attacker could do anything the system allows: change fuel mixtures, time on launchpad after engine fire but before launch, destination of target, trajectory, and payload arming and disarming.”
“The public, companies, or governments should be less concerned about these weapons and more concerned with everything else that’s out there, including malware, hackers, and the government.”
Jack Rice, former CIA case officer
Tomi Engdahl says:
Underwriters Laboratories Releases Cybersecurity Standards for Industrial Control
https://www.designnews.com/automation-motion-control/underwriters-laboratories-releases-cybersecurity-standards-industrial-control/132202681657313?cid=nl.x.dn14.edt.aud.dn.20170822.tst004t
UL have developed cybersecurity standards in association with the Department of Homeland Security and the Defense Advanced Research Projects Agency.
As more than most software applications available today are comprised of open-source components, organizations must be especially vigilant to implement rigorous software supply chain management systems and procedures to mitigate the potential risk from third-party applications. Thus, Underwriters Laboratories (UL) has developed a set of cybersecurity standards – UL 2900-2-2 – specifically designed for industrial control systems (ICS).
The standards were developed to offer testable cybersecurity criteria for third-party software and to validate the security claims of software vendors.
In addition, UL has ongoing research partnerships with the Department of Homeland Security ( DHS ICS-CERT) and the Defense Advanced Research Projects Agency ( DARPA ICS ) to help mitigate industrial IoT cyber risks.
Cybersecurity is always a moving target. UL built this into the standards, so they will be updated as changes in the security environment change. “We’re in a continuous feedback mode for continuous improvement. There is no silver bullet or magic way to solve the problem,” said Modeste.
UL created standards that are designed to adapt to developments in the security environment, a function that is consistent with updates that software vendors provide. “The standards are continually updated. Vendors are producing products, but those products are not static. They make revisions and updates,” said Modeste. “The vendor adapts, so they roll out any new changes. We take that into consideration. We look at how to ensure your vendor is doing the due diligence.”
Ongoing UL Cybersecurity Standards
UL began publishing standards for the ICS providers last year. “We published a series of standards in 2016. We published more this past summer. We started three years ago as we worked is an advisory the Obama Administration,” said Modeste. “We met with several agencies with the government, DHS being the biggest one. We partnered with various agencies, including DARPA. We also include several consultants and utilities.”
The standards come out of UL’s Cybersecurity Assurance Program) UL CAP, which offers third party support to allow users to evaluate both the security of network-connectable products and systems, as well as the vendor processes for developing and maintaining products and systems for security.
“The standards are focused on the manufacturing community, to help them build good design into their products,”
Tomi Engdahl says:
Researchers Demo Remote Hacking of Industrial Cobots
http://www.securityweek.com/researchers-demo-remote-hacking-industrial-cobots
Researchers at security firm IOActive have shown how a remote attacker can hack an industrial collaborative robot, or cobot, and modify its safety settings, which could result in physical harm to nearby human operators.
A few months ago, IOActive published a brief report providing a high-level description of its research into robot cybersecurity. Researchers analyzed industrial and business robots from six vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp.
A brief analysis of mobile applications, software and firmware led to the discovery of nearly 50 vulnerabilities, including weaknesses related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.
Tomi Engdahl says:
Assessing Cyber and Physical Risks to Oil & Gas Sector
http://www.securityweek.com/assessing-cyber-and-physical-risks-oil-gas-sector
This classification applies to 16 different sectors, some of which face greater risks and challenges than others when it comes to security. Oil and natural gas (ONG) is one such sector. Here’s why:
Unsecure technologies are prevalent
Overall, many ONG companies’ IT & OT infrastructures mimic an ongoing trend we’ve seen across all sectors: the widespread presence of security vulnerabilities stemming from the rapid (and often premature) adoption of digital technologies and IoT devices. Similar to how the healthcare sector’s rushed implementation of electronic medical record systems ultimately fueled an uptick in healthcare data breaches, the ONG sector’s continual adoption of increasingly-interconnected industrial control systems (ICS) is expanding the surface area upon which potential vulnerabilities could occur, threats manifest, and attacks transpire.
Even worse, many ONG companies continue to rely on outdated, insecure operating systems and even hardware. A recent Ponemon Institute study on “The State of Cybersecurity in the Oil & Gas Industry” revealed that these issues may be exacerbating the fact that ONG already lags behind many other sectors when it comes to cybersecurity capabilities, readiness, and awareness. Consequently, over 70% of ONG companies have been breached in the last year.
Threat actors are more complex
While most security and intelligence teams are well-versed in protecting their organizations from the fraudsters and cybercriminals responsible for the majority of threats emanating from the Deep & Dark Web, combatting the myriad of malicious cyber and physical actors targeting the ONG sector can create substantial challenges for which many teams may be neither prepared nor able to address.
State-sponsored actors are one such example. Often driven by political, ideological, and/or adversarial gain, these actors have historically targeted ONG industrial control systems, launched cyberattacks aimed at disrupting the operational continuity of regional ONG entities, and attempted to access and exploit confidential ONG information to support foreign military initiatives.
Damages can be severe
Perhaps the most obvious reason for the ONG sector’s increased cyber and physical risks stems from its omnipresent and truly vital role in modern society. Given that oil and natural gas account for the majority of the world’s energy consumption, power international trade, and remain integral determinants of the global economy, any threat that could compromise these resources and/or the systems on which they rely has the potential to yield catastrophic damages.
So what exactly could these damages look like? Past cyberattacks in the ONG sector provide some insight. Following the 2012 attack on Saudi Aramco’s cyber infrastructure, for example, nearly 75 percent of the company’s data was lost and operations – as well as a global oil supply chain – were disrupted for months and yielded lasting economic consequences.
Clearly when it comes to safeguarding critical infrastructure entities, the stakes are high – especially for ONG companies.
Tomi Engdahl says:
Saturday, August 26, 2017
The Cassandra Coefficient and ICS Cyper – Some Thoughts
http://blog.iec61850.com/2017/08/the-cassandra-coefficient-and-ics-cyper.html
Do you have a idea what “The Cassandra Coefficient” is all about and how it relates to ICS cyber security? Joe Weiss discusses the issues in a recent publication:
Cassandra coefficient and ICS cyber – is this why the system is broken
Brief extract from the publication:
Joe Weiss writes: ” … What I have found is that each time another IT cyber event occurs more attention goes to the IT at the expense of ICS cyber security. The other common theme is “wait until something big happens or something happens to me, then we can take action”. Because there are minimal ICS cyber forensics and appropriate training at the control system layer (not just the network), there are very few publicly documented ICS cyber cases. However, I have been able to document more than 950 actual cases resulting in more than 1,000 deaths and more than $50 Billion in direct damages. I was recently at a major end-user where I was to give a seminar. The evening before I had dinner with their OT cyber security expert who mentioned he had been involved in an actual malicious ICS cyber security event that affected their facilities. For various reasons the event was not documented.
Cassandra coefficient and ICS cyber – is this why the system is broken
https://www.controlglobal.com/blogs/unfettered/cassandra-coefficient-and-ics-cyber-is-this-why-the-system-is-broken/
-Response availability – Is this a problem that could have been mitigated with some response?
(Dale’s Rating: High)The answer to this question is clearly yes, although you will find significant disagreement among credible experts on the best way to prevent or mitigate a catastrophe caused by an ICS cyber incident.
– Initial Occurrence Syndrome – It has never happened before
(Dale’s Rating: Medium) We have seen Stuxnet, Ukrainian Power Grids, German Steel Mills, Merck, and many others who have been impacted by ICS cyber incidents. The IOT botnet Mirai caused an economic impact. Definitions of a catastrophe vary, but compared to what is possible we have not seen a catastrophe caused by an ICS cyber incident. Many companies and organizations remained unconvinced that it can happen to them, but the larger organizations are no longer in denial that it could happen. They may still rely on the fact that it never happened before as an excuse to reduce the action and amount spent as Richard Clarke discussed in his S4x17 Keynote.
- Erroneous Consensus – Experts Mistakenly Agree Risk is Low
(Dale’s Rating: Low)It’s hard to say there is a consensus in the ICS security space about the likelihood and shape of a cyber incident caused catastrophe. There are scenarios, but those scenarios are highly debated. The US Electric Grid is a good example of widely varying views by experts on the likelihood of widespread and sustained outages.If I had to judge, there is more of a consensus that a catastrophe will happen, with a wide range of estimates on the where, what and when. There is not a consensus that the risk is low.
Magnitude Overload – The sheer size of the problem overwhelms
(Dale’s Rating: Ultra High) There are multiple sectors in the ICS world that could cause a catastrophe in terms of loss of life, economic impact to companies, sectors and regions, and environmental damage. While there are commonalities, when you look at stopping potential high consequence incidents, the actions required are very sector specific and more likely even sub-sector specific.
Outlandishness – Does it appear to be science fiction
(Dale’s Rating: Medium) It does not rate high because similar cyber incidents that have not resulted in catastrophes have happened, and talk to a forthcoming engineer and you will sometimes hear how they could cause a catastrophe. It does not rate low because a number of the scenarios presented at conferences are dreamed up by hackers / researchers lacking in the knowledge of the engineering, automation and safety systems. There are many outlandish scenarios.
- Invisible Obvious – Not seen because it is too obvious
(Dale’s Rating: Low) We seem to be past the surprise that control and configuration of a physical process allows you to control and alter the physical process.
Tomi Engdahl says:
Is Winter Coming in Industrial Control Systems Cybersecurity?
http://www.securityweek.com/winter-coming-industrial-control-systems-cybersecurity
In 2005, the breach of Card Systems (a major payment card processor), which exposed 40+ million credit cards, was labeled “The Biggest Hack of All Time” – the breach made worldwide news and the cover of Newsweek with a multipage article highlighting the dangerous new reality of cyberthreats. Fast forward to just last week with the announcement of the Equifax breach impacting 143 million individuals’ personally identifiable information, credit histories and card details and it should be apparent that nothing has gotten better in the world of IT security in the past 12 years. To the contrary, our ability to counter and combat threats has been nothing short of a failure.
Why reference these IT network breaches if my focus is on the industrial control systems (ICS) or operational technology (OT) networks that power critical infrastructure and run our global economy? I point to them as stark reminders to anyone thinking that the security of these networks is either “on par” (a horrible standard at best) or better than those of their IT counterparts. This could not be further from the truth. IT networks have been where “the bloodshed” has been for so long now that they’ve rightfully commanded the lion’s share of investment in new solutions, people and processes. Conversely, despite all the conversations related to how we must prepare against nightmare outcomes from breaches in the OT domain – as there (until recently) has been a lack of major threat activity in this space – there has been a dearth of funding and advancement.
Just last week, Symantec released a report claiming that an advanced adversary has gained access to the OT networks of dozens of firms in the energy sector – giving them the ability, Symantec claims, to “turn off the lights” if they so wished. This follows the July disclosure of a major campaign targeting U.S. energy and nuclear facilities – which was likely conducted through lateral movement from IT to OT networks.
Tomi Engdahl says:
Cybersecurity for pipelines, other SCADA systems
It’s critical to stay up-to-date with cybersecurity measures to improve defenses against cyberattacks.
http://www.controleng.com/single-article/cybersecurity-for-pipelines-other-scada-systems/93945d45c0a2570979abac165a456e76.html
SCADA 2.0, IIoT development
As old as the SCADA concept is, it has not lost any of its importance. In fact, the role of SCADA systems is growing, which is broadening their definition. With a higher degree of protocol standardization and greater connectivity to corporate information technology (IT) networks, the potential for a cyber-attack also increases and is growing.
The trends toward business systems using and processing SCADA data create new avenues and reasons for system exploitation. Sharing data is often the lifeblood for many companies, but new threats can emerge in the process.
On the other hand, developing technologies also are changing the current situation as the IIoT merges with SCADA to become “SCADA 2.0.” This still has some time before development is complete, but there are many possibilities, including its design and how it could affect security considerations
The RTU, at least as a gateway, no longer will be included since it won’t be needed. The individual field instruments and actuators at the hypothetical pipeline pump station will all communicate directly with the ubiquitous network, just as a technician visiting the site might call back to the office on a smartphone. The data from the devices goes to the cloud and can be captured and used by whichever part of the company needs it, from anywhere. At this point it’s difficult to say exactly what the network might look like, however it most likely will be 4G or 5G capable, but the communication will be direct. New networking technologies like low power wide area network (LoRa WAN) may be included as well.
Setup for these installations will be easier than with current SCADA systems. It will be as easy as installing the field device, turning it on, and connecting it to the cloud. This will get rid of all the expensive and dangerous manual operations still being done at many sites. If a level instrument is added to the storage tank, the need for a worker to be sent out for maintenance no longer will be necessary.
The reality of this concept is some time away since the networks with the necessary requirements don’t currently exist. Coverage and speed are improving all the time, but 5G or even 4G in all the areas where pipeline pumping stations are located is not there yet.
Accommodating multiple SCADA systems
One current aspect of monitoring technology is the idea of multiple SCADA systems at one location, and the user might not even realize it. How does this happen?
A turbine-compressor set might have its own system to remotely monitor performance and conditions, and there is probably an existing SCADA system. These original equipment manufacturer (OEM) systems often are included to verify performance requirements written into purchase agreements. This kind of monitoring keeps everyone honest and helps the party responsible for maintenance stay informed with what’s happening. The system is in communication with the OEM’s headquarters and sends data back every day via its own network. Having this kind of communication is necessary and is ultimately a good thing for the most part, but there can be problems.
Signs of threats to come
Cyber criminals looking to make money from their exploits have been stealing financial data, personal information, and credit card numbers for a long time. Major retailers and financial service companies have fallen prey largely for this reason. Fortunately, industrial companies don’t necessarily have much in the way of such marketable data capable of being stolen. The scary alternative is ransomware, which has targeted hospitals and now spread to many other users in the recent “WannaCry” ransomware attacks.
Returning to the example of the hypothetical pipeline station for this scenario, say the operators at the central control room receive an alarm via the SCADA system because transportation has been shut off. Calling up the human-machine interface (HMI), they see a top-level screen saying that access to the RTU has been locked out and encrypted. The only way to regain control is by paying to get the access code.
The option for the company is to pay, or send somebody out to the site to take it offline and turn operations back on manually. This is only temporary because it is not practical to leave an operator at the site on a continuous basis. The only real solution is to take out the compromised RTU and replace it, at a cost significantly higher than the ransom.
This situation may seem unrealistic, however, as technology and cyber criminals become more advanced, predicting situations like this should be considered.
Defensive strategies for SCADA systems
The following are a few defensive suggestions:
Maintain physical security at remote sites: RTUs and other network-connected hardware should be in locked enclosures. Unused ports should be plugged with epoxy.
Update old systems: Any company still running equipment using Windows 95, or even more recent but still obsolete versions, is asking for trouble. Platforms running un-updated software can be just as bad. WannaCry only worked on outdated and un-updated Windows platforms.
Use network identification: Intrusion detection systems are very useful tools, but many companies fear they can disrupt networks. They can be designed for low-impact and with a passive response to make them easier to use on operating networks.
Train personnel: Workers are still the weakest link in cyber defenses. Social engineering, phishing, and spear phishing remain effective hacking tools. Don’t open unknown attachments, don’t plug in unknown thumb drives, etc.
Maintain network traffic logs: It’s hard to know if something strange is happening if you can’t identify right from wrong. Logs help establish baselines, so they can help determine where intruders have been and what damage may have been made or attempted.
Use available cybersecurity resources: The International Society of Automation http://www.isa.org and the National Institute of Standards and Technology http://www.nist.gov ISA/IEC 62443 offers many helpful resources and provide best practices for network administrators and defenders, as do NIST 800-14 and 800-16.
It will be easier to implement more cybersecurity measures with new technologies, but many companies find themselves still working with yesterday’s equipment and software.
Tomi Engdahl says:
Standards group creates draft report on updating critical IT, OT infrastructure
http://www.controleng.com/single-article/standards-group-creates-draft-report-on-updating-critical-it-ot-infrastructure/4e6326d90a207cea85c0592dfd945c27.html
The National Institute of Standards and Technology (NIST) has created a technical draft report that is designed to will help organizations perform a step-by-step analysis to identify those critical parts of a system that must not fail or suffer compromises to information technology (IT) or operations technology (OT).
Tomi Engdahl says:
DDoS Attacks More Likely to Hit Critical Infrastructure Than APTs: Europol
http://www.securityweek.com/ddos-attacks-more-likely-hit-critical-infrastructure-apts-europol
While critical infrastructure has been targeted by sophisticated threat actors, attacks that rely on commonly available and easy-to-use tools are more likely to occur, said Europol in its 2017 Internet Organised Crime Threat Assessment (IOCTA).
The report covers a wide range of topics, including cyber-dependent crime, online child exploitation, payment fraud, criminal markets, the convergence of cyber and terrorism, cross-cutting crime factors, and the geographical distribution of cybercrime. According to the police agency, we’re seeing a “global epidemic” in ransomware attacks.
When it comes to critical infrastructure attacks, Europol pointed out that the focus is often on the worst case scenario – sophisticated state-sponsored actors targeting supervisory control and data acquisition (SCADA) and other industrial control systems (ICS) in power plants and heavy industry organizations.
However, these are not the most likely and most common types of attacks – at least not from a law enforcement perspective as they are more likely to be considered threats to national security. More likely attacks, based on reports received by law enforcement agencies in Europe, are ones that don’t require attackers to breach isolated networks, such as distributed denial-of-service (DDoS) attacks, which often rely on easy-to-use and widely available tools known as booters or stressers.
While these types of attacks may not lead to a shutdown of the power grid, they can still cause serious disruptions to important utilities and services.
“While DDoS is often a tool for extortion, the lack of communication from the attackers may suggest that these attacks were of an ideological nature,” Europol said in its report. “Although European law enforcement recorded an increasing number of these attacks last year, they also note that they only had moderate, short-lived impact.”
Internet Organised Crime Threat Assessment (IOCTA) 2017
https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017
Tomi Engdahl says:
Cyber attacks against manufacturers rising, according to report
http://www.controleng.com/single-article/cyber-attacks-against-manufacturers-rising-according-to-report/15bc6946903a5798e21de3348606998e.html
Cyber attacks against manufacturers are occurring more frequently, according to a report by NTT Security, and the level of sophistication is also increasing.
Manufacturers are a key target for cyber attacks—and they are continuing to rise, according to research by NTT Security. In addition, the sophistication of cyber attacks continues to rise across all corners of the world, according to NTT Security’s Q2 Threat Intelligence Report.
The following is the attack profile of the manufacturing industry:
The manufacturing industry was the most heavily targeted industry during Q2 2017, accounting for 34% of attack activity.
The manufacturing industry was also heavily targeted throughout 2016, appearing in the “top three” in five of the six geographic regions. No other industry appeared in the top three more than twice
Fifty-eight percent of malware distribution in manufacturing environments was via web-based downloads.
Eighty-six percent of malware in the manufacturing industry were variants of Trojans and droppers.
Reconnaissance accounted for 33% of all activity aimed at manufacturing clients in Q2 2017.
Tomi Engdahl says:
Steps to Improve Critical Infrastructure and ICS Network Security
http://www.securityweek.com/steps-improve-critical-infrastructure-and-ics-network-security
These Prescriptive Steps Can Help the State of Security in Your ICS Network Environment
For this part, we’ll look more at the macro level of what needs to be done:
1. Acknowledge the threat and communicate it LOUDLY across your organization: A year ago, you might struggle to find examples that would be cause for pause or turn heads inside your organization. Today, you should be able to clearly demonstrate the need for action.
2. Stand up a project NOW – this year – to improve security for your ICS network as early as possible into 2018: If you believe the thesis that the threat is growing and we will see more attacks in the very near future, then there is no time but the present to take action. As the NIAC stated “…a narrow and fleeting window of opportunity,” is upon us.
3. Talk to your suppliers, your peers and industry analysts about where you should be focusing: In the past few months, a number of the world’s biggest ICS equipment vendors have announced partnerships with cybersecurity firms. These are the people that make your network gear/that have a responsibility to help you protect it. Talk to them – get their input on where they think you need to focus.
4. Tackle the biggest issues first: Asset discovery is a major issue in ICS network environments. “No way, Galina – we know exactly what is in our network. I have it all documented right here on this Excel spreadsheet dated this time last year.” Trust me, this is a norm in this space. I cannot even enumerate how many times we’ve walked into an engagement and immediately shown the practioner a huge list of assets they didn’t even know they had. You can’t secure what you don’t know you have.
Tomi Engdahl says:
Industrial Cyber Security for Dummies
http://media.wiley.com/assets/7359/00/9781119403593.pdf
Tomi Engdahl says:
Industrial Products Also Vulnerable to KRACK Wi-Fi Attack
http://www.securityweek.com/industrial-products-also-vulnerable-krack-wi-fi-attack
Some industrial networking devices are also vulnerable to the recently disclosed KRACK Wi-Fi attack, including products from Cisco, Rockwell Automation and Sierra Wireless.
KRACK, or Key Reinstallation Attack, is the name assigned to a series of vulnerabilities in the WPA2 protocol, which secures modern Wi-Fi networks. The flaws can allow an attacker within range of the targeted device to read information that the user believes is encrypted and, in some cases, possibly even inject and manipulate data (e.g. inject malware into a website).
The vulnerabilities are tracked as CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088. The security holes have been confirmed to affect products from tens of vendors, but many of them have already started releasing patches.
In the case of Cisco, many of the company’s products are affected, including Cisco 829 Industrial Integrated Services routers and Industrial Wireless 3700 series access points.
According to an advisory from ICS-CERT, Rockwell Automation is working on releasing a firmware update for its Stratix 5100 Wireless Access Point/Workgroup Bridge.
Sierra Wireless has also released an advisory to inform customers that a dozen of its products, including access points and client devices, are affected by the vulnerabilities.
Tomi Engdahl says:
The Future of Industrial Security – IT and OT Convergence
http://www.securityweek.com/future-industrial-security-it-and-ot-convergence
In industrial organizations, security is traditionally divided across three silos: physical security, IT security and operational security (plant security and system integrity). This divide makes it more difficult for facilities operators to identify and respond to incidents.
Also, modern-day operations often span complex IT (information technology) and OT (operational technology) infrastructures and typically include thousands of devices, which are increasingly being connected via the Industrial Internet of Things (IIoT). This creates new challenges for securing industrial environments, and makes cyber-physical security threats even more difficult to detect, investigate and remediate.
To protect this complex attack surface, many industrial organizations have devised ways to converge their IT and OT groups — or they are researching options for doing so. However, the ‘convergence challenge’ is truly a tough nut to crack as two main barriers exist.
IT and OT are Very Different
IT environments are very dynamic. For example, IT systems are patched, upgraded and replaced on a regular basis. IT staff are concerned about data confidentiality, integrity, and availability (aka CIA). They are very knowledgable about the latest IT trends and threats. However, IT personnel are typically not familiar with OT networks or industrial control systems, and few of them ever set foot on a plant floor.
In contrast, OT staff work in an operational environment where stability, safety and reliability are top priorities. Their jobs involve maintaining the stability of complex and sensitive environments such as oil refineries, chemical plants and water utilities that are populated with legacy systems that were implemented and haven’t changed for decades. The motto is: “if it works, don’t touch it”. OT engineers recoil at the thought of IT personnel being involved in the safety of their plants or tinkering with industrial control systems (ICS).
IT and OT use Different Technologies
In general, IT people are used to working with the latest and greatest hardware and software, including the best security available to protect their networks. They tend to spend most of their time patching, upgrading and replacing systems.
Meanwhile, OT staff are used to working with legacy technologies, many of which pre-date the internet era.
Tomi Engdahl says:
Practical Steps for Getting Started with IT/OT Security Convergence
http://www.securityweek.com/practical-steps-getting-started-itot-security-convergence
These three recommendations can help you get started:
1. Collaborate with OT to create a tailored security plan for the operations domain congruent with the broader security strategy and goals. From inception, think about the differences between the IT and OT environments and then embrace the reality that you can’t take what you’ve been doing in IT all these years, even if successful, and translate it directly to OT.
2. Establish a common lexicon and frame of reference around cybersecurity. This means taking what IT security people are passionate about (e.g., threats and vulnerabilities) and translating that into concerns in the operations domain (e.g., downtime and compromised quality) to show how the right security investments can actually improve operational outcomes.
3. Put some near-term security measures in place for immediate benefits. Using the OT security plan you’ve jointly created, work in partnership to identify and implement a handful of security protections that aren’t in place today and that will demonstrably improve the environment without negatively impacting operations.
• Improve the separation between OT and the rest of the business. In order for the business side to consume production data, the data must travel ‘northbound’ into the IT space.
• Lock down remote access to OT environments. Every industrial organization has employees, contractors, and vendors who need remote access to their OT environments. Clearly defined access controls, particularly for employees and contractors, can help protect against threats they may unwittingly introduce to the environment. However, restricting access to vendors can be more challenging because much of the OT equipment must be remotely maintained by a vendor under the terms of a support contract or warranty.
• Restrict portable media use through corporate-issued devices. Another risk to the operational domain is hand-carried malware. Some of the most destructive malware is very often carried into the OT environment by an employee with a USB drive or a vendor whose laptop may have become infected.
Ultimately, the goal of IT/OT convergence is to make the OT side more resilient through effective cyber protections, and instill confidence in your board and senior executives.
Tomi Engdahl says:
Detecting the Cyber Enemy Within
Once the firewalls are up, it’s time to seek out the latent cyber bug.
https://www.designnews.com/automation-motion-control/detecting-cyber-enemy-within/3726883557751?ADTRK=UBM&elq_mid=1863&elq_cid=876648
“There are two kinds of companies: those that know they’ve been hacked and those that don’t know they’ve been hacked.”
I heard these chilling words a couple years ago at an IoT conference. The implication is there may be bugs inside a company’s network that are laying low, collecting vital information and waiting for an opportune time to attack.
While much of the cybersecurity attention is focused on preventing unwanted entry, companies also need to scrub the inside of their networks to make sure they’re free of latent malicious threats that entered before the firewall was strong enough to withstand attack. To help with this effort, Rockwell Automation has introduced threat-detection services to monitor the insides of the control system for the presence of unwanted intruders.
Tomi Engdahl says:
Protecting Critical Infrastructure When a Dragonfly Beats its Wings
http://www.securityweek.com/protecting-critical-infrastructure-when-dragonfly-beats-its-wings
The Threat of Cyberattacks on Power Networks is Real, But We Have the Ability to Build Defenses That Minimize The Disruption to Services
News that a sophisticated and long-established cyber espionage group may have the ability to infiltrate and do serious harm to critical energy supply infrastructure doesn’t come as a complete surprise. It does, however, provide an opportunity to reflect on how such systems are protected and what we as an industry can do better in the future.
Anyone who works in security quickly gets used to the dilemma at the heart of what we do. It’s vital for us to communicate openly, clearly and with transparency about the threats faced in today’s networked world. Yet all too often, we run the risk of creating an unnecessary public panic which still doesn’t have the required effect of motivating those responsible for protecting critical systems into following good security practice.
The recent revelations were published by researchers at Symantec and concern a cyber-attack group known as Dragonfly. They found that over a two-year period Dragonfly-affiliated hackers have been stepping up their attempts to compromise energy industry infrastructure, notably in the US, Turkey and Switzerland. The Symantec researchers found that the behavior of the Dragonfly group suggests they may not be state-sponsored, but that they have been conducting many exploratory attacks in order to determine how power supply systems work and what could be compromised and controlled as a result.
An obvious target
This shouldn’t come as a shock. Even the most innocuous web server will face dozens, if not hundreds, of attacks every day. Industrial control systems and critical national infrastructure have always been prime targets. Everyone from bedroom hackers to state sponsored spies have wanted to breach critical systems since the dawn of the networked era, whether that be for monetary gain, secret information, or just pure curiosity.
What’s important in the Symantec report is not that energy systems are under attack, but that the methods detected – email phishing, Trojan malware and watering hole websites – are all well understood and can be mitigated against.
Symantec was keen to point out that it has already integrated protections from the known Dragonfly attack methods into its software. Even so, it would be foolish to underestimate Dragonfly. It’s clearly a sophisticated group with a clear purpose, and while Dragonfly’s primary mechanisms at present appear to be based on social engineering, there are plenty of other state and non-state sponsored groups who have yet more sophisticated tools at their disposal.
What’s more, the industrial internet of things (IIoT) continues to expand and our power infrastructure is diversifying to include smart grids and new, decentralised generation and transmission technologies. These may be beyond the control of traditional energy companies, but are still connected to their networks, introducing many more potential points of weakness to protect. We already know that there are many hundreds of thousands of consumer devices out there that are poorly secured against malware such as Mirai and its successors . The risk is that the same weaknesses may be unwittingly introduced to critical infrastructures.
Building our defenses
What does defense in-depth mean for the power supply industry? For a start, more work needs to be done to convince utility companies that security spending must be an absolute business priority. Proactive regimes that include regular retraining and offensive exercises, such as penetration testing and “red teaming”, require ongoing investment and a commitment at all levels, but are essential to keeping defenses honed.
On a practical level, it should be a given for even the smallest business in this day and age that application and client software is regularly patched and up-to-date, but as recent ransomware outbreaks have shown, this is not something we can take for granted.
For power companies, the challenge here isn’t just about rapid deployment of desktop and server software security patches, there are myriad field devices and control systems that need protecting too, which requires careful consideration. The update-and-patch ethos applies just as it does in the server world, but many of the MTUs, the RTUs and the IEDs may be legacy units for which security was an afterthought. They must be supplemented with intelligence in the network that can spot anomalies and improve the ability to detect new threats and signatureless malware.
Improving capabilities for prevention and detection of attacks, however, won’t be effective without similar investment in the ability to respond to incidents. This requires the development of specialist forensic skills and knowledge within the ICS and SCADA environment, so that once an incident is detected, it can be quickly neutralised and identified with the least possible disruption to operations. To further minimize disruption, solid plans for business continuity also need to be drawn up and prepared.
Tomi Engdahl says:
Collaborative robots and cybersecurity concerns for manufacturers
https://www.controleng.com/single-article/collaborative-robots-and-cybersecurity-concerns-for-manufacturers/147fc1947240c14122180913a48f3f32.html
Some collaborative robots have cybersecurity flaws or weaknesses, which undermines the entire point of having a robot work together with humans in the first place. Manufacturers need to take the issue seriously and system integrators should ensure safe operating conditions.
Collaborative robots, or “cobots,” are designed to work safely alongside humans in a number of ways from the laboratory to the warehouse floor to the production line. Robot makers go to great lengths to ensure these robotic systems are safe to work alongside humans.
Recent research has shown that some collaborative robots have cybersecurity flaws, which undermines the entire point of a collaborative robot and putting human workers at risk. Cybersecurity needs to be taken very seriously when it comes to collaborative robots. Why is it so serious? Is this different than cybersecurity in industrial robots?
The collaborative robot cybersecurity problem
With industrial robots, poor cybersecurity poses a major problem to the parts being produced. They could be produced just a millimeter or two off from the required specifications, causing part failure down the line. They could also be forced to stretch beyond their capabilities and break, or another of other things.
If someone hacks into a robot, they basically have full control. This presents many dangers with industrial robots, as it does with collaborative robots. But the two dangers are slightly different, since collaborative robots are meant to work alongside people. It’s human laborers that are at most risk when a collaborative robot is compromised.
Tomi Engdahl says:
Stopping industrial control system network threats
https://www.controleng.com/single-article/stopping-industrial-control-system-network-threats/4ba1a250eabd751e07c196fdb61b8356.html
Threats to the industrial control system (ICS) network infrastructure are at an all-time high and the sophistication of these are easy for perpetrators because of its aging infrastructure, lack of security planning/design, and minimal focus to protect ICS assets.
Threats to the industrial control system (ICS) network infrastructure are at an all-time high and the and the level of sophistication is greater than ever before. The increased volume and sophistication of these attacks make an ICS an easy target for perpetrators because of its aging infrastructure, lack of security planning/design, and minimal focus to protect ICS assets.
A detailed analysis of the infrastructure and operational aspects of a business can provide great insight to the level of risk as well as identify potential countermeasures to protect key assets. This type of holistic approach should be taken to assure all aspects are considered to fully understand the actual level of risk posed to the production system. This includes the cyber and physical security, as well as the status of the system lifecycle. To help discern the exact level of risk, each element should be evaluated thoroughly to understand the design, operational, and maintenance differences to preserve the livelihood of production systems.
ICS evolution
Historically, ICS providers utilized proprietary hardware and/or software solutions, which were physically isolated from external connections. Today, ICS utilizes commercial off-the-shelf (COTS) components and standard operating systems and common communication protocols. The move from proprietary systems to open technology allows for the use of third-party hardware and software components, which has helped drive the overall lifecycle costs of ICS down. In addition, the adaptation of standard common components and associated communication protocols facilitates easier connections with information technology (IT) or business systems. This sharing of data from the production system to the business system can potentially provide valuable business insight with minimal effort to collect and analyze the data.
These same features that have improved the lifecycles and made connectivity a snap can expose the vulnerabilities of ICS applications which were are not specifically designed with security as a primary focus. ICS providers typically publish recommended security practices which define a specific methodology to allow for connecting to external systems, but ultimately the responsibility of securing an ICS network is completely up to the end user to deploy and maintain. Securing these networks to ensure production availability and protection from a security concern should be a comprehensive business objective defined and supported by management.
Many of the infrastructures deployed today do not follow the National Institute of Standards and Technology (NIST) standard guide to Industrial Control System Security, which is recognized by the Department of Homeland Security. The Presidential Policy Directive – Critical Infrastructure Security and Resilience (PPD-21), proactively coordinates, strengthens, and maintains critical infrastructure that is vital to public safety, prosperity, and overall well-being.
Managing IT and ICS infrastructure
The IT and ICS infrastructure both utilize common networking components, but they are very different when it comes to maintenance, operation, and security management. The security goals of an IT business network and ICS network are completely different concepts, but they are based on the same principles of confidentiality, integrity, and availability.
For IT, business owners are mainly concerned about disclosure of intellectual property and confidentiality is the highest priority. Next, the integrity of the data is very important and that is followed by network availability. The ICS network has different priorities due to the critical nature of production system data. The dependence upon human interface requires the availability of the system to be the highest priority for the industrial sector.
Tomi Engdahl says:
Call to Arms on Cybersecurity for Industrial Control
https://www.eetimes.com/document.asp?doc_id=1332547&
Since last spring, U.S. Department of Homeland Security warnings to manufacturers and infrastructure owners about industrial control systems’ vulnerabilities to cyberattack have grown increasingly dire. In October, those warnings were recast as stark realities when DHS and the FBI issued a joint technical alert confirming ICS cyberattacks against manufacturers as well as energy, nuclear, and water utilities. The breaches are part of a long-term campaign targeting small and low-security networks as vectors for gaining access to larger, high-value networks in the energy sector.
Tomi Engdahl says:
Using 4G LTE wireless technology to secure industrial automation and control systems
http://www.cablinginstall.com/articles/pt/2017/11/using-4g-lte-wireless-technology-to-secure-industrial-automation-and-control-systems.html?cmpid=enl_cim_cim_data_center_newsletter_2017-11-20
Supporting business needs by improving defense-in-depth cybersecurity for industrial automation and control systems (IACSs) is a key challenge today. For example, oil, gas, and water plants need to access scattered and remote areas and wells, but cybersecurity can be a major challenge, which may require physical security and cybersecurity protections and controls. Wireless technology, such as 4G LTE [long-term evolution], has become the standard platform for Internet service provider cellular networks. In addition, it is being introduced to serve industrial applications. 4G LTE technology’s reliability may satisfy industrial business needs and connect many sites and plants easily to minimize cost and increase flexibility.
How to Use 4G LTE Wireless Technology to Secure Industrial Automation and Control Systems
https://automation.isa.org/2017/11/4g-lte-wireless-technology-secure-industrial-automation-process-control-systems/
Supporting business needs by improving defense-in-depth cybersecurity for industrial automation and control systems (IACSs) is a key challenge today. For example, oil, gas, and water plants need to access scattered and remote areas and wells, but cybersecurity can be a major challenge, which may require physical security and cybersecurity protections and controls. Therefore, wireless technology, such as 4G (long-term evolution [LTE]), is becoming the standard platform for Internet service provider cellular networks. In addition, it is being introduced to serve industrial applications. Its reliability may satisfy industrial business needs and connect many sites and plants easily to minimize cost and increase flexibility.
The main aspects of cybersecurity in wireless and LTE are privacy and confidentiality because of common attacks in a shared medium. For instance, passive attacks (eavesdropping, physical layer attacks, radio frequency jamming) and active attacks (hacking and man-in-the-middle attacks) are common challenges in the wireless domain. Therefore, robust mutual authentication and encryption mechanisms will protect an IACS. This was clearly demonstrated in the proof of concept (POC) conducted to test security solutions and controls of LTE wireless technology for IACSs, such as supervisory control and data acquisition (SCADA) systems and closed-circuit television (CCTV). A Yokogawa SCADA system (remote terminal unit [RTU] and SCADA host) was used as a SCADA platform, and a Huawei e-LTE broadband multimedia digital wireless system as a communication platform.
4G (LTE) wireless security
Generally, oil and gas operations are spread across large geographical areas, and workers at centralized control centers manage and operate day-to-day field operations, which are subject to harsh environmental conditions. SCADA systems electronically monitor and manage remote operations using advanced operational technology/information technology (OT/IT) solutions. In the “old days,” and even today, ultrahigh frequency (UHF) radios connected field RTUs via low-speed serial interface (RS232) radio channels that did not exceed 25 kHz, which the UHF modems use to modulate SCADA signals at roughly 19.6 kbps. This approach is adequate for the SCADA host to pull data from field devices and send supervisory control commands, such as a close/open command to a valve and a start/stop command to a pump, to the field. High speed is needed whenever there is an asset management solution for diagnostic purposes. In general, wireless communication is allowed for noncritical SCADA monitoring applications, and there should be a physical and logical segregation from non-SCADA applications in terms of network, communications hardware, servers, etc.
The ISA100, Wireless Systems for Automation Committee grouped wireless applications into three classifications: monitoring, control, and safety (figure 2). Wireless technology is becoming very popular for instrumentation (ISA100.11a) as well as for backhaul long-range process automation connectivity (ISA100.15).
A collaboration of national and regional telecoms standards bodies, known as the Third Generation Partnership Project (3GPP), developed LTE.
4G (LTE) technology has the potential to concurrently serve several industrial applications, such as:
oil and gas SCADA systems
cathodic protection monitoring and control
CCTV remote surveillance and alerting
mobile voice/video conferencing
energy management
wastewater management
vibration monitoring
power monitoring systems
microseismic sensing and intelligent field applications
4G (LTE) security overview
. From a high-level network architecture point of view, LTE consists of the following three main components:
user equipment (UE) or customer premises equipment (CPE)
evolved UMTS Terrestrial Radio Access Network (EUTRAN)
evolved packet core (EPC)
These components communicate with each other via standard interfaces.
The 3GPP segments the LTE security architecture into five functional domains; 3GPP TS 33.401 defines these domains as follows:
Network access security uses universal subscriber identity module (USIM) to provide secure access for a user to the evolved packet system (EPS). It includes mutual authentication and privacy features.
Network domain security refers to features that allow secure communications between the EPS and EPC nodes to protect against attacks on the network.
User domain security secures access to the terminal, such as a screen-lock password and PIN, to enable USIM usage.
Application domain security is the security features used by applications, such as HTTP.
Visibility and configurability of security tells a user whether or not a security feature is in operation, and gives user-configured control over whether the use of a service depends on enabled security features.
UE stores user and device confidential information. For UE to be able to communicate with a 4G (LTE) system, it has to register with the access layer. This is called user-to-network registration, and it has to be secured. It is important to notice that data traffic carried over LTE is not encrypted end to end, which makes it subject to being captured by a nontrusted entity at certain points. Encryption starts at the end-user device and terminates at the network side, whereas in 3G, data encryption starts at the end-user device, crossing the network all the way to the radio network controller.
Security observations
LTE technology with effective security controls, such as VPN (IPSec) and GRE, can serve voice, video, and broadband industrial data and applications simultaneously.
4,000 IPSec tunnels can be configured on the firewall, USG 6370. Therefore, the firewall can support up to 4,000 remote field sites.
The system throughput decreased by 30 percent using an IPSec tunnel and GRE tunnel.
The POC proved that a secure LTE wireless platform can serve multiple IT and OT systems, such as SCADA and CCTV applications, and allocate the required resources.
Tomi Engdahl says:
More Industrial Products at Risk of KRACK Attacks
http://www.securityweek.com/more-industrial-products-risk-krack-attacks
An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK.
The KRACK (Key Reinstallation Attack) flaws affect the WPA and WPA2 protocols and they allow a hacker within range of the targeted device to launch a man-in-the-middle (MitM) attack and decrypt or inject data. A total of ten CVE identifiers have been assigned to these security bugs.
The vulnerabilities impact many products, including devices designed for use in industrial environments. The first industrial solutions providers to warn customers about the KRACK attack were Cisco, Rockwell Automation and Sierra Wireless.
Siemens said the KRACK vulnerabilities affect some of its SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS products.
Swiss-based ABB informed customers that TropOS broadband mesh routers and bridges running Mesh OS 8.5.2 or prior are also vulnerable to KRACK attacks. ABB has yet to release patches, but it did provide workarounds and mitigations.
German industrial automation firm Phoenix Contact also confirmed that three of the KRACK flaws affect some of its BL2, FL, ITC, RAD, TPC and VMT products.
Lantronix informed customers that several of its wireless connectivity solutions are impacted by KRACK
“In most cases KRACK attacks present virtually no risk to those large industrial and critical infrastructure systems that do not use 802.11 technologies. Today, such systems constitute an absolute majority,”
Tomi Engdahl says:
Five Ways to Overcome the Cultural Barriers to IT/OT Security Convergence
http://www.securityweek.com/five-ways-overcome-cultural-barriers-itot-security-convergence
Trying to deal with cultural barriers and silos while under pressure to respond to directives or an attack is rarely advisable. Instead, here are five recommendations that can help you, as an IT security professional, proactively work in partnership with your OT counterparts to protect the business better.
1. Involve the right people. From inception you need to ensure the right people are at the table. Typically, executive management establishes the desired outcomes that drive policy, procedures, and requirements. Senior IT personnel must ensure that the right security controls are in place to align with the needs and requirements of the business.
2. Look for alternative technology-based solutions. IT staff look for the most efficient ways to address threats and vulnerabilities, for example patching systems directly. But this approach can involve taking systems offline for hours at a time, which is often not viable for mission-critical systems in an OT environment. Instead, think about the desired outcome and look for alternative ways to reach it.
3. Appreciate that technology isn’t always the answer. There are many ways to support security strategy and goals that don’t require technology-based controls. For example, there is a relatively simple security regulation that states every time a user accesses a company PC, a login banner must be displayed to warn possible intruders against illegal uses of the system, and to advise legitimate users of acceptable use policies and that systems may be monitored. But in an OT environment, where systems run continuously, and authorized users change at each shift without logging in again, how do you address this requirement? A simple workaround that doesn’t involve any IT investment for costly software modifications, is to print, laminate, and affix the banner physically to the monitor.
4. Dispense with the fear of duplication. The IT and OT environments both have their own technical staff, so there is some overlap of skill sets which can cause each side to view the other as a threat. But this can be overcome by understanding that the two teams have very different responsibilities and typically neither is interested in assuming the responsibilities of the other.
5. Tool up to expand support for OT. Visibility across your infrastructure is critical to better protection. But getting comprehensive visibility into the operations domain is a challenge when everyone isn’t using the same technology. The latest Windows and Mac OS environments on the IT side don’t necessarily translate to the OT side.
The IT/OT integration imperative for utility distribution businesses
https://www.accenture.com/t20161128T165149Z__w__/us-en/_acnmedia/PDF-36/Accenture-IT-OT-Integration-Imperative-Utilities.pdf
Tomi Engdahl says:
U.S. Indicts Chinese For Hacking Siemens, Moody’s
http://www.securityweek.com/us-indicts-chinese-hacking-siemens-moody
U.S. authorities filed charges Monday against three China-based hackers for stealing sensitive information from U.S. based companies, including data from Siemens industrial groups and accessing a high-profile email account at Moody’s.
Wu Yingzhuo, Dong Hao and Xia Lei, who the Department of Justice (DOJ) says are Chinese nationals and residents of China, were indicted by a grand jury for a series of cyber-attacks against three corporate victims in the financial, engineering and technology industries between 2011 and May 2017.
Victims named in the indictment include Moody’s Analytics, Siemens, and GPS technology firm Trimble.
According to the indictment, the hackers:
• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.
• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.
• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.
“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”
Tomi Engdahl says:
ICS-CERT Advice on AV Updates Solid, But Impractical
http://www.securityweek.com/ics-cert-advice-av-updates-solid-impractical
The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has offered some advice on how antivirus software should be updated in industrial environments, but the recommended method is not very practical and experts warn that organizations should not rely only on antiviruses to protect critical systems.
ICS-CERT recommendations on updating AVs in industrial networks
ICS-CERT, a component of the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), coordinates security incidents involving control systems and facilitates information sharing in an effort to reduce the risk of cyberattacks. The organization’s latest Monitor newsletter provides some advice on how organizations should update their antiviruses in ICS environments.
“Antivirus software, when properly deployed and up-to-date, is an important part of a defense-in-depth strategy to guard against malicious software (malware),” ICS-CERT said. “Such software is widely used in Information Technology (IT) and ICS infrastructures. In business IT environments, it is common practice to configure each antivirus client to update directly from the antivirus vendor; however, because ICS and IT systems require separation by the ICS demilitarized zone (DMZ), ICS systems require different antivirus update methods.”
The ICS DMZ is the level between the enterprise zone and the control network. The DMZ, in addition to historians and remote access servers, can include the antivirus, Windows Server Update Services (WSUS), and patch servers.
Since the ICS DMZ is typically not allowed to communicate directly to the Internet, updating these services cannot be done automatically from the vendor’s server. One method for updating antiviruses on these systems is to manually download the update, copy it to a removable media drive, and then connect that drive to the machine needing the update.
However, the process is not as straightforward as it sounds. ICS-CERT has advised organizations to first verify the source of the update, and then download the update file to a dedicated host. The file should be scanned for malware and its cryptographic hash needs to be verified in order to ensure it hasn’t been tampered with.
The removable media drive should also be scanned for malware and locked (i.e. prevent files from being written to it) once the update files have been copied.
“This process is more labor intensive than an automatic chaining of updates, but it is not prohibitively time-consuming,” ICS-CERT said. “This ‘sneakernet’ method is common in air-gapped networks. Automatically ‘daisy chaining’ the updates, which is similar to the process used in many IT environments, is convenient but not recommended.”
Tomi Engdahl says:
Critical Flaw in WAGO PLC Exposes Organizations to Attacks
http://www.securityweek.com/critical-flaw-wago-plc-exposes-organizations-attacks
Programmable logic controllers (PLCs) from Germany-based industrial automation company WAGO are affected by a potentially serious vulnerability that could give a remote attacker access to an organization’s entire network.
The flaw, discovered by a researcher at security services and consulting company SEC Consult, impacts Linux-based WAGO PFC200 series PLCs, specifically a total of 17 750-820X models running firmware version 02.07.07 (10). The affected devices are advertised by the vendor as ultra-compact and secure automation systems that can be used for traditional machine control, process technology, and in the offshore sector.
The security hole exists due to the use of version 2.4.7.0 of the CODESYS Runtime Toolkit. This embedded software is developed by 3S-Smart Software Solutions and it’s used by several vendors in hundreds of PLCs and other industrial controllers.
A few years ago, researcher Reid Wightman discovered that versions 2.3.x and 2.4.x of CODESYS Runtime were affected by critical access control and directory traversal vulnerabilities that could have been exploited to hack devices.
An attacker can use this method to write, read or delete arbitrary files, which can be done with a tool created by Digital Bonds several years ago for interacting with PLCs that use CODESYS. Since SSH is enabled by default on PFC200 PLCs, an unauthenticated hacker can exploit this to rewrite the etc/shadow file, which stores password hashes, and gain root privileges to the device.
Tomi Engdahl says:
Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs
http://www.securityweek.com/hackers-can-steal-data-air-gapped-industrial-networks-plcs
Researchers have discovered a method that hackers could use to stealthily exfiltrate data from air-gapped industrial networks by manipulating the radio frequency (RF) signal emitted by programmable logic controllers (PLCs).
Attackers may be able to plant a piece of malware on an isolated network, including via compromised update mechanisms or infected USB drives, but using that malware to send valuable data outside the organization poses its own challenges.
In the past few years, Israeli researchers have found several methods that can be used to jump the air gap, including via infrared cameras, scanners, the LEDs on routers and hard drives, heat emissions, radio signals, and the noise made by hard drives and fans. One of their proof-of-concept (PoC) malware, named AirHopper, uses electromagnetic signals emitted by a computer’s graphics card to send data to a nearby receiver.
Researchers at CyberX, a company that specializes in protecting industrial control systems (ICS), have found a way to apply a similar data exfiltration method to systems in air-gapped industrial networks. The method was first disclosed in October at SecurityWeek’s ICS Cyber Security Conference by CyberX VP of Research David Atch.
Tomi Engdahl says:
Industrial Firms Slow to Adopt Cybersecurity Measures: Honeywell
http://www.securityweek.com/industrial-firms-slow-adopt-cybersecurity-measures-honeywell
Industrial companies are slow to adopt cyber security capabilities and technology to protect their data and operations, according to a report released on Wednesday by industrial giant Honeywell.
A survey of 130 strategic decision makers from around the world revealed that more than half of industrial organizations have suffered a cybersecurity incident, including ones involving removable media, denial-of-service (DoS) attacks, malware, hackers breaking into plant IT systems, state-sponsored attacks, and direct attacks on control systems.
However, the study found that organizations underinvest in cybersecurity best practices in terms of people, processes and technology – three elements that need to work in harmony for an organizational culture that takes security seriously, Honeywell said.
Tomi Engdahl says:
Serious Flaw Found in Many Siemens Industrial Products
http://www.securityweek.com/serious-flaw-found-many-siemens-industrial-products
Several product lines from Siemens are affected by a serious vulnerability that can be exploited by a remote attacker to cause systems to enter a denial-of-service (DoS) condition.
The flaw, tracked as CVE-2017-12741 and rated “high severity,” was reported to Siemens by George Lashenko of industrial cybersecurity firm CyberX.
According to Siemens, the list of affected products includes SIMATIC S7-200 Smart micro-PLCs for small automation applications, some SIMATIC S7 CPUs, SIMATIC WinAC RTX software controllers, SIMATIC ET 200 PROFINET interface modules, SIMATIC PN/PN couplers, SIMATIC Compact field units, development kits for PROFINET IO, SIMOTION motion control systems, SINAMICS converters, SINUMERIK CNC automation solutions, SIMOCODE motor management systems, and SIRIUS 3RW motor soft starters.
An attacker can cause affected systems to malfunction by sending them specially crafted packets via UDP port 161, which is used for the simple network management protocol (SNMP). In order to recover from the DoS condition, the devices must be manually restarted.
The mitigating factors section of Siemens’ advisory lists the requirement that the attacker must have network access for exploitation, and the fact that it advises organizations to operate these devices only in trusted environments.
However, CyberX told SecurityWeek that there are roughly 2,000 Siemens devices accessible from the Internet, including approximately 400 that have an open SNMP port, which could make them vulnerable to the company’s exploit.
Tomi Engdahl says:
Rockwell Automation Patches Serious Flaw in FactoryTalk Product
http://www.securityweek.com/rockwell-automation-patches-serious-flaw-factorytalk-product
ICS-CERT informed organizations this week that Rockwell Automation has patched a high severity denial-of-service (DoS) vulnerability in one of its FactoryTalk products.
The vulnerability affects version 2.90 and earlier of FactoryTalk Alarms and Events (FTAE), a FactoryTalk Services Platform component installed by the Studio 5000 Logix Designer PLC programming and configuration tool, and the FactoryTalk View SE HMI software.
The security hole, reported to Rockwell Automation by an unnamed company in the oil and gas sector, is tracked as CVE-2017-14022 and it has been assigned a CVSS score of 7.5. It allows an unauthenticated attacker with remote access to the product to cause its history archiver service to stall or terminate by sending specially crafted packets to TCP port 403.
Tomi Engdahl says:
Jim Finkle / Reuters:
“Triton” malware, likely the work of a nation-state, found in Schneider Electric industrial safety systems often used in nuclear, oil and gas plants
Hackers halt plant operations in watershed cyber attack
https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271
Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.
FireEye Inc (FEYE.O) disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE (SCHN.PA).
Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.
Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.
Safety systems “could be fooled to indicate that everything is okay,” even as hackers damage a plant
“This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”
The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and others to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.
Tomi Engdahl says:
EcoStruxure™ Triconex Safety Systems
https://www.schneider-electric.com/b2b/en/products/industrial-automation-control/triconex-safety-systems/
Tomi Engdahl says:
Sophisticated ‘Triton’ malware shuts down industrial plant in hacker attack
https://www.digitaltrends.com/computing/triton-industrial-plant-hacker-attack/
Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
Tomi Engdahl says:
ABB and HPE Forge Partnership to Blend OT/IT
ABB and Hewlett Packard have created a service the combines OT and IT technology.
https://www.designnews.com/automation-motion-control/abb-and-hpe-forge-partnership-blend-otit/75050807057983?ADTRK=UBM&elq_mid=2466&elq_cid=876648
ABB and Hewlett Packard Enterprise (HPE) have created a partnership that combines ABB’s digital manufacturing system ABB Ability with HPE’s information technology (IT) solutions. The partnership is designed to provide manufacturers with actionable insights from vast amounts of industrial data. The goal is to increase the efficiency and flexibility of manufacturing operations.
The partnership blends ABB’s operations technology (OT) and HPE’s IT capabilities. The companies will deliver combined solutions designed to merge OT and IT in order to turn data into automatic action. The joint solution will combine cloud platforms like Microsoft Azure with IT systems running in corporate data centers and at the edge of the network. The companies will employ a mix of IT platforms to accelerate data processing in industrial plants while also enabling control of industrial processes across multiple locations.
Design News: As part of the agreement is to overcome OT/IT conflict, I would guess the companies see this as an ongoing problem. Could you characterize the current state of the problem and suggest a potential path forward?
Volkhard Bregulla: Industrial equipment today generates vast amounts of sensor data which all can be of value to optimize operation or create new services – however, currently only a small portion of this data is actually processed and translated into insights or automatic action, e.g. for predictive maintenance or intelligent machine control. There are several reasons for that.
One is mainly technical: Industrial plants often have a great number of different OT systems and different interfaces in their networks, creating high volumes of diverse data, and putting high demands on data acquisition, analytics engines, and networks. This requires specifically designed IT systems which firstly integrate OT and IT functions like data acquisition, analytics, and control based on standard IT technology; and secondly are optimized to run at the edge, i.e. close to the industrial equipment, to deliver the required speed, security and reliability which is required by OT systems. Because transferring the sensor data to remote data centers or clouds costs too much time (latency), is too unsecure and unreliable – and there is simply not enough bandwidth to do that.
Another main reason why many industrial customers don’t capture the value of their industrial data is a lack of combined OT/IT expertise.
Solving those two problems – with regards to technology and expertise – is exactly the rationale of the ABB/HPE partnership. Two of the leading OT and IT companies join forces to create the technology solutions and provide the expertise required to capture the value of industrial data and create intelligent plants to drive efficiency, flexibility, and innovation.
DN: With massive amounts of data coming off the plant floor now that IoT systems and inexpensive sensors are gathering so much data, I would guess HPE would offer expertise both in processing and perhaps determining what data is important. Is that part of the reason HPE is involved?
VB: One of HPE’s contributions in the partnership with ABB is to provide hybrid IT platforms which enable customers to choose the location where they run their ABB Ability solutions – based on requirements like performance, speed, security, compliance, or cross-site collaboration.
Tomi Engdahl says:
Bringing safety and security together for process control applications
https://www.controleng.com/single-article/bringing-safety-and-security-together-for-process-control-applications/412f09ec6e154f705bd7483d0810270a.html
It is important to understand the interaction between safety and security in process control applications to make better overall decisions.
Every production process comes with inherent risks. To achieve the greatest degree of safety and security, it is vital to implement an effective separation of the process control and safety systems, which is required for functional safety and cybersecurity standards. There is a lot at stake, including the employees’ health, the company’s assets, and the environment.
It often is not possible to eliminate all potential risks; especially in complex systems.
A more common definition of safety is the absence of unacceptable risks. Reducing risks to an acceptable level is functional safety’s task. An application’s safety depends on the function of a corresponding technical system, such as a safety controller. If this system fulfills its protective function, the application is regarded as functionally safe.
Separate layers reduce risks
The process industry increasingly is becoming aware of the importance of relevant standards for the safety and profitability of systems. Technical standard IEC 61511, Functional safety – Safety instrumented systems for the process industry sector, defines the best way to reduce the risk of incidents and downtime. It prescribes separate safety layers for control and monitoring, prevention and containment, as well as emergency measures (see Figure 1). Each of these three layers provides specific functions for risk reduction, and collectively they mitigate the hazards arising from the entire production process.
IEC 61511 also prescribes independence, diversity, and physical separation for each protection level. To fulfill these requirements, the functions of the different layers need to be sufficiently independent of each other. It is not sufficient to use different I/O modules for the different layers because automation systems also are dependent on functions in I/O bus systems, CPUs and software. To be regarded as autonomous protection layers in accordance with IEC 61511, safety systems and process control systems must be based on different platforms, development foundations, and philosophies. In concrete terms, this means the system architecture must, fundamentally, be designed so no component in the process control system level or the safety level can be used simultaneously.
Rising risk
In the last 10 years, the risk of cyber attacks on industrial systems has risen due to increasing digitalization. In addition to endangering information security, these attacks increasingly pose a direct threat to system safety. System operators need to be aware of these risks and address them. This can be achieved in a variety of ways. Unlike functional safety systems, which are intended to protect people, these systems and measures protect technical information systems against intentional or unintentional manipulation as well as against attacks intended to disrupt production processes or steal industrial secrets.
Safety and security have become more closely meshed. Cybersecurity plays a key role, particularly for safety-oriented systems, because it forms the last line of defense against a potential catastrophe.
Standards define the framework
Compliance with international standards is necessary in the design, operation, and specification of safety controllers. IEC 61508, Functional Safety, is the basic standard for safety systems, which applies to all safety-oriented systems (electrical, electronic, and programmable electronic devices). IEC 61511 is the fundamental standard for the process industry and defines the applicable criteria for the selection of safety function components.
The IEC 62443 cybersecurity series of standards for information technology (IT) security in networks and systems must also be considered. It specifies a management system for IT security, separate protection layers with mutually independent operating and protection facilities, and measures to ensure IT security over the full life cycle of a system. It also requires separate zones for the enterprise network, control room, safety instrumented system (SIS), and basic process control system (BPCS), each of which must be protected by a firewall to prevent unauthorized access (
Cybersecurity by design
Safety and security are closely related aspects of process systems, which must be considered separately and as a whole.
Standardized hardware and software in process control systems require regular updates to remedy weaknesses in the software and the operating system. However, the complexity of the software architecture makes it difficult or impossible to assess the risks analytically, which could arise from a system update. For example, updates to the process control system could affect the functions of the safety system integrated into the control system.
To avoid critical errors with unforeseeable consequences in safety-relevant processes as a result of control system updates, the process control system must be technologically separate from the safety system. For effective cybersecurity, it is not sufficient to upgrade an existing product by retrofitting additional software functionality. Every solution for functional safety must be conceived and developed with cybersecurity in mind, right from the start. This applies equally to the firmware and the application software.
A common feature of the process industry standard and the cybersecurity standard is the required separation of the SIS and the BPCS. This independence of safety systems is a good idea from a practical and economic perspective. The SIS and BPCS have, for example, very different life cycles and rates of change. System operators are free to choose “best-of-breed” solutions from different manufacturers.
Tomi Engdahl says:
Cybersecurity Dangers Will Spike in 2018
While the cyber danger increases for industrial networks, holistic security is gaining ground.
https://www.designnews.com/automation-motion-control/cybersecurity-dangers-will-spike-2018/178950264557972