Posts Tagged ‘energy’

Wednesday, April 2, 2014 @ 03:04 PM gHale

Starnes E. Walker will head up the new University of Delaware Cybersecurity Initiative (UDCSI), with a special emphasis on issues facing corporate America.

Walker, a physicist with 35 years of leadership experience in research, development and engineering to enhance national security, became the founding director effective April 1.

Walker has held senior management positions in the U.S. Departments of Defense, Energy and Homeland Security, as well as industry. He has developed critical programs and aligned strategic systems across the U.S. and around the globe, forging key partnerships with the United Kingdom, Australia, Singapore, Israel, Sweden, the European Union and NATO.

A key focus of Walker’s appointment at UDCSI will be corporate cyber security. According to a 2012 survey of more than 9,600 global business executives by PricewaterhouseCoopers (PwC), CIO and CSO, more than 41 percent of U.S. respondents experienced one or more security incidents during the past year, ranging from financial losses to intellectual property theft.

“With Dr. Walker’s appointment as founding director of our Cybersecurity Initiative, the University of Delaware gains exceptional expertise in an area of urgent concern,” said University Provost Domenico Grasso. “Under Dr. Walker’s leadership, UD will develop new partnerships to advance cyber security education and research and create prominent academic programs at the undergraduate and graduate levels, as well as certificate programs for corporate and government professionals.”

“I am honored to join the University of Delaware and to have this opportunity to help prepare the next generation of leaders who will protect the U.S. against cyber attacks,” Walker said. “UD’s new Cybersecurity Initiative is going to be an all-around ‘win’—for the University, for the State of Delaware, for the nation and for all of the businesses incorporated here and beyond, from the financial sector to the energy sector, and absolutely, for the public.”

The United States has a serious cyber workforce shortage, with only 1,000 skilled specialists in the field when the nation needs as many as 30,000, according to James Gosler, founding director of the CIA’s Clandestine Information Technology Office.

Monday, March 10, 2014 @ 06:03 PM gHale

Researchers have detected another cyber espionage campaign targeting industries including energy, finance, security and defense, and healthcare.

Dubbed “Siesta” because the delivered malware is ordered into periods of dormancy at regular intervals, the campaign starts with malicious emails delivered to the target company’s executives.

The “From” email address looks like the email came from another company employee, and the message contains a malicious link the victim should follow.

“The attacker serves the archive under a URL path named after the target organization’s name (http://{malicious domain}/{organization name}/{legitimate archive name}.zip),” the researchers said, and the downloaded file contains an executable masquerading as a PDF document.

“When executed, it drops and opens a valid PDF file, which was most probably taken from the target organization’s website. Along with this valid PDF file, another malicious component is also dropped and executed in the background,” they said.

This malicious component is a backdoor Trojan that connects to (short-lived) C&C servers at predefined intervals and downloads additional malicious files from a specified URL.
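As an added example (not code from the researchers' report), the following Python check covers the two delivery traits described above: an archive fetched from a `/{organization name}/…zip` path on a host the organization does not own, and an archive member that is an executable dressed up as a PDF. The archive, URLs, organization name and domains are constructed for the example; nothing in the archive is executed.

```python
"""Inspect a downloaded lure archive and its download URL without running anything.

Added example, not from the researchers' report. Two checks:
  * inspect_archive()  - opens a zip blob and flags members that are a Windows PE
                         image, carry a document.exe double extension, or are
                         named .pdf without PDF magic bytes.
  * url_matches_lure_pattern() - flags '/<org name>/<file>.zip' paths served from a
                         host that is not one of the organization's own domains.
The sample archive and URLs below are constructed and hypothetical.
"""
import io
import zipfile
from urllib.parse import urlparse

PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def classify_member(name, head):
    """Return the reasons a member looks like a disguised executable (empty if none)."""
    reasons = []
    lower = name.lower()
    if head.startswith(PE_MAGIC):
        reasons.append("pe_content")            # a PE image inside a "document" download
    stem, dot, ext = lower.rpartition(".")
    if dot and stem.endswith(DOCUMENT_EXTS) and "." + ext in EXECUTABLE_EXTS:
        reasons.append("double_extension")      # e.g. report.pdf.exe
    if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        reasons.append("extension_mismatch")    # named .pdf but not a PDF
    return reasons


def inspect_archive(data, head_bytes=8):
    """Map member name -> reasons for every suspicious member in a zip blob."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(head_bytes)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def url_matches_lure_pattern(url, org_name, own_domains):
    """True for http(s)://<foreign host>/<org name>/<anything>.zip."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in own_domains):
        return False
    segments = [s for s in parts.path.split("/") if s]
    return (len(segments) == 2
            and segments[0].lower() == org_name.lower()
            and segments[1].lower().endswith(".zip"))


def build_sample_archive():
    """Constructed lure archive: one real PDF decoy plus two disguised PE stubs."""
    fake_pe = PE_MAGIC + b"\x90" * 58 + b"\x40\x00\x00\x00"  # DOS-header stub, not runnable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Annual_Report.pdf", b"%PDF-1.4\n% constructed decoy document\n")
        zf.writestr("Annual_Report.pdf.exe", fake_pe)
        zf.writestr("Financials.pdf", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_archive(build_sample_archive()).items():
        print(f"SUSPICIOUS {member}: {', '.join(why)}")
    print(url_matches_lure_pattern("http://malicious.invalid/acme/Annual_Report.zip",
                                   "acme", {"acme.example"}))
```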

Different malware variants are used in the various campaigns, but they behave the same way. Another thing pointing to them all being run by the same attacker(s) is that the different C&C servers and domains have all been registered by the same registrant (different names, but the same email address: xiaomao{BLOCKED}).

“This individual also recently registered 79 additional domains. There are a total of roughly 17,000 domains registered with this same email address,” the researchers discovered, and this obviously points to a concerted effort.

The researchers didn’t say which organizations (and in which countries) ended up hit, and have refrained from sharing full filename and hashes of the malicious files delivered as the investigation is still ongoing.

Monday, July 8, 2013 @ 03:07 PM gHale

Alstom created a mitigation for an improper authorization vulnerability affecting the Alstom Grid MiCOM S1 Agile and S1 Studio Software, according to a report on ICS-CERT.

Keep in mind Alstom Grid MiCOM S1 Studio Software is its own software suite. A user could have MiCOM S1 Studio Software from a different vendor. This mitigation only addresses the Alstom software product. Alstom tested the update to validate that it resolves the vulnerability.

The following Alstom Grid products suffer from the issue: MiCOM S1 Agile Software, all versions up to and including v1.0.2, and legacy MiCOM S1 Studio Software, all versions.

Successful exploitation of this vulnerability may allow an attacker with read/modify user permissions for the MiCOM S1 file system to affect the availability of the application. Unauthorized attackers can then access the MiCOM S1 executable files. This vulnerability can affect products deployed in the energy, dams, healthcare and public health, water, chemical, and commercial facilities.

Alstom Grid is a global company that maintains offices in the U.S., UK, Canada, Italy, India, Brazil, France, Russia, Saudi Arabia, United Arab Emirates and Singapore.

The affected products, Alstom Grid MiCOM S1 Agile and Studio Software, allow users to configure Alstom Grid’s range of protective relays. According to Alstom, MiCOM S1 Software deploys mainly across the energy sector.

The MiCOM S1 Software does not limit user access to its installed executables to only authenticated administrative users. A malicious user with any level of access to the local system could replace executables within the MiCOM S1 Program Files directory with malicious files. When the MiCOM S1 application runs, the malicious executable could run instead. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality with the local system and a disruption in communications with other connected devices.

In addition, a Windows Service running under LocalSystem is within this directory as well. Replacing the associated executable, in this case, would allow lower privileged users to escalate their privileges to an administrator level on the system.
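As an added example (not the advisory's or Alstom's own code), the following Python audit parses `icacls` output and reports application binaries whose DACL grants write-class rights to a principal outside the administrative set, which is the condition described above. The vendor path, principals and output are constructed; on a real host, run `icacls` against the application's Program Files directory and feed its text to `audit()`.

```python
"""Audit icacls output for application binaries that low-privilege users can replace.

Added example, not code from the advisory or from Alstom. The weakness described
above is an executable under Program Files (including one started by a LocalSystem
service) whose DACL grants write-class rights to ordinary users. On the host, run
    icacls "C:\\Program Files\\<vendor>\\<app>\\*.exe"
and feed the text to audit(). The sample output, paths and principals below are
constructed and hypothetical.
"""
import re
from dataclasses import dataclass

# icacls rights tokens that let a principal overwrite, delete/replace, or take
# control of the file: full, modify, write, write-data, delete, delete-child,
# write-DAC and write-owner.
WRITE_CLASS = {"F", "M", "W", "WD", "D", "DC", "WDAC", "WO"}

# Principals expected to hold write access to installed binaries.
TRUSTED = {
    "builtin\\administrators",
    "nt authority\\system",
    "nt service\\trustedinstaller",
}

# Constructed icacls output for two binaries; AppService.exe carries the bad ACE.
SAMPLE_ICACLS = r"""
C:\Program Files\Vendor\App\AppService.exe BUILTIN\Administrators:(I)(F)
                                           NT AUTHORITY\SYSTEM:(I)(F)
                                           BUILTIN\Users:(I)(M)
                                           Everyone:(DENY)(D)
C:\Program Files\Vendor\App\Config.exe BUILTIN\Administrators:(I)(F)
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Users:(I)(RX)
Successfully processed 2 files; Failed processing 0 files
"""

# First line of each file: "<drive>:\<path>.<ext> <principal>:(rights)..."
_FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]+)\s+(?P<ace>\S.*)$")


@dataclass(frozen=True)
class Ace:
    path: str
    principal: str
    rights: frozenset  # e.g. {"I", "F"}; "DENY" marks a deny entry


def _parse_ace(path, text):
    principal, rights_text = text.rsplit(":", 1)
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", rights_text):
        tokens.update(t.strip() for t in group.split(","))  # handles "(R,W)" groups
    return Ace(path, principal.strip(), frozenset(tokens))


def parse_icacls(text):
    """Parse icacls output into Ace records; continuation lines inherit the path."""
    aces, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        m = _FILE_LINE.match(line)
        if m:
            path, line = m.group("path"), m.group("ace")
        elif path is None:
            raise ValueError(f"ACE line without a preceding path: {line!r}")
        aces.append(_parse_ace(path, line))
    return aces


def find_weak_aces(aces):
    """Allow ACEs that give write-class rights to a principal outside TRUSTED."""
    return [a for a in aces
            if "DENY" not in a.rights
            and a.principal.lower() not in TRUSTED
            and a.rights & WRITE_CLASS]


def audit(text):
    """Return the sorted list of binaries a low-privilege user could replace."""
    return sorted({a.path for a in find_weak_aces(parse_icacls(text))})


if __name__ == "__main__":
    for ace in find_weak_aces(parse_icacls(SAMPLE_ICACLS)):
        print(f"WEAK  {ace.path}  {ace.principal}  {sorted(ace.rights & WRITE_CLASS)}")
```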

CVE-2013-2786 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.0.

This vulnerability is not remotely exploitable and cannot be exploited without local system access by an authorized user. To date, no known public exploits specifically target it. An attacker with a high skill level would be able to exploit this vulnerability.

Alstom released MiCOM S1 Agile version v1.0.3 that mitigates the vulnerability by controlling which users can access MiCOM S1 Agile files and services.

A user can get the update by emailing Alstom at the Alstom Grid Contact Centre.

Tuesday, June 18, 2013 @ 04:06 PM gHale

By Gregory Hale
The industry is losing around $400 billion a year to cyber attacks.

“Cyber attacks are an area where users are under invested,” said Darius Adamczyk, president and chief executive at Honeywell Process Solutions, during Monday’s keynote at the Honeywell Users Group (HUG) in Phoenix, AZ. “This is something I worry about every day. There needs to be more awareness. There is $400 billion lost a year due to cyber attacks.”

That security is top of mind for Adamczyk underscores the dire need for the industry to come to grips with the fact that manufacturing automation users are, for the most part, not prepared to face and fend off a cyber attack.

“I just hope it doesn’t take a crisis for us to start spending (on security solutions),” Adamczyk said.

Safety was also a key element to Adamczyk’s keynote as he said Honeywell was well below the average of safety incidents in the United States, but he feared the U.S. average was going to rise in the wake of safety incidents like the explosion at the fertilizer plant in West, Texas.

“For us process safety is a given,” Adamczyk said. “Our approach to safety is broader though: Integrated safety. All integrated in one seamless package.”

“Safety has plateaued,” he said. “My guess is it will be getting worse than better,” in the wake of the recent safety incidents. “Safety has to be job one.”

While safety and security were important elements to Adamczyk’s talk, he also mentioned other key trends HPS is focusing on like energy, improving relationships with end users, and reiterating Honeywell is more of a full service integrator compared to a hardware provider.

When it comes to producing more energy, Adamczyk said the U.S. is still an importer, but that trend is changing.

“From the 1980s until 2010, there has been a decline in production, but that has changed,” he said. “We are still a net importer of energy, but by 2020 we will be about even and by 2040 we will be an exporter by 12 percent.”

Another area the industry is keeping a keen eye on is the aging workforce and the potential for Baby Boomers getting ready to retire and take all the knowledge out the door with them. “By 2020 workers aged 55 and older will be almost 25 percent of the workforce,” he said. That also shows great potential for automation to come in and help alleviate some of the worker crunch.

Adamczyk also spent some time talking about how the real key in the industry is making – and keeping – relationships.

“If we can’t keep a relationship from the beginning of the lifecycle through the end, then we have absolutely failed.”

Friday, June 7, 2013 @ 03:06 PM gHale

The security services market continues to consolidate, as SilverSky acquired the managed security services division of StillSecure.

The Milford, CT-based security firm, formerly known as Perimeter E-Security, built out managed security services in recent years. The firm said the StillSecure division will add new log archiving capabilities and a web application firewall service. SilverSky has about 95 clients in the financial services, retail, healthcare, energy, critical infrastructure and manufacturing sectors with a deal size of more than $25,000, according to Forrester Research. The company said it has 6,000 customers.

In addition to bringing on about 40 people, including eight security engineers, SilverSky will also add Superior, CO-based StillSecure’s two security operation centers located in Denver and Ft. Lauderdale, FL. StillSecure has about 30 clients with a deal size of greater than $25,000, according to Forrester.

SilverSky CTO Andrew Jaquith pledged the company’s full support of current StillSecure customers and channel partners. The two StillSecure locations will increase redundancy for SilverSky’s operations, Jaquith said. Integration of back-end operations should take about six months. Merging the sales and account teams should take about 30 days.

“We’re not looking to do anything radical that would make current StillSecure customers unhappy,” Jaquith said. “We are bringing their security operations and engineering and sales resources. There will be a fair amount of continuity with the staff.”

SilverSky’s business consists of mainly direct sales, while StillSecure sales have been nearly 100 percent through the channel. SilverSky’s managed security services currently provide network monitoring, security information event management and unified threat management systems. The company can support firewall, IDS/IPS and VPN remote user access services as part of a UTM package or on an a la carte basis. SilverSky will continue to offer cloud-based email security and its Secure Cloud Exchange service for Microsoft Exchange.

SilverSky’s announcement is one in a wave of mergers and acquisitions in recent months associated with managed security services.

Deloitte last week acquired Vigilant, Inc., a consulting and managed services provider specializing in security monitoring and threat intelligence. The company will operate under the Vigilant by Deloitte brand. Vigilant’s customer base consists of 1,000 global clients, mainly in the financial sector. Meanwhile Chicago-based security firm Trustwave also dealt for SecureConnect, an Eden Prairie, MN-based security services provider that focused its services on providing PCI compliance and network security for clients in the hospitality industry.

Wednesday, May 22, 2013 @ 07:05 PM gHale

3S created an update for a denial-of-service (DoS) vulnerability in its CODESYS Gateway application, according to a report on ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability could cause a DoS condition and may also allow remote execution of arbitrary code. Nicholas Miles discovered the vulnerability and has tested the update, validating that it resolves the issue.

The Gateway-Server is a third-party component found in multiple control system manufacturers’ products.

CODESYS Gateway, Version suffers from this issue.

This product also sees use in products sold by other vendors. Control systems vendors should review their products, identify those that incorporate the affected software, and take appropriate steps to update their products and notify customers.

If exploited, an attacker could use this vulnerability to remotely cause a DoS with a system crash within the Gateway server application. Remote execution of arbitrary code may also be possible.

According to the 3S-Smart Software Solutions GmbH Web site, CODESYS sees use in virtually all sectors of the automation industry by manufacturers of industrial controllers or intelligent automation devices, by end users in many different industries, or by system integrators who offer automation solutions with CODESYS.

This vulnerability affects products primarily found in the energy, critical manufacturing, and industrial automation industries.

The vulnerability is the result of the process referencing memory it had previously freed (a use-after-free). This condition commonly causes a system crash and may also open the possibility of arbitrary code execution.

CVE-2013-81733 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

No known public exploits specifically target this vulnerability, but an attacker with a low skill would be able to exploit this vulnerability.

3S produced a patch available for download from the 3S CODESYS Download page.

Thursday, May 2, 2013 @ 05:05 PM gHale

This is the classic glass is half full or half empty: The number of serious vulnerabilities per website fell for the third year in a row, but the average website carried 56 holes in 2012, new research showed.

Half full or half empty? Yes, 56 is better than the 79 flaws per website reported in 2011, and it is quite an improvement on the 230 vulnerabilities per site reported in 2010, according to statistics compiled by WhiteHat Security researchers Jeremiah Grossman, Matt Johansen, and Gabriel Gumbs and based upon data gathered from tens of thousands of websites.

If WhiteHat Security’s sample is indicative of the whole Internet, then 86 percent of sites on the Web contain at least one serious vulnerability.

WhiteHat defines serious vulnerabilities as “those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news.”

Sixty-one percent of the vulnerabilities uncovered by WhiteHat researchers eventually ended up resolved, though it took, on average, 193 days – or more than half a year — to move from vulnerability detection to resolution.

On the other hand, 18 percent of the sites they examined spent fewer than 30 days vulnerable. For the mathematically challenged, this means that 82 percent of websites spent somewhere between 31 and 365 days of last year vulnerable to at least one serious flaw. Thirty-three percent of all the websites in the report were vulnerable every day of 2012.

Entertainment and media sites were the best about resolving vulnerabilities in a timely fashion. Government and gaming sites followed closely behind entertainment and media sites. Education, healthcare, and insurance websites were slowest to plug holes. Gaming, telecommunications, and energy sector sites fixed the highest percentage of their vulnerabilities while non-profits, social networks, gaming, and food and beverage companies were the worst about supplying patches for their bugs.

Information technology and energy sector sites stood out in the report as the two industries that actually had more vulnerabilities per site in 2012 than in 2011. IT topped the list with an average of 114 vulnerabilities per site – narrowly beating out retail sites, which contained 110 on average. Despite persistent accusations of inefficiency, government sites contained the fewest vulnerabilities, followed closely by banking sites, with eight and 12 per site respectively. Banks, traditionally the best sector at vulnerability remediation, did a poor job of it this year, fixing only slightly more than half of the bugs they encountered.

Among the sites analyzed by WhiteHat, every manufacturing, education, energy, government, and food and beverage website had at least one serious vulnerability.

The top ten most common vulnerability classes uncovered by WhiteHat in 2012 were information leakage in 55 percent of sites, cross-site scripting in 53 percent, content spoofing in 33 percent, cross-site request forgery in 26 percent, brute force in 26 percent, fingerprinting in 23 percent, insufficient transport layer protection in 22 percent, session fixation in 14 percent, URL redirector abuse in 13 percent, and insufficient authorization in 11 percent. SQL injection vulnerabilities are no longer among the top ten most common types of vulnerabilities.

Wednesday, May 1, 2013 @ 06:05 PM gHale

Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Thomas Nuth
Three years ago, the concept of industrial cyber security became a popular discussion topic within the industrial networking community. Now the discussion has risen to the level of heads of state within the international community. The Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February is just one indication of the importance attached to this issue.

What’s also interesting is the change in focus of this discussion. The key question has changed from an interested “Why do we need to secure our industrial network?” to a frantic “How do we do it?”

U.S. intelligence chiefs have said cyber attacks have replaced terrorism as the primary security threat. And they are taking these threats very seriously. For example, on March 12, U.S. General Keith Alexander testified to Congress regarding an announcement made by the Pentagon Cyber Command. This announcement outlined a plan to create 13 teams, by the fall of 2015, charged with the national defense against large scale cyber attacks that could knock out domestic electric power infrastructures.

Paying the Price
So who are the cyber-attackers targeting?

To answer this question, we can refer to the Mandiant Report, an annual report compiled from hundreds of advanced threat investigations.

According to the Mandiant Report, transportation, energy and manufacturing are in the top ten most targeted industries for cyber attacks. If there was any deliberation about it before, industrial cyber security is now without a doubt an international security topic.

The costs of these cyber attacks are staggering — and difficult to estimate.

For example, the 2012 Cost of Cyber Crime Study from the Ponemon Institute put the cost of cyber attacks within the USA at $8.9 billion in 2012. However, according to the Foreign Policy National Security Newsletter, “more recent estimates have put the cost of theft as high as $338 billion per year.” We think the second number is high, but the fact remains — poor security is getting expensive. And a large portion of this total loss is incurred within the industrial automation and energy sectors.

Over a Year of Access
Built for reliability and stability rather than security, industrial infrastructure networks have long been easy targets for malware attacks. City and regional infrastructures depend on reliable access to energy and sound transportation systems. In a very real sense, all infrastructures are built upon the industrial infrastructure base. The concept of the ‘network of everything’ that futurists and city-planning commissions have spoken about optimistically for years has arrived.

But they forgot one thing: Industrial security.

According to Mandiant, 416 days is the median number of days advanced attackers have access to networks before they are detected. Yes, you read that correctly. 416 days. Imagine the damage that can be done in 416 days.

This much is certain then – there are current cyber threats that are yet undiscovered.

Industrial infrastructures are growing in size and complexity. And it’s all too clear traditional enterprise IT solutions have not been successful at safeguarding them from cyber attack. They do not provide the deep-packet inspection capability that best practice calls for in the field, nor do they place an emphasis on zone-based network segmentation. As well, they tend to focus on preventing loss of confidential information, rather than what really matters in the industrial world – reliability and integrity of the system.

In the process automation sector alone, we typically find six to eight auxiliary networks outside of the central distributed control system (DCS). These auxiliaries can include the Safety Instrumented System (SIS), Sequence of Events (SOE), Analysis Management Data Acquisition Systems (AMDAS), Plant Information Management Systems (PIMS), Vibration Monitoring Systems, Position Location Systems, Alarm Management Systems, Fire and Gas Systems, and Building Automation Systems. As well, most companies now have some form of remote support for each of these systems.

The reach and scope of industrial IT networking has increased mobility, efficiency and operational safety. However, without proper security considerations, these growing networks only increase the vulnerability to cyber threats.

Securing SCADA, ICS
It’s evident there’s no simple solution to securing our critical infrastructure. It’s going to take time and careful planning. A combination of best practices, utilizing technologies designed for industrial security, and focused effort is the only way to mitigate the risk of attacks on industrial systems.

It is important that staff is familiar with industrial security standards. We recommend the ISA/IEC 62443 (formerly ISA99) standard. Major oil and gas and chemical companies such as Exxon, Dow and DuPont are using it and we have repeatedly seen its strategies used successfully in the field.

Particular industries also have their own standards – the North American power industry’s NERC CIP, for example.

At Tofino Security, we have developed, in partnership with exida, our own best practice for ensuring good security. To read the details about this process, download the “7 Steps to ICS and SCADA Security” white paper.

Look for technology solutions designed specifically for the plant floor, rather than for standard IT systems. Seek robust technologies that integrate with industrial network management systems. Deploy firewalls that secure industrial protocols, and practice Defense in Depth with zone-level security.

Last but not least, let’s not forget the importance of teamwork. IT and engineering teams must collaborate to ensure that best practices are in place and that innovative advances to security are developed and deployed.

Regardless of whether your organization is a critical infrastructure provider, or whether your enterprise has one or many industrial networks, securing your networks has never been more important.
Thomas Nuth, BA and MBA, is a product manager at Hirschmann Automation and Control. Click here to read the full version of the Practical SCADA Security blog.

Monday, March 25, 2013 @ 10:03 AM gHale

Filling in the gap left by retiring Baby Boomers is really becoming a problem as the United States isn’t producing enough qualified workers to meet the future needs of the mining and energy sectors, from coal digging and gas drilling to solar and wind power, a new report said.

The report, released by the National Research Council, urges new partnerships to tackle the problem of retiring Boomers. That includes a retooling of higher education to produce more young people competent in science, technology, engineering and math.

The report predicts a “bright present and future” for energy and mining jobs, with continuing demand for workers and good pay for those hired. But it said some industries already face labor shortages and others soon will because the nation’s colleges and universities aren’t cranking out graduates with the skills that growing companies need.

Federal Mine Safety and Health Administration data, for example, show 46 percent of the workforce will be eligible to retire within five years, but there are too few younger workers in the pipeline to replace them.

The oil and gas industry, meanwhile, has a workforce that’s currently concentrated at both the older and younger ends of the spectrum, the report said, “creating a gap in experience and maturity” in between and making it difficult to replace retiring leadership.

The report recommends several wide-ranging solutions, including outreach efforts to improve both the public’s understanding and perception of energy-producing industries such as oil and gas.

Negative perception driven by concern over pollution, environmental damage and health issues, it notes, “dissuades some from pursuing careers.”

It also notes universities are seeing a faculty shortage that could affect oil and gas, mining and geothermal employers.

“Unless this is corrected,” the report said, “the nation risks losing its capacity to provide new science and engineering professionals for the workforce.”

The independent, nonprofit National Research Council is the main operating agency of the National Academy of Sciences. The nearly 400-page document ended up authored by 14 experts from universities, government and the private sector.

It warns the higher education community the traditional routes to degrees “do not adequately align” with industries’ needs and notes “they are increasingly not affordable and accessible” for prospective students.

Community colleges are proving to be the best vehicle for delivering the technician-level, skills-based education the energy and mining industries need, the report said, offering programs ranging from one-year certifications to two-year associate’s degrees.

Schools and employers should form more partnerships like those, the report said, and federal agencies should consider more research funding to schools to help drive technological innovation and develop faculty.

Monday, March 18, 2013 @ 05:03 PM gHale

Almost 66 percent of organizations learn about a breach after hearing about it from an external source, a new report said.

While companies are getting better at identifying targeted attacks on their own, it takes a company, on average, 243 days before discovering an attack, during which the criminals can freely roam their networks, according to the “M-Trends 2013: Attack the Security Gap” study from security firm Mandiant.

The report focuses on advanced persistent threats (APTs), which attackers use to penetrate organizations and steal sensitive information. The 243-day figure, though, is down by 173 days compared to the previous year.

It’s interesting to note the use of outsourced service providers is also problematic for cyber security. Attackers are taking advantage of the relationship between the targeted company and outsourced business processes such as finance, accounting and HR.

To make their attacks more efficient, cybercriminals collect large quantities of data related to system administration guides, processing methodologies and network infrastructure. This allows them to navigate their victims’ networks faster.

While China always stands accused of cyber spying on the U.S., Mandiant did say the top three industries repeatedly targeted by the country are aerospace, energy and pharmaceuticals.

“We’ve seen first-hand that a sophisticated attacker can breach any network given enough time and determination,” said Grady Summers, vice president at Mandiant.

“It’s not enough for companies to ask ‘Are we secure?’ They need to be asking ‘How do we know we’re not compromised today? How would we know? What would we do about it if we were?’”
