Posts Tagged ‘energy’
Wednesday, July 29, 2015 @ 10:07 AM gHale
A cyber espionage group called Black Vine is targeting multiple industries including energy, aerospace and healthcare, researchers said.
The most prominent attack came to light last year when healthcare provider Anthem suffered a breach in which over 80 million records were stolen. An administrator noticed multiple queries running under his account that he had not executed; that discovery soon led Anthem to realize it was under attack from an advanced cyber espionage group.
The breach, conducted by Black Vine, was only one of several targeted campaigns, which spread across multiple industries, according to a report by security provider Symantec. Since 2012, Black Vine has conducted targeted attacks against multiple industries, including the energy, aerospace, and healthcare sectors.
The group, in existence since 2012, uses advanced custom-developed malware, Zero Day exploits, and other tactics, techniques and procedures (TTPs) typically associated with highly capable, organized attackers, the Symantec report said.
Symantec went on to study Black Vine’s known attacks since 2012. Connecting multiple Black Vine campaigns over time not only shows the group’s previous operations, but also demonstrates how the attackers have rolled with the times.
After researching Black Vine’s attacks over time, Symantec identified the following key findings:
• Black Vine is responsible for carrying out cyber espionage campaigns against multiple industries, including energy, aerospace, and healthcare.
• Black Vine conducts watering-hole attacks targeting legitimate energy- and aerospace-related websites to compromise the sites’ visitors with custom malware.
• Black Vine appears to have access to the Elderwood framework, used to distribute Zero Day exploits among threat groups that specialize in cyber espionage.
• Black Vine uses custom-developed malware and has resources to frequently update and modify its malware to avoid detection.
Symantec research found Black Vine is an attack group with working relationships with multiple cyber espionage groups. The group is well funded, well organized, and consists of at least a few members, some of whom may have a past or present association with a China-based IT security organization called Topsec.
Over the course of the Black Vine investigation, Symantec identified a number of targeted companies across several verticals. Analysis of attack data alone is misleading, however, because of Black Vine’s attack vectors: the group frequently conducts watering-hole attacks, in which an attacker compromises a legitimate website and uses it to serve malware to the site’s visitors.
As a result, an analysis of compromised computers alone does not portray an accurate picture of Black Vine’s targeting objectives, Symantec said. Instead, it showed the industries with the highest infection rates of Black Vine’s malware.
To further determine Black Vine’s intended target industries, Symantec assessed the companies that own the affected websites. Symantec also investigated attacks conducted by Black Vine that did not involve watering holes. After assessing multiple attack verticals, Symantec believes Black Vine’s primary targeted industries have been aerospace and healthcare. Other affected industries were likely secondary targets.
Black Vine’s targets are across several regions, based on the IP address locations of the compromised computers. The vast majority of affected companies are in the U.S., followed by China, Canada, Italy, Denmark, and India.
Black Vine used three variants of malware over the years, known as Hurix, Sakurel, and Mivast. All three originated from one malware family likely created and updated by the same author or developer, Symantec said. Each variant was updated over time to add features and re-hashed to avoid detection.
In a number of attacks, the malware was delivered onto the victim’s computer after Black Vine had exploited a Zero Day vulnerability, primarily through watering-hole attacks. The Zero Day exploits used in these attacks were distributed via the Elderwood framework.
The goal of all analyzed Black Vine campaigns has been cyber espionage.
Click here for the full report.
Monday, May 4, 2015 @ 11:05 AM gHale
In a move to fight climate change, greenhouse gas emissions in California must be cut by 40 percent by 2030, the governor said after issuing an executive order.
The targeted reduction level ties back to 1990 levels and is “the most aggressive benchmark enacted by any government in North America to reduce dangerous carbon emissions,” said California Governor Jerry Brown.
California operates the nation’s largest carbon cap and trade system. The state sets an overall limit on carbon emissions and allows businesses to hand in tradeable permits to meet their obligations.
Achieving the new target will require reductions from sectors including industry, agriculture, energy and state and local governments, Brown said.
“I’ve set a very high bar, but it’s a bar we must meet,” Brown told a carbon market conference in downtown Los Angeles.
Brown said the new target will position California as a leader in combating climate change in the United States and internationally.
Brown said he has spoken to leaders in Oregon, Washington and Northeastern states about collaborating with California to cut their output of heat-trapping greenhouse gases. Those states could potentially link to California’s carbon market in future years.
He said he has had similar discussions with leaders in the Canadian provinces of Quebec, British Columbia and Ontario, as well as in Germany, China and Mexico.
Quebec already has links to the California market. Leaders in Ontario this month signaled their intention to join the program.
“This will be a local policy but it will be globally focused,” Brown said.
The plan for how California will achieve the 2030 target will be hammered out over the next year by the California Air Resources Board (ARB), which oversees the cap-and-trade program.
Wednesday, July 23, 2014 @ 12:07 PM gHale
A variant of the Havex malware contains an OPC scanner that could be leveraged to launch cyber attacks against critical infrastructure, researchers said.
FireEye investigators uncovered the scanner while investigating a Havex variant called “Fertger” or “Peacepipe.”
This variant is the first publicized version of the malware reported to actively scan OPC servers used for controlling SCADA (Supervisory Control and Data Acquisition) devices in the critical infrastructure, energy and manufacturing sectors, said FireEye Threat Intelligence Analyst Kyle Wilhoit in a blog post.
“If an attacker wanted to attack an OPC server, they would need and want details of the OPC servers they were targeting. Having the OPC scan data gives the attacker enough information to start possible next phases of an attack against a SCADA environment,” he said.
Havex is a family of remote-access Trojans used during several attacks on critical infrastructure. It has been active for at least the past year, and its mission has been to pull vast amounts of information from infected machines.
“While Havex itself is a somewhat simple PHP Remote Access Trojan (RAT) that has been analyzed by other sources, none of these have covered the scanning functionality that could impact SCADA devices and other industrial control systems (ICS),” Wilhoit said. “Specifically, this Havex variant targets servers involved in OPC (Object linking and embedding for Process Control) communication, a client/server technology widely used in process control systems (for example, to control water pumps, turbines, tanks, etc.).”
“Since ICS networks typically don’t have a high level of visibility into the environment, there are several ways to help minimize some of the risks associated with a threat like Havex. First, ICS environments need to have the ability to perform full packet capture. This gives incident responders and engineers better visibility should an incident occur.
“Also, having mature incident processes for your ICS environment is important. Being able to have security engineers that also understand ICS environments during an incident is paramount. Finally, having trained professionals consistently perform security checks on ICS environments is helpful. This ensures standard sets of security protocols and best practices are followed within a highly secure environment,” he said.
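As an added example (not code from FireEye’s analysis or from the Havex sample), the following Python flags the network footprint an OPC server sweep leaves in the kind of packet capture Wilhoit recommends. It assumes classic OPC DA, whose discovery rides on DCOM and therefore touches the RPC endpoint mapper on TCP 135 of every candidate host; the fan-out threshold, the time window and the sample connection records are constructed values.

```python
"""Detect OPC server enumeration from connection records (added example).

Assumes classic OPC DA over DCOM: discovery starts at the RPC endpoint mapper
on TCP 135 of each candidate host, so a scanner fans out from one source to
many hosts on 135 in a short window. Threshold and window are assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass

RPC_EPM_PORT = 135      # DCOM/RPC endpoint mapper, first hop of OPC DA discovery
FANOUT_THRESHOLD = 5    # distinct hosts before a source is flagged (assumed)
WINDOW_SECONDS = 60     # sliding window length in seconds (assumed)

@dataclass(frozen=True)
class Conn:
    ts: float   # epoch seconds
    src: str
    dst: str
    dport: int

def parse_conn(line: str) -> Conn:
    """Parse a constructed 'ts src dst dport' record, e.g. exported from a pcap."""
    ts, src, dst, dport = line.split()
    return Conn(float(ts), src, dst, int(dport))

def detect_opc_scanners(conns, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: time first flagged} for sources reaching >= threshold
    distinct hosts on the endpoint mapper port within any window-second span."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        if c.dport == RPC_EPM_PORT:
            by_src[c.src].append(c)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end, c in enumerate(evs):
            while c.ts - evs[start].ts > window:   # slide window forward
                start += 1
            if len({e.dst for e in evs[start:end + 1]}) >= threshold:
                flagged[src] = c.ts
                break
    return flagged

# Constructed sample: an HMI polling its two usual OPC servers, and an infected
# engineering workstation sweeping the control network segment.
SAMPLE_LOG = """\
1000.0 10.0.1.20 10.0.1.50 135
1001.0 10.0.1.20 10.0.1.51 135
1200.0 10.0.1.20 10.0.1.50 135
1500.0 10.0.1.77 10.0.1.50 135
1500.5 10.0.1.77 10.0.1.51 135
1501.0 10.0.1.77 10.0.1.52 135
1501.5 10.0.1.77 10.0.1.53 135
1502.0 10.0.1.77 10.0.1.54 135
1502.5 10.0.1.77 10.0.1.55 80
"""

def scan_sample():
    return detect_opc_scanners(parse_conn(l) for l in SAMPLE_LOG.splitlines())
```

Normal HMI-to-server polling stays below the fan-out threshold, while the sweeping workstation is flagged at the moment it reaches its fifth distinct host.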
Havex is just one threat facing critical infrastructure organizations. ICS-CERT urged critical infrastructure companies to check their networks for signs of intrusion following the discovery of a fresh Dragonfly hack campaign earlier in July.
Click here for more information from Wilhoit’s blog.
Friday, July 11, 2014 @ 04:07 PM gHale
If this doesn’t convince everyone that security is necessary, then nothing will: Almost 70 percent of surveyed companies responsible for the world’s power, water and other critical functions reported at least one security breach that led to the loss of confidential information or disruption of operations in the past year.
Of the 599 security executives at utility, oil and gas, energy and manufacturing companies, 64 percent anticipated one or more serious attacks in the coming year, according to the report conducted by Unisys and the Ponemon Institute. Despite this risk, only 28 percent ranked security as one of the top five strategic priorities for their organization. Flying in the face of one of the major reasons users should implement security, a majority of those surveyed said their top business priority is minimizing downtime.
“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks.”
Only one in six respondents describe their organization’s IT security program or activities as mature. Respondents who reported suffering a data breach within the past year most often attributed these breaches to an internal accident or mistake, and negligent insiders were the most cited threat to company security. Despite these findings, only six percent of respondents said they provide cybersecurity training for all employees.
“Whether malicious or accidental, threats from the inside are just as real and devastating as those coming from the outside,” said Dave Frymier, chief information security officer at Unisys. “We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems against attacks. Action should be taken before an incident occurs, not just after a breach.”
The survey also highlighted the concerns many of these executives feel regarding the security of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control the processes and operations for power generation and other critical infrastructure functions.
When asked about the likelihood of an attack on their organizations’ ICS or SCADA systems, 78 percent of the senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. Just 21 percent of respondents thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards, which appears to mean tighter controls and better adoption of standards, along with vigilance, are ingredients to the recipe for success.
Click here for the full report.
Wednesday, April 2, 2014 @ 03:04 PM gHale
Starnes E. Walker will head up the new University of Delaware Cybersecurity Initiative (UDCSI), with a special emphasis on issues facing corporate America.
Walker, a physicist with 35 years of leadership experience in research, development and engineering to enhance national security, became the founding director effective April 1.
Walker has held senior management positions in the U.S. Departments of Defense, Energy and Homeland Security, as well as industry. He has developed critical programs and aligned strategic systems across the U.S. and around the globe, forging key partnerships with the United Kingdom, Australia, Singapore, Israel, Sweden, the European Union and NATO.
A key focus of Walker’s appointment at UDCSI will be corporate cyber security. According to a 2012 survey of more than 9,600 global business executives by PricewaterhouseCoopers (PwC), CIO and CSO, more than 41 percent of U.S. respondents experienced one or more security incidents during the past year, ranging from financial losses to intellectual property theft.
“With Dr. Walker’s appointment as founding director of our Cybersecurity Initiative, the University of Delaware gains exceptional expertise in an area of urgent concern,” said University Provost Domenico Grasso. “Under Dr. Walker’s leadership, UD will develop new partnerships to advance cyber security education and research and create prominent academic programs at the undergraduate and graduate levels, as well as certificate programs for corporate and government professionals.”
“I am honored to join the University of Delaware and to have this opportunity to help prepare the next generation of leaders who will protect the U.S. against cyber attacks,” Walker said. “UD’s new Cybersecurity Initiative is going to be an all-around ‘win’—for the University, for the State of Delaware, for the nation and for all of the businesses incorporated here and beyond, from the financial sector to the energy sector, and absolutely, for the public.”
The United States has a serious cyber workforce shortage, with only 1,000 skilled specialists in the field when the nation needs as many as 30,000, according to James Gosler, founding director of the CIA’s Clandestine Information Technology Office.
Tuesday, June 18, 2013 @ 04:06 PM gHale
By Gregory Hale
The industry is losing around $400 billion a year to cyber attacks.
“Cyber attacks are an area where users are under invested,” said Darius Adamczyk, president and chief executive at Honeywell Process Solutions, during Monday’s keynote at the Honeywell Users Group (HUG) in Phoenix, AZ. “This is something I worry about every day. There needs to be more awareness. There is $400 billion lost a year due to cyber attacks.”
That security is top of mind for Adamczyk underscores the dire need for the industry to come to grips with the fact that manufacturing automation users are, for the most part, not prepared to face and fend off a cyber attack.
“I just hope it doesn’t take a crisis for us to start spending (on security solutions),” Adamczyk said.
Safety was also a key element to Adamczyk’s keynote as he said Honeywell was well below the average of safety incidents in the United States, but he feared the U.S. average was going to rise in the wake of safety incidents like the explosion at the fertilizer plant in West, Texas.
“For us process safety is a given,” Adamczyk said. “Our approach to safety is broader though: Integrated safety. All integrated in one seamless package.”
“Safety has plateaued,” he said. “My guess is it will be getting worse than better,” in the wake of the recent safety incidents. “Safety has to be job one.”
While safety and security were important elements to Adamczyk’s talk, he also mentioned other key trends HPS is focusing on like energy, improving relationships with end users, and reiterating Honeywell is more of a full service integrator compared to a hardware provider.
When it comes to producing more energy, Adamczyk said the U.S. is still an importer, but that trend is changing.
“From the 1980s until 2010, there has been a decline in production, but that has changed,” he said. “We are still a net importer of energy, but by 2020 we will be about even and by 2040 we will be an exporter by 12 percent.”
Another area the industry is keeping a keen eye on is the aging workforce and the potential for Baby Boomers getting ready to retire and take all the knowledge out the door with them. “By 2020 workers aged 55 and older will be almost 25 percent of the workforce,” he said. That also shows great potential for automation to come in and help alleviate some of the worker crunch.
Adamczyk also spent some time talking about how the real key in the industry is making – and keeping – relationships.
“If we can’t keep a relationship from the beginning of the lifecycle through the end, then we have absolutely failed.”
Friday, June 7, 2013 @ 03:06 PM gHale
The security services market continues to consolidate, as SilverSky acquired the managed security services division of StillSecure.
The Milford, CT-based security firm, formerly known as Perimeter E-Security, built out managed security services in recent years. The firm said the StillSecure division will add new log archiving capabilities and a web application firewall service. SilverSky has about 95 clients in the financial services, retail, healthcare, energy, critical infrastructure and manufacturing sectors with a deal size of more than $25,000, according to Forrester Research. The company said it has 6,000 customers.
In addition to bringing on about 40 people, including eight security engineers, SilverSky will also add Superior, CO-based StillSecure’s two security operation centers located in Denver and Ft. Lauderdale, FL. StillSecure has about 30 clients with a deal size of greater than $25,000, according to Forrester.
SilverSky CTO Andrew Jaquith pledged the company’s full support of current StillSecure customers and channel partners. The two StillSecure locations will increase redundancy for SilverSky’s operations, Jaquith said. Integration of back-end operations should take about six months. Merging the sales and account teams should take about 30 days.
“We’re not looking to do anything radical that would make current StillSecure customers unhappy,” Jaquith said. “We are bringing their security operations and engineering and sales resources. There will be a fair amount of continuity with the staff.”
SilverSky’s business consists of mainly direct sales, while StillSecure sales have been nearly 100 percent through the channel. SilverSky’s managed security services currently provide network monitoring, security information event management and unified threat management systems. The company can support firewall, IDS/IPS and VPN remote user access services as part of a UTM package or on an a la carte basis. SilverSky will continue to offer cloud-based email security and its Secure Cloud Exchange service for Microsoft Exchange.
SilverSky’s announcement is one of a wave of mergers and acquisitions in recent months involving managed security services.
Deloitte last week acquired Vigilant, Inc., a consulting and managed services provider specializing in security monitoring and threat intelligence. The company will operate under the Vigilant by Deloitte brand. Vigilant’s customer base consists of 1,000 global clients, mainly in the financial sector. Meanwhile, Chicago-based security firm Trustwave acquired SecureConnect, an Eden Prairie, MN-based security services provider focused on PCI compliance and network security for clients in the hospitality industry.