https://www.bbc.co.uk/bitesize/guides/z2c8wmn/revision/2

Drones Are Enabling Various Attacks (Both Cyber and Physical) on Industrial Sites That Historically Were Only Possible in Close Proximity to a Facility or Device

The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.

Researchers from Positive Technologies have discovered several vulnerabilities in APROL industrial process control systems from Austria-based B&R Industrial Automation.

There have been many events and data points that show even people knowledgeable in ICS and security are having difficulty communicating together because we have different views and experiences on what an ICS is. The latest example is Kaspersky’s Threat Landscape for Industrial Automation Systems H1 2018 report. The report stated that “42% of all machines had regular or full-time internet connections”, and base on the other statistics a large percentage of that 42% were sending and receiving email. In case you think Kaspersky isn’t looking at ICS, they characterized the 320 computers in the survey as SCADA servers, historians, OPC gateways, engineering workstations (EWS) and operator stations/HMI.

My initial reaction was, that’s crazy. We see almost no direct Internet access from ICS computers and certainly these computers are not receiving email.

This demonstrates the challenge we have in communicating effectively about ICS when we use these broad terms without some sort of taxonomy. There are even more important areas where this large ICS category inhibits effective communication and action including appropriate architecture, security controls, regulation, and risk. And the confusion is getting worse.

The answer: a taxonomy of ICS/IIoT is needed.

The taxonomy doesn’t need to be perfect or overly detailed; it’s purpose is to assist in effective communication. Here are some possible categories:

Value – what would be the consequence if integrity or availability of the ICS/IIoT is compromised?
Architecture – classic Purdue model, IoT, classic + cloud, ???2
Maturity of ICSsec program – huge difference in what should be done based on maturity. This is one of the biggest issues today with asset owners just starting their ICSsec efforts spending time and money on actions with minimal risk reduction.
Sector / System Type – This is the most obvious category. There are some sectors and systems that are homogenous while others, such as the chemical manufacturing, that have significant variance between small and large manufacturers. My thought is you could have three to five numbered sectors, and then place industries in one of those as appropriate. We could then discuss, for example, Sector 2 systems should deploy these security controls or have these threats.
Your category here … this is far from a complete list of possibilities.

The bundling of more and more sectors and systems into ICS/IIoT term is helpful only in that it is increasing awareness and hopefully corresponding action. It is leading to unhelpful and confusing discussions even amongst those active in ICS. Executives and those peripherally involved in ICS will almost certainly be misled by “ICS” information that is unrelated to their ICS. We need an ICS/IIoT taxonomy.

How to value-stream map

Make a sticky note with the name of every task and transfer that happens in your business.

Place them in sequential order from left to right on a whiteboard.
Draw a line horizontally on the board under the sticky notes.
For each sticky note, if the task doesn’t change the finished product, put it below the line.
Once complete, the notes above the line are tasks that create value, and the tasks below the line do not create value (even if necessary).

How to do a root-cause analysis

Start with an assumption of a problem.
Ask what causes the problem.
Continue to look for the underlying source of each new problem.

Once you cannot find any more causes, you have found your root cause.

Draw lines to make six equal spaces (Landscape, two columns, three rows).

Fill out the following items, one in each space:

Background: What is the history of the problem?
Problem statement: State the problem in the clearest and simplest possible way.
Goal or future state: What is the ideal resolution to the problem?
Analysis: This can be your root–cause analysis or, even better, hard data that can be measured to prove the problem statement.
Proposal: What can be done to move toward the goal or future state?
Implementation: Who is your team, what do they do, how do they do it and how do we know we’re winning?

A critical remote code execution vulnerability patched recently by Microsoft in Windows Remote Desktop Services (RDS) poses a serious risk to industrial environments, experts have warned.

Microsoft’s Patch Tuesday updates for May 2019 resolve nearly 80 vulnerabilities, including a flaw that can be exploited by malware to go from one device to another similar to how WannaCry spread back in 2017.

This security hole, tracked as CVE-2019-0708, impacts RDS (formerly Terminal Services) and it allows an unauthenticated attacker to take control of a device without any user interaction. The flaw can be exploited by sending specially crafted requests to the targeted machine’s RDS via the Remote Desktop Protocol (RDP).

A researcher has discovered over 100 vulnerabilities in building management and access control systems from four major vendors. An attacker can exploit these flaws to gain full control of impacted products and manipulate the systems connected to them.

Krstic has identified a total of over 100 security holes in these systems to which nearly 50 CVE identifiers have been assigned; some of the issues are variations of the same flaw.

The vulnerabilities include default and hardcoded credentials, command injection, cross-site scripting (XSS), path traversal, unrestricted file upload, privilege escalation, authorization bypass, clear-text storage of passwords, cross-site request forgery (CSRF), arbitrary code execution, authentication bypass, information disclosure, open redirect, user enumeration, and backdoors.

Krstic said during his presentation that the flaws could impact up to 10 million people and 30,000 doors at 200 facilities; the estimate is based on product documentation and online information.

A Shodan search revealed over 2,500 systems that are directly exposed to the internet, many made by Nortek.