ICS Companies Are Worried About Cybersecurity, But Are They Worried About Right Things?

http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html

The equipment was expected to be installed and left alone for a long time. Pressure to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not for security in an ICS environment. This has led to the current situation, where malware designed to compromise corporate systems can impact ICS equipment.

ICS vendors’ traditional development model didn’t accommodate regular patches and updates, so companies with ICS equipment are likely forced to consider security tools other than vulnerability scanning and patch management.

Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months. 

“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”

24 Comments

  1. Tomi Engdahl says:

    Reuters:
    US blames North Korean gov’t for cyber attacks since ’09 across media, aerospace, financial sectors and key infrastructure, mainly hitting old Microsoft systems

    U.S. blames North Korea for hacking spree, says more attacks likely
    http://www.reuters.com/article/us-northkorea-cyber-usa-idUSKBN1942MK

    The U.S. government on Tuesday issued a rare alert squarely blaming the North Korean government for a raft of cyber attacks stretching back to 2009 and warning that more were likely.

    The joint warning from the U.S. Department of Homeland Security and the Federal Bureau of Investigation said that “cyber actors of the North Korean government,” referred to in the report as “Hidden Cobra,” had targeted the media, aerospace and financial sectors, as well as critical infrastructure, in the United States and globally.

  2. Tomi Engdahl says:

    Putting Smart Tech on Old Machines
    Manufacturers are deploying advanced-technology solutions on older factory equipment – but at what cost?
    https://www.designnews.com/automation-motion-control/putting-smart-tech-on-old-machines/62576852556902?cid=nl.x.dn14.edt.aud.dn.20170614.tst004t

    Most manufacturing equipment is designed and deployed to last at least a couple decades. In that timeframe, tons of important new technology is introduced. Many manufacturers seek ways to derive the benefits of advanced-manufacturing technology without having to replace existing equipment that remains in fine working order. Yet many of the existing machines were simply not designed to support new technology.

    One current example is connectivity. The Internet of Things (IoT) offers a wide range of benefits, but tying it to older machines is not easy.

    “It is difficult to deploy IoT solutions alongside legacy equipment. The reason is that legacy systems were designed with particular requirements in mind, such as minimal data transferred at relatively long update rates,”

    Sticking new technology on legacy equipment can lead to problems when the older equipment isn’t structured to support data-driven tools. “Often, end-users try to bolt on these new solutions and they create a complex problem from a maintenance point of view,” said Mustard. “If the organization becomes dependent on the new IoT and big data solution – if they run their business based on the output of this equipment – they can find themselves unable to function if the complicated and unreliable infrastructure does not deliver.”

    Cybersecurity is another critical consideration when connecting older equipment to the outside world. Much of this equipment was conceived to live in an air-gapped world. “Legacy equipment was not designed with security in mind. It was designed to be used in relatively secure facilities with everything self-contained,” said Mustard. “IoT solutions are all about enabling businesses to get real-time data from manufacturing systems in order to manage the business, communicate with suppliers and customers, and with machinery manufacturers who are maintaining the production line.”

  3. Tomi Engdahl says:

    Industry Reactions to ‘CrashOverride’ Malware: Feedback Friday
    http://www.securityweek.com/industry-reactions-crashoverride-malware-feedback-friday

    ESET and Dragos this week published reports detailing a sophisticated piece of malware believed to have been used in the December 2016 attack aimed at Ukraine’s power grid.

    Dubbed Industroyer and CrashOverride, this modular malware has several components: a backdoor, a launcher, a data wiper, DoS and port scanner tools, and at least four payloads.

    The payloads allow the malware’s operators to control electric circuit breakers via industrial communication protocols, which suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.

    Researchers described some theoretical attack scenarios involving this malware and warned that the threat could be adapted for attacks on other countries, including the U.S., and other sectors.

    http://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack

  4. Tomi Engdahl says:

    Which Malware are Specifically Designed to Target ISC Systems?
    http://resources.infosecinstitute.com/malware-specifically-designed-target-isc-systems/

    After the discovery of the Stuxnet malware, cyber-security firms started looking at ICS malware with increasing interest. This specific family of malware can target industrial control systems, causing serious damage and putting human lives in danger.

    Ben Miller, Director of the Dragos Threat Operations Center, conducted interesting research, named MIMICS, based on completely public datasets related to incidents involving ICS over the last 13+ years.

  5. Tomi Engdahl says:

    Industroyer: Biggest threat to industrial control systems since Stuxnet
    https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

    The 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack. ESET researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.

    Whether the same malware was really involved in what cybersecurity experts consider to have been a large-scale test is yet to be confirmed. Regardless, the malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.

    Figure 1: Scheme of Industroyer operation

    Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).

    The recent power outage occurred on December 17th, 2016, almost exactly one year after the well-documented cyberattack that caused a blackout that affected around 250,000 households in several regions in Ukraine on December 23rd, 2015.

    In 2015, the perpetrators infiltrated the electricity distribution networks with the BlackEnergy malware, along with KillDisk and other malicious components, and then abused legitimate remote access software to control operators’ workstations and to cut off power. Aside from targeting the Ukrainian power grid, there are no apparent similarities in code between BlackEnergy and Industroyer.

    What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.

    Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).

    Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.

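
The comment above describes Industroyer mapping the network and then issuing commands over protocols such as IEC 60870-5-104 to substation switches and breakers. As an added example, not code from the original post or from ESET, here is a passive monitor that parses IEC 104 APDUs, picks out control-command ASDUs (type identifiers 45–47, 58–59) whose cause of transmission is "activation", and raises an alert when such a command comes from a host that is not on a list of authorised masters. It assumes the IEC 104 default field sizes (2-byte cause of transmission, 2-byte common address, 3-byte information object address); the frames, IP addresses and the authorised-master list are all constructed for the example.

```python
"""Added example: passive monitor for IEC 60870-5-104 control commands.

Assumes IEC 104 default field sizes: 2-byte cause of transmission,
2-byte common address of ASDU, 3-byte information object address (IOA).
All frames, addresses and the authorised-master list are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# ASDU type identifiers for process control commands (IEC 60870-5-101/-104)
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission "activation": a request, not a confirmation

# Constructed: the only host that should ever issue control commands
AUTHORISED_MASTERS = {"10.0.1.10"}


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int
    common_addr: int
    ioa: int
    element: int  # first byte of the first information element (SCO/DCO/QOI ...)


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Parse one APDU; return the ASDU of an I-format frame, None for S/U-format."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    if frame[2] & 0x01:  # control octet 1 bit 0 set: S-format (01) or U-format (11)
        return None
    body = frame[6:]  # ASDU starts after the 6-byte APCI
    if len(body) < 10:  # 6-byte ASDU header + 3-byte IOA + at least one element byte
        raise ValueError("truncated ASDU")
    return Asdu(
        type_id=body[0],
        num_objects=body[1] & 0x7F,
        cot=body[2] & 0x3F,
        common_addr=body[4] | (body[5] << 8),
        ioa=body[6] | (body[7] << 8) | (body[8] << 16),
        element=body[9],
    )


def classify(src_ip: str, frame: bytes, authorised: set) -> Optional[dict]:
    """Return an event for a control-command activation, None for anything else."""
    asdu = parse_apdu(frame)
    if asdu is None or asdu.type_id not in CONTROL_TYPES or asdu.cot != COT_ACTIVATION:
        return None
    select = bool(asdu.element & 0x80)  # S/E bit of SCO/DCO: 1 = select, 0 = execute
    return {
        "src": src_ip,
        "command": CONTROL_TYPES[asdu.type_id],
        "phase": "select" if select else "execute",
        "ioa": asdu.ioa,
        "alert": src_ip not in authorised,
    }


def run_monitor(traffic, authorised):
    """Run classify() over (src_ip, frame) pairs and keep the control-command events."""
    return [e for e in (classify(src, frame, authorised) for src, frame in traffic) if e]


# Constructed capture: HMI starts the link, interrogates, then selects and
# executes a single command on IOA 1001; an unknown host sends a double command.
SAMPLE_TRAFFIC = [
    ("10.0.1.10", bytes.fromhex("680407000000")),                          # U-format STARTDT act
    ("10.0.1.10", bytes.fromhex("680e0000000064010600010000000014")),      # C_IC_NA_1 interrogation
    ("10.0.1.10", bytes.fromhex("680e020000002d0106000100e9030081")),      # C_SC_NA_1 select, ON
    ("10.0.1.10", bytes.fromhex("680e040000002d0106000100e9030001")),      # C_SC_NA_1 execute, ON
    ("10.0.5.77", bytes.fromhex("680e000000002e0106000100ea030002")),      # C_DC_NA_1 execute, ON
]

if __name__ == "__main__":
    for event in run_monitor(SAMPLE_TRAFFIC, AUTHORISED_MASTERS):
        flag = "ALERT" if event["alert"] else "ok   "
        print(f"{flag} {event['src']:<10} {event['command']} ({event['phase']}) IOA {event['ioa']}")
```

Only activations (COT 6) are reported, so the outstation's confirmations are not double-counted, and the select/execute phase is recorded separately because an execute that is never preceded by a select from the same source is itself worth a second look.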
  6. Tomi Engdahl says:

    ICS Security Pros Increasingly Concerned About Ransomware: Survey
    http://www.securityweek.com/ics-security-pros-increasingly-concerned-about-ransomware-survey

    Many security practitioners in the field of industrial control systems (ICS) believe the level of risk is high, and they are increasingly concerned about ransomware and embedded controllers, according to the SANS Institute’s fourth annual ICS cyber security survey.

    ICS security experts from organizations of all sizes told SANS that they believe the top threat vectors are devices that cannot protect themselves, such as embedded controllers (44%), internal threats, including accidents (43%), external threats, such as nation-state actors and hacktivists (40%), and ransomware and other extortion attempts (35%).

    Ransomware has made a lot of headlines in the past year and industrial systems are at risk, as demonstrated by both theoretical attack scenarios and in-the-wild threats such as the WannaCry malware. As a result, the number of ICS security experts concerned about ransomware has nearly doubled compared to data from the previous SANS survey.

    “Although ransomware primarily infects commercial OS-based systems (e.g., Windows, Linux), the integration of these into ICS environments and the dependence of ICS on devices running these operating systems has extended ransomware’s effectiveness and reach,” SANS said in its report. “Publicly known operational impacts remain few to date but, we expect more to follow, especially given public demonstrations of ransomware targeting ICS/SCADA.”

  7. Tomi Engdahl says:

    Inadequate Boundary Protections Common in Critical Infrastructure: ICS-CERT
    http://www.securityweek.com/inadequate-boundary-protections-common-critical-infrastructure-ics-cert

    The assessments conducted by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 2016 showed that inadequate boundary protection has remained the most prevalent weakness in critical infrastructure organizations.

    ICS-CERT conducted 130 assessments in the fiscal year 2016, which is more than in any previous year. Monitor newsletters published by ICS-CERT this year show that it has already conducted 74 assessments in the first half of 2017.

    Assessments are offered to both government organizations and private sector companies whose owners and operators request them. Last year, the CERT conducted assessments in 12 of the 16 critical infrastructure sectors, including chemical, commercial facilities, communications, critical manufacturing, emergency services, dams, energy, food and agriculture, IT, government facilities, transportation, and water and wastewater systems.

    Similar to the previous two years, inadequate boundary protection remained the most common flaw – 94 discoveries representing more than 13 percent of all weaknesses identified during assessments.

    The second most prevalent type of vulnerability, with 42 discoveries, is “least functionality.” This refers to organizations failing to implement controls to ensure that unnecessary services, ports, protocols or applications that can be exploited to gain access to ICS are disabled.

    https://ics-cert.us-cert.gov/monitors

  8. Tomi Engdahl says:

    Dell Launches Endpoint Security Product for Air-Gapped Systems
    http://www.securityweek.com/dell-launches-endpoint-security-product-air-gapped-systems

    Dell announced on Thursday the availability of a new version of its Endpoint Security Suite Enterprise product designed specifically for air-gapped systems.

    The solution is designed to protect isolated computers from malware, insiders and other threats using artificial intelligence and predictive mathematical models provided by endpoint security firm Cylance.

    Researchers demonstrated in the past years that malware can leverage several methods to exfiltrate sensitive data from air-gapped systems, including through noise, LEDs, heat and radio frequencies.

    Since isolated systems are not connected to the Internet, the security products installed on them cannot automatically receive regular malware definitions and other updates. By teaming up with Cylance, whose mathematical models only require a few updates per year, Dell has developed a solution that can protect a device without requiring an Internet connection.

    The air gap version of Dell Endpoint Security Suite Enterprise is available now in the United States and other select countries around the world.

  9. Tomi Engdahl says:

    Air Gap or Not, Why ICS/SCADA Networks Are at Risk
    http://www.securityweek.com/air-gap-or-not-why-icsscada-networks-are-risk

    The commonly held belief that ICS/SCADA systems are immune to cyber attacks because they are disconnected from the Internet and the corporate network by an “Air Gap” is no longer true or feasible in an interconnected world. While many organizations will readily admit that the traditional air gap is disappearing, some still believe this is a viable security measure.

    In theory, an air gap sounds like a good strategy. In practice, things are never that simple. Even in cases where an organization has taken every measure possible to isolate their ICS network and disconnect it from the outside world, we have seen cyber threats compromise the perimeter. Meanwhile, even if it were possible to completely air gap an ICS network, insiders still pose a threat.

    Whether an organization implements an air gap or not, here are several reasons why ICS networks are at risk.

    The Need to Exchange Files
    Compromised Personal Devices
    Vulnerabilities and Human Error
    The Insider Threat
    Connected Technologies and IIoT

  10. Tomi Engdahl says:

    Hundreds of Java Flaws Patched by Schneider in Trio TView Software
    http://www.securityweek.com/hundreds-java-flaws-patched-schneider-trio-tview-software

    Energy management and automation solutions giant Schneider Electric was informed by a researcher that its Trio TView software uses a version of Java that was released in 2011 and is affected by hundreds of vulnerabilities.

    Researcher Karn Ganeshen informed Schneider that the version of Java Runtime Environment (JRE) used in Trio TView, a management and diagnostics software for industrial radio systems, is outdated and contains numerous vulnerabilities.

  11. Tomi Engdahl says:

    New CyberX Technology Predicts ICS Attack Vectors
    http://www.securityweek.com/new-cyberx-technology-predicts-ics-attack-vectors

    Industrial cybersecurity and threat intelligence firm CyberX announced on Thursday the availability of a new simulation technology that allows organizations to predict breach and attack vectors on their networks.

    The new industrial control systems (ICS) security service, named ICS Attack Vector Prediction, leverages proprietary analytics to continuously predict possible attack avenues and help organizations prevent breaches.

    The solution provides a visual representation of all possible attack chains targeting critical assets in the operational technology (OT) network. Scenarios are ranked based on the level of risk to help security teams prioritize mitigation.

  12. Tomi Engdahl says:

    How Hackers Can Use ‘Evil Bubbles’ to Destroy Industrial Pumps
    https://www.wired.com/story/evil-bubbles-industrial-pump-hack

    Since the NSA’s infamous Stuxnet malware started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of Die Hard sequels and into reality. As those attacks evolve, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. Judging by one proof-of-concept demonstration, they could come in far more insidious forms than defenders expect.

    In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems—physical systems that can be manipulated by digital means—might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.

    “Bubbles can be evil,” she said. “These bubbles are my attack payload. And I deliver them through the physics of the process.”

    Importantly, Krotofil’s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transferring their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.

    That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil’s attack doesn’t merely warn about the specific danger of hacker-induced bubbles. Instead, it’s meant as a more general harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven’t directly breached.

    “She can use a less critical piece to control that critical piece of the system,” says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. “If you look at just the data flows, you’re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.”

  13. Tomi Engdahl says:

    Fuzzing Tests Show ICS Protocols Least Mature
    http://www.securityweek.com/fuzzing-tests-show-ics-protocols-least-mature

    Fuzzing tests conducted last year by customers of Synopsys, a company that provides tools and services for designing chips and electronic systems, revealed that protocols used in industrial control systems (ICS) are the least mature.

    Fuzzing is a testing technique designed for finding software vulnerabilities by sending malformed input to the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw and further investigation is warranted. If the number of crashes is high and the time to first failure (TTFF) is short, the likelihood of exploitable vulnerabilities increases.

    Synopsys’ State of Fuzzing 2017 report is based on 4.8 billion results obtained in 2016 from tests targeting 250 protocols used in industrial, Internet of Things (IoT), automotive, financial services, government, healthcare and other sectors.

    In the case of ICS, Synopsys customers tested protocols such as IEC-61850 MMS, IEC-104 Server, Modbus PLC, OPC UA, DNP3 and MQTT. There are also some protocols used for both ICS and IoT, including CIP and CoAP Server.

    Many of these protocols had the TTFF within five minutes. Modbus, for instance, had 37 failures after 1.5 million tests and an average test runtime of 16 minutes. The OPC UA protocol had over 16,000 failures with a testing runtime of 4.5 hours.

    In comparison, the Address Resolution Protocol (ARP), which is used to convert an IP address into a physical address and is the most mature protocol, had zero failures after over 340,000 tests with an average runtime of 30 hours.

    Four of the five least mature protocols, based on average TTFF, are ICS protocols, including IEC-61850 MMS, Modbus PLC, DNP3 and MQTT.

    “The protocols typically associated with ICS showed the most immaturity,”

    “Many demonstrated rapid time to first failures, with IEC-61850 MMS measured in a matter of seconds. This has bearing on IoT, as many of the protocols used in ICS are also used in IoT. Clearly, more testing is needed for the protocols within ICS and IoT, as the potential for discovering more vulnerabilities is greater in these industry verticals than in others.”

    State of Fuzzing 2017
    https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/state-of-fuzzing-2017.pdf

    Fuzzing is a proven technology used to find vulnerabilities in software by sending malformed input to a target and observing the result. If the target behaves unexpectedly or crashes, then further investigation is required. That investigation may expose a vulnerability that may be exploited for malicious purposes. Fuzzing is equally valuable to those who develop software and those who consume it. It plays a role in the implementation, verification, and release phases of the software development life cycle (SDLC) and can be a vital indicator of undetected vulnerabilities (zero days) that may affect the integrity of systems already in use. The real goal of fuzzing is not merely to crash a program but to hijack it

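
To make the failure-count and time-to-first-failure (TTFF) metrics in the comment above concrete, the following added example (not Synopsys' tooling and not code from the original post) runs a small mutation fuzzer against two constructed Modbus TCP request parsers: a naive one that trusts the MBAP length and register-count fields, and a checked one that validates them and rejects malformed frames with a dedicated exception. The fuzzer treats that exception as a graceful rejection and any other exception as a failure, and it reports how many failures occurred and at which test case and elapsed time the first one appeared. The seed frame, the mutation strategies and both parsers are constructed for this example; the naive parser's defect is deliberate so that there is something for the fuzzer to find.

```python
"""Added example: a tiny mutation fuzzer with time-to-first-failure (TTFF) reporting.

Both parsers and the seed frame are constructed for this example; the naive
parser's defect (trusting length and count fields) is deliberate.
"""
import random
import struct
import time


class MalformedFrame(Exception):
    """Graceful rejection of bad input; the fuzzer does not count this as a failure."""


def parse_modbus_naive(adu: bytes) -> dict:
    """Constructed toy target: trusts the MBAP length and register-count fields."""
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    pdu = adu[7:7 + length - 1]
    func = pdu[0]
    if func == 16:  # Write Multiple Registers
        start, qty, bytecount = struct.unpack(">HHB", pdu[1:6])
        # Unpacks as many registers as the request claims, not as many as are present
        regs = struct.unpack(">" + "H" * qty, pdu[6:6 + 2 * qty])
        return {"func": func, "start": start, "registers": regs}
    return {"func": func}


def parse_modbus_checked(adu: bytes) -> dict:
    """Same format, with every length and count validated before it is used."""
    if len(adu) < 8:
        raise MalformedFrame("ADU shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise MalformedFrame("protocol identifier must be 0")
    if length != len(adu) - 6:
        raise MalformedFrame("MBAP length does not match frame size")
    pdu = adu[7:]
    func = pdu[0]
    if func == 16:
        if len(pdu) < 6:
            raise MalformedFrame("write request header truncated")
        start, qty, bytecount = struct.unpack(">HHB", pdu[1:6])
        if not 1 <= qty <= 123 or bytecount != 2 * qty or len(pdu) != 6 + bytecount:
            raise MalformedFrame("register count, byte count and frame size disagree")
        regs = struct.unpack(">" + "H" * qty, pdu[6:])
        return {"func": func, "start": start, "registers": regs}
    return {"func": func}


# Constructed seed: valid Write Multiple Registers request, 2 registers at address 0x0010
SEED_FRAME = struct.pack(">HHHBBHHB", 1, 0, 11, 1, 16, 0x0010, 2, 4) + struct.pack(">HH", 10, 11)


def mutate(rng: random.Random, frame: bytes) -> bytes:
    """One of three cheap mutations: random byte, truncation, or a boundary value."""
    data = bytearray(frame)
    op = rng.randrange(3)
    if op == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data = data[:rng.randrange(1, len(data))]
    else:
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    return bytes(data)


def fuzz(target, seed_frame: bytes, iterations: int, seed: int = 1) -> dict:
    """Run mutated inputs through target; report failures and time to first failure."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    failures, first_failure, ttff = 0, None, None
    t0 = time.perf_counter()
    for i in range(iterations):
        try:
            target(mutate(rng, seed_frame))
        except MalformedFrame:
            continue  # input rejected cleanly: this is the behaviour we want
        except Exception:
            failures += 1  # anything else is a crash in the target
            if first_failure is None:
                first_failure, ttff = i, time.perf_counter() - t0
    return {"tests": iterations, "failures": failures,
            "first_failure_case": first_failure, "ttff_seconds": ttff}


if __name__ == "__main__":
    for name, target in (("naive", parse_modbus_naive), ("checked", parse_modbus_checked)):
        print(name, fuzz(target, SEED_FRAME, 20000))
```

The naive parser fails within the first few dozen cases, which is the short-TTFF signal the Synopsys report treats as a warning sign; the checked parser rejects every malformed input through MalformedFrame and records zero failures, which is the outcome a parser for a fielded ICS protocol should reach before it ships.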
  14. Tomi Engdahl says:

    Overcoming the Lost Decade of Information Security in ICS Networks
    http://www.securityweek.com/overcoming-lost-decade-information-security-ics-networks

    If you thought things were bad in the world of IT network security over the past decade, I have an incredibly bleak thesis to present to you.

    Despite the collective failures in that space – leading to billions in stolen intellectual property, massive intelligence gains like OPM, hundreds of millions of stolen identities, etc. – there were clearly major advances in terms of security controls. Countless innovations – tons of investment in terms of people and money, the birth and evolution of an industry/subindustries, a proven ability to respond to (although not foresee) emerging threats – depict a tremendous number of positives hidden behind the losses. That focus is why we currently have a market of approximately 2,000 security solutions (the value of which is a topic for another discussion).

    In the world of critical infrastructure/industrial control systems (ICS) security (aka operational technology), despite nearly two decades of discussion around nightmarish cyberattack scenarios and outcomes, the past 10 years can arguably be labeled “The Lost Decade of Information Security.”

    I would argue that we are no better off today in terms of cybersecurity readiness than we were 10 years ago. This belief keeps me up at night and wakes me before the sun many mornings as the threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.

    What is encouraging is that in the past two years – and notably the past few months – we have seen an accelerated pace of awareness and prioritization being given to ICS security.

    Where We Went Wrong

    • Failing to “bridge the gap” between IT and ICS (Engineering) staff – These teams approach the world with completely different viewpoints, backgrounds and missions. ICS staff have safety and uptime as the core thought in every decision they make – and they have zero tolerance for the introduction of security controls which jeopardize either. Even a concept as basic as patching is problematic as it brings downtime to production. These teams have made strides in terms of working with one another; but a lack of solutions built specifically for ICS, that don’t jeopardize uptime and safety and offer a demonstrable value to both teams has resulted in a closed-door policy in most cases. “I own the shop floor. I need to keep production moving. I need to make sure nothing fails that could cause safety concerns for our teams or the public. NO – you are NOT putting that in my network.”

    • Falling victim to the notion that prescriptive commands/standards could and would be implemented – Kudos for giving ICS security focus.

    • Trying to force the “square pegs” of IT security into the “round holes” of ICS networks – IT security tools were not designed for fragile ICS networks. Approaches like active scanning, active querying and other “standard IT tools” have crashed PLCs, interrupted uptime and caused significant problems when implemented.

    • Delaying investment because “these attacks are theoretical – they aren’t happening” – Logically, cybersecurity budgets over the past decade were dedicated to the areas where the bleeding was occurring. Have no idea who’s inside your network? Full packet capture and forensics tools. Dealing with a million point solutions? SIEMs and orchestration tools. Suffering under the scourge of spear-phishing? Advanced endpoint solutions, etc. Makes sense and you can’t really fault people for investing this way.

    • Believing that the concept of “air-gapped” networks was ever a reality/would stand up against business and efficiency demands – “We’ll design the network so it can’t be accessed from the outside/so there is no interconnectivity with the IT network.” Sounded good for a time, but business demands have eradicated the notion of an “air-gapped” ICS network. Maintenance requirements, connectivity to the supply chain, remote analytics, managing “top floor to shop floor” KPIs, the desire to drive predictive analytics – these needs have seen “air gapping” go the way of the dinosaur. As a result, air gaps now have one thing in common with unicorns – they don’t exist.

    • Difficult to implement, hard to consume, cumbersome to maintain previous-generation ICS specific solutions – There have been a number of promising ICS specific cybersecurity solutions that have emerged and failed to gain mainstream traction over the years. Difficulty in implementation (let’s put this firewall in front of every PLC), difficulty in consumption (massive installation projects, significant upfront time to configure) and unwieldy/unrealistic maintenance requirements saw these promises fail. They simply didn’t understand the unique needs of the ICS consumer.

    So, practically, what actions can we take – right now – to vault the state of ICS security forward?

    First, we need to stop “studying” the problem.

    We need immediate focus and investment from government, board rooms, CIOs/CISOs, ICS owner/operators, security vendors and ICS equipment manufacturers on the problems confronting us.

    We need a reference architecture which delivers the “biggest bang for the buck” and the most rapid increase in security readiness. An easily and rapidly (i.e., months not years) implementable framework which focuses on risk assessment, real-time monitoring, high-risk vulnerability management, threat intelligence, advanced endpoint protection and rapid response.

  15. Tomi Engdahl says:

    Cyberweapons are now in play: From US sabotage of a North Korean missile test to hacked emergency sirens in Dallas
    http://www.techrepublic.com/article/cyberweapons-are-now-in-play-from-us-sabotage-of-a-north-korean-missile-test-to-hacked-emergency/

    Cyberwarfare has begun. Unlike nuclear weapons, cyberweapons can be proliferated more quickly and the threat from accidentally setting them off is even greater.

    On April 7, 2017, a radio frequency trigger hack caused 156 emergency sirens in Dallas, a city of 1.2 million people, to wail concurrently for 81 minutes. The incident serves as a clarion call to organizations everywhere that cyberweapons could be used against your infrastructure in order to make a statement.

    “Technically, each siren went off for 90 seconds, 15 times. There was a lot of confusion,” said Dallas public information officer Richard Hill, because there were no storms in the region. “We had close to 4,000 calls to 911. The system was nearly overwhelmed.”

    As a show-of-force in December 2015, cyberattacks by Russian-linked hackers took down a large portion of the Ukraine power grid. “The initial breach of the Ukraine power grid was—as so often in cyberattacks—down to the human factor,” wrote ZDNet’s Charles McLellan. “Spearphishing and social engineering were used to gain entry to the network. Once inside, the attackers exploited the fact that operational systems—the ones that controlled the power grid—were connected to regular IT systems.”

    Dallas’ outdoor warning system, like most municipalities in the United States, is radio controlled and triggered when a storm is imminent by a signal sent from the National Weather Service. For security reasons, the city of Dallas would not discuss the details of how the system was compromised. But the city’s senior public information officer, Monica Cordova, said, “we believe [the attack] came from the Dallas area.”

    It could take the city’s leaders months to reveal what many security experts already know: Cyberattacks against outdated critical infrastructure are as easy to execute as the stakes are high. And the arsenal of cyberweapons—malware that is designed to inflict disruption, damage, and destruction—is growing rapidly.

    “As technology is increasingly integrated into the manner in which our society operates,” said Chris Pogue, CISO of cybersecurity firm Nuix, “the potential of cyberattacks that have a kinetic impact also increases.”

    “Code proliferates very quickly and is easy to build or steal. Anyone with a laptop, some coding skills, and a few free hours can create a ‘cyberweapon.’”
    Sergio Caltagirone, director of threat intelligence and analytics at Dragos

    Pogue can rattle off a long list of attacks against critical infrastructure that portend a future where companies, government agencies, and consumers are all victims of cyberweapons.

    When everything becomes a cyberweapon

    One week after the Dallas incident—at 11:21 am UTC, 10,895 kilometers away—a North Korean ballistic missile fired and exploded moments after launch. The April 2017 test was the latest in a series of recent North Korean missile misfires.

    Reporting by CBS News and The New York Times indicates that American-made cyberweapons may have been responsible for the floundering rockets. “Presuming the missile batteries run on a computer-based launch control system, which they do,” Pogue speculated, “an attacker could do anything the system allows: change fuel mixtures, time on launchpad after engine fire but before launch, destination of target, trajectory, and payload arming and disarming.”

    “The public, companies, or governments should be less concerned about these weapons and more concerned with everything else that’s out there, including malware, hackers, and the government.”
    Jack Rice, former CIA case officer

  16. Tomi Engdahl says:

    Underwriters Laboratories Releases Cybersecurity Standards for Industrial Control
    https://www.designnews.com/automation-motion-control/underwriters-laboratories-releases-cybersecurity-standards-industrial-control/132202681657313?cid=nl.x.dn14.edt.aud.dn.20170822.tst004t

    UL have developed cybersecurity standards in association with the Department of Homeland Security and the Defense Advanced Research Projects Agency.

    As most software applications available today are comprised of open-source components, organizations must be especially vigilant to implement rigorous software supply chain management systems and procedures to mitigate the potential risk from third-party applications. Thus, Underwriters Laboratories (UL) has developed a set of cybersecurity standards – UL 2900-2-2 – specifically designed for industrial control systems (ICS).

    The standards were developed to offer testable cybersecurity criteria for third-party software and to validate the security claims of software vendors.

    In addition, UL has ongoing research partnerships with the Department of Homeland Security (DHS ICS-CERT) and the Defense Advanced Research Projects Agency (DARPA ICS) to help mitigate industrial IoT cyber risks.

    Cybersecurity is always a moving target. UL built this into the standards, so they will be updated as changes in the security environment change. “We’re in a continuous feedback mode for continuous improvement. There is no silver bullet or magic way to solve the problem,” said Modeste.

    UL created standards that are designed to adapt to developments in the security environment, a function that is consistent with updates that software vendors provide. “The standards are continually updated. Vendors are producing products, but those products are not static. They make revisions and updates,” said Modeste. “The vendor adapts, so they roll out any new changes. We take that into consideration. We look at how to ensure your vendor is doing the due diligence.”

    Ongoing UL Cybersecurity Standards

    UL began publishing standards for the ICS providers last year. “We published a series of standards in 2016. We published more this past summer. We started three years ago as we worked in an advisory role to the Obama Administration,” said Modeste. “We met with several agencies within the government, DHS being the biggest one. We partnered with various agencies, including DARPA. We also included several consultants and utilities.”

    The standards come out of UL’s Cybersecurity Assurance Program (UL CAP), which offers third-party support to allow users to evaluate both the security of network-connectable products and systems, as well as the vendor processes for developing and maintaining products and systems for security.

    “The standards are focused on the manufacturing community, to help them build good design into their products.”

    Reply
  17. Tomi Engdahl says:

    Researchers Demo Remote Hacking of Industrial Cobots
    http://www.securityweek.com/researchers-demo-remote-hacking-industrial-cobots

    Researchers at security firm IOActive have shown how a remote attacker can hack an industrial collaborative robot, or cobot, and modify its safety settings, which could result in physical harm to nearby human operators.

    A few months ago, IOActive published a brief report providing a high-level description of its research into robot cybersecurity. Researchers analyzed industrial and business robots from six vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp.

    A brief analysis of mobile applications, software and firmware led to the discovery of nearly 50 vulnerabilities, including weaknesses related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.

    Reply
  18. Tomi Engdahl says:

    Assessing Cyber and Physical Risks to Oil & Gas Sector
    http://www.securityweek.com/assessing-cyber-and-physical-risks-oil-gas-sector

    This classification applies to 16 different sectors, some of which face greater risks and challenges than others when it comes to security. Oil and natural gas (ONG) is one such sector. Here’s why:

    Unsecure technologies are prevalent

    Overall, many ONG companies’ IT & OT infrastructures mimic an ongoing trend we’ve seen across all sectors: the widespread presence of security vulnerabilities stemming from the rapid (and often premature) adoption of digital technologies and IoT devices. Similar to how the healthcare sector’s rushed implementation of electronic medical record systems ultimately fueled an uptick in healthcare data breaches, the ONG sector’s continual adoption of increasingly-interconnected industrial control systems (ICS) is expanding the surface area upon which potential vulnerabilities could occur, threats manifest, and attacks transpire.

    Even worse, many ONG companies continue to rely on outdated, insecure operating systems and even hardware. A recent Ponemon Institute study on “The State of Cybersecurity in the Oil & Gas Industry” revealed that these issues may be exacerbating the fact that ONG already lags behind many other sectors when it comes to cybersecurity capabilities, readiness, and awareness. Consequently, over 70% of ONG companies have been breached in the last year.

    Threat actors are more complex

    While most security and intelligence teams are well-versed in protecting their organizations from the fraudsters and cybercriminals responsible for the majority of threats emanating from the Deep & Dark Web, combatting the myriad of malicious cyber and physical actors targeting the ONG sector can create substantial challenges for which many teams may be neither prepared nor able to address.

    State-sponsored actors are one such example. Often driven by political, ideological, and/or adversarial gain, these actors have historically targeted ONG industrial control systems, launched cyberattacks aimed at disrupting the operational continuity of regional ONG entities, and attempted to access and exploit confidential ONG information to support foreign military initiatives.

    Damages can be severe

    Perhaps the most obvious reason for the ONG sector’s increased cyber and physical risks stems from its omnipresent and truly vital role in modern society. Given that oil and natural gas account for the majority of the world’s energy consumption, power international trade, and remain integral determinants of the global economy, any threat that could compromise these resources and/or the systems on which they rely has the potential to yield catastrophic damages.

    So what exactly could these damages look like? Past cyberattacks in the ONG sector provide some insight. Following the 2012 attack on Saudi Aramco’s cyber infrastructure, for example, nearly 75 percent of the company’s data was lost and operations – as well as a global oil supply chain – were disrupted for months and yielded lasting economic consequences.

    Clearly when it comes to safeguarding critical infrastructure entities, the stakes are high – especially for ONG companies.

    Reply
  19. Tomi Engdahl says:

    Saturday, August 26, 2017
    The Cassandra Coefficient and ICS Cyper – Some Thoughts
    http://blog.iec61850.com/2017/08/the-cassandra-coefficient-and-ics-cyper.html

    Do you have an idea what “The Cassandra Coefficient” is all about and how it relates to ICS cyber security? Joe Weiss discusses the issues in a recent publication:

    Cassandra coefficient and ICS cyber – is this why the system is broken

    Brief extract from the publication:
    Joe Weiss writes: ” … What I have found is that each time another IT cyber event occurs more attention goes to the IT at the expense of ICS cyber security. The other common theme is “wait until something big happens or something happens to me, then we can take action”. Because there are minimal ICS cyber forensics and appropriate training at the control system layer (not just the network), there are very few publicly documented ICS cyber cases. However, I have been able to document more than 950 actual cases resulting in more than 1,000 deaths and more than $50 Billion in direct damages. I was recently at a major end-user where I was to give a seminar. The evening before I had dinner with their OT cyber security expert who mentioned he had been involved in an actual malicious ICS cyber security event that affected their facilities. For various reasons the event was not documented.

    Cassandra coefficient and ICS cyber – is this why the system is broken
    https://www.controlglobal.com/blogs/unfettered/cassandra-coefficient-and-ics-cyber-is-this-why-the-system-is-broken/

    - Response availability – Is this a problem that could have been mitigated with some response?

    (Dale’s Rating: High) The answer to this question is clearly yes, although you will find significant disagreement among credible experts on the best way to prevent or mitigate a catastrophe caused by an ICS cyber incident.

    - Initial Occurrence Syndrome – It has never happened before

    (Dale’s Rating: Medium) We have seen Stuxnet, Ukrainian Power Grids, German Steel Mills, Merck, and many others who have been impacted by ICS cyber incidents. The IoT botnet Mirai caused an economic impact. Definitions of a catastrophe vary, but compared to what is possible we have not seen a catastrophe caused by an ICS cyber incident. Many companies and organizations remain unconvinced that it can happen to them, but the larger organizations are no longer in denial that it could happen. They may still rely on the fact that it never happened before as an excuse to reduce the action and amount spent, as Richard Clarke discussed in his S4x17 Keynote.

    - Erroneous Consensus – Experts Mistakenly Agree Risk is Low

    (Dale’s Rating: Low) It’s hard to say there is a consensus in the ICS security space about the likelihood and shape of a cyber incident caused catastrophe. There are scenarios, but those scenarios are highly debated. The US Electric Grid is a good example of widely varying views by experts on the likelihood of widespread and sustained outages. If I had to judge, there is more of a consensus that a catastrophe will happen, with a wide range of estimates on the where, what and when. There is not a consensus that the risk is low.

    - Magnitude Overload – The sheer size of the problem overwhelms

    (Dale’s Rating: Ultra High) There are multiple sectors in the ICS world that could cause a catastrophe in terms of loss of life, economic impact to companies, sectors and regions, and environmental damage. While there are commonalities, when you look at stopping potential high consequence incidents, the actions required are very sector specific and more likely even sub-sector specific.

    - Outlandishness – Does it appear to be science fiction

    (Dale’s Rating: Medium) It does not rate high because similar cyber incidents that have not resulted in catastrophes have happened, and talk to a forthcoming engineer and you will sometimes hear how they could cause a catastrophe. It does not rate low because a number of the scenarios presented at conferences are dreamed up by hackers / researchers lacking in the knowledge of the engineering, automation and safety systems. There are many outlandish scenarios.

    - Invisible Obvious – Not seen because it is too obvious

    (Dale’s Rating: Low) We seem to be past the surprise that control and configuration of a physical process allows you to control and alter the physical process.

    Reply
  20. Tomi Engdahl says:

    Is Winter Coming in Industrial Control Systems Cybersecurity?
    http://www.securityweek.com/winter-coming-industrial-control-systems-cybersecurity

    In 2005, the breach of Card Systems (a major payment card processor), which exposed 40+ million credit cards, was labeled “The Biggest Hack of All Time” – the breach made worldwide news and the cover of Newsweek with a multipage article highlighting the dangerous new reality of cyberthreats. Fast forward to just last week with the announcement of the Equifax breach impacting 143 million individuals’ personally identifiable information, credit histories and card details and it should be apparent that nothing has gotten better in the world of IT security in the past 12 years. To the contrary, our ability to counter and combat threats has been nothing short of a failure.

    Why reference these IT network breaches if my focus is on the industrial control systems (ICS) or operational technology (OT) networks that power critical infrastructure and run our global economy? I point to them as stark reminders to anyone thinking that the security of these networks is either “on par” (a horrible standard at best) or better than those of their IT counterparts. This could not be further from the truth. IT networks have been where “the bloodshed” has been for so long now that they’ve rightfully commanded the lion’s share of investment in new solutions, people and processes. Conversely, despite all the conversations related to how we must prepare against nightmare outcomes from breaches in the OT domain – as there (until recently) has been a lack of major threat activity in this space – there has been a dearth of funding and advancement.

    Just last week, Symantec released a report claiming that an advanced adversary has gained access to the OT networks of dozens of firms in the energy sector – giving them the ability, Symantec claims, to “turn off the lights” if they so wished. This follows the July disclosure of a major campaign targeting U.S. energy and nuclear facilities – which was likely conducted through lateral movement from IT to OT networks.

    Reply
  21. Tomi Engdahl says:

    Cybersecurity for pipelines, other SCADA systems
    It’s critical to stay up-to-date with cybersecurity measures to improve defenses against cyberattacks.
    http://www.controleng.com/single-article/cybersecurity-for-pipelines-other-scada-systems/93945d45c0a2570979abac165a456e76.html

    SCADA 2.0, IIoT development

    As old as the SCADA concept is, it has not lost any of its importance. In fact, the role of SCADA systems is growing, which is broadening their definition. With a higher degree of protocol standardization and greater connectivity to corporate information technology (IT) networks, the potential for a cyber-attack also increases and is growing.

    The trends toward business systems using and processing SCADA data create new avenues and reasons for system exploitation. Sharing data is often the lifeblood for many companies, but new threats can emerge in the process.

    On the other hand, developing technologies also are changing the current situation as the IIoT merges with SCADA to become “SCADA 2.0.” This still has some time before development is complete, but there are many possibilities, including its design and how it could affect security considerations

    The RTU, at least as a gateway, no longer will be included since it won’t be needed. The individual field instruments and actuators at the hypothetical pipeline pump station will all communicate directly with the ubiquitous network, just as a technician visiting the site might call back to the office on a smartphone. The data from the devices goes to the cloud and can be captured and used by whichever part of the company needs it, from anywhere. At this point it’s difficult to say exactly what the network might look like; however, it most likely will be 4G or 5G capable, and the communication will be direct. New networking technologies like low power wide area network (LoRaWAN) may be included as well.

    Setup for these installations will be easier than with current SCADA systems. It will be as easy as installing the field device, turning it on, and connecting it to the cloud. This will get rid of all the expensive and dangerous manual operations still being done at many sites. If a level instrument is added to the storage tank, a worker no longer will need to be sent out for maintenance.

    The reality of this concept is some time away since the networks with the necessary requirements don’t currently exist. Coverage and speed are improving all the time, but 5G or even 4G in all the areas where pipeline pumping stations are located is not there yet.

    Accommodating multiple SCADA systems

    One current aspect of monitoring technology is the idea of multiple SCADA systems at one location, and the user might not even realize it. How does this happen?

    A turbine-compressor set might have its own system to remotely monitor performance and conditions, and there is probably an existing SCADA system. These original equipment manufacturer (OEM) systems often are included to verify performance requirements written into purchase agreements. This kind of monitoring keeps everyone honest and helps the party responsible for maintenance stay informed with what’s happening. The system is in communication with the OEM’s headquarters and sends data back every day via its own network. Having this kind of communication is necessary and is ultimately a good thing for the most part, but there can be problems.

    Signs of threats to come

    Cyber criminals looking to make money from their exploits have been stealing financial data, personal information, and credit card numbers for a long time. Major retailers and financial service companies have fallen prey largely for this reason. Fortunately, industrial companies don’t necessarily have much in the way of such marketable data capable of being stolen. The scary alternative is ransomware, which has targeted hospitals and now spread to many other users in the recent “WannaCry” ransomware attacks.

    Returning to the example of the hypothetical pipeline station for this scenario, say the operators at the central control room receive an alarm via the SCADA system because transportation has been shut off. Calling up the human-machine interface (HMI), they see a top-level screen saying that access to the RTU has been locked out and encrypted. The only way to regain control is by paying to get the access code.

    The option for the company is to pay, or send somebody out to the site to take it offline and turn operations back on manually. This is only temporary because it is not practical to leave an operator at the site on a continuous basis. The only real solution is to take out the compromised RTU and replace it, at a cost significantly higher than the ransom.

    This situation may seem unrealistic, however, as technology and cyber criminals become more advanced, predicting situations like this should be considered.

    Defensive strategies for SCADA systems

    The following are a few defensive suggestions:

    - Maintain physical security at remote sites: RTUs and other network-connected hardware should be in locked enclosures. Unused ports should be plugged with epoxy.
    - Update old systems: Any company still running equipment using Windows 95, or even more recent but still obsolete versions, is asking for trouble. Platforms running un-updated software can be just as bad. WannaCry only worked on outdated and un-updated Windows platforms.
    - Use network identification: Intrusion detection systems are very useful tools, but many companies fear they can disrupt networks. They can be designed for low impact and with a passive response to make them easier to use on operating networks.
    - Train personnel: Workers are still the weakest link in cyber defenses. Social engineering, phishing, and spear phishing remain effective hacking tools. Don’t open unknown attachments, don’t plug in unknown thumb drives, etc.
    - Maintain network traffic logs: It’s hard to know if something strange is happening if you can’t identify right from wrong. Logs help establish baselines, so they can help determine where intruders have been and what damage may have been made or attempted.
    - Use available cybersecurity resources: The International Society of Automation (http://www.isa.org) and the National Institute of Standards and Technology (http://www.nist.gov) offer many helpful resources. ISA/IEC 62443 provides best practices for network administrators and defenders, as do NIST 800-14 and 800-16.

    It will be easier to implement more cybersecurity measures with new technologies, but many companies find themselves still working with yesterday’s equipment and software.

    Reply
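    An added example, not code from the Control Engineering article or any vendor, for the “network identification” and “network traffic logs” suggestions in the comment above: a purely passive pass over Modbus/TCP request frames that learns a baseline of which host talks to which RTU with which function code, then flags new conversations, malformed frames, and writes from a host that never wrote before (the ransomware-on-the-RTU scenario starts with exactly such a write). The MBAP parser follows the public Modbus/TCP framing (transaction id, protocol id 0, length, unit id, then the PDU function code); the IP addresses, unit id and both traffic windows are constructed for the demo and are assumptions, not data from the page.

```python
import struct

# Public Modbus function codes. 1-4 read process data; 5, 6, 15, 16 change it.
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_modbus_tcp(frame):
    """Parse the 7-byte MBAP header plus the PDU function code of a request.
    Raises ValueError for anything that is not a well-formed Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus (0)" % proto)
    if length != len(frame) - 6:            # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    if function & 0x80:
        raise ValueError("exception response seen where a request was expected")
    return {"tid": tid, "unit": unit, "function": function,
            "name": MODBUS_FUNCTIONS.get(function, "Unknown (%d)" % function)}


def build_request(tid, unit, function, data=b""):
    """Assemble a Modbus/TCP request frame (used here only to build sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def learn_baseline(records):
    """records: iterable of (src_ip, dst_ip, frame) captured during a known-good window.
    Returns the set of (src, dst, unit, function) conversations seen."""
    baseline = set()
    for src, dst, frame in records:
        pdu = parse_modbus_tcp(frame)
        baseline.add((src, dst, pdu["unit"], pdu["function"]))
    return baseline


def detect(records, baseline):
    """Compare a monitoring window against the baseline and return alerts.
    Passive by design: it only reads frames and never sends anything to the RTU."""
    known_writers = {(s, d, u) for (s, d, u, f) in baseline if f in WRITE_FUNCTIONS}
    alerts = []
    for src, dst, frame in records:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(("malformed", src, dst, str(err)))
            continue
        if (src, dst, pdu["unit"], pdu["function"]) in baseline:
            continue                        # seen before, nothing to report
        if pdu["function"] in WRITE_FUNCTIONS and (src, dst, pdu["unit"]) not in known_writers:
            alerts.append(("new-writer", src, dst, pdu["name"]))
        else:
            alerts.append(("new-conversation", src, dst, pdu["name"]))
    return alerts


# Constructed sample traffic for a hypothetical pipeline pump station (assumed addresses):
# HMI 10.1.1.10 and historian 10.1.1.30 talk to RTU 10.1.2.20, unit id 1.
HMI, HIST, RTU = "10.1.1.10", "10.1.1.30", "10.1.2.20"

BASELINE_WINDOW = [
    (HMI,  RTU, build_request(1, 1, 3, struct.pack(">HH", 0, 10))),     # HMI polls 10 holding registers
    (HMI,  RTU, build_request(2, 1, 6, struct.pack(">HH", 0x10, 1))),   # HMI sets a setpoint
    (HIST, RTU, build_request(3, 1, 4, struct.pack(">HH", 0, 4))),      # historian polls input registers
]

MONITOR_WINDOW = [
    (HMI,  RTU, build_request(40, 1, 3, struct.pack(">HH", 0, 10))),    # normal poll
    (HIST, RTU, build_request(41, 1, 16, struct.pack(">HHB", 0x10, 1, 2) + b"\x00\x00")),  # historian writes
    ("10.1.1.77", RTU, build_request(42, 1, 1, struct.pack(">HH", 0, 8))),  # unknown host reads coils
    ("10.1.1.50", RTU, struct.pack(">HHHB", 43, 5, 2, 1) + b"\x03"),     # wrong protocol id
]


def run_demo():
    """Learn from the good window, then monitor the second one."""
    return detect(MONITOR_WINDOW, learn_baseline(BASELINE_WINDOW))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

    The baseline is keyed on the full (source, destination, unit, function) tuple rather than on addresses alone, so a historian that has only ever read becomes an alert the first time it writes, while a repeat of a known conversation stays silent. On a real network the two windows would come from a span port or tap capture, and the baseline should be re-learned after every sanctioned engineering change.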
  22. Tomi Engdahl says:

    Standards group creates draft report on updating critical IT, OT infrastructure
    http://www.controleng.com/single-article/standards-group-creates-draft-report-on-updating-critical-it-ot-infrastructure/4e6326d90a207cea85c0592dfd945c27.html

    The National Institute of Standards and Technology (NIST) has created a technical draft report that is designed to help organizations perform a step-by-step analysis to identify those critical parts of a system that must not fail or suffer compromises to information technology (IT) or operations technology (OT).

    Reply
  23. Tomi Engdahl says:

    DDoS Attacks More Likely to Hit Critical Infrastructure Than APTs: Europol
    http://www.securityweek.com/ddos-attacks-more-likely-hit-critical-infrastructure-apts-europol

    While critical infrastructure has been targeted by sophisticated threat actors, attacks that rely on commonly available and easy-to-use tools are more likely to occur, said Europol in its 2017 Internet Organised Crime Threat Assessment (IOCTA).

    The report covers a wide range of topics, including cyber-dependent crime, online child exploitation, payment fraud, criminal markets, the convergence of cyber and terrorism, cross-cutting crime factors, and the geographical distribution of cybercrime. According to the police agency, we’re seeing a “global epidemic” in ransomware attacks.

    When it comes to critical infrastructure attacks, Europol pointed out that the focus is often on the worst case scenario – sophisticated state-sponsored actors targeting supervisory control and data acquisition (SCADA) and other industrial control systems (ICS) in power plants and heavy industry organizations.

    However, these are not the most likely and most common types of attacks – at least not from a law enforcement perspective as they are more likely to be considered threats to national security. More likely attacks, based on reports received by law enforcement agencies in Europe, are ones that don’t require attackers to breach isolated networks, such as distributed denial-of-service (DDoS) attacks, which often rely on easy-to-use and widely available tools known as booters or stressers.

    While these types of attacks may not lead to a shutdown of the power grid, they can still cause serious disruptions to important utilities and services.

    “While DDoS is often a tool for extortion, the lack of communication from the attackers may suggest that these attacks were of an ideological nature,” Europol said in its report. “Although European law enforcement recorded an increasing number of these attacks last year, they also note that they only had moderate, short-lived impact.”

    Internet Organised Crime Threat Assessment (IOCTA) 2017
    https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017

    Reply
  24. Tomi Engdahl says:

    Cyber attacks against manufacturers rising, according to report
    http://www.controleng.com/single-article/cyber-attacks-against-manufacturers-rising-according-to-report/15bc6946903a5798e21de3348606998e.html

    Cyber attacks against manufacturers are occurring more frequently, according to a report by NTT Security, and the level of sophistication is also increasing.

    Manufacturers are a key target for cyber attacks—and they are continuing to rise, according to research by NTT Security. In addition, the sophistication of cyber attacks continues to rise across all corners of the world, according to NTT Security’s Q2 Threat Intelligence Report.

    The following is the attack profile of the manufacturing industry:

    - The manufacturing industry was the most heavily targeted industry during Q2 2017, accounting for 34% of attack activity.
    - The manufacturing industry was also heavily targeted throughout 2016, appearing in the “top three” in five of the six geographic regions. No other industry appeared in the top three more than twice.
    - Fifty-eight percent of malware distribution in manufacturing environments was via web-based downloads.
    - Eighty-six percent of malware in the manufacturing industry was variants of Trojans and droppers.
    - Reconnaissance accounted for 33% of all activity aimed at manufacturing clients in Q2 2017.

    Reply
