I am not a cybersecurity expert. But I get to read many reports, news, and research. Media attention focuses on Internet-based attacks. Social engineering through people still seems to be the best way to break in. Now there is current research validating the threats that come through removable media. Your policies, procedures, and training in this area remain one of the most crucial walls of protection you can have.
According to a report released August 16, 2022 by Honeywell, the threat of USB-borne malware continues to be a serious concern. Data from the 2022 Honeywell Industrial Cybersecurity USB Threat Report indicates that 52% of threats were specifically designed to utilize removable media, up from 32% the previous year and more than double the 19% reported in the 2020 study, clearly indicating that the threats designed to use removable media have reached a dangerously high level.
Now in its fourth year, the Honeywell Industrial Cybersecurity USB Threat Report shows a clear trend: cybersecurity threats continue to be more prominent and more potent. According to the report, threats designed to establish remote access capabilities remained steady at 51%, while the number of threats designed specifically to target industrial control systems increased slightly year over year, up from 30% to 32%. At the same time, the malware was more capable of causing a disruption to industrial control systems, climbing to 81% compared to 79% the previous year.
The current report was based on aggregated cybersecurity threat data from hundreds of industrial facilities globally during a 12-month period. Along with USB attacks, the research highlights that Trojans remain a top concern because of their potential to cause severe disruption to industrial infrastructure, comprising 76% of the malware detected.
“This year’s report indicates that adversaries are deliberately leveraging removable media as an initial attack vector to establish remote connectivity, exfiltrate data, and establish command and control,” said Jeff Zindel, vice president and general manager, Honeywell Connected Enterprise Cybersecurity. “It’s now painfully clear that USB removable media are being used to penetrate industrial/OT environments, and that organizations must adopt formal programs to defend against this type of threat to avoid costly disruptions.”
For the fourth year in a row, the threats attempting to enter industrial/OT environments have continued to increase in sophistication and frequency, with USB-borne malware clearly being leveraged as part of larger cyberattack campaigns. Hackers are taking advantage of USB removable media to circumvent network defenses and bypass the air gaps upon which many of these facilities depend for protection. Continued diligence is necessary to defend against the growing USB threat, and strong USB security controls are highly recommended.
Honeywell’s Secure Media Exchange (SMX) is designed to provide advanced threat detection for critical infrastructure by monitoring, better protecting and logging use of removable media throughout industrial facilities. The Honeywell Forge Cybersecurity Suite is designed to monitor for vulnerabilities such as open ports and the presence of USB security controls to strengthen endpoint and network security, while also providing better cybersecurity compliance.
Cybersecurity continues its strong flow through my news feed. This interesting piece concerns Dragos launching a resource to help industrial asset owners and operators build their OT cybersecurity programs.
Dragos announced the launch of its new Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), a cybersecurity resource designed for industrial asset owners and operators to help them build their OT cybersecurity programs, improve their security postures, and reduce OT risk.
Delivered via the OT-CERT portal, member organizations will have free access to OT cybersecurity best practices, cybersecurity maturity assessments, training, workshops, tabletop exercises, webinars, and more. In addition, OT-CERT will coordinate with OEMs regarding disclosures for vulnerabilities discovered by Dragos threat intelligence researchers, as well as cyber threats detected by Dragos targeted at the OEMs’ products. OEM partnerships are critical to coordinated vulnerability disclosures and effective threat response to protect and support industrial infrastructure in the escalating cyber threat environment.
Dragos OT-CERT addresses a serious gap in securing industrial infrastructure: the lack of OT-specific resources readily available to the industrial infrastructure community. The gap is especially critical among small and medium-sized businesses that often have limited expertise and resources to address ICS/OT cybersecurity risks. According to Gartner, “Organizations continue to face acute and growing shortages of OT security skills to foster and support IT/OT integration, and securely support digital transformation efforts.”
Want to join?
Organizations of all sizes are eligible for OT-CERT membership. Larger organizations will benefit from free resources such as OT best-practices blogs and OT vulnerability disclosures from Dragos’s industry-leading Threat Intelligence team. Dragos OT-CERT will also aid large companies by helping to improve the security posture of smaller organizations in their supply chain that can pose a risk to their business operations.
In launching this new resource, Dragos partnered with the National Association of Manufacturers, which represents 14,000 manufacturing companies in every industrial sector and supports them through a focus on both cyber threat identification and proactive security practices that are critical to making the entire supply chain more secure.
Initial Dragos OT-CERT partners include the National Association of Manufacturers, Emerson, Rockwell Automation, and four Information Sharing and Analysis Centers: E-ISAC (electricity), ONG-ISAC (oil and natural gas), DNG-ISAC (downstream natural gas), and WaterISAC.
[Updated with correct name spelling.] Manufacturing companies began a digital journey decades ago. I began a digital project in 1978. Digital is one thing. Connectivity is another. My customer in 1994 told me he would never allow a wire from a PLC to anything else (other than I/O of course) as long as he was the controls leader. By 1999 he was retired and the plant had some connected controllers.
He was right, though. The concern was risk. And that was before anyone knew anything about cybersecurity. But there was risk of someone breaking in and messing with the program and settings.
And risk was a key word as I was introduced to BT, a networking and IT company, through an interview with global manufacturing lead Jose Gastey. He told me connected boxes lead to risks and liability. There is a constant tension between efficient services and risk. This was my introduction to BT. I had not interviewed anyone from there before.
Three Key Words: Connectivity, Collaboration, Cybersecurity
Gastey told me, “BT as a company had to change. The question was how to provide security around data that customers expect us to transmit for them. Last year BT invested in Safe Security. We can talk about financial risk alongside risk of data loss and hacking.”
Manufacturing has made tremendous investments in digital technologies and connectivity. That comes with a risk. According to the 2021 NTT Global Threat Intelligence Report, threat actors have made manufacturing one of the five most targeted industries seven times over the last nine years. Cyber-espionage, data theft and other types of digital attacks have become the norm rather than the exception.
BT industry sales representatives have an additional security tool in their toolbox of solutions for their clients. The Safe Security SAFE (‘Security Assessment Framework for Enterprises’) platform allows organisations to take a health check of their existing defences and understand their likelihood of suffering a major cyber attack.
SAFE is unique in calculating a financial cost to customers’ risks and giving actionable insight on the steps that can be taken to address them. The platform ultimately enables organisations to surgically target gaps in their defences, and already protects multiple Fortune 500 companies and governments around the world.
Sustainability, 5G and Ecosystem
Before leaving the briefing, Gastey told me about two other BT emphases of interest to manufacturing—sustainability and 5G/WiFi6 networks.
“Sustainability adds another layer,” said Gastey. BT has joined with Cisco and Global Data to compile data about global sustainability. In this context, the focus is reduction of energy consumption.
BT works with private 5G and WiFi6. Gastey says scaling is a crucial element. “Engineers install 5G in a plant,” he says, “and business managers say, this is great. Now, roll out to 200 plants. But that is hard. There are too many differences from plant to plant. Solving scaling is a big problem.”
I received this news late last week: Tuesday, July 19, Dragos and Emerson announced a partnership to strengthen ICS/OT cybersecurity and protect the critical infrastructure of industrial processes at the plant floor.
Emerson is a major industrial control system and software supplier, while Dragos provides cybersecurity solutions above the device level. Emerson’s representatives typically interact with a company’s operational technology (OT) personnel. Dragos representatives forge close ties with the CISO team or other IT-oriented functions.
Why does this partnership make sense? I talked with Dan Schaffer, Dragos Sr. Business Development Manager, to gain an insight.
He told me OEMs have close ties to the operation technology side of a company, while cybersecurity companies maintain close ties to parts of the IT side. While most companies have succeeded in fostering environments bringing the two groups together, OT and IT inevitably have different pain points. Bringing a partnership of OEM and Security companies to the conversation adds value to the customer.
Schaffer pointed to an earlier partnership between the two companies through the Ovation water/wastewater business. This partnership adds DeltaV to the mix, greatly expanding the markets that can be served. Having Dragos validated on DeltaV provides more confidence for customers.
The partnership, among other things, includes a deep technology integration that will improve threat detection and response across the entire industrial OT environment and add Dragos Platform capabilities hyper-focused on DeltaV DCS-specific ICS networks.
This from the press release:
With this agreement expansion, Emerson has validated the Dragos Platform within its DeltaV™ distributed control system (DCS) providing organizations with greatly enhanced ICS/OT cybersecurity. This extended agreement builds on the initial global agreement between Dragos and Emerson to protect industrial control systems and operational technologies for power producers and water utilities to now include organizations in dozens of industries including oil and gas, chemical, petrochemical, food and beverage, pharmaceutical, pulp and paper, metals and mining, and others.
Emerson has agreements with cybersecurity companies at the end point. Here is a description of what this partnership brings.
The Dragos OT Security Platform is focused on reducing cyber risk to industrial environments. It provides visibility into assets and vulnerabilities, detects cyber threats to industrial systems, and enables efficient response through forensic investigation and OT-specific playbooks.
Speaking of those playbooks—Schaffer mentioned them in our conversation. They reminded me of descriptions within the book The Checklist Manifesto: How to Get Things Right by Atul Gawande. Indeed, there are similarities. They are similar to the books pilots of commercial airlines refer to in emergencies to remember critical steps for recovering control. Operators seldom see cyber attacks. When they do, such a guide would be invaluable.
OK, I could use scare tactics like a mass market “journalist” talking about Russia and threats of nuclear warfare. On the other hand, how would the control system on your critical infrastructure withstand a high altitude nuclear electromagnetic pulse (EMP) blast?
If you are using a controller from Bedrock Automation, this video documents tests of high voltage EMP resistance. Independent test lab certifies that the Bedrock OSA control platform and power supplies can survive repeated high voltage electromagnetic pulse (EMP) blasts.
The video documents the independent test procedure by which Bedrock’s Open Secure Automation (OSA) platforms have achieved compliance with U.S. Military Standard 461 (MIL-STD-461G) for electromagnetic pulse resistance. The system withstood repeated electromagnetic pulse blasts per the RS105 test, equivalent to what a high-altitude nuclear EMP detonation might deliver.
As defined by the RS105 Test Criteria, National Technical Systems, Inc., a leading independent provider of qualification testing, inspection, and certification solutions, subjected the Bedrock systems under test to a total of 67 EMP strikes in X, Y, and Z orientations. The 67 strikes are part of the test, starting at 50% (25,000 volts/m) and the last 5 strikes are at the full 50,000 volts/m.
Although surviving electrical blasts of 50,000 volts/m was required to meet the standard, the testing team maxed out the test chamber at 107,000 volts/m and the Bedrock systems under test survived multiple rapid strikes and remained operational.
Emerson’s acquisitions have moved it more firmly into discrete manufacturing operations. This news of a new programmable automation controller family of products manages to combine the benefits of control, automation, industrial Internet of Things (IIoT), and analytics while “minimizing the need for specialized software engineering talent.” Automation suppliers have been on a fervent journey toward providing products that are easier to use for talent-strapped customers. It also brings in current requirements for security and open protocols.
Emerson, a global software, technology and engineering leader, announced the release of its PACSystems RSTi-EP CPE 200 programmable automation controllers (PAC). CPE 200 controllers will deliver large programmable logic controller (PLC) capability in a small, cost-effective, IIoT-ready form factor so machine manufacturers do not need to sacrifice performance for price.
Providing features that help speed time to use, the CPE 200 series offers security-by-design, open programming, and open communications built in to simplify connectivity to external analytics software platforms while reducing cost and complexity for OEMs and end users.
“Gaining competitive edge in today’s marketplace means having the flexibility to connect to the wide array of equipment end users employ as part of their proprietary processes, and supporting secure, open connectivity to allow easy access to on-premises and cloud-hosted analytics platforms,” said Jeff Householder, president of Emerson’s machine automation solutions business. “The CPE 200 series controllers take advantage of Emerson’s cybersecure-by-design architecture, common programming capabilities, and IIoT readiness to provide options currently missing in legacy compact PLCs.”
The controllers offer open communications through native, pre-licensed support for OPC UA Secure and other common industrial protocols for flexible connectivity over high-speed Gigabit Ethernet. IEC 61131 programming languages and C, the world’s most popular and easiest-to-use programming language, help engineers write and run the high-performance algorithms that enable proprietary production strategies and advanced automation technologies.