Posts Tagged ‘energy’

Wednesday, September 16, 2015 @ 02:09 PM gHale

Spear phishing campaigns used in advanced persistent threat (APT) attacks and social engineering are gaining a foothold into enterprise systems these days, which is providing a pivot point for bad guys to jump into the industrial control network.

Just this past July, ICS-CERT learned of a spear-phishing campaign by APT attackers that targeted multiple sectors, including chemical, critical manufacturing, energy, and government facilities.

“These attacks are not new. The IT space is often used as a vector to get into the OT networks,” said George Wrenn, cyber security officer (CSO) and vice president cyber security at Schneider Electric. “One approach from a couple years back used weaponized PDF files planted on a website to exploit older Windows-based control systems. Attackers will use any and all methods, tools and tactics to get access to ICS systems. The rule is, ‘there are no rules.’”

This latest spear phishing attack involved emails with links that redirected to web sites hosting malicious files that exploited a Zero Day vulnerability (since then patched) in Adobe Flash Player, according to a report in the July-August ICS Monitor.

In previous incidents occurring in early 2014, the same bad guys also used various social engineering tactics and social media to perform reconnaissance and target company employees. In one case, attackers used a social media account to pose as a prospective candidate for employment and opened a dialogue with employees of a critical infrastructure asset owner.

The attackers asked probing questions such as the name of the company’s IT manager and versions of the current running software.

Critical Infrastructure a Target
The growing use of social media, spear phishing and Zero Days just shows how strongly attackers want to get into critical infrastructure networks.

“This was mainly an IT-focused attack that, if they are interested in the ICS, they would have to then pivot onto other systems. Obviously the two cases where this has likely happened is Stuxnet and the German Steel Mill attack of last year,” said Graham Speake, vice president and chief product architect at NexDefense, Inc.

“The Steel Mill definitely seems to have been a case of a phishing email into the business network and then working their way through the firewall (assuming there was one) and into the process side,” Speake said. “The level of knowledge needed would tend to lead me to thinking there was some insider information as well as just getting onto the control network and successfully disabling parts of the process to cause the blast furnace to be unable to shutdown was complicated. Undertaking this without insider knowledge or a very good grasp of process control in general, would probably lead to a more random series of events, and any safety system should be able to bring the system to a safe, controlled shutdown. The number of talks … showing how fragile these systems are, will definitely give rise to an increase in the number of attacks in this area.”

“Social attacks, spear-phishing chief among them, really are the scourge of IT departments. Reason being is they (unwittingly) compromise a very fundamentally trusted asset, the user,” said Dan Schaffer, business development manager, Networking & Security at Phoenix Contact. “And it becomes very complicated to try and either a. stop trusting your users or b. start “whitelisting” all the sites, and only the sites, that IT feels users need to visit. And of course there are a ton of false positives where frustrated users say ‘but I need to go to because they have market data there.’”

“However, (phishing) is a very attractive attack vector, with humans representing, frankly, a pretty tasty vulnerability to the bad guys.”
–Dan Schaffer, Phoenix Contact

In terms of phishing attacks focusing on the ICS side, Schaffer feels there is potential for more in the future.

“I’ve heard of a few (less than 10) accounts from folks in critical infrastructure getting phishing emails, but I don’t believe they were truly spear phishing,” he said. “However, it is a very attractive attack vector, with humans representing, frankly, a pretty tasty vulnerability to the bad guys. I’d be surprised if it doesn’t become more of a problem, but remember true spear phishing takes some work by the bad guys. You need to know a bit about your target in order to craft the proper email.”

Not on the ICS
Just looking at the industrial network, Joel Langill, operational security professional, ICS cyber security expert and founder of feels the attacks had to come from a different system within the enterprise.

“So, it may be true that a particular company in a critical infrastructure sector was victimized by this type of attack; however, it is highly unlikely that this attack actually occurred from within the industrial networks and had a negative impact to operations,” Langill said. “Since these companies must comply with regulations like NERC-CIP for reporting of such incidents, they are being safe and reporting all such incidents – not just those that impact ICS networks and associated assets. I do not see how a spear-phishing attack would occur in the ICS today, unless the network and associated perimeter access control are not properly designed.”

You can talk all day about the attacks and the issues, but good common sense in applying security prevention needs to come into play, and security experts offered some solid preventative measures.

“The best thing to do is make your ICS systems and operators ‘hard targets,’ training them to avoid these types of blended attack vectors,” Wrenn said.

Some measures, however, really focus on the human approach.

“Prevention really requires a non-technical approach,” Schaffer said. “Train your users on the signs of an attack, be it phone call or email. Of course keeping anti-malware up to date helps as it will catch the known bad stuff that the hijacked site might try to do, but the ‘known’ list is becoming a smaller and smaller percentage of the bad stuff that is out there.”

For prevention, Langill said just “go back to basics. I recommend the same things all the time:”
• Physically segment “critical” ICS and “non-critical” business networks – this means separate physical infrastructure and not implementation of VLANs
• Utilize stateful access control mechanisms (firewalls, NGFW, etc.) between these networks that restrict access across these perimeters to the greatest extent possible
• Maintain separate authentication domains between critical and non-critical networks to minimize the chance stolen credentials on one zone can end up used to further exploit another zone
• Further segment critical cyber assets (i.e. PLCs, Panel Displays, etc.) that cannot be secured with traditional methods and implement zone-based security on the “conduits” into these zones via technologies like IPS, NGFW, etc.
• Implement basic monitoring and event reporting infrastructure so it is possible to have visibility into sensitive networks when/if they end up breached
• Consider implementing “egress” protection on all nodes (when possible) to minimize the ability of a compromised host to be used to further exploit the network

For Speake, it mainly comes down to awareness:
1. Employee awareness – build security into the plans as well as safety
2. The use of email in a control system network should be discouraged as much as possible. At least the direct vector is then eliminated
3. Similarly web access from the control network should be avoided
4. Firewall with a well-controlled ruleset between the business and control network, limiting the connections to the smallest number possible. A unidirectional diode would be better
5. Segmentation of the control network with VLANs and small industrial firewalls would also increase the need to make an attack more sophisticated
6. Deploying an IDS or network anomaly tool would also help

Preventative measures and a disciplined approach will help slow any type of attack, but as the intensity of attacks continues to rise, so too must the efforts of security professionals across the board.

“My crystal ball says this ‘there are no rules’ approach will only increase in sophistication as ICS systems become hardened,” Wrenn said.

Monday, May 4, 2015 @ 11:05 AM gHale

In a move to fight off climate change, greenhouse gas emissions must be cut by 40 percent by 2030 in California, the governor said after issuing an executive order.

The targeted reduction level ties back to 1990 levels and is “the most aggressive benchmark enacted by any government in North America to reduce dangerous carbon emissions,” said California Governor Jerry Brown.

California operates the nation’s largest carbon cap and trade system. The state sets an overall limit on carbon emissions and allows businesses to hand in tradeable permits to meet their obligations.

Achieving the new target will require reductions from sectors including industry, agriculture, energy and state and local governments, Brown said.

“I’ve set a very high bar, but it’s a bar we must meet,” Brown told a carbon market conference in downtown Los Angeles.

Brown said the new target will position California as a leader in combating climate change in the United States and internationally.

Brown said he has spoken to leaders in Oregon, Washington and Northeastern states about collaborating with California to cut their output of heat-trapping greenhouse gases. Those states could potentially link to California’s carbon market in future years.

He said he has had similar discussions with leaders in the Canadian provinces of Quebec, British Columbia and Ontario, as well as in Germany, China and Mexico.

Quebec already has links to the California market. Leaders in Ontario this month signaled their intention to join the program.

“This will be a local policy but it will be globally focused,” Brown said.

The plan for how California will achieve the 2030 target will end up hammered out over the next year by the California Air Resources Board (ARB), which oversees the cap-and-trade program.

Wednesday, July 23, 2014 @ 12:07 PM gHale

An OPC scanner that could be leveraged to launch cyber attacks against critical infrastructure is in a variant of the Havex malware, researchers said.

FireEye investigators uncovered the scanner while investigating a variant of Havex called “Fertger” or “Peacepipe.”

This variant is the first publicized version of this malware reported to actively scan OPC servers used for controlling SCADA (Supervisory Control and Data Acquisition) devices in critical infrastructure, energy and manufacturing sectors, said FireEye Threat Intelligence Analyst Kyle Wilhoit in a blog.

“If an attacker wanted to attack an OPC server, they would need and want details of the OPC servers they were targeting. Having the OPC scan data gives the attacker enough information to start possible next phases of an attack against a SCADA environment,” he said.

Havex is a family of remote-access Trojans used during several attacks on critical infrastructure. It has been active for at least the last year, and its mission is to pull vast amounts of information from infected machines.

“While Havex itself is a somewhat simple PHP Remote Access Trojan (RAT) that has been analyzed by other sources, none of these have covered the scanning functionality that could impact SCADA devices and other industrial control systems (ICS),” Wilhoit said. “Specifically, this Havex variant targets servers involved in OPC (Object linking and embedding for Process Control) communication, a client/server technology widely used in process control systems (for example, to control water pumps, turbines, tanks, etc.).”

“Since ICS networks typically don’t have a high-level of visibility into the environment, there are several ways to help minimize some of the risks associated with a threat like Havex. First, ICS environments need to have the ability to perform full packet capture ability. This gives incident responders and engineers better visibility should an incident occur.

“Also, having mature incident processes for your ICS environment is important. Being able to have security engineers that also understand ICS environments during an incident is paramount. Finally, having trained professionals consistently perform security checks on ICS environments is helpful. This ensures standard sets of security protocols and best practices are followed within a highly secure environment,” he said.

Havex is just one threat facing critical infrastructure organizations. ICS-CERT urged critical infrastructure companies to check their networks for signs of intrusion following the discovery of a fresh Dragonfly hack campaign earlier in July.


Friday, July 11, 2014 @ 04:07 PM gHale

If this doesn’t convince all that security is necessary, then nothing will: Almost 70 percent of companies surveyed responsible for the world’s power, water and other critical functions have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past year.

Of the 599 security executives at utility, oil and gas, energy and manufacturing companies, 64 percent of respondents anticipated one or more serious attacks in the coming year, according to the report conducted by Unisys and the Ponemon Institute. Despite this risk, only 28 percent ranked security as one of the top five strategic priorities for their organization. Flying in the face of one of the major reasons users should implement security, a majority of those surveyed said their top business priority is minimizing downtime.

“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks.”

Only one in six respondents describe their organization’s IT security program or activities as mature. Respondents who reported suffering a data breach within the past year most often attributed these breaches to an internal accident or mistake, and negligent insiders were the most cited threat to company security. Despite these findings, only six percent of respondents said they provide cybersecurity training for all employees.

“Whether malicious or accidental, threats from the inside are just as real and devastating as those coming from the outside,” said Dave Frymier, chief information security officer at Unisys. “We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems against attacks. Action should be taken before an incident occurs, not just after a breach.”

The survey also highlighted the concerns many of these executives feel regarding the security of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control the processes and operations for power generation and other critical infrastructure functions.

When asked about the likelihood of an attack on their organizations’ ICS or SCADA systems, 78 percent of the senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. Just 21 percent of respondents thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards, which appears to mean tighter controls and better adoption of standards, along with vigilance, are ingredients to the recipe for success.


Wednesday, April 2, 2014 @ 03:04 PM gHale

Starnes E. Walker will head up the new University of Delaware Cybersecurity Initiative (UDCSI), with a special emphasis on issues facing corporate America.

Walker, a physicist with 35 years of leadership experience in research, development and engineering to enhance national security, became the founding director effective April 1.

Walker has held senior management positions in the U.S. Departments of Defense, Energy and Homeland Security, as well as industry. He has developed critical programs and aligned strategic systems across the U.S. and around the globe, forging key partnerships with the United Kingdom, Australia, Singapore, Israel, Sweden, the European Union and NATO.

A key focus of Walker’s appointment at UDCSI will be corporate cyber security. According to a 2012 survey of more than 9,600 global business executives by PricewaterhouseCoopers (PwC), CIO and CSO, more than 41 percent of U.S. respondents experienced one or more security incidents during the past year, ranging from financial losses to intellectual property theft.

“With Dr. Walker’s appointment as founding director of our Cybersecurity Initiative, the University of Delaware gains exceptional expertise in an area of urgent concern,” said University Provost Domenico Grasso. “Under Dr. Walker’s leadership, UD will develop new partnerships to advance cyber security education and research and create prominent academic programs at the undergraduate and graduate levels, as well as certificate programs for corporate and government professionals.”

“I am honored to join the University of Delaware and to have this opportunity to help prepare the next generation of leaders who will protect the U.S. against cyber attacks,” Walker said. “UD’s new Cybersecurity Initiative is going to be an all-around ‘win’—for the University, for the State of Delaware, for the nation and for all of the businesses incorporated here and beyond, from the financial sector to the energy sector, and absolutely, for the public.”

The United States has a serious cyber workforce shortage, with only 1,000 skilled specialists in the field when the nation needs as many as 30,000, according to James Gosler, founding director of the CIA’s Clandestine Information Technology Office.

Monday, March 10, 2014 @ 06:03 PM gHale

There is another cyber espionage campaign detected targeting industries including energy, finance, security and defense, and healthcare, researchers said.

Dubbed “Siesta” on account of the periods of dormancy the delivered malware is instructed to enter at regular intervals, the campaign starts with malicious emails delivered to the target company’s executives.

The “From” email address looks like the email came from another company employee, and the message contains a malicious link the victim should follow.

“The attacker serves the archive under a URL path named after the target organization’s name (http://{malicious domain}/{organization name}/{legitimate archive name}.zip),” the researchers said, and the downloaded file contains an executable masquerading as a PDF document.

“When executed, it drops and opens a valid PDF file, which was most probably taken from the target organization’s website. Along with this valid PDF file, another malicious component is also dropped and executed in the background,” they said.

This malicious component is a backdoor Trojan that connects to (short-lived) C&C servers at previously defined intervals and downloads additional malicious files from a specified URL.

Different malware variants are used in the various campaigns, but they act the same. Another thing that points to them all being started by the same attacker(s) is that the different C&C servers and domains have all been registered by the same registrant (different names, but the same email address: xiaomao{BLOCKED}).

“This individual also recently registered 79 additional domains. There are a total of roughly 17,000 domains registered with this same email address,” the researchers discovered, and this obviously points to a concerted effort.

The researchers didn’t say which organizations (and in which countries) ended up hit, and have refrained from sharing full filename and hashes of the malicious files delivered as the investigation is still ongoing.

Monday, July 8, 2013 @ 03:07 PM gHale

Alstom created a mitigation for an improper authorization vulnerability affecting the Alstom Grid MiCOM S1 Agile and S1 Studio Software, according to a report on ICS-CERT.

Keep in mind Alstom Grid MiCOM S1 Studio Software is its own software suite. A user could have MiCOM S1 Studio Software from a different vendor. This mitigation only addresses the Alstom software product. Alstom tested the update to validate that it resolves the vulnerability.

The following Alstom Grid products suffer from the issue: MiCOM S1 Agile Software, all versions up to and including v1.0.2, and legacy MiCOM S1 Studio Software, all versions.

Successful exploitation of this vulnerability may allow an attacker with read/modify user permissions for the MiCOM S1 file system to affect the availability of the application. Unauthorized attackers can then access the MiCOM S1 executable files. This vulnerability can affect products deployed in the energy, dams, healthcare and public health, water, chemical, and commercial facilities.

Alstom Grid is a global company that maintains offices in the U.S., UK, Canada, Italy, India, Brazil, France, Russia, Saudi Arabia, United Arab Emirates and Singapore.

The affected products, Alstom Grid MiCOM S1 Agile and Studio Software, allow users to configure Alstom Grid’s range of protective relays. According to Alstom, MiCOM S1 Software deploys mainly across the energy sector.

The MiCOM S1 Software does not limit user access to its installed executables to only authenticated administrative users. A malicious user with any level of access to the local system could replace executables within the MiCOM S1 Program Files directory with malicious files. When the MiCOM S1 application runs, the malicious executable could run instead. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality with the local system and a disruption in communications with other connected devices.

In addition, a Windows Service running under LocalSystem is within this directory as well. Replacing the associated executable, in this case, would allow lower privileged users to escalate their privileges to an administrator level on the system.
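The condition the advisory describes, a service binary (or its directory) that non-administrative users can modify, is something a defender can audit on any Windows host. The following PowerShell script is an added example written for this article, not code from Alstom or ICS-CERT; it assumes an elevated session on the host being audited and treats only the well-known low-privilege groups listed in $lowPrivPrincipals as findings.

```powershell
# Added audit script (not Alstom's or ICS-CERT's code). For every installed Windows
# service it resolves the executable from the service's PathName and reports any
# binary, or containing directory, that a low-privileged principal can write to,
# together with the account the service runs as, so LocalSystem cases stand out.
# Assumes an elevated PowerShell session on the host being audited.

# Rights that let a principal replace or alter an executable, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

# Broad, low-privilege principals whose write access on a service binary is a finding.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # Quoted form: "C:\Program Files\Vendor\svc.exe" -args
    if ($PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    # Unquoted form, possibly with spaces in the path and trailing arguments.
    elseif ($PathName -match '^\s*(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
    else { $exe = ($PathName -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-LowPrivWrite {
    # Returns the first low-privilege principal holding write-class rights on $Path.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
}

function Get-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutablePath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $dir = Split-Path -Parent $exe
        $fileWriter = Test-LowPrivWrite $exe
        $dirWriter  = Test-LowPrivWrite $dir
        if ($fileWriter -or $dirWriter) {
            [pscustomobject]@{
                Service        = $svc.Name
                RunsAs         = $svc.StartName
                Executable     = $exe
                FileWritableBy = $fileWriter
                DirWritableBy  = $dirWriter
            }
        }
    }
}

# Services running as LocalSystem are listed first; an empty table means no finding.
Get-WritableServiceBinary |
    Sort-Object -Property @{ Expression = { $_.RunsAs -eq 'LocalSystem' }; Descending = $true } |
    Format-Table -AutoSize
```

The fix for any row reported is the same one Alstom shipped in v1.0.3: restrict write access on the installation directory and its executables to administrators.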

CVE-2013-2786 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.0.

This vulnerability is not exploitable remotely and cannot be exploited without access to the local system by an authorized user. To date, no known public exploits specifically target this vulnerability. An attacker with a high skill level would be able to exploit this vulnerability.

Alstom released MiCOM S1 Agile version v1.0.3 that mitigates the vulnerability by controlling which users can access MiCOM S1 Agile files and services.

A user can get the update by emailing Alstom at the Alstom Grid Contact Centre.

Tuesday, June 18, 2013 @ 04:06 PM gHale

By Gregory Hale
The industry is losing around $400 billion a year in cyber attacks.

“Cyber attacks are an area where users are under invested,” said Darius Adamczyk, president and chief executive at Honeywell Process Solutions, during Monday’s keynote at the Honeywell Users Group (HUG) in Phoenix, AZ. “This is something I worry about every day. There needs to be more awareness. There is $400 billion lost a year due to cyber attacks.”

The idea security is top of mind for Adamczyk truly underscores the dire need for the industry to come to grips with the idea that manufacturing automation users are, for the most part, not prepared when it comes to the potential of facing and fending off a cyber attack.

“I just hope it doesn’t take a crisis for us to start spending (on security solutions),” Adamczyk said.

Safety was also a key element to Adamczyk’s keynote as he said Honeywell was well below the average of safety incidents in the United States, but he feared the U.S. average was going to rise in the wake of safety incidents like the explosion at the fertilizer plant in West, Texas.

“For us process safety is a given,” Adamczyk said. “Our approach to safety is broader though: Integrated safety. All integrated in one seamless package.”

“Safety has plateaued,” he said. “My guess is it will be getting worse than better,” in the wake of the recent safety incidents. “Safety has to be job one.”

While safety and security were important elements to Adamczyk’s talk, he also mentioned other key trends HPS is focusing on like energy, improving relationships with end users, and reiterating Honeywell is more of a full service integrator compared to a hardware provider.

When it comes to producing more energy, Adamczyk said the U.S. is still an importer, but that trend is changing.

“From the 1980s until 2010, there has been a decline in production, but that has changed,” he said. “We are still a net importer of energy, but by 2020 we will be about even and by 2040 we will be an exporter by 12 percent.”

Another area the industry is keeping a keen eye on is the aging workforce and the potential for Baby Boomers getting ready to retire and take all the knowledge out the door with them. “By 2020 workers aged 55 and older will be almost 25 percent of the workforce,” he said. That also shows great potential for automation to come in and help alleviate some of the worker crunch.

Adamczyk also spent some time talking about how the real key in the industry is making – and keeping – relationships.

“If we can’t keep a relationship from the beginning of the lifecycle through the end, then we have absolutely failed.”