http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html
The equipment was expected to be installed and left alone for a long time. Pressures to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not security in an ICS environment. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment.
ICS vendors’ traditional development model didn’t accommodate regular patches and updates so it is quite likely that companies with ICS equipment are forced to consider other security tools than vulnerability scanning and patch management.
Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”
266 Comments
Tomi Engdahl says:
Shared Accounts Increasingly Problematic for Critical Infrastructure: ICS-CERT
http://www.securityweek.com/shared-accounts-increasingly-problematic-critical-infrastructure-ics-cert
Assessments conducted last year by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that boundary protection remains the biggest problem in critical infrastructure organizations, but identification and authentication issues have become increasingly common.
Critical infrastructure owners and operators can ask ICS-CERT to conduct onsite cybersecurity assessments of their industrial control systems (ICS) in order to help them strengthen their cybersecurity posture.
Improper network boundary protection, which includes inadequate boundaries between enterprise and ICS networks and the inability to detect unauthorized activity on critical systems, has been the most common type of weakness since 2014.
As for identification and authentication issues, these can include the lack of mechanisms for tracing user actions if an account gets compromised, and increased difficulty in securing accounts belonging to former employees, particularly ones with administrator access.
Identification and authentication issues first made ICS-CERT’s top six weakness categories in 2015, when it was on the fourth position. In 2016 it jumped one position and last year it was the second most common security weakness.
Of all the identification and authentication issues, shared and group accounts are particularly concerning.
“[Shared and group accounts] make it difficult to identify the actual user and they allow malicious parties to use them with anonymity. Accounts used by a shared group of users typically have poor passwords that malicious actors can easily guess and that users do not change frequently or when a member of the group leaves,” ICS-CERT said in its latest Monitor report.
https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Nov-Dec2017_S508C.pdf
Tomi Engdahl says:
Industrial System Cyberattacks Aim for Sabotage
https://www.designnews.com/automation-motion-control/industrial-system-cyberattacks-aim-sabotage/207848967658105?ADTRK=UBM&elq_mid=2908&elq_cid=876648
More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.
As cyberattacks become more prevalent and sophisticated, the nature of the attacker is changing. We’re seeing fewer lone wolves, and more organized criminals who are packaging attack kits and selling them on the dark web. Their attacks aim at either commerce or control. The IT intruders seek commercially valuable personal or financial data, while operational technology (OT) attacks seek control of plants or factories for potential sabotage.
Sometimes OT attackers want to do damage, while other times they hide and wait. For years, we’ve heard rumors that hostile governments have placed potentially destructive cyber-bugs in US power plants, but they are reluctant to set their bugs in motion, because the US has bugs in their plants, as well.
“The attackers’ goals for IT systems is information exfiltration, but for industrial OT systems, the attacker’s goal is typically sabotage,” Ashok Banerjee, CTO for enterprise security products at Symantec, told Design News. “Attackers typically want to have remote control of the industrial network and be able to disable a power grid or cause a collision or explosion. Typically, attackers hold this control for extended intervals, triggering it when needed.”
The Race to Counter Cyberattacks
Since the beginnings of the first computer viruses, there has been a race between the hackers and cyber protection. Banerjee believes the defense against attacks is finally pulling ahead in the race. “Cyberattacks and cyber defense have co-evolved. With the rise of cybersecurity, attackers with increasing sophistication have flown just below the radar of three or four different products,” said Banerjee. “2018 will be the year where multiple products will orchestrate learnings across static scans, network behavior, process behavior, IO behavior, content behavior, and IoT interactions to determine benign and malicious elements. This will be the year where multiple technologies work together to protect from the next frontiers of attacks.”
A Changing Perimeter Is Difficult to Secure
Securing the perimeter was much easier in the days when the perimeter simply surrounded a building or an industrial operation. Connectivity has changed the very nature of the perimeter. “The perimeter is more porous than ever before. Our greatest assets are increasingly in the cloud. That includes customer data in CRM or HR data in Workday,”
Tomi Engdahl says:
Cyber-attackers have a new way to damage data center infrastructure
http://www.cablinginstall.com/articles/pt/2018/01/cyber-attackers-have-a-new-way-to-damage-data-center-infrastructure.html?cmpid=enl_cim_cim_data_center_newsletter_2018-01-16&pwhid=e8db06ed14609698465f1047e5984b63cb4378bd1778b17304d68673fe5cbd2798aa8300d050a73d96d04d9ea94e73adc417b4d6e8392599eabc952675516bc0&eid=293591077&bid=1974690
A new kind of malware, known as Triton or TRISIS, goes after industrial safety systems that provide emergency shutdown capabilities. Experts say it can also be effective in attacking data center power and cooling systems. A recent Triton attack targeted Schneider Electric’s Triconex safety system, and the malware has already had at least one victim, the security research firms reported. Like Stuxnet and Industroyer, Triton is most likely to be used by nation-state attackers against critical infrastructure
Attackers Have a New Way to Damage Data Center Infrastructure
http://www.datacenterknowledge.com/security/attackers-have-new-way-damage-data-center-infrastructure
A new kind of malware, known as Triton or TRISIS, goes after industrial safety systems that provide emergency shutdown capabilities. Experts say it can also be effective in attacking data center power and cooling systems.
Data centers, for example, are filled with industrial control systems that manage life safety, power, cooling, and other critical environment factors, said Andrew Howard, CTO at Kudelski Security. “These systems provide a different attack vector into data centers,” he said.
Damage caused by these kinds of attacks is different than damage from the more common cyber threats. “They typically have a greater impact on the availability of systems and data than on the confidentiality or integrity aspects,” Howard said.
In addition, an attack on a data center’s safety system can have a larger “blast radius” than the traditional, more targeted attacks. For example, attackers might be going after just one of the companies using a particular data center. Taking out the entire facility would affect every other company that uses it.
As global tensions rise, hostile nation states might step up these kinds of attacks
“We are going to see increases in these types of covert attacks designed to do damage or create disruption,” he said. “Much more investment from operators to modernize these public services will be required to protect them from attack.”
And it’s not just data centers’ safety systems that are at risk, said Ben Miller, director of threat operations at Dragos. “Data center HVAC and building automation systems are leveraging similar types of communications and controllers and are often overlooked,” he said. “Attacking these systems, similar to how TRISIS attacked safety systems, could impact backup power or cooling that are essential to equipment operation.”
“Access to critical systems should not be universal and should be restricted via network segmentation, a locked-down host, and multi-step authentication,”
Tomi Engdahl says:
Assessing Cyber and Physical Risks to Manufacturers
http://www.securityweek.com/assessing-cyber-and-physical-risks-manufacturers
Manufacturers serve as critical building blocks of modern society. They are integral to the existence of the products we consume, the essential services we need, and the infrastructure on which we rely. Our reliance on them also means that, according to the U.S. Department of Homeland Security (DHS), “a direct attack on or disruption of certain elements of the manufacturing industry could disrupt essential functions at the national level and across multiple critical infrastructure sectors.”
Although security incidents that occur in consumer-facing industries like retail and financial services tend to attract the most attention, those suffered by manufacturers can be far more damaging. The challenge is that the manufacturing industry tends to be particularly susceptible to various cyber and physical security risks. Here’s why:
Antiquated Operational Technology (OT) Environments
Increasingly Complex Supply Chains
An Abundance of Intellectual Property
When it comes to accurately evaluating and mitigating security risks facing manufacturers, the above characteristics should serve purely a starting point. It’s crucial to remember that regardless of industry or function, safeguarding critical assets, proactively addressing cyber and physical threats, and assessing and mitigating risk accurately and effectively requires a comprehensive understanding of all factors contributing to an organization’s risk.
Tomi Engdahl says:
Industrial System Cyberattacks Aim for Sabotage
https://www.designnews.com/automation-motion-control/industrial-system-cyberattacks-aim-sabotage/207848967658105?ADTRK=UBM&elq_mid=2937&elq_cid=876648
More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.
Tomi Engdahl says:
Triton Malware Exploited Zero-Day in Schneider Electric Devices
http://www.securityweek.com/triton-malware-exploited-zero-day-schneider-electric-devices
The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.
The malware, designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.
Tomi Engdahl says:
Preparing for NIS – Europe’s First Dedicated Cybersecurity Law
http://www.securityweek.com/preparing-NIS-Directive-europes-first-dedicated-cybersecurity-law
In May of this year, an important new European law will come into force which will affect providers of networking and operational technology (OT) systems in vital sectors such as energy, healthcare and finance across the continent.
The EU Directive on Security of Network and Information Systems (commonly known as the NIS Directive) seeks to improve the standards of security across Europe, and hold those who do not prepare for cyberattack properly, fully accountable.
The NIS Directive has been billed as the first true piece of cybersecurity legislation passed by the EU, and will work alongside another important piece of regulation – the General Data Protection Regulation (GDPR) – to focus efforts on reducing cybercrime in Europe. Like GDPR, the NIS Directive seeks to achieve this through a system of new structures and information sharing bodies, as well as rules and enforcement capabilities.
Tomi Engdahl says:
Lily Hay Newman / Wired:
Schneider Electric researchers share more details about “Triton” malware, which exploited a firmware flaw in company’s Triconex Tricon industrial safety systems
Menacing Malware Shows the Dangers of Industrial System Sabotage
https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage
A recent digital attack on the control systems of an industrial plant has renewed concerns about the threat hacking poses to critical infrastructure. And while security researchers offered some analysis last month of the malware used in the attack, called Triton or Trisis, newly revealed details of how it works expose just how vulnerable industrial plants—and their failsafe mechanisms—could be to manipulation.
Unprecedented Malware Targets Industrial Safety Systems in the Middle East
https://www.wired.com/story/triton-malware-targets-industrial-safety-systems-in-the-middle-east/
Since Stuxnet first targeted and destroyed uranium enrichment centrifuges in Iran last decade, the cybersecurity world has waited for the next step in that digital arms race: Another piece of malicious software designed specifically to enable the damage or destruction of industrial equipment. That rare type of malware has now reappeared in the the Middle East. And this time, it seems to have the express intention of disabling the industrial safety systems that protect human life.
Security firm FireEye today has revealed the existence of Triton, also known as Trisis, a family of malware built to compromise industrial control systems.
the sophisticated malware appeared, it targets equipment that’s sold by Schneider Electric, often used in oil and gas facilities, though also sometimes in nuclear energy facilities or manufacturing plants. Specifically, the Triton malware is designed to tamper with or even disable Schneider’s Triconex products, which are known as “safety-instrumented systems,” as well as “distributed control systems,”
Tomi Engdahl says:
Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
Tomi Engdahl says:
Gemalto Licensing Tool Exposes ICS, Corporate Systems to Attacks
http://www.securityweek.com/gemalto-licensing-tool-exposes-ics-corporate-systems-attacks
A significant number of industrial and corporate systems may be exposed to remote attacks due to the existence of more than a dozen vulnerabilities in a protection and licensing product from Gemalto.
Gemalto Sentinel LDK is a software licensing solution used by many organizations worldwide on both their enterprise and industrial control systems (ICS) networks. In addition to software components, the solution provides hardware-based protection, specifically a SafeNet Sentinel USB dongle that users connect to a PC or server when they want to activate a product.
Researchers at Kaspersky Lab discovered that when the token is attached to a device, the necessary drivers are installed – either downloaded by Windows or provided by third-party software – and the port 1947 is added to the list of exceptions in the Windows Firewall. The port remains open even after the USB dongle has been removed, allowing remote access to a system.
Experts discovered a total of 14 vulnerabilities in Sentinel components, including ones that allow denial-of-service (DoS) attacks, arbitrary code execution with system privileges, and capturing NTLM hashes. Since port 1947 allows access to the system, these flaws can be exploited by a remote attacker.
In addition to installing the latest version of the Sentinel driver, Kaspersky has advised users to close port 1947 if it’s not needed for regular activities.
The vulnerable Gemalto software is found in the products of several major companies, including ABB, General Electric, HP, Cadac Group, Siemens, and Zemax.
Tomi Engdahl says:
Three reasons to perform an industrial control system assessment
https://www.controleng.com/single-article/three-reasons-to-perform-an-industrial-control-system-assessment/4b6fd670670ccceecd8abd4b4af21f92.html
Industrial control systems (ICSs) are under attack as frequently as corporate administration systems and users can prevent these attacks with an assessment that takes stock of what a company has, who has access, and what changes have been made.
Industrial control systems (ICSs) are under attack as frequently as corporate administration systems. The problem, however, is that many industrial operational technology (OT) departments have lagged behind their IT counterparts in managing new threats. This is often for valid reasons, such as:
Properly designed OT systems are often isolated to intranet systems with no access outside the plant.
The routine security software on administrative computers often crashes industrial control systems, requiring other measures to ensure the security of the system.
OT systems with limited access and user-defined roles may already prevent these systems from having unwanted user activity.
Older OT systems might not have the capabilities to see the level of network and control-layer activity that is available in newer systems today and personnel may be unaware of how the new developments affect them.
While those reasons still characterize some the realities in today’s OT system, other factors have changed, providing the OT departments with more options than previously available to them. With technology developing faster than ever and more areas of the plant improving with smart devices, the plant is more capable than ever to increase production from its ICS and, concurrently, more vulnerable to unauthorized users. If movies, headlines, and personal experiences can teach us anything, it is that the bad actors will target OT systems for any motive and by all means necessary.
Advances in OT resources and philosophies today allow for the Scooby-Doo resolution to ICS issues. When the obvious culprit is caught, do not accept the surface-level explanation. Instead, use the new tools to unmask the scapegoat and reveal the real culprit. In doing so, a company embracing the modernized ICS resources could discover the true culprits behind the following issues:
Unexpected and unexplainable shutdowns
Loss of production time
Loss of raw materials
Missed deadlines
Poor quality resulting from unidentified changes to the process
Safety breaches and injuries from machines being started at the wrong times.
How to assess an ICS
1. Know what you have
2. Know who has access
3. Know what’s been changed
Every ICS solution is custom and needs to be tailored to the needs of a facility and the life cycle of the current IT and OT infrastructure. If your facility is due for an ICS assessment, seek out a trusted industry partner to explore what it will take to document what you have and plan for the risks that you will likely see.
Tomi Engdahl says:
Sean Lyngaas / The Verge:
How governments and the nuclear energy industry are preparing for future cybersecurity threats using hands-on exercises and training laboratories
Hacking nuclear systems is the ultimate cyber threat. Are we prepared?
Nightmare scenario
https://www.theverge.com/2018/1/23/16920062/hacking-nuclear-systems-cyberattack
The nuclear plant employees stood in rain boots in a pool of water, sizing up the damage. Mopping up the floor would be straightforward, but cleaning up the digital mess would be far from it.
A hacker in an adjacent room had hijacked a simulated power plant, using the industrial controls against themselves to flood the cooling system.
It took officials from three different Swedish nuclear plants, who were brought in to defend against an array of cyberattacks, a couple of hours to disconnect the industrial computer (known as a programmable logic controller) running the system and coordinate its repair.
“It’s very important to understand the link between what’s happening in cyberspace and what’s happening in real life.”
“Adversaries are getting smarter.”
Tomi Engdahl says:
Risks to ICS Environments From Spectre and Meltdown Attacks
http://www.securityweek.com/risks-ics-environments-spectre-and-meltdown-attacks
The recently disclosed Spectre and Meltdown vulnerabilities, which affect hardware running in the majority of the world’s computing devices have made headlines recently. The list of at risk equipment includes workstations, servers, phones, tablets, as well as Microsoft Windows, Linux, Android, Google ChromeOS, Apple macOS on most Intel chips manufactured after 2010. Many AMD, ARM and other chipsets are also affected.
Which devices are at risk?
Whether or not a specific device is at risk depends on multiple factors, such as chipset, firmware level, etc. Needless to say, we can expect substantial research and patching in the near future.
Many HMIs, panels, and displays utilize the affected chips. Some PLC manufacturers are still assessing the threat.
Many systems that support industrial controllers such as automation systems, batch control systems, production control servers, printers, OPC Systems, SCADA systems, peripheral devices, and IIoT devices including cameras, sensors, etc., are likely vulnerable. However, Spectre and Meltdown vulnerabilities in these systems does not necessarily mean industrial control devices are at risk.
What is the impact to industrial control devices and systems?
The Spectre and Meltdown vulnerabilities can be used to compromise a device, allowing an attacker to access privileged data in the system. The vulnerabilities do not grant access to the system, they only enable attackers to read data that should otherwise be restricted. In other words, an attacker still needs to break into the system to execute the attack.
While this is a serious threat in systems with multiple users, like a cloud solution for example, it doesn’t pose a high level of risk in single-user systems.
To use an analogy, these vulnerabilities essentially enable you to read people’s minds — as long as you’re in the same room with them.
They’re effective in a multi-tenant environments where one user’s secrets must be kept private from other users.
Since ICS environments are not multi-tenant, these vulnerabilities do not enable access to any data not already available to anyone with system access.
What can be done to mitigate the risk?
First and foremost, being aware of what exists in the ICS environment is critical, since undocumented devices can’t be secured. Therefore, automated asset inventory tools are essential to understanding what equipment is at risk and requires attention.
Next, having in-depth visibility into asset inventory is vital. Without this, you’re left with a list of industrial devices that must be manually examined to determine whether their specific hardware module is affected.
Finally, in order to exploit these vulnerabilities, an attacker needs access to the network. This emphasizes the importance of having a network monitoring system, which can identify anyone connecting into the network, as well as communicating with or modifying key assets.
Tomi Engdahl says:
UK Warns Critical Industries to Boost Cyber Defense or Face Hefty Fines
http://www.securityweek.com/uk-warns-critical-industries-boost-cyber-defense-or-face-hefty-fines
The UK government has warned that Britain’s most critical industries must boost their cybersecurity or face potentially hefty fines under the EU’s Networks and Information Systems Directive (NISD).
The warning comes less than four months before the deadline for the NISD, adopted by the EU on July 6, 2016, to be transposed into EU member states’ national laws (May 9, 2018, which aligns with the date for GDPR enforcement).
NISD is designed to ensure the security of network systems not already covered by the GDPR — but its primary purpose is to ensure the security of the industries that comprise the critical infrastructure (such as power and water, healthcare and transport). These companies, or covered entities, are defined within the directive as ‘operators of essential services’ (OES), and ‘digital service providers’ (DSPs).
Since it is a Directive rather than a Regulation, the NIS Directive has some national flexibility in its implementation. For example, the UK government had earlier proposed that maximum fines under the directive should be between €10 million and €20 million or 2% to 4% of annual global turnover. It has now settled on a maximum fine of €17 million.
The UK has made it clear that a breach of an OES will not automatically trigger a fine. This will depend on the judgment of separate industry sector regulators, or competent authorities. The primary factor will be whether the breached OES/DSP has made adequate cyber security provisions — in practice, this will probably depend upon how well the firm has implemented the ‘NIS Directive: Top-level objectives’ guidelines published by the National Cyber Security Centre (NCSC, part of GCHQ) Sunday. However, the government also states, “New regulators will be able to assess critical industries to make sure plans are as robust as possible.”
The key part of the EU’s NIS Directive is Article 14: Security requirements and incident notification. This specifies, “Member States shall ensure that operators of essential services take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems.”
Tomi Engdahl says:
Increasing Number of Industrial Systems Accessible From Web: Study
http://www.securityweek.com/increasing-number-industrial-systems-accessible-web-study
The number of industrial control systems (ICS) accessible from the Internet has increased significantly in the past year, reaching more than 175,000 components, according to a new report from Positive Technologies.
Using the Shodan, Censys and Google search engines, researchers identified 175,632 ICS components accessible from the Web. In comparison, similar searches conducted in the previous year uncovered just over 162,000 systems.
Of all the systems identified in 2017, more than 66,000 were accessible via HTTP, followed by the Fox building automation protocol associated with Honeywell’s Niagara framework (39,000), Ethernet/IP (25,000), BACnet (13,000), and the Lantronix discovery protocol (10,000).
Tomi Engdahl says:
Siemens Patches Flaws in Plant Management Product
http://www.securityweek.com/siemens-patches-flaws-plant-management-product
Siemens has informed customers that a component of its TeleControl Basic product is affected by several vulnerabilities that can be exploited by an attacker to escalate privileges, bypass authentication, and launch denial-of-service (DoS) attacks.
Siemens’ TeleControl Basic system allows organizations to monitor and control plant processes. The solution can also be used to optimize the operation of municipal facilities, including water treatment, traffic monitoring, and energy distribution. TeleControl Server Basic is the software used for the TeleControl Basic control center.
Tomi Engdahl says:
The Time to Focus on Critical Infrastructure Security is Now
http://www.securityweek.com/time-focus-critical-infrastructure-security-now
The Software That Controls our Infrastructure is Vulnerable to Attack
Is the world becoming desensitized to cyber attacks?
Television has shown us examples of our own government using nonkinetic warfare, shutting down power in specific regions to demonstrate our strength and resolve. On screen, elected officials stare grimly at satellite images as large areas glowing from electric light slowly grow dark.
This is not a new idea. I grew up with war and espionage movies that always included a “cut the power” part of the mission. That is because disruption of infrastructure is a key element of sound military strategy. Except in these movies, someone had to physically disrupt the power—someone had to be on-site. What is new is the ability to cut the power from a safe distance with the stroke of a key or the click of a mouse. No bombs, no missiles, no exotic kinetic devices.
Tomi Engdahl says:
Three reasons to perform an industrial control system assessment
https://www.controleng.com/single-article/three-reasons-to-perform-an-industrial-control-system-assessment/4b6fd670670ccceecd8abd4b4af21f92.html
Industrial control systems (ICSs) are under attack as frequently as corporate administration systems and users can prevent these attacks with an assessment that takes stock of what a company has, who has access, and what changes have been made.
Industrial control systems (ICSs) are under attack as frequently as corporate administration systems. The problem, however, is that many industrial operational technology (OT) departments have lagged behind their IT counterparts in managing new threats. This is often for valid reasons, such as:
Properly designed OT systems are often isolated to intranet systems with no access outside the plant.
The routine security software on administrative computers often crashes industrial control systems, requiring other measures to ensure the security of the system.
OT systems with limited access and user-defined roles may already prevent these systems from having unwanted user activity.
Older OT systems might not have the capabilities to see the level of network and control-layer activity that is available in newer systems today and personnel may be unaware of how the new developments affect them.
While those reasons still characterize some the realities in today’s OT system, other factors have changed, providing the OT departments with more options than previously available to them.
Advances in OT resources and philosophies today allow for the Scooby-Doo resolution to ICS issues. When the obvious culprit is caught, do not accept the surface-level explanation. Instead, use the new tools to unmask the scapegoat and reveal the real culprit. In doing so, a company embracing the modernized ICS resources could discover the true culprits behind the following issues:
Unexpected and unexplainable shutdowns
Loss of production time
Loss of raw materials
Missed deadlines
Poor quality resulting from unidentified changes to the process
Safety breaches and injuries from machines being started at the wrong times.
Lack of accurate insight into the ICS’s users, networks, processes, and changes may account for part of the misdiagnosis. For example, a batch system that often experiences unplanned shutdowns on weekends may be attributed to old hardware or operator error. In reality, it could be a bit of bad-actor programming that causes a process shutdown at defined intervals, but no one in the plant is aware of the malicious code buried in an obscure controller by an unknown entity.
How to assess an ICS
1. Know what you have
2. Know who has access
3. Know what’s been changed
Next steps
Every ICS solution is custom and needs to be tailored to the needs of a facility and the life cycle of the current IT and OT infrastructure. If your facility is due for an ICS assessment, seek out a trusted industry partner to explore what it will take to document what you have and plan for the risks that you will likely see.
Tomi Engdahl says:
Cyber incidents add to downtime costs
https://www.controleng.com/single-article/cyber-incidents-add-to-downtime-costs/3f53671e33c35553a2cb0be3daae6493.html
Cyber incidents can add to downtime costs in a big way if there isn’t a solid cybersecurity plan in place to mitigate the worst effects.
When users come to grips with understanding downtime costs as they relate to cybersecurity, that could lead them to a discussion about a security return on investment (ROI).
“Security investments are really good business,” said Doug Wylie, director at SANS Institute. “Making an investment in security is really aiding us in risk avoidance. It accelerates our ability to make sure we are addressing risk so we can respond and recover.”
While technology is available to help deal with security issues, but Wylie said security all comes down to people. “It is a people problem first. When we are making our investments, the first dollars spent should be oriented toward people to make solid decisions to address downtime and make sure we are getting a return on investment.”
Looking at ROI and understanding the cost of downtime is an end-point of a security issue, but before end users jump into a security program, they need to start somewhere.
Tomi Engdahl says:
Understanding the value of best practices
The discipline required to follow standardized programming best practices can pay off in the long run.
https://www.controleng.com/single-article/understanding-the-value-of-best-practices/721a428ff34269b05469d92b271e8633.html
Tomi Engdahl says:
Create a secure network for shop floor devices
http://www.controleng.com/single-article/create-a-secure-network-for-shop-floor-devices/61dd51d7462d23374f3c5fbaa2bc11c5.html
Operations technology (OT) environments consist of many devices using different protocols and different languages. This can cause a security risk if plant operators don’t take steps to mitigate the risk and create awareness for everyone on the plant floor.
In an increasingly connected world, it is critical for manufacturers to strengthen their defenses against cyber threats. However, securing industrial operations is a unique challenge because plant floors can’t be secured with the same approach used to secure information technology (IT) networks. Operational technology (OT) has evolved tremendously over the years, creating very complex environments. There is a dizzying variety of devices from different makes, models, and generations communicating through different protocols. Plant operators need to learn to speak these devices’ different languages in order to begin securing them.
To begin securing a plant environment, operators need visibility into all the devices and software on the network. To gain that visibility, operators need a way of communicating with their devices. This is easy in a corporate IT environment because these devices are all IP-based and speak the same language. This is more difficult in OT environments because of the variety of devices and protocols and languages involved.
What language a device speaks can depend on the type of device, the age of device, the manufacturer, and more. Programmable logic controllers (PLCs), for example, communicate in a range of different protocols including Ethernet/IP, Modbus, and Simple Network Management Protocol (SNMP). This gets even more complex when considering the different variations of remote terminal units (RTUs) and distributed control systems (DCSs). If operators can’t talk to all the devices on the network, it’s difficult to know what needs to be secured.
Plant operators should start with understanding what languages their devices are speaking and learn to speak them. This involves taking an inventory of the assets that will be critical to secure, then choosing a solution that can speak natively to these devices and monitor a wide variety of systems not typically monitored, including routers, switches, gateways, and firewalls. They should also identify which of those devices are critical to operations and therefore highly sensitive.
In this case, a “no touch” approach is the approach for these devices. The “no-touch” approach uses integration with an intermediary device that talks to the PLCs in order to configure the devices and backup these configurations. Once integration is in place, configuration data can be obtained from the intermediary device by querying the intermediary’s database and ingesting the configuration data.
Once network visibility is established, operators can start hardening the environment. OT security solutions should identify what’s on the network, detect changes, identify where the risks are, and mitigate them. Hardening the environment starts with looking at how the devices and software are configured. Misconfigurations, though many of them are simple to fix, continue to be the main vector for successful cyber attacks.
Tomi Engdahl says:
Industrial System Cyberattacks Aim for Sabotage
https://www.designnews.com/automation-motion-control/industrial-system-cyberattacks-aim-sabotage/207848967658105
More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.
As cyberattacks become more prevalent and sophisticated, the nature of the attacker is changing. We’re seeing fewer lone wolves, and more organized criminals who are packaging attack kits and selling them on the dark web. Their attacks aim at either commerce or control. The IT intruders seek commercially valuable personal or financial data, while operational technology (OT) attacks seek control of plants or factories for potential sabotage.
Tomi Engdahl says:
A Hardware Fix for the OT/IT Conflict
This solution to the OT/IT conflict involves a hardware translator rather than network connectivity.
https://www.designnews.com/automation-motion-control/hardware-fix-otit-conflict/164918610958126
The clash between the Operations Technology (OT) team and the IT team at industrial facilities is not trivial. The conflict is an issue of two legitimate missions. OT is tasked with keeping the operation running at all costs, while IT is tasked with keeping the network secure no matter what. That’s all fine until the two networks are connected.
The IT and OT folks are both hyper-diligent about the data integrity of their networks. Yet both disciplines manage security, change management, and their data types differently. Then, the expertise of one is in direct conflict with the expertise of the other. Both OT and IT share the same overall goals: to exchange data between PLCs on the OT side with the database servers on the IT side.
When IT wants to reboot all networked computers to update patches – a critical security function – OT cries foul. OT computers can’t be shut down for updates without shutting down the process. Thus the networking clash rages as both sides struggle for a software solution.
A Hardware Solution for a Hard Problem
Yet what if the solution isn’t in the software? What if the plant computers aren’t connected to the network? What if the necessary data exchange from the plant to the IT databases jumps through a hardware device in the MES?
The hardware company, ElliTek proposes a hardware fix for the OT/IT dilemma. “ElliTek is a machine builder. We discovered the most significant part of exchanging data between the plant and the business side was not the technical aspect of the communication, it was the OT/IT conflict. It is an organization issue, not a technical issue,” Keary Donovan, market development manager at ElliTek, told Design News. “Everybody thinks they already have the solution to the OT/IT issue. There are all kinds of middleware and OPC [open platform communications] solutions that say then can solve the conflict, but it doesn’t solve the issue.”
An Appliance Designed to Solve a Software Issue
Creating a network connection between the plant and business networks doesn’t solve the underlying conflict. “Vendors think they have this solved. If you go up to the IT guy, he knows how to connect,”
Donovan suggests that the issue can be solved by not merging the plant and business networks. “We created an appliance that can solve these two missions without interfering with the other. We isolate those two rather than combining them,” said Donovan. “We’re a translator. We talk natively to the PLC and talk natively to the database. We’re not putting a PC on the plant network and having it talk to the business databases. That would require shutting down the process for a update. You don’t have any Windows updates affecting the machines if you’ve separated them.”
Hackers Can’t Break Through the Non-Connected Data Exchange
Donovan suggests that firmware can share data without connecting to a non-plant PC. “You have to design a firmware that can speak those languages. Let’s take Rockwell. You don’t need Rockwell control PLC logic on your computer to read the Rockwell PLC,” he said. “We read the PLC and map it to wherever you want to map it to. But we’re not running the Rockwell PLC on the PC. We’re using a telecommunications point-to-point. It’s simple, but not easy. We made a hardware device for the software solution everyone is looking for.”
Tomi Engdahl says:
Industrial System Cyberattacks Aim for Sabotage
https://www.designnews.com/automation-motion-control/industrial-system-cyberattacks-aim-sabotage/207848967658105
More like vandals than thieves and unlike IT attackers who seek personal and financial data, industrial hacks seek to destroy systems.
Sometimes OT attackers want to do damage, while other times they hide and wait. For years, we’ve heard rumors that hostile governments have placed potentially destructive cyber-bugs in US power plants, but they are reluctant to set their bugs in motion, because the US has bugs in their plants, as well.
Tomi Engdahl says:
Web Server Used in 100 ICS Products Affected by Critical Flaw
https://www.securityweek.com/web-server-used-100-ics-products-affected-critical-flaw
A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.
The flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.
According to the CODESYS website, the WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.
Zhu WenZhe of Istury IOT discovered that the CODESYS web server is affected by a stack-based buffer overflow vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition and possibly even execute arbitrary code on the web server.
“A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of service condition due to a crash in the web server,” 3S-Smart Software Solutions explained in an advisory.
https://customers.codesys.com/fileadmin/data/customers/security/2018/Advisory2018-01_LCDS-282.pdf
Tomi Engdahl says:
https://www.uusiteknologia.fi/2018/02/01/viestintavirasto-huolissaan-iot-laitteista-verkkotestit-alkoivat/
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/taaltako-loytyy-seuraava-kyberhyokkaysten-kohde-suomessa-isot-vaikutukset-heikko-suojaus-6700100
Tomi Engdahl says:
Test, Test & Test Again – Are Your Safety Instrumented Systems Cybersecure?
https://www.securityweek.com/test-test-test-again-are-your-safety-instrumented-systems-cybersecure
The benefits of implementing an Industrial Internet of Things (IIoT) strategy are indisputable. Cloud computing, big data, remote sensors and converged networks are continuing to help industrial facilities work smarter. However, in recent years it has become apparent that the cybersecurity of these environments has been somewhat of an afterthought. That is a big problem, especially when you consider the ramifications of an attacker taking remote control of Safety Instrumented Systems (SIS).
Hardwired security
Traditionally, heavy industry has relied on hardwired, manual failsafes that acted independently of the Basic Process Control System (BPCS). Today’s ICS environment, however, is increasingly reliant on networked systems for both safety and efficiency purposes. The reason for this is that deploying smart sensors and allowing remote access to BCPS can yield results through greater operational awareness and analytics, which is convenient and useful.
The rise of TRITON
The malware, dubbed TRITON, was extremely capable. It was discovered after it triggered an emergency shutdown in an unnamed facility in Saudi Arabia, but the researchers believed it was being used to probe the network for something else. Its actual purpose is still unknown, it could have been looking for ways to take further control of the SIS or learning how to manipulate the system in order to carry out a major coordinated attack. It also may simply have been harvesting high-value data from networked sensors that the SIS was monitoring.
What is known about TRITON is that it gave attackers remote control of a critical SIS, and the fallout from its use could have been much worse than it was. The attacks design suggests that it was created with the kind of resources only available to nation-states, underlining just how important security for SIS is.
Make no mistake, while TRITON made use of zero-day issues in the Triconex operating system, this is not an issue which is isolated to a single brand of controller in a single organisation. There are a great many SISs that are not being deployed and operated with optimum cybersecurity in mind, and a great many industrial firms who do not know the extent to which their environment is at risk.
What should industry be doing now?
The solutions are straightforward: SIS controllers must be deployed with full network segregation from the BCPS environment wherever possible. Safety and control systems must be separated in order to avoid leaving a back door open in the last line of defense. The challenge is that it’s very hard to retrofit that kind of network segregation, it must be part of a system architecture and design. This segregation becomes much harder to achieve once a system has been deployed.
Secure by design must be our mantra in the networked world. If we leave an opportunity open for cyberattack, it’s a matter of when, not if, somebody finds it. Manufacturers must also share the responsibility for securing SIS products. There is no excuse for passing the buck to end customers. Attacks on SIS put us all at risk and we all need to ensure systems are secure by design from the outset.
Furthermore, there must be robust policies in place to maintain security. Significant investment needs to be made in training, not just around security for the SIS but, for all elements of the ICS. Staff must understand how to detect an attack, effectively react to attacks already underway and engage in continuous assessments against the latest risks.
The need for ongoing, repeated network testing and monitoring for anomalous behavior – along with the tools to do so – is well defined in the IEC 62443 security standards. It’s important for operators to understand that even though they may be compliant, they must test, test and then test again.
Tomi Engdahl says:
Asset management’s role in ICS security
http://www.controleng.com/single-article/asset-management-s-role-in-ics-security/0c6892cd02cacabd0ff10fe4fc2e6aa2.html
Most industrial control system (ICS) networks were designed and implemented before the advent of cyber crime, and the availability of automated asset management capabilities, which makes it difficult to assess risk and apply effective defenses. Three major pain points for users are highlighted.
Given the increase in cyber attacks against critical infrastructures in the U.S. and abroad, the need to secure industrial control systems (ICS) has never been greater.
Unfortunately, ICS networks are difficult to secure since they lack basic, automated asset discovery and management capabilities, which are common in IT networks.
Most ICS networks were designed and implemented before the advent of cyber crime, and the availability of automated asset management capabilities. Without an up-to-date and accurate inventory of ICS assets, including automation controllers responsible for managing physical processes, it is virtually impossible to assess risk and apply effective defenses.
Beyond security, asset management can play a pivotal role in maintaining operational reliability and safety, since it enables OT personnel to track changes made to devices, prioritize threat mitigation efforts, restore misconfigured devices to a “known good” state, and plan maintenance schedules.
As ICS networks grow, so does asset complexity. The number and variety of different devices, versions and firmware within a network, coupled with decades of consolidation and M&A activities, can become manually unfeasible to manage.
Tomi Engdahl says:
IIC Publishes Best Practices for Securing Industrial Endpoints
https://www.securityweek.com/iic-publishes-best-practices-securing-industrial-endpoints
ndustrial Internet Consortium Guidance Aims to Improve IIoT Endpoint Security for Manufacturers and Practitioners
The Industrial Internet Consortium (IIC) has published a new paper designed to provide a concise overview of the countermeasures necessary to secure industrial endpoints; that is, the industrial internet of things (IIoT).
The paper (PDF) is not meant to provide a checklist for compliance or certification, but rather a starting point to understand what is necessary to ensure IIoT endpoint security. It is, in fact, a distillation of best practices drawn from existing guidance and compliance frameworks: (IISF [IIC-IISF2016], Industrie 4.0 [Ind4.0-ITSec], IEC 62443 [IEC-62443-11], and NIST SP 800-53 [NIST-800-53r4] [NIST-800-53r5]).
“Although there are existing documents such as the IIC’s own Industrial Internet of Things Security Framework (PDF) and other documents from NIST and IEC,” comments Dean Weber, CTO at Mocana, “they’re complex and abstract; and it’s often challenging for practitioners to know how the guidance applies to them in particular.”
But however complex the problem, the need to ensure security for the IIoT, both for itself and for the role it plays in the critical infrastructure, is increasing rapidly. The IIoT is an expanding and fundamental part of operational technology, rapidly increasing its attack surface. Criminals are attracted by the possibility of extorting companies that rely on their OT, while nation states are surveilling — and sometimes employing — methods to disrupt critical infrastructures.
This paper provides a starting point for improving IIoT endpoint security, such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems, embedded medical devices, electronic control units, vehicle control systems; and communications infrastructures and gateways.
IIC Endpoint Security Best Practices
http://www.iiconsortium.org/pdf/Endpoint_Security_Best_Practices_Final_Mar_2018.pdf
Tomi Engdahl says:
Test, Test & Test Again – Are Your Safety Instrumented Systems Cybersecure?
https://www.securityweek.com/test-test-test-again-are-your-safety-instrumented-systems-cybersecure
The benefits of implementing an Industrial Internet of Things (IIoT) strategy are indisputable. Cloud computing, big data, remote sensors and converged networks are continuing to help industrial facilities work smarter. However, in recent years it has become apparent that the cybersecurity of these environments has been somewhat of an afterthought. That is a big problem, especially when you consider the ramifications of an attacker taking remote control of Safety Instrumented Systems (SIS).
SIS are the last line of defense against critical failure in Industrial Control Systems (ICS). Their use is critical in hazardous environments, such as nuclear, chemical and oil and gas facilities. They are the failsafe devices which monitor process outputs looking for signs of danger and step in to prevent catastrophic incidents such as a reactor overheating, or a major explosion. If an attacker gains control of an SIS within one of these facilities, the impact may not only be decreased productivity and therefore monetary losses, but it could result in severe environmental damage, mass panic among a nation’s’ citizens, and the loss of human life.
Hardwired security
Traditionally, heavy industry has relied on hardwired, manual failsafes that acted independently of the Basic Process Control System (BPCS). Today’s ICS environment, however, is increasingly reliant on networked systems for both safety and efficiency purposes. The reason for this is that deploying smart sensors and allowing remote access to BCPS can yield results through greater operational awareness and analytics, which is convenient and useful.
The problem is that the balance has shifted too far from security. The network-first approach to system design often leads to sharing some element of a network between SIS and BPCS, using standardised and open technologies. As BPCS operators and engineers often work in Windows or Linux environments, this creates the potential for an attacker to target common platforms and SIS, with potentially devastating consequences.
The attack surface isn’t limited to engineering workstations either. If the SIS isn’t fully segregated from other networks, every device becomes a risk.
Tomi Engdahl says:
First Malware to Attack Industrial Control Safety Systems
https://www.eetimes.com/document.asp?doc_id=1333077
Less than two months after October’s U.S. Department of Homeland Security/FBI joint technical alert confirmed cyberattacks against industrial control systems, a new type of malware targeting industrial processes struck an unnamed critical infrastructure facility. The TRITON/TRISIS/HatMan malware is the first designed to attack an industrial plant’s safety systems. Since the attack, security firms and the safety system supplier have provided detailed analyses of the attack and the malware.
A team from FireEye’s Mandiant cybersecurity service wrote in a December blog that it responded to the attack when the new malware took remote control of a workstation running a Schneider Electric Triconex Safety Instrumented System (SIS). The SIS, used in oil and gas plants and nuclear facilities, monitors critical industrial processes and automatically shuts them down if they exceed safety limits. The new malware, which FireEye dubbed TRITON, then tried to reprogram the SIS controllers. Some controllers entered a failsafe mode, shutting down the industrial process and prompting the facility’s owner to investigate and identify the attack.
The FireEye blog said TRITON’s ability to prevent safety systems from operating as intended, which could then result in physical consequences, is consistent with attacks made by two previous types of malware — Stuxnet and Industroyer/Crash Override — that can disrupt the ICS of manufacturers and infrastructure systems like energy and water utilities.
Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
Tomi Engdahl says:
Reuters:
In a first, US publicly accuses Russia for cyberattack campaign dating back to at least March 2016 targeting the US power grid and other critical infrastructure — WASHINGTON (Reuters) – The Trump administration on Thursday blamed the Russian government for a campaign of cyber attacks stretching …
In a first, U.S. blames Russia for cyber attacks on energy grid
https://www.reuters.com/article/us-usa-russia-sanctions-energygrid/u-s-blames-russia-for-cyber-attacks-on-energy-grid-other-sectors-idUSKCN1GR2G3?il=0
The Trump administration on Thursday blamed the Russian government for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid, marking the first time the United States has publicly accused Moscow of hacking into American energy infrastructure.
Tomi Engdahl says:
Hackers Tried to Cause Saudi Petrochemical Plant Blast: NYT
https://www.securityweek.com/hackers-tried-cause-saudi-petrochemical-plant-blast-nyt
Cyber-attackers tried to trigger a deadly explosion at a petrochemical plant in Saudi Arabia in August and failed only because of a code glitch, The New York Times reported.
Investigators declined to identify the suspected attackers, but people interviewed by the newspaper unanimously said that it most likely aimed to cause a blast that would have guaranteed casualties. A bug in the attackers’ code accidentally shut down the system instead, according to the report.
The cyber-attack — which could signal plans for other attacks around the world — was likely the work of hackers supported by a government, according to multiple insiders interviewed by the newspaper.
All sources declined to name the company operating the plant as well as the countries suspected to have backed the hackers, The New York Times said.
Security experts however told the newspaper that Iran, China, Russia, Israel and the United States had the technical capacity to launch an attack of that magnitude.
A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try.
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html?rref=SecurityWeek
In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm’s operations and trigger an explosion.
Tomi Engdahl says:
https://selinc.com/mktg/122222/?utm_source=facebook&utm_medium=social_sdn&utm_campaign=mpn1603&utm_term=sdn&utm_content=sdn_cyber
Traditional networks use features such as MAC tables, the Rapid Spanning Tree Protocol (RSTP), and cast types for conveniences like “plug and play” functionality. However, these features also make traditional networking vulnerable to cybersecurity threats.
With software-defined networking (SDN) from SEL, all network flows and backup paths are specifically defined in the controller, so there is no need for MAC tables or RSTP. In addition, SDN uses traffic engineering to process forwarding behavior rather than relying on “cast types,” which pose security risks. This processing eliminates common LAN security threats, including:
MAC flooding, in which attackers overwhelm the switch with MAC addresses.
MAC table poisoning, in which attackers convince the switch that they are a false MAC address.
Address Resolution Protocol (ARP) spoofing, in which an attacker sends false ARP messages, causing traffic to be misdirected.
Bridge Protocol Data Unit (BPDU) attacks, which disrupt the network’s spanning-tree protocol.
Flooding using multicast and broadcast Ethernet destinations.
Tomi Engdahl says:
Purpose-Engineered,
Active-Defense Cybersecurity
for Industrial Control Systems
https://cdn.selinc.com/assets/Literature/Publications/White%20Papers/LWP0024_Purpose-EngineeredActive_RS_20170824.pdf?v=20170825-062952
Tomi Engdahl says:
Energy Sector Most Impacted by ICS Flaws, Attacks: Study
https://www.securityweek.com/energy-sector-most-impacted-ics-flaws-attacks-study
The energy sector was targeted by cyberattacks more than any other industry, and many of the vulnerabilities disclosed last year impacted products used in this sector, according to a report published on Monday by Kaspersky Lab.
The security firm has analyzed a total of 322 flaws disclosed in 2017 by ICS-CERT, vendors and its own researchers, including issues related to industrial control systems (ICS) and general-purpose software and protocols used by industrial organizations.
Of the total number of security holes, 178 impact control systems used in the energy sector. Critical manufacturing organizations – this includes manufacturers of primary metals, machinery, electrical equipment, and transportation equipment – were affected by 164 of these vulnerabilities.
Other industries hit by a significant number of vulnerabilities are water and wastewater (97), transportation (74), commercial facilities (65), and food and agriculture (61).
Many of the vulnerabilities disclosed last year impacted SCADA or HMI components (88), industrial networking devices (66), PLCs (52), and engineering software (52). However, vulnerabilities in general purpose software and protocols have also had an impact on industrial organizations, including the WPA flaws known as KRACK and bugs affecting Intel technology.
Tomi Engdahl says:
Severe Vulnerabilities Expose MicroLogix PLCs to Attacks
https://www.securityweek.com/severe-vulnerabilities-expose-micrologix-plcs-attacks
Rockwell Automation has released patches and mitigations for several potentially serious vulnerabilities discovered by Cisco Talos researchers in its Allen-Bradley MicroLogix 1400 programmable logic controllers (PLCs).
According to Cisco Talos, the vulnerabilities can be exploited for denial-of-service (DoS) attacks, modifying a device’s configuration and ladder logic, and writing or removing data on its memory module.
Since these controllers are typically used in industrial environments, including in critical infrastructure organizations, exploitation of the flaws could result in significant damage, Talos said.
Tomi Engdahl says:
Cyber Defense Tool Is an Early Warning System for Grid Attacks
https://spectrum.ieee.org/energywise/energy/the-smarter-grid/cyber-defense-tool-targets-grid-vulnerability
A new tool will enable grid operators to better detect not only a brutal physical attack, but also a hacker probing for vulnerabilities
Grid operators worry that the loss of one or more critical substations could trigger an outage that cascades across a region
Tomi Engdahl says:
Cybersecurity Meets Physical Safety: Shoring-Up Weak Links in Critical Operations
http://cotsjournalonline.com/cybersecurity-meets-physical-safety-shoring-up-weak-links-in-critical-operations/
Cyber-attacks are a daily occurrence for the US Air Force. In an unfortunate parallel to private industry, Air Force networks are attacked, and defended, thousands of times each week. I know this too well as former Secretary of the Air Force. In my current role, I also am well aware that operators of public as well as private critical networks are forced to pour more time, attention and resources than ever before into computer network security because it is so critical to our nation’s safety and economic vitality.
In light of these costs, and associated high stakes, a clear return on investment is imperative. Such a return is not certain if we train our sights solely on network security. Cyber intruders have shown us repeatedly that many avenues are open to them for launching attacks and compromising critical data. That’s why the Air Force is investing more heavily in operational security, and the private sector cannot afford to fail following suit.
Tomi Engdahl says:
http://cotsjournalonline.com/cybersecurity-meets-physical-safety-shoring-up-weak-links-in-critical-operations/
Here are methods for applying DHS recommendations to ICS:
Application Whitelisting – The only way to truly detect and prevent attempted execution of malware uploaded by adversaries is through application whitelisting applied to the networked connections between ICS devices. In the event an application is compromised, any attempted action is limited to preapproved operations. This helps prevent an attack from spreading which, in turn, improves system reliability and integrity.
Ensuring Proper Configuration/Patch Management – Systems that are fully certified to highest security-implementation standards allow users to safely monitor and control operations across facilities. Unauthorized access beyond an initial entry point is blocked, as are man-in-the-middle and other attacks. Such controlled access facilitates configuration and patch implementations by limiting access to key management systems.
Reducing Attack Surfaces – Technology with end-to-end encryption can create a segmented network for ICS devices whereby they are rendered invisible to unauthorized devices such as infected flash drives. Advanced certificate-based authentication can block port reuse and unauthorized access by, for example, a contractor’s unauthorized laptop. It can assure that only necessary and approved communications occur between known devices.
Building a Defendable Environment – Validated cryptographic protections can isolate critical-control traffic from other traffic even when transported over the same physical network. Through device-level firewall functionality and command-level whitelisting, all host-to-host communications are monitored and restricted.
Managing Authentication – Network and ICS data can be segmented using centralized PKI (public key infrastructure) security. To breach such a segmented system, an attacker would have to simultaneously compromise security frameworks on two separate network segments.
Securing Remote Access – Access should be secured through encrypted connections using PKI-based authentication. Monitor-only modes are useful for permitting exclusively valid and authorized data to be exported without opening a link that an attacker can use to send traffic in, or tunnel data out.
Monitoring and Response – Military-grade technology is available to industry for advanced monitoring. When unauthorized activity is detected, such systems block access and send an alert to approved personnel.
Tomi Engdahl says:
Unprotected Switches Expose Critical Infrastructure to Attacks: Cisco
https://www.securityweek.com/unprotected-switches-expose-critical-infrastructure-attacks-cisco
Cisco has advised organizations to ensure that their switches cannot be hacked via the Smart Install protocol. The networking giant has identified hundreds of thousands of exposed devices and warned that critical infrastructure could be at risk.
The Cisco Smart Install Client is a legacy utility that allows no-touch installation of new Cisco switches. Roughly one year ago, the company warned customers about misuse of the Smart Install protocol following a spike in Internet scans attempting to detect unprotected devices that had this feature enabled. It also made available an open source tool for identifying devices that use the protocol.
Attackers can abuse the Smart Install protocol to modify the configuration file on switches running IOS and IOS XE software, force the device to reload, load a new IOS image, and execute high-privilege commands. These attacks rely on the fact that many organizations fail to securely configure their switches, rather than an actual vulnerability.
The flaw, tracked as CVE-2018-0171, allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or execute arbitrary code by sending specially crafted Smart Install messages to an affected device on TCP port 4786. Researchers said they had identified roughly 250,000 vulnerable Cisco devices with TCP port 4786 open.
Tomi Engdahl says:
Schneider Electric Patches 16 Flaws in Building Automation Software
https://www.securityweek.com/schneider-electric-patches-16-flaws-building-automation-software
Schneider Electric informed customers last week that the latest version of its U.motion Builder software patches a total of 16 vulnerabilities, including ones rated critical and high severity.
U.motion is a building automation solution used around the world in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.
Researchers discovered that the Builder software is affected by 16 vulnerabilities, including path traversals and other bugs that can lead to information disclosure, and remote code execution flaws via SQL injection.
A majority of the security holes have been classified as medium severity, but some of them are more serious based on their CVSS score.
Tomi Engdahl says:
Business-Critical Systems Increasingly Hit by Ransomware: Verizon 2018 DBIR
https://www.securityweek.com/business-critical-systems-increasingly-hit-ransomware-verizon-2018-dbir
Ransomware has become the most prevalent type of malware and it has increasingly targeted business-critical systems, according to Verizon’s 2018 Data Breach Investigations Report (DBIR).
The 11th edition of the DBIR is based on data provided to Verizon by 67 organizations, and it covers more than 53,000 incidents and over 2,200 breaches across 65 countries.
According to Verizon, ransomware was found in 39% of cases involving malware. Experts believe ransomware has become so prevalent due to the fact that it’s easy to deploy — even for less skilled cybercriminals — and the risks and costs associated with conducting an operation are relatively small for the attacker.
Cybercriminals have increasingly started using ransomware to target mission-critical systems, such as file servers and databases, which causes more damage to the targeted organization compared to only desktop systems getting compromised.
Tomi Engdahl says:
Critical Infrastructure Threat Is Much Worse Than We Thought
https://www.securityweek.com/critical-infrastructure-threat-much-worse-we-thought
Adversaries Most Likely Want to Acquire a “Red Button” Capability That Can be Used to Shut Down the Power Grid
Last October the United States Computer Emergency Readiness Team (US-CERT) published a technical alert on advanced persistent threat (APT) activity targeting energy and other critical infrastructure sectors. Recently, it was updated with new information uncovered since the original report, and there are some interesting revelations this time around.
Since the initial alert, The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), working with U.S. and international partners, determined that attacks were already underway and being carried out by unspecified threat actors. The new report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks.
The boldest revelation is the decisive manner in which the unspecified “threat actors” are explicitly identified. There is no equivocation; what was once believed to be an amorphous “threat actor” has now been identified as the “Russian Government”.
As for reconnaissance and weaponization, in the original alert DHS identified the then “threat actor” as being interested in website and open source material pertaining to critical infrastructure. The report stated that no compromise was detected. The new alert reneges the “no compromise” statement and provides a very detailed description of how the Russians used malware to compromise industrial control system (ICS) networks. Moreover the use of zero day, APT and backdoor techniques all indicate the sophistication and intent of the activity designed to take over US critical infrastructure.
The breadth of these attacks are not only deeper but also broader than originally thought. Because it is infinitely easier to hack into a trade magazine website than into a critical infrastructure network, the report also notes the use of “watering hole” attacks; architected to compromise machines belonging to ICS personnel that visited popular online news outlets. Once installed this malware could be easily used for account takeovers.
The updated alert also reveals the effort put into exploitation. The October alert stated, “there is no indication that threat actors used Zero Day exploits to manipulate the sites.”
Also new, for the first time, the attackers attempted to cover their tracks, making it much harder to understand exactly what facilities were compromised.
Protecting the Power Grid from Cyber Attacks
One thing that remained static in both reports is the target of the attack: “…campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”
As alarming as the revised alert is, perhaps most glaringly absent is a situational analysis of what the attackers did once they successfully gained access. The updated report only scratches the surface. To date, no detailed technical report – except for Stuxnet in 2010 – has been released detailing that last mile of malware inside of ICS networks, and specifically the damage caused by the attack.
What we can conclude from this new alert is that the Russians have been running a cyber campaign against industrial infrastructures for nearly a decade. Most likely, they and others want to acquire a “Red Button” capability that can be used to shut down the power grid, or cause other infrastructure damage, at some point in the future. Having these capabilities can cause more damage and disruption that a traditional armed conflict and in many cases organizations and nations are less prepared to deal with it.
Tomi Engdahl says:
SirenJack: Hackers Can Remotely Trigger Warning Sirens
https://www.securityweek.com/sirenjack-hackers-can-remotely-trigger-warning-sirens
Researchers at Bastille, a company that specializes in detecting threats through software-defined radio, have uncovered a new method that can be used to remotely hack emergency warning systems.
Sirens are used worldwide to alert the public of natural disasters, man-made disasters, and emergency situations, including tornadoes, hurricanes, floods, volcanic eruptions, nuclear accidents, chemical spills, and terrorist attacks. False alarms can cause widespread panic and annoyance.
Researchers say they have discovered a new attack method that allows hackers to remotely trigger sirens. This type of attack, dubbed SirenJack, is possible due to a vulnerability found in emergency alert systems made by ATI Systems, a company whose products are used by major cities, universities, military facilities, and industrial sites.
According to Bastille, the vulnerability, related to the use of insecure radio protocol controls, was initially found in the system used by the city of San Francisco and later confirmed at a second installation.
Bastille researcher Balint Seeber started analyzing the city’s outdoor public warning system in 2016 after noticing that it had been using RF communications. An analysis of the system showed that commands were sent without being encrypted, allowing a malicious actor to forge commands.
Attackers need to identify the radio frequency used by the targeted siren and send the system a specially crafted message that triggers an alarm.
“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” said Chris Risley, CEO of Bastille Networks. “Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We’re now disclosing SirenJack publicly to allow ATI Systems’ users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability.”
ATI Systems has been made aware of the vulnerability and it has created a patch that adds an additional layer of security to the packets sent over the radio.
ATI noted that its current products no longer use the old control protocols that often allowed malicious actors and pranksters to trigger false alarms.
Tomi Engdahl says:
U.S. Energy Department Offers $25 Million for Cybersecurity Tech
https://www.securityweek.com/us-energy-department-offers-25-million-cybersecurity-tech
The United States Department of Energy (DOE) on Monday announced that it’s prepared to award up to $25 million for the research and development of technologies designed to protect the country’s energy infrastructure against cyber threats.
The funding opportunity announcement (FOA) comes from the Office of Electricity Delivery and Energy Reliability’s Cybersecurity for Energy Delivery Systems (CEDS) program and it seeks applications for researching, developing and demonstrating novel approaches to improving cyber resilient energy delivery systems.Energy Department offers $25 million for cybersecurity
“This FOA builds on DOE’s efforts with the private sector toward improving the security of the Nation’s critical energy infrastructure, and reducing the risk of a cyber incident that could disrupt energy delivery,” the DOE said. “It will expand the development and adoption of energy technologies that will help ensure a more secure, resilient, and reliable electricity system.”
In September 2017, the Energy Department announced its intention to invest $50 million in the research and development of tools and technologies that would make the country’s energy infrastructure more resilient and secure, including more than $20 million in cybersecurity.
Tomi Engdahl says:
Why Mass Transit Could Be the Next Big Target for Cyber Attacks—and What to do About it
https://www.securityweek.com/why-mass-transit-could-be-next-big-target-cyber-attacks%E2%80%94and-what-do-about-it
The constantly evolving tools and methods of cyber attackers has resulted in specific industries becoming the unfortunate subjects of sudden upswings in incident volume and severity. In recent years, for example, we’ve seen waves of ransomware attacks in healthcare and large-scale customer data breaches in technology. So, this trend begs the question, who’s next?
1. What Makes Mass Transit So Vulnerable?
SCADA Systems
Supervisory control and data acquisition (SCADA) systems control the physical automation that coordinates mass transit. Some of these systems have been in operation since the 1970s, and needless to say, they were not designed with modern cybersecurity in mind.
Other Legacy Systems
It was revealed by a Department of Homeland Security report, that there is elevated risk in transportation due to the aging infrastructure used across the industry. These legacy systems are not limited to SCADA. The industry as a whole has made the move towards network-enabled “intelligent public transport” (IPT) but has simultaneously been slow to phase out aging systems.
2. Potential for Terrorist and Criminal Attacks
Unlike most industries, where the potential consequences of poor cybersecurity are largely financial or privacy-driven, an attack on a public transit system has the potential to be lethal. Vulnerable SCADA systems could be hijacked by terrorists or cyber-criminals to cause derailing or collisions. While this nightmare scenario has not yet occurred, there have been numerous incidents involving mass transit and other SCADA-dependent industries that paint a clear picture of how it could happen
3. How to Prepare
The consequences of a significant cyber-attack against a mass transit system will go well beyond a few fines and bad publicity. Even when dealing with an attack that only succeeds in stealing data, the American Public Transportation Association (APTA) has warned that it could breach compliance violations under HIPAA, PCI DSS, the Patriot Act, and more. To prevent this, the recommendations provided by the Department of Homeland Security (DHS) and the APTA stress the importance of “defense-in-depth”, meaning multiple layers of security to protect against future attacks. Strong compliance and audit programs are complements to—and not substitutes for—this type of robust multi-layer defense. With the stakes so high, and the volume of incidents on the rise, what more can transit authorities do to minimize the damage?
Identify Critical Assets
Manage Patches and Vulnerabilities
Prepare for the Inevitable
Tomi Engdahl says:
Security Pros at Energy Firms Concerned About ‘Catastrophic’ Attacks
https://www.securityweek.com/security-pros-energy-firms-concerned-about-catastrophic-attacks
Many cybersecurity professionals working in the energy sector are concerned that an attack on their organization’s industrial control systems (ICS) could have “catastrophic” consequences, according to a study conducted recently by Dimensional Research on behalf of security and compliance solutions provider Tripwire.
Of the more than 150 respondents, including IT and OT security professionals in energy and oil and gas companies, 91% say they are worried about the risk of attacks on ICS. Nearly all respondents are very concerned or somewhat concerned about an attack leading to operational shutdowns or downtime that impacts customers.
Tomi Engdahl says:
Advice from the Triton cybersecurity incident
https://www.controleng.com/single-article/advice-from-the-triton-cybersecurity-incident/ff45641b315e192fc76714047a4d488f.html?OCVALIDATE&[email protected]&ocid=101781
Cybersecurity incident: Human errors enabled it, but the Triconex safety controller shut down the plant as designed, say experts with Schneider Electric and ARC Advisory Group. But it’s still a call to action for industry. Have you implemented changes since then?
Breach of an industrial, triple-redundant safety controller should dispel any thought hackers might not care about industrial facilities or that process controls are low-risk cybersecurity targets. All facilities, even if already heeding advice from Schneider Electric and ARC Advisory Group, need to have a response plan in place. The Aug. 4, 2017, cyberattack on a on a Triconex safety system that included the first instance of process safety system-specific malware, dubbed TRITON, was described in a media and analyst lunch on Feb. 13. That triple-redundant safety controller brand is part of the Schneider Electric EcoStruxure Triconex safety instrumented system (SIS). A summary of advice from each expert follows.
Collaborative cybersecurity effort
Peter G. Martin, vice president, innovation, Schneider Electric, said industry is facing a new geo-political climate where malicious actors have unlimited resources to carry out cyber-attacks; it’s time for end users, standards bodies, vendors, and government agencies to collaborate to combat the threat. Courtesy: Mark T. Hoske, Control Engineering, CFE MediaThe industry has a problem; hackers can reach instrumentation. Peter G. Martin, vice president, innovation, Schneider Electric, said a cybersecurity incident that resulted in attackers injecting malware into a safety controller is a call to action for the industry because it heralds a new geopolitical climate where malicious actors have specialized knowledge, as well as unlimited resources, to carry out their cyberattacks. These attacks can reach the instruments in a control system, especially if organizations are not compliant with industry standards, best practices and cybersecurity procedures. That means industry end users, standards bodies, vendors, and government agencies need to come together to combat the threat. The industry shouldn’t think there’s no problem because the equipment performed as it was supposed to by safely shutting down the targeted plant.
Cybersecurity wake-up call
Gary Williams, senior director, technology, cybersecurity and communications, Schneider Electric, explained that because of how the Triton cyberattack was executed– the attack vector– it is a call to action for everyone associated with this industry. Courtesy: Mark T. Hoske, Control Engineering, CFE MediaMultiple cybersecurity lapses allowed a safety controller breach. Gary Williams, senior director, technology, cybersecurity and communications, Schneider Electric, said this is an industry call to action. A Triconex controller model 3008, brought to market in 2001 and installed as part of a large automation project in 2007, was affected by a security breach. When the controller picked up an anomaly in the malware the attackers injected into its code, the controller reacted as it was intended: It safely brought the plant to a safe state via a shutdown on Aug. 4, 2017.
Upon being notified of the shutdown, Schneider Electric worked closely with the end user, independent cybersecurity organizations and the U.S. Department of Homeland Security/ICS-CERT and others to investigate the incident. The evidence they gathered indicates multiple security lapses allowed the breach to occur.
Don’t panic; assess risks
Larry O’Brien, vice president research for process automation, ARC Advisory Group, said there are ways to execute a response to and defend against a systemic, multiphase cybersecurity attack. Courtesy: Mark T. Hoske, Control Engineering, CFE MediaReconsider cybersecurity processes, procedures, and training. Larry O’Brien, vice president research for process automation, ARC Advisory Group, said the industry shouldn’t panic, but it should reconsider best practices regarding processes, procedures, and people. There are ways to execute a response to and defend against a systemic, multiphase attack.
In this same incident, the attack(s) breached another vendor’s distributed control system (DCS); so while the shutdown was initiated as designed, it’s better not to suffer a breach and shut down a process.
Other human errors on site, including leaving the controller’s keyswitch in program mode while it was in operation and leaving the controller cabinets unlocked, added significant risk for a cybersecurity attack. To lower the risks of such incidents, customers should continue to apply cybersecurity best practices across their operations
Program mode, cybersecurity standards
Eric Cosman, contributing consultant, ARC Advisory Group and co-chair of ISA99 Industrial Automation and Control Systems Security committee, said leaving a controller key in program position is inexcusable. Courtesy: Mark T. Hoske, Control Engineering, CFE MediaHave any of your controllers been left in program mode?
Eric Cosman, contributing consultant, ARC Advisory Group and co-chair of ISA99 Industrial Automation and Control Systems Security committee, said the Triton attack was not unprecedented. He advised we shouldn’t underestimate the hazards posed by human denial.
Three best practices follow.
Gary Freburger, president, process automation, Schneider Electric, said attacks on industrial systems are an international threat to public safety that can only be addressed and resolved through transparency and collaboration that go beyond borders and competitive interests. C
1. Commit to educate and address people, processes, and technologies with a relentless drive to publish and standardize best practices and share information.
2. Use common standards across all equipment and across multiple providers, with feedback and guidance from those involved.
3. Ensure collaboration through transparency. Don’t say or believe anything is secure. A lot of people are trying to get into these systems. Everyone needs to respond correctly knowing what was done before, to know how to correct it.