Impact of FrostyGoop ICS Malware on Connected OT Systems

A cybersecurity in action warning. In April 2024, FrostyGoop, an ICS malware, was discovered in a publicly available malware scanning repository. FrostyGoop can target devices communicating over Modbus TCP to manipulate control, modify parameters, and send unauthorized command messages. Modbus TCP is a commonly used protocol across all industrial sectors. 

The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine, shared details with Dragos about a cyber attack that impacted a municipal district energy company in Ukraine in January 2024. At the time of the attack, this facility fed over 600 apartment buildings, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures. Dragos assessed that FrostyGoop and internet-exposed ICS devices facilitated this attack. 

Telling manufacturers that their technology systems are vulnerable to attack happens so often as to be almost trite. Yet, new vulnerabilities emerge with the regularity of a heartbeat. This attack perpetrated through Modbus TCP was detected in Ukraine. 

This brief provides a strategic summary of information on this OT threat and attack as reported in Dragos WorldView threat intelligence, with clear guidance for OT asset owners and operators. 

Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary operations and their tactics, techniques, and procedures (TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence reports and is also compiled into the Dragos Platform for threat detection and vulnerability management.

Dragos discovered the FrostyGoop ICS Malware in April 2024. FrostyGoop is the ninth known ICS malware. This malware can interact directly with industrial control systems (ICS) in operational technology (OT) environments using the Modbus protocol, a standard ICS protocol used across all industrial sectors and organizations worldwide.

Additionally, the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), shared details with Dragos about a disruptive cyber attack on a district energy company in Ukraine, which resulted in a two-day loss of heating to customers. The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions – taking almost two days to remediate the issues. Dragos assesses that FrostyGoop was likely used in this attack. An associated FrostyGoop configuration file contained the IP address of an ENCO control device, leading Dragos to assess with moderate confidence that FrostyGoop was used to target ENCO controllers through Modbus TCP port 502 open to the internet.

We want to express our gratitude to the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), for its continued commitment to collaborative intelligence sharing and for allowing us to report on the disruptive OT incident impacting communities in Lviv, Ukraine.

Dragos leaves us with a summary of recommended guidance:

  • Identify impacted assets. Access your Asset Inventory and search for ENCO control servers and devices communicating over Modbus.
  • Look for potential malicious behavior. Review the FrostyGoop-specific dashboard to determine if related detections and IOCs have been triggered.
  • Perform a retrospective search for potential malicious behavior across your SiteStore forensics for signs of past activity involving this malware.
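As an added illustration of the Modbus monitoring this guidance points at (example code written for this post, not Dragos code or anything from the report), the following Python inspects client-to-server Modbus TCP frames on port 502 and flags write function codes arriving from outside an assumed OT subnet or from a host not on a write allow-list; the subnet, host addresses and frames are all constructed.

```python
# Added example (not Dragos or the post's code): flag Modbus TCP writes from unexpected sources; all values constructed.
import ipaddress
import struct

# Function codes that change controller state (Modbus write operations)
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}
OT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed control network
ALLOWED_WRITERS = {"10.10.1.20"}  # assumed engineering workstation

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code of a Modbus TCP ADU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit, "function_code": frame[7], "data": frame[8:]}

def check_frame(src_ip: str, dst_port: int, frame: bytes) -> list:
    if dst_port != 502:  # only Modbus TCP traffic is inspected here
        return []
    try:
        adu = parse_modbus_tcp(frame)
    except ValueError as err:
        return [f"malformed Modbus frame from {src_ip}: {err}"]
    fc = adu["function_code"]
    if fc not in WRITE_FUNCTION_CODES:
        return []  # reads are not flagged by this rule
    what = f"{WRITE_FUNCTION_CODES[fc]} to unit {adu['unit_id']}"
    alerts = []
    if not any(ipaddress.ip_address(src_ip) in net for net in OT_NETWORKS):
        alerts.append(f"{what} from outside the OT network: {src_ip}")
    if src_ip not in ALLOWED_WRITERS:
        alerts.append(f"{what} from a host not allowed to write: {src_ip}")
    return alerts

# Constructed sample traffic: (src_ip, dst_port, raw Modbus TCP frame)
SAMPLE_TRAFFIC = [
    ("10.10.1.5", 502, bytes.fromhex("00020000000601030000000a")),   # HMI reads 10 registers
    ("10.10.1.20", 502, bytes.fromhex("000100000006010600100000")),  # workstation writes a register
    ("203.0.113.7", 502, bytes.fromhex("00030000000b0110001000020400000000")),  # external write
    ("10.10.1.5", 502, bytes.fromhex("000400000009010600100000")),   # MBAP length field is wrong
]

def scan_traffic(traffic) -> dict:
    """Map each source IP to the alerts raised by its frames."""
    findings = {}
    for src, port, frame in traffic:
        for alert in check_frame(src, port, frame):
            findings.setdefault(src, []).append(alert)
    return findings

if __name__ == "__main__":
    for src, alerts in scan_traffic(SAMPLE_TRAFFIC).items():
        print(src, *alerts, sep="\n  ")
```

In a real deployment the frames would come from a network tap or a tool like the Dragos Platform rather than an inline list, and the allow-list would be derived from the asset inventory step above.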

Honeywell Researches Opinions About Industrial Use of AI

Honeywell commissioned Wakefield Research to survey AI leaders around the world. The online research, which was conducted from April 22 through May 2, 2024, involved 1,600 executives in 12 global markets (US, Brazil, Canada, China, France, Germany, India, Japan, Mexico, United Kingdom, Kingdom of Saudi Arabia, and United Arab Emirates). Each respondent works at a company with at least 1,000 employees that is currently using AI to automate processes and tasks. All respondents are influencers or decision makers related to the use of AI within their departments or across their organizations.

This research includes the construction industry.

Here are a few out-takes.

Surveys of people using AI, rather than those just thinking about it, seem to be pushing aside thoughts of AI as evil. People are learning to use the various forms of the technology—as humans always have.

According to AI leaders in the construction industry, the top benefits of implementing industrial AI include:

  • Improved job satisfaction – 51%
  • More time for skills development – 49%
  • Less manual work – 44%
  • More creative thinking – 44%

Forms of artificial intelligence including machine learning have powered software for many years. Here are some updated examples:

AI-enabled buildings can help reduce power consumption, which accounts for approximately 37% of global CO2 emissions, and can work alongside other solutions to reduce overall energy use.

Sometimes it is downright scary what C-Suite occupants think about technology. The survey included these nuggets.

C-Suite Insight: AI leaders agree with AI’s potential as 94% expect their organization to expand the use of AI beyond its initial implementation. Even though a little more than a third (37%) of respondents expressed concern that their C-Suite does not fully understand AI, they and almost all of their peers (94%) said their corporate leadership is all in.

This finding should not surprise any of us who have worked in an organization for longer than a week.

Uneven Readiness: Uncertainty shows up in discussions of capital costs. Nearly half (48%) of respondents report they are constantly having to justify or request sufficient resources to implement AI plans. At the same time, two-thirds (63%) say a quarter or more of their equipment isn’t properly enabled for AI compatibility, yet most (59%) plan to let non-AI compatible equipment run through its lifespan before replacement.

Of course we are still in the early stages. We will be until it is no longer a buzz word—just another tool we use.

Still Early Stages: Just 17% of those surveyed have launched their initial plans for AI, and many are still in the scaling (43%) or prototyping (12%) stages. Why? Potentially, because it’s expensive. Most AI leaders (74%) believe that their organizations will replace non-AI-compatible equipment, but only 41% of them will do so early to maximize the benefits from AI. The other 33% will wait out the lifespan of legacy equipment.

Everyone I talk with is concerned with workers lacking skills. Of course, even though many say that “people are our greatest asset”, pay rates do not seem to reflect that. I wonder what the people who work there actually think.

Upskilling and Reskilling Workers: With a growing skills gap and the retirement wave of the baby boom generation, employers increasingly rely on AI to bridge the gap. Nearly two-thirds (64%) of respondents to our research cited increasing worker efficiency and productivity as AI’s most promising use in their organizations.

At the same time, a quarter of those surveyed agree that people are their company’s greatest asset (25%). So, it makes sense that when looking at implementing AI, benefiting employees was top of mind. AI leaders say the technology will enhance flexibility (16%) as a key benefit for workers, along with improving efficiency and productivity (52%) and streamlining hiring and training (17%).

Major Windows Outage Affects Millions

A major cybersecurity failure. I have not written about the “Blue Screen of Death” or BSOD since the late 90s and the PC-based control movement. Waking up this morning, I found that dreaded phrase had returned to my email reading. By now you’ve seen photos of lines at airports and other inconveniences. Someone in my community posted about difficulties finding a ride home from O’Hare in the early morning hours.

It seems an automatic update from a security company called CrowdStrike crashed Windows PCs. One pessimist I read said this won’t be the last time something like this happens.

My first hint came from this news item in John Ellis News Items (subscription).

Businesses across the world, from airlines to financial services and media groups, have been hit by a global IT outage, causing massive disruption to a wide range of services and operations. Thousands of workers were unable to log on to their computers on Friday morning, disrupting businesses from finance to healthcare, in what is shaping up to be one of the most widespread IT outages ever. Australian businesses were the first to warn of problems, with the operations of retailers including Woolworths and 7-Eleven hit. Sydney airport said “a global technical outage” had affected its operations. In Europe, airlines and airports warned of disruption. The US Federal Aviation Administration said Delta, United and American Airlines had asked to ground flights due to take off. “I don’t think it’s too early to call it: this will be the largest IT outage in history,” said Troy Hunt, a prominent security consultant, in a social media post. “This is basically what we were all worried about with Y2K, except it’s actually happened this time.” (Source: ft.com)

PR people started sending me quotes from a variety of cybersecurity people.

Commenting on this, Adam Pilton, Senior Cybersecurity Consultant at CyberSmart and former Detective Sergeant investigating cybercrime, said:

“At the time of writing IT systems around the world are not operating. This is impacting many businesses and will impact our daily lives.

Currently, we do not know what has happened, there is no suggestion that this is a cyber attack. The belief is that this is a technical issue. Maybe not coincidentally, the cyber security company Crowdstrike are having issues too. Time will tell whether these are directly related.

Crowdstrike has stated that they are aware of reports of crashes on Microsoft’s Windows operating system relating to its Falcon sensor.

There are some suggestions that this is two major incidents running simultaneously. A service-wide Azure outage and CrowdStrike Falcon blue screens.

What we are seeing now though are the businesses which have business continuity and incident response plans in place. These businesses are effectively communicating the issues and ensuring their customers are informed.

Society is dependent upon technology and this is why we must have both technical and non-technical controls in place to protect us when issues arise, whether malicious or not.

Social media is ablaze with users reporting that they are unable to work and one user on Reddit even stated they were commenting purely to be part of history on ‘The day that Crowdstrike took out the internet!’

This is very much the point of why all businesses must plan and prepare. As we are seeing, a huge dependency on individual suppliers can take down supply chains.”

And this one:

“Multiple StickmanCyber security engineering and our 24×7/365 security operations teams across the country support reports that this outage is related to a CrowdStrike update. 

“It is our understanding that any business running versions 7.15 and 7.16 are affected by the outage, but 7.17 seems to be ok. We are waiting on official advisory from CrowdStrike on these findings but doing our best to help affected customers. It’s a lesson to always update your software, but obviously this is an extreme example. IT security tools are all designed to ensure that companies can continue to operate in the worst-case scenario of a data breach, so to be the root cause of a global IT outage is an unmitigated disaster.

“Crowdstrike support is offering a workaround to customers. It claims users may be able to fix the issue by booting Windows in safe mode or in the Windows Recovery Environment and deleting a file named “C-00000291*.sys”.”

FANUC America Unveils New $110 Million Robotics and Automation Campus

FANUC America has expanded its footprint to over 2 million square feet and has created over 400 jobs since 2019

The amount of news emanating from the traditional robotic companies amazes me. I thought this market was mature. Evidently FANUC doesn’t think so. This news concerns additional investment in its Detroit-area facility. I couldn’t make the trip this week to witness the event, although I would have liked to have been there.

FANUC America, the global leader in robotics and automation systems, today officially unveiled its new 650,000 square foot West Campus facility in Auburn Hills, Michigan. The West Campus represents a $110 million investment built on 67 acres of land.

“This major expansion represents our growth strategy in the U.S. and our steadfast commitment to the future of the automation and robotics industry,” said Mike Cicco, President and CEO, FANUC America.

Since 2019, FANUC America has invested over $187 million including a 461,000-square-foot North Campus facility in 2019, and new headquarter facilities in Mexico and Canada in 2023.

FANUC America’s investment will continue with the renovation of a former law school on the site of the company’s West Campus that will soon become the FANUC Academy, an advanced automation customer training center.

The expansion increases the footprint in Michigan to over 2 million square feet and is part of FANUC America’s strategic investment plan to support and advance industrial automation in North America. FANUC America’s industry growth and customer demand has created over 400 jobs in Michigan since 2019. The West Campus provides advanced product manufacturing and customized automation systems and includes warehouse space for over 6,000 quick delivery robots and tens of thousands of parts.

After completion of the new FANUC Academy and other infrastructure projects, FANUC America will have invested over $250 million in North America, fortifying its position as an industry trailblazer.

Emerson Updates DeltaV Distributed Control System

Just when I realized there had been no news for quite a while from the major automation suppliers, this news from Emerson came my way. It concerns expanding the DeltaV Automation Platform with the DeltaV Version 15 Feature Pack 2 update for its distributed control system (DCS). With so few new plants under construction, making upgrades easier becomes an important goal for developers, especially for transitioning from legacy competitive systems.

The release empowers users to transition to a DeltaV DCS from more third-party control systems, expands support for Ethernet device networks, and reduces the complexity of state-based control implementations. 

“DeltaV Version 15 Feature Pack 2 provides users new functionality, capabilities and enhancements to further expand seamless data and I/O integration as well as applications to more easily modernize their operations, improve connectivity and collaboration, and lock in operational excellence,” said Claudio Fayad, vice president of technology for Emerson’s process systems and solutions business.

One of the most common barriers to control system modernization is the high cost and labor requirements of transitioning I/O. DeltaV IO.Connect, which lets users replace legacy control systems with modern DeltaV software and controllers while leaving legacy I/O infrastructure in place, now supports multiple third-party control systems.

Plants can now transition to a modern DeltaV control system from the most common third-party systems right away—immediately reaping the benefits of modern control—and transition their I/O infrastructure gradually, on their own schedule, to minimize downtime and risks.

Ethernet-based, high speed, data rich device networks continue to gain popularity across the automation landscape and will only accelerate as Advanced Physical Layer extends the application range in process and hybrid industries. With this latest release, the DeltaV control system has increased the types of data as well as the diagnostic capabilities of the wide range of supported Ethernet-based communication protocols including PROFINET, EtherNet/IP, OPC UA, and Modbus TCP. These enhancements advance the solid foundation of DeltaV automation to exchange increasing volume and variety of data from the next generation of field device networks.

State-based control is a key enabler as many plants drive toward autonomous and semi-autonomous operations to reduce downtime and minimize safety risk. With DeltaV Version 15 Feature Pack 2, engineering and operations teams now have more options for how state-based control sequences execute when operations dictate a change in logic. This optional behavior enables safe and reliable operations while improving the flexibility and maintainability of state-based logic. To improve operator situational awareness the watch area capability of DeltaV Live has also been enhanced to persist as operators navigate between displays.

Cybersecurity Breaches Identified as Major Cause of Downtime

Cycles of marketing thought intrigue me. Suddenly PR people are flooding my email inbox with offers to interview CTOs of security companies who wish to comment on how cybersecurity breaches are a major cause of downtime. I chose this one to post for now partly because it’s a new company. I’m also intrigued by how the IT guy from Uber thinks he can disrupt industrial automation.

Oh, and yes, this is yet another survey done by a developer company. It’s the new way to generate media coverage when you don’t have a new product to release. And, yes, I’m an enabler.

In brief:

  • Copia Automation Finds $4.2M Per Hour Lost in Manufacturing from Cybersecurity Breaches and Coding Errors
  • Survey of 200 U.S. executives on the emergence of Industrial DevOps reveals half of all downtime is caused by programming mistakes

Another point. Copia is taking the IT idea of DevOps (see previous blog post) into industrial settings much as HighByte did with DataOps.

Copia Automation, empowering companies to gain end-to-end visibility and control of their operational technology, released its first annual State of Industrial DevOps Report today, the first survey of its kind on the application of information technology (IT) DevOps principles and practices to the industrial sector. The report reveals that industrial coding errors cause manufacturing shutdowns lasting 30 hours on average, costing $4.2M per hour and $126M per shutdown. Half of all downtime is caused by industrial code changes, code confusion, lack of visibility into industrial code, and issues with programmable logic controllers (PLCs). 

The survey highlights significant vulnerabilities in operational technology (OT) — the software and hardware that control industrial equipment. A possible cause for these is ad hoc fixes in industrial programming, with 79% of respondents saying they are commonplace. 

“The cost of downtime minimizes or eliminates the margin between profitability and failure for manufacturers,” said Copia Co-founder and CEO Adam Gluck. “With coding errors and cybersecurity breaches shown as significant causes for downtime, manufacturers need to take every technological measure to protect their bottom line and ensure continuous operations with enhanced productivity. Industrial DevOps delivers the technology and the process-change to do this.”
