A Different Take on Industrial Cybersecurity

Not too long ago, I received an email from noted cybersecurity guru Eric Byres telling me he was back in the industry after a brief hiatus, as an advisor to Verve Industrial. The company didn’t register with me, and I went on to other things.

This week I received a message from an old PR contact who had just picked up a new client: you guessed it, Verve Industrial. I agreed to an introductory call to find out more. I didn’t expect to be talking to anyone I knew, so the name didn’t register with me. Should have. I found myself talking with Rick Kaun this week. Now VP Solutions with Verve Industrial, he turned out to be someone I knew from previous stints at Matrikon and Honeywell.

The company began life as a SCADA and PLC integrator. Over time the owner kept running into security problems at customer sites and built a cybersecurity practice around them. Looking for a way to grow, he took in funding and brought on a new CEO (former McKinsey, but evidently not a bad guy; I have to note that, having once worked for a couple of ex-McKinsey guys), a new CTO, and a new VP Solutions.

The company takes a different strategy for its offering than others in the space. Kaun notes that the original approach to OT security was to whitelist devices on the network. To improve on that, many companies moved to passive detection solutions.

Verve instead has an agent-based platform that allows remote changes to the PLC or SCADA system only with a trusted person at the console in the plant. It works within existing OT network topologies yet can talk the security talk with CISO types.

The pitch is not only intrusion prevention: the company claims clients who use the system are currently getting a 10x improvement in production.

I’m not a security expert. It’s just that cybersecurity is a crucial element of good IIoT design. So, here are some bullets to whet your appetite if you are looking for an interesting alternative to your current solution.

Verve Security Center

Benefits:

  • Faster & Lower Cost Deployment
  • Faster Time to Remediation
  • More Efficient Analysis, Reporting, and Audit with Integrated UI
  • Improved Approach to OT Business Risk Management
  • Lower Cost Security Management
  • NO Risk to OT Operations
  • Ability to Leverage Prior Tool Investment

Features:

  • Deeper & more comprehensive asset inventory
  • Faster time to remediation with closed loop vulnerability management
  • Better risk rating with view of vulnerabilities, process criticality plus all user accounts, risky software, network connections in a single risk score
  • Lower security management costs with scaled analysis and playbook development with local OT control over remediation – in same platform
  • Better detection with open-platform data ingestion from multiple OT and IT tool sets

Current solutions do not enable limited OT resources the rapid visibility and response to vulnerabilities and threats they need:

  • Traditional IT tools cannot protect IoT/OT embedded devices with proprietary firmware
  • IT vulnerability scanning tools can damage sensitive IoT/OT systems
  • Tools are siloed by function, increasing the necessary labor and specialized skills
  • Most OT-specific tools are passive detection only and offer limited remediation capabilities
  • Available solutions are expensive to deploy and manage

A fundamentally different approach to IT/OT security management:

  • Deploy across all IT/OT/IoT systems in minutes with no expensive hardware requirements
  • “Closed-loop” solution from assessment to remediation
  • Faster time to discovery and remediation
  • OT-safe agent/agentless solution for real-time vulnerability assessment and endpoint management
  • Lower total cost of ownership
  • No silos: integrate NIST CSF and other compliance requirements in a single platform

Cybersecurity Provides Yet Another Overlap for IT and OT or IIoT

It was a typical request to set up an interview for a client, “For years, information technology (IT) and operational technology (OT) have operated as separate entities, but now we are beginning to see a shift within organizations.”

Actually, I have no interest in another “IT/OT Convergence” story. I think that leading organizations have already structured things to bring the groups together. Even the average firms have seen the light. As usual, there’s no hope for the laggards.

The reply bounced back to me. It seems the take is less the now trite IT/OT Convergence theme and more about how the groups are coming together because of the cybersecurity breach risks inherent in wide-open IoT networks and devices.

Phil Neray, VP of IoT and Industrial Cybersecurity at CyberX, told me that board-level concern about the risk of cybersecurity breaches in manufacturing operations has led to directives to the CISO to lead risk assessment and mitigation at the plant level as well as the enterprise level. This leads directly to working with plant operations people.

More data is flowing around manufacturing, and many of the devices coming online cannot run security agents, which increases the attack surface. This has raised awareness of the increased risk, including at the board level. Not to mention that there have been some significant cyber attacks, including the Norsk Hydro ransomware attack that cost perhaps up to $41 million. Merck was hit with a ransomware attack. And then there was the Triton attack on safety controllers.

These incidents have alerted boards to huge risk potential leading to directing the CISO to avert such future attacks.

As for specifics from CyberX, Neray says it holds the only patent on behavioral anomaly detection in this space, which he says allows its system to detect faster and more accurately than its peers in industrial security.

CyberX continuously monitors the network looking for anything suspicious or unauthorized. But plant people are often suspicious of IT solutions, believing IT does not understand the critical nature of not shutting down processes for a reboot. This is where leadership must step up. Neray notes this must be both top-down and bottom-up. The board and top management must say, “We want you to prioritize security.” The security team must also spend time in the plant explaining the what and why of the system. Trust is only built through face time.

Sometimes a detection points to an equipment issue rather than malware. One example was a plant with new PLCs shutting down intermittently. They called IT: “Did you do something to the network to cause this?” IT looked at the CyberX console and ran the alert reports. They noticed that when the PLCs were installed the network had not been configured correctly, causing the devices to be pinged too often. Fix that and the problem was solved. The cybersecurity system can even become a plant controls troubleshooting aid.

Neray pointed to a report published in late 2019 called the Global 2020 IoT/ICS Risk Report. This was an analysis of real-world vulnerabilities gathered from traffic captured on real production networks. The study pointed out these problems:

BROKEN WINDOWS: OUTDATED OPERATING SYSTEMS

62% of sites have outdated and unsupported Microsoft Windows boxes such as Windows XP and Windows 2000. Unsupported Windows boxes no longer receive regular security patches from Microsoft. The figure jumps to 71% if we include Windows 7, which reaches end-of-support status in January 2020.

HIDING IN PLAIN SIGHT: UNENCRYPTED PASSWORDS

64% of sites have unencrypted (cleartext) passwords traversing their networks. Cleartext is dangerous because it makes gaining access to restricted systems easy: the passwords are transmitted “in the clear” and can be sniffed by anyone with a tap on the segment. Legacy devices that don’t support modern protocols such as SNMPv3 or SFTP are usually the culprits for leaving passwords in cleartext.

EXCESSIVE ACCESS: REMOTELY ACCESSIBLE DEVICES

54% of sites have devices that can be remotely accessed using standard protocols such as RDP, SSH, and VNC. Remote access protocols are one of the primary attack vectors for ransomware, because they enable attackers to move laterally and expand their presence throughout networks.

CLEAR AND PRESENT DANGER: INDICATORS OF THREATS

22% of sites exhibited indicators of threats. CyberX’s network traffic analysis flags suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, an excessive number of connections between devices, known malware such as LockerGoga, and exploitation traffic such as EternalBlue (the SMBv1 exploit used by WannaCry).

NOT MINDING THE GAP: DIRECT INTERNET CONNECTIONS

27% of sites analyzed have direct connections to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.

STALE SIGNATURES: NO AUTOMATIC AV UPDATES

66% of sites are not automatically updating their Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware, and the lack of current antivirus protection is one reason why CyberX still finds older malware such as WannaCry and Conficker in IoT/ICS networks.

Continual Market Development Pays Off For Process Control Supplier


I have known Eddie Habibi, founder and CEO of PAS (now PAS Global) for about 20 years. So I’ve followed the development of his company for that long. There was alarm management, and process safety, and process asset management. And the company grew at a typical pace for the market.

Then he went all-in on process control system cybersecurity. He accepted some investment money, hired some pros in the field, and combined security with what the company was already known for.

The results are in the latest press release from PAS Global LLC where it announced a 45% increase in term revenue year-over-year and increased market recognition of its solutions.

In March 2019, the company introduced an expanded Cyber Integrity offering with risk analytics for continuous operational technology (OT) endpoint security. Following this milestone, the company marked record growth in the adoption of this solution across multiple geographies and verticals including the United States, Europe, and the Middle East with leading organizations in the chemicals and oil & gas industries, in particular.

A Fortune 50 independent petroleum refiner was challenged with increasing cybersecurity risks as they deployed connected technology to achieve faster and more efficient production operations. PAS Cyber Integrity was deployed as the foundation for the refiner’s OT cybersecurity program to create an automated, comprehensive, evergreen OT asset inventory and to more quickly identify and remediate security vulnerabilities. What used to take the company months to assess “critical” or “high” ICS-CERT vulnerabilities can now be done in minutes across all refineries.

A global, integrated oil & gas company operating across five continents is pursuing digital transformation to grow its business, enter new markets, and compete more effectively. Underpinning this initiative is a cloud-based analytics platform. The team chartered with this program sought to leverage their multi-vendor industrial control system (ICS) data and ensure reliable data flows from field-level devices to their data lake. They sought a platform-independent solution that could not only deliver this data, but also provide a topological view of assets and site connections, monitor configuration baselines, and manage change. Additionally, the company’s cybersecurity team sought a solution that could provide comprehensive OT asset inventory and rapid vulnerability assessment capabilities. PAS Automation Integrity and Cyber Integrity were selected to address these needs.

A major electronic materials firm with operations in North America and Asia sought to establish an enterprise-wide cybersecurity program on an aggressive schedule to eliminate gaps in visibility and security controls. Cyber Integrity was selected to automatically build a detailed OT asset inventory for each site, identify patch levels across systems, and implement change management workflows. The company now has the inventory and configuration visibility it needs to support digitalization efforts including data lake, 5G, and artificial intelligence initiatives.

“Industrial organizations are increasing investment in cybersecurity solutions specifically built for OT not only to reduce their overall cyber risk but to ensure they can accelerate their digital transformation efforts safely,” said Eddie Habibi, Founder and CEO of PAS. “We are pleased to be working with a growing list of global companies who are leveraging PAS Cyber Integrity to give them the foundation they need for managing industrial cyber risk.”

The company also saw significant year-over-year growth in purchases of its operations management and process safety solution, PlantState Suite.

“Of equal importance is the work we do to help companies improve process safety through effective operations management,” Habibi added. “We are pleased to have been recognized once again as the market leader for both alarm management and safety lifecycle management. This is a testament to the hard work of the PAS team over many years and the confidence our customers place in our solutions.”

PAS cybersecurity and process safety management solutions are installed in more than 70 countries in over 1,450 industrial facilities for over 535 customers, including 13 of the top 15 chemical companies, 13 of the top 15 refining companies, 7 of the top 20 power generation companies, 4 of the top 5 pulp and paper companies, and 3 of the top 5 mining companies in the world.

Gangnam Industrial Style: APT Campaign Targets Korean Industrial Companies


I received a notice from CyberX about a phishing campaign targeting industrial and industrial control companies. It just goes to show that we all need to be continually vigilant and disciplined about attachments and links.

From the CyberX blog:

Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial cyberespionage campaign targeting hundreds of manufacturing and other industrial firms primarily located in South Korea.

The campaign steals passwords and documents which could be used in a number of ways, including stealing trade secrets and intellectual property, performing cyber reconnaissance for future attacks, and compromising industrial control networks for ransomware attacks.

For example, the attackers could be stealing proprietary information about industrial equipment designs so they can sell it to competitors and nation-states seeking to advance their competitive posture.

Also, credentials can provide attackers with remote RDP access to IoT/ICS networks, while plant schematics help adversaries understand plant layouts in order to facilitate attacks. Design information can also be used by cyberattackers to identify vulnerabilities in industrial control systems.

The campaign uses spear phishing emails with industrial-themed attachments.


Project Alvarium from Linux Foundation for Trusted Data

The IoT group that I’ve been working with for the past few years has been absorbed into the OEM group, which is carrying on with an expanded function. This blog post from Steve Todd, Dell Technologies Fellow, details the development of data confidence work that has been contributed to the open source Linux Foundation to seed Project Alvarium.

Following is a quick summary. Go to the blog for additional information about trusted data work.

A team of Dell Technologies specialists finished building the first-ever Data Confidence Fabric (DCF for short). The prototype code will be contributed to the Linux Foundation to seed Project Alvarium.

For several years, the CTO of the Dell Technologies Edge and IoT business unit has been touting a vision of data monetization. However, it’s hard to monetize untrusted Edge and IoT data. As he likes to say, “It’s midnight. Do you know where your data has been?” 

Enterprise storage systems have delivered trusted data to applications for a long time. We started our initial investigation wondering if these same trust principles could be applied to Edge and IoT ecosystems. Recent developments in data valuation, distributed ledgers, and data marketplaces facilitated everything coming together.

Five Levels of Trust

We started with the EdgeX Foundry chair of the Core Working Group, Trevor Conn. Trevor wrote the first-ever Data Confidence Fabric software in Go, the same programming language EdgeX is written in. His Data Confidence Fabric software registered with EdgeX as a client and began processing simulated device data. The initial confidence score for this data was “0” (no trust had been inserted).

Dell Technologies then hired three computer science interns from Texas A&M to deploy EdgeX and the Data Confidence Fabric software on a Dell Gateway 3000 with a Trusted Platform Module (TPM) chip.

EdgeX was then adjusted to support N-S-E-W authentication by using VMware’s open-source Lightwave technology.

Dell Boomi software was invoked by the Data Confidence Fabric software to gather provenance, and this metadata was appended to the sensor reading.

The Data Confidence Fabric software then stored the data locally using IPFS (an immutable, open-source storage system). This fourth level of trust insertion gives an application confidence that the data/provenance has not been tampered with. It also has the additional benefit of enabling analytics to access data closer to the source.

The Data Confidence Fabric software then registered the data into VMware’s blockchain (based on the open-source Project Concord consensus algorithm).
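To make the five levels concrete, here is a toy Data Confidence Fabric in Python. It is an added example and not Dell’s or Project Alvarium’s code (the real prototype is in Go). Every level is modelled with a stand-in, and all of them are assumptions: an HMAC under a gateway-held key in place of the TPM-backed device signature, a boolean in place of Lightwave N-S-E-W authentication, a dict in place of Boomi provenance metadata, a SHA-256 content address in place of IPFS, and a hash-chained list in place of the VMware blockchain. The score is simply the number of levels that verify; a production fabric would weight them.

```python
"""Toy Data Confidence Fabric: insert trust at five levels, then score a record.

Added example, not Dell's or Project Alvarium's code. Every level is a stand-in
(assumption): HMAC for the TPM signature, a boolean for authentication, a dict
for provenance, SHA-256 for IPFS content addressing, a hash chain for blockchain.
"""
import copy
import hashlib
import hmac
import json

GATEWAY_KEY = b"constructed-gateway-3000-key"  # constructed; a TPM would keep this key off the host


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes and MACs do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Append-only, hash-chained registry of content addresses (blockchain stand-in)."""

    def __init__(self):
        self.blocks = []

    def register(self, cid: str) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"prev": prev, "cid": cid, "hash": sha256_hex((prev + cid).encode())}
        self.blocks.append(block)
        return block["hash"]

    def contains(self, cid: str) -> bool:
        return any(b["cid"] == cid for b in self.blocks)

    def is_consistent(self) -> bool:
        """Recompute the chain; any edited block breaks every later link."""
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != sha256_hex((prev + b["cid"]).encode()):
                return False
            prev = b["hash"]
        return True


def annotate(reading: dict, key: bytes, caller_authenticated: bool, ledger: Ledger) -> dict:
    """Wrap a raw EdgeX-style reading in a DCF record, one trust insertion per level."""
    ann = {
        # Level 1: gateway signature over the raw reading (TPM stand-in).
        "device_sig": hmac.new(key, canonical(reading), "sha256").hexdigest(),
        # Level 2: was the producing client authenticated to the fabric?
        "authenticated": caller_authenticated,
        # Level 3: provenance metadata attached by the integration layer (constructed values).
        "provenance": {"gateway": "gw-3000-01", "source": "edgex-core-data"},
    }
    record = {"data": reading, "annotations": ann}
    # Level 4: content address over data plus annotations (IPFS stand-in).
    record["cid"] = sha256_hex(canonical({"data": reading, "annotations": ann}))
    # Level 5: register the content address in the ledger.
    record["ledger_hash"] = ledger.register(record["cid"])
    return record


def confidence(record: dict, key: bytes, ledger: Ledger) -> int:
    """Re-verify every level the consumer can check; the score is how many hold (0 to 5)."""
    data = record.get("data", record)  # a raw reading has no wrapper at all
    ann = record.get("annotations", {})
    expected_sig = hmac.new(key, canonical(data), "sha256").hexdigest()
    sig_ok = hmac.compare_digest(expected_sig, ann.get("device_sig", ""))
    cid_ok = record.get("cid") == sha256_hex(canonical({"data": data, "annotations": ann}))
    return (
        int(sig_ok)
        + int(bool(ann.get("authenticated")))
        + int(bool(ann.get("provenance")))
        + int(cid_ok)
        + int(cid_ok and ledger.is_consistent() and ledger.contains(record["cid"]))
    )


def demo() -> tuple:
    """Scores for a raw reading, a fully annotated one, and one tampered after annotation."""
    ledger = Ledger()
    raw = {"device": "temp-sensor-7", "value": 21.5, "ts": 1577836800}  # constructed reading
    full = annotate(copy.deepcopy(raw), GATEWAY_KEY, True, ledger)
    tampered = copy.deepcopy(full)
    tampered["data"]["value"] = 99.0  # edit the reading after it was annotated and registered
    return (
        confidence(raw, GATEWAY_KEY, ledger),
        confidence(full, GATEWAY_KEY, ledger),
        confidence(tampered, GATEWAY_KEY, ledger),
    )


if __name__ == "__main__":
    print(demo())  # (0, 5, 2): signature, content address and ledger lookup all fail after tampering
```

The point of the tampered case is the one the post makes about level four: once the content address covers both data and provenance, changing either after the fact invalidates the address, and with it the ledger entry, so the consumer’s score drops without anyone having to trust the gateway’s word for it. The two levels that still count after tampering (authentication and provenance) are plain fields in this toy; a real fabric would sign those annotations too.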


IoT and Control Systems Soft Targets for Cyber Hackers

Internet of Things installations along with industrial control systems constitute well-known cybersecurity weak points within industrial plants and operations. CyberX, the IoT and industrial control system (ICS) security company, announced the availability of its “2020 Global IoT/ICS Risk Report,” designed to sharpen awareness and knowledge of this critical area.

The data illustrates that IoT/ICS networks and unmanaged devices are soft targets for adversaries, increasing the risk of costly downtime, catastrophic safety and environmental incidents, and theft of sensitive intellectual property.

Some of the top findings noted that these networks have outdated operating systems (71 percent of sites), use unencrypted passwords (64 percent) and lack automatic antivirus updates (66 percent).

Energy utilities and oil and gas firms, which are generally subject to stricter regulations, fared better than other sectors such as manufacturing, chemicals, pharmaceuticals, mining, transportation and building management systems (CCTV, HVAC, etc.).

Now in its third year, CyberX’s “Global IoT/ICS Risk Report” is based on analyzing real-world traffic from more than 1,800 production IoT/ICS networks across a range of sectors worldwide, making it a more accurate snapshot of the current state of IoT/ICS security than survey-based studies.

Including the data presented in previous reports, CyberX has now analyzed over 3,000 IoT/ICS networks worldwide using its patented M2M-aware behavioral analytics and non-invasive agentless monitoring technology.

Recommendations Focus on Prioritization and Compensating Controls

The report concludes with a practical seven-step process for mitigating IoT/ICS cyber risk based on recommendations developed by NIST and Idaho National Laboratory (INL), a global authority on critical infrastructure and ICS security.

Experts agree that organizations can’t fully prevent determined attackers from compromising their networks. As a result, they recommend prioritizing vulnerability remediation for “crown jewel” assets — critical assets whose compromise would cause a major revenue or safety impact — while implementing compensating controls such as continuous monitoring and behavioral anomaly detection (BAD) to quickly spot intruders before they can cause real damage to operations.

“Our goal is to bring board-level awareness of the risk posed by easily-exploited vulnerabilities in IoT/ICS networks and unmanaged devices — along with practical recommendations about how to reduce it,” said Omer Schneider, CyberX CEO and co-founder.

“Today’s adversaries — ranging from nation-states to cybercriminals and hacktivists — are highly motivated and capable of compromising our most critical operational systems,” said Nir Giller, CyberX GM, CTO and co-founder. “It’s now incumbent on boards and management teams to recognize the risk and ensure appropriate security and governance processes are in place across all their facilities to address it.”

Summary of Key Findings

  • Broken Windows: Outdated Operating Systems. 62 percent of sites have unsupported Microsoft Windows boxes such as Windows XP and Windows 2000 that no longer receive regular security patches from Microsoft, making them especially vulnerable to ransomware and destructive malware. The figure rises to 71 percent with Windows 7 included, which reaches end-of-support status in January 2020.
  • Hiding in Plain Sight: Unencrypted Passwords. 64 percent of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise additional systems simply by sniffing the network traffic.
  • Excessive Access: Remotely Accessible Devices. 54 percent of sites have devices that can be remotely accessed using standard management protocols such as RDP, SSH and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets. For example, during the TRITON attack on the safety systems in a petrochemical facility, the adversary leveraged RDP to pivot from the IT network to the OT network in order to deploy its targeted zero-day malware.
  • Clear and Present Danger: Indicators of Threats. 22 percent of sites exhibited indicators of threats, including suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, an excessive number of connections between devices, malware such as LockerGoga, and exploitation traffic such as EternalBlue.
  • Not Minding the Gap: Direct Internet Connections. 27 percent of sites analyzed have a direct connection to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.
  • Stale Signatures: No Automatic Antivirus Updates: 66 percent of sites are not automatically updating Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware — and the lack of antivirus is one reason why CyberX routinely finds older malware such as WannaCry and Conficker in IoT/ICS networks.
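The six finding categories above (here and in the earlier summary of the same report) are all things a defender can compute from passive telemetry plus a Windows inventory. The following Python is an added example of how such site-level checks and the report-style “percent of sites” numbers can be derived; it is not CyberX’s code. The flow records and host inventory are constructed sample data, and the protocol labels, the unsupported-OS list and the seven-day antivirus staleness threshold are assumptions chosen for the illustration.

```python
"""Site-level IoT/ICS risk checks modelled on the report's finding categories.

Added example, not CyberX's code. Flows and hosts are constructed sample data;
the protocol labels, OS list and AV threshold are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Flow:
    site: str
    src: str
    dst: str
    app: str  # application protocol as labelled by a passive sensor (assumed field)


@dataclass(frozen=True)
class WindowsHost:
    site: str
    host: str
    os: str
    av_definitions: date  # date of the last antivirus definition update (assumed field)


# Protocols that carry credentials in cleartext. SNMPv3 is deliberately absent: it shares
# UDP/161 with v1/v2c, which is why a port-only check would over-count this finding.
CLEARTEXT_CREDENTIAL_APPS = {"telnet", "ftp", "http-basic-auth", "snmpv1", "snmpv2c"}
REMOTE_ACCESS_APPS = {"rdp", "ssh", "vnc"}
# Out of mainstream support as of January 2020 (Windows 7 left extended support on 14 Jan 2020).
UNSUPPORTED_WINDOWS = {"Windows 2000", "Windows XP", "Windows Server 2003", "Windows 7"}
AV_STALE_DAYS = 7  # assumption: definitions older than a week count as not auto-updating

REPORT_DATE = date(2020, 1, 15)  # constructed evaluation date
SITES = ["plant-a", "plant-b", "plant-c", "plant-d"]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("plant-a", "10.1.0.10", "10.1.0.20", "telnet"),      # engineering ws -> legacy RTU
    Flow("plant-a", "10.1.0.10", "10.1.0.30", "rdp"),         # jump host -> HMI
    Flow("plant-b", "10.2.0.5", "10.2.0.6", "snmpv3"),        # encrypted management, not a finding
    Flow("plant-b", "10.2.0.5", "10.2.0.7", "ssh"),
    Flow("plant-b", "10.2.0.9", "8.8.8.8", "dns"),            # leaves the plant for the internet
    Flow("plant-c", "192.168.5.2", "192.168.5.10", "modbus"),
    Flow("plant-d", "172.16.3.4", "172.16.3.9", "ftp"),
]

# Constructed sample Windows inventory.
SAMPLE_HOSTS = [
    WindowsHost("plant-a", "hmi-01", "Windows XP", date(2019, 6, 1)),
    WindowsHost("plant-b", "hist-01", "Windows 10", date(2020, 1, 14)),
    WindowsHost("plant-c", "eng-01", "Windows Server 2016", date(2020, 1, 15)),
    WindowsHost("plant-d", "hmi-02", "Windows 7", date(2020, 1, 13)),
]


def is_internet_address(ip: str) -> bool:
    """True for globally routable addresses; RFC 1918, loopback and link-local are False."""
    return ipaddress.ip_address(ip).is_global


def site_findings(flows, hosts, today: date) -> dict[str, set[str]]:
    """Map each site to the set of finding categories observed there."""
    findings: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.app in CLEARTEXT_CREDENTIAL_APPS:
            findings[f.site].add("cleartext-passwords")
        if f.app in REMOTE_ACCESS_APPS:
            findings[f.site].add("remote-access")
        if is_internet_address(f.src) or is_internet_address(f.dst):
            findings[f.site].add("direct-internet")
    for h in hosts:
        if h.os in UNSUPPORTED_WINDOWS:
            findings[h.site].add("outdated-os")
        if (today - h.av_definitions).days > AV_STALE_DAYS:
            findings[h.site].add("stale-av")
    return dict(findings)


def prevalence(findings: dict[str, set[str]], sites: list[str]) -> dict[str, int]:
    """Percentage of sites exhibiting each category, the way the report states its numbers."""
    counts = Counter(cat for site in sites for cat in findings.get(site, ()))
    return {cat: round(100 * n / len(sites)) for cat, n in counts.items()}


def run_report() -> tuple[dict[str, set[str]], dict[str, int]]:
    findings = site_findings(SAMPLE_FLOWS, SAMPLE_HOSTS, REPORT_DATE)
    return findings, prevalence(findings, SITES)


if __name__ == "__main__":
    found, pct = run_report()
    for site in SITES:
        print(f"{site}: {sorted(found.get(site, ()))}")
    print(pct)
```

Two details matter in practice. The cleartext check keys on the application protocol a sensor labels, not on the port, because SNMPv1/v2c community strings and SNMPv3 share UDP/161 and only the first two are a finding. And the “direct internet” check uses `is_global`, so RFC 1918 space, loopback and link-local traffic are excluded; a site whose only external path is through a proxy in the DMZ will show the proxy’s address, not the plant device, which is exactly the segmentation the report is asking for.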
