Search results

Tuesday, March 19, 2019 @ 12:03 PM gHale

OT visibility provider, Nozomi Networks Inc., launched its Nozomi Networks Labs, which will focus on sharing its own research and collaborate with partners, peers, universities, government and institutional researchers.

The goal behind the lab to provide the ICS cyber security community with the information, tools and guidance that can help reduce cyber threats to industrial and critical national infrastructure.

RELATED STORIES
Schneider Partners with Encryption Provider
Dragos Deals for NexGen
Palo Alto Deals for SOAR Provider
Tool Streamlines Threat Intelligence

As an example of these efforts, Nozomi Networks also said Radamsa – an open source fuzzing tool for testing software – accepted and integrated a set of Nozomi Networks Labs code contributions that make it faster and easier to test the security of ICS device software with its open source fuzzing tool. The updated version of the tool is available now on GitLab.

“Today marks the formal launch and a more concentrated effort for Nozomi Networks Labs,” said Nozomi Networks Co-founder and CTO Moreno Carullo. “Over the last few years our researchers have participated in standards development, contributed more than a dozen responsible vulnerability disclosures, and delivered actionable research and tools on Triton and GreyEnergy.”

Nozomi Networks Labs current and future programs include:
• ICS malware research and tools
• Responsible disclosure of ICS vulnerabilities
• Standards bodies participation
• ICS and IT expert staff support for Nozomi Networks client organizations
• Collaboration with partners on threat intelligence and ICS data analytics
• Support for and/or participation in ICS cyber security research conducted by universities, institutions and government bodies
• Peer collaboration on joint research initiatives with individual security researchers

“Research, community collaboration and giving back have always been part of Nozomi Networks’ DNA,” said Co-founder and Chief Product Officer Andrea Carcano. “Nozomi Networks Labs will allow us to make an even greater contribution to the ICS cyber security community.”

Wednesday, February 20, 2019 @ 11:02 AM gHale

By Alessandro Di Pinto
It’s important for those defending critical and industrial infrastructure to share knowledge and stay up-to-date on malware tradecraft.

With that in mind, when the GreyEnergy Advanced Persistent Threat (APT) ended up unveiled by ESET last year, I put my reverse engineering skills to work to analyze one of the malware’s infection techniques. This was the phishing email containing a malicious Microsoft Word document (maldoc) that lead to the installation of the malware (backdoor) on a victim’s network. ESET researchers said GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers for espionage and reconnaissance purposes.

A new research paper provides a comprehensive analysis of how the malware works, from the maldoc, to the custom packer and the final dropper (backdoor). This investigation is a more detailed analysis, with the deepest investigation done on the packer, an executable that decrypts and decompresses another executable inside itself.

RELATED STORIES
SOC Central: Combining IT, OT
Managing Risk and Protecting Reputation
Russian Cyberattacks on Critical Infrastructure
17 Zero Days Cleared in OPC UA

This is a summary of the techniques used by the packer to conceal its true functionality. In addition for those wanting more detail, click here to register for the full research paper entitled, “GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis.”

‘Packer’ Executable Concealed
When someone opens the Word document contained in the GreyEnergy phishing email, and clicks on “Enable Content,” malicious code is downloaded from a remote location.

The downloaded file is an executable which I suspected was a “packer,” i.e. an executable which contains one or more executables compressed and encrypted. While sometimes used legitimately to protect intellectual property, packers are also used by threat actors to hide malware.

As I investigated the suspected packer executable, I found it was built using several anti-analysis techniques:

Junk code – Unnecessary code that has no impact on the suspected packer’s code, and whose purpose is to confuse the reverse engineer. GreyEnergy contains a massive amount of junk code.

Overlapping instructions – GreyEnergy uses JMP instructions that function as overlapping instructions, where the same sequence of bytes can be interpreted as different instructions, depending on the exact byte in which execution starts.

JMP-based execution code – The execution flow of the suspected GreyEnergy packer is almost completely based on the use of JMP instructions, instead of sequential instructions. This makes it very hard to identify the true executable, hidden in a sea of junk code. Furthermore, the binary file of the suspected packer appeared to have overlay data. This is data appended at the end of the file that includes an additional executable component, and is decrypted during run-time.

Entropy – This is an assessment of a file’s randomness. Using one measure of entropy, with a scale of 0 to 8, where results of 7 or more indicate encryption, GreyEnergy has a score of 7.994. This is a strong indicator overlay data is encrypted.

Malware Revealed
After assessing the above aspects of the malware, I had a strong suspicion that I was dealing with a packer, but lacked solid proof. I decided to switch to a dynamic analysis approach to order to speed up the investigation. I then discovered several interesting attributes of the suspected packer file:

Hardcoded imports – The WinAPIs called by the suspected packer are not contained in the PE import table, but loaded at runtime and pushed ono the stack using a mov instruction, without any kind of obfuscation technique.

String overwrite – The suspected packer overwrites all strings with zeros, after the strings have been loaded into memory.

By now, there are multiple indicators that strongly suggest the binary is a packer:
• Apparently encrypted overlay
• Anti-analysis techniques
• APIs manually resolved by parsing the PE header
• Strings hardcoded inside the code and overwritten with 0x00s after use

Accessing the overlay
– The malware uses a series of steps to identify where the overlay starts and the exact size of its own executable, and allocates space for itself inside the memory. Analysis reveals exactly how the malware identifies the right offset for the overlay.

Decryption algorithm – The malware uses a custom algorithm to hide its malicious components. When the decryption algorithm is applied, it is clear the data contains an executable. However, there are several unexpected bytes between the recognized patterns, indicating the data is not yet complete. I suspected that the data is compressed somehow.

Decompression algorithm – My suspicion is quickly confirmed, and after decompression, the new buffer contains a valid Portable Executable (PE) header.

Original entry point (OEP) – Next the packer points to the uncompressed buffer, parses the PE header and iterates all sections again. Once it accesses the overlay data, a second PE header is revealed, which is the real malicious component (backdoor), waiting to be installed inside the victim’s systems.

It’s now possible to identify two specific components from the unpacked data – the dropper and the backdoor.

The suspected packer executes the dropper in-memory without storing it inside the filesystem. This step confirms the binary is a packer, because it has just demonstrated all the primary characteristics of packers.

The flow executed by the Packer includes decryption and decompression of the Dropper and Backdoor.
Source: Nozomi Networks

Stealthy Infection
Once complete, my analysis showed the GreyEnergy packer is robust and capable of significantly slowing down the reverse engineering process. The techniques used are not new, but the tools and the tactics employed were cleverly selected. The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure the infection would go unnoticed.

Based on how well the malware disguises itself once it infects a system, the best way for industrial organizations to protect themselves from the GreyEnergy APT is to train employees on the dangers of email phishing campaigns, including how to recognize malicious emails and attachments.

In addition, critical infrastructure networks should always be monitored with dedicated cyber security systems to proactively detect threats present on the network.

As a direct outcome of this analysis, I developed tools to help analysts dissect this piece of malware. The GreyEnergy Yara Module, is high-performing code for compiling with the Yara engine. It adds a new keyword that determines whether a file processed by Yara is the GreyEnergy packer or not.

This tool, combined with the previously published GreyEnergy Unpacker (a Python script that automatically unpacks the dropper and the backdoor, extracting them onto a disk), saves other security analysts the reverse engineering work.

Alessandro Di Pinto is a security researcher at Nozomi Networks. He is an Offensive Security Certified Professional (OSCP) with a background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) certification, which recognizes technologists with the skills and knowledge to reverse engineer malware and conduct forensic investigations.

Friday, February 15, 2019 @ 03:02 PM gHale

TÜV Rheinland and visibility provider Nozomi Networks inked a global partnership mainly focused on manufacturing plant operators, energy and utility companies, transportation and transit system operators.

Now in its fifth generation of technology, Nozomi Networks solutions are in 1,000 installations spanning energy, manufacturing, mining, transportation, utilities and critical infrastructure.

RELATED STORIES
Security Providers Unite in Deal
CyberX Earns Patent for ICS Risk Analytics
Radware Deals for Bot Mitigation Firm
Schneider, Transpara In Real-Time Monitoring Pact

TÜV Rheinland and Nozomi Networks are collaborating to improve the detection and remediation time of cybersecurity threats that target operational technology infrastructure.

“Organizations have invested in maturing cybersecurity posture around their IT infrastructure and enterprise applications focusing on getting visibility and control,” said Anish Srivastava, president and chief executive of TUV Rheinland OpenSky. “OT security is rapidly becoming a critical dimension of a cybersecurity program to maintain a safe, secure and reliable operating environment, where our partnership with Nozomi Networks will allow us to enhance our industrial cybersecurity solutions portfolio and deliver services that will better equip our clients to detect and monitor cyber threats in their OT environment, and ultimately improve the safety of their operations.”

Cybersecurity standards for industrial control systems emphasize that systems operators should have cybersecurity monitoring solutions in place. Organizations operating industrial facilities need to monitor, detect and mitigate cybersecurity attacks to maintain the safety, integrity and availability of their plants.

TÜV Rheinland’s Industrial Network Cybersecurity Risk Assessment service enables organizations to identify cybersecurity risks across end users’ industrial networks and operational technology which Nozomi brings to the table.

Last month at the Davos, World Economic Forum summit cybersecurity was high on the radar and recognized as one of the biggest challenges facing chief executives and political leaders around the world. There is also a warning that a failure to adequately protect against cyberattacks, could cost the global economy if such cyberattacks could shut down critical infrastructure and manufacturing plants.

A study released by TÜV Rheinland surveying how industrial organizations protect their operational technology (OT) assets from cyberattacks shows there is significant ground to be covered when it comes to securing OT assets.

Lack of concern toward OT cybersecurity was evident with 40 percent of respondents stating they had never assessed the risks posed by cyberattacks on their operational technology. In addition, 34 percent were not aware of the extent to which these risks were investigated. In addition, only one in five companies has tailored its measures for cybersecurity to operational technology.

Wednesday, February 6, 2019 @ 03:02 PM gHale

Nozomi Networks Inc. is now offering its solutions for real-time cyber security and OT network visibility on the Ruggedcom multi-service platform from Siemens AG.

The consolidated solution provides industrial operators and cyber security teams with a rugged networking and switching platform that includes industrial cyber security capabilities built-in. Users can gain computing and cyber security functionality, while reducing rackspace and streamlining procurement and installation productivity.

The solution embeds Nozomi Networks’ SCADAguardian ICS cyber security solution into the Ruggedcom RX1500 multi-service platform that includes the Ruggedcom Application Processing Engine (Ruggedcom APE).

Wednesday, January 23, 2019 @ 07:01 PM gHale

By Gregory Hale
There are plenty of ways to get from point a to point b in this world, but when it comes to cybersecurity, having a plan and knowing what is at risk, what truly needs the most protection and understanding the potential outcome is paramount.

Just ask John Cusimano, vice president of cybersecurity at aeSolutions and Andrew Bochman, senior grid strategist at Idaho National Laboratory, as the two security experts explored the strengths and benefits of conducting a Cyber Process Hazard Analysis (CyberPHA) or Consequence-driven Cyber-informed Engineering (CCE) process at the S4x19 conference in Miami Beach last week.

RELATED STORIES
S4: RF Controllers, a Simple Attack
S4: Warning Signs Before Triton Attack
S4: Security Journey Just Beginning
S4: Schneider, Nozomi Ink Partner Pact

One form of understanding risk is a simple equation: Risk = likelihood x consequence. However, in the ICS world, security experts spend a great deal of effort in risk reduction, but not a large effort in cutting down on consequences.

“In a CyberPHA we leverage processes we had around process safety to bring it into cybersecurity,” Cusimano said. “How do we decide on what consequences could be caused by cyber and drill down on how that could happen. No one person in a facility will understand threats and consequences, it takes a team.”

In a CyberPHA, the user can:
• Document the system
• Conduct a vulnerability assessment
• Partition the system
• Conduct a risk assessment
• Create mitigation planning

“We identify the worst case consequences and understand how that could happen,” Cusimano said. “That presents a nice picture of an attack scenario.”

In a CyberPHA it is possible to create a systematic approach to assessing ICS cyber risk, he said. Most of the assessment is based on the IEC 62443-3-2 “Security Risk Assessment and System Design” approach. In addition, it leverages established process safety management methods along with integrating multiple engineering disciplines. In the end, it delivers at risk-ranked mitigation plan.

Benefits of the CyberPHA are integration with process risk management provides management with consistent ranking of risk, Cusimano said. In addition, it creates a cross-functional team approach that encourages collaboration, practical solution and buy in.

It also satisfies IEC 61511 SIS security requirements and establishes a baseline to measure improvement, document and justify decisions. It also raises cybersecurity awareness. There is also a proven track record as Cusimano said it has been successfully applied to hundreds of ICSes since 2013.

Bochman, in turn talked about Consequence-driven Cyber-informed Engineering. The goal with this approach, is the change the way engineers, operators and senior leaders understand and mitigate cyber risks in their most critical systems and processes.

“When you are charged with protecting a large enterprise, we don’t treat things individually,” Bochman said. “You have to protect the whole thing. You need to find the handful of functions you need to protect.”

In his approach, Bochman said there are four steps:
1. Consequence prioritization, which determines the crown jewels that need protection
2. System of systems breakdown
3. Consequence-based targeting, which gives a kill chain analysis
4. Mitigations and protections, which gives kill chain mitigations

This is a disciplined approach to evaluate complex systems, make determinations about what must be fully safeguarded, and apply proven engineering strategies to isolate and protect industry’s most critical assets.

When it comes to securing critical infrastructure, Bochman said “disruption is OK, destruction I just can’t handle.”

Wednesday, January 23, 2019 @ 05:01 PM gHale

By Gregory Hale
Using a simple replay attack and a digital watch using radio frequency (RF), it is possible to take control of a crane at manufacturing or construction facility, researchers said.

That is because RF technology is being used in operations to control various industrial machines, but the lack of security in communication protocols could lead to production sabotage, system control, and unauthorized access, said Stephen Hilt, senior threat researcher at Trend Micro and Jonathan Andersson, manager of the advanced security research at Trend Micro Research in a session at the S4x19 conference in Miami Beach, FL, last week.

RELATED STORIES
S4: Warning Signs Before Triton Attack
S4: Security Journey Just Beginning
S4: Schneider, Nozomi Ink Partner Pact
Safety, Physical, Cyber Security Triangle Converging

Hilt and Andersson said there are five types of potential attacks:
1. Replay attack, where the attacker records RF packets and replays them to obtain basic control of the machine
2. Command injection, where the attacker knowing the RF protocol, he or she can arbitrarily and selectively modify RF packets to completely control the machine
3. E-Stop abuse, where the attacker can replay e-stop (emergency stop) commands indefinitely to engage a persistent denial-of-service (DoS) condition
4. Malicious repairing, where the attacker can clone a remote controller or its functionality to hijack a legitimate one
5. Malicious reprogramming and remote attack vectors, where the attacker “Trojanizes” the firmware running on the remote controllers to obtain persistent, full remote control

“We were able to control cranes in a very easy kind of attack,” the researchers said in an interview.

Compromising the security of industrial remotes and machines would require transmission protocol know-how and the right tools, Trend Micro researchers said in a paper on the subject.

Launching a replay attack or e-stop abuse, for instance, would need only an appropriate device that costs a few hundred U.S. dollars, they said. Meanwhile, attacks such as command injection, malicious re-pairing, and malicious reprogramming could require target equipment, which can cost from a hundred to a few thousand U.S. dollars. Attacker motivations may vary, but ultimately, significant business impact such as financial losses, system unavailability, and operator injuries could come into play as safety-critical machinery is involved.

In a testing of the attack, researchers were able to place an antenna on the roof of a car and from inside they were able to detect signals from a transmitter on the field that was 300 meters away. A casual attacker with no advanced skills whatsoever equipped with a software-defined radio (SDR) can record a command and replay it under risky conditions. An attacker equipped with signal amplifiers and professional antennas could extend the range to several kilometers.

Industrial radio remote controllers have higher replacement costs and longer service life spans. This means that vulnerabilities can persist for years, if not for decades. During the research, they found industrial remote controllers that had been deployed in production for more than 15 years.

Industrial devices are also relatively more difficult to promptly patch because some of them are deployed in isolation, left undisturbed until one gets worn out and needs replacement. Some companies that use industrial radio remotes may even expect patching to interfere with business continuity and add up to operational costs.

“All the companies that intended to patch have patched their products,” Andersson said. The catch is, however, while patches are available, when, and how, will end users patch the devices?

The Trend Micro researchers recommended applying timely patches to prevent attackers from taking advantage of vulnerabilities to get into systems.

Trend Micro released a research paper entitled, “A Security Analysis of Radio Remote Controllers for Industrial Applications” for a more indepth look at thje threats to industrial radio remote controllers.

Wednesday, January 16, 2019 @ 02:01 PM gHale

By Gregory Hale
There were signs of an impending security issue was imminent months before the Triton safety system attack on a Saudi Arabian refinery, a researcher revealed Tuesday.

“What isn’t publicly known is there was an additional outage in June 2017 on a Saturday evening where there was a skeleton crew working,” said Julian Gutmanis, during a Tuesday talk at the S4x19 conference in Miami. Gutmanis is a security researcher initially brought in by the victim organization once the attack had been discovered.

RELATED STORIES
S4: Security Journey Just Beginning
S4: Schneider, Nozomi Ink Partner Pact
Safety, Physical, Cyber Security Triangle Converging
Oil Giant Attacked to Steal Money

In the Triton event, a Saudi Arabian refinery suffered a shutdown of its facility in August 2017 and the controllers of a targeted Schneider Electric Triconex safety system failed safe.

During an initial investigation after the August incident, security professionals noticed there were some suspicious things going on and that is when they found the Triton malware. The safety instrumented system (SIS) engineering workstation was compromised and had the Triton (also called Trisis and HatMan) malware deployed on it. The distributed control system (DCS) was also compromised. The attacker had the ability to manipulate the DCS while reprogramming the SIS controllers.

In Gutmanis’ talk, he mentioned in the June incident, one safety controller ended up affected, but no one really could figure out the issue, so the company pulled the controller out and sent it in to Schneider to conduct a diagnostic safety check.

At that point, “nothing surprising was identified,” Gutmanis said.

“The next outage was on August 4 – a Friday where multiple controllers were affected; six controllers went down,” he said.

Investigation Begins
At the time, the distributed control system (DCS) was still reflecting normal operations. The engineers came out to investigate. They reviewed Windows event logs and identified unexpected RDP sessions. At this point the vendor, whom Gutmanis did not name, recommended actions on the impacted systems.

That is when Gutmanis’ team kicked off an investigation. They conducted typical incident response activities, and it didn’t take long to understand they had to expand the scope of the investigation. They then started a timeline of events.

Some of the initial findings included:
• Python scripts were created in the engineering workstation in close proximity to the August outage, which was the Triton malware
• Unknown programs were running in the affected controllers’ memory
• There was poor configuration of the DMZ which allowed attackers to pivot to the control network
• Communications to engineering workstation traced through pivot points to the organization’s perimeter

There was then an escalation in the investigation where the researchers found the entire environment was thought to be compromised where extremely complex attack tools were identified and traced to a remote attacker.

Safety System Compromise
In addition, the found the integrity of the emergency shut down system (ESD) was compromised, and could not be trusted. Also the incident response team provided the safety system vendor attack tools for analysis. The team also recommended a full compromise assessment across the entire organization.

At that point, the team went into containment mode. They surmised recent incidents having an impact on the region focused on system destruction and disruption, but not yet reaching the OT environment. They also found what they said were suspected beacons identified from the control network. There were considerations made regarding potential for a “time bomb” style attack. Also, actions were taken to isolate the systems, with significant considerations regarding emergency manual shutdown procedures. The eradication event included multiple parties across entire IT/OT environments.

“The target got lucky,” Gutmanis said. “The outages were not intended. While the target was lucky, it was still expensive for them.”

In his post op thoughts, Gutmanis said it was unclear where support demarcations and staff movement resulted in security holes, plus the scope of the initial investigation was insufficient which allowed the attackers another two months to tune their tools.

“There was many places that this incident could have been prevented, identified or stopped earlier,” Gutmanis said.

Security Culture
In addition, the victim needs to ensure a proper security culture is maintained within the plant environment. Also, it should “ensure support demarcation roles and responsibilities are well defined.

Other thoughts Gutmanis shared were:
• You should properly deploy, audit and monitor your defense
• Understand communication flows within your network and look for anomalies
• Make sure you and your vendors are on the same page
• Get help before you need it

As a result of the report at S4x19, Schneider Electric officials released a statement:
“In light of new claims made at S4x19, we recount our response to the Triton incident, which occurred on August 4, 2017.

“We deployed a support engineer to the site within four hours of the end user’s request. Thereafter, our on-site experts conducted a comprehensive analysis. Once they determined the incident to be cybersecurity-related, they turned the investigation over to the end user, who hired FireEye for attack eviction and site remediation. FireEye worked directly with the end user, and at the end user’s request, Schneider Electric communicated only with FireEye. At every step, we have cooperated fully with the end user, FireEye and the U.S. Department of Homeland Security, with coordination from the U.S. Federal Bureau of Investigation.

“We continue to be open and transparent about the incident to learn from Triton and to help the broader goal of worldwide cyberattack prevention.”

Wednesday, January 16, 2019 @ 11:01 AM gHale

By Gregory Hale
Security in the industrial control environment has come a long way, there is no doubt, but the reality is with all the awareness, all the technology advances, all the attacks, the industry is just beginning.

“You have made progress since 2015, said Dale Peterson, founder and chief executive of Digital Bond and founder of ICS-related S4 conference during his keynote address Monday at the S4x19 conference in Miami. “We are 18 years from 9/11 and you would like to think we are at the summit, but in 2019 we are just starting our journey.”

RELATED STORIES
S4: Schneider, Nozomi Ink Partner Pact
Safety, Physical, Cyber Security Triangle Converging
Oil Giant Attacked to Steal Money
Supply Chain Security, a Charter Requirement

While it may seem like progress is slow, and industry users and vendors have been slow to move forward in adapting and adopting technologies and new practices, Peterson looks at the evolving ICS environment a bit differently.

“Success will come in a way different than you will expect,” he said. “We are at the beginning. We have come through security by obscurity and denial, where people would say this will never happen to us.”

This new year follows up on what Peterson called “2018 was the year of cyber hygiene.”

That was where asset owners were testing systems to meet cyber hygiene standards.

The issue, Peterson said, is end users are “having a hard time implementing cyber hygiene.”

While they are trying to clean up systems and make them run more efficiently, attacks are still ongoing.

“We are falling behind.,” he said “Attacks are increasing. (Attackers) know to go after safety systems to cause events.”

That part of the equation is relatively new, but Peterson asked, “What happens when criminals figure out how to make money? That is when it will really take off. This is all occurring faster, and we are falling behind.”

Just trying to get a grasp of what is going on over an entire network that is increasing its connectivity, while also fending off intentional and unintentional attacks from insiders or nation states, while also asking for more funding to get to a certain level of security, while trying to figure out when to install the latest patches, it is easy to flail away doing the same thing and using the same approach. That all may work, but in the end, it will start to consume security professionals.

“That is why we have to have a new way to do (security),” Peterson said. “We need to ask better questions.”

Wednesday, January 16, 2019 @ 09:01 AM gHale

By Gregory Hale
Schneider Electric signed a global partnership agreement with network monitoring provider, Nozomi Networks.

Schneider will collaborate with Nozomi to provide users in the industrial manufacturing and critical infrastructure segments advanced anomaly detection, vulnerability assessment and other cybersecurity solutions and services, helping them to control, prevent and mitigate risks to their operations and business performance.

RELATED STORIES
Safety, Physical, Cyber Security Triangle Converging
Oil Giant Attacked to Steal Money
Supply Chain Security, a Charter Requirement
ROK: Security’s ‘Tower of Babel’

The pact allows Schneider to respond more aggressively to immediate demand for effective, operational technology cybersecurity services, solutions and expertise in oil and gas, power, building automation and other industrial sectors.

“This agreement helps mitigate the challenges by the threat vector moving forward,” said Gary Williams, senior director cybersecurity service offer leader at Schneider Electric at the S4x19 conference in Miami. “We have a trusted partner that can mitigate risks moving forward that can give you an early indication of something that is happening.”

Schneider will offer Nozomi Networks’ advanced solutions for industrial control system cyber resiliency and real-time operational visibility to customers worldwide.

“Nozomi is now part of the Schneider EcoStructure,” Williams said.

EcoStruxure is Schneider’s open, interoperable, IoT-enabled system architecture and platform. EcoStruxure leverages advancements in IoT, mobility, sensing, cloud, analytics and cybersecurity.

Schneider will combine its EcoStruxure IIoT solutions with Nozomi’s SCADAguardian platform for increased visibility, including:
• Advanced ICS Cybersecurity Solutions: The bundled solution will deliver network visibility and OT cybersecurity industry operators require in one, comprehensive and highly scalable solution. Nozomi Networks SCADAguardian solution provides accurate asset discovery, superior threat detection and flexible and scalable deployment options.
• Nozomi Networks Certified Consultants: Schneider consultants around the world will train as certified Nozomi Networks engineers, scaling to support clients throughout their cybersecurity solution implementation, and providing OT threat hunting and forensic analysis.
• SCADAguardian Live in Schneider Sites: Schneider customers can experience Nozomi’s real-time operational visibility and cybersecurity solutions via live threat scenarios running in Schneider sites around the world.

On top of the network monitoring capabilities, Nozomi is also providing its threat intelligence services, said Chet Namboodri, vice president of Alliances & Business Development at Nozomi Networks at the S4 conference.

“I hear about (users) fear of cyber compromise because of rapidly increasing cyber threats,” Namboodri said. “At the same time, they’re working to digitally transform their businesses, which unfortunately makes their industrial systems more vulnerable.”

Nozomi offers passive monitoring, but also provides active monitoring capabilities, which more users as starting to ask for.

Its SCADAguardian Advanced (SGA) leverages Nozomi’s passive-only discovery and analysis, and incorporates active capabilities, giving operators the option to discover and monitor a specific and more complete set of ICS data.

“We have had the capability to offer active monitoring for about five years, but the industry is now asking for it,” Namboodri said.

Tuesday, December 18, 2018 @ 03:12 PM gHale

By Heather MacKenzie
With the responsibility to keep their companies ahead of all enterprise-wide threats, CIOs or CISOs certainly feel the increased pressure. Oftentimes these security leaders “grow up” in IT-centered roles, leaving them to feel they’ve got threat detection and response under control.

But, what about the operational technology (OT) side of the company?

If operational disruptions or theft of intellectual property aren’t keeping them up at night, they should be. The absence of OT from the digital risk management mix frustrates CEOs and board members alike. That’s because industrial cyber risks continue to increase.

RELATED STORIES
Managing Risk and Protecting Reputation
Russian Cyberattacks on Critical Infrastructure
17 Zero Days Cleared in OPC UA
Attack Group Targets Healthcare, Manufacturing

A key part of the solution is simple: An IT/OT SOC.

For companies with an existing security operations center (SOC), no matter the model, OT systems can be integrated into the mandate of its existing function. We highly recommend this integrated approach – and the good news is there is a straightforward way to include industrial threat oversight.

Combined Approach
A SOC is a team, sometimes working at a dedicated facility, whose primary role is to manage and mitigate cybersecurity threats. This team of security analysts and engineers monitors network and device activity to identify and thwart issues. As a result, they protect the business and its sensitive data, plus ensure compliance with industry and government rules.

SOCs can take many forms – from virtual to co-managed to a dedicated, in-house function.

Choosing the right model will depend on a company’s needs and resources. Many companies are opting for a SOC over other options as they strive for more control over security monitoring and how they handle threat mitigation.

But, these SOCs often only include IT systems. As threats to OT systems intensify, there are several key reasons to add in OT and evolve into an integrated, enterprise-wide SOC. They include:
Faster. By monitoring all systems in a centralized SOC, there’s less risk for communication breakdowns between separate OT and IT teams. You also eliminate the likelihood of incidents being dropped when passed between teams for handling
Cheaper. Instead of having two SOCs – one for IT and one for OT – it’s far more cost-effective to combine the two under one umbrella with shared resources, technology and facilities.
Better. To properly protect OT systems, it takes IT skills and OT knowledge. Many teams find it easier to train IT people on OT sensitivities than to train OT people on IT cybersecurity skills. This is easier to accomplish with a unified SOC.
Broader. For full, integrated visibility to threats, an IT/OT SOC delivers the complete situational awareness needed to protect both the business and industrial sides of the organization.

“Organizations with both IT and OT struggle with the coexistence of two separate security and risk management functions. This leads to a dispersed view on the overall operational risk the organization is facing,’ said Gartner in its “How to Organize Security and Risk Management in a Converged IT/OT Environment” report last year.

“In a continuously evolving threat landscape, a single established security and risk management function is better-positioned to address these threats across both IT and OT. A single leader of this function can also be held accountable for the organization’s overall digital risk. As an added benefit, scarce security resources can now be deployed to address both IT and OT,” the report said.

IT/OT SOC Transition
While choosing to move to an enterprise-level SOC is an important choice, it will take time and thought to execute. OT systems come with security challenges that are unique. Meeting OT’s security needs will require a deeper knowledge and understanding by the overarching SOC team.

Before beginning a transition, consider and discuss how to tackle these three critical areas:
• Technology – It’s important to ensure any solutions or software meet OT’s specific requirements and can also integrate seamlessly into the existing IT SOC infrastructure. Both are equally important. A gap on either side will create barriers to a successful transition.
• People Resources – An enterprise-level SOC is going to need people who specialize in industrial These new team members might work out of the company’s dedicated facility, or they could be part of a virtual or extended team. No matter how it’s resourced or staffed, expert industrial and OT knowledge will be a necessity. One way to keep costs down and avoid issues with sourcing quality staff is to keep the team members at one physical location and provide the appropriate cross-training.
• Accountability – The only way to truly bring IT and OT together into one SOC is to create a culture of unity, starting from the top down. First, it will be important to have the teams report to one leader – the person ultimately responsible for companywide cyber risk – and to share common goals and KPIs. Then, as teams begin to merge, they should go through exercises to get to know one another and understand the others’ priorities and challenges. The more quickly they can work seamlessly as a team, with speed and agility, the more successful the IT/OT SOC will be at achieving its goals and delivering business value.

Cyber Resiliency
A IT/OT SOC is a forward-thinking way to address and mitigate cyber risks companywide.

A combined structure taps into the individual strengths of IT and OT team members, ultimately creating a faster, comprehensive and more cost-effective approach to digital risk management.

We believe this approach is not just a trend, but the future norm.
Heather MacKenzie is an ICS Cybersecurity Specialist at Nozomi Networks. She has worked in industrial cybersecurity since 2008. She helps OT/IT teams responsible for industrial control networks understand cyber risks.