Gangnam Industrial Style: APT Campaign Targets Korean Industrial Companies

I received a notice from CyberX about a phishing campaign aimed at industrial and industrial control companies. It just goes to show that we all need to be continually vigilant and disciplined about attachments and links.

From the CyberX blog:

Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial cyberespionage campaign targeting hundreds of manufacturing and other industrial firms primarily located in South Korea.

The campaign steals passwords and documents which could be used in a number of ways, including stealing trade secrets and intellectual property, performing cyber reconnaissance for future attacks, and compromising industrial control networks for ransomware attacks.

For example, the attackers could be stealing proprietary information about industrial equipment designs so they can sell it to competitors and nation-states seeking to advance their competitive posture.

Also, credentials can provide attackers with remote RDP access to IoT/ICS networks, while plant schematics help adversaries understand plant layouts in order to facilitate attacks. Design information can also be used by cyberattackers to identify vulnerabilities in industrial control systems.

The campaign uses spear phishing emails with industrial-themed attachments.

Project Alvarium from Linux Foundation for Trusted Data

The IoT group that I’ve been working with for the past few years has been absorbed into the OEM group which is carrying on an expanded function. This blog post from Steve Todd, Dell Technologies Fellow, details the development of data confidence work that has been contributed to the open source Linux Foundation to seed Project Alvarium.

Following is a quick summary. Go to the blog for additional information about trusted data work.

A team of Dell Technologies specialists finished building the first-ever Data Confidence Fabric (DCF for short). The prototype code will be contributed to the Linux Foundation to seed Project Alvarium.

For several years, the CTO of the Dell Technologies Edge and IoT business unit has been touting a vision of data monetization. However, it’s hard to monetize untrusted Edge and IoT data. As he likes to say, “It’s midnight. Do you know where your data has been?” 

Enterprise storage systems have delivered trusted data to applications for a long time. We started our initial investigation wondering if these same trust principles could be applied to Edge and IoT ecosystems. Recent developments in data valuation, distributed ledgers, and data marketplaces facilitated everything coming together.

Five Levels of Trust

We started with the EdgeX Foundry chair of the Core Working Group, Trevor Conn. Trevor wrote the first-ever Data Confidence Fabric software using Go Lang, the same programming language EdgeX is written in. His Data Confidence Fabric software registered with EdgeX as a client and began processing simulated device data. The initial confidence score for this data was “0” (no trust was inserted). 

Dell Technologies then hired three computer science interns from Texas A&M to deploy EdgeX and the Data Confidence Fabric software on a Dell Gateway 3000 with a Trusted Platform Module (TPM) chip.

EdgeX was then adjusted to support N-S-E-W authentication by using VMware’s open-source Lightwave technology.

Dell Boomi software was invoked by the Data Confidence Fabric software to gather provenance and appended this metadata to the sensor reading.

The Data Confidence Fabric software then stored the data locally using IPFS (an immutable, open-source storage system). This fourth level of trust insertion gives an application confidence that the data/provenance has not been tampered with. It also has the additional benefit of enabling analytics to access data closer to the source.

The Data Confidence Fabric software then registered the data into VMware’s blockchain (based on the open-source Project Concord consensus algorithm).
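The five trust insertions above can be modelled as annotations on a reading plus a content-addressed storage check and a ledger lookup. The following is an added example, not Project Alvarium or Dell DCF code; the type names, the equal weighting of each level, the SHA-256 stand-in for IPFS content addressing, the map-backed ledger and the sample reading are all assumptions.

```go
// Toy Data Confidence Fabric: a reading starts at confidence 0 and gains one
// point per trust insertion. Not the DCF prototype; weights are assumptions.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Annotation records one trust insertion made as the reading crossed the fabric.
type Annotation struct {
	Kind   string `json:"kind"`   // "tpm", "auth", "provenance"
	Detail string `json:"detail"` // what was checked or attached
}

// Reading is the sensor value plus the provenance annotations gathered so far.
type Reading struct {
	Device      string       `json:"device"`
	Value       float64      `json:"value"`
	Annotations []Annotation `json:"annotations"`
}

// Record is what an application receives: the reading and the content ID it was stored under.
type Record struct {
	Reading   Reading
	ContentID string
}

// Ledger stands in for blockchain registration: an append-only set of content IDs.
type Ledger struct{ ids map[string]bool }

func NewLedger() *Ledger             { return &Ledger{ids: map[string]bool{}} }
func (l *Ledger) Register(id string) { l.ids[id] = true }
func (l *Ledger) Has(id string) bool { return l.ids[id] }

// ContentID mimics IPFS-style content addressing: SHA-256 over the canonical JSON of the
// reading AND its annotations, so changing the value or the provenance changes the ID.
func ContentID(r Reading) string {
	b, _ := json.Marshal(r) // all fields are marshalable, so the error is always nil
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Confidence scores 0..5: one point per annotation (TPM attestation, authenticated
// transport, provenance), one if the data still hashes to the ID it was stored under,
// and one if that recomputed ID is registered on the ledger. A tampered reading loses
// the last two because its hash no longer matches anything stored or registered.
func Confidence(rec Record, l *Ledger) int {
	score := len(rec.Reading.Annotations)
	id := ContentID(rec.Reading)
	if id == rec.ContentID {
		score++
	}
	if l.Has(id) {
		score++
	}
	return score
}

// Ingest applies the insertions in the order the post describes and returns the record.
func Ingest(device string, value float64, l *Ledger) Record {
	r := Reading{Device: device, Value: value} // fresh reading: no trust yet
	r.Annotations = append(r.Annotations,
		Annotation{"tpm", "gateway attestation"},
		Annotation{"auth", "N-S-E-W mutual authentication"},
		Annotation{"provenance", "collection path metadata"})
	id := ContentID(r) // fourth insertion: immutable, content-addressed storage
	l.Register(id)     // fifth insertion: ledger registration
	return Record{Reading: r, ContentID: id}
}

func main() {
	l := NewLedger()
	rec := Ingest("sim-temp-01", 21.5, l) // constructed sample reading
	fmt.Println("confidence:", Confidence(rec, l)) // 5
	rec.Reading.Value = 99.0                       // tamper after storage
	fmt.Println("after tamper:", Confidence(rec, l)) // 3
}
```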

IoT and Control Systems Soft Targets for Cyber Hackers

Internet of Things installations along with industrial control systems constitute well known cybersecurity vulnerabilities within industrial plants and operations. CyberX, the IoT and industrial control system (ICS) security company, announced the availability of its “2020 Global IoT/ICS Risk Report” designed to sharpen awareness and knowledge of this critical area.

The data illustrates that IoT/ICS networks and unmanaged devices are soft targets for adversaries, increasing the risk of costly downtime, catastrophic safety and environmental incidents, and theft of sensitive intellectual property.

Some of the top findings noted that these networks have outdated operating systems (71 percent of sites), use unencrypted passwords (64 percent) and lack automatic antivirus updates (66 percent).

Energy utilities and oil and gas firms, which are generally subject to stricter regulations, fared better than other sectors such as manufacturing, chemicals, pharmaceuticals, mining, transportation and building management systems (CCTV, HVAC, etc.).

Now in its third year, CyberX’s “Global IoT/ICS Risk Report” is based on analyzing real-world traffic from more than 1,800 production IoT/ICS networks across a range of sectors worldwide, making it a more accurate snapshot of the current state of IoT/ICS security than survey-based studies.

Including the data presented in previous reports, CyberX has now analyzed over 3,000 IoT/ICS networks worldwide using its patented M2M-aware behavioral analytics and non-invasive agentless monitoring technology.

Recommendations Focus on Prioritization and Compensating Controls

The report concludes with a practical seven step process for mitigating IoT/ICS cyber risk based on recommendations developed by NIST and Idaho National Labs (INL), a global authority on critical infrastructure and ICS security.

Experts agree that organizations can’t fully prevent determined attackers from compromising their networks. As a result, they recommend prioritizing vulnerability remediation for “crown jewel” assets — critical assets whose compromise would cause a major revenue or safety impact — while implementing compensating controls such as continuous monitoring and behavioral anomaly detection (BAD) to quickly spot intruders before they can cause real damage to operations.

“Our goal is to bring board-level awareness of the risk posed by easily-exploited vulnerabilities in IoT/ICS networks and unmanaged devices — along with practical recommendations about how to reduce it,” said Omer Schneider, CyberX CEO and co-founder.

“Today’s adversaries — ranging from nation-states to cybercriminals and hacktivists — are highly motivated and capable of compromising our most critical operational systems,” said Nir Giller, CyberX GM, CTO and co-founder. “It’s now incumbent on boards and management teams to recognize the risk and ensure appropriate security and governance processes are in place across all their facilities to address it.”

Summary of Key Findings

  • Broken Windows: Outdated Operating Systems. 62 percent of sites have unsupported Microsoft Windows boxes such as Windows XP and Windows 2000 that no longer receive regular security patches from Microsoft, making them especially vulnerable to ransomware and destructive malware. The figure rises to 71 percent with Windows 7 included, which reaches end-of-support status in January 2020.
  • Hiding in Plain Sight: Unencrypted Passwords. 64 percent of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise additional systems simply by sniffing the network traffic.
  • Excessive Access: Remotely Accessible Devices. 54 percent of sites have devices that can be remotely accessed using standard management protocols such as RDP, SSH and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets. For example, during the TRITON attack on the safety systems in a petrochemical facility, the adversary leveraged RDP to pivot from the IT network to the OT network in order to deploy its targeted zero-day malware.
  • Clear and Present Danger: Indicators of Threats. 22 percent of sites exhibited indicators of threats, including suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, excessive number of connections between devices and malware such as LockerGoga and EternalBlue.
  • Not Minding the Gap: Direct Internet Connections. 27 percent of sites analyzed have a direct connection to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.
  • Stale Signatures: No Automatic Antivirus Updates. 66 percent of sites are not automatically updating Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware — and the lack of antivirus is one reason why CyberX routinely finds older malware such as WannaCry and Conficker in IoT/ICS networks.

Schneider Electric Foxboro and Triconex Innovation Days 2019

I’ve followed Foxboro and Triconex for many years now in my coverage of the process automation business. A great company that, not unlike too many others, suffered now and again with very poor management. The company has now settled in nicely at its home in Schneider Electric and appears to be healthy here.

Much credit must go to Gary Freburger. He provided a steadying hand as the leader before and through the transition, as well as guiding the integration into the new home. He is retiring at the end of the year. I’ve met a number of great leaders and a few stinkers in my 20 years at this side of the business. Gary’s one of the great ones. And his chosen successor (see more below) seems more than up for the task of building on his successes.

Marcotte Succeeds Freburger as Process Automation President

This week’s major announcement revealed that Nathalie Marcotte has been selected to succeed Freburger as president of its Process Automation business, effective Jan. 1, 2020.

“After a long, successful industry career, including more than 15 years serving Invensys and Schneider Electric in various senior leadership roles, Gary has decided to retire,” said Peter Herweck, executive vice president, Industrial Automation business, Schneider Electric. “We thank him for his many contributions and his strong legacy of success. We wish him well, and I congratulate Nathalie on her appointment. She brings more than 30 years of industry knowledge, expertise and experience, as well as a long record of success. I look forward to working with her as we build on the success Gary has delivered.”

Since joining the Schneider organization in 1996, Marcotte has held several positions of increasing responsibility, including vice president of Global Performance and Consulting Services; vice president, North America marketing; general manager for the Canadian business; and, prior to her current position, vice president, marketing, Global Systems business. As the company’s current senior vice president, Industrial Automation Services, she is responsible for Schneider Electric’s Services business and offer development, ranging from product support to advanced operations and digital services. She is also responsible for the company’s Global Cybersecurity Services & Solutions business, including the Product Security Office.

“As we move through this transition, it will be business as usual for Schneider Electric and our Process Automation customers,” Marcotte said. “Gary and I are working very closely together to ensure there will be no disruptions to our day-to-day operations. This ensures our customers have the same access to the exceptional people, products and technology they have come to trust and rely on to improve the real-time safety, reliability, efficiency and profitability of their operations.”

“I thank Gary for his many contributions to Schneider Electric and to our industry in general. Under his leadership, our customers, partners and employees have never been better situated to succeed, today and tomorrow,” Marcotte said. “This transition will have no impact on our technology strategy and portfolio roadmap. We remain committed to our continuously-current philosophy, which means never leaving our customers behind. Now, by leveraging the strength of the full Schneider Electric offer, we can take the next step toward enabling an easier, less costly digital transformation for our customers, while keeping them on the path to a safer, more secure and profitable future.”

Following the opening keynotes, I had the opportunity to chat privately with Freburger and Marcotte. Following summarizes a few key takeaways.

Digitalization and Digital Transformation.

These topics were prominently displayed in the ballroom before the keynotes. In fact the welcome and opening presentation were given by Mike Martinez, Director of Digital Transformation Consulting. These are common themes in the industry—in fact, not only process automation, but also at the IT conferences I cover. Each company has its own unique take on the terms, but it still boils down to data, data integrity, databases, and data security. All of which were discussed.

Key Points From the Presidents.

Integration across Schneider Electric. One priority has been working with other business units (and their technologies) across the Schneider Electric portfolio. This could be PLCs and drives, but power is a huge emphasis. Schneider Electric management wants very much for its process automation acquisition to integrate well with its historic electric power business. This is seen as a strategic opportunity. One thought-provoking observation—is the process engineer/electrical engineer divide as serious as the IT/OT divide? No direct answer. But these domains have historically had little to no collaboration. One to watch.

Close working relationship with AVEVA. If you recall, Schneider Electric bundled its various software acquisitions including the ones from Invensys (Wonderware, Avantis) and used them to buy into AVEVA—the engineering software company. Bringing automation and software together was a constant source of pain for Invensys. Schneider Electric dealt with it through a separate company. Along the way, cooperation seems to be better than ever. Marcotte explained to me that Foxboro combines its domain expertise with the more broadly general software platforms to achieve customer values. See for example my previous post on Plant Performance Advisors Suite.

Cybersecurity. Marcotte has been leading Schneider’s cybersecurity efforts. These are seen as a key part of Schneider Electric’s offer. See especially the establishment of the ISA Global Cybersecurity Alliance. They don’t talk as much about the Internet of Things as at other conferences, but when I probed more deeply about IT, cybersecurity was again brought up as the key IT/OT collaboration driver.

It’s been a struggle, but the Schneider Electric process automation business (Foxboro and Triconex) seems as strong as ever. And the people here—both internal and customers—are optimistic and energetic. That’s good to see.

Automotive Cybersecurity Threats–Broader Than You Think

If I offered you an opportunity to spend $300 and make $50,000 right away, with more to come and no additional expense, would you take it? What about downloading a cybersecurity hack for that much off the Dark Web and using it to steal a $50,000 car?

Such a possibility exists, Etay Maor, Chief Security Officer of IntSights, told me yesterday. His firm, a threat intelligence company focused on enabling enterprises to Defend Forward, released the firm’s new report, Under the Hood: Cybercriminals Exploit Automotive Industry’s Software Features. The report identifies the inherent cybersecurity risk and vulnerabilities manufacturers face as the industry matures through a radical transformation towards connectivity.

Car manufacturers offer more software features to consumers than ever before, and increasingly popular autonomous vehicles that require integrated software introduce security vulnerabilities. Widespread cloud connectivity and wireless technologies enhance vehicle functionality, safety, and reliability but expose cars to hacking exploits. In addition, the pressure to deliver products as fast as possible puts a big strain on the security capabilities of cars, manufacturing facilities, and automotive data.

The two main things that affect hackers’ motivation, regardless of their skills and knowledge, are the cost effectiveness of the attack and the value of the information.

Vehicles usually have more complicated attack surfaces to penetrate compared to other options, e.g. attacks against banks or retail shops. That said, the automotive industry still has numerous attack vectors, just as any other industry: phishing, credential leakages, leaked databases, open ports and services, insider threats, brand security, and more.

Dark Web Forums

In the research, IntSights discovered online shops that sell car hacking tools that appear on the clear web and are easy to find. These online shops sell services that disconnect automobile immobilizers, as well as services that sell code grabbers and forums that give bad actors a complete tutorial on how to steal vehicles.

“The automotive manufacturing industry is wrought with issues, stemming from legacy systems that can’t be patched to the proliferation of vehicle connectivity and software as consumers demand more integration with personal devices and remote access,” said Maor. “A lack of adequate security controls and knowledge of threat vectors enables attackers to take advantage of easily acquired tools on the dark web to reap financial gain. Automakers need to have a constant pulse on dark web chatter, points of known exposure, and data for sale to mitigate risk.”

Top Vehicle Attack Vectors:

  • Remote Keyless Systems
  • Tire Pressure Monitoring Systems
  • Software and Infotainment Applications
  • GPS Spoofing
  • Cellular Attacks

Other attack vectors explored include:

  • CAN-BUS
  • Attacking CAN-BUS
  • Remote Attack Vectors
  • Car Applications
  • Physical Attack Vectors

IntSights has “the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire.” Its cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response.

Data Protection Best Practices White Paper

Standards are useful, sometimes even essential. Standard sizes of shipping containers enable optimum ship loading/unloading. Standard railroad gauges and cars enable standard shipping containers to move from ship to train, and eventually even to tractor/trailer rigs to get products to consumers. 

Designing and producing to standards can be challenging. Hence the value of best practices.

Taking this to the realm of Industrial Internet of Things where data security, privacy and trustworthiness are essential, the Industrial Internet Consortium (IIC) has published the Data Protection Best Practices White Paper. I very much like these collaborative initiatives that help engineers solve real world problems.

Designed for stakeholders involved in cybersecurity, privacy and IIoT trustworthiness, the paper describes best practices that can be applied to protect various types of IIoT data and systems. The 33-page paper covers multiple adjacent and overlapping data protection domains, for example data security, data integrity, data privacy, and data residency.

I spoke with the lead authors and came away with a sense of the work involved. Following are some highlights.

Failure to apply appropriate data protection measures can lead to serious consequences for IIoT systems such as service disruptions that affect the bottom-line, serious industrial accidents and data leaks that can result in significant losses, heavy regulatory fines, loss of IP and negative impact on brand reputation.

“Protecting IIoT data during the lifecycle of systems is one of the critical foundations of trustworthy systems,” said Bassam Zarkout, Executive Vice President, IGnPower and one of the paper’s authors. “To be trustworthy, a system and its characteristics, namely security, safety, reliability, resiliency and privacy, must operate in conformance with business and legal requirements. Data protection is a key enabler for compliance with these requirements, especially when facing environmental disturbances, human errors, system faults and attacks.”

Categories of Data to be Protected

Data protection touches on all data and information in an organization. In a complex IIoT system, this includes operational data from things like sensors at a field site; system and configuration data like data exchanged with an IoT device; personal data that identifies individuals; and audit data that chronologically records system activities.

Different data protection mechanisms and approaches may be needed for data at rest (data stored at various times during its lifecycle), data in motion (data being shared or transmitted from one location to another), or data in use (data being processed).

Data Security

“Security is the cornerstone of data protection. Securing an IIoT infrastructure requires a rigorous in-depth security strategy that protects data in the cloud, over the internet, and on devices,” said Niheer Patel, Product Manager, Real-Time Innovations (RTI) and one of the paper’s authors. “It also requires a team approach from manufacturing, to development, to deployment and operation of both IoT devices and infrastructure. This white paper covers the best practices for various data security mechanisms, such as authenticated encryption, key management, root of trust, access control, and audit and monitoring.”

Data Integrity

“Data integrity is crucial in maintaining physical equipment protection, preventing safety incidents, and enabling operations data analysis. Data integrity can be violated intentionally by malicious actors or unintentionally due to corruption during communication or storage. Data integrity assurance is enforced via security mechanisms such as cryptographic controls for detection and prevention of integrity violations,” said Apurva Mohan, Industrial IoT Security Lead, Schlumberger and one of the paper’s authors.

Data integrity should be maintained for the entire lifecycle of the data from when it is generated, to its final destruction or archival. Actual data integrity protection mechanisms depend on the lifecycle phase of the data.

Data Privacy

As a prime example of data privacy requirements, the paper focuses on the EU General Data Protection Regulation (GDPR), which grants data subjects a wide range of rights over their personal data. The paper describes how IIoT solutions can leverage data security best practices in key management, authentication and access control to empower GDPR-centric privacy processes.

The Data Protection Best Practices White Paper complements the IoT Security Maturity Model Practitioner’s Guide and builds on the concepts of the Industrial Internet Reference Architecture and Industrial Internet Security Framework.

The Data Protection Best Practices White Paper and a list of IIC members who contributed to it can be found on the IIC website.