Search results

Wednesday, August 9, 2017 @ 02:08 PM gHale

By Jalal Bouhdada
The Industrial Internet of Things (IIoT) is a system of connected devices which brings the potential for significant efficiency gains – and with it, significant risk.

IIoT security is currently at an immature point in its lifecycle, requiring greater attention before it becomes a reliable facet of infrastructure.

A perfect case in point: during the WannaCrypt attack this June, Chernobyl’s nuclear power station suffered disruption, with automatic radiation monitoring systems knocked offline, forcing manual use. Furthermore, Industroyer, hailed as the largest threat to industrial environments since Stuxnet, was just revealed as the tailor-made malware targeting Ukraine’s Ukrenergo in 2016.

There is no doubt the number and quality of attacks which affect industrial environments are rising, providing a greater challenge for industry to tackle than ever before. The reasons for this lack of security capacity are becoming apparent: they are attributed either to outdated technologies, unsecured IIoT systems or a simple lack of security best practices.

To date, the focus of the IIoT industry has been on accelerating the pace of innovation, echoing that seen in the consumer IoT sphere.

It is now becoming evident that implementing technology with a focus on productivity alone is a recipe for disaster, and must be tempered with effective security practices.

As with any unsecured technology, short-term benefits such as enhanced productivity and cost reduction will be felt immediately. However, the long-term impact of using such technology far outweighs the initial benefits. Among businesses utilizing Industrial Control Systems (ICS), ineffective cybersecurity practices were found to cost each one up to $498,045 per year.

Rising Cyber Threat
When focusing on industrial systems, attackers are now ready and able to lock down critical technology, motivated by the increased incentive for victims to pay a ransom.

When weighed against the cost of a lost batch or plant shut-down, a bitcoin payment becomes trivial in comparison to reduced productivity. While influencing process control is often a more difficult undertaking than locking systems, ransomware can have a highly disruptive impact. Organizations often overestimate their security capabilities: 83 percent of organizations utilizing ICS technology now claim they are prepared to meet cyber attacks head on. Clearly, more must be done, with half of businesses globally admitting to suffering between one and five security incidents in 2016.

With hackers deliberately targeting industrial environments for greater likelihood of return on investment, industry is no longer the obscure counterpart to IT technology. While IT security has developed in response to security threats, Operational Technology (OT) has not had the same incentive. Now, with IT threats making the leap to OT systems through networked technology, industry is left to contend with a security threat which has had decades to develop – without the security capacity to tackle that same threat head on.

Cultivating Collaboration
Networking of traditionally non-connected devices brings increased risk not often seen in OT.

Ransomware now presents a threat to OT systems comparable to the one facing IT. To encourage the development of secure OT, decision-makers have the opportunity to look beyond immediate efficiency results.

With rising investment into secure IIoT technology, the natural reaction from market leaders will be to create and develop this infrastructure further to meet product demand.

IIoT technology is heavily influenced by its IoT consumer counterpart, with initial security legislation still some time away.

The level and scale of innovation we see in this area does not lend itself to industrial environments.

Instead, industrial specialists must look to integrate a combined approach – one which takes the efficiency benefits provided by IIoT systems, and integrates them with strong, replicable security practices. To ensure maximum long-term benefit, IIoT technology must be designed, built and installed with security integrated across the product lifecycle and throughout the supply chain – a true collaboration between efficiency and security.

Jalal Bouhdada is the founder and principal ICS security consultant for Applied Risk. He has over 15 years’ experience in ICS security assessment, design and deployment with a focus on process control domain and industrial IT security.

Wednesday, May 10, 2017 @ 12:05 PM gHale

By Jalal Bouhdada
Rising Industrial Internet of Things (IIoT) adoption has led to an increasing convergence between IT (Information Technology) and OT (Operational Technology), and thus, a period of unprecedented productivity potential within industry.

Notably, in 2011, the dollar value of this productivity boost in manufacturing hit $6.1 trillion in “advanced” economies — a huge motivation for further adoption of IIoT technology. This increasing productivity dividend, however, has not been met by a comparable rise in security investment. In 2016, IoT technology was reportedly hacked, on average, within 360 seconds of going online.

As the use of IIoT technology increases in line with growing productivity benefits, the result is a greater level of cyber risk.

Cyber criminals increasingly see critical infrastructure as a high-value target with the potential for a sizeable windfall. Ransomware attacks once exclusively targeted IT systems due to a lack of legacy technology connectivity. As IT and OT converge, hackers can utilize new attack vectors against under-secured technologies using strategies which were not previously available.

In 2016, ransomware attacks increased by almost 17,000 percent from the year prior, with 15 percent directly targeting the mechanical and industrial sectors.

Attacks against critical infrastructure now require fewer resources and often less technical know-how to be successful.

IIoT Blurring the Line
The barriers to undertaking successful attacks on critical infrastructure are quickly being broken down.

This shift is characterized through a greater variety of technology available to hackers and the increasing number of attack vectors now available. With the advent of IIoT technology blurring the lines between traditionally disparate technologies and systems, threats are becoming far more effective.

Traditionally, attacks against critical infrastructure would require vast amounts of capital and manpower to succeed. In recent times, however, researchers have been able to exfiltrate passwords and other data through varying the speed of computer fans, granting access to mission critical systems.

Cybercrime-as-a-Service (CaaS), for example, further reduces the barriers to conducting a successful and often lucrative attack. With malware available for purchase online through the dark web, low-skilled hackers can access highly-effective technology, often paying a percentage of their ‘earnings’ to the program creator in return.

Mirai, the world’s largest IoT botnet, was recently available to hire for as little as $7,500. At this cost, 100,000 bots were available to use, allowing non-skilled threat-actors to undertake distributed denial of service (DDoS) attacks against their target of choice.

Security will Increase Profitability
The industrial landscape is changing, and for emerging business models based around IIoT to thrive, the mindset of security as a cost-center must change.

When recognized as a business enabler, security can end up integrated as an essential part of seamless operations — integral to business productivity. In order to fully secure industrial environments, individual businesses must prioritize the “Secure by Design” concept during product development lifecycles and during new projects.

In addition, the education of staff on security best practices must become a key priority, with this training vital as an essential element of day-to-day activities. This enables staff to better understand the threats affecting their particular work environments, actively mitigating the heightened level of risk experienced in critical infrastructure.

The increase in productivity, and therefore profitability, achieved through the IIoT cannot be overstated. IIoT technology, however, is still very much in its infancy in terms of development and adoption.

For many organizations, though, it still represents a double-edged sword, one that can provide significant competitive advantage, or expose them to exponentially growing risk. As the barriers to attacking critical infrastructure are broken down through unsecure technology, low-skilled hackers with access to advanced technology become a far greater threat.

To mitigate the damage that can be caused by a successful cyberattack, organizations must now solidify the security of their supply chains, ensure their industrial assets are identified, undertake embedded security assessments, and treat security as a continuous process rather than a product.

Jalal Bouhdada is the founder and principal Industrial Control System (ICS) security consultant at Applied Risk. He has over 15 years’ experience in ICS security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.

Wednesday, January 18, 2017 @ 12:01 PM gHale

By Jalal Bouhdada
Manufacturing has entered a digital revolution with the advent of Industry 4.0 or the Industrial Internet of Things (IIoT) putting technology at the heart of processes, increasing quality, speed to market and cost-effectiveness.

However, with opportunity and innovations such as plant-wide connectivity comes threat.

The following is a look at the industrial security threats that should be on the agenda of every security professional in 2017:

IoT botnets – With an increasing number of unsecured IoT devices, we will likely see a greater number of botnets taking control. The Mirai botnet, for example, harvested the power of half a million devices and has already taken down ISPs, shutting down internet access in Liberia. This botnet is also available as a service for purchase on the dark web. This year, we can expect a perfect storm of connected devices heading for critical infrastructure.

Critical infrastructure in cyberwarfare – Greater reliance on insecure networked technology within critical infrastructure leaves holes for threat actors to exploit and nation states are likely to be some of the first with the sophistication to do so. With the changing geopolitical situation in Europe, the U.S. and the Middle East, there will be a greater number of targeted nation-sponsored attacks. Should a breach be successfully carried out, examples of the resulting impact could include black-outs, transportation chaos and the disruption of water source containment.

Black market exploits for SCADA – With business systems under increasing attack, the larger financial reward from successful hacks will only attract more threat actors. This year will see a greater trade in cyber weapons and SCADA exploits through the dark web. IoT botnets are already for sale, with creators requiring a percentage of the money made from an attack, rather than an upfront payment, reducing any barriers to hacking systems.

APTs targeting SCADA systems – Advanced Persistent Threats (APTs), where attackers gain access to a network and remain undetected for long periods, will increasingly target industrial control system architecture such as SCADA. This could impact physical processes and manipulate systems, with the power to damage equipment or even cause severe damage. What remains to be seen is whether these hacks will end up discovered and mitigated, or remain covert.

Drone-based attacks – Hackers are set to better utilize drone technology to break into the networks of industrial facilities. Through hovering close by or even landing on target buildings, drones can be used to bypass any proximity security in place, successfully tracking keystrokes through wireless keyboards, for example. With increasing convergence, successful attacks on IT systems now may provide hackers the means to target operational technology, resulting in unplanned downtime of critical systems.

Jalal Bouhdada is the founder and principal ICS security consultant for ICS security provider Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.

Wednesday, November 30, 2016 @ 11:11 AM gHale

By Jalal Bouhdada
Equipment such as sensors, gateways, processors and actuators continuously evolve, communicating with each other via the internet. Due to this fact, the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) are quickly becoming a business reality within various industrial sectors.

Currently the IIoT is increasingly closing the gap between IT and operational technology (OT), meaning companies have access to real-time critical data in a cost-effective manner.

Enhanced intelligence and fast delivery are key drivers for further investment in IIoT, but as the technology is still in relative infancy, security is a rising concern.

Built in Security
IIoT security requirements are currently in their early stages, as many suppliers’ primary focus remains on the innovative nature and functionality of a product. Security has therefore not been on the agenda of many smart device manufacturers for some time.

That mindset has led to IIoT devices suffering exposure to a wide range of risks. Such risks include distributed denial of service (DDoS) attacks and hackers manipulating data and process values. A prime example of this came about when Applied Risk researchers discovered several flaws in industrial products, which could allow hackers to execute arbitrary code within webpages and modify the settings of vulnerable devices.

The potential ramifications of a breached industrial environment go far beyond the boundaries of cyber space, making it an even greater threat than those seen in traditional IoT networks. This is reflected in the impact on physical processes, as disruption of these can lead to serious consequences such as tripping a plant, overfilling a tank and the release of gas or chemicals. Even more disturbingly, this can result in fatalities, injuries and damage to assets or the environment.

The emergence of IIoT has led to increasing needs and adoption of Internet-enabled devices from various industries. The initial attacks and vulnerabilities discovered should act as a real eye-opener for businesses. These attacks demonstrate the financial and reputational consequences of security not being taken seriously and should also be seen as a wakeup call for industries to address security throughout the lifecycle of these devices. Vendors and suppliers looking to implement security into industrial products from the outset should look at the available security frameworks, such as those from the Industrial Internet Consortium.

Holistic Security Approach
In the grand scheme of things, security should be a holistic process. This means the security of a device should be addressed from the initial phase of a project or initiative. Having the right security requirements as part of the contract and procurement process is hugely important to ensure the supply chain is well controlled. Selecting a product based on the business and technical requirements, backed by the security assessment of the device, is essential to understand a product’s limitations and shortcomings.

With that in mind, businesses can take proactive countermeasures to mitigate risks and function without fear of security-related downtime. This process goes even further once a product is in production to ensure all controls are in place to protect the asset from unauthorized access or tampering. This is an ongoing function that can be supported by technical and procedural controls.

Furthermore, understanding the supply chain and product ecosystem is a complex requirement, entailing a considerable amount of testing. A lot of work can be done to identify physical and logical threats, including testing the embedded security and the integrity of firmware. This can be supported by the review of the Secure Development Lifecycle (SDLC) and application and protocol layers, as well as static code analysis. It is imperative that businesses understand that security should not be considered as an additional function of industrial products, rather it should be thought of as a critical business process to prevent cyberattacks.

Jalal Bouhdada is the founder and principal ICS security consultant for Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.

Wednesday, February 3, 2016 @ 03:02 PM gHale

There are vulnerabilities in products leveraging WirelessHART technology, researchers said.

WirelessHART is a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). The technology is for field devices, which control valves and breakers, collect data from sensors, and monitor industrial environments. The installed base for HART devices is huge throughout the manufacturing automation industry.

Since the security holes it identified have not gone through the patch process, Applied Risk, a company that specializes in securing industrial control systems (ICS), hasn’t disclosed any details.

“Our research team was concerned to find a number of vulnerabilities in various WirelessHART components used across the globe. The majority of plants are unaware of the risks as security assessments at this level have often been overlooked,” said Jalal Bouhdada, founder and principal security consultant for Applied Risk, in a published report in The Register.

“The risks this flaw poses reach far beyond financial loss. The loss of production is a significant issue for manufacturers, as are fines from customers if products aren’t delivered on time. The most serious risk, however, is the loss of life in the case of explosions, especially in hazardous environments,” Bouhdada said.

Some of the vendors whose products ended up affected are aware of the issue and are currently working on addressing the problem.

The vulnerable devices are in facilities across the world in various industries, and a majority of the plants using them are unaware of the risks. An attack would likely go undetected due to the lack of active monitoring systems at this level.

Applied Risk developed its own device designed to help manufacturers identify security flaws in the early stages of development.

Tuesday, July 5, 2011 @ 06:07 PM gHale

By combining two previously developed heatproof and waterproof wireless monitors with a newly developed technology, it may soon be possible to work a GPS through a debris-strewn, thick and smoky building. Working together, the three technologies could lead to a life-saving solution.

One device, the Geospatial Location Accountability and Navigation System for Emergency Responders (GLANSER), crams a microwave radio, a lightweight battery, and a suite of navigation devices into a tracking device the size of a paperback book. In the case of a firefighting incident, GLANSER’s signals come in and go out via a small, USB-powered base station plugged into a laptop on the truck. As firefighters move from room to room and floor to floor, the laptop display animates their every step.

A second device, the Physiological Health Assessment System for Emergency Responders (PHASER), can monitor a firefighter’s body temperature, blood pressure, and pulse, relaying these vitals back to the base station. If a firefighter falls or faints, fellow firefighters can race in, quickly find him, and bring him to safety, guided by GLANSER.

Like the first cordless phones, GLANSER and PHASER transmit at 900 MHz—a frequency that can penetrate walls, given a decent-sized transmitter. But because of their portable size, the transmitters are extremely modest. A wall, or in the case of a wildfire a stand of trees, could stop the signals unless relayed by routers.

That presents a challenge.

That is where a self-powered router comes into play. The Department of Homeland Security’s (DHS) Science and Technology Directorate (S&T) is developing a tiny throwaway router, measuring one inch square by ½ inch thick, that’s waterproof and heat-resistant up to 500° F. The Wireless Intelligent Sensor Platform for Emergency Responders (WISPER) contains a two-way digital radio, antenna, and 3-volt lithium cell.

Each firefighter enters a burning building with five routers loaded into a belt-mounted waterproof canister. If a firefighter steps behind concrete or beyond radio range, the base station orders his canister to drop a “breadcrumb.” The dropped routers arrange themselves into a network. If a router accidentally falls down a stairwell or is firehosed under a couch, the WISPER network will automatically reconfigure.

To an embattled firefighter, a handful of these smart “breadcrumbs” could spell the difference between life and death.

To extract the most life from the router’s tiny battery, WISPER’s designers turned to a simple, low-power communications protocol, ZigBee. ZigBee is tortoise-slow by design; it trades speed for battery life, telegraphing no more than 100 kilobits per second (kbps)—a rate that’s more than 99 percent slower than WiFi.

“Throw in smoke, firehose mist, stairwells, and walls, and you’re down to maybe 10 kbps. But that’s fast enough to tell an incident commander the whereabouts (via GLANSER) and health (via PHASER) of every firefighter in the blaze,” said Jalal Mapar, WISPER’s project manager in S&T’s Infrastructure Protection and Disaster Management Division. “We’re not streaming video that needs a lot of bandwidth, just vital signs and coordinates.”

Oceanit Laboratories, Inc., of Honolulu, and the University of Virginia’s Department of Computer Science developed WISPER’s router, dispenser, and tiny USB base station under an S&T Small Business Innovation Research (SBIR) program.

In March 2011, Oceanit and UVA demonstrated WISPER for S&T at a FEMA office in Arlington, VA. Simulating a squad of firefighters, three router-toting researchers fanned out, dodging around corners, stepping down stairwells. In test after test, their signals stayed strong, even at a range of 150 feet.

Because the SBIR project is a success, S&T hopes a maker will step forward to produce the routers in volume. Once a commercial entity begins production, S&T’s Test & Evaluation and Standards Office will evaluate a sample product for consistency and to ensure it meets the stated performance criteria. S&T will also set industry standards so that other manufacturers will have a set of specifications for design and performance.