http://securityaffairs.co/wordpress/60013/hacking/ics-cybersecurity.html
The equipment was expected to be installed and left alone for a long time. Pressures to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not security in an ICS environment. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment.
ICS vendors’ traditional development model didn’t accommodate regular patches and updates, so companies running ICS equipment will most likely have to rely on security controls other than vulnerability scanning and patch management.
Based on the stats, it seems likely that there will be many cybersecurity incidents in the coming months.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”
266 Comments
Tomi Engdahl says:
Old RF Protocols Expose Cranes to Remote Hacker Attacks
https://www.securityweek.com/old-rf-protocols-expose-cranes-remote-hacker-attacks
A team of researchers from Japan-based cybersecurity firm Trend Micro has analyzed the communication mechanisms used by cranes and other industrial machines and discovered serious vulnerabilities that can make it easy for malicious actors to launch remote attacks.
Cranes, hoists, drills and other heavy machinery used in the manufacturing, construction, transportation and mining sectors often rely on radio frequency (RF) controllers. These systems include a transmitter that sends out commands via radio waves, and a receiver that interprets those commands.
Tomi Engdahl says:
Researchers Create PoC Malware for Hacking Smart Buildings
https://www.securityweek.com/researchers-create-poc-malware-hacking-smart-buildings
Researchers at IoT security company ForeScout have created a piece of malware to demonstrate how malicious actors could remotely hack into smart buildings.
Smart buildings have become increasingly common. They rely on building automation systems – including sensors, controllers and actuators – to control heating, ventilation, air conditioning, lighting, surveillance, elevators, and access.
The automation systems that power smart buildings are similar to industrial control systems (ICS), but ForeScout warns that their security should be handled differently given that building automation systems are much more open and interconnected compared to ICS. Furthermore, when it comes to the threats targeting these systems, the final payload is much easier to deliver in the case of building systems as the physical processes involved are less complicated.
Tomi Engdahl says:
Hackers Can Abuse Legitimate Features to Hijack Industrial Controllers
https://www.securityweek.com/hackers-can-abuse-legitimate-features-hijack-industrial-controllers-expert
Hackers can abuse legitimate features present in industrial controllers to hijack these devices and leverage them to gain a foothold in a network, a researcher warns.
Programmable logic controllers (PLCs) allow users to control and monitor physical processes in industrial environments. While these types of devices are known to have vulnerabilities, including ones that could be leveraged to create a dangerous worm, researchers have shown in the past that malicious actors may also be able to abuse legitimate PLC features to achieve their goals.
Roee Stark, a senior software engineer at industrial cybersecurity firm Indegy, has now demonstrated another type of attack that only leverages legitimate features. The expert has analyzed PLCs made by Rockwell Automation and found that certain Common Industrial Protocol (CIP) commands can be abused for malicious purposes.
Tomi Engdahl says:
Malware Built to Hack Building Automation Systems
Researchers dig into vulnerabilities in popular building automation systems, devices.
https://www.darkreading.com/vulnerabilities---threats/malware-built-to-hack-building-automation-systems/d/d-id/1333671
S4x19 — Miami — Researchers who discovered multiple vulnerabilities in building automation system (BAS) equipment have also constructed proof-of-concept malware to exploit some of those security weaknesses.
Tomi Engdahl says:
Flaws in Omron HMI Product Exploitable via Malicious Project Files
https://www.securityweek.com/flaws-omron-hmi-product-exploitable-malicious-project-files
Tomi Engdahl says:
Break-in attempts woke Finnish water utilities up to cyber threats: “a lot of old technology in use”
https://www.tivi.fi/Kaikki_uutiset/murtoyritykset-havahduttivat-suomalaiset-vesihuoltoyhtiot-kyberuhkiin-kaytossa-paljon-vanhaa-teknologiaa-6756627
Tomi Engdahl says:
To Improve Critical Infrastructure Security, Bring IT and OT Together
https://securityintelligence.com/to-improve-critical-infrastructure-security-bring-it-and-ot-together/
As connectivity in the industrial internet of things (IIoT) continues to accelerate, efforts to secure industrial control systems (ICSs) struggle to keep pace. While many ICS security conversations have involved endpoint security, improving the state of ICS security demands attention to more than just endpoints.
Attacks on critical infrastructure systems are proliferating. Nearly half (41.2 percent) of ICS computers suffered a malicious software attack in H1 2018, according to Kaspersky Lab. Despite growing security concerns, traditionally air-gapped operational technology (OT) is increasingly being tasked with using internet-connected devices to improve operational processes, reduce costs and minimize downtime.
Until security becomes a priority, industrial organizations will remain soft targets for threat actors.
Tomi Engdahl says:
Proactive management of plant cybersecurity
https://www.controleng.com/articles/proactive-management-of-plant-cybersecurity/
A combination of information technology (IT) and operations technology (OT) cybersecurity expertise is required to manage the influx of Industrial Internet of Things (IIoT) devices and increased IT/OT integration.
The inward-looking plant control system is giving way to a wider and flatter network architecture, which requires a different cybersecurity focus. Operations technology (OT) is undergoing a sea change in goals, structure, and management—as is information technology (IT) with the integration of the plant control system with the business systems. This is making it necessary to manage enormous data flows inside the plant.
Tomi Engdahl says:
Thousands of industrial refrigerators can be remotely defrosted, thanks to default passwords
https://techcrunch.com/2019/02/08/industrial-refrigerators-defrost-flaw/?sr_share=facebook&utm_source=tcfbpage
Security researchers have found thousands of exposed internet-connected industrial refrigerators that can be easily remotely instructed to defrost.
More than 7,000 vulnerable temperature controlled systems, manufactured by U.K.-based firm Resource Data Management, are accessible from the internet and can be controlled by simply plugging in its default password found in documentation on the company’s website, according to Noam Rotem, one of the security researchers who found the vulnerable systems.
Tomi Engdahl says:
Siemens Warns of Critical Remote-Code Execution ICS Flaw
https://threatpost.com/siemens-critical-remote-code-execution/141768/
The affected SICAM 230 process control system is used as an integrated energy system for utility companies, and as a monitoring system for smart-grid applications.
One of the flaws affecting SICAM 230 is rated critical, with a CVSS v.3 score of 10: CVE-2018-3991 allows a specially crafted TCP packet sent to port 22347/tcp to cause a heap overflow, potentially leading to remote code-execution.
Another, CVE-2018-3990, has a CVSS score of 9.3. It allows a specially crafted I/O request packet to cause a buffer overflow, resulting in kernel memory corruption and, potentially, privilege-escalation.
Other flaws of note amid the 16 advisories include three denial-of-service vulnerabilities with a CVSS v3.0 score of 7.5 in the EN100 Ethernet Communication Module and SIPROTEC 5 relays.
Tomi Engdahl says:
Network kit biz Phoenix takes heat as flaws may leave industrial control system security in ashes
Oil, gas, maritime systems affected by latest bug findings
https://www.theregister.co.uk/2019/02/11/phoenix_switch_flaws/
Companies running a popular brand of industrial Ethernet switch are being advised to update their firmware ASAP following a series of bug disclosures.
Security house Positive Technologies took credit today for the discovery of six CVE-listed security vulnerabilities in the Phoenix Contact FL Switch 3xxx, 4xxx, and 48xx industrial control switches. The flaws are addressed in firmware versions 1.35 or newer.
Tomi Engdahl says:
ICS/SCADA Attackers Up Their Game
https://www.darkreading.com/threat-intelligence/ics-scada-attackers-up-their-game/d/d-id/1333893
“The threats are getting worse,” says Robert M. Lee, CEO and co-founder of Dragos, whose company this week published its annual findings on ICS threats and engagements with its industrial clients in 2018. “But people are being really proactive about this. And maybe it’s not communitywide and we have to reach more, but you’ve got some real forward-leaning companies that are pushed into the right direction.” Report at https://dragos.com/wp-content/uploads/yir-ics-vulnerabilities-2018.pdf
The biggest shift is their using so-called “living off the land” methods, though not in the same way attackers operate in IT networks. It’s not their using Remote Desktop Protocol (RDP)-type attacks, for example, but instead employing native industrial protocols, Lee says. “These are things enterprise security would not detect,” he says.
Tomi Engdahl says:
Germany sees big rise in security problems affecting infrastructure
https://www.reuters.com/article/us-germany-cybersecurity-idUSKCN1Q60CS
Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids and water suppliers, the BSI cybersecurity agency said on Sunday, adding however that they were not all due to hacking.
The Welt am Sonntag weekly had reported on Sunday that Germany had learned of 157 hacker attacks on critical infrastructure companies in the second half of 2018 compared to 145 attacks in the whole of the previous year.
Tomi Engdahl says:
Researcher: Not Hard for a Hacker to Capsize a Ship at Sea
https://threatpost.com/hacker-capsize-ship-sea/142077/
Capsizing a ship with a cyberattack is a relatively low-skill enterprise, according to an analysis from Pen Test Partners.
With so many previously outlined ways to infiltrate networks on-board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), the question becomes, what could an adversary do with that access?
“If one was suitably motivated, perhaps by a nation-state or a crime syndicate, one could bring about the sinking of a ship,” said Pen Test Partners researcher Ken Munro, in a stark assessment of maritime cyber-danger this week.
Tomi Engdahl says:
Serious Flaws in WibuKey DRM Impact Siemens Products
https://www.securityweek.com/serious-flaws-wibukey-drm-impact-siemens-products
Siemens has informed customers that some of its products are affected by recently disclosed vulnerabilities affecting the WibuKey digital rights management (DRM) solution from Wibu Systems.
Cisco Talos revealed in December that the WibuKey DRM has three vulnerabilities that can lead to information disclosure, privilege escalation, and remote code execution. Cisco noted at the time that WibuKey is used by many applications, including the V-Ray image rendering software, the ArchiCAD architectural design software, and the Straton industrial automation software.
It turns out that Siemens also uses WibuKey for some of its products, including SICAM 230, a process control and monitoring system designed for the energy sector, and the SIMATIC WinCC Open Architecture (OA) human-machine interface (HMI) product.
Tomi Engdahl says:
Got Critical Infrastructure? Then You Should Know How To Protect It
https://www.securityweek.com/got-critical-infrastructure-then-you-should-know-how-protect-it
Both IT and OT Teams Should be Able to Quickly Access and Analyze all Data Relevant to Their Needs
Tomi Engdahl says:
Tripwire Launches Industrial Cybersecurity Assessment Service
https://www.securityweek.com/tripwire-launches-industrial-cybersecurity-assessment-service
Belden-owned Tripwire on Monday announced the availability of two new assessment services designed to help enterprises and industrial organizations find potentially dangerous vulnerabilities in their systems.
One of the new services, Industrial Cybersecurity Assessment, provides experts who can discover vulnerabilities in industrial control system (ICS) environments and determine if they can actually be exploited and if they pose a significant risk.
Tomi Engdahl says:
ICS/SCADA Attackers Up Their Game
https://www.darkreading.com/threat-intelligence/ics-scada-attackers-up-their-game/d/d-id/1333893
With attackers operating more aggressively and stealthily, some industrial network operators are working to get a jump on the threats
In nearly 40% of the incident response (IR) engagements conducted by Dragos in 2018, the attacker had been inside the network for more than a year. About one-fourth of its IR engagements were to determine whether a cyberattack was the cause of an outage or other event.
Even so, only about 20% to 30% of ICS organizations in North America today use real-time network monitoring to detect and thwart attacks, according to Lee. That’s the main security best practice recommended for ICS/SCADA organizations, and North America is actually ahead of other regions in adopting it.
https://dragos.com/wp-content/uploads/yir-ics-vulnerabilities-2018.pdf
Tomi Engdahl says:
Rockwell Automation Patches Critical DoS/RCE Flaw in RSLinx Software
https://www.securityweek.com/rockwell-automation-patches-critical-dosrce-flaw-rslinx-software
Patches released by Rockwell Automation for its RSLinx Classic software address a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly for remote code execution.
Tomi Engdahl says:
Many Vulnerabilities Discovered in Moxa Industrial Switches
https://www.securityweek.com/many-vulnerabilities-discovered-moxa-industrial-switches
Over a dozen vulnerabilities, including ones classified as critical, have been found by Positive Technologies researchers in EDS and IKS switches made by industrial networking solutions provider Moxa. The vendor has released patches and mitigations that should address the flaws.
The impacted industrial switches have been used worldwide, particularly in the energy, critical manufacturing, and transportation sectors, according to ICS-CERT.
Five security holes have been identified by Positive Technologies employees in EDS-405A, EDS-408A, and EDS-510A switches. The list includes the storage of passwords in plain text, the use of predictable session IDs, the lack of encryption for sensitive data, the lack of mechanisms for preventing brute-force attacks, and flaws that can be exploited to cause a denial-of-service (DoS) condition.
https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01
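As an added illustration (not code from the advisory, from Moxa or from Positive Technologies) of two of the flaw classes listed above, predictable session IDs and missing brute-force protection, here is a weak session manager for an embedded device’s web interface beside a hardened one. The weak version also keeps the password in plain text; the hardened version replaces that with a salted PBKDF2 hash, compared in constant time. All names, parameters and the sample client address are made up.

```python
"""Weak versus hardened session handling for an embedded device's web
management interface.

Added illustration, not vendor code. Assumes nothing about how any real
firmware is written; names and parameters are made up.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple


class WeakSessionManager:
    """Anti-pattern: sequential session IDs, plaintext password comparison,
    unlimited login attempts."""

    def __init__(self, password: str) -> None:
        self.password = password          # stored in plain text
        self.next_id = 1000
        self.sessions: set = set()

    def login(self, password: str) -> Optional[str]:
        if password != self.password:      # no lockout, no delay
            return None
        sid = str(self.next_id)            # predictable: increments by one
        self.next_id += 1
        self.sessions.add(sid)
        return sid


def predict_next_session_id(observed: List[str]) -> Optional[str]:
    """Attacker's view of the weak scheme: two consecutive IDs with a
    constant positive step give away the next one."""
    a, b = int(observed[-2]), int(observed[-1])
    step = b - a
    return str(b + step) if step > 0 else None


class HardenedSessionManager:
    """Random session IDs, salted PBKDF2 credential check in constant time,
    per-client lockout after repeated failures."""

    def __init__(self, password: str, max_failures: int = 5,
                 lockout_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                                # injectable for tests
        self.failures: Dict[str, Tuple[int, float]] = {}  # client -> (count, first failure time)
        self.sessions: set = set()

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _failure_state(self, client: str) -> Tuple[int, float]:
        count, since = self.failures.get(client, (0, 0.0))
        if count >= self.max_failures and self.clock() - since >= self.lockout_seconds:
            self.failures.pop(client, None)   # lockout window elapsed, start over
            return 0, 0.0
        return count, since

    def is_locked(self, client: str) -> bool:
        count, _ = self._failure_state(client)
        return count >= self.max_failures

    def login(self, client: str, password: str) -> Optional[str]:
        if self.is_locked(client):
            return None                       # refuse even a correct password while locked
        if hmac.compare_digest(self._hash(password), self.pw_hash):
            self.failures.pop(client, None)
            sid = secrets.token_urlsafe(32)   # 256 bits of randomness
            self.sessions.add(sid)
            return sid
        count, since = self._failure_state(client)
        self.failures[client] = (count + 1, since if count else self.clock())
        return None


if __name__ == "__main__":
    weak = WeakSessionManager("admin")
    seen = [weak.login("admin"), weak.login("admin")]
    print("guessed next weak ID:", predict_next_session_id(seen), "actual:", weak.login("admin"))
    hardened = HardenedSessionManager("admin", max_failures=3, lockout_seconds=60)
    for _ in range(3):
        hardened.login("192.0.2.10", "wrong")
    print("locked after 3 failures:", hardened.is_locked("192.0.2.10"))
```

The clock is injected so the lockout expiry can be exercised without waiting; on a device the default monotonic clock is the right choice because it is unaffected by NTP or operator time changes.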
Tomi Engdahl says:
Dragos Acquires NexDefense, Releases Free ICS Assessment Tools
https://www.securityweek.com/dragos-acquires-nexdefense-releases-free-ics-assessment-tools
Industrial cybersecurity firm Dragos on Monday announced the acquisition of NexDefense, a company that specializes in visibility technology for industrial control systems (ICS), and the launch of free ICS security assessment tools.
Tomi Engdahl says:
Learn how to use the ISA/IEC 62443 Standard to keep hackers out of your Industrial Control Systems with ISA’s IC32E cybersecurity training.
Tomi Engdahl says:
Shamoon malware destroys data at Italian oil and gas company
https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/
About a tenth of Saipem’s IT infrastructure infected with infamous data-wiping Shamoon malware.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Norsk Hydro, one of the world’s largest producers of aluminum, has shut down several metal extrusion plants as it deals with a ransomware attack
Aluminum producer switches to manual operations after ransomware infection
UPDATE: Cyber-attack identified as LockerGoga ransomware infection.
https://www.zdnet.com/article/aluminium-producer-switches-to-manual-operations-after-extensive-cyber-attack/
Norsk Hydro, one of the world’s largest aluminium producers, revealed today that it “became victim of an extensive cyber-attack” that crippled some of its infrastructure and forced it to switch to manual operations in some smelting locations. The cyber-attack was later identified as an infection with the LockerGoga ransomware strain, the company said during a press conference.
News of the cyber-attack broke earlier this morning in a message the company sent to investors and stock exchanges.
“Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas,” the company said. “IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Norsk Hydro: Hydro subject to cyber-attack
https://newsweb.oslobors.no/message/472389
Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas. IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.
Tomi Engdahl says:
Industrial Cybersecurity Firm Nozomi Launches Research Department
https://www.securityweek.com/industrial-cybersecurity-firm-nozomi-launches-research-department
While this is the formal launch of its research department, Nozomi has already conducted detailed analysis of some major threats targeting industrial control systems (ICS), including the GreyEnergy and Triton/Trisis malware families. The company has also created and released some tools that may be useful to defenders.
In the past year, Nozomi says it has also identified and reported over a dozen vulnerabilities affecting ICS products, including flaws that can lead to safety incidents or disruptions to production.
Tomi Engdahl says:
Aluminum Giant Norsk Hydro Hit by Ransomware
https://www.securityweek.com/aluminum-giant-norsk-hydro-hit-ransomware
Norwegian metals and energy giant Norsk Hydro, one of the world’s biggest aluminum producers, has been hit by a ransomware attack that has impacted operations, forcing the company to resort to manual processes.
Tomi Engdahl says:
Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator
https://www.securityweek.com/schneider-electric-working-patch-flaw-triconex-tristation-emulator
A serious denial-of-service (DoS) vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. The vendor has yet to release a patch, but assured customers that the flaw does not pose a risk to operating safety controllers.
The vulnerability, discovered by a researcher from industrial cybersecurity firm Applied Risk, can be exploited to cause a DoS condition on an emulated controller by sending it specially crafted Triconex System Access Application (TSAA) packets over the network on UDP port 1500.
Tomi Engdahl says:
What happens to a SCADA honeypot?
https://medium.com/@combitech/mitä-tapahtuu-scada-hunajapurkilla-d44c1cb93958
Industrial automation systems connected to the internet are excellent targets. Often they have no user authentication and no message encryption, so anyone on the network can send commands to the devices. Continuously running systems have also not been updated since the 1980s.
Tomi Engdahl says:
Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives
https://www.securityweek.com/critical-flaw-allows-hackers-take-control-powerflex-ac-drives
Rockwell Automation’s Allen Bradley PowerFlex 525 AC drives are affected by a critical denial-of-service (DoS) vulnerability that allows hackers to take control of devices.
PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers.
“The bug corrupts the CIP daemon in a way that some values returned by the devices are corrupted. It also prevents any new connection to be established with the device,” Merle explained.
Tomi Engdahl says:
One in two industrial computers hit by cyberattacks
https://www.itproportal.com/features/one-in-two-industrial-computers-hit-by-cyberattacks/
Almost every other Industrial Control System (ICS) computer was attacked by malware last year, new research has revealed.
A report by Kaspersky Lab warned that the threat is rising, as in 2018, 47.2 per cent of machines were attacked, compared to 44 per cent the year before.
Vietnam, Algeria and Tunisia were the countries most affected by this rising threat. On the other end of the spectrum are Ireland, Switzerland and Denmark.
Tomi Engdahl says:
Nearly Half of ICS Devices Protected by Kaspersky Targeted in 2018
https://www.securityweek.com/nearly-half-ics-devices-protected-kaspersky-targeted-2018
Tomi Engdahl says:
20% of Industrial Control Systems Affected by Critical Vulnerabilities
https://www.bleepingcomputer.com/news/security/20-percent-of-industrial-control-systems-affected-by-critical-vulnerabilities/
Over half of the 415 vulnerabilities found in industrial control systems (ICS) were assigned CVSS v.3.0 base scores over 7 which are designated to security issues of high or critical risk levels, with 20% of vulnerable ICS devices being impacted by critical security issues.
Tomi Engdahl says:
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/liikenne-ja-viestintavirasto-traficom-kartoittaa-suojaamattomia
Tomi Engdahl says:
Malware in Smart Factories: Top Security Threats to Manufacturing Environments
https://blog.trendmicro.com/trendlabs-security-intelligence/malware-in-smart-factories-top-security-threats-to-manufacturing-environments/
Long Equipment Life Cycles Expose Manufacturing Industry to Attacks: Study
https://www.securityweek.com/long-equipment-life-cycles-expose-manufacturing-industry-attacks-study
Tomi Engdahl says:
Active vs. Passive Monitoring: No Longer an Either-Or Proposition
https://www.securityweek.com/active-vs-passive-monitoring-no-longer-either-or-proposition
Most experienced security professionals have heard the axiom, “You can’t protect what you can’t see.” It’s admittedly a truism for cybersecurity… obviously the more you know and understand about your environment, the better equipped you are to detect and investigate suspicious behavior. But it also leads to a classic security conundrum: how do you implement discovery and monitoring in your environment while preserving operational stability? The question has driven a long-running debate in security circles: active vs. passive scanning, which approach is better for endpoint discovery and anomaly detection? Veteran security professionals are well-acquainted with the two options, but I frequently speak with operational personnel who are less familiar and primarily concerned with the potential negative impact on the operational technology (OT) process
Passive monitoring silently analyzes network traffic through a span port or tap to identify endpoints and traffic patterns. It creates no additional network traffic and has virtually no risk of disrupting critical processes by interacting directly with endpoints.
Active monitoring works by sending test traffic into the network and polling endpoints with which it comes into contact. Active monitoring can be very effective in gathering basic profile information such as device name, IP and MAC address, NetFlow or syslog data, as well as more granular configuration data such as make and model, firmware versions, installed software/versions and OS patch levels. By sending packets directly to endpoints, active scanning can be faster in collecting data, but this also increases the risk of endpoint malfunction by pushing incompatible queries to them or saturating smaller networks with traffic. And active scanning typically does not monitor the network 24/7, so it may not detect transient endpoints or devices in listen-only mode.
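An added example, not code from the article or from any vendor, of the passive approach described above applied to Modbus/TCP, the kind of unauthenticated native protocol that the earlier comments on SCADA honeypots and on Dragos’s “living off the land” observation are about. It consumes constructed capture records of the sort a SPAN port or tap would deliver, builds an asset inventory without sending a single packet, and raises alerts on write function codes from hosts outside an allowlist and on malformed frames aimed at port 502. The IP addresses, the allowlist and the frames are constructed; the frame layout (7-byte MBAP header followed by function code and data) is standard Modbus/TCP.

```python
"""Passive Modbus/TCP monitor built from constructed capture records.

Added illustration, not code from the page or from any vendor. A real
deployment would feed it frames from a SPAN port or tap; here the records,
IP addresses and the allowlist are all constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

MODBUS_PORT = 502
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse the MBAP header (transaction id, protocol id, length, unit id)
    and the PDU that follows. Returns None for anything that is not a
    well-formed Modbus/TCP request so the caller can flag it."""
    if len(payload) < 8:                 # 7-byte MBAP plus at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # length counts unit id + PDU, so the frame is 6 bytes longer than it
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP request frame (used only to build sample input)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


@dataclass
class Inventory:
    hosts: Dict[str, Set[str]] = field(default_factory=dict)

    def observe(self, ip: str, role: str) -> None:
        self.hosts.setdefault(ip, set()).add(role)


def analyse(records: Iterable[Tuple[str, str, int, bytes]],
            allowed_writers: Set[str]) -> Tuple[Inventory, List[str]]:
    """records: (src_ip, dst_ip, dst_port, payload) for client->server frames.
    Nothing is ever sent; the inventory and alerts come purely from observation."""
    inventory = Inventory()
    alerts: List[str] = []
    for src, dst, dport, payload in records:
        if dport != MODBUS_PORT:
            continue
        req = parse_modbus_tcp(payload)
        if req is None:
            alerts.append(f"{src}->{dst}: malformed Modbus/TCP frame on port 502")
            continue
        inventory.observe(src, "modbus-client")
        inventory.observe(dst, f"modbus-server(unit {req.unit_id})")
        if req.function_code in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}->{dst}: {WRITE_FUNCTIONS[req.function_code]} "
                          f"(FC {req.function_code}) from non-allowlisted host")
        elif req.function_code not in READ_FUNCTIONS and req.function_code not in WRITE_FUNCTIONS:
            alerts.append(f"{src}->{dst}: unusual function code {req.function_code}")
    return inventory, alerts


# Constructed capture: an HMI polling and writing a PLC, then a second host
# issuing a write it has no business sending, then a truncated frame.
HMI, ROGUE, PLC = "10.0.10.5", "10.0.10.77", "10.0.20.1"
SAMPLE_RECORDS = [
    (HMI, PLC, 502, build_request(1, 1, 3, struct.pack(">HH", 0, 10))),                    # read 10 holding registers
    (HMI, PLC, 502, build_request(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x64")),  # legitimate write
    (ROGUE, PLC, 502, build_request(1, 1, 5, struct.pack(">HH", 7, 0xFF00))),               # write coil 7 ON
    (ROGUE, PLC, 502, b"\x00\x01\x00\x00\x00\x01\x01"),                                     # MBAP with no function code
]


def run_sample() -> Tuple[Inventory, List[str]]:
    return analyse(SAMPLE_RECORDS, allowed_writers={HMI})


if __name__ == "__main__":
    inv, found = run_sample()
    for ip, roles in sorted(inv.hosts.items()):
        print(ip, sorted(roles))
    for alert in found:
        print("ALERT", alert)
```

Because the monitor only reads, it is safe to run continuously against the tap feed, which is what lets it catch the transient or listen-only devices that periodic active scans miss; an allowlist of engineering workstations and HMIs is the one piece of site-specific configuration it needs.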
Tomi Engdahl says:
Rethink the organization’s structure
Cyber-physical environments will change what managers do.
https://www.controleng.com/articles/rethink-the-organizations-structure/
According to a 2019 white paper by the World Economic Forum (WEC) and McKinsey & Co., manufacturers adopting Industry 4.0 can scale their businesses two ways:
Through operational excellence and production system innovations; or
By entering new markets.
This thesis is supported by other McKinsey research. According to a 2016 study, nearly 90 percent of surveyed companies believe that Industry 4.0 innovations would help them improve their competitive positions and operational effectiveness. Eighty percent of U.S. companies think Industry 4.0 would allow new competitors from other industries to enter their markets.
The authors proposed a framework based on smart, cyber-physical systems that connect equipment, software and people. The framework is based on the following four pillars:
1. Interconnection. The systems connect people, machines, sensors, devices and software through IIoT and allow communication among them.
2. Information transparency. Data collected through interconnection must be available to operators for decision-making.
3. Technical assistance. The intent is twofold: a) to shift low-value tasks from people to cyber-physical systems, and b) for systems to arm personnel with analyses and information for timely, effective decisions.
4. Decentralized decisions. Systems make decisions and take actions autonomously.
In one common approach to Industry 4.0 adoption, many consulting and advisory firms advocate a proof-of-concept approach where a quick win demonstrating value incentivizes teams to expand Industry 4.0 to other functional areas.
This approach assumes that an implementing company is either testing with a non-strategic initiative, such as energy management, or that it otherwise has a well-built foundation. If the underlying data, process and technology architecture is strong, it makes sense to test a closed cyberphysical loop. In contrast, if a company foundation is shaky, a proof-of-concept is probably premature.
In our case example, the fuel company didn’t have a strong foundation. Its data was inaccurate, its processes manual and inefficient. Its systems didn’t meet its needs. As a result, the company’s cyber environment is incapable of mirroring its physical environment, let alone optimizing it.
The company needs to first build a strong foundation by:
Architecting an environment that spans enterprise resources planning, manufacturing execution system and distributed control system environments with the IIoT, business intelligence and Big Data warehousing;
Properly implementing those solutions; and
Assuring that the cyber-world mirrors the physical world through system adoption and disciplined business processing.
Once it builds this foundation, the company can wade into a strategy-driving Industry 4.0 proof-of-concept project.
Tomi Engdahl says:
Manufacturing and process facility trends: Cybersecurity
https://www.controleng.com/articles/manufacturing-and-process-facility-trends-cybersecurity/
Technology update: Cybersecurity remains a key concern for manufacturing and process facilities as explained in the media session at ARC Forum 2019.
Tomi Engdahl says:
TXOne Networks Unveils First Industrial Cybersecurity Product
https://www.securityweek.com/txone-networks-unveils-first-industrial-cybersecurity-product
TXOne Networks, a joint venture between cybersecurity firm Trend Micro and industrial networking solutions provider Moxa, this week unveiled its first product, an industrial intrusion prevention system (IPS).
Trend Micro and Moxa announced the launch of TXOne Networks in November 2018. The new company focuses on industrial internet of things (IIoT) security and it will offer gateways, endpoint agents and network segmentation solutions designed to help organizations secure, control and monitor equipment and operational technology (OT).
Tomi Engdahl says:
ROCKWELL AUTOMATION MALWARE REPORT
https://cyberx-labs.com/resources/rockwell-automation-malware-report/
Researchers from our Industrial Threat Intelligence team have revealed a remote code execution vulnerability in the Allen-Bradley MicroLogix family of controllers from Rockwell Automation.
Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk
https://threatpost.com/critical-rockwell-automation-bug-in-drive-component-puts-iiot-plants-at-risk/143258/
Tomi Engdahl says:
Most OT Organizations Hit by Damaging Cyberattacks: Survey
https://www.securityweek.com/most-ot-organizations-hit-damaging-cyberattacks-survey
A majority of organizations that have operational technology (OT) infrastructure experienced at least one damaging cyberattack in the past two years, according to a survey conducted by Ponemon Institute and Tenable.
Tomi Engdahl says:
Triton Hackers Focus on Maintaining Access to Compromised Systems: FireEye
https://www.securityweek.com/triton-hackers-focus-maintaining-access-compromised-systems-fireeye
The existence of Triton, also known as Trisis and HatMan, came to light in 2017 after the malware had caused disruptions at an oil and gas plant in Saudi Arabia. FireEye’s Mandiant was called in to investigate the incident and the company has been tracking the threat ever since.
FireEye revealed on Wednesday that it recently responded to another attack carried out by the Triton group against a critical infrastructure facility.
The cybersecurity firm says it has come across several custom tools used by the threat actor, including ones designed for credential harvesting (SecHack, WebShell), remote command execution (NetExec), and several backdoors based on OpenSSH, Bitvise, PLINK and Cryptcat. The attackers have also relied on widely available tools, such as Mimikatz.
FireEye, which previously linked Triton to a research institute owned by the Russian government, pointed out that disruptive attacks aimed at industrial environments take a lot of preparation.
In one attack analyzed by the company, the attackers had been present in the target’s network for nearly a year before gaining access to an engineering workstation in charge of safety instrumented systems (SIS).
Tomi Engdahl says:
90% of Infrastructure Security Pros Have Been Hacked in the Last Two Years
https://www.designnews.com/design-hardware-software/90-infrastructure-security-pros-have-been-hacked-last-two-years/213044111660594?ADTRK=UBM&elq_mid=8200&elq_cid=876648
According to a report commissioned by Tenable, 62% of respondents said their organizations have suffered multiple attacks.
Tomi Engdahl says:
TRITON Attacks Underscore Need for Better Defenses
https://www.darkreading.com/vulnerabilities---threats/triton-attacks-underscore-need-for-better-defenses/d/d-id/1334418
As attackers focus on cyber-physical systems, companies must improve their visibility into IT system compromises as well as limit actions on operational-technology networks, experts say.
Security experts have a warning for critical-infrastructure companies: The group behind the TRITON attack on industrial control systems is not unique.
After revealing last week that the same set of tools used by the TRITON attackers were also found in a second victim’s network, security services firm FireEye stressed that attackers are likely in the networks of some of the facilities that are home to the 18,000 Triconex safety systems installed in plants worldwide.
“The reason we published this information is that we believe this is happening elsewhere,” says Nathan Brubaker, senior manager of cyber threat analysis at FireEye. “We found them twice, and that is not very likely considering how many targets there are in the world. There is a decent chance they are in other systems.”
Tomi Engdahl says:
LockerGoga: Ransomware Targeting Critical Infrastructure
https://www.fortinet.com/blog/threat-research/lockergoga-ransomeware-targeting-critical-infrastructure.html
Discovered early this year, LockerGoga is a new ransomware family that has been detected attacking industrial companies, severely compromising their operations. The file-encrypting malware’s entrance to the scene began when it was allegedly involved in attacking an engineering consulting firm based in France. Just two weeks ago, it made headlines again for crippling the operations of an international manufacturer. And shortly thereafter, two American chemical companies were also reported to have been hit by the same malware.
Tomi Engdahl says:
SAS 2019: Triton ICS Malware Hits A Second Victim
https://threatpost.com/triton-ics-malware-second-victim/143658/
In only the second known attack of the Russia-linked malware, which shut down an oil refinery in 2017, another Mideast target has been hit.
SINGAPORE – The Triton malware, which first came to light after a disruptive critical-infrastructure attack on Saudi oil giant Petro Rabigh in 2017, has found a second victim.
Tomi Engdahl says:
TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping
https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
FireEye can now confirm that we have uncovered and are responding to an additional intrusion by the attacker behind TRITON at a different critical infrastructure facility.