Major Windows Outage Affects Millions

A major cybersecurity failure. I have not written about the “Blue Screen of Death” or BSOD since the late 90s and the PC-based control movement. Waking up this morning, that dreaded phrase returned to my mail reads. By now you’ve seen photos of lines at airports and other inconveniences. Someone in my community posted about difficulties finding a ride home from O’Hare in the early morning hours.

It seems an automatic update from a security company called CrowdStrike crashed Windows PCs. One pessimist I read said this won’t be the last time something like this happens.

My first hint came from this news item in John Ellis’s News Items (subscription).

Businesses across the world, from airlines to financial services and media groups, have been hit by a global IT outage, causing massive disruption to a wide range of services and operations. Thousands of workers were unable to log on to their computers on Friday morning, disrupting businesses from finance to healthcare, in what is shaping up to be one of the most widespread IT outages ever. Australian businesses were the first to warn of problems, with the operations of retailers including Woolworths and 7-Eleven hit. Sydney airport said “a global technical outage” had affected its operations. In Europe, airlines and airports warned of disruption. The US Federal Aviation Administration said Delta, United and American Airlines had asked to ground flights due to take off. “I don’t think it’s too early to call it: this will be the largest IT outage in history,” said Troy Hunt, a prominent security consultant, in a social media post. “This is basically what we were all worried about with Y2K, except it’s actually happened this time.” (Source: ft.com)

PR people started sending me quotes from a variety of cybersecurity people.

Commenting on this, Adam Pilton, Senior Cybersecurity Consultant at CyberSmart and former Detective Sergeant investigating cybercrime, said:

“At the time of writing IT systems around the world are not operating. This is impacting many businesses and will impact our daily lives.

Currently, we do not know what has happened; there is no suggestion that this is a cyber attack. The belief is that this is a technical issue. Maybe not coincidentally, the cyber security company Crowdstrike are having issues too. Time will tell whether these are directly related.

Crowdstrike has stated that they are aware of reports of crashes on Microsoft’s Windows operating system relating to its Falcon sensor.

There are some suggestions that this is two major incidents running simultaneously: a service-wide Azure outage and CrowdStrike Falcon blue screens.

What we are seeing now though are the businesses which have business continuity and incident response plans in place. These businesses are effectively communicating the issues and ensuring their customers are informed.

Society is dependent upon technology and this is why we must have both technical and non-technical controls in place to protect us when issues arise, whether malicious or not.

Social media is ablaze with users reporting that they are unable to work and one user on Reddit even stated they were commenting purely to be part of history on ‘The day that Crowdstrike took out the internet!’

This is very much the point of why all businesses must plan and prepare. As we are seeing, a huge dependency on individual suppliers can take down supply chains.”

And this one:

“Multiple StickmanCyber security engineering and our 24×7/365 security operations teams across the country support reports that this outage is related to a CrowdStrike update.

“It is our understanding that any business running versions 7.15 and 7.16 is affected by the outage, but 7.17 seems to be OK. We are waiting on an official advisory from CrowdStrike on these findings but doing our best to help affected customers. It’s a lesson to always update your software, but obviously this is an extreme example. IT security tools are all designed to ensure that companies can continue to operate in the worst-case scenario of a data breach, so to be the root cause of a global IT outage is an unmitigated disaster.

“Crowdstrike support is offering a workaround to customers. It claims users may be able to fix the issue by booting Windows in safe mode or in the Windows Recovery Environment and deleting a file named “C-00000291*.sys”.”
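As an added illustration, not code from the original post or from CrowdStrike, the PowerShell script below locates files matching the pattern quoted in the workaround and reports them before anything is deleted; removal only happens when the `-Remove` switch is passed. The drive-letter parameter and the choice to search under `Windows\System32\drivers` are assumptions (the post names only the file pattern): when you are in the Windows Recovery Environment the offline Windows volume is frequently mounted under a letter other than C:, so the script takes the letter explicitly rather than assuming it.

```powershell
# Added example (not from the original post or from CrowdStrike's advisory).
# Lists channel files matching the pattern quoted in the workaround above and
# removes them only when -Remove is given. Assumptions: the caller supplies the
# drive letter of the affected Windows volume (under WinRE it is often not C:),
# and the files live somewhere under <drive>:\Windows\System32\drivers.
param(
    [string]$SystemDrive = 'C:',
    [switch]$Remove
)

$driversDir = Join-Path $SystemDrive 'Windows\System32\drivers'
$pattern    = 'C-00000291*.sys'   # file name pattern quoted in the post

$found = Get-ChildItem -Path $driversDir -Recurse -Filter $pattern -File -ErrorAction SilentlyContinue

if (-not $found) {
    Write-Output "No files matching $pattern under $driversDir"
    return
}

foreach ($f in $found) {
    # Record what was found before touching anything, for the incident log.
    Write-Output ("{0}  {1} bytes  modified {2:u}" -f $f.FullName, $f.Length, $f.LastWriteTime)
    if ($Remove) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Output "Removed $($f.FullName)"
    }
}
```

Run it once without `-Remove` to confirm the path and the match list (for example `.\find-channel-file.ps1 -SystemDrive 'D:'` from a WinRE command prompt where the Windows volume mounts as D:), then a second time with `-Remove`. Keeping the listing step separate from the delete step gives the responder a record of exactly which files were present on each machine, which matters when the same workaround is being applied across a fleet.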

Cybersecurity Breaches Identified as Major Cause of Downtime

Cycles of marketing thought intrigue me. Suddenly PR people are flooding my email inbox with offers to interview CTOs of security companies who wish to comment on how cybersecurity breaches are a major cause of downtime. I chose this one to post for now partly because it’s a new company. I’m also intrigued by how the IT guy from Uber thinks he can disrupt industrial automation.

Oh, and yes, this is yet another survey done by a developer company. It’s the new way to generate media coverage when you don’t have a new product to release. And, yes, I’m an enabler.

In brief:

  • Copia Automation Finds $4.2M Per Hour Lost in Manufacturing from Cybersecurity Breaches and Coding Errors
  • Survey of 200 U.S. executives on the emergence of Industrial DevOps reveals half of all downtime is caused by programming mistakes

Another point. Copia is taking the IT idea of DevOps (see previous blog post) into industrial settings much as HighByte did with DataOps.

Copia Automation, empowering companies to gain end-to-end visibility and control of their operational technology, released its first annual State of Industrial DevOps Report today, the first survey of its kind on the application of information technology (IT) DevOps principles and practices to the industrial sector. The report reveals that industrial coding errors cause manufacturing shutdowns lasting 30 hours on average, costing $4.2M per hour and $126M per shutdown. Half of all downtime is caused by industrial code changes, code confusion, lack of visibility into industrial code, and issues with programmable logic controllers (PLCs).

The survey highlights significant vulnerabilities in operational technology (OT) — the software and hardware that control industrial equipment. A possible cause for these is ad hoc fixes in industrial programming, with 79% of respondents saying they are commonplace.

“The cost of downtime minimizes or eliminates the margin between profitability and failure for manufacturers,” said Copia Co-founder and CEO Adam Gluck. “With coding errors and cybersecurity breaches shown as significant causes for downtime, manufacturers need to take every technological measure to protect their bottom line and ensure continuous operations with enhanced productivity. Industrial DevOps delivers the technology and the process-change to do this.”

Next DLP Announces First Security Solution to Automatically Map to MITRE’s Insider Threat Knowledge Base

Cybersecurity updates and news continue to fill my inbox. This one combines the trend toward working together for the common good.

Next DLP (“Next”), a leader in data loss prevention and insider threat solutions, announced that their Reveal Platform is the first Insider Risk Management solution to automatically map detection events to MITRE Engenuity Center for Threat-Informed Defense’s (“Center”) expanded Insider Threat Knowledge Base (ITKB 2.0). The ITKB 2.0 is the first of its kind to offer an evidence-based, multi-organizational, and publicly-available compendium of insider threat tactics, techniques, and procedures (TTPs). This endeavor was developed in partnership between MITRE, Next DLP, CrowdStrike, HCA Healthcare, JPMorgan Chase Bank, N.A., Lloyds Banking Group, Microsoft Corporation and Verizon Business.

Digital transformation and hybrid workforces have significantly increased the complexity and volume of insider threats organizations face. Legacy solutions often require extensive manual effort to correlate detection events with specific threat behaviors, resulting in delayed responses, potential security breaches, and data leaks. Reveal addresses this challenge head-on by automatically including MITRE’s Techniques, Tactics, and Procedures (TTPs) in its detections, incidents, and analyst case reports.

“The expansion and refinement of our data repository was made possible by new cases and insights from our dedicated data contributors,” said Suneel Sundar, Director R&D, of the Center. “We’re delighted that Next is leveraging our knowledge of adversary behaviors and capabilities to provide defenders with a better opportunity to detect malicious insiders.”

By incorporating MITRE’s TTPs Reveal delivers a comprehensive narrative of the entire incident lifecycle, from initial reconnaissance and data collection to defense evasion and exfiltration. For the chronically overstretched Security team—a persistent problem given the ongoing security talent shortage—this rich information view maximizes the efficiency of analyst resources, empowering security teams of all sizes to perform at heightened levels.

“With Reveal, and in partnership with MITRE CTID, we are setting a new standard for data protection and insider threat mitigation,” said John Stringer, Head of Product at Next DLP. “By automating the mapping of detections to MITRE’s Insider Threat TTPs, we enhance our clients’ security posture by demonstrating MITRE ATT&CK coverage and significantly reducing the time and resources required to identify, respond to and report on high-impact insider threat activity.”

The MITRE Engenuity Center for Threat-Informed Defense is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all. For more information, contact [email protected].

Honeywell Report Reveals “Silent Residency” Is Driving Escalating Cyber Threat

The sixth Honeywell cybersecurity research report concludes that yes, you are being targeted, and maybe not where you expect it. And yes, it is still humans who are the most vulnerable link in the cybersecurity defense Maginot line.

  • New research indicates increasing sophistication of cyber criminals targeting operational technology (OT) and the industrial sector
  • USB devices continue to be leveraged as part of larger cyberattack campaigns aiming to manipulate rather than exploit

New research from Honeywell provides insight into just how dangerous unchecked USB devices can be in operational technology (OT) environments. Honeywell discovered that adversaries are now using USB devices to gain access to industrial control systems, where they can hide and observe operations before launching attacks that leverage the inherent capabilities of the systems, known as “living off the land” (LotL) attacks. These attacks are less dependent on exploiting vulnerabilities and more focused on collecting information, evading detection and manipulating the target systems.

“Targeted cyber-physical attacks are no longer about zero-day exploits that take advantage of an unknown or unaddressed vulnerability. Instead, they are more about silent residency – using LotL attacks to wait until there is an opportune moment to turn a system against itself,” said Micheal Ruiz, vice president of OT cybersecurity for Honeywell.

According to the report, most of the malware detected on USB devices by Honeywell’s Secure Media Exchange could cause loss of view or loss of control of an industrial process, a potentially catastrophic scenario for operators.

The 2024 report is based on the Honeywell Global Analysis, Research and Defense (GARD) team’s tracking and analysis of aggregated cybersecurity threat data from hundreds of industrial facilities globally during a 12-month period.

Several of the report’s additional key findings included:

  • USB devices continue to be used as an initial attack vector into industrial environments, as 51% of malware is designed to spread via USB, a nearly six-fold increase from 9% in 2019.
  • Content-based malware, which uses existing documents and scripting functions maliciously, is on the rise, accounting for 20% of malware.
  • Over 13% of all malware blocked specifically leveraged the inherent capabilities of common documents, such as Word, Excel and PDF documents.
  • Malware can cause significant impact, such as loss of view, loss of control, or system outages in OT environments. 82% of malware is capable of causing disruption to industrial operations.

ISASecure Issues First Security Level 3 Certifications for ISA/IEC 62443 Cybersecurity Standards

I haven’t had word from ISA for quite some time, especially about its cybersecurity certification program. This news concerns GE Power Conversion’s HPCi Controller achieving cybersecurity Security Level 3 certificates of conformance. Congratulations.

The International Society of Automation (ISA) announced that its ISASecure cybersecurity certification program has issued the world’s first Security Level 3 (SL3) certificates of conformance. The ISASecure program certifies conformance to the ISA/IEC 62443 series of internationally recognized automation and control systems cybersecurity standards.

Among the first automation products to achieve this challenging security classification is GE Power Conversion’s HPCi Controller.

“We are pleased to see GE taking a leadership role in securing automation that affects our everyday lives,” said Andre Ristaino, managing director, ISA conformity assessment programs. “Securing products to SL3 surpasses the minimum SL2 needed to defend against intentional cyber attacks.”

The ISASecure SL3 certification provides confidence to GE Power Conversion customers that the HPCi Controller is free of known cybersecurity vulnerabilities and is robust against network attacks, and independently confirms conformance to ISA/IEC 62443-4-2 SL3 security requirements. This is the world’s first ISASecure CSA 1.0.0 Level 3 certification.

Following soon after GE, Bitron Electronics also completed the necessary requirements to pass the SL3 certification evaluation, making Bitron the second supplier to achieve this advanced certification level under the ISASecure certification scheme.

“With two SL3 certifications already complete, these certifications further demonstrate the marketplace’s growing acceptance of the ISASecure ISA/IEC 62443 conformance scheme as the leading certification scheme on the market today,” said Brandon Price, senior principal for industrial cybersecurity at ExxonMobil and ISASecure board chair.

Companies that choose to achieve higher levels of certification understand how to apply the ISA/IEC 62443 standards and recognize the value of protections and assurances they provide to their end-user customers. As the need for advanced security protection grows, ISASecure certifications – recognized and accepted globally – continue to be the most sought-after certification specified by end users.

ISASecure recently published a whitepaper describing the value of securing automation and control systems to SL2 or higher. “The Case for ISA/IEC 62443 Security Level 2 as a Minimum for COTS Components” is available for download on the ISASecure website.

Hexagon and Dragos Partner to Strengthen Industrial Cybersecurity

More and more companies are developing partnerships to serve customers rather than trying to reinvent the wheel. Hexagon had acquired PAS and its Cyber Integrity solution some years ago. This partnership announced with cybersecurity solution provider Dragos aims to do no less than “revolutionize OT cybersecurity at industrial facilities.”

The technical partnership focuses on integrating the complementary OT cybersecurity capabilities of the Dragos Platform and Hexagon’s PAS Cyber Integrity to provide customers with enhanced inventory data, comprehensive configuration management and superior intrusion detection and threat management to protect businesses operating in multiple critical infrastructure sectors. The collaboration is expected to harness the respective strengths, industry insights and innovative spirit of both Dragos and Hexagon.

“This relationship represents a significant step in forging the future of OT cybersecurity,” said Nick Cappi, vice president of OT Cybersecurity at Hexagon. “Through the integration of technologies, industrial facilities that use Hexagon and Dragos will be in a better position to achieve their security goals. We are excited to work together and collectively solve bigger security challenges for customers.”

The companies will integrate their specialized expertise and capabilities to tackle the unique challenges encountered by owner operators. Together, they aspire to enhance safety, efficiency and productivity, with a goal of revolutionizing how the cybersecurity industry protects industrial infrastructure and valuable assets.

“Hexagon is known for providing forward leaning technology that also prioritizes safety and security, and the partnership with Dragos brings additional value to industrial and critical infrastructure organizations using our technologies,” said Matt Cowell, Global VP of Business Development at Dragos. “The integration between Dragos and Hexagon will leverage our complementary capabilities and respective strengths to provide an integrated approach to managing security across the different layers of the operational environment.”
