Wednesday, October 11, 2017 @ 04:10 PM gHale

Nozomi Networks inked a partnership pact with FireEye to provide ICS visibility across IT and OT environments.

“Adversaries are increasingly targeting critical infrastructure around the world and operators are prioritizing cybersecurity for industrial control systems and other types of operational technology,” said FireEye CTO Grady Summers. “After extensive review, we chose Nozomi Networks because their platform provides … capabilities which allow us to detect anomalies and proactively hunt for threats within industrial environments.” 

Organizations in industries from energy to manufacturing are becoming increasingly reliant on the interconnection between information technology networks and industrial control systems. Connectivity between these systems introduces new risks and challenges for those looking to manage them with a single enterprise-wide security solution.

FireEye’s solutions for critical infrastructure and industrial control systems offer an integrated suite of security services from initial assessment to outsourced management.

With FireEye, organizations can develop and manage enterprise-wide security programs designed to ensure operational continuity of their most critical assets. With the added visibility from the Nozomi technology integration, users can improve their detection and response capabilities.

Tuesday, September 26, 2017 @ 03:09 PM gHale

By Gregory Hale
Manufacturing is in plain sight for bad guys planning a cyberattack or cyberespionage, a new report found.

And why not? For the most part, manufacturing remains low-hanging fruit for anyone wanting to get in and abscond with data, money, or intellectual property.

The scope and diversity of cyber threats to manufacturers have grown from Stuxnet or Shamoon-like attacks to the relatively frequent ransomware risks.

Beyond malware attacks on industrial firms, cyberattacks on manufacturers can include efforts to corrupt data, steal intellectual property, sabotage equipment, and disable networks. The motives and impacts vary widely, but all such cyberattacks cost time and money to firms and their customers. These growing cyberattacks pose increasing risks to economies and societies at large.

The report said there is a critical need for U.S. government and industry to build an effective cybersecurity framework to safeguard against a future major attack on the U.S. manufacturing industry.

The report, entitled “Cybersecurity for Manufacturers,” came from the Computing Research Association’s Computing Community Consortium (CCC) and MForesight, a federally-funded consortium for the U.S. manufacturing industry.

While cyberattacks still most often target high profile sectors such as financial services, public administration, and utilities, manufacturing as an industry is a significant target.

“In the past, the manufacturing sector has been concerned about cyberattacks that aim to extract intellectual property such as engineering information, formulas, or other proprietary data that might be the target of industrial espionage,” said Edgard Capdevielle, chief executive at Nozomi Networks. “However, recent attacks on a wide range of industries have raised concern about the resiliency and reliability of the supply chain that is critical to manufacturing operations and to other aspects of national security, such as military equipment and supplies. Now manufacturers have joined the ranks of other critical infrastructure industries taking steps to secure not only their intellectual property, but also their operational systems and industrial control systems (ICS) that comprise the foundation of production line operations. Leading edge companies are using technologies that apply artificial intelligence and machine learning for real-time detection and response to cyber-attacks. The frequency and sophistication of cyberattacks targeting manufacturing is likely to accelerate. Fortunately, the latest technological advances are giving manufacturers the tools to help detect and remediate their operations amid an escalating threat landscape.”

The scale and variety of cyberattacks on U.S. manufacturers have been growing in recent years and are quickly approaching a critical level.

The lack of recognition of the threat may represent the greatest risk of cybersecurity failure for U.S. manufacturers, since they are the targets of nearly half the known global cyberattacks on manufacturing, the report found.

Manufacturers are often the targets of cyber-espionage attacks that seek to steal intellectual property (IP) and trade secrets.

Citing research done by Symantec, the report found more than half of successful IP thefts involved state-affiliated actors, and 57 percent of these attacks had their origins in China—although detection of Chinese-origin malware has fallen following a 2015 cyber agreement signed between the United States and China.

There are no simple solutions, but the report discussed a few options:
• Manufacturers need trusted third-party partners, and there’s space for the creation of a new public-private partnership focused on manufacturing supply chain cybersecurity.
• Public and private partners can expand and coordinate manufacturing cybersecurity “boot camps” to boost awareness of best practices and train key manufacturing personnel to mitigate risks.
• There is a need for R&D investment in solving near-term security challenges and seizing opportunities, including automated risk assessment tools, tools to audit the extent of attacks, and robust parts and data validation.
• There is also a need for long-term research investments, like the creation of “security reference architectures” for manufacturing. This means working to define Information Technology and Operational Technology functions as well as consistent standards and integration requirements for diverse players and system “touchpoints.”
• Information-sharing matters. An Information Security Advisory Council (ISAC) or similar body could facilitate fault-free, anonymous sharing on incidents, threats, vulnerabilities, best practices, and solutions. Existing ISACs provide useful models.

Thursday, September 21, 2017 @ 02:09 PM gHale

Iran appears to be a hotbed of cyber espionage activity, as researchers have linked a group focusing on aerospace and energy companies to the country’s government.

The group, which security firm FireEye is calling APT33, has been linked to the Iranian government, has existed for at least four years, and is now targeting companies in the U.S., Saudi Arabia and South Korea.

Since mid-2016, the security firm has spotted attacks by this group aimed at the aviation sector, including military and commercial aviation, and at energy companies with connections to petrochemical production, FireEye researchers said in a blog post written by Jaqueline O’Leary, Josiah Kimble, Kelli Vanderlee, and Nalani Fraser.

“APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea,” the researchers said. “APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.”

The attackers focused on a U.S. aerospace company, a Saudi Arabian business with aviation holdings, and a South Korean firm involved in oil refining and petrochemicals.

In addition, the hackers used job vacancies at a Saudi Arabian petrochemical firm to target the employees of organizations in South Korea and Saudi Arabia.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” the researchers said.

“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,” the company added.

“The emergence of the Iranian hacker group APT33 reinforces the concerns of cybersecurity stakeholders that have been highlighted in the 2017 SANS Survey, regarding the fact that this hacking group seems to be state-funded and is actively targeting industrial networks using conventional IT network channels,” said Edgard Capdevielle, chief executive of Nozomi Networks. “In the case of APT33, the group attacks their targets using job recruitment phishing emails aimed at the aerospace industry. While the geo-political motivations of APT33 are targeted against Saudi Arabian interests for now, global aerospace and energy organizations should take notice of APT33’s methods of attack to implement proper detection and remediation strategies.”

According to FireEye, the cyber espionage group sent hundreds of spear phishing emails last year. They set up several domains made to look as if they belonged to Saudi aviation firms and international organizations that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.

The malware used by the group includes a dropper tracked by FireEye as DROPSHOT, a wiper named SHAPESHIFT, and a backdoor called TURNEDUP. DROPSHOT was previously analyzed by Kaspersky, which tracks it as StoneDrill.

“We assess an actor using the handle “xman_1365_x” may have been involved in the development and potential use of APT33’s TURNEDUP backdoor due to the inclusion of the handle in the processing-debugging (PDB) paths of many of TURNEDUP samples,” the researchers said.

In short, FireEye researchers said the attackers were seeking information to help the government’s various causes.

“Based on observed targeting, we believe APT33 engages in strategic espionage by targeting geographically diverse organizations across multiple industries,” the researchers said. “Specifically, the targeting of organizations in the aerospace and energy sectors indicates that the threat group is likely in search of strategic intelligence capable of benefitting a government or military sponsor. APT33’s use of multiple custom backdoors suggests that they have access to some of their own development resources, with which they can support their operations, while also making use of publicly available tools. The ties to SHAPESHIFT may suggest that APT33 engages in destructive operations or that they share tools or a developer with another Iran-based threat group that conducts destructive operations.”

Tuesday, August 8, 2017 @ 05:08 PM gHale

A new reference to support a workforce capable of meeting an organization’s cybersecurity needs has just been released by the National Initiative for Cybersecurity Education (NICE).

Special Publication 800-181, the NICE Cybersecurity Workforce Framework, provides organizations with a common, consistent lexicon that categorizes and describes cybersecurity work by category, specialty area, and work role.

The NICE Cybersecurity Workforce Framework (NICE Framework) improves communication about how to identify, recruit, develop, and retain cybersecurity talent. It is a resource from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of workforce development, planning, training, and education.

It also provides a superset of cybersecurity knowledge, skills, and abilities (KSAs) and tasks for each work role. The NICE Framework supports consistent organizational and sector communication for cybersecurity education, training, and workforce development.

“The first draft of the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework will help critical infrastructure companies like oil and gas, power, water, manufacturing etc., to accelerate its hiring practices to close the skills gap in cybersecurity,” said Edgard Capdevielle, chief executive at Nozomi Networks. “They will now be able to articulate cybersecurity roles, area of specialty, category of work, and describe the knowledge, skills, and abilities of cybersecurity professionals that are needed. While it will take time to expand the workforce, new technologies are being applied that use Machine Learning (ML) and artificial intelligence (AI) to automate aspects of cybersecurity monitoring and detection. In areas of cybersecurity specialization such as industrial control systems where a cyberattack could have catastrophic effects, the combo of training and automation are speeding efforts to combat and remediate cyberattacks.”

The concept for the NICE Framework began before the establishment of NICE and grew out of the recognition that the cybersecurity workforce in the public and private sectors could not be defined and assessed.

To address this challenge, more than 20 departments and agencies, the private sector, and academia came together to provide a common understanding of cybersecurity work. That common understanding has been expressed in two previous versions of the NICE Framework and has evolved with further engagement between the government, private sector, and academia.

The audiences for the framework are:
Employers — To help define their cybersecurity workforce, identify critical gaps in cybersecurity staffing, and create position descriptions consistent with national language.
Current and future cybersecurity workers — To help explore tasks and work roles and assist with understanding the KSAs being valued by employers for in-demand cybersecurity jobs and positions. Staffing specialists and guidance counselors are also enabled to use the NICE Framework as a resource to support these employees or job seekers.
Training and certification providers — To help current and future members of the cybersecurity workforce gain and demonstrate the KSAs.
Education providers — To help develop curriculum, certificate or degree programs, and research that cover the KSAs and tasks described.
Technology providers — To identify cybersecurity Work Roles and specific Tasks and KSAs associated with services and hardware or software products they supply.

Tuesday, August 8, 2017 @ 04:08 PM gHale

By Thomas Nuth
In the last decade market and cost pressures have driven significant technological advances in automation and industrial connectivity across all aspects of petroleum extraction, pipeline transport and refining.

While technological advances are delivering business benefits, systems now end up exposed to more cyber risks than ever before.

Yet, according to a 2017 survey by the Ponemon Institute, the deployment of cybersecurity measures in the oil and gas industry isn’t keeping pace with the growth of digitalization in operations.

In fact, 35 percent of respondents in the Ponemon survey rate their organization’s OT cyber readiness as high while 61 percent said their organization’s industrial control systems (ICS) protection and security is not adequate.

One way to overcome the ICS cybersecurity gap is to utilize next generation technology that leverages machine learning and artificial intelligence (AI) to deal with system complexity and deliver immediate benefits.

Here are two cases of how a passive ICS anomaly detection and monitoring solution secures pipeline networks.

While the oil and gas sector, including pipeline operators, is embracing technological advancements, risks from cyber threats are outpacing cybersecurity measures.

Efficiency of Equipment Commissioning
Quality assurance and quality control (QA/QC) is big business — and a big undertaking for oil and gas operations teams.

Typically, within the DCS/SCADA command structure, each controller and endpoint must be tested under various process stress factors and the results reported in a full-loop test. For example, a test engineer must command a valve to turn a certain percentage under various operational circumstances and record the impact on latency, availability, failure risk etc. This must be done in compliance with various regulations and the results reported.

If a network or device is added into the DCS/SCADA, the process must be repeated. This is arduous and resource-intensive; even more so for remote pipeline networks. However, a passive industrial cybersecurity and operational visibility solution deployed in the industrial network makes these processes more efficient.

How? Let’s first take a step back and explain how the solution is deployed and works:
• Passive ICS cybersecurity modules are deployed in the industrial network by being attached to mirror or SPAN ports of networking equipment at key segment points.
• The modules copy network traffic to themselves for rapid learning and analysis.
• No out-of-network data is added to the ICS network, and production is not impacted. There is no impact on latency, no risk of intrusion and no risk of network downtime.
• The ICS cybersecurity appliance leverages machine learning and AI techniques to rapidly analyze huge volumes of network communication and process variable data that are extremely difficult to evaluate any other way.
• This “smart” data analysis is used to model the pipeline system, and develop process and security profiles specific to it.
• Once baselines are established, high speed behavioral analytics are used to constantly monitor it.
• The result is the rapid detection of anomalies, including cyberattacks, cyber incidents and critical process variable irregularities.
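The learning and monitoring phases in the list above, reduced to their core as an added example (not code from the article or from Nozomi Networks): a baseline of hosts, conversations and process-variable ranges is learned from a window of passively observed records, then later records are checked against it. The flow records, addresses and tag values are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed records standing in for what a sensor on a SPAN port would parse:
# one record per observed request, with any process variable it carried.
# Addresses, tag names and values are made up for this example.
LEARNING_WINDOW = [
    {"src": "10.1.1.10", "dst": "10.1.1.20", "proto": "modbus", "tags": {"pipeline_psi": 850.0}},
    {"src": "10.1.1.10", "dst": "10.1.1.20", "proto": "modbus", "tags": {"pipeline_psi": 870.0}},
    {"src": "10.1.1.20", "dst": "10.1.1.30", "proto": "modbus", "tags": {}},
    {"src": "10.1.1.10", "dst": "10.1.1.20", "proto": "modbus", "tags": {"pipeline_psi": 860.0}},
]
MONITORING_WINDOW = [
    {"src": "10.1.1.10", "dst": "10.1.1.20", "proto": "modbus", "tags": {"pipeline_psi": 855.0}},
    {"src": "10.1.1.99", "dst": "10.1.1.20", "proto": "modbus", "tags": {}},  # newly added host
    {"src": "10.1.1.10", "dst": "10.1.1.20", "proto": "modbus", "tags": {"pipeline_psi": 1200.0}},
]


@dataclass
class Baseline:
    devices: set = field(default_factory=set)        # every host seen talking
    conversations: set = field(default_factory=set)  # (src, dst, protocol) triples
    tag_range: dict = field(default_factory=dict)    # tag -> (min, max) observed


def learn_baseline(records):
    """Passive learning phase: record which hosts talk, over which protocol,
    and the value range of each process variable. Nothing is sent on the wire."""
    b = Baseline()
    for r in records:
        b.devices.update((r["src"], r["dst"]))
        b.conversations.add((r["src"], r["dst"], r["proto"]))
        for tag, value in r["tags"].items():
            lo, hi = b.tag_range.get(tag, (value, value))
            b.tag_range[tag] = (min(lo, value), max(hi, value))
    return b


def detect_anomalies(baseline, records, tolerance=0.10):
    """Monitoring phase: compare each record against the baseline and return
    (kind, detail) alerts. `tolerance` widens each learned value range by a
    fraction of its span so ordinary jitter does not alert."""
    alerts, reported_hosts = [], set()
    for r in records:
        for host in (r["src"], r["dst"]):
            # A host absent from the learning window: the commissioning case in
            # the text, where a newly added device is surfaced immediately.
            if host not in baseline.devices and host not in reported_hosts:
                reported_hosts.add(host)
                alerts.append(("new_device", host))
        triple = (r["src"], r["dst"], r["proto"])
        if triple not in baseline.conversations:
            alerts.append(("new_conversation", triple))
        for tag, value in r["tags"].items():
            if tag not in baseline.tag_range:
                alerts.append(("new_tag", tag))
                continue
            lo, hi = baseline.tag_range[tag]
            margin = (hi - lo) * tolerance
            if not (lo - margin <= value <= hi + margin):
                alerts.append(("tag_out_of_range", (tag, value, (lo, hi))))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(LEARNING_WINDOW)
    for kind, detail in detect_anomalies(base, MONITORING_WINDOW):
        print(f"{kind:18} {detail}")
```

A real deployment would learn over days rather than four records and would key conversations on function codes and register addresses as well, but the three alert kinds (new device, new conversation, process value outside its learned range) are the ones the commissioning scenario relies on.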

In the commissioning scenario, new devices added to the network are quickly identified and highlighted in dashboards and reports using a central management console. Device information such as location, protocols, connections, manufacturer and model number is all available from the remote location.

A test engineer can check device performance by running queries and monitoring the values of process variables against established baselines to detect anomalies. This improves operator productivity and shortens the time to deployment of new equipment.

Schematic showing the deployment of passive ICS security modules at various oil and gas sites. Real-time anomaly detection data and monitoring information from these sites can be monitored at central controls rooms or SOCs.

How to Improve ICS Cybersecurity
Good ICS cybersecurity solutions provide operators the ability to monitor networks and security risks across multiple site locations. This is important for achieving robust cybersecurity monitoring and operational excellence in any large-scale oil and gas control endeavor.

Typically, this is achieved with a multi-tiered ICS cybersecurity approach whereby geo-distributed networks with passive ICS cybersecurity appliances link together with a centralized console or virtual interface. This allows offsite, centralized, real-time monitoring of cyber threats and risks, anomalous changes to pipeline flow variables and network communication irregularities.

If cyber risks or new nodes end up detected, field operations and centralized control can work in concert to identify, evaluate and consistently improve operations and mitigate risk. This is directly applicable to pipeline networks where small changes in traffic flows or device behavior could indicate a cyber threat or potential point of failure.

An enterprise-ready passive ICS cybersecurity solution allows OT and IT users alike to clone useful dashboards and network queries for use on new appliances. Items like table views, compliance metrics and report templates are quickly duplicated, giving a unified approach to ICS security and operational management. Device and network traffic can easily be compared from site to site, significantly reducing mitigation, troubleshooting and forensic efforts.

Cybersecurity Gap
To deal with the challenges of increasing digitization and cyber risks, oil and gas operators need to be aware of how new technology solutions can help. Passive ICS anomaly detection tools can utilize machine learning and AI to quickly learn complex pipeline systems and monitor them in real-time.

This solution is non-intrusive, simple to deploy, and immediately starts providing useful, actionable information that reduces cyber risks and improves operational efficiency.

Furthermore, with flexible data aggregation available via the enterprise-ready central management console (CMC), real-time cybersecurity and operational visibility is available across decentralized and geographically dispersed operations.

Thomas Nuth is global director, product and solutions technology at Nozomi Networks. This was an excerpt from a Nozomi Networks blog.

Monday, July 10, 2017 @ 05:07 PM gHale

While they have been going on for a while, the attacks making news lately, which focused on energy facilities in the U.S., used an approach called template injection, researchers said.

While attacks against energy companies like nuclear plants are nothing new, they did garner some attention when The New York Times obtained a joint report issued by the Department of Homeland Security and the FBI warning of cyberattacks targeting manufacturing plants, nuclear power stations and other energy facilities in the U.S. and elsewhere.

The attacks hit the business and administrative systems of at least a dozen power firms in the United States, including the Wolf Creek nuclear facility in Kansas.

The campaign has been active since at least May and an initial investigation showed the techniques used by the hackers were similar to ones associated with a Russia-linked threat actor tracked as Crouching Yeti, Energetic Bear and Dragonfly, according to the FBI/DHS report the Times obtained.

“The U.S. has to assume that all parts of critical infrastructure are being probed for vulnerabilities 24 by 7 from a risk management point of view,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “While Information Technology (IT) and Operation technology (OT) that control the electric grid systems and other critical infrastructure are separated, there have been increasing connections that warrant the use of real-time anomaly detection and machine learning. Risk management is an ongoing process. Up to date patching and the use of artificial intelligence and machine learning helps to harden the security that guards industrial control systems.”

The FBI/DHS alert said the attackers sent malicious emails to senior industrial control engineers in an effort to deliver malware designed to harvest credentials and allow them to access the targeted organization’s network.

Researchers at Cisco Talos viewed these attacks and found some of the malicious Word documents used by the hackers to gain access to the targeted organization’s network. The attacks focused on critical infrastructure firms around the world, but the primary targets appear to be the United States and Europe.

The malicious documents, disguised as resumes and environmental reports, don’t rely on traditional methods, such as VBA macros or other embedded scripts, to deliver malware, the researchers said. Instead, when the victim opens the phony document, a template file is loaded from an attacker-controlled SMB server while Word is still loading the document.

Loading the template file in what is known as a template injection attack allowed the attackers to silently harvest SMB credentials.
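The attached template that Word fetches on open is recorded inside the document package itself, so a mail gateway or analyst can find such a lure before anyone opens it. As an added example (not code from the article, Cisco Talos or FireEye), this Python script builds a constructed .docx in memory and inspects its relationship parts for external targets on a remote host; the `example.invalid` host is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Target forms that make Word contact another host when the document opens:
# UNC paths (SMB) and URLs. A plain file name such as Normal.dotm is local.
REMOTE_TARGET = re.compile(r"^(\\\\|//|https?://|file://)", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (part, relationship type, target) for every External relationship
    in the package whose target points at a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if REMOTE_TARGET.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, target))
    return findings


def is_template_injection(docx_bytes):
    """True when the settings part attaches a template from a remote host,
    the pattern behind the lures described in the text."""
    return any(
        part == "word/_rels/settings.xml.rels" and rel_type == "attachedTemplate"
        for part, rel_type, _ in external_relationships(docx_bytes)
    )


def build_sample_docx(template_target=None):
    """Build a minimal constructed .docx in memory (not a real-world sample).
    When template_target is given, the settings part attaches that template
    the same way Word records an attached template."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            f'<Relationships xmlns="{RELS_NS[1:-1]}">']
    if template_target:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; a real lure would name a server the attacker controls.
    for label, doc in [("clean", build_sample_docx()),
                       ("local template", build_sample_docx("Normal.dotm")),
                       ("lure", build_sample_docx(r"\\example.invalid\share\resume.dotm"))]:
        print(f"{label:15} template injection: {is_template_injection(doc)}")
```

Checking every `.rels` part rather than only the settings part also surfaces other externally linked objects, which is why `external_relationships` is kept separate from the narrower `is_template_injection` verdict.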

Wednesday, June 28, 2017 @ 02:06 PM gHale

By Gregory Hale
Industrial sites, along with other industries, are undergoing an attack from a new version of ransomware that is being called quite a few different names, but is infecting networks in countries across the globe.

Petya ransomware, which is what it is mainly called, encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate the ransomware exploits vulnerabilities in Server Message Block (SMB).

Chris Da Costa, global operations cyber security manager at Air Products and Chemicals said during a presentation at the Siemens Automation Summit 2017 in Boca Raton, FL, Wednesday, he had a meeting coming up after his talk regarding how his company is protected against this latest assault.

“Version 2 of WannaCry is on the loose,” Da Costa said. “A large pharmaceutical company was shut down. I am going back to talk to the team to understand what we have to do.”

This malware is being compared to the WannaCry outbreak that struck computers in more than 150 countries last month — but so far, at least, Petya seems to be spreading more slowly in only about 64 countries.

Like WannaCry, the Petya ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. As of Wednesday morning, the account had received around $10,000. German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments.

Some of the victims so far are the Ukrainian government, its National Bank and its biggest power companies; airports and metro services in the country are also feeling the effect.

“The Ukraine continues to be in the cross-hairs of persistent cyber attackers,” said Edgard Capdevielle, chief executive of Nozomi Networks. “Whether you believe the Ukraine is a test-bed for nation state aggression or an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing.”

Companies Fall Victim
Shipping company A.P. Moller-Maersk reported a computer systems outage on Tuesday which it said could be a global issue.

“We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation,” Maersk said on Twitter.

A Maersk spokeswoman said the cause of the breakdown was not yet known, but that it could extend across the company’s global operations.

Russia’s top oil producer Rosneft said Tuesday its servers had been hit in a large-scale cyber attack, but its oil production was unaffected.

The malware is similar to WannaCry but leverages other techniques to propagate and encrypt systems, said Patrick McBride from Claroty in a blog post.

More Severe
Our initial analysis suggests that Petya’s potential impact on ICS networks appears to be more severe than WannaCry due to the following:
• Impact on ICS Windows machines: Petya does not encrypt files one by one per a matching extension list, but encrypts the master file table (MFT) so that the file system is not accessible, effectively bricking the machine. This means any infected HMI would be locked immediately. While this would not directly impact the underlying process, it would deprive all visibility and monitoring capabilities, which would lead in most if not all cases to a shutdown. The OT network would have to stay in manual mode until recovery of the infected Windows endpoints. Further, other SCADA components, e.g., historians, backup servers and engineering stations, would also be impacted.
• Propagation: Petya’s propagation capabilities surpass those of WannaCry, as it leverages the user’s privileges to propagate throughout the network (using PsExec). It also utilizes WMI as a propagation vector.

McBride also said the mitigation steps are similar to those used in WannaCry. Patch the following CVEs, he said: CVE-2017-0199 and CVE-2017-0144.

McBride added some additional protection and recovery steps:
• Block SMB & WMI port 135, 139, 445,1024-1035 TCP – if possible
1. NOTE: Some ICS software relies on these services so this can impact operations.
2. Customers can use the Claroty Platform to determine if their current ICS environments are leveraging these ports/protocols.
• Block execution of .exe within %AppData% and %Temp% as a temporary measure to avoid infection until other mitigation steps can be taken. This may cause issues – for example it will impact installers, but provides temporary relief until other mitigation steps can be taken.
• Check logs for IOCs below
• If infected:
1. Try to avoid reboot. Use shutdown -a to abort the shutdown and preserve a copy of the MFT from memory for recovery. (cmd /k shutdown -a)
2. Try not to format the encrypted systems but rather get its image for use in recovery steps.

Need Protection
“Although details are still emerging, one thing is clear, attacks such as these do not discriminate between geography or industry,” said David Zahn, GM of ICS Cybersecurity at PAS. “Like the Wannacry attack, critical infrastructure was caught in the cross hairs with early reports identifying oil & gas and power as victims. Banking and pharmaceuticals also experienced issues. 

“Prima facie, the motive behind this attack looks financial. But, were the motivation different, we’d face a much more serious situation today. Within critical infrastructure companies, such as chemical processing, there are proprietary industrial control systems responsible for production reliability and safety,” Zahn said. “Compromising these systems could impact the environment, cause injury, or disrupt production. It’s also possible the effect would be less noticeable. Imagine the process at a pharmaceutical plant being altered instead of halted.”

New Era of Attacks
“It would seem we have arrived at the dawn of the ICS (Industrial Control System) attack,” said Bryan Singer, director of security services at IOActive. “For the past ten years any attacks to industrial control systems have been one off, specifically targeted attacks by insiders; or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era, it is now impossible to say ‘that can’t happen to us’ any more.”

“The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry, employing Eternal Blue to spread to other systems before encrypting files and demanding payment,” Singer said. “One major difference between this outbreak and WannaCry though, is the possible inclusion of exploit code for another known vulnerability CVE-2017-0199, affecting Microsoft Office to further spread the payload.”

“If rumors prove true that this attack was initiated by the External Blue Exploit, it is a well-known vulnerability using SMB v1,” said Andrea Carcano, co-founder and chief product officer of Nozomi Networks. “SMB is a protocol used often in the industrial networks. Therefore, security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them.”

Monday, June 12, 2017 @ 04:06 PM gHale

By Gregory Hale
Researchers have identified a piece of malware believed to have been used in the December 2016 attack on a Ukrainian power substation.

The malware was discovered by ESET, which calls it Industroyer. ESET also shared some data with ICS cybersecurity company Dragos, which tracks the malware as CRASHOVERRIDE and the group that uses it as ELECTRUM.

Attack Group Targets Ukraine
Ukraine Attack: An Insider’s Perspective
Latest Ukraine Power Outage a Hack
Power Out in Ukraine, Cause Unclear

Industroyer is the fourth such threat known to the ICS industry. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities; BlackEnergy, used in the December 2015 Ukraine power grid attacks; and Havex, used mainly against organizations in Europe.

While they could not confirm the malware was the direct cause of the 2016 power outages in Ukraine’s Kiev region, ESET and Dragos remain confident this is the malware used in the attack.

“The implications of the Crash Override or Industroyer malware are significant,” said Andrea Carcano, co-founder and chief product officer for Nozomi Networks. “Unlike Stuxnet, which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries. We recommend that electric utilities monitor and improve their cyber resiliency programs, including implementing real-time ICS cybersecurity and visibility solutions.”

Dragos said the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET said while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.

Industroyer has been described as a sophisticated modular malware that has several components: A backdoor, a launcher, a data wiper, various tools, and at least four payloads.

These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.

In one theoretical attack scenario described by Dragos in its report, malicious actors use the malware to open closed breakers in an infinite loop, causing the substation to de-energize.

By executing commands in an infinite loop, the attackers ensure that operators of the targeted facility cannot close the breakers from the HMI. This can require operators to interrupt communications with the substation and manually address the issue, which could result in an outage that lasts for a few hours.

In another scenario, the attackers initiate an infinite loop where breakers continually open and close, which can trigger protections and cause the substation to go offline. Experts believe launching such an attack in a coordinated fashion against multiple sites could result in outages that last for a few days.
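The two scenarios above share a signature that is visible on the wire regardless of which grid protocol carries the commands: a single source issuing far more breaker-control commands against one device than any operator or SCADA master would in normal operation. The following is an added example, not code from Dragos, ESET or Nozomi Networks, of the kind of baseline-and-deviate check that catches both patterns. It assumes the substation traffic has already been decoded into a simple command log of `(timestamp_seconds, source_ip, target_device, command)` tuples; the protocol parsing that would produce such a log is not shown, and the sample log, window size and threshold are constructed for the example.

```python
"""Flag breaker-control command storms in a decoded ICS command log.

Added example; not from Dragos, ESET or Nozomi Networks. The log format is an
assumption: one record per control command seen on the substation network,
(timestamp_s, source_ip, target_device, command) with command "OPEN"/"CLOSE".
"""
from collections import defaultdict, deque

# Baseline assumption (constructed for this example): a human operator or the
# SCADA master issues at most a handful of commands per breaker per minute.
WINDOW_S = 60
MAX_COMMANDS_PER_WINDOW = 5


def detect_command_storms(records, window_s=WINDOW_S, threshold=MAX_COMMANDS_PER_WINDOW):
    """Sliding-window count of control commands per (source, target) pair.

    Returns one alert per offending pair as
    (timestamp_of_alert, source_ip, target_device, commands_in_window, pattern)
    where pattern is 'repeated-open' (scenario 1: breaker held open),
    'open-close-oscillation' (scenario 2: tripping protection) or 'storm'.
    """
    windows = defaultdict(deque)   # (src, target) -> deque of (ts, cmd) in window
    alerts = []
    alerted = set()
    for ts, src, target, cmd in sorted(records):
        key = (src, target)
        q = windows[key]
        q.append((ts, cmd))
        # Drop commands that fell out of the trailing window.
        while q and q[0][0] < ts - window_s:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            cmds = [c for _, c in q]
            if all(c == "OPEN" for c in cmds):
                pattern = "repeated-open"
            elif set(cmds) == {"OPEN", "CLOSE"} and all(a != b for a, b in zip(cmds, cmds[1:])):
                pattern = "open-close-oscillation"
            else:
                pattern = "storm"
            alerts.append((ts, src, target, len(q), pattern))
            alerted.add(key)   # one alert per pair; a SIEM would re-arm this
    return alerts


# Constructed sample log: benign HMI activity plus the two Dragos scenarios.
SAMPLE_LOG = (
    # Operator at the HMI: two commands within a minute on breaker CB-1.
    [(0, "10.0.0.10", "CB-1", "OPEN"), (40, "10.0.0.10", "CB-1", "CLOSE")]
    # Scenario 1: OPEN re-sent every second so operators cannot re-close CB-2.
    + [(100 + i, "10.0.0.99", "CB-2", "OPEN") for i in range(10)]
    # Scenario 2: CB-3 driven open/closed repeatedly to trip protection.
    + [(200 + i, "10.0.0.99", "CB-3", "OPEN" if i % 2 == 0 else "CLOSE") for i in range(8)]
)

if __name__ == "__main__":
    for alert in detect_command_storms(SAMPLE_LOG):
        print(alert)
```

The threshold is deliberately low because, as the article notes, grid command traffic is stable once baselined; in practice the window and threshold would be derived per device from observed operator behaviour rather than fixed constants.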

The malware’s main backdoor component allows attackers to execute various commands on the infected system. It communicates with its command and control (C&C) servers over the Tor network and it can be programmed to be active only at specified times, which are likely mechanisms for avoiding detection.

This component also deploys a secondary backdoor disguised as a Trojanized version of the Windows Notepad application. The main backdoor is also responsible for installing the launcher component, which initiates the wiper and the payloads.

The wiper is apparently designed for the final stages of the attack to help the attackers hide their tracks and make it more difficult to restore affected systems. This includes clearing registry keys, and overwriting ICS configuration and Windows files.

The payloads, which allow attackers to control circuit breakers, leverage industrial communication protocols. This suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.

“After years of working closely with global power generators, we have seen that network communications across grids are usually very stable and that once baselined, it’s possible to detect anomalies,” Carcano said. “Unusual messages using regular power system communication protocols can be identified and flagged, and action can be taken on them before an outage occurs.”

“There seems an undercurrent of surprise or reactionary concern when we hear details on how bad actors are advancing sophisticated means to attack critical infrastructure,” said David Zahn, general manager of ICS Cybersecurity at PAS. “In power, we are in denial that a similar attack could happen in the U.S. We also get mired in misconceptions that we are well prepared because of regulation, or (the idea that) squirrels — yes squirrels — are more likely to bring down power than a hacker. The problem is that nation states have a plan, squirrels do not.

“The latest news about Crash Override is one more wakeup call that we need to become better at the cybersecurity basics which most industrial companies struggle doing today — know what ICS cyber assets you have (from smart field instruments to controllers to workstations), identifying and managing vulnerabilities, detecting when an unauthorized change occurs, and ensuring backups are available.

“It’s easy to hit the snooze button and ignore these kinds of wake-up calls, especially when attacks happen in other countries and regulatory compliance receives such a strong focus within power,” Zahn said. “This is not a path we as an industry can sustain. Flipping the script on prioritizing good cybersecurity over good compliance is a step down a better path.”

Friday, June 9, 2017 @ 05:06 PM gHale

Half of the industrial companies surveyed experienced at least one cybersecurity incident in the past 12 months, and the annual cost of attacks can be as high as $500,000, according to a new report.

What is interesting is a majority of those industrial companies said they are well prepared to handle a cyber security incident, according to the report by Kaspersky Lab.

Old OSes Prevalent, Vulnerable to Breaches
IoT Attacks Can Truly Cost a Company
In IoT World, Third Party Risk Huge: Report
Security Sinks with Attack Volume: Report

The security firm has conducted a survey of 359 industrial cybersecurity practitioners across 21 countries, mainly from the manufacturing, construction and engineering, and oil and gas sectors.

A strong majority of the respondents (83 percent) said they were prepared to deal with cybersecurity incidents within their industrial control systems (ICS) environment, and 86 percent said they had a dedicated policy or program in place.

However, half of them have experienced between one and five security incidents in the past year, and one percent said they were hit as many as 25 times.

The potential damage from cybersecurity incidents can be considerable. The consequences of these incidents are often far greater than the associated financial losses and reputational damage. Cybersecurity incidents in an ICS environment can:
• Cost lives
• Have a long-lasting impact on the environment
• Attract fines from regulators, customers or partners who have been put at risk
• Result in the loss of a product or service as a result of the breach
• Force a company to close down completely

“Due to the dynamic nature of cyber-attacks, there are no infallible cybersecurity systems,” said Edgard Capdevielle, chief executive at Nozomi Networks. “However, the risk can be greatly reduced by implementing a layered defense involving anomaly detection with machine learning capabilities where a baseline of industrial control systems can be established and any deviations can be alerted and acted upon. Introducing machine learning and artificial intelligence into the ICS environment is key to faster and more efficient processes for securing unique industrial networks. Finally, closely following the NIST framework and best practices can also improve the risk posture of industrial control systems as standardization helps to facilitate peer-validated security architectures, protocols and guidelines.”

The main concern for organizations is conventional malware infections, which also accounted for the highest percentage of actual incidents, according to the report.

Other areas of concern include threats from third-parties, sabotage or other damage caused from the outside, ransomware, and targeted attacks. Many are also concerned about the impact of employee errors or unintentional actions, and sabotage or intentional damage from the inside.

The companies surveyed by Kaspersky said they spent a lot of money dealing with cybersecurity incidents. The average financial loss was roughly $347,000 per year, but organizations with more than 500 employees said they spent nearly $500,000.

These costs include the bill for addressing the consequences of the incident, software upgrades, staff and training.

As for the ICS security measures taken by organizations, two-thirds of respondents said they rely on anti-malware solutions and security awareness training. Roughly half of companies also use intrusion detection and prevention systems, security audits, unidirectional gateways, vulnerability scanning and patch management, asset identification and management, and anomaly detection.

Kaspersky pointed out the move toward more advanced security technologies, and away from relying on traditional air-gapping alone, is a good sign.

The report shows the main challenges of managing ICS cyber security are related to finding employees with the right skillset and finding reliable partners for implementing security solutions.

Click here to download “The State of Industrial Cybersecurity 2017” report.

Wednesday, May 31, 2017 @ 02:05 PM gHale

By Heather MacKenzie
The WannaCry ransomware broke onto the world scene May 12 when it infected over 200,000 computers in more than 150 countries.

Thankfully, the impact on critical infrastructure and manufacturing systems was relatively low. While WannaCry’s spread has been curtailed for now, new variants have been reported. More than two weeks after the initial attack, critical infrastructure operators and manufacturers still need to take measures to protect their Industrial Control Systems (ICS) from the WannaCry family of ransomware.

Fighting for Holistic OT/IT Security
WannaCry Vulnerability Checker Released
WannaCry Decryptor Tool Available
Updated WannaCry Indicators
Agencies Amassing Zero Days
WannaCry Variants Tougher to Kill
How to Protect Against ‘WannaCry’

Immediate actions start with determining whether your systems are vulnerable by identifying computers and devices running Windows operating systems not updated with the latest security patches. You should also identify any devices communicating with the Windows SMB1 protocol, which is used to propagate the malware. If these situations exist, you need to execute a plan to mitigate and protect against these security weaknesses.

While we can take a deep breath that WannaCry did not shut down essential services such as power systems and water systems, the malware is certainly a very loud wake-up call. Let’s look at what can be done immediately, and over the longer term, to prevent and mitigate ransomware infections to industrial systems.

WannaCry Attack
WannaCry was initially reported to enter networks through email phishing campaigns (the initial infection vector was never conclusively established); once inside, it self-propagates by exploiting a Windows SMBv1 vulnerability (MS17-010, the flaw targeted by the EternalBlue exploit). While OT systems should be protected from threats coming from the IT network, nowadays there are many pathways into industrial networks, and incidents of transportation and manufacturing systems being infected with WannaCry have been reported.

To determine whether your ICS is at risk, identify which computers and other devices are running old versions of the Windows operating system. Also, identify which network connections are communicating using SMB1.

A way to do this is to use an ICS asset management and visibility tool which can quickly and automatically identify all assets with their operating systems/version numbers, and identifies all network connections and their communication method. This will focus your attention on the devices that need patching or other remediation measures. If you do not have technology that does this for you, you will need to consult with OT staff or use other manual methods to identify the vulnerable components of your systems.

While patching industrial devices or changing how they communicate has risks, you need to weigh those risks against the risk of what ransomware might do to your ICS. As part of your action plan, know that Microsoft has made available security patches for out-of-date versions of the Windows operating system.

Here are some resources to help you develop your plan (the first link takes you to the Microsoft free security updates):
• Microsoft Update Catalog
• Customer Guidance for WannaCrypt attacks
• Indicators Associated with WannaCry Ransomware
• For technical details on WannaCry and risk management approaches for enterprise networks, see the FireEye article: WannaCry Ransomware Campaign: Threat Details and Risk Management

Based upon the level of risk to your systems and the impact an infection might create, you can consider a range of responses, from a planned patch/test cycle to the more extreme step of temporarily disconnecting OT and IT networks.

Improve resiliency. A foundational ICS security best practice is to have an updated asset inventory that includes information for each device such as its operating system, version number and known vulnerabilities. In the past, obtaining and maintaining this information for large, heterogeneous industrial systems was time consuming and difficult.
Today, there are solutions that do this quickly and automatically. The main point is to take whatever action is necessary for your organization to have a good asset management program, with real-time visibility and query capabilities.

Patch program. Industrial systems are notorious for not being patched. There are some good reasons for not doing so: patching may cause an application or an entire process to stop working, or the resources required to test and safely implement patches may be constrained. Whatever the reason, WannaCry is a shout-out to revisit your patching program. Ideally you don’t want to have to explain how a process or manufacturing system was brought to its knees when a patch that would have prevented the problem was available.

Ensure visibility. Like asset management, historically it was very difficult to have comprehensive visibility and monitoring of large industrial networks and the processes they control. Now, there are new solutions that provide real-time industrial network visualization interfaces, including showing network connections, anomalies and the status of process variables.

In the case of WannaCry, such a system would facilitate detection and remediation in several ways:
• Detecting the anomalous DNS request the ransomware uses to verify whether it should continue with the attack or not. An alert should then generate that provides context about the DNS request and PCAP information to help analyze it.
• Identifying any network connections using the Windows SMB1 protocol. WannaCry communicates using this protocol, and by identifying devices using it, defensive decisions can be taken. For example, spread of the malware would be limited by stopping all SMB1 communications.
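Both the “identify which connections are communicating using SMB1” step earlier in this post and the second detection point above come down to the same passive check: looking at the SMB Negotiate Protocol request a client sends when it opens a session and seeing whether it advertises any SMBv1 dialect. The following is an added example, not Nozomi Networks code, of that check. It works on reassembled TCP payloads (NetBIOS session service framing plus the SMB header, as on port 445); the packet builder, host addresses and flows are constructed for the example, and capturing or reassembling real traffic is left to a tool such as a pcap reader.

```python
"""Passively identify hosts that speak SMBv1 from their Negotiate requests.

Added example; not Nozomi Networks code. Inputs are reassembled TCP payloads
as seen on TCP/445: a 4-byte NetBIOS session header followed by the SMB PDU.
SMB1 PDUs start with b"\\xffSMB"; SMB2/3 PDUs start with b"\\xfeSMB".
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72   # SMB1 NEGOTIATE command code


def build_smb1_negotiate(dialects):
    """Build a constructed SMB1 NEGOTIATE request advertising `dialects`."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4   # status
              + b"\x18" + b"\x53\xc8"                                    # flags, flags2
              + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2                  # PIDHigh, security, reserved
              + b"\xff\xff" + b"\xfe\xff" + b"\x00\x00" + b"\x00\x00")   # TID, PID, UID, MID
    dialect_bytes = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(dialect_bytes)) + dialect_bytes  # WordCount=0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message


def parse_smb_negotiate(tcp_payload):
    """Return ("SMB1", [dialects]), ("SMB2", []) or None if not SMB."""
    if len(tcp_payload) < 4 + 32:
        return None
    nb_len = int.from_bytes(tcp_payload[1:4], "big")
    if tcp_payload[0] != 0x00 or nb_len != len(tcp_payload) - 4:
        return None
    smb = tcp_payload[4:]
    if smb[:4] == SMB2_MAGIC:
        return ("SMB2", [])
    if smb[:4] != SMB1_MAGIC:
        return None
    if smb[4] != SMB_COM_NEGOTIATE:
        return ("SMB1", [])            # some other SMB1 command: still SMBv1 traffic
    word_count = smb[32]
    params_end = 33 + 2 * word_count   # parameter words follow WordCount
    if params_end + 2 > len(smb):
        return None
    byte_count = struct.unpack_from("<H", smb, params_end)[0]
    data = smb[params_end + 2: params_end + 2 + byte_count]
    # Each dialect is a 0x02 type byte followed by a NUL-terminated string.
    dialects = [chunk.split(b"\x00", 1)[0].decode("ascii", "replace")
                for chunk in data.split(b"\x02")[1:]]
    return ("SMB1", dialects)


def find_smb1_speakers(flows):
    """flows: iterable of (src_ip, dst_ip, tcp_payload).

    Returns {src_ip: set of SMBv1 dialects offered}. "SMB 2.xxx" entries inside
    an SMB1-framed negotiate are the SMB2 upgrade path and are not counted.
    """
    hosts = {}
    for src, _dst, payload in flows:
        parsed = parse_smb_negotiate(payload)
        if parsed is None or parsed[0] != "SMB1":
            continue
        legacy = {d for d in parsed[1] if not d.startswith("SMB 2.")}
        if legacy or not parsed[1]:
            hosts.setdefault(src, set()).update(legacy or {"<non-negotiate SMB1 command>"})
    return hosts


# Constructed sample flows (addresses and dialect lists are assumptions).
SAMPLE_FLOWS = [
    # Legacy engineering workstation: SMBv1-only dialects.
    ("10.0.0.5", "10.0.0.20", build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])),
    # Patched host with SMBv1 disabled: negotiates with an SMB2 header directly.
    ("10.0.0.6", "10.0.0.20", b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + b"\x00" * 60),
    # Host that still offers SMBv1 alongside the SMB2 upgrade dialects.
    ("10.0.0.7", "10.0.0.20", build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    # Unrelated traffic on the segment.
    ("10.0.0.8", "10.0.0.30", b"GET / HTTP/1.1\r\nHost: hmi\r\n\r\n"),
]

if __name__ == "__main__":
    for host, dialects in sorted(find_smb1_speakers(SAMPLE_FLOWS).items()):
        print(host, sorted(dialects))
```

A host that appears in the output is one to schedule for the MS17-010 patch or for having SMBv1 disabled; the host negotiating with an SMB2 header is not flagged even though it is speaking SMB, which is the distinction the remediation needs.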

Review incident response plan. There’s nothing like a fast spreading, real-life malware to test your incident response plan. How well did it work in this case? What could have been improved? Is it time to initiate a process to update the plan? Did alert fatigue plague rapid response? Know that incident correlation and replay features are now available specific to ICS environments that will ease incident management and speed response to major cyber incidents such as those triggered by WannaCry.

In addition, how good are your forensic tools for analyzing cyber incidents? Do you have SIEMs or other solutions in place for identifying OT cybersecurity events and alerting the right people? Do you have tools that provide PCAPs and before/after ICS system snapshots for analyzing events and learning how to prevent them in the future? If not, now is the time to look for solutions that give you these capabilities.

Implement standards. A watershed cybersecurity event like WannaCry will certainly draw the attention of executives and likely a review of current ICS security practices. Where does your organization stand with respect to implementing industrial cybersecurity standards like IEC-62443, the NIST framework or NERC CIP?
These standards help you deploy layered security measures (defense-in-depth) that work to stop and contain cyberattacks that, one way or another, get into the OT network.

Awareness and Training. It is an old adage that the weakest security link in an organization is people. WannaCry is widely believed to have entered systems by people clicking on attachments and/or links in phishing emails.

Ongoing training and awareness, tailored for different user groups is essential.

Like the Conficker worm of 2008, WannaCry 2017 should cause most organizations to re-examine their cybersecurity practices and defenses. While critical infrastructure systems and manufacturers were not significantly impacted this time, your organization’s cyber resiliency may need strengthening to defend against future attacks.

Heather MacKenzie is with Nozomi Networks. This is an excerpt from her blog.