http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html
The equipment was expected to be installed and left alone for a long time. Pressures to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not security in an ICS environment. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment.
ICS vendors’ traditional development model didn’t accommodate regular patches and updates so it is quite likely that companies with ICS equipment are forced to consider other security tools than vulnerability scanning and patch management.
Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”
266 Comments
Tomi Engdahl says:
Understanding industrial control systems security basics
https://www.controleng.com/single-article/understanding-industrial-control-systems-security-basics/c9a78f9f00dd6209b36325e0f9ec9197.html
Cover story: It’s critical to implement an in-depth cybersecurity plan to help protect industrial control systems (ICSs) against a cyber attack. Identify threats, vulnerabilities, standards, and documents.
An industrial control system (ICS) is a general term used for any distributed control system (DCS), programmable logic controller (PLC), supervisory control and data acquisition (SCADA) or any automation system used in industrial environments that includes critical infrastructures. ICS security is designed to protect the system from any interference either intentional or unintentional, which may lead to unintended ICS operations.
Industrial control system security
ICS security can be very broadly categorized as cybersecurity. Though the word “cybersecurity” implies the intention is to look at only the “internet” connection, that is not the case when it comes to ICS environments.
The necessity of ICS security is sought after even more now that the number of threats has increased. Regulations are being enforced and companies have a legal, moral, and financial obligation to limit the risk. IEC 61511:2016- Functional Safety- Safety instrumented systems for the process industry sector also demands security assessments on safety instrumented system (SIS) design in control systems.
Because of the recent outcry over cyberattacks, ICS security has received more attention as a necessity to protect against external hackers. However, cybersecurity is one part of ICS security; threats against modern control systems come in many forms.
Identify threats
Identify ICS security vulnerabilities
Security standards for ICSs
Some of the main standards are:
ISA99 – Industrial Automation and Control Systems Security /IEC 62443 series of standards
The National Institute for Standards Technology (NIST) SP 800-82 – Guide to Industrial Control Systems Security standard
The North American Electric Reliability Council CIP series of standards.
The following are other industry and sector-specific standards:
The American Petroleum Institute (API) 1164 – Pipeline SCADA Security
Chemical Sector Cyber Security Program
American Water Works Association (AWWA) G430-09 Security Practices for Operation and Management.
A proper risk assessment should occur to suit the organization’s needs. The risk assessment may include:
The plan
The test environment
Metrics and documentation.
Tools such as implementing a virtual private network (VPN), an intrusion detection system (IDS), and a paired firewall with a demilitarized zone (DMZ) are tools to use to strengthen the network against threats. Firewall programming needs to start with “deny all” access and permit access to specific IP address TCP/UDP ports later on.
Tomi Engdahl says:
Data center infrastructure often an overlooked security risk: Report
http://www.cablinginstall.com/articles/pt/2018/04/data-center-infrastructure-often-an-overlooked-security-risk-report.html?cmpid=enl_cim_cim_data_center_newsletter_2018-04-24&pwhid=e8db06ed14609698465f1047e5984b63cb4378bd1778b17304d68673fe5cbd2798aa8300d050a73d96d04d9ea94e73adc417b4d6e8392599eabc952675516bc0&eid=293591077&bid=2078269
Maria Korolov of Data Center Knowledge notes that “in the rush to secure networks, servers, and endpoint devices many organizations overlook the risks hidden in the physical infrastructure necessary to keep data centers operating. Power supplies, heating and cooling systems, even security systems themselves can all be entry points for both determined threat actors and casual attackers who scan the internet for insecure access points. One of the most high-profile attacks in recent times, the Target breach, involved a third-party HVAC provider.”
Data Center Infrastructure, the Often-Overlooked Security Risk
http://www.datacenterknowledge.com/security/data-center-infrastructure-often-overlooked-security-risk
Power supplies, cooling systems, even security systems themselves can all be entry points for attackers.
One of the most high-profile attacks in recent times, the Target breach, involved a third-party HVAC provider.
“The bad guys are going after anything that’s open and available,” said Bob Hunter, founder and CEO at AlphaGuardian Networks.
Take, for example, rack power distribution units. Since data center administrators need to know what’s going on with the power to their servers, the PDUs typically offer either local or remote monitoring, but the security on these systems is extremely weak.
Hackers can get in and hijack systems for ransom, or, more frequently and insidiously, keep their access a secret in order to steal data or compute cycles.
Network segmentation is a good security principle, he added, but it only serves to slow down attackers, not stop them completely.
“Segmentation is a speed bump,” he said. “In the Target break, the building management system was on a physically separate network from the data itself, so they had to jump from one to the other. It took a while to do that, but at the end of the day, they were able to do it.”
And the people responsible for infrastructure security are often busy with other tasks, such as maintaining data center operations, he added.
“To add additional complexity, the industrial control systems were not designed with security in mind,” said Niall Browne, CSO at Domo, a business intelligence company. “They often have default passwords and have not been patched in years, as the manufacturer was slow to release upgrades, or the customer was hesitant to deploy them for fear of causing a service interruption to critical functions.”
“The customer leaves their back doors open and gets hacked; that can shut down the entire data center eventually.”
It’s one of the biggest vulnerabilities in the data center, Hunter said.
“Everyone wants remote access to the PDUs, because they want to remotely reboot their PDUs if the server goes down,” he said.
Ponemon Institute recently released a survey of risk professionals, in which 97 percent said that unsecured internet-enabled devices could be catastrophic for their organizations.
“If it has an IP address, it can be hacked and needs to be secured,” said Mike Jordan, senior director at consulting firm The Santa Fe Group. “You can slap an IP address on anything these days. Data center infrastructure is no exception, and it makes subcontracting support of data center infrastructure like HVAC, security cameras, and power management more compelling.”
However, only 9 percent of survey respondents said they were fully aware of all the physical devices in their environment that were connected to the internet.
Tomi Engdahl says:
Internet Exposure, Flaws Put Industrial Safety Controllers at Risk of Attacks
https://www.securityweek.com/internet-exposure-flaws-put-industrial-safety-controllers-risk-attacks
SINGAPORE — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE | SINGAPORE — Researchers have discovered a potentially serious vulnerability in industrial safety controllers and a significant number of the impacted devices are directly exposed to the Internet, making it easy for malicious actors to launch attacks and possibly cause damage.
Safety systems are designed to prevent incidents in industrial environments by restoring processes to a safe state or shut them down if parameters indicate a potentially hazardous situation. While these devices play an important role in ensuring physical safety, they can and have been targeted by malicious hackers. The best example is the Triton/Trisis/Hatman attack, which leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers.
Researchers at industrial cybersecurity firm Applied Risk have analyzed safety controllers from several major vendors, including Siemens, ABB, Rockwell Automation’s Allen Bradley, Pilz, and Phoenix Contact.
The research is ongoing, but they have identified a denial-of-service (DoS) flaw that may affect several products.
The security hole can be leveraged to cause the device to enter a DoS condition by sending it a specially crafted TCP packet. Specifically, the attack relies on EtherNet/IP, one of the most widely used industrial network protocols.
All impacted vendors have been informed. Rockwell Automation, which has assigned CVE-2017-9312 to this vulnerability, is expected to release a patch and an advisory sometime in May.
Given the significant role of safety controllers in industrial environments, causing a device to enter a DoS condition could have serious consequences, including physical damage to equipment and physical harm to people.
Tomi Engdahl says:
Defense in Depth
Defense in depth is defined in the Schneider Electric white paper, “Practical Overview of Implementing IEC 62443 Security Levels in Industrial Control Applications,” as the coordinated use of security countermeasures to protect the integrity of information assets in a network. The following are the six steps required to implement a defense in depth strategy, according to Schneider Electric.
Create a Security Plan – The most important step in the overall defense in depth process involves creating a security plan. In the security plan, personnel create a detailed audit of all of the equipment connected to the industrial control network, map how the equipment is connected, review the security configuration of equipment, and assess potential system vulnerabilities. The security plan includes the impacts of products, architectures, people, and corporate processes. A completed security plan is required before any additional steps can be taken to improve system security. Otherwise, the personnel may think a system is secure without being cognizant of potential attack vectors.
Separate Networks – Once a detailed network map is created in the security plan, networks can be separated by a major function. An example would be dividing a network into an enterprise, plant, process, and field zones. All conduits between the zones should be identified.
Perimeter Protection – In this step, conduits between zones are properly protected. An important part in this step includes securing remote access.
Network Segmentation – In this step, zones created in step two can be divided into smaller zones based on location or function. The perimeters of these segmented zones are protected. It is important to note that the security level assigned to each zone can vary. For example, the security level tied to equipment in a monitoring role can be set to Level 1, while the security level ascribed to a safety system can be set to Level 3. The level of each segmented zone does not have to be same as its neighbors.
Device Hardening – Adding features to ICS devices to improve their ability withstand a cyberattack. This reduces the likelihood that network elements will be compromised should a hacker gain access to a network.
Monitor and Update – Actively monitoring the network activity to detect potential threats, and patch products as new software/ firmware is made available to address vulnerabilities or to add security features.
Sources:
http://scnavigator.avnet.com/article/april-2018/building-effective-cyber-hygiene-into-the-connected-supply-chain/
https://www.schneider-electric.com/en/download/document/998-20186845/
Tomi Engdahl says:
Cyber Risks in Additive Manufacturing Threaten to Unravel the Digital Thread
http://scnavigator.avnet.com/article/april-2018/cyber-risks-in-am-threaten-to-unravel-the-digital-thread/
Wherever data and information are transmitted, used, or accessed, companies must anticipate that someone, somewhere may try to exploit those data and information for personal gain, or to inflict harm or damage. For organizations deploying additive manufacturing (AM) technology, acknowledging this sad reality is not just a business imperative, but potentially a true matter of life and death.
AM is one area where cyber risk poses an especially significant danger. Potential uses for AM span numerous industries as a way to address supply chain challenges associated with unpredictable inventory and expensive-to-produce parts in remote locations. However, the very nature of additive manufacturing technology-with its reliance on digital data files and connectivity to transmit them-leaves it open to significant security exposures, from product malfunctions to intellectual property theft and brand risk, along with other new threats conventional manufacturers may not face.
The data generated about an object during the AM design and production processes, for example, can be considerable, generating a strand of information that runs through the AM object’s lifespan known as the “digital thread”.
“To maintain the integrity of the AM supply chain, organizations must recognize that the intrinsic value of their business may be shifting from the end product to the information that enables that end product.”
Tomi Engdahl says:
Threat intelligence is a critical organizational need
https://www.plantengineering.com/single-article/threat-intelligence-is-a-critical-organizational-need/3e297e86bde11f5c4c5ac32790a72b1f.html
Cover story: Continuous threat intelligence collection, analysis, and optimization can help organizations improve cybersecurity measures.
Facility owners should define what they hope to achieve from threat intelligence; including:
Types of alerts needed
Vendor news
How intelligence is collected, reported and communicated to relevant stakeholders
Analysis process
How threat intelligence would be used.
Tomi Engdahl says:
Internet Exposure, Flaws Put Industrial Safety Controllers at Risk of Attacks
https://www.securityweek.com/internet-exposure-flaws-put-industrial-safety-controllers-risk-attacks
Tomi Engdahl says:
Microsoft Unveils New Solution for Securing Critical Infrastructure
https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure
Microsoft last week unveiled Trusted Cyber Physical Systems (TCPS), a new solution designed to help protect critical infrastructure against modern cyber threats.
Microsoft provided the recent Triton and NotPetya attacks as examples of significant threats hitting critical infrastructure. Triton was used in a highly targeted campaign aimed at an organization in the Middle East, while NotPetya disrupted the operations of several major companies, with many reporting losses of hundreds of millions of dollars.
Microsoft’s TCPS project aims to address these types of threats by providing end-to-end security through hardware, software and trust mechanisms that should help organizations ensure they don’t lose control over critical systems.
Cyber-physical systems (CPS) are referred to as Internet-of-Things (IoT) in an industrial context. TCPS is based on four main principles: separating critical from non-critical operations through hardware isolation; ensuring that the code responsible for critical operations can be audited; the ability of each component to process data only from trustworthy sources and each component being able to attest its trustworthiness to other components; and reducing the attack surface by reducing the number of trusted entities.
One crucial component in providing end-to-end security involves trusted execution environments (TEE), Microsoft said. TEE includes Secure Elements (e.g. chip on a credit card), Intel’s Software Guard Extensions (SGX), ARM TrustZone, and Trusted Platform Modules (TPMs) and DICE-capable microcontrollers from the Trusted Computing Group.
TEE offers several advantages from a security viewpoint, including the fact that code running in a TEE is small and thus has a minimal attack surface, the code is considered trusted, all the data is encrypted, and the TEE hardware ensures that software running outside the trusted environment cannot break in.
Tomi Engdahl says:
Schneider Electric Development Tools Affected by Critical Flaw
https://www.securityweek.com/schneider-electric-development-tools-affected-critical-flaw
Security firm Tenable has disclosed the details of a critical remote code execution vulnerability affecting Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition products.
InduSoft Web Studio is a toolset designed for developing human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions, and InTouch Machine Edition is an HMI/SCADA development tool that can be used for both advanced applications and small-footprint embedded devices. The products are used worldwide in the manufacturing, oil and gas, water and wastewater, automotive, building automation, and renewable energy sectors.
“The vulnerability is similar to CVE-2017-14024 in that it involves calling mbstowcs() in TCPServer.dll. However, this new vulnerability leverages command 50 instead of command 49. The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service, by default on TCP port 1234,” Tenable explained.
Tomi Engdahl says:
Vlad that’s over: Remote code flaws in Schneider Electric apps whacked
Putin the patch, critical infrastructure firms warned
https://www.theregister.co.uk/2018/05/02/security_firm_uncovers_zeroday_exploit_in_critical_infrastructure_software/
Infosec researchers at Tenable Security have unearthed a remote code execution flaw in critical infrastructure software made by energy management multinational Schneider Electric.
The vulnerability could have allowed miscreants to control underlying critical infrastructure systems, researchers said.
The apps affected – used widely in oil and gas, water and other critical infrastructure facilities – were InduSoft Web Studio and InTouch Machine Edition.
Tomi Engdahl says:
Microsoft Unveils New Solution for Securing Critical Infrastructure
https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure
Microsoft last week unveiled Trusted Cyber Physical Systems (TCPS), a new solution designed to help protect critical infrastructure against modern cyber threats.
Microsoft provided the recent Triton and NotPetya attacks as examples of significant threats hitting critical infrastructure. Triton was used in a highly targeted campaign aimed at an organization in the Middle East, while NotPetya disrupted the operations of several major companies, with many reporting losses of hundreds of millions of dollars.
Microsoft’s TCPS project aims to address these types of threats by providing end-to-end security through hardware, software and trust mechanisms that should help organizations ensure they don’t lose control over critical systems.
Cyber-physical systems (CPS) are referred to as Internet-of-Things (IoT) in an industrial context. TCPS is based on four main principles: separating critical from non-critical operations through hardware isolation; ensuring that the code responsible for critical operations can be audited; the ability of each component to process data only from trustworthy sources and each component being able to attest its trustworthiness to other components; and reducing the attack surface by reducing the number of trusted entities.
One crucial component in providing end-to-end security involves trusted execution environments (TEE), Microsoft said. TEE includes Secure Elements (e.g. chip on a credit card), Intel’s Software Guard Extensions (SGX), ARM TrustZone, and Trusted Platform Modules (TPMs) and DICE-capable microcontrollers from the Trusted Computing Group.
Tomi Engdahl says:
Siemens Patches DoS Flaws in Medium Voltage Converters
https://www.securityweek.com/siemens-patches-dos-flaws-medium-voltage-converters
Siemens has released updates for many of its SINAMICS medium voltage converters to address two remotely exploitable denial-of-service (DoS) vulnerabilities.
According to advisories published by ICS-CERT and Siemens, the flaws impact SINAMICS GH150, GL150, GM150, SL150, SM120 and SM150 converters, which are used worldwide in the energy, chemical, critical manufacturing, water and wastewater, and food and agriculture sectors.Siemens patches two DoS vulnerabilities in SINAMICS medium voltage converters
The more serious of the flaws, identified as CVE-2017-12741 and classified “high severity,” can be exploited to cause a DoS condition by sending specially crafted packets to the device on UDP port 161.
Tomi Engdahl says:
‘Allanite’ Group Targets ICS Networks at Electric Utilities in US, UK
https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk
A threat actor has been targeting business and industrial control networks at electric utilities in the United States and United Kingdom, according to industrial cybersecurity firm Dragos.
The group, tracked as “Allanite,” has been linked to campaigns conducted by Dragonfly (aka Energetic Bear and Crouching Yeti) and Dymalloy, which Dragos discovered while analyzing Dragonfly attacks.
According to Dragos, a report published by the DHS in October 2017 combined Dragonfly attacks with Allanite activity.
Allanite leverages phishing and watering hole attacks to gain access to targeted networks. The group does not use any malware and instead relies on legitimate tools often available in Windows, Dragos says.
In July 2017, US officials told the press that the hackers had not gained access to operational networks, but Dragos confirmed third-party reports that Allanite did in fact harvest information directly from ICS networks.
Dragos believes with moderate confidence that the threat actor gains access to industrial systems in an effort to obtain information needed to develop disruptive capabilities and be ready in case it decides to cause damage. However, the security firm says the group has yet to actually cause any disruption or damage.
Tomi Engdahl says:
Advice from the Triton cybersecurity incident
https://www.controleng.com/single-article/advice-from-the-triton-cybersecurity-incident/ff45641b315e192fc76714047a4d488f.html
Cybersecurity incident: Human errors enabled it, but the Triconex safety controller shut down the plant as designed, say experts with Schneider Electric and ARC Advisory Group. But it’s still a call to action for industry. Have you implemented changes since then?
Breach of an industrial, triple-redundant safety controller should dispel any thought hackers might not care about industrial facilities or that process controls are low-risk cybersecurity targets. All facilities, even if already heeding advice from Schneider Electric and ARC Advisory Group, need to have a response plan in place. The Aug. 4, 2017, cyberattack on a on a Triconex safety system that included the first instance of process safety system-specific malware, dubbed TRITON, was described in a media and analyst lunch on Feb. 13. That triple-redundant safety controller brand is part of the Schneider Electric EcoStruxure Triconex safety instrumented system (SIS). A summary of advice from each expert follows.
Cybersecurity wake-up call
Gary Williams, senior director, technology, cybersecurity and communications, Schneider Electric, explained that because of how the Triton cyberattack was executed– the attack vector– it is a call to action for everyone associated with this industry. Courtesy: Mark T. Hoske, Control Engineering, CFE MediaMultiple cybersecurity lapses allowed a safety controller breach. Gary Williams, senior director, technology, cybersecurity and communications, Schneider Electric, said this is an industry call to action. A Triconex controller model 3008, brought to market in 2001 and installed as part of a large automation project in 2007, was affected by a security breach. When the controller picked up an anomaly in the malware the attackers injected into its code, the controller reacted as it was intended: It safely brought the plant to a safe state via a shutdown on Aug. 4, 2017.
Upon being notified of the shutdown, Schneider Electric worked closely with the end user, independent cybersecurity organizations and the U.S. Department of Homeland Security/ICS-CERT and others to investigate the incident. The evidence they gathered indicates multiple security lapses allowed the breach to occur.
A remote attacker, through a corporate system, logged onto a machine and was playing with code. An individual made an error not specific to the controller and exposed it to remote access through Microsoft XP [no longer supported] software. Practices outlined in controller documentation, and in the IEC 62443 series of standards on industrial automation and control systems (IACS) from the ISA99 Industrial Automation and Control Systems Security committee, if followed, would have prevented the breach.
Don’t panic; assess risks
Larry O’Brien, vice president research for process automation, ARC Advisory Group, said there are ways to execute a response to and defend against a systemic, multiphase cybersecurity attack. Courtesy: Mark T. Hoske, Control Engineering, CFE MediaReconsider cybersecurity processes, procedures, and training. Larry O’Brien, vice president research for process automation, ARC Advisory Group, said the industry shouldn’t panic, but it should reconsider best practices regarding processes, procedures, and people. There are ways to execute a response to and defend against a systemic, multiphase attack.
In this same incident, the attack(s) breached another vendor’s distributed control system (DCS); so while the shutdown was initiated as designed, it’s better not to suffer a breach and shut down a process.
Other human errors on site, including leaving the controller’s keyswitch in program mode while it was in operation and leaving the controller cabinets unlocked, added significant risk for a cybersecurity attack. To lower the risks of such incidents, customers should continue to apply cybersecurity best practices across their operations, as well as always implement the instructions vendors provide within their systems documentation. For example, a recommended practice is to dedicate a laptop for use with the DCS and not let anyone else or anything connect to it.
Schneider Electric’s open and helpful response to this incident has been applauded and should be a blueprint for other vendors’ responses because this won’t be the last incident.
What’s the attraction for hackers? By reprograming the DCS and the safety system, attackers can push the plant into an unsafe state without those at the plant and the safety system realizing it. That means if an incident occurred, the expected result, i.e., the safety system shutting down the plant, wouldn’t happen. Idaho National Labs demonstrated such a DCS spoofing event at least 10 years ago.
Program mode, cybersecurity standards
Eric Cosman, contributing consultant, ARC Advisory Group and co-chair of ISA99 Industrial Automation and Control Systems Security committee, said leaving a controller key in program position is inexcusable. Courtesy: Mark T. Hoske, Control Engineering, CFE MediaHave any of your controllers been left in program mode?
Three best practices follow.
Gary Freburger, president, process automation, Schneider Electric, said attacks on industrial systems are an international threat to public safety that can only be addressed and resolved through transparency and collaboration that go beyond borders and competitive interests. Courtesy: Mark T. Hoske, Control Engineering, CFE Media1. Commit to educate and address people, processes, and technologies with a relentless drive to publish and standardize best practices and share information.
2. Use common standards across all equipment and across multiple providers, with feedback and guidance from those involved.
3. Ensure collaboration through transparency. Don’t say or believe anything is secure. A lot of people are trying to get into these systems. Everyone needs to respond correctly knowing what was done before, to know how to correct it.
Tomi Engdahl says:
Understanding industrial control systems security basics
https://www.controleng.com/single-article/understanding-industrial-control-systems-security-basics/c9a78f9f00dd6209b36325e0f9ec9197.html
Cover story: It’s critical to implement an in-depth cybersecurity plan to help protect industrial control systems (ICSs) against a cyber attack. Identify threats, vulnerabilities, standards, and documents.
Tomi Engdahl says:
Security
Hacking train Wi-Fi may expose passenger data and control systems
Researcher finds security hotspots on some rail networks
https://www.theregister.co.uk/2018/05/11/train_wifi_hackable_on_some_networks/
Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers’ credit card information, according to infosec biz Pen Test Partners this week.
The research was conducted over several years, said Pen Test’s Ken Munro. “In most cases they are pretty secure, although whether the Wi-Fi works or not is another matter,” he added.
But in a handful of cases Munro was able to bridge the wireless network to the wired network and find a database server containing default credentials, enabling him to access the credit card data of customers paying for the Wi-Fi, including the passenger’s name, email address and card details.
He said he was not aware of any incidents of networks being compromised but warned in the worst-case scenario it might be possible for miscreants to take control of the train. “It might be possible, and this is speculation, to lock the braking system.”
Munro refused to name the operators affected by the weak security set-up – the vulnerabilities still exist.
Part of the problem is a lack of segregation between the Wi-Fi networks.
Hacking train passenger Wi-Fi
https://www.pentestpartners.com/security-blog/hacking-train-passenger-wi-fi/
Tomi Engdahl says:
Security Gaps Remain as OT, IT Converge
https://www.securityweek.com/security-gaps-remain-ot-it-converge
The accelerating digitization of business, driven by compelling commercial arguments, is driving the integration of new information technology (IT) networks with older operational technology (OT) networks. This is introducing new security risks to old technology and old technology practices — and where the OT is driving a critical manufacturing plant, the new risk is from nation-state actors as well as traditional cyber criminals.
The good news is that many organizations understand the risks and are actively engaged in mitigating those risks. The bad news is the risk mitigation process is far from complete.
Network and content security firm Fortinet commissioned Forrester Consulting to survey the state of converging IT / OT network security. In an associated blog, Fortinet’s senior director of product marketing, Peter Newton, explains the cultural difference between IT and OT security: “IT teams have a tendency to just want to throw security technology at the network and call it good. But these networks can be very different, and what works well in one environment can have devastating consequences in the other. For example, an error that opens a port on a switch can have a very different result from one that opens a valve on a boiler.”
https://www.fortinet.com/blog/industry-trends/fortinet-is-a-preferred-partner-for-securing-ics-scada-systems.html
Tomi Engdahl says:
Severe DoS Flaw Discovered in Siemens SIMATIC PLCs
https://www.securityweek.com/severe-dos-flaw-discovered-siemens-simatic-plcs
Siemens informed customers on Tuesday that some of its SIMATIC S7-400 CPUs are affected by a high severity denial-of-service (DoS) vulnerability.
SIMATIC S7-400 is a family of programmable logic controllers (PLCs) designed for process control in industrial environments. The product is used worldwide in the automotive, mechanical equipment manufacturing, building engineering, steel, power generation and distribution, chemical, warehousing, food, and pharmaceutical sectors.
Siemens discovered that these devices fail to properly validate S7 communication packets, allowing a remote attacker to trigger a DoS condition that causes the system to enter DEFECT mode and remain so until it’s manually restarted.
Tomi Engdahl says:
Critical Code Execution Flaws Patched in Advantech WebAccess
https://www.securityweek.com/critical-code-execution-flaws-patched-advantech-webaccess
Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address nearly a dozen vulnerabilities, including critical flaws that allow arbitrary code execution.
Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.
Tomi Engdahl says:
Understanding the convergence of IT and OT
https://www.controleng.com/single-article/understanding-the-convergence-of-it-and-ot/bf2d3ec1764b8679638866145475830e.html
Information technology (IT) and operations technology (OT) are converging to improve manufacturing operations, that can offer benefits such as improved productivity and security.
Learning from IT/OT challenges
IT and OT have different backgrounds, but their conjoined applicability arises from the IIoT. However, there are two key challenges for both parties including retentive control of systems and machines and employee safety.
Sound security solutions should be in place with features including:
Identifying and authenticating all devices and machines: All devices within the system, be it within the plant or on the field, should be ensured. Only approved devices and systems should communicate with each other. This would lessen the risk of hacking, insertion of rogue and untrusted devices into the network, and mitigate unwarranted control of any systems or machines.
Encryption: Encrypting all communications between IT/OT devices would ensure privacy of the data being relayed.
Data integrity: Ensuring the integrity of the data generated from these systems is a high priority. Though smart analytics are a major driver in IIoT adoption, these are worthless if the data is inaccurate.
Manufactured goods also contain embedded software or firmware. Enabling the remote upgradation of these softwares and firmwares would ensure their integrity.
The future of IT/OT
There are plenty of opportunities going forward, as more devices start to join the IIoT network. The converging IT/OT will offer out-of-the-box integration solutions for plant automation, asset management and manufacturing execution systems with IT apps such as supply chain and enterprise resource planning (ERP) apps at the enterprise level and provide analytics. If the present trends continue, it is very likely that the separation between OT and IT would fade until they become potentially one and the same.
To ensure this, it’s vital both sides consider the other’s expertise and point-of-view and work together toward the the same goals of providing optimal security and productivity.
Tomi Engdahl says:
Defending Industrial Control Systems with Tripwire
https://www.tripwire.com/solutions/industrial-control-systems/defending-industrial-control-systems-with-tripwire-register/?referredby=hirschmann/
Threats to Industrial Control Systems (ICS) are increasing—a reality that ICS-centric industries have begun to recognize. As a response to the growing need for protection from cyberattacks, the Department of Homeland Security (DHS), National Cybersecurity and Communications Integration Center (NCCIC) and the National Security Agency (NSA) have published Seven Steps to Effectively Defend Industrial Control Systems, a paper aimed at providing practical steps organizations can take to protect their infrastructure.
Tripwire is uniquely positioned to help organizations defend their Industrial Control Systems.
Tomi Engdahl says:
Critical Flaws Patched in Phoenix Contact Industrial Switches
https://www.securityweek.com/critical-flaws-patched-phoenix-contact-industrial-switches
Several vulnerabilities, including ones rated critical and high severity, have been patched in industrial ethernet switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions.
Tomi Engdahl says:
Finding common ground for IT/OT convergence
https://www.controleng.com/single-article/finding-common-ground-for-itot-convergence/a2a0dda75da62e752ca2cde610e0f918.html
Finding a common understanding between information technology (IT) and operations technology (OT) means avoiding a lot of issues with overall facility operations.
Tomi Engdahl says:
Why IIoT Security Is So Difficult
https://semiengineering.com/why-iiot-security-is-so-difficult/
A fragmented market and ecosystem mean it will take at least five years to get security to a meaningful level.
Despite the high risk of a market filled with billions of at least partially unprotected devices, it is likely to take five years or more to reach a “meaningful” level of security in the Industrial IoT.
The market, which potentially includes every connected device with an integrated circuit, is fragmented into vertical industries, specialty chips, and filled with competing OEMs, carriers, integrators, networking providers. There are so many pieces, in fact, that it is difficult to dovetail all of them into a workable number of best practices and standards specifications, according to Richard Soley, executive director of the Industrial Internet Consortium and chairman and CEO of the Object Management Group.
One of the biggest hurdles is unifying all the various factions involved in the Industrial IoT behind a relatively small, well-defined set of definitions of what security actually is and how to get chipmakers to build it into their products consistently.
“A lot of it’s already pretty standard, so that shouldn’t be too bad”
The market for microcontrollers is very fragmented, which is part of the reason Arm introduced its Platform Security Architecture (PSA) program last October. The company provides open-source software and higher-level APIs to make it easier for developers to write trusted code, according to Neil Parris, director of products for Arm’s IoT Device IP business unit.
“We’re writing documentation with suggested recipes of what needs to go into a PSA chip for various security levels,”
“The hardware is different for every vendor,”
Intel’s Enhanced Privacy ID and Arm’s PSA are ways to build basic security into silicon before the chips or IP are incorporated into larger chipsets. Microsoft’s Azure Sphere announcement in February addressed similar issues, but on such a narrow, platform-dependent basis.
“The cheapest thing would be to integrate security inside the chip – design in a root of trust, key material, crypto accelerator and key essential security services, spending on what package it’s a part of, and you have something to provide a root of trust that takes up a tiny fraction of a square millimeter,”
Bigger problems
There are more hurdles to cross than simply getting chipmakers to make IoT devices boot securely, however.
The most obvious problem from a customer perspective is the inability of most organizations to see or identify an average of 40% of the devices on their networks, or know what they’re doing from moment to moment, according to Lumeta, a security monitoring firm whose analysis of the IoT infrastructure of 200 organizations was an important part of Cisco’s 2018 Annual CyberSecurity Report, released in February.
Once a device is connected to the Internet, however, the idea that a device can remain protected goes out the window and the technical staff becomes responsible for investigating potential security risks in each piece of software and at each layer of the communications stack
CyberX also found that:
• 60% of industrial organizations allow passwords to cross OT networks unencrypted;
• 50% run no antivirus software;
• 82% use remote-management protocols that are vulnerable to digital reconnaissance;
• And three out of four reported using at least one controller running a version of Windows for which Microsoft no longer provides patches.
Only 8.5% of industrial organizations responding to a survey said they were “very ready” to address cybersecurity
“In a typical IT environment you can shut things down or block ports to respond to something you don’t like,” Hanna said. “In an OT environment, if you block a port you may not be able to see the pressure level inside a vessel. You often can’t do a port scan of OT systems. Many of them will crash if you scan them for vulnerabilities. And in OT, having a backup to take over if the primary fails doesn’t make sense. Attackers are now going after the safety systems, as well as destabilizing the main system. So you start out thinking you have suspenders and a belt, and they’ve cut them both so you’re not protected at all.”
“Security has become a regular point of discussion with customers at conferences,”
Tomi Engdahl says:
Hardcoded Credentials Expose Yokogawa Controllers to Attacks
https://www.securityweek.com/hardcoded-credentials-expose-yokogawa-controllers-attacks
Japanese electrical engineering company Yokogawa has released firmware updates for its STARDOM controllers to address a critical vulnerability that can be exploited remotely to take control of the device.
Yokogawa’s STARDOM FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier have a hardcoded username and password that can be used by an attacker with access to the network to log in to the device and execute system commands.
The flaw is tracked as CVE-2018-10592 and it has been rated critical by both ICS-CERT and Yokogawa itself. The issue was discovered by VDLab, an industrial cybersecurity lab set up by Chinese companies Venustech and Dongfang Electric.
The vendor patched the vulnerability with the release of version R4.10. Customers have been advised to update the firmware on their devices and also implement overall security measures to protect their systems.
Tomi Engdahl says:
Trends 2018: Critical infrastructure attacks on the rise
https://www.welivesecurity.com/2018/05/30/trends-2018-critical-infrastructure-attacks/?
Healthcare sectors, critical manufacturing, food production and transportation also said to be targets for cybercriminals
Cyberthreats to critical infrastructure jumped into the headlines in 2017, starting with a Reuters report in January that a recent power outage in Ukraine “was a cyber-attack”. In last year’s Trends report we said that we expected infrastructure attacks to “continue to generate headlines and disrupt lives in 2017”. Sadly, we were right, and unfortunately, I have to say that the same trend is likely to continue in 2018 for reasons outlined in this update. It should be noted that critical infrastructure is more than just the power grid and includes the defense and healthcare sectors, critical manufacturing and food production, water, and transportation.
Tomi Engdahl says:
Hardcoded Credentials Expose Yokogawa Controllers to Attacks
https://www.securityweek.com/hardcoded-credentials-expose-yokogawa-controllers-attacks
Japanese electrical engineering company Yokogawa has released firmware updates for its STARDOM controllers to address a critical vulnerability that can be exploited remotely to take control of the device.
Yokogawa’s STARDOM FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier have a hardcoded username and password that can be used by an attacker with access to the network to log in to the device and execute system commands.
Tomi Engdahl says:
Interconnectivity Has Put ICS Environments in Cyber Risk Crosshairs
https://www.securityweek.com/interconnectivity-has-put-ics-environments-cyber-risk-crosshairs
Tell any IT professional that the computer running the electrical grid has not been updated in 20 years, or that the machine that controls operations in the bottling plant was last tuned up when Y2K was still being planned, and they will look at you like you are crazy. They simply will not believe you. Why? Because information technology (IT) and operational technology (OT) approaches to operations are polar opposites. While IT is predicated on innovation and security, OT is more about letting systems run reliably, with as little change as possible. The chasm between IT and OT is wide and deep, but not for much longer.
Tomi Engdahl says:
Triton ICS Malware Developed Using Legitimate Code
https://www.securityweek.com/triton-ics-malware-developed-using-legitimate-code
The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work.
Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product.Triconex controller targeted by Triton ICS malware
FireEye’s Advanced Practices Team has conducted a detailed analysis of the threat, which it describes as a malware framework, in an effort to determine when and how it was created.
The TriStation protocol is designed for communications between PCs (e.g. engineering workstations) and Triconex controllers. With no public documentation available, the protocol is not easy to understand, but it has been implemented by Schneider through the TriStation 1131 software suite.
It’s unclear how the attackers obtained the hardware and software they used to test the malware.
A Totally Tubular Treatise on TRITON and TriStation
https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html
Tomi Engdahl says:
Pwned with ’4 lines of code’: Researchers warn SCADA systems are still hopelessly insecure
How Shamoon and Stuxnet et al ran riot
https://www.theregister.co.uk/2018/06/18/physically_hacking_scada_infosec/
Industrial control systems could be exposed not just to remote hackers, but to local attacks and physical manipulation as well.
A presentation at last week’s BSides conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.
The talk – Hacking SCADA: How We Attacked a Company and Lost them £1.6M with Only 4 Lines of Code – reviewed 25 years of industrial control kit, going back to the days of proprietary equipment and X21 connections before discussing proof-of-concept attacks.
Historically everything was “air-gapped” but this has changed as the equipment has been adapted to incorporate internet functionality. This facilitates remote monitoring
Godfrey explained that security has never been a design criteria for industrial control kit and this hasn’t changed with the advent of IoT in the domain of SCADA systems. As a result, issues such as default hard-coded credentials and lack of encryption abound.
Worse yet, most systems are running either old or hopelessly obsolete versions of Windows. Most terminals are running Windows 7 but some run Windows 98
“Industrial control setups certainly don’t have the maturity of enterprise environments,”
Industrial control systems run water supply, power grid and gas distribution systems as well as factories, building management systems and more.
Denial-of-service in industrial control environments is easy and fuzzing (trying a range of inputs to see which causes an undesigned effect) also offers a straightforward way to uncover hacks.
INSINIA has developed a device that automatically scans networks and shuts down components. The “weaponised” Arduino micro-controller looks like a regular programmable logic controller (PLC) to other devices on the network. If it is physically planted on a targeted environment, it can quickly enumerate networks before sending stop commands. It can “kill industrial processes with only four lines of code”, according to Godfrey.
The wider security community has recognised the risk posed to industrial control systems from malware in the wake of high-profile attacks such as the Shamoon assault on Saudi Aramco and the BlackEnergy attacks on electricity distribution facilities in Ukraine.
The famous Stuxnet attack on Iran’s uranium-enrichment facilities
large number of industrial control systems exposed to the internet, which are easily found using Shodan, the search engine for the IoT.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8141-etndigi-tutki-haavoittuvuutesi-ennen-hakkereita
https://issuu.com/etndigi/docs/etndigi1_2018?e=33517312/62248876
Tomi Engdahl says:
https://www.uusiteknologia.fi/2018/06/25/lisaa-turvaa-automaattijarjestelmiin/
Tomi Engdahl says:
Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors
https://www.securityweek.com/rockwell-patches-flaw-affecting-safety-controllers-several-vendors
In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products.
The vulnerability is tracked by Rockwell as CVE-2017-9312 and it has been classified as “high severity” with a CVSS score of 8.6. CompactLogix 5370 L1, L2 and L3, and Armor CompactLogix 5370 L3 small controllers, and Compact GuardLogix 5370 and Armor Compact GuardLogix 5370 L3 safety controllers running firmware version 30.012 and prior are affected. The security hole has been patched with the release of version 31.011.
https://www.securityweek.com/internet-exposure-flaws-put-industrial-safety-controllers-risk-attacks
Tomi Engdahl says:
Industrial IoT: Protecting the Physical World from Cyber Attacks
https://www.securityweek.com/industrial-iot-protecting-physical-world-cyber-attacks
The convergence of industrial IoT and intelligent automation has been a boon for many enterprises, allowing machines to take on tasks that previous generations of automation could not handle. This shift mirrors the way that connected devices have transformed home life for many consumers. Companies are now able to automate tasks through a connected network spanning devices, applications and control systems. This includes things as simple as smart lighting in an office building to more industrial applications, like self-driving mining equipment or robotics.
A recent survey from McKinsey found that 98 percent of business leaders report including industrial IoT initiatives in their strategic road maps. Those same respondents believed that key executives have recognized industrial IoT’s value, with nearly half reporting that company leaders either strongly supported or were directly engaged in industrial IoT initiatives.
The benefits from industrial IoT seem clear, but these advancements have not come without risk. Connected devices have been associated with poor security and attackers are targeting them to get access to and infiltrate otherwise well-defended networks. Industrial IoT in the enterprise expands the threat landscape by opening up new vulnerabilities that can be exploited across endpoints, applications, cloud infrastructure and networks.
Tomi Engdahl says:
Six best practices for implementing and securing IIoT products
https://www.controleng.com/single-article/six-best-practices-for-implementing-and-securing-iiot-products/7c679f4159ef16d7a6b88d5dc8f4d508.html?OCVALIDATE=
The practice of “securing by design” can help companies protect against potential cyber attacks on Industrial Internet of Things (IIoT) products.
1. Secure interfaces: Insecure interfaces can result in data manipulation, loss, or corruption; lack of accountability; denial of access; or complete device takeover.
2. Update software and firmware regularly: It is crucial IIoT devices perform updates regularly to protect against the latest threats, and that cryptographic checks are implemented to ensure updates come from a trusted source.
3. Control access: Strong passwords, the protection of credentials, and separation of roles must be ensured to prevent compromising a device or a user account.
4. Secure the network: Only necessary ports should be available and exposed. Insecure network services may be susceptible to a variety of attacks, including denial of service (DoS), which renders a device inaccessible.
5. Eliminate backdoors: No IIoT device should have undocumented backdoors or hidden functions that an attacker could exploit.
6. Configure for security: Attackers often exploit a lack of granular permissions to access data or controls. Security hardening, encryption of data in transit, and logging security events can counter this risk.
Tomi Engdahl says:
You Know You’re at Risk, Now What?
https://www.securityweek.com/you-know-youre-risk-now-what
1. Acknowledge the reality. You already understand that your OT environment is essential to your operations, but you must also recognize those networks carry strategic importance to the adversary
2. Ask the tough questions. Driving change in your organization starts with asking some hard questions, and may very well lead to some uncomfortable answers. Who has the responsibility and accountability to monitor and protect the ICS networks? Are the right security and operational teams collaborating? Have those teams even met to discuss the ICS cyber strategy?
3. Identify your blind spots. The absence of evidence is not the same as evidence of absence of malicious actors in your networks. Don’t assume that because systems are operating, there are no underlying security issues.
4. Cover the basics, again. Start improving the organization’s visibility and understanding of risks to the OT environment – even if you cannot address them all in the short term. Audit your network segmentation. I believe really solid segmentation is one of the most important things asset owners can do to protect their OT environment.
5. Make your OT networks visible. One of the most fundamental issues preventing many companies from effectively securing their OT environments is a lack of visibility into the structure of their ICS networks.
6. Expand your IR and governance. You must manage cyber risk holistically and that means applying the same monitoring, managing, and reporting rigor to both your OT and IT environments. The first priority is to ensure there is an individual accountable for the security of OT systems. It can’t be just anyone, it has to be someone who already has, or can engender the respect of the operations teams, and someone who can push things forward. Cybersecurity has always been “a journey, not a destination,”
7. Educate your executives and board on the impact of a potential breach. Related to step 6, as the leaders of the company, your board and executive staff have a legal responsibility to manage risk to the business. But, while visibility of industrial cyber risk is increasing every day, many business leaders still don’t know what they don’t know.
Tomi Engdahl says:
Russian DragonFly hackers accessed electrical utilities control rooms in lengthy campaign
https://www.scmagazine.com/russian-dragonfly-hackers-accessed-electrical-utilities-control-rooms-in-lengthy-campaign/article/782880/
The Russian DragonFly APT group, which last year broke into air-gapped networks run by U.S. electric utilities in a likely ongoing campaign that victimized hundreds, accessed the providers’ control rooms where they could have caused blackouts and other damage.
The group, which also goes by Energetic Bear, used phishing and waterhole attacks to gain access to supplier networks, nick credentials and then access the utilities, the Wall Street Journal cited Department of Homeland Security (DHS) as confirming.
“Hackers, including state-sponsored Russian hackers, exploit the weakest link in the security chain – the people. “
Tomi Engdahl says:
Reconnaissance, Lateral Movement Soar in Manufacturing Industry
https://www.securityweek.com/reconnaissance-lateral-movement-soar-manufacturing-industry
An unusually high volume of malicious internal reconnaissance and lateral movement have been observed in the manufacturing industry, which experts believe is a result of the rapid convergence between IT and OT networks.
The data comes from the 2018 Spotlight Report on Manufacturing released on Wednesday by threat detection company Vectra. The report is based on observations from another report released on Wednesday by the company, the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which shows attacker behavior and trends across nine industries.
The Attacker Behavior Industry Report shows that Vectra has detected a significant number of threats in manufacturing companies. This industry has generated the third highest number of detections, after the education and energy sectors.
Tomi Engdahl says:
Flaws in Siemens Tool Put ICS Environments at Risk
https://www.securityweek.com/flaws-siemens-tool-put-ics-environments-risk
Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.
The TIA Portal (Totally Integrated Automation Portal) is a piece of software from Siemens that gives organizations unrestricted access to the company’s automation services.
Researchers at industrial cybersecurity firm Nozomi Networks discovered that the default installation of the TIA Portal is affected by two high severity improper file permission vulnerabilities.
One of them, CVE-2018-11453, allows an attacker with access to the local file system to insert specially crafted files that can cause the TIA Portal to enter a denial-of-service (DoS) condition or allow the hacker to execute arbitrary code.
Tomi Engdahl says:
Electric utilities use red-teaming, AI to prepare for advanced threats
https://www.cyberscoop.com/electric-utilities-use-red-teaming-ai-to-prepare-for-advanced-threats/
The U.S. electric industry has responded to a steady stream of cyberthreats with more rigorous red-teaming and by using artificial intelligence, utility executives said.
“We’re penetrating our own system to ensure that we are moving the envelope,” said Brian Harrell, Duke Energy Corp.’s managing director of enterprise protective services. “We’re trying to find the vulnerabilities before anyone else does.”
“Just yesterday I [was] having a six-hour conversation with the FBI about somebody trying to penetrate our system,” Harrell said Friday at an event at George Washington University’s (GWU) Center for Cyber and Homeland Security. “These are the kinds of things that are happening on a day in and day out basis.”
In March, the Department of Homeland Security warned that Russian government hackers had targeted the energy sector, among others, in a two-year campaign that collected information on industrial control systems (ICS) used in the sector.
Outsourcing is an option
Big power companies like Duke Energy and PG&E can run their own in-house intelligence organizations, with analysts picking apart threat data. The smaller electric cooperatives serving rural communities across the country, however, tend to lack the resources to do that.
For example, smaller companies frequently try to “‘dual hat’ their control systems people and tell them – you also need to perform these cybersecurity tasks, but often there is a skills gap,” Marty Edwards, an industrial cybersecurity expert, told CyberScoop.
“The good news is that you no longer need to try and do all this in-house,” added Edwards, who is managing director of the Automation Federation. “There are plenty of boutique cybersecurity consulting companies that specialize in ICS and operational technology – and you should bring them in to see what they can find.”
Tomi Engdahl says:
Ensuring Your Industrial Wireless Systems Are Safely Deployed
https://www.securityweek.com/ensuring-your-industrial-wireless-systems-are-safely-deployed
Finding a competitive edge in heavy industries and manufacturing today is as much about digitization and data analytics as it is about bringing new products and services to market.
The Industrial Internet of Things (IIoT) has rapidly evolved from competitive advantage to a must have, and one way that companies can help speed up deployment of IIoT technologies is by embracing wireless.
Just as WiFi and the cell network made it easier to put relevant technology in the hands of the office worker, industrial wireless solutions are becoming a vital part of connecting machines to a network. This is more controversial than someone unfamiliar with the sector might think. Historically, industrial controls systems (ICS) and the like have been strictly wired environments for a very important purpose: reliability and security.
In the case of safety systems, wireless connectivity simply isn’t appropriate even now in some instances.
The pros and cons of industrial wireless
From a security point of view these factors are not easy to evaluate: by their nature, wireless interfaces increase the attack surface for threat actors looking to exploit such systems. The risk of attackers who attempt to break into systems for the purposes of installing malware or stealing or altering data are very real. New threats which can eavesdrop, take control or sabotage IIoT networks are emerging almost daily.
Compounding the concern, there’s plenty of evidence that companies aren’t yet well enough prepared to deploy IIoT securely. A recent report published by UK manufacturers’ organisation EEF revealed that some 48% of members surveyed had been affected by a cybersecurity incident, many of which went on to suffer financial loss or disruption to their businesses as a result. Yet it also found that 45% of those surveyed did not believe that they had the ability to engage in appropriate risk assessment, and 12% had no process measures in place at all to deal with a threat.
There are other sectors which may be in even worse shape. A recent report by the World Economic Forum found that 48% of mining operators believed they would be unable to even identify a sophisticated cyber-attack, let alone prevent it. Industrial wireless systems, then, are an essential opportunity, but they should never be deployed without a thorough assessment of potential risks, alongside adequate measures to mitigate against them.
Deploying industrial wireless safely
Standards are, for once, ahead of practice. The WirelessHART and ISA100 wireless communications protocols have been developed specifically for ICS, automation and sensors, and have been widely adopted by vendors over the last eight or nine years. Both WirelessHART and ISA100 are very robust standards, designed for high availability and resilience to interference, which utilise strong encryption to protect the theft of data in transit, and integrity checking mechanisms that when applied correctly reduce the risk of data tampering too.
Both WirelessHART and ISA100 offer a great deal of reassurance to industrial organizations that their deployments will be secure. Even with these strong frameworks in place, however, companies need to exercise a degree of caution. Any security protocol is only as dependable as its implementation allows, and solutions must be suitable to their applications.
Poor implementation, for example, could leave vulnerabilities that allow threat actors to manipulate sensor data in transit without detection, in turn giving the appearance that machinery is operating within acceptable parameters no matter what. Given the inherent danger of industrial environments, vendor-backed guarantees that communications between IIoT devices is secure should not be taken at face value.
For example, communications between wireless devices may be robustly protected, but poor configuration can leave vulnerabilities between gateways and SCADA networks. These require appropriate testing and security hardening to ensure proper network segmentation is in place between critical ICS devices and other services.
In the US, the National Institute of Standards and Technology (NIST) has recently published its Guide to Industrial Wireless Systems Deployments
NISTs guidelines are thorough and include advice on testing reboot times for devices and conducting risk assessments for the intrinsic safety of a system in the event of a failure or attack on the wireless network.
Tomi Engdahl says:
Three steps for performing an ICS security audit
https://www.controleng.com/single-article/three-steps-for-performing-an-ics-security-audit/607bb973b870198449b6599b28af6d4a.html?OCVALIDATE=
Companies looking to protect an industrial control system (ICS) should audit their assets, network, and data flows to better determine how safe a system is, and what more needs to be done.
The threat landscape for industrial automation and Industrial Internet of Things (IIoT) systems is evolving as connectivity between disparate devices and networks grows. It is crucial that organizations plan and execute effective defense-in-depth (DID) strategies and invest in the continued evaluation and adjustment of their security measures.
According to Symantec’s 2018 Internet Security Threat Report, there’s been a 29% increase in industrial control system (ICS) related vulnerabilities over the past year. Given the valuable and safety-critical processes these systems connect and control, security breaches can have expensive, wide-reaching and dangerous implications.Malicious actors have several options for attack once they gain access to an ICS. These include loss of view, manipulated view, denial of control, manipulation of control- and finally-loss of control. These attacks can result in varying consequences that range from minimal interruption to dangerous failures and extended outages. Regardless of initial impact or severity, an unauthorized entry provides opportunity for damage to a company’s bottom line-through downtime, loss of intellectual property, and/or loss of market share-and to the safety of its employees and the general public.
1. Inventory the assets
While it seems simple, most operators do not have a complete view of the assets they need to protect, such as programmable logic controllers (PLCs), human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, and others. Categorize assets into classes with common properties and understand the data attributes of each asset. This exercise is a critical starting point because if companies don’t know what they need to protect, they won’t be able to protect it.
2. Inventory the network
Asset inventory will enable companies to understand the physical assets that are connected to the network. The next step involves understanding how those assets are connected through networking architecture and configuration. Understanding the paths data can take shows how an attacker could get access to this data. A physical and logical map of the enterprise’s network will set companies up for success in the third step of the security audit.
3. Inventory the data flows
Understanding data flows is critical. Because many protocols used in industrial automation do not have options for securing traffic, many attacks can be executed without any exploit-simply by having access to the network and understanding the protocol. Understanding the port, protocol, end-points, and timing requirements (deterministic or not) can enable understanding of where data needs to flow over the network assets identified in step 2.
With these steps complete, there is knowledge of assets, how they are connected, and how data flows across the network to and from each end-point. To get in, attackers would have to violate one of these three known domains. They would need to:
Add a new asset to the network
Modify the network configuration to gain access to various layers of the network
Manipulate an existing device to talk with a new end-point and create a new data flow.
Tomi Engdahl says:
Implementing a cybersecurity strategy for cloud-based SCADA
https://www.controleng.com/single-article/implementing-a-cybersecurity-strategy-for-cloud-based-scada/d07c9be1fa2eb241fae91590360db7e5.html?OCVALIDATE=
It’s critical to have the proper framework and cybersecurity measures in place to help prevent cyber attacks for cloud-based deployments of supervisory control and data acquisition (SCADA) systems.
Supervisory control and data acquisition (SCADA) in the cloud offers the potential for greater flexibility, scalability, and certainty. It also promises the ability to massively reduce capital expenditure, provide predictable costs, accelerate implementation, and quickly accommodate changes when adding or altering assets. As a more efficient deployment model, cloud-based SCADA is designed to reduce barriers to entry across many industries.
With cloud-based SCADA, there is no need for a control or backup center. Users can leverage the cloud infrastructure from their preferred service provider and move from a capital expenditure (CapEx) model to an operational expenditure (OpEx) model. Eight to 10 months for a SCADA project can be reduced to a few weeks. Also, users can start with fewer assets and add or remove them as needed. In addition, software versions are always kept current. Benefits are continually being proven in the industry.
For example, a project for a crude oil and natural gas exploration and production company in Canada used offsite SCADA to bring over 300 wells online within one month of signing the order.
Cloud-based SCADA and cybersecurity
Cloud-based SCADA can offer a reliable and secure approach. On-site resources and expertise can be supplemented by remote support, continual monitoring and automatic updates provided by the service provider. In many ways, the design of communications is similar to topics considered in earlier SCADA systems, however now it is more important to have a solid cyber-secure design.
The issue of cybersecurity is critical in such systems as the number of threats to industrial control systems (ICSs) is growing.
Those that are successful, meanwhile, have demonstrated the risks are far from theoretical. Examples include:
The Sandworm hackers caused blackouts for more than half a million people in the Ukraine in 2016—after targeting the U.S.
The Shamoon virus crippled tens of thousands of computers at Middle Eastern energy companies in 2012, and resurfaced four years later.
The WannaCry ransomware spread across the globe last year and affected more than one-third of the U.K.’s National Health Service trusts-and not just hospital computer systems, but medical equipment such as MRI scanners and blood testing devices, as well.
More than half of industrial facilities have experienced some form of cybersecurity incident, and three quarters expect an attack on their industrial control system (ICS), according to Kaspersky Lab.
Challenges with cybersecurity
Figure 3: Example of a secure cloud system architecture. Courtesy: Honeywell Industrial Cyber SecurityThere are two key dangers in terms of cybersecurity when it comes to cloud-based SCADA.
First, cybersecurity measures are ignored or inadequately addressed. Unsecured connections through satellite or radio communication provide hackers with an opportunity to target the remote site and hack into the cloud or SCADA system. Every unsecured valve site, for example, becomes a significant source of vulnerability.
Second, the risks are overstated to the extent that businesses are put off from cloud deployment. That would not only mean they miss out on the benefits cloud-based SCADA has in terms of efficiency, which would have a potentially bigger cumulative impact on the industry, but over the long-term than any of the cyber attacks that have occurred. It would also be unlikely—because of the shortage of skills and in-house resources to address cyber risks—to improve a businesses’ security.
That’s clear when attack vectors are considered, how breaches occur, and how malware or hackers get in. Hackers exploit common vulnerabilities including:
Unsecured points of connectivity to the ICS environment, with multiple equipment and system vendors given access.
External or business network security being compromised.
Employees and contractors falling victim to phishing or spearphishing attacks or through their laptops, phones, smart watches, IoT devices, or removable media.
Securing access points
SCADA data is essentially benign information. The system collects and displays data from programmable logic controllers (PLCs) or remote terminal units (RTUs). It is essentially one-way traffic, providing a view of the facility’s status. It is not a control function. Security is important when looking at cloud-based SCADA, but it is not an insurmountable challenge.
The numbers of these access points and the lack of central oversight and control lead to a variety of problems including:
Partial data availability on assets and events
No proper hardening
No proper monitoring, nor governance
No proper planning and accountability around cybersecurity.
Centralized cybersecurity
The key to cloud-based SCADA is security in the cloud—centralizing security through a cloud-based security center and communication center
This security center can handle the authentication of connections, ensuring they are valid before allowing access to the communication server. The communications server, meanwhile, undertakes the authentication with a virtual security engine (VSE) located at each plant or site. The VSE also can initiate a connection with the communication server from the remote site and can be automated to occur at specified intervals or times so the server doesn’t have to constantly be connected.
All communications from these plants or sites pass through a secure tunnel, using port 443, with transport layer security (TLS) encryption, and a firewall rule can be enforced for all remote connections. This provides a distributed architecture with secure tunnels from operations to remote sites.
Tomi Engdahl says:
High-Severity Flaws Patched in Schneider Electric Products
https://threatpost.com/high-severity-flaws-patched-in-schneider-electric-products/137034/
Tomi Engdahl says:
Cybercriminals Changing Tactics as Seen in First Half Report
https://blog.trendmicro.com/trend-micro-2018-midyear-security-roundup/
Any organization that supports critical infrastructure needs to look at how to harden up their ICS/SCADA networks as we’re starting to see threat actors looking to perform destructive attacks versus simply doing reconnaissance and testing capabilities when compromising these networks. As our Zero Day Initiative is finding out, vulnerabilities within the applications and devices in this sector are increasing and, more worrying, we’re not seeing quick patching of the vulnerabilities by the affected vendors. This will likely change as the vendors are made more accountable for fixing their bugs, but until then providers of critical infrastructure need to build improved patching processes, like the use of virtual patching at the network and host layers.
Tomi Engdahl says:
Germany concerned about possible ‘sleeper’ cyber sabotage
https://www.reuters.com/article/us-germany-security/germany-concerned-about-possible-sleeper-cyber-sabotage-idUSKCN1LK1DX
BERLIN (Reuters) – A growing number of countries can hack into private computer networks and install malicious software to sabotage another country’s infrastructure, Germany’s domestic spy chief said.
But intelligence officials are increasingly worried about so-called “cyber bombs” that could be planted in the network of an unsuspecting company and detonated later .
Tomi Engdahl says:
Endpoints a Top Security Concern for Industrial Organizations: IIoT Survey
https://www.securityweek.com/endpoints-top-security-concern-industrial-organizations-iiot-survey
Actively Checking Device Integrity Can Detect Changes that Evade IP-based Monitoring
The SANS Institute recently published a research study of Industrial IoT (IIoT) security. The survey polled more than 200 security professionals from energy, utility, oil and gas, and manufacturing organizations. Among the key findings, the majority of respondents reported they are more concerned about endpoint device security, than network security. Another interesting takeaway, less than 5% of those in operational technology (OT) roles said they were confident in their company’s ability to secure these new infrastructures. Both OT and IT respondents cited they lack appropriate IIoT monitoring capabilities.
According the report’s authors: “The closer someone is to the IIoT systems, the greater the recognition of a challenging reality. The individuals probably the most knowledgeable about IIoT implementation, the OT team, appear the least confident in their organization’s ability to secure these devices, while company leadership and management, including department managers, appear the most assured.”
Concerns about endpoint security in industrial environments, especially among OT personnel, are being driven by the demise of the traditional air gapping of OT infrastructures. A full 32% of organizations surveyed said they have IIoT devices connected directly to Internet, bypassing traditional ICS security layers. The threat of external attacks reaching OT networks is no longer science fiction; it is happening now.
Case in point, the Department of Homeland Security recently revealed that hackers working for Russia have breached the control rooms of U.S. electric utilities where they could have caused blackouts.
With industrial threats now a reality, OT personnel are becoming keenly aware of the shortcomings they face in securing ICS devices. Among those surveyed, less than 30% have OT-specific monitoring capabilities, while 72% rely on IP suites to control, configure and collect device data. Without visibility into changes made to device configurations, software and patch levels, it’s virtually impossible to detect an attack until it’s too late. IP suites can monitor network traffic, but not the integrity of controllers.
Tomi Engdahl says:
Menacing Malware Shows the Dangers of Industrial System Sabotage
https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage
Tomi Engdahl says:
Flaw in Schneider PLC Allows Significant Disruption to ICS
https://www.securityweek.com/flaw-schneider-plc-allows-significant-disruption-ics
A vulnerability discovered in some of Schneider Electric’s Modicon programmable logic controllers (PLCs) may allow malicious actors to cause significant disruption to industrial control systems (ICS).
The flaw was identified by Yehonatan Kfir, CTO of industrial cybersecurity firm Radiflow, as part of an ongoing project whose goal is finding new ICS vulnerabilities. Advisories for this security hole were published recently by both Schneider Electric and ICS-CERT.
The vulnerability, tracked as CVE-2018-7789 and described as an issue related to improper checking for unusual or exceptional conditions, can be exploited by an attacker to remotely reboot Modicon M221 controllers.
According to Schneider, all Modicon M221 controllers running firmware versions prior to 1.6.2.0, which includes a patch for the issue, are impacted.
Tomi Engdahl says:
Malware on ICS Increasingly Comes From Internet: Kaspersky
https://www.securityweek.com/malware-ics-increasingly-comes-internet-kaspersky
Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.
According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.
An overall increase in malicious activity has led to attack attempts against 41.2% of the industrial control systems (ICS) protected by the security firm, which represents an increase of nearly 5 percentage points compared to the first half of 2017. Kaspersky detected 18,000 malware samples belonging to more than 2,500 families in that period.