Tuesday, August 8, 2017 @ 05:08 PM gHale

The National Initiative for Cybersecurity Education (NICE) has just released a new reference to help organizations build a workforce capable of meeting their cybersecurity needs.

Special Publication 800-181, the NICE Cybersecurity Workforce Framework, provides organizations with a common, consistent lexicon that categorizes and describes cybersecurity work by category, specialty area, and work role.

The NICE Cybersecurity Workforce Framework (NICE Framework) improves communication about how to identify, recruit, develop, and retain cybersecurity talent. It is a resource from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of workforce development, planning, training, and education.

It also provides a superset of cybersecurity knowledge, skills, and abilities (KSAs) and tasks for each work role. The NICE Framework supports consistent organizational and sector communication for cybersecurity education, training, and workforce development.

“The first draft of the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework will help critical infrastructure companies like oil and gas, power, water, manufacturing etc., to accelerate their hiring practices to close the skills gap in cybersecurity,” said Edgard Capdevielle, chief executive at Nozomi Networks. “They will now be able to articulate cybersecurity roles, area of specialty, category of work, and describe the knowledge, skills, and abilities of cybersecurity professionals that are needed. While it will take time to expand the workforce, new technologies are being applied that use Machine Learning (ML) and artificial intelligence (AI) to automate aspects of cybersecurity monitoring and detection. In areas of cybersecurity specialization such as industrial control systems where a cyberattack could have catastrophic effects, the combo of training and automation is speeding efforts to combat and remediate cyberattacks.”

The concept for the NICE Framework predates the establishment of NICE and grew out of the recognition that the cybersecurity workforce in the public and private sectors could not be defined and assessed.

To address this challenge, more than 20 departments and agencies, the private sector, and academia came together to develop a common understanding of cybersecurity work. That understanding was expressed in two previous versions of the NICE Framework and has evolved with further engagement among government, the private sector, and academia.

The framework's intended audiences are:
Employers — To help define their cybersecurity workforce, identify critical gaps in cybersecurity staffing, and create position descriptions consistent with national language.
Current and future cybersecurity workers — To help explore tasks and work roles and assist with understanding the KSAs being valued by employers for in-demand cybersecurity jobs and positions. Staffing specialists and guidance counselors are also enabled to use the NICE Framework as a resource to support these employees or job seekers.
Training and certification providers — To help current and future members of the cybersecurity workforce gain and demonstrate the KSAs.
Education providers — To help develop curriculum, certificate or degree programs, and research that cover the KSAs and tasks described.
Technology providers — To identify cybersecurity Work Roles and specific Tasks and KSAs associated with services and hardware or software products they supply.

Tuesday, August 8, 2017 @ 04:08 PM gHale

By Thomas Nuth
In the last decade, market and cost pressures have driven significant technological advances in automation and industrial connectivity across all aspects of petroleum extraction, pipeline transport and refining.

While technological advances are delivering business benefits, systems now end up exposed to more cyber risks than ever before.

Yet, according to a 2017 survey by the Ponemon Institute, the deployment of cybersecurity measures in the oil and gas industry isn’t keeping pace with the growth of digitalization in operations.

In fact, only 35 percent of respondents in the Ponemon survey rate their organization's OT cyber readiness as high, while 61 percent said their organization's industrial control systems (ICS) protection and security is not adequate.

One way to overcome the ICS cybersecurity gap is to utilize next generation technology that leverages machine learning and artificial intelligence (AI) to deal with system complexity and deliver immediate benefits.

Here are two cases of how a passive ICS anomaly detection and monitoring solution secures pipeline networks.

While the oil and gas sector, including pipeline operators, is embracing technological advancements, cyber threats are outpacing cybersecurity measures.

Efficiency of Equipment Commissioning
Quality assurance and quality control (QA/QC) is big business — and a big undertaking for oil and gas operations teams.

Typically, within the DCS/SCADA command structure, each controller and endpoint must be tested under various process stress factors and the results reported in a full-loop test. For example, a test engineer must command a valve to turn a certain percentage under various operational circumstances and record the impact on latency, availability, failure risk, etc. This must be done in compliance with various regulations and the results reported.

If a network or device is added into the DCS/SCADA, the process must be repeated. This is arduous and resource-intensive; even more so for remote pipeline networks. However, a passive industrial cybersecurity and operational visibility solution deployed in the industrial network makes these processes more efficient.

How? Let’s first take a step back and explain how the solution is deployed and works:
• Passive ICS cybersecurity modules are deployed in the industrial network by being attached to mirror or SPAN ports of networking equipment at key segment points.
• The modules copy network traffic to themselves for rapid learning and analysis.
• No out-of-network data is injected into the ICS network, and production is not impacted: there is no added latency and no risk of network downtime. The appliance also adds no path into the control network, provided the mirror or SPAN port it hangs off is configured as receive-only so the sensor cannot transmit into the monitored segment.
• The ICS cybersecurity appliance leverages machine learning and AI techniques to rapidly analyze huge volumes of network communication and process variable data that are extremely difficult to evaluate any other way.
• This “smart” data analysis is used to model the pipeline system, and develop process and security profiles specific to it.
• Once baselines are established, high speed behavioral analytics are used to constantly monitor it.
• The result is the rapid detection of anomalies, including cyberattacks, cyber incidents and critical process variable irregularities.

In the commissioning scenario, new devices added to the network are quickly identified and highlighted in dashboards and reports using a central management console. Device information such as location, protocols, connections, manufacturer and model number is all available from the remote location.

A test engineer can check device performance by running queries and monitoring the values of process variables against established baselines to detect anomalies. This improves operator productivity and shortens the time to deployment of new equipment.
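The learn-then-monitor flow described above, as an added example (not Nozomi Networks code and not the product's own logic): a sensor fed by a SPAN port reconstructs who talks to whom and which process variables move; a learning phase records the devices, conversations and value ranges seen while the process is known-good, and a monitoring phase flags anything outside that baseline, including the RTU a commissioning engineer has just connected. Addresses, protocol labels, variable names and values are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One message reconstructed from mirrored traffic (constructed sample data)."""
    ts: float                      # seconds since capture start
    src: str                       # source IP on the mirrored segment
    dst: str                       # destination IP
    proto: str                     # industrial protocol label, e.g. "modbus"
    var: Optional[str] = None      # process variable carried, if any
    value: Optional[float] = None  # its value


@dataclass
class Baseline:
    devices: Set[str] = field(default_factory=set)
    conversations: Set[Tuple[str, str, str]] = field(default_factory=set)
    samples: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))


def learn(observations) -> Baseline:
    """Learning phase: record every device, every (src, dst, proto) conversation
    and every value each process variable took during the learning window."""
    base = Baseline()
    for o in observations:
        base.devices.update((o.src, o.dst))
        base.conversations.add((o.src, o.dst, o.proto))
        if o.var is not None and o.value is not None:
            base.samples[o.var].append(o.value)
    return base


def monitor(base: Baseline, observations, z_threshold: float = 3.0):
    """Monitoring phase: return (kind, detail, ts) alerts for deviations from the
    baseline. Each new device or conversation is reported once."""
    stats = {v: (mean(s), pstdev(s)) for v, s in base.samples.items() if len(s) >= 2}
    alerts, reported = [], set()
    for o in observations:
        for dev in (o.src, o.dst):
            if dev not in base.devices and ("dev", dev) not in reported:
                reported.add(("dev", dev))
                alerts.append(("new_device", dev, o.ts))
        conv = (o.src, o.dst, o.proto)
        if conv not in base.conversations and ("conv", conv) not in reported:
            reported.add(("conv", conv))
            alerts.append(("new_conversation", conv, o.ts))
        if o.var is None or o.value is None:
            continue
        if o.var not in stats:
            alerts.append(("unknown_variable", o.var, o.ts))
            continue
        mu, sigma = stats[o.var]
        # a variable that never moved during learning has sigma 0: any change is a deviation
        deviates = (o.value != mu) if sigma == 0 else abs(o.value - mu) / sigma > z_threshold
        if deviates:
            alerts.append(("value_out_of_range", (o.var, o.value, round(mu, 2)), o.ts))
    return alerts


# Constructed learning traffic: SCADA master 10.1.0.10 polls two RTUs over Modbus.
LEARNING = [
    Observation(0.0, "10.1.0.10", "10.1.0.20", "modbus", "pipeline_pressure_psi", 810.0),
    Observation(1.0, "10.1.0.10", "10.1.0.20", "modbus", "pipeline_pressure_psi", 815.0),
    Observation(2.0, "10.1.0.10", "10.1.0.20", "modbus", "pipeline_pressure_psi", 808.0),
    Observation(3.0, "10.1.0.10", "10.1.0.20", "modbus", "pipeline_pressure_psi", 812.0),
    Observation(4.0, "10.1.0.10", "10.1.0.20", "modbus", "pipeline_pressure_psi", 811.0),
    Observation(0.5, "10.1.0.10", "10.1.0.21", "modbus", "valve_7_open_pct", 40.0),
    Observation(1.5, "10.1.0.10", "10.1.0.21", "modbus", "valve_7_open_pct", 42.0),
    Observation(2.5, "10.1.0.10", "10.1.0.21", "modbus", "valve_7_open_pct", 41.0),
    Observation(3.5, "10.1.0.10", "10.1.0.21", "modbus", "valve_7_open_pct", 40.0),
]

# Constructed monitoring traffic: one normal poll, a newly commissioned RTU
# 10.1.0.22 polled for the first time, and a valve driven far outside its range.
MONITORING = [
    Observation(100.0, "10.1.0.10", "10.1.0.20", "modbus", "pipeline_pressure_psi", 812.0),
    Observation(101.0, "10.1.0.10", "10.1.0.22", "modbus"),
    Observation(102.0, "10.1.0.10", "10.1.0.21", "modbus", "valve_7_open_pct", 95.0),
]

if __name__ == "__main__":
    for alert in monitor(learn(LEARNING), MONITORING):
        print(alert)
```

In the commissioning case the "new_device" and "new_conversation" alerts are the expected, useful result: they tell the test engineer the new RTU is on the wire and who is polling it. The z-score check is deliberately simple; a real sensor would also baseline per-variable rates of change and the set of function codes each master uses.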

Schematic showing the deployment of passive ICS security modules at various oil and gas sites. Real-time anomaly detection data and monitoring information from these sites can be viewed in central control rooms or SOCs.

How to Improve ICS Cybersecurity
Good ICS cybersecurity solutions provide operators the ability to monitor networks and security risks across multiple site locations. This is important for achieving robust cybersecurity monitoring and operational excellence in any large-scale oil and gas control endeavor.

Typically, this is achieved with a multi-tiered ICS cybersecurity approach whereby geo-distributed networks with passive ICS cybersecurity appliances link together with a centralized console or virtual interface. This allows offsite, centralized, real-time monitoring of cyber threats and risks, anomalous changes to pipeline flow variables and network communication irregularities.

If cyber risks or new nodes are detected, field operations and centralized control can work in concert to identify and evaluate them, improve operations and mitigate risk. This is directly applicable to pipeline networks, where small changes in traffic flows or device behavior could indicate a cyber threat or a potential point of failure.

An enterprise-ready passive ICS cybersecurity solution allows OT and IT users alike to clone useful dashboards and network queries for use on new appliances. Items like table views, compliance metrics and report templates are quickly duplicated, supporting a unified approach to ICS security and operational management. Device behavior and network traffic can easily be compared from site to site, significantly reducing mitigation, troubleshooting and forensic effort.

Cybersecurity Gap
To deal with the challenges of increasing digitization and cyber risks, oil and gas operators need to be aware of how new technology solutions can help. Passive ICS anomaly detection tools can utilize machine learning and AI to quickly learn complex pipeline systems and monitor them in real-time.

This solution is non-intrusive, simple to deploy, and immediately starts providing useful, actionable information that reduces cyber risks and improves operational efficiency.

Furthermore, with flexible data aggregation available via the enterprise-ready central management console (CMC), real-time cybersecurity and operational visibility is available across decentralized and geographically dispersed operations.

Thomas Nuth is global director, product and solutions technology at Nozomi Networks. This was an excerpt from a Nozomi Networks blog.

Monday, July 10, 2017 @ 05:07 PM gHale

Although they have been going on for a while, the attacks on U.S. energy facilities that have recently made news used an approach called template injection, researchers said.

While attacks against energy companies like nuclear plants are nothing new, they did garner some attention when The New York Times obtained a joint report issued by the Department of Homeland Security and the FBI warning of cyberattacks targeting manufacturing plants, nuclear power stations and other energy facilities in the U.S. and elsewhere.

The attacks hit the business and administrative systems of at least a dozen power firms in the United States, including the Wolf Creek nuclear facility in Kansas.

The campaign has been active since at least May and an initial investigation showed the techniques used by the hackers were similar to ones associated with a Russia-linked threat actor tracked as Crouching Yeti, Energetic Bear and Dragonfly, according to the FBI/DHS report the Times obtained.

“The U.S. has to assume that all parts of critical infrastructure are being probed for vulnerabilities 24 by 7 from a risk management point of view,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “While Information Technology (IT) and Operational Technology (OT) that control the electric grid systems and other critical infrastructure are separated, there have been increasing connections that warrant the use of real-time anomaly detection and machine learning. Risk management is an ongoing process. Up to date patching and the use of artificial intelligence and machine learning helps to harden the security that guards industrial control systems.”

The FBI/DHS alert said the attackers sent malicious emails to senior industrial control engineers in an effort to deliver malware designed to harvest credentials and allow them to access the targeted organization’s network.

Researchers at Cisco Talos analyzed these attacks and obtained some of the malicious Word documents the hackers used to gain access to the targeted organizations' networks. The attacks focused on critical infrastructure firms around the world, but the primary targets appear to be the United States and Europe.

The malicious documents, disguised as resumes and environmental reports, do not rely on traditional methods such as VBA macros or other embedded scripts to deliver malware, the researchers said. Instead, when the victim opens the phony document, Word follows a reference inside the document and loads a template file from an attacker-controlled SMB server while the document is still opening.

Loading the template this way, in what is known as a template injection attack, makes the victim's machine authenticate to the attacker's SMB server, which allowed the attackers to silently harvest the user's SMB (NTLM) credentials.
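The reference Word follows lives in the document package itself: a .docx is a zip, and the attached template is recorded as a relationship of type attachedTemplate in word/_rels/settings.xml.rels. The following is an added example, not Cisco Talos code, of the triage check a responder would run on a suspect document before opening it anywhere: it flags a template target that would make Word reach another host (a UNC path, a file: URL naming a server, or http(s)), and ignores the ordinary case of a template on the user's own drive. The two documents are constructed in memory; the server address 192.0.2.10 is a TEST-NET placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"   # where Word records the template link

_DRIVE = re.compile(r"^[a-zA-Z]:")


def is_remote_target(target: str) -> bool:
    """True if Word would have to reach another host to fetch this target:
    a UNC path (\\\\server\\share), a file: URL naming a server, or http(s)."""
    t = target.strip()
    low = t.lower()
    if low.startswith(("http://", "https://")):
        return True
    if low.startswith("file:"):
        # file:///C:/... is a local drive path; file://server/share is UNC
        return not _DRIVE.match(t[5:].lstrip("/\\"))
    return t.startswith("\\\\") or t.startswith("//")


def find_remote_templates(docx_bytes: bytes):
    """Return the remotely hosted template targets referenced by a .docx package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    return [
        rel.get("Target", "")
        for rel in root.iter(f"{{{REL_NS}}}Relationship")
        if rel.get("Type") == ATTACHED_TEMPLATE and is_remote_target(rel.get("Target", ""))
    ]


def build_docx(settings_rels: str) -> bytes:
    """Construct a minimal .docx-shaped package holding just the parts inspected above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


def rels(target: str) -> str:
    return (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')


# Constructed benign document: template on the user's own drive, as Word normally records it.
BENIGN = build_docx(rels("file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm"))
# Constructed suspicious document: template pulled over SMB from a hypothetical server.
SUSPICIOUS = build_docx(rels("\\\\192.0.2.10\\share\\template.dotm"))

if __name__ == "__main__":
    print("benign:", find_remote_templates(BENIGN))
    print("suspicious:", find_remote_templates(SUSPICIOUS))
```

Note that TargetMode="External" on its own is not the signal: Word marks the normal local template path external too. The distinguishing fact is a target that resolves to another machine, which is exactly what causes the outbound SMB authentication described above.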

Wednesday, June 28, 2017 @ 02:06 PM gHale

By Gregory Hale
Industrial sites, along with other industries, are under attack from a new version of ransomware that goes by several names and is infecting networks in countries across the globe.

Petya ransomware, as it is mainly called, overwrites the master boot record of infected Windows computers and encrypts the master file table, making affected machines unusable. Open-source reports indicate the ransomware exploits vulnerabilities in Server Message Block (SMB).

Chris Da Costa, global operations cyber security manager at Air Products and Chemicals, said during a presentation at the Siemens Automation Summit 2017 in Boca Raton, FL, Wednesday, that he had a meeting scheduled after his talk on how his company is protected against this latest assault.

“Version 2 of WannaCry is on the loose,” Da Costa said. “A large pharmaceutical company was shut down. I am going back to talk to the team to understand what we have to do.”

This malware is being compared to the WannaCry outbreak that struck computers in more than 150 countries last month — but so far, at least, Petya seems to be spreading more slowly in only about 64 countries.

Like WannaCry, the Petya ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. As of Wednesday morning, the account had received around $10,000. German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments.

Victims so far include the Ukrainian government, its National Bank and its biggest power companies; airports and metro services in the country are also feeling the effect.

“The Ukraine continues to be in the cross-hairs of persistent cyber attackers,” said Edgard Capdevielle, chief executive of Nozomi Networks. “Whether you believe the Ukraine is a test-bed for nation state aggression or an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing.”

Companies Fall Victim
Shipping company A.P. Moller-Maersk reported a computer systems outage on Tuesday which it said could be a global issue.

“We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation,” Maersk said on Twitter.

A Maersk spokeswoman said the cause of the breakdown was not yet known, but that it could extend across the company’s global operations.

Russia’s top oil producer Rosneft said Tuesday its servers had been hit in a large-scale cyber attack, but its oil production was unaffected.

The malware is similar to WannaCry but leverages other techniques to propagate and encrypt systems, said Patrick McBride from Claroty in a blog post.

More Severe
Our initial analysis suggests that Petya’s potential impact on ICS networks appears to be more severe than WannaCry due to the following:
• Impact on ICS Windows machines: Petya does not encrypt files one by one per a matching extension list, but encrypts the master file table (MFT) so that the file system is not accessible, effectively bricking the machine. This means any infected HMI would be locked immediately. While this would not directly impact the underlying process, it would deprive all visibility and monitoring capabilities, which would lead in most if not all cases to a shutdown. The OT network would have to stay in manual mode until recovery of the infected Windows endpoints. Further, other SCADA components, e.g., historians, backup servers and engineering stations, would also be impacted.
• Propagation: Petya's propagation capabilities surpass those of WannaCry, as it leverages the user's privileges to propagate throughout the network (using PsExec). It also utilizes WMI as a propagation vector.

McBride also said the mitigation steps are similar to those used in WannaCry. Patch the following CVEs, he said: CVE-2017-0199 and CVE-2017-0144.

McBride added some additional protection and recovery steps:
• Block SMB and WMI ports 135, 139, 445 and 1024-1035 TCP, if possible
1. NOTE: Some ICS software relies on these services so this can impact operations.
2. Customers can use the Claroty Platform to determine if their current ICS environments are leveraging these ports/protocols.
• Block execution of .exe within %AppData% and %Temp% as a temporary measure to avoid infection until other mitigation steps can be taken. This may cause issues – for example it will impact installers, but provides temporary relief until other mitigation steps can be taken.
• Check logs for IOCs below
• If infected:
1. Try to avoid a reboot. Run shutdown -a to abort the shutdown and preserve a copy of the MFT from memory for recovery (cmd /k shutdown -a).
2. Try not to format the encrypted systems but rather get its image for use in recovery steps.

Need Protection
“Although details are still emerging, one thing is clear, attacks such as these do not discriminate between geography or industry,” said David Zahn, GM of ICS Cybersecurity at PAS. “Like the Wannacry attack, critical infrastructure was caught in the cross hairs with early reports identifying oil & gas and power as victims. Banking and pharmaceuticals also experienced issues. 

“Prima facie, the motive behind this attack looks financial. But, were the motivation different, we’d face a much more serious situation today. Within critical infrastructure companies, such as chemical processing, there are proprietary industrial control systems responsible for production reliability and safety,” Zahn said. “Compromising these systems could impact the environment, cause injury, or disrupt production. It’s also possible the effect would be less noticeable. Imagine the process at a pharmaceutical plant being altered instead of halted.”

New Era of Attacks
“It would seem we have arrived at the dawn of the ICS (Industrial Control System) attack,” said Bryan Singer, director of security services at IOActive. “For the past ten years any attacks to industrial control systems have been one off, specifically targeted attacks by insiders; or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era, it is now impossible to say ‘that can’t happen to us’ any more.”

“The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry, employing EternalBlue to spread to other systems before encrypting files and demanding payment,” Singer said. “One major difference between this outbreak and WannaCry though, is the possible inclusion of exploit code for another known vulnerability CVE-2017-0199, affecting Microsoft Office to further spread the payload.”

“If rumors prove true that this attack was initiated by the EternalBlue exploit, it is a well-known vulnerability using SMB v1,” said Andrea Carcano, co-founder and chief product officer of Nozomi Networks. “SMB is a protocol used often in the industrial networks. Therefore, security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them.”

Monday, June 12, 2017 @ 04:06 PM gHale

By Gregory Hale
Researchers have identified a piece of malware believed to have been used in the December 2016 attack on a Ukrainian substation that cut power in the Kiev region.

The malware was discovered by ESET, which calls it Industroyer. ESET shared data with ICS cybersecurity company Dragos, which tracks the malware as CRASHOVERRIDE and the group that uses it as ELECTRUM.

Industroyer is the fourth such threat known to the ICS industry. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack on Iranian nuclear facilities; BlackEnergy, used in the December 2015 Ukraine power grid attacks; and Havex, used mainly against organizations in Europe.

While they could not confirm the malware was the direct cause of the 2016 power outages in Ukraine’s Kiev region, ESET and Dragos remain confident this is the malware used in the attack.

“The implications of the Crash Override or Industroyer malware are significant,” said Andrea Carcano, co-founder and chief product officer for Nozomi Networks. “Unlike Stuxnet, which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries. We recommend that electric utilities monitor and improve their cyber resiliency programs, including implement real-time ICS cybersecurity and visibility solutions.”

Dragos said the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET said while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.

Industroyer has been described as a sophisticated modular malware that has several components: A backdoor, a launcher, a data wiper, various tools, and at least four payloads.

These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.

In one theoretical attack scenario described by Dragos in its report, malicious actors use the malware to open closed breakers in an infinite loop, causing the substation to de-energize.

By executing commands in an infinite loop, the attackers ensure that operators of the targeted facility cannot close the breakers from the HMI. This can require operators to interrupt communications with the substation and manually address the issue, which could result in an outage that lasts for a few hours.

In another scenario, the attackers initiate an infinite loop where breakers continually open and close, which can trigger protections and cause the substation to go offline. Experts believe launching such an attack in a coordinated fashion against multiple sites could result in outages that last for a few days.
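A detection-side illustration of the two scenarios just described, written as an added example (not ESET or Dragos code, and not derived from the malware). The page does not name the protocols the payloads speak; this example assumes IEC 60870-5-104, which ESET's public analysis lists among them, and assumes that a single command with state OFF opens the breaker at that point. It decodes I-format APDUs carrying single (type 45) or double (type 46) commands and flags three things a protocol-aware monitor on a SPAN port can see: a control command from a host that is not a known master, more commands to one breaker in ten seconds than an operator would issue, and rapid open/close toggling of one point. Frames, addresses and thresholds are constructed.

```python
from collections import defaultdict, deque

COMMAND_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1"}   # single / double command ASDUs


def build_apdu(type_id: int, ca: int, ioa: int, info: int, cot: int = 6) -> bytes:
    """Construct an I-format APDU with one information object (used here only to
    build the constructed sample traffic). cot 6 = activation, 3 = spontaneous."""
    asdu = bytes([type_id, 0x01, cot, 0x00, ca & 0xFF, ca >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, info])
    apci = bytes([0x68, 4 + len(asdu), 0x00, 0x00, 0x00, 0x00])  # start, length, I-format control
    return apci + asdu


def parse_apdu(frame: bytes):
    """Decode one APDU with a single information object. Returns None for S/U-format
    frames (which carry no ASDU) or malformed input."""
    if len(frame) < 16 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:                       # control field bit 0 set: S or U format
        return None
    asdu = frame[6:]
    rec = {
        "type_id": asdu[0],
        "cot": asdu[2] & 0x3F,                # cause of transmission, low six bits
        "ca": asdu[4] | (asdu[5] << 8),       # common address of ASDU
        "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
    }
    info = asdu[9]
    if rec["type_id"] == 45:                  # SCO: bit 0 state, bit 7 select/execute
        rec["state"] = "ON" if info & 0x01 else "OFF"
        rec["select"] = bool(info & 0x80)
    elif rec["type_id"] == 46:                # DCO: bits 0-1 state (1 OFF, 2 ON)
        rec["state"] = {1: "OFF", 2: "ON"}.get(info & 0x03, "INVALID")
        rec["select"] = bool(info & 0x80)
    return rec


def detect_command_anomalies(events, known_masters, window_s=10.0, max_commands=3, max_toggles=3):
    """events: (ts, src_ip, frame). Returns (kind, detail, ts) alerts, each raised once
    per source or point, for the patterns in the two scenarios."""
    alerts, reported = [], set()
    history = defaultdict(deque)              # (src, ca, ioa) -> recent (ts, state)
    for ts, src, frame in events:
        rec = parse_apdu(frame)
        if rec is None or rec["type_id"] not in COMMAND_TYPES:
            continue                          # monitoring traffic is not a control action
        if src not in known_masters and ("master", src) not in reported:
            reported.add(("master", src))
            alerts.append(("command_from_unknown_master", src, ts))
        key = (src, rec["ca"], rec["ioa"])
        recent = history[key]
        recent.append((ts, rec["state"]))
        while recent and ts - recent[0][0] > window_s:
            recent.popleft()
        if len(recent) > max_commands and ("storm", key) not in reported:
            reported.add(("storm", key))
            alerts.append(("command_storm", key, ts))
        states = [s for _, s in recent]
        toggles = sum(1 for a, b in zip(states, states[1:]) if a != b)
        if toggles >= max_toggles and ("toggle", key) not in reported:
            reported.add(("toggle", key))
            alerts.append(("breaker_toggling", key, ts))
    return alerts


MASTER, RTU, ATTACKER, CA = "10.20.0.1", "10.20.0.50", "10.20.0.200", 1

# Constructed traffic on the substation segment (hypothetical addresses).
EVENTS = [
    (0.0, MASTER, build_apdu(45, CA, 100, 0x00)),          # operator opens breaker 100 once (assumed: OFF = open)
    (0.5, RTU, build_apdu(1, CA, 100, 0x00, cot=3)),       # RTU reports the new state (M_SP_NA_1)
    # scenario 1: unknown host re-sends the same OFF command to breaker 100 every second
    *[(50.0 + i, ATTACKER, build_apdu(45, CA, 100, 0x00)) for i in range(5)],
    # scenario 2: the same host toggles breaker 101 OFF/ON every second
    *[(60.0 + i, ATTACKER, build_apdu(45, CA, 101, i % 2)) for i in range(5)],
]

if __name__ == "__main__":
    for alert in detect_command_anomalies(EVENTS, known_masters={MASTER}):
        print(alert)
```

The known-master list is the baseline Carcano refers to further down: on a substation segment the set of hosts entitled to issue control commands is small and stable, so a command from any other address is itself the alert, before rate or toggle thresholds come into play.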

The malware’s main backdoor component allows attackers to execute various commands on the infected system. It communicates with its command and control (C&C) servers over the Tor network and it can be programmed to be active only at specified times, which are likely mechanisms for avoiding detection.

This component also deploys a secondary backdoor disguised as a Trojanized version of the Windows Notepad application. The main backdoor is also responsible for installing the launcher component, which initiates the wiper and the payloads.

The wiper is apparently designed for the final stages of the attack to help the attackers hide their tracks and make it more difficult to restore affected systems. This includes clearing registry keys, and overwriting ICS configuration and Windows files.

The payloads, which allow attackers to control circuit breakers, leverage industrial communication protocols. This suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.

“After years of working closely with global power generators, we have seen that network communications across grids are usually very stable and that once baselined, it’s possible to detect anomalies,” Carcano said. “Unusual messages using regular power system communication protocols can be identified and flagged, and action can be taken on them before an outage occurs.”

“There seems an undercurrent of surprise or reactionary concern when we hear details on how bad actors are advancing sophisticated means to attack critical infrastructure,” said David Zahn, general manager of ICS Cybersecurity at PAS. “In power, we are in denial that a similar attack could happen in the U.S. We also get mired in misconceptions that we are well prepared because of regulation, or (the idea that) squirrels — yes squirrels — are more likely to bring down power than a hacker. The problem is that nation states have a plan, squirrels do not.

“The latest news about Crash Override is one more wake-up call that we need to become better at the cybersecurity basics which most industrial companies struggle with today: know what ICS cyber assets you have (from smart field instruments to controllers to workstations), identify and manage vulnerabilities, detect when an unauthorized change occurs, and ensure backups are available.

“It’s easy to hit the snooze button and ignore these kinds of wake-up calls, especially when attacks happen in other countries and regulatory compliance receives such a strong focus within power,” Zahn said. “This is not a path we as an industry can sustain. Flipping the script on prioritizing good cybersecurity over good compliance is a step down a better path.”

Friday, June 9, 2017 @ 05:06 PM gHale

Half of the industrial companies surveyed experienced at least one cybersecurity incident in the past 12 months, and the annual cost of attacks can be as high as $500,000, according to a new report.

What is interesting is a majority of those industrial companies said they are well prepared to handle a cyber security incident, according to the report by Kaspersky Lab.

The security firm has conducted a survey of 359 industrial cybersecurity practitioners across 21 countries, mainly from the manufacturing, construction and engineering, and oil and gas sectors.

A strong majority of the respondents (83 percent) said they were prepared to deal with cybersecurity incidents within their industrial control systems (ICS) environment, and 86 percent said they had a dedicated policy or program in place.

However, half of them experienced between one and five security incidents in the past year, and one percent said they were hit as many as 25 times.

The potential damage from cybersecurity incidents can be considerable, and the consequences often go far beyond the direct financial loss and reputational damage. Cybersecurity incidents in an ICS environment can:
• Cost lives
• Have a long-lasting impact on the environment
• Attract fines from regulators, customers or partners who have been put at risk
• Result in the loss of a product or service as a result of the breach
• Force the company to close down completely

“Due to the dynamic nature of cyber-attacks, there are no infallible cybersecurity systems,” said Edgard Capdevielle, chief executive at Nozomi Networks. “However, the risk can be greatly reduced by implementing a layered defense involving anomaly detection with machine learning capabilities where a baseline of industrial control systems can be established and any deviations can be alerted and acted upon. Introducing machine learning and artificial intelligence into the ICS environment is key to faster and more efficient processes for securing unique industrial networks. Finally, closely following the NIST framework and best practices can also improve the risk posture of industrial control systems as standardization helps to facilitate peer-validated security architectures, protocols and guidelines.”

The main concern for organizations is conventional malware infections, which also accounted for the highest percentage of actual incidents, according to the report.

Other areas of concern include threats from third-parties, sabotage or other damage caused from the outside, ransomware, and targeted attacks. Many are also concerned about the impact of employee errors or unintentional actions, and sabotage or intentional damage from the inside.

The companies surveyed by Kaspersky said they spent a lot of money dealing with cybersecurity incidents. The average financial loss was roughly $347,000 per year, but organizations with more than 500 employees said they spent nearly $500,000.

These costs include the bill for addressing the consequences of the incident, software upgrades, staff and training.

As for the ICS security measures taken by organizations, two-thirds of respondents said they rely on anti-malware solutions and security awareness training. Roughly half of companies also use intrusion detection and prevention systems, security audits, unidirectional gateways, vulnerability scanning and patch management, asset identification and management, and anomaly detection.

Kaspersky pointed out that the move toward more advanced security technologies, rather than reliance on traditional air-gapping, is a good sign.

The report shows the main challenges of managing ICS cyber security are related to finding employees with the right skillset and finding reliable partners for implementing security solutions.

The full report, “The State of Industrial Cybersecurity 2017,” is available from Kaspersky Lab.

Wednesday, May 31, 2017 @ 02:05 PM gHale

By Heather MacKenzie
The WannaCry ransomware broke onto the world scene May 12 when it infected over 200,000 computers in more than 150 countries.

Thankfully, the impact on critical infrastructure and manufacturing systems was relatively low. While WannaCry's spread has been curtailed for now, new variants have been reported. More than two weeks after the initial attack, critical infrastructure operators and manufacturers still need to take measures to protect their Industrial Control Systems (ICS) from the WannaCry family of ransomware.

Immediate action starts with determining whether your systems are vulnerable: identify computers and devices running Windows operating systems that have not received the latest security patches, and identify any devices communicating with the Windows SMB1 protocol, which the malware uses to propagate. If either situation exists, execute a plan to mitigate and protect against these weaknesses.

While we can take a deep breath that WannaCry did not shut down essential services such as power systems and water systems, the malware is certainly a very loud wake-up call. Let’s look at what can be done immediately, and over the longer term, to prevent and mitigate ransomware infections to industrial systems.

WannaCry Attack
WannaCry inserts itself into networks using email phishing campaigns and then self-propagates using a Windows SMB1 vulnerability. While OT systems should be protected from threats coming from the IT network, nowadays there are many pathways to industrial networks and incidents of transportation and manufacturing systems being infected with WannaCry have been reported.

To determine whether your ICS is at risk, identify which computers and other devices are running old versions of the Windows operating system. Also, identify which network connections are communicating using SMB1.

A way to do this is to use an ICS asset management and visibility tool, which can quickly and automatically identify all assets with their operating systems and version numbers, and identify all network connections and their communication method. This will focus your attention on the devices that need patching or other remediation measures. If you do not have technology that does this for you, you will need to consult with OT staff or use other manual methods to identify the vulnerable components of your systems.

While patching industrial devices or changing how they communicate has risks, you need to weigh those risks against the risk of what ransomware might do to your ICS. As part of your action plan, know that Microsoft has made available security patches for out-of-date versions of the Windows operating system.

Here are some resources to help you develop your plan (the first link takes you to the Microsoft free security updates):
• Microsoft.com: Microsoft Update Catalog
• Microsoft.com: Customer Guidance for WannaCrypt attacks
• US-Cert.gov: Indicators Associated with WannaCry Ransomware
• For technical details on WannaCry and risk management approaches for enterprise networks, see the FireEye article: WannaCry Ransomware Campaign: Threat Details and Risk Management

Based upon the level of risk to your systems and the impact an infection might create, you can consider a range of responses, from a planned patch/test cycle to the more extreme step of temporarily disconnecting OT and IT networks.

Improve resiliency. A foundational ICS security best practice is to have an updated asset inventory that includes information for each device such as its operating system, version number and known vulnerabilities. In the past, obtaining and maintaining this information for large, heterogeneous industrial systems was time consuming and difficult.
Today, there are solutions that do this quickly and automatically. The main point is to take whatever action is necessary for your organization to have a good asset management program, with real-time visibility and query capabilities.

Patch program. Industrial systems are notorious for not being patched. There are some good reasons for not doing so, because patching may cause an application or an entire process to stop working. Or, the resource requirements to test and safely implement patches may be constrained. Whatever the reason, WannaCry is a call to revisit your patching program. Ideally you don’t want to have to explain how a process or manufacturing system was brought to its knees when a patch that would have prevented the problem was available.

Ensure visibility. Like asset management, historically it was very difficult to have comprehensive visibility and monitoring of large industrial networks and the processes they control. Now, there are new solutions that provide real-time industrial network visualization interfaces, including showing network connections, anomalies and the status of process variables.

In the case of WannaCry, such a system would facilitate detection and remediation in several ways:
• Detecting the anomalous DNS request the ransomware uses to verify whether it should continue with the attack or not. An alert should then be generated that provides context about the DNS request, along with PCAP data to help analyze it.
• Identifying any network connections using the Windows SMB1 protocol. WannaCry communicates using this protocol, and by identifying devices using it, defensive decisions can be taken. For example, spread of the malware would be limited by stopping all SMB1 communications.
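An added example, not code from the article or from Nozomi Networks, of the inventory-and-visibility checks described above (unpatched Windows hosts, endpoints speaking SMB1, and a DNS alert with context), run over constructed sample data. Hostnames, field names and the watchlisted domain are placeholders, not WannaCry’s real indicator.

```python
from typing import Dict, List, Set

# Constructed asset inventory (hypothetical hosts). "smb_patch" records whether
# the Microsoft SMB security update the article refers to has been applied;
# None means the question does not apply (non-Windows device).
ASSETS = [
    {"host": "hmi-01", "os": "Windows 7 SP1", "smb_patch": False},
    {"host": "eng-ws", "os": "Windows 10", "smb_patch": True},
    {"host": "hist-srv", "os": "Windows Server 2003", "smb_patch": False},
    {"host": "plc-07", "os": "VxWorks 6.9", "smb_patch": None},
]

# Constructed flow records as a visibility tool might export them: the SMB
# dialect negotiated on TCP/445 ("SMB1" = SMB 1.0, "SMB2" = 2.x/3.x).
FLOWS = [
    {"src": "eng-ws", "dst": "hmi-01", "dport": 445, "dialect": "SMB1"},
    {"src": "eng-ws", "dst": "hist-srv", "dport": 445, "dialect": "SMB2"},
    {"src": "hmi-01", "dst": "plc-07", "dport": 502, "dialect": None},
]

# Constructed DNS log; the watchlist holds a placeholder name only.
DNS_LOG = [
    {"ts": "2017-05-12T10:01:07Z", "host": "hmi-01", "qname": "ntp.corp.example"},
    {"ts": "2017-05-12T10:01:09Z", "host": "hmi-01", "qname": "killswitch-placeholder.invalid"},
]
WATCHLIST = {"killswitch-placeholder.invalid"}


def unpatched_windows(assets: List[Dict]) -> List[str]:
    """Windows hosts whose inventory record says the SMB patch is missing."""
    return sorted(a["host"] for a in assets
                  if a["os"].startswith("Windows") and a["smb_patch"] is False)


def smb1_hosts(flows: List[Dict]) -> Set[str]:
    """Every endpoint on either side of an SMB1 session, patched or not:
    these are the connections to block if SMB1 is to be shut off."""
    hosts: Set[str] = set()
    for f in flows:
        if f["dport"] == 445 and f["dialect"] == "SMB1":
            hosts.update((f["src"], f["dst"]))
    return hosts


def priority_hosts(assets: List[Dict], flows: List[Dict]) -> List[str]:
    """Unpatched Windows hosts that are also actively speaking SMB1:
    patch or isolate these first."""
    return sorted(set(unpatched_windows(assets)) & smb1_hosts(flows))


def dns_alerts(log: List[Dict], watchlist: Set[str]) -> List[Dict]:
    """Alert, with host and timestamp context, when a watchlisted name is resolved."""
    return [{"host": e["host"], "qname": e["qname"], "ts": e["ts"]}
            for e in log if e["qname"].lower() in watchlist]
```

Note that eng-ws is patched yet still appears in the SMB1 list, which is exactly the case the article's "stop all SMB1 communications" advice covers.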

Review incident response plan. There’s nothing like a fast spreading, real-life malware to test your incident response plan. How well did it work in this case? What could have been improved? Is it time to initiate a process to update the plan? Did alert fatigue plague rapid response? Know that incident correlation and replay features are now available specific to ICS environments that will ease incident management and speed response to major cyber incidents such as those triggered by WannaCry.

In addition, how good are your forensic tools for analyzing cyber incidents? Do you have SIEMs or other solutions in place for identifying OT cybersecurity events and alerting the right people? Do you have tools that provide PCAPs and before/after ICS system snapshots for analyzing events and learning how to prevent them in the future? If not, now is the time to look for solutions that give you these capabilities.

Implement standards. A watershed cybersecurity event like WannaCry will certainly draw the attention of executives and likely a review of current ICS security practices. Where does your organization stand with respect to implementing industrial cybersecurity standards like IEC-62443, the NIST framework or NERC CIP?
These standards help you deploy layered security measures (defense-in-depth) that work to stop and contain cyberattacks that, one way or another, get into the OT network.

Awareness and Training. It is an old adage that the weakest security link in an organization is people. WannaCry is widely believed to have entered systems by people clicking on attachments and/or links in phishing emails.

Ongoing training and awareness, tailored for different user groups is essential.

Like the Conficker worm of 2008, WannaCry 2017 should cause most organizations to re-examine their cybersecurity practices and defenses. While critical infrastructure systems and manufacturers were not significantly impacted this time, your organization’s cyber resiliency may need strengthening to defend against future attacks.

Heather MacKenzie is with Nozomi Networks. This is an excerpt from her blog.

Wednesday, April 26, 2017 @ 12:04 PM gHale

By Thomas Nuth
When it comes to industrial cybersecurity, governments know they need to improve it, industry knows it needs to better understand it and system integrators and automation vendors know they need to offer it.

The truth is while the need for cybersecurity is very apparent, enterprise and industrial networks are still often managed without a cohesive security strategy. And, even after years of being an acknowledged problem, integrated solutions are not in sight.

RELATED STORIES
ICSJWG: New Reality for Safety, Security
ICSJWG: Malware Having ICS Impact
Defense from Tainted Mobile Devices
SANS: Know the Security Mission

What’s the reason? First and foremost, there is a lack of expertise in the workforce. Secondly, today’s technologies have focused on modularized solutions for either the enterprise network or the industrial environment, without paying attention to the integration between the two.

Skills Shortage
Cybersecurity for industrial processes suffers partly due to a skills shortage and a lack of integrated IT/OT solutions.

The cybersecurity deficiency is largely attributed to a general shortage of skilled workers. There were more than 209,000 unfilled cybersecurity jobs in the U.S. in 2016, up 75 percent from 2015, according to an article in Forbes. From a global perspective, the number is greater than one million. With the huge demand for cybersecurity professionals, even the world’s largest banks, energy companies, and governments can’t seem to find them.

Forbes also found despite the high unmet demand for cybersecurity talent, the market for cybersecurity solutions is expected to continue its growth from $75 billion in 2015 to $170 billion by 2020. All sectors of the economy will have to find innovative ways to scale the expertise of their limited workforces to bring security to extensively connected systems, operations and networks. Innovative cyber tools must lead the way by automating learning of baseline behaviors, network monitoring, and cybersecurity management so few may do the work of many, for corporate and Industrial Control System (ICS) security.

Siloed Security
While the staggering number of unfilled jobs mentioned in the Forbes article speaks for itself, technology is partially to blame for the cybersecurity deficiency companies and governments face today. This is especially true in non-enterprise sectors such as utilities, oil and gas and industrial manufacturing.

From an industrial and enterprise networking view, cybersecurity has been addressed from two separate perspectives. From either direction, cybersecurity has been shortsighted by an approach that limits the focus to the reach of each group’s network domains. The reason for this shortcoming is the industrial automation space (OT) and the enterprise software space (IT) are being forced to connect with one another in terms of solutions delivery, operations management and customer outreach, but security integration has not always followed suit.

Automation, Integration Keys
As the backbone of critical infrastructure, ICSs are ubiquitous across industries, including transportation, water/wastewater and energy, to name a few.

With this said, threat management needs to scale to endpoints throughout the industrial network – such as sensors, PLCs, data loggers and HMIs. Furthermore, as desktops, laptops, tablets and smartphones have come into play, the reach of the ICS domain has grown rapidly. A solution that combines automated anomaly detection of ICS security issues, along with proactive threat remediation and containment, is required if security is to scale beyond the OT/IT divide.

When it comes to cybersecurity, less attention needs to be paid to the categorization of OT vs. IT, and more on holistic integration between the two. Leaving ICS without highly-scalable, automated, real-time cybersecurity visibility means our largest industries and government services will continue to be vulnerable to cyber threats.

The good news is automated machine learning and rapid evaluation of data using artificial intelligence are coming into play. These tools meet the needs of securing industrial networks and processes yet integrate with IT security infrastructure to bridge the OT/IT divide.

Thomas Nuth is a product director at Nozomi Networks. He is an expert in industrial networking and enterprise middleware technologies and was the first chair of the Industrial Internet Consortium (IIC) Energy Charter. This is an excerpt from a Nozomi Networks series of blogs.

Wednesday, March 22, 2017 @ 12:03 PM gHale

Nozomi Networks’ SCADAguardian solution architecture.

Nozomi Networks Inc. issued its latest release of SCADAguardian, a cybersecurity risk detection solution.

The release supports operational visibility and ICS cybersecurity with new modules for Asset Management and Vulnerability Assessment.

It also introduces Dynamic Learning for configuration-free deployments. This gives energy utilities, oil and gas operators and manufacturers a solution to monitor control networks for cybersecurity and operational anomalies.

“At Vermont Electric our mission is to provide safe, affordable, and reliable energy services to our members,” said Kris Smith, SCADA and operations engineering manager. “In order to do that, we need both operational visibility and cybersecurity protection for our critical operations systems.”

“Our customers love the way SCADAguardian uses AI (artificial intelligence) and machine learning to deliver effective ICS cybersecurity and anomaly detection,” said Nozomi Networks co-founder and chief product officer, Andrea Carcano. “But, similar to the needs at Vermont Electric, many were asking if we could leverage that functionality to help streamline operational tasks. That’s why we are offering new modules that simplify operations and ultimately improve operational visibility and monitoring for stronger cyber resilience and ICS reliability.”

For industrial operators, tracking assets and knowing their configuration and firmware versions, as well as other attributes, is often a lengthy manual process prone to human error and hard to keep up-to-date. SCADAguardian 17.0 automates asset tracking, keeps information current, and makes it easy to visualize, find and drill down on asset information such as software and hardware versions. Alerts, consolidated into context-aware incidents, notify operators of changes that may indicate a cybersecurity or operational incident.

In addition, the release makes it possible for operators to stay on top of device vulnerabilities, updates and patch requirements. By constantly analyzing industrial network assets against a state-of-the-art repository of ICS vulnerabilities, SCADAguardian saves time and improves cyber resiliency.

When it comes to comprehensive ICS modeling, the new release supports AI and machine learning. Until now, operators had to perform a configuration step in order to switch the system from learning to protection mode. Now learning granularity has increased, so learning, and the switch to protection now happen automatically per node and per network segment. Stable network nodes and segments become protected automatically.

Wednesday, January 18, 2017 @ 02:01 PM gHale
Jacobs and Bedrock inked a deal to sell the Bedrock control system in selected projects.

Bedrock Automation signed a memorandum of agreement with Jacobs Engineering Group Inc. where both firms will jointly offer secure open automation solutions.

Under the agreement, the companies will pursue selected projects with automation system requirements for potential implementation of the Bedrock Open Secure Automation system.

RELATED STORIES
Kaspersky Launches Security Service
Nozomi Automates ICS Risk Detection
Monitoring a Growing Network
Integrated Tactic to ICS Security

“Our clients are increasingly concerned about both cyber security and advanced automation and we have been creating innovative service packages to meet these needs,” said Jacobs’ Mission Solutions Chief Technology Officer Dr. Tommy Gardner. “Bedrock Automation has excellent experience and superior designs in this area. I am impressed with their comprehensive background and knowledge in the industrial DCS and PLC arena.”

The Bedrock control system employs its patented Black Fabric Cybershield architecture, which provides an intrinsic cyber secure automation platform to protect user hardware, software and applications.

“Jacobs is taking a leadership role in integrating the next generation of information and automation technologies for its clients,” said Bedrock Automation President Bob Honor. “We see this as a tremendous opportunity to bring our technology and our vision of holistic cyber security to a much larger audience.”