ICS Companies Are Worried About Cybersecurity, But Are They Worried About the Right Things?

http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html

The equipment was expected to be installed and left alone for a long time. Pressure to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not security in an ICS environment. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment.

ICS vendors’ traditional development model didn’t accommodate regular patches and updates, so it is quite likely that companies with ICS equipment are forced to consider security tools other than vulnerability scanning and patch management.

Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months. 

“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”

266 Comments

  1. Tomi Engdahl says:

    Network DoS Attack on PLCs Can Disrupt Physical Processes
    https://www.securityweek.com/network-dos-attack-plcs-can-disrupt-physical-processes

    A team of researchers has demonstrated an interesting type of denial-of-service (DoS) attack on programmable logic controllers (PLCs), where network flooding can lead to the disruption of the physical process controlled by the device.

    A paper titled “You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks” was published last year by a group of researchers from the German universities Hochschule Augsburg and Freie Universität Berlin. The ICS-CERT agency in the United States this week published an advisory showing what each impacted vendor said or did in response to the flaw.

    The security hole, tracked as CVE-2019-10953, has been classified as “high severity” (CVSS score of 7.5) — industrial cybersecurity professionals have often warned that DoS attacks have a much higher impact in the case of industrial systems compared to IT systems.

    https://www.usenix.org/system/files/conference/woot18/woot18-paper-niedermaier.pdf

  2. Tomi Engdahl says:

    Are savings being made in the wrong place? One industry in particular is a target of cyber espionage and sabotage
    https://www.tivi.fi/uutiset/tv/f314c5ea-0ad7-40aa-b045-7c007ac94bd3

    In its recent report, the security company F-Secure estimates that falling oil prices have driven energy companies to look for cost savings. Consolidating operations can weaken the resilience of operational chains and create new vulnerabilities. At the same time, protections have fallen behind as attacks have evolved.

  3. Tomi Engdahl says:

    Network DoS Attack on PLCs Can Disrupt Physical Processes
    https://www.securityweek.com/network-dos-attack-plcs-can-disrupt-physical-processes

    A team of researchers has demonstrated an interesting type of denial-of-service (DoS) attack on programmable logic controllers (PLCs), where network flooding can lead to the disruption of the physical process controlled by the device.

    A paper titled “You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks” was published last year by a group of researchers from the German universities Hochschule Augsburg and Freie Universität Berlin. The ICS-CERT agency in the United States this week published an advisory showing what each impacted vendor said or did in response to the flaw.

    You Snooze, You Lose: Measuring PLC Cycle Times under Attacks
    https://www.usenix.org/system/files/conference/woot18/woot18-paper-niedermaier.pdf

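The two comments above describe the effect measured in the "You Snooze, You Lose" paper: network flooding stretches a PLC's scan cycle. As an added defender-side example (not code from the article, the paper or any vendor), the following script correlates a PLC's reported cycle time with the inbound packet rate on its network port and labels each sample, so that a flood that actually degrades the process stands out from a flood the PLC absorbs and from a slowdown with some other cause. The log format, field names, thresholds and values are all constructed for illustration.

```python
"""
Added example (not from the article or the cited paper): correlate a PLC's
scan-cycle time with the inbound packet rate seen on its network port.
Log format, field names, thresholds and values are constructed.
"""
import statistics
from collections import deque

# Constructed log: "<t_ms> cycle_ms=<scan cycle in ms> pps=<inbound packets/s>".
SAMPLE_LOG = """\
1000 cycle_ms=10.1 pps=120
2000 cycle_ms=10.0 pps=118
3000 cycle_ms=10.2 pps=125
4000 cycle_ms=10.1 pps=121
5000 cycle_ms=10.0 pps=119
6000 cycle_ms=14.8 pps=9800
7000 cycle_ms=31.5 pps=21000
8000 cycle_ms=45.0 pps=22500
9000 cycle_ms=10.3 pps=130
10000 cycle_ms=10.2 pps=900
"""

def parse_line(line):
    t, cyc, pps = line.split()
    return int(t), float(cyc.split("=")[1]), float(pps.split("=")[1])

def classify_samples(log, baseline=5, factor=3.0, slowdown=1.3):
    """Label every sample after the baseline window as one of:
    'normal', 'flood' (packet rate up, cycle unaffected), 'slow' (cycle
    slowed without a flood, e.g. a logic change) or 'flood+slow' (the
    paper's effect: flooding stretches the scan cycle). The first
    `baseline` samples seed the baseline and are assumed normal; abnormal
    samples are not fed back into the baseline so a long flood cannot
    become the new normal. Returns a list of (t_ms, label)."""
    samples = [parse_line(l) for l in log.splitlines() if l.strip()]
    cyc_hist, pps_hist, labels = deque(maxlen=baseline), deque(maxlen=baseline), []
    for t, cyc, pps in samples:
        if len(cyc_hist) == baseline:
            flood = pps > factor * statistics.median(pps_hist)
            slow = cyc > slowdown * statistics.median(cyc_hist)
            label = {(True, True): "flood+slow", (True, False): "flood",
                     (False, True): "slow", (False, False): "normal"}[(flood, slow)]
            labels.append((t, label))
            if label != "normal":
                continue
        cyc_hist.append(cyc)
        pps_hist.append(pps)
    return labels
```

Running `classify_samples(SAMPLE_LOG)` labels t=6000..8000 as `flood+slow`, t=9000 as `normal` and t=10000 as `flood`; in practice the cycle-time figure would come from the PLC's own diagnostics and the packet rate from a span port or switch counters.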
  4. Tomi Engdahl says:

    https://semiengineering.com/week-in-review-iot-security-auto-43/

    To test or not to test? That’s an appropriate question when it comes to the security of industrial control systems, this analysis notes. IBM Security employs an autonomous team of veteran hackers, known as X-Force Red, to conduct penetration testing of industrial control systems. “When we test legacy ICS environments, we discover many severe vulnerabilities, some of which may have been exposing the system to potential attacks for years and could be easily exploited by an attacker,” IBM’s Simone Riccetti writes.

    Industrial Control Systems Security: To Test or Not to Test?
    https://securityintelligence.com/posts/industrial-control-systems-security-to-test-or-not-to-test/

  5. Tomi Engdahl says:

    According to X-Force Red data collected from our vulnerability database, the number of vulnerabilities exposing industrial control systems has increased 83 percent since 2011. This doesn’t only mean that these systems are likely becoming more vulnerable every year; it may also mean that already vulnerable systems are possibly under attack, which would expose issues that were there before and now come to light. Furthermore, the rising awareness of threats to ICS-rich environments is resulting in better documentation of vulnerabilities and flaws.
    https://securityintelligence.com/posts/industrial-control-systems-security-to-test-or-not-to-test/

  6. Tomi Engdahl says:

    Over 100 Flaws Expose Buildings to Hacker Attacks
    https://www.securityweek.com/over-100-flaws-expose-buildings-hacker-attacks

    A researcher has discovered over 100 vulnerabilities in building management and access control systems from four major vendors. An attacker can exploit these flaws to gain full control of impacted products and manipulate the systems connected to them.

    Krstic has identified a total of over 100 security holes in these systems to which nearly 50 CVE identifiers have been assigned; some of the issues are variations of the same flaw.

    The vulnerabilities include default and hardcoded credentials, command injection, cross-site scripting (XSS), path traversal, unrestricted file upload, privilege escalation, authorization bypass, clear-text storage of passwords, cross-site request forgery (CSRF), arbitrary code execution, authentication bypass, information disclosure, open redirect, user enumeration, and backdoors.

    Krstic said during his presentation that the flaws could impact up to 10 million people and 30,000 doors at 200 facilities; the estimate is based on product documentation and online information.

    A Shodan search revealed over 2,500 systems that are directly exposed to the internet, many made by Nortek.

  7. Tomi Engdahl says:

    Wormable Windows RDS Vulnerability Poses Serious Risk to ICS
    https://www.securityweek.com/wormable-windows-rds-vulnerability-poses-serious-risk-ics

    A critical remote code execution vulnerability patched recently by Microsoft in Windows Remote Desktop Services (RDS) poses a serious risk to industrial environments, experts have warned.

    Microsoft’s Patch Tuesday updates for May 2019 resolve nearly 80 vulnerabilities, including a flaw that can be exploited by malware to go from one device to another similar to how WannaCry spread back in 2017.

    This security hole, tracked as CVE-2019-0708, impacts RDS (formerly Terminal Services) and it allows an unauthenticated attacker to take control of a device without any user interaction. The flaw can be exploited by sending specially crafted requests to the targeted machine’s RDS via the Remote Desktop Protocol (RDP).

  8. Tomi Engdahl says:

    Using lean methods to find process improvements
    Be involved in improving the work environment around you.
    https://www.csemag.com/articles/using-lean-methods-to-find-process-improvements/

    How to value-stream map

    Make a sticky note with the name of every task and transfer that happens in your business.

    Place them in sequential order from left to right on a whiteboard.
    Draw a line horizontally on the board under the sticky notes.
    For each sticky note, if the task doesn’t change the finished product, put it below the line.
    Once complete, the notes above the line are tasks that create value, and the tasks below the line do not create value (even if necessary).

    How to do a root-cause analysis

    Start with an assumption of a problem.
    Ask what causes the problem.
    Continue to look for the underlying source of each new problem.

    Once you cannot find any more causes, you have found your root cause.

    Draw lines to make six equal spaces (Landscape, two columns, three rows).

    Fill out the following items, one in each space:

    Background: What is the history of the problem?
    Problem statement: State the problem in the clearest and simplest possible way.
    Goal or future state: What is the ideal resolution to the problem?
    Analysis: This can be your root–cause analysis or, even better, hard data that can be measured to prove the problem statement.
    Proposal: What can be done to move toward the goal or future state?
    Implementation: Who is your team, what do they do, how do they do it and how do we know we’re winning?

  9. Tomi Engdahl says:

    ICS / IIoT Market Segmentation Needed So We Can Communicate Effectively
    https://pentestmag.com/ics-iiot-market-segmentation-needed-so-we-can-communicate-effectively/

    There have been many events and data points that show even people knowledgeable in ICS and security are having difficulty communicating together because we have different views and experiences on what an ICS is. The latest example is Kaspersky’s Threat Landscape for Industrial Automation Systems H1 2018 report. The report stated that “42% of all machines had regular or full-time internet connections”, and based on the other statistics a large percentage of that 42% were sending and receiving email. In case you think Kaspersky isn’t looking at ICS, they characterized the 320 computers in the survey as SCADA servers, historians, OPC gateways, engineering workstations (EWS) and operator stations/HMI.

    My initial reaction was, that’s crazy. We see almost no direct Internet access from ICS computers and certainly these computers are not receiving email.

    This demonstrates the challenge we have in communicating effectively about ICS when we use these broad terms without some sort of taxonomy. There are even more important areas where this large ICS category inhibits effective communication and action including appropriate architecture, security controls, regulation, and risk. And the confusion is getting worse.

    The answer: a taxonomy of ICS/IIoT is needed.

    The taxonomy doesn’t need to be perfect or overly detailed; its purpose is to assist in effective communication. Here are some possible categories:

    Value – what would be the consequence if integrity or availability of the ICS/IIoT is compromised?
    Architecture – classic Purdue model, IoT, classic + cloud, ???2
    Maturity of ICSsec program – huge difference in what should be done based on maturity. This is one of the biggest issues today with asset owners just starting their ICSsec efforts spending time and money on actions with minimal risk reduction.
    Sector / System Type – This is the most obvious category. There are some sectors and systems that are homogenous while others, such as chemical manufacturing, have significant variance between small and large manufacturers. My thought is you could have three to five numbered sectors, and then place industries in one of those as appropriate. We could then discuss, for example, Sector 2 systems should deploy these security controls or have these threats.
    Your category here … this is far from a complete list of possibilities.

    The bundling of more and more sectors and systems into ICS/IIoT term is helpful only in that it is increasing awareness and hopefully corresponding action. It is leading to unhelpful and confusing discussions even amongst those active in ICS. Executives and those peripherally involved in ICS will almost certainly be misled by “ICS” information that is unrelated to their ICS. We need an ICS/IIoT taxonomy.

  10. Tomi Engdahl says:

    High-Risk Flaws Found in Process Control Systems From B&R Automation
    https://www.securityweek.com/high-risk-flaws-found-process-control-systems-br-automation

    Researchers from Positive Technologies have discovered several vulnerabilities in APROL industrial process control systems from Austria-based B&R Industrial Automation.

  11. Tomi Engdahl says:

    Triton is the world’s most murderous malware, and it’s spreading
    https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/

    The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.

  12. Tomi Engdahl says:

    The Growing Threat of Drones
    https://www.icscybersecurityconference.com/the-growing-threat-of-drones/

    Drones Are Enabling Various Attacks (Both Cyber and Physical) on Industrial Sites That Historically Were Only Possible in Close Proximity to a Facility or Device

  13. Tomi Engdahl says:

    Eight Common OT / Industrial Firewall Mistakes
    https://threatpost.com/waterfall-eight-common-ot-industrial-firewall-mistakes/155061/
    Firewalls are easy to misconfigure. While the security consequences of such errors may be acceptable for some firewalls, the accumulated risks of misconfigured firewalls in a defense-in-depth OT network architecture are generally unacceptable. Most industrial sites deploy firewalls as the first line of defense for their Operations Technology (OT) / industrial networks. However, configuring and managing these firewalls is a complex undertaking. Configuration and other mistakes are easy to make. This article explores eight common mistakes that firewall administrators make and describes how these mistakes can compromise firewall functionality and network security. The lesson here though is not “stop making mistakes.” This article also explores unidirectional gateway technology as an alternative to our most important OT firewalls. Unidirectional gateways provide physical protection for industrial operations, rather than merely software protection. This means that with a unidirectional gateway, no mistake in configuration can impair the protection that the gateway provides to the industrial network.

  14. Mike johnson says:

    A Distributed Denial of Service (DDoS) attack floods a computer server with traffic to try to take it offline.

    https://www.bbc.co.uk/bitesize/guides/z2c8wmn/revision/2
