Search results

Monday, June 12, 2017 @ 04:06 PM gHale

By Gregory Hale
There is a piece of malware believed to have been used in the December Ukraine substation attack that targeted power grids, researchers said.

The malware was discovered by ESET, which called it Industroyer. The company also shared some data with ICS cybersecurity company Dragos, which tracks it as CRASHOVERRIDE and the attacker that uses it as ELECTRUM.

Industroyer is the fourth such threat known to the ICS industry. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities, BlackEnergy, used in the December 2015 Ukraine power grid attacks, and Havex, used mainly against organizations in Europe.

While they could not confirm the malware was the direct cause of the 2016 power outages in Ukraine’s Kiev region, ESET and Dragos remain confident this is the malware used in the attack.

“The implications of the Crash Override or Industroyer malware are significant,” said Andrea Carcano, co-founder and chief product officer for Nozomi Networks. “Unlike Stuxnet, which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries. We recommend that electric utilities monitor and improve their cyber resiliency programs, including implementing real-time ICS cybersecurity and visibility solutions.”

Dragos said the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET said while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.

Industroyer has been described as a sophisticated modular malware that has several components: A backdoor, a launcher, a data wiper, various tools, and at least four payloads.

These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.

In one theoretical attack scenario described by Dragos in its report, malicious actors use the malware to open closed breakers in an infinite loop, causing the substation to de-energize.

By executing commands in an infinite loop, the attackers ensure that operators of the targeted facility cannot close the breakers from the HMI. This can require operators to interrupt communications with the substation and manually address the issue, which could result in an outage that lasts for a few hours.

In another scenario, the attackers initiate an infinite loop where breakers continually open and close, which can trigger protections and cause the substation to go offline. Experts believe launching such an attack in a coordinated fashion against multiple sites could result in outages that last for a few days.

The malware’s main backdoor component allows attackers to execute various commands on the infected system. It communicates with its command and control (C&C) servers over the Tor network and it can be programmed to be active only at specified times, which are likely mechanisms for avoiding detection.

This component also deploys a secondary backdoor disguised as a Trojanized version of the Windows Notepad application. The main backdoor is also responsible for installing the launcher component, which initiates the wiper and the payloads.

The wiper is apparently designed for the final stages of the attack to help the attackers hide their tracks and make it more difficult to restore affected systems. This includes clearing registry keys, and overwriting ICS configuration and Windows files.

The payloads, which allow attackers to control circuit breakers, leverage industrial communication protocols. This suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.

“After years of working closely with global power generators, we have seen that network communications across grids are usually very stable and that once baselined, it’s possible to detect anomalies,” Carcano said. “Unusual messages using regular power system communication protocols can be identified and flagged, and action can be taken on them before an outage occurs.”

“There seems an undercurrent of surprise or reactionary concern when we hear details on how bad actors are advancing sophisticated means to attack critical infrastructure,” said David Zahn, general manager of ICS Cybersecurity at PAS. “In power, we are in denial that a similar attack could happen in the U.S. We also get mired in misconceptions that we are well prepared because of regulation, or (the idea that) squirrels — yes squirrels — are more likely to bring down power than a hacker. The problem is that nation states have a plan, squirrels do not.

“The latest news about Crash Override is one more wakeup call that we need to become better at the cybersecurity basics which most industrial companies struggle doing today — know what ICS cyber assets you have (from smart field instruments to controllers to workstations), identify and manage vulnerabilities, detect when an unauthorized change occurs, and ensure backups are available.

“It’s easy to hit the snooze button and ignore these kinds of wake-up calls, especially when attacks happen in other countries and regulatory compliance receives such a strong focus within power,” Zahn said. “This is not a path we as an industry can sustain. Flipping the script on prioritizing good cybersecurity over good compliance is a step down a better path.”

Friday, June 9, 2017 @ 05:06 PM gHale

Industrial companies experienced at least one incident in the past 12 months, and the annual cost of an attack can be as high as $500,000, according to a new report.

What is interesting is a majority of those industrial companies said they are well prepared to handle a cyber security incident, according to the report by Kaspersky Lab.

The security firm has conducted a survey of 359 industrial cybersecurity practitioners across 21 countries, mainly from the manufacturing, construction and engineering, and oil and gas sectors.

A strong majority of the respondents (83 percent) said they were prepared to deal with cybersecurity incidents within their industrial control systems (ICS) environment, and 86 percent said they had a dedicated policy or program in place.

However, half of them have experienced between one and five security incidents in the past year, and one percent said they were hit as many as 25 times.

The potential damage from cybersecurity incidents can be considerable. The consequences of these incidents are often far greater than the associated financial losses and reputational damage. Cybersecurity incidents in an ICS environment can:
• Cost lives
• Have a long-lasting impact on the environment
• Attract fines from regulators, customers or partners who have been put at risk
• Result in the loss of a product or service as a result of the breach
• Cause companies to close down completely

“Due to the dynamic nature of cyber-attacks, there are no infallible cybersecurity systems,” said Edgard Capdevielle, chief executive at Nozomi Networks. “However, the risk can be greatly reduced by implementing a layered defense involving anomaly detection with machine learning capabilities where a baseline of industrial control systems can be established and any deviations can be alerted and acted upon. Introducing machine learning and artificial intelligence into the ICS environment is key to faster and more efficient processes for securing unique industrial networks. Finally, closely following the NIST framework and best practices can also improve the risk posture of industrial control systems as standardization helps to facilitate peer-validated security architectures, protocols and guidelines.”

The main concern for organizations is conventional malware infections, which also accounted for the highest percentage of actual incidents, according to the report.

Other areas of concern include threats from third-parties, sabotage or other damage caused from the outside, ransomware, and targeted attacks. Many are also concerned about the impact of employee errors or unintentional actions, and sabotage or intentional damage from the inside.

The companies surveyed by Kaspersky said they spent a lot of money dealing with cybersecurity incidents. The average financial loss was roughly $347,000 per year, but organizations with more than 500 employees said they spent nearly $500,000.

These costs include the bill for addressing the consequences of the incident, software upgrades, staff and training.

As for the ICS security measures taken by organizations, two-thirds of respondents said they rely on anti-malware solutions and security awareness training. Roughly half of companies also use intrusion detection and prevention systems, security audits, unidirectional gateways, vulnerability scanning and patch management, asset identification and management, and anomaly detection.

Kaspersky pointed out the move toward more advanced security technologies in favor of the traditional air-gapping is a good sign.

The report shows the main challenges of managing ICS cyber security are related to finding employees with the right skillset and finding reliable partners for implementing security solutions.

Wednesday, May 31, 2017 @ 02:05 PM gHale

By Heather MacKenzie
The WannaCry ransomware broke onto the world scene May 12 when it infected over 200,000 computers in more than 150 countries.

Thankfully, the impact on critical infrastructure and manufacturing systems was relatively low. While WannaCry’s spread has been curtailed for now, new variants have been reported. This means that now, more than two weeks after the initial attack, critical infrastructure operators and manufacturers need to take measures to protect their Industrial Control Systems (ICS) from the WannaCry family of ransomware.

Immediate actions start with determining whether your systems are vulnerable by identifying computers and devices running Windows operating systems not updated with the latest security patches. You should also identify any devices communicating with the Windows SMB1 protocol, which is used to propagate the malware. If these situations exist, you need to execute a plan to mitigate and protect against these security weaknesses.

While we can take a deep breath that WannaCry did not shut down essential services such as power systems and water systems, the malware is certainly a very loud wake-up call. Let’s look at what can be done immediately, and over the longer term, to prevent and mitigate ransomware infections to industrial systems.

WannaCry Attack
WannaCry inserts itself into networks using email phishing campaigns and then self-propagates using a Windows SMB1 vulnerability. While OT systems should be protected from threats coming from the IT network, nowadays there are many pathways to industrial networks and incidents of transportation and manufacturing systems being infected with WannaCry have been reported.

To determine whether your ICS is at risk, identify which computers and other devices are running old versions of the Windows operating system. Also, identify which network connections are communicating using SMB1.

A way to do this is to use an ICS asset management and visibility tool which can quickly and automatically identify all assets with their operating systems/version numbers, and identify all network connections and their communication method. This will focus your attention on the devices that need patching or other remediation measures. If you do not have technology that does this for you, you will need to consult with OT staff or use other manual methods to identify the vulnerable components of your systems.

While patching industrial devices or changing how they communicate has risks, you need to weigh those risks against the risk of what ransomware might do to your ICS. As part of your action plan, know that Microsoft has made available security patches for out-of-date versions of the Windows operating system.

Here are some resources to help you develop your plan (the first link takes you to the Microsoft free security updates):
• Microsoft Update Catalog
• Customer Guidance for WannaCrypt attacks
• Indicators Associated with WannaCry Ransomware
• For technical details on WannaCry and risk management approaches for enterprise networks, see the FireEye article: WannaCry Ransomware Campaign: Threat Details and Risk Management

Based upon the level of risk to your systems and the impact an infection might create, you can consider a range of responses, from a planned patch/test cycle to the more extreme step of temporarily disconnecting OT and IT networks.

Improve resiliency. A foundational ICS security best practice is to have an updated asset inventory that includes information for each device such as its operating system, version number and known vulnerabilities. In the past, obtaining and maintaining this information for large, heterogeneous industrial systems was time consuming and difficult.
Today, there are solutions that do this quickly and automatically. The main point is to take whatever action is necessary for your organization to have a good asset management program, with real-time visibility and query capabilities.

Patch program. Industrial systems are notorious for not being patched. There are some good reasons for not doing so, because patching may cause an application or an entire process to stop working. Or, the resource requirements to test and safely implement patches may be constrained. Whatever the reason, WannaCry is a shout-out to revisit your patching program. Ideally you don’t want to have to explain how a process or manufacturing system was brought to its knees when a patch that would have prevented the problem was available.

Ensure visibility. Like asset management, historically it was very difficult to have comprehensive visibility and monitoring of large industrial networks and the processes they control. Now, there are new solutions that provide real-time industrial network visualization interfaces, including showing network connections, anomalies and the status of process variables.

In the case of WannaCry, such a system would facilitate detection and remediation in several ways:
• Detecting the anomalous DNS request the ransomware uses to verify whether it should continue with the attack or not. An alert should then generate that provides context about the DNS request and PCAP information to help analyze it.
• Identifying any network connections using the Windows SMB1 protocol. WannaCry communicates using this protocol, and by identifying devices using it, defensive decisions can be taken. For example, spread of the malware would be limited by stopping all SMB1 communications.
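One way to do the SMB1 identification described above from captured TCP/445 payloads, shown here as an added example that is not from the original article or any vendor's product. It separates connections where the server actually answered in SMB1 from those where the client only offered a legacy dialect; the record layout, addresses, helper names and verdict labels are assumptions, and the sample messages are constructed.

```python
import struct
from collections import defaultdict

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72


def parse_smb(payload):
    """Parse one NetBIOS-session-framed SMB message from a TCP/445 payload.

    Returns a dict (version, is_reply, dialects) or None if it is not SMB."""
    if len(payload) < 8 or payload[0] != 0x00:
        return None
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if body[:4] == SMB1_MAGIC and len(body) >= 32:
        command, flags = body[4], body[9]
        msg = {"version": 1, "is_reply": bool(flags & 0x80), "dialects": []}
        if command == SMB1_COM_NEGOTIATE and not msg["is_reply"] and len(body) >= 35:
            # After the 32-byte header: WordCount, parameter words, ByteCount, data
            off = 33 + 2 * body[32]
            byte_count = struct.unpack_from("<H", body, off)[0]
            data = body[off + 2:off + 2 + byte_count]
            # Each dialect is a 0x02 format byte plus a NUL-terminated name
            msg["dialects"] = [d[1:].decode("ascii", "replace")
                               for d in data.split(b"\x00") if d[:1] == b"\x02"]
        return msg
    if body[:4] == SMB2_MAGIC and len(body) >= 64:
        flags = struct.unpack_from("<I", body, 16)[0]
        return {"version": 2, "is_reply": bool(flags & 0x1), "dialects": []}
    return None


def classify_connections(records):
    """Map (client, server) to 'smb1-in-use', 'smb1-offered' or 'smb2-only'.

    records: iterable of (src, sport, dst, dport, payload) tuples (assumed layout)."""
    state = defaultdict(lambda: {"legacy_offer": False, "smb1_reply": False})
    for src, sport, dst, dport, payload in records:
        if 445 not in (sport, dport):
            continue
        msg = parse_smb(payload)
        if msg is None:
            continue
        from_server = sport == 445
        entry = state[(dst, src) if from_server else (src, dst)]
        if msg["version"] == 1 and from_server and msg["is_reply"]:
            entry["smb1_reply"] = True          # server selected an SMB1 dialect
        if any(not d.startswith("SMB 2") for d in msg["dialects"]):
            entry["legacy_offer"] = True        # client still offers SMB1
    verdicts = {}
    for key, entry in state.items():
        if entry["smb1_reply"]:
            verdicts[key] = "smb1-in-use"
        elif entry["legacy_offer"]:
            verdicts[key] = "smb1-offered"
        else:
            verdicts[key] = "smb2-only"
    return verdicts


# --- constructed sample traffic (minimal headers, not real captures) ---
def _frame(body):
    return b"\x00" + len(body).to_bytes(3, "big") + body

def _smb1(reply, data=b""):
    header = (SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4
              + bytes([0x80 if reply else 0x00]) + b"\x00" * 22)
    return _frame(header + b"\x00" + struct.pack("<H", len(data)) + data)

def _smb2(reply):
    header = SMB2_MAGIC + struct.pack("<HHIHHI", 64, 0, 0, 0, 1, int(reply))
    return _frame(header + b"\x00" * 44)

def _dialects(*names):
    return b"".join(b"\x02" + n.encode("ascii") + b"\x00" for n in names)

SAMPLE = [
    # Legacy client and server: SMB1 end to end
    ("10.0.0.5", 49152, "10.0.0.20", 445, _smb1(False, _dialects("NT LM 0.12"))),
    ("10.0.0.20", 445, "10.0.0.5", 49152, _smb1(True)),
    # Multi-protocol negotiate: client offers SMB1, server answers in SMB2
    ("10.0.0.6", 49153, "10.0.0.21", 445,
     _smb1(False, _dialects("NT LM 0.12", "SMB 2.002", "SMB 2.???"))),
    ("10.0.0.21", 445, "10.0.0.6", 49153, _smb2(True)),
    # SMB2-only client
    ("10.0.0.7", 49154, "10.0.0.21", 445, _smb2(False)),
    ("10.0.0.21", 445, "10.0.0.7", 49154, _smb2(True)),
    # Non-SMB and truncated payloads on port 445 are ignored
    ("10.0.0.8", 49155, "10.0.0.21", 445, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.8", 49155, "10.0.0.21", 445, b"\x00\x00\x00\x20\xffSMB"),
]

if __name__ == "__main__":
    for pair, verdict in sorted(classify_connections(SAMPLE).items()):
        print(pair, verdict)
```

Connections reported as "smb1-in-use" are the ones that stopping SMB1 would interrupt; "smb1-offered" clients are candidates for having the legacy dialect disabled without an immediate operational change.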

Review incident response plan. There’s nothing like a fast spreading, real-life malware to test your incident response plan. How well did it work in this case? What could have been improved? Is it time to initiate a process to update the plan? Did alert fatigue plague rapid response? Know that incident correlation and replay features are now available specific to ICS environments that will ease incident management and speed response to major cyber incidents such as those triggered by WannaCry.

In addition, how good are your forensic tools for analyzing cyber incidents? Do you have SIEMs or other solutions in place for identifying OT cybersecurity events and alerting the right people? Do you have tools that provide PCAPs and before/after ICS system snapshots for analyzing events and learning how to prevent them in the future? If not, now is the time to look for solutions that give you these capabilities.

Implement standards. A watershed cybersecurity event like WannaCry will certainly draw the attention of executives and likely a review of current ICS security practices. Where does your organization stand with respect to implementing industrial cybersecurity standards like IEC-62443, the NIST framework or NERC CIP?
These standards help you deploy layered security measures (defense-in-depth) that work to stop and contain cyberattacks that, one way or another, get into the OT network.

Awareness and Training. It is an old adage that the weakest security link in an organization is people. WannaCry is widely believed to have entered systems by people clicking on attachments and/or links in phishing emails.

Ongoing training and awareness, tailored for different user groups is essential.

Like the Conficker worm of 2008, WannaCry 2017 should cause most organizations to re-examine their cybersecurity practices and defenses. While critical infrastructure systems and manufacturers were not significantly impacted this time, your organization’s cyber resiliency may need strengthening to defend against future attacks.

Heather MacKenzie is with Nozomi Networks. This is an excerpt from her blog.

Wednesday, April 26, 2017 @ 12:04 PM gHale

By Thomas Nuth
When it comes to industrial cybersecurity, governments know they need to improve it, industry knows it needs to better understand it and system integrators and automation vendors know they need to offer it.

The truth is while the need for cybersecurity is very apparent, enterprise and industrial networks are still often managed without a cohesive security strategy. And, even after years of being an acknowledged problem, integrated solutions are not in sight.

What’s the reason? First and foremost, there is a lack of expertise in the workforce. Secondly, today’s technologies have focused on modularized solutions for either the enterprise network or the industrial environment, without paying attention to the integration between the two.

Skills Shortage
Cybersecurity for industrial processes suffers partly due to a skills shortage and a lack of integrated IT/OT solutions.

The reason for the cybersecurity deficiency is largely attributed to a general expertise shortage of skilled workforce. There were more than 209,000 unfilled cybersecurity jobs in the U.S. in 2016, up 75 percent from 2015, according to an article in Forbes. From a global perspective, the number is greater than one million. With the huge demand for cybersecurity professionals, even the world’s largest banks, energy companies, and governments can’t seem to find them.

Forbes also found despite the high unmet demand for cybersecurity talent, the market for cybersecurity solutions is expected to continue its growth from $75 billion in 2015 to $170 billion by 2020. All sectors of the economy will have to find innovative ways to scale the expertise of their limited workforces to bring security to extensively connected systems, operations and networks. Innovative cyber tools must lead the way by automating learning of baseline behaviors, network monitoring, and cybersecurity management so few may do the work of many, for corporate and Industrial Control System (ICS) security.

Siloed Security
While the staggering number of unfilled jobs mentioned in the Forbes article speaks for itself, technology is partially to blame for the cybersecurity deficiency companies and governments face today. This is especially true in non-enterprise sectors such as utilities, oil and gas and industrial manufacturing.

From an industrial and enterprise networking view, cybersecurity has been addressed from two diverse perspectives. From either direction, cybersecurity has been shortsighted by an approach that limits the focus to the reach of each group’s network domains. The reason for this shortcoming is the industrial automation space (OT) and the enterprise software space (IT) are being forced to connect with one another in terms of solutions delivery, operations management and customer outreach, but security integration has not always followed suit.

Automation, Integration Keys
As the backbone of critical infrastructure, ICSs are ubiquitous in all industries including transportation, water/wastewater and energy, to name a few.

With this said, threat management needs to scale to endpoints throughout the industrial network – such as sensors, PLCs, data loggers and HMIs. Furthermore, as the use of desktops, laptops, tablets and smartphones has come into play, the reach of the ICS domain has grown rapidly. A solution that combines automated anomalous detection of ICS security issues, along with proactive threat remediation and containment, is required if security is to scale beyond the OT/IT divide.

When it comes to cybersecurity, less attention needs to be paid to the categorization of OT vs. IT, and more on holistic integration between the two. Leaving ICS without highly-scalable, automated, real-time cybersecurity visibility means our largest industries and government services will continue to be vulnerable to cyber threats.

The good news is automated machine learning and rapid evaluation of data using artificial intelligence is coming into play. These tools meet the needs of securing industrial networks and processes yet integrate with IT security infrastructure to bridge the OT/IT divide.

Thomas Nuth is a product director at Nozomi Networks. He is an expert in industrial networking and enterprise middleware technologies and was the first chair of the Industrial Internet Consortium (IIC) Energy Charter. This is an excerpt from a Nozomi Networks series of blogs.

Wednesday, March 22, 2017 @ 12:03 PM gHale

Nozomi Networks’ SCADAguardian solution architecture.

Nozomi Networks Inc. issued its latest release of SCADAguardian, a cybersecurity risk detection solution.

The release supports operational visibility and ICS cybersecurity with new modules for Asset Management and Vulnerability Assessment.

It also introduces Dynamic Learning for configuration-free deployments. This gives energy utilities, oil and gas operators and manufacturers a solution to monitor control networks for cybersecurity and operational anomalies.

“At Vermont Electric our mission is to provide safe, affordable, and reliable energy services to our members,” said Kris Smith, SCADA and operations engineering manager. “In order to do that, we need both operational visibility and cybersecurity protection for our critical operations systems.”

“Our customers love the way SCADAguardian uses AI (artificial intelligence) and machine learning to deliver effective ICS cybersecurity and anomaly detection,” said Nozomi Networks co-founder and chief product officer, Andrea Carcano. “But, similar to the needs at Vermont Electric, many were asking if we could leverage that functionality to help streamline operational tasks. That’s why we are offering new modules that simplify operations and ultimately improve operational visibility and monitoring for stronger cyber resilience and ICS reliability.”

For industrial operators, tracking assets and knowing their configuration and firmware versions, as well as other attributes, is often a lengthy manual process prone to human error and hard to keep up-to-date. SCADAguardian 17.0 automates asset tracking, keeps information current, and makes it easy to visualize, find and drill down on asset information such as software and hardware versions. Alerts, consolidated into context-aware incidents, notify operators of changes that may indicate a cybersecurity or operational incident.

In addition, the release makes it possible for operators to stay on top of device vulnerabilities, updates and patch requirements. By constantly analyzing industrial network assets against a state-of-the-art repository of ICS vulnerabilities, SCADAguardian saves time and improves cyber resiliency.

When it comes to comprehensive ICS modeling, the new release supports AI and machine learning. Until now, operators had to perform a configuration step in order to switch the system from learning to protection mode. Now learning granularity has increased, so learning and the switch to protection happen automatically per node and per network segment. Stable network nodes and segments become protected automatically.

Wednesday, January 18, 2017 @ 02:01 PM gHale
Jacobs and Bedrock inked a deal to sell the Bedrock control system in selected projects.

Bedrock Automation signed a memorandum of agreement with Jacobs Engineering Group Inc. where both firms will jointly offer secure open automation solutions.

Under the agreement, the companies will pursue selected projects with automation system requirements for potential implementation of the Bedrock Open Secure Automation system.

“Our clients are increasingly concerned about both cyber security and advanced automation and we have been creating innovative service packages to meet these needs,” said Jacobs’ Mission Solutions Chief Technology Officer Dr. Tommy Gardner. “Bedrock Automation has excellent experience and superior designs in this area. I am impressed with their comprehensive background and knowledge in the industrial DCS and PLC arena.”

The Bedrock control system employs its patented Black Fabric Cybershield architecture, which provides an intrinsic cyber secure automation platform to protect user hardware, software and applications.

“Jacobs is taking a leadership role in integrating the next generation of information and automation technologies for its clients,” said Bedrock Automation President Bob Honor. “We see this as a tremendous opportunity to bring our technology and our vision of holistic cyber security to a much larger audience.”

Monday, January 16, 2017 @ 03:01 PM gHale

Kaspersky Lab launched a security intelligence service able to handle enterprise incident response and cybersecurity forensics capabilities.

This 24/365 web service helps businesses analyze digital evidence in light of a security incident and obtain the insights needed to speed up detection and remediation.

Detection and response are some of the most time-critical activities on the agenda of security operations centers (SOCs) in organizations around the world, and both require reliable security intelligence. Based on validated security intelligence data, Kaspersky Threat Lookup provides a tool for enterprises to improve their incident response and forensics; offering reliable, aggregated, retrospective and global insight on the latest threats, as well as legitimate objects.

Time is the crucial factor in incident detection and response, according to a survey of more than 4,000 business representatives worldwide, conducted by Kaspersky Lab and B2B International in 2016.

The survey findings show enterprises pay more than double in recovery costs if they are unable to detect a security breach in a short amount of time.

The average recovery cost of a breach that is undetected for a week or more is over $1 million, while instantly discovered incidents cost an average of $400,000 to mitigate, almost half of the overall industry average.

Kaspersky Threat Lookup is a solution that corporate IT security teams can leverage to accelerate their incident response and forensic capabilities. Once suspicious indicators such as IP address, URL or file hash have been identified by a corporate IT security officer, they can be entered into the Kaspersky Threat Lookup service web interface. In return, users receive information about potential threats and receive global insights that can help them identify an attack in progress.

Kaspersky Lab’s security intelligence is collected from various sources, including Kaspersky Lab’s security network, spam traps, botnet monitoring initiatives and web crawlers. More importantly, that data is constantly being cross-checked by Kaspersky Lab’s own research team and automatically correlated.

The solution offers corporate security officers contextual intelligence capabilities, enabling them to quickly investigate the source of the problem, distinguish between potentially malicious and benign actions, and obtain data for fast and efficient incident investigation. Kaspersky Threat Lookup allows SOC operators to prioritize and act efficiently in the typical scenario of hundreds and thousands of alerts received every day.

Friday, January 13, 2017 @ 05:01 PM gHale

A draft update to the Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework, is available.

Providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity, the goal of the updated framework is to further develop the National Institute of Standards and Technology’s (NIST) voluntary guidance to organizations on reducing cybersecurity risks.

The Cybersecurity Framework was published in February 2014 following a collaborative process involving industry, academia and government agencies, as directed by a presidential executive order.

The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the critical infrastructure, such as bridges and the electric power grid, but the framework has been widely adopted by many types of organizations across the country and around the world.

The 2017 draft Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 incorporates feedback since the release of framework version 1.0, and integrates comments from the December 2015 Request for Information as well as comments from attendees at the Cybersecurity Framework Workshop 2016.

“We wrote this update to refine and enhance the original document and to make it easier to use,” said Matt Barrett, NIST’s program manager for the cybersecurity framework. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”

To assist users wanting to apply the framework to cyber supply chain risk management, the authors developed a vocabulary so all organizations working together on a project can clearly understand cybersecurity needs. Examples of cyber supply chain risk management include a small business selecting a cloud service provider or a federal agency contracting with a system integrator to build an IT system.

In the renamed and revised “Identity Management and Access Control” category, the draft clarifies and expands the definitions of the terms “authentication” and “authorization.” Authors also added and defined the related concept of “identity proofing.”

“In the update we introduce the notion of cybersecurity measurement to get the conversation started,” Barrett said. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” he added.

The deadline to send comments on the draft Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 is April 10. Please send comments to Cyberframework.

Tuesday, January 10, 2017 @ 04:01 PM gHale

By Suzanne B. Schwartz
Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan.

The industry now has advice from the Food and Drug Administration (FDA) across this product continuum with the release of a final guidance on the postmarket management of medical device cybersecurity. It joins an earlier final guidance on medical device premarket cybersecurity issued in October 2014.

To understand why such guidance is so important for patients, caregivers and the medical device community, we need to take a step back and look at how cybersecurity fits into the medical device ecosystem.

In today’s world of medical devices connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality.

Security Lifecycle
The best way to combat these threats is for manufacturers to consider cybersecurity throughout the total product lifecycle of a device. In other words, manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.

Today’s postmarket guidance recognizes today’s reality – cybersecurity threats are real, ever-present, and continuously changing. In fact, hospital networks experience constant attempts at intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve.

With this guidance, we now have an outline of steps the FDA recommends manufacturers take to remain vigilant and continually address the cybersecurity risks of marketed medical devices. Central to these recommendations is FDA’s belief that medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks.

This means manufacturers should, among other things:
• Have a way to monitor and detect cybersecurity vulnerabilities in their devices
• Understand, assess and detect the level of risk a vulnerability poses to patient safety
• Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
• Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm

This approach enables manufacturers to focus on continuous quality improvement, which is essential to ensuring the safety and effectiveness of medical devices at all stages in the device’s lifecycle.

NIST Framework
In addition, it is paramount for manufacturers and stakeholders across the entire ecosystem to consider applying the National Institute of Standards and Technology’s (NIST) core principles for improving critical infrastructure cybersecurity: to identify, protect, detect, respond and recover. Only the application of these guiding principles, executed alongside best practices such as coordinated vulnerability disclosure, will allow us all to navigate this uncharted territory of evolving risks to device security.

This is clearly not the end of what FDA will do to address cybersecurity. We will continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats, and intend to adjust our guidance or issue new guidance, as needed.

Digital connections power great innovation—and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve health care can increase cybersecurity risks. This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done.

Suzanne B. Schwartz, M.D., M.B.A., is the Food and Drug Administration’s associate director for science and strategic partnerships, at the Center for Devices and Radiological Health. This article was obtained via ICS-CERT.

Monday, January 9, 2017 @ 05:01 PM gHale

Relative industry newcomer Nozomi Networks released the latest version of SCADAguardian, which allows engineers and operators to protect against cybersecurity attacks, monitor processes and manage ICS environments.

Last year, 295 critical infrastructure attacks were reported to the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) division of the US Department of Homeland Security, according to its annual report. But everyone knows that is just the tip of the iceberg.

Concerns about ICS vulnerabilities and incidents continue to grow as attacks have increased from only a few each year to an incident every day.

“In the United States and globally the security of systems that control electric power, water, and oil & gas are at risk and need the most advanced technologies possible to protect operations from disruption,” said 451 Research Analyst Christian Renaud.

Launched in 2013, Nozomi Networks applied advanced machine learning and behavior detection to ICS networks. Its flagship product, SCADAguardian, monitors more than 50,000 industrial devices in dozens of multinational customer sites spanning oil & gas, electric utilities, manufacturing and transportation. One operator is Enel, a multinational energy company and a leading integrated electricity and gas operator.

SCADAguardian brings users:

ICS Cybersecurity: Allows users to rapidly detect cyber incidents and process anomalies. Nozomi Networks bridges automation, machine learning and network behavior analytics with ICS cybersecurity for deep detection of ICS risks and rapid prevention or mitigation of impacts. SCADAguardian’s Time Machine capabilities provide network and process snapshots to support forensic investigations and compliance reporting. It also provides capabilities to help with response and remediation. SCADAguardian supports Zero Day detection, integration with firewalls and SIEMs, ICS incident alerting and notification, and end-to-end detection of attack activities, from reconnaissance, to command-and-control, to malicious actions.

Operational Visibility: Users can monitor processes. It supports real-time process monitoring and baselining with high granularity. Non-intrusive real-time mapping, monitoring and visualization provide immediate insights for faster troubleshooting and remediation of IT and operational issues without impacting industrial processes.

SCADAguardian enhancements include:
• Incident management that automatically aggregates multiple alerts and messages into incidents, using intelligent correlation heuristics. Instead of receiving multiple alerts that need to be associated to their logical cause, SCADAguardian groups those alerts by incident, providing an explanation of the cause, and making it more actionable for the operator. Operators can easily manage their networks at a level that makes the most sense.
• Customizable portable dashboards that simplify and streamline the standardization of corporate policy, security monitoring, and operational reporting across plants, entities, and even industries. Not only can industrial operators share and standardize dashboards between their plants, system integrators and resellers can also incorporate SCADAguardian’s dashboards into the compliance or operational services they sell.
• Time machine allows operators to compare a complete model of their plant and process at two different times in order to understand and visualize changes in the ICS environment with the highest possible context and granularity. This functionality is now fully integrated and seamlessly available throughout SCADAguardian to improve analysis and remediation of alerts and incidents.
• Performance optimization delivers a 20x improvement on response times, giving customers instantaneous answers to complex ad-hoc queries and assertions, along with compliance checks against NIST or NERC that are continuous and in real-time.