Cybersecurity Attack on an Industrial Safety System

A cybersecurity incident was evidently spotted yesterday. The FireEye report on it is quoted below. I also received this statement from CyberX. I am not primarily a cybersecurity writer, but this is significant.

“We have information that points to Saudi Arabia as the likely target of this attack, which would indicate Iran as the likely attacker. It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary. Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and TRITON appears to be simply an evolution of those approaches.” Phil Neray, VP of Industrial Cybersecurity for CyberX, a Boston-based industrial cybersecurity firm.

From the FireEye report (see complete analysis on its Website).

Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message.

We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage for the following reasons:

  • Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.
  • TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check.
  • The failure occurred during the time period when TRITON was used.
  • It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.

The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g. the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities).

The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.
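The report above credits a validation check between redundant processing units with catching the modified application code. The following is an added defender-side model of such a check, not Triconex firmware or code from FireEye's analysis: each unit's execution table is hashed and compared with its peers and with an engineering baseline, and any disagreement drives the controller to a failed safe state. The unit names, program names and program images are constructed for the illustration.

```python
import hashlib

# Constructed baseline: the legitimate safety programs the engineering
# workstation is known to have downloaded to the controller.
BASELINE_PROGRAMS = [
    ("ESD_LOGIC", b"constructed emergency shutdown logic v3"),
    ("FIRE_GAS", b"constructed fire and gas detection logic v3"),
]


def table_digest(execution_table):
    """SHA-256 over the ordered execution table (program name, length, image)."""
    h = hashlib.sha256()
    for name, image in execution_table:
        h.update(name.encode())
        h.update(len(image).to_bytes(4, "big"))
        h.update(image)
    return h.hexdigest()


def diff_against_baseline(execution_table, baseline):
    """Return (added, altered): programs not in the baseline, and baseline
    programs whose image no longer matches."""
    approved = dict(baseline)
    added = [n for n, _ in execution_table if n not in approved]
    altered = [n for n, img in execution_table
               if n in approved and approved[n] != img]
    return added, altered


def validate_units(units, baseline):
    """Cross-check redundant units and compare each with the baseline.

    units: dict of unit name -> execution table (list of (name, image)).
    Returns (state, diagnostics) where state is 'RUNNING' or 'FAILED_SAFE'.
    """
    baseline_digest = table_digest(baseline)
    digests = {u: table_digest(t) for u, t in units.items()}
    diagnostics = []
    # Redundant units must agree with one another; any divergence is a fault.
    if len(set(digests.values())) > 1:
        diagnostics.append("MP diagnostic failure: execution tables differ "
                           "between redundant processing units")
    # Each unit must also match what engineering actually downloaded.
    for unit, table in units.items():
        if digests[unit] != baseline_digest:
            added, altered = diff_against_baseline(table, baseline)
            diagnostics.append(f"{unit}: deviates from baseline "
                               f"(added={added}, altered={altered})")
    state = "FAILED_SAFE" if diagnostics else "RUNNING"
    return state, diagnostics


def demo():
    # Constructed scenario: one unit has an extra program appended to its
    # execution table while the legitimate programs are left in place.
    units = {
        "MP1": BASELINE_PROGRAMS + [("UNKNOWN_PRG", b"constructed extra image")],
        "MP2": list(BASELINE_PROGRAMS),
        "MP3": list(BASELINE_PROGRAMS),
    }
    return validate_units(units, BASELINE_PROGRAMS)


if __name__ == "__main__":
    state, diags = demo()
    print(state)
    for d in diags:
        print(" ", d)
```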

PAS Announces Investment to Fuel Its Industrial Control System Cybersecurity Business

Keep watching the cybersecurity space for more action. Already this week, I wrote about two different approaches to industrial cybersecurity. Here is the story of an investment that lets a company with a long history pivot and go deeper into this market segment.

PAS has been known for improving alarm management and control system asset integrity. It has moved aggressively into the cybersecurity area by leveraging existing technology and hiring talent. It has announced a $40 million growth investment by Tinicum, L.P. and certain affiliated funds managed by Tinicum Incorporated (“Tinicum”). Tinicum is a private investment partnership focused on late stage investments in manufacturing, energy, technology, media, and infrastructure.

This funding round will expand PAS sales and marketing across its global offices as well as increase research and development for Cyber Integrity, its flagship cybersecurity software product. Cyber Integrity protects critical infrastructure from risks associated with rising industrial internet of things (IoT) adoption, malicious cyber attacks, and insider threats.

“Critical infrastructure is vulnerable to outsider cyber attacks and to malicious or unintended insider actions,” says Trip Zedlitz, partner at Tinicum. “The cyber assets that matter most—the ones primarily responsible for safety and production in power generation plants, chemical facilities, and refineries—are some of the most insecure systems in the industry today. We invested in PAS because they secure this class of endpoints in a way that no other ICS cybersecurity software solution in the market can do, and they help companies comply with a growing regulatory and standards landscape that includes NERC CIP, NIST, and IEC 62443. With a strong management team and the rising global demand for critical infrastructure cybersecurity, we are excited about our investment in PAS.”

Industrial control systems have a responsibility for running critical infrastructure safely and reliably. These systems have traditionally relied on complexity, air gapping, and perimeter-based defenses to remain secure. Such strategies have proven largely unreliable and porous. PAS Cyber Integrity deciphers the complex, proprietary configurations of control systems giving companies complete visibility into critical cyber assets. It also identifies unauthorized changes, exposes vulnerabilities, drives compliance, and helps facilities recover rapidly in the event of a worst-case scenario. Cyber Integrity works across the heterogeneous automation environment, providing enterprise scalability, performance, and platform independence.

“PAS has a 23-year tradition of making industrial process facilities safer and more reliable,” says Eddie Habibi, founder and CEO at PAS. “Our deep expertise in control systems and production-centric approach to securing ICS give us a formidable competitive advantage. The investment from Tinicum enables us to expand our security solutions portfolio, strategically increase our global reach, and continue protecting our customers from an ever-evolving threat landscape.”

Signal Hill served as the exclusive financial advisor to PAS on the transaction. In conjunction with the investment, Plant Automation Services, Inc. (“PAS”) has reorganized under the new name PAS Global, LLC.

Industrial Cyber Security Becomes Increasingly Important

Cyber Security is always the “elephant in the room” at Industrial Internet of Things (IIoT) and Industrial Control Systems (ICS) conferences.

The latest edition of the ARC Industry Forum in Orlando featured many cyber security firms. Most monitor network traffic for anomalies; some look at other aspects of the system. More firms are pivoting from other specialties into cyber security.

Here are two news items that approach cyber security from totally different angles: one from the enterprise level, the other from the lowest-level user.

Manage Cyber Security Risks

Deloitte, the enterprise consulting company, announced plans to expand its cyber risk platform for end-to-end industrial control systems (ICS) and operational technologies (OT) security with next generation technology enabled by Dragos, a cybersecurity company focusing on securing ICS and OT networks.

The tactic Deloitte is taking is to monitor emerging cyber threats. Deloitte Risk and Financial Advisory Cyber Risk Services’ end-to-end ICS offering, enabled by Dragos technology, uses a combination of innovative cyber security products and services. This combination brings hunting and reconnaissance capabilities that now allow organizations to look beyond internal data to threat documentation found in external databases. Beyond securing ICS and OT systems, this combination of cyber risk services and technologies can provide a more complete picture of an organization’s ICS and OT threat landscape through active monitoring that can better inform scenario planning and response.

“Assessing the cyber risks of our clients’ ICS and OT, we see that many organizations are often unprepared for the magnitude of the impact to operational technology and industrial control systems environments,” said Ed Powers, principal, Deloitte & Touche LLP, and U.S. leader for Deloitte Risk and Financial Advisory Cyber Risk Services. “A decision to include OT and ICS as a part of a broader cyber risk management program can improve a company’s understanding of the potential damage resulting from a cyberattack and can bolster the efficacy of its cyber risk mitigation strategy.”

The Dragos Platform, Threat Operations Center, and intelligence team form an ecosystem of technology, people, and intelligence to safeguard industrial networks. The Dragos Platform is designed for industrial networks and provides visibility into the environment, detection of threats through behavioral analytics, and the automation of workflows including incident response data collection and analysis.

“There have been pockets of excellence around the community in industrial security leading practices. But the world is facing a more connected infrastructure and a more aggressive threat than we’ve seen in years past,” said Robert M. Lee, chief executive officer, Dragos. “Now is an important time to get the solution correct and that’s what the Dragos and Deloitte cooperation represents.” 

Protecting From USB Device Hacks

We all know about Stuxnet and how it was spread via malware carried on USB sticks. Well, here is an interesting tactic and new product from Honeywell.

Honeywell Process Solutions (HPS) announced Secure Media Exchange (SMX) to protect facilities against current and emerging USB-borne threats, without the need for complex procedures or restrictions that impact operations or industrial personnel.

Malware spread through USB devices – used by employees and contractors to patch, update and exchange data with onsite control and computer systems – is a key risk for industrial control systems. It was the second leading threat to these systems in 2016, according to BSI publications, and uncontrolled USBs have taken power plants offline, downed turbine control workstations, and caused raw sewage floods, among other industrial accidents.

“Industrial operators often have hundreds or thousands of employees and dozens of contractors on site every day,” said Eric Knapp, Cyber Security chief engineer, HPS. “Many, if not most, of those rely on USB-removable media to get their jobs done. Plants need solutions that let people work efficiently, but also don’t compromise cyber security and, with it, industrial safety.”

Currently, many plants either ban USBs, which is difficult to enforce and significantly reduces productivity, or rely on traditional IT malware scanning solutions, which are difficult to maintain in an industrial control facility and provide limited protection. These solutions fail to protect process control networks against the latest threats, and offer no means to address targeted or zero-day attacks.

“SMX is a great example of Honeywell’s major investments in new industrial cyber security technologies, products, services, and research which further strengthen our ability to secure and protect industrial assets, operations and people,” said Jeff Zindel, vice president and general manager, Honeywell Industrial Cyber Security. “With the continued increase in cyber threats around the world, Honeywell’s industrial cyber security expertise and innovation are needed more than ever for smart industry, IIoT and critical infrastructure protection.”

Honeywell’s SMX was developed by the company’s cyber security experts based on field experience across global industrial sites and feedback from Honeywell User Group customers. Honeywell has one of the largest industrial cyber security research capabilities in the process industry, including an advanced cyber security lab near Atlanta. Honeywell also partners with cyber security leaders, including Microsoft, Intel Security and Palo Alto Networks, among others, to develop new, highly-effective industrial threat detection techniques.

Contractors “check in” their USB drives by plugging them into an SMX Intelligence Gateway. The ruggedized industrial device analyzes files using a variety of techniques included with Honeywell’s Advanced Threat Intelligence Exchange (ATIX), a secure, hybrid-cloud threat analysis service.

SMX Client Software installed on plant Windows devices provides another layer of protection, controlling which USB devices are allowed to connect, preventing unverified USB removable media drives from being mounted, and stopping unverified files from being accessed. SMX also logs USB device connectivity and file access, providing a valuable audit capability.

“For most plants, the proliferation of removable media and USB devices is unavoidable, but the security risks they bring don’t have to be,” said Knapp. “We know our customers have limited resources to maintain another system, so Honeywell manages SMX for them. SMX never connects to our customers’ process control networks. From a system administration perspective, it’s like it’s not even there.”

Managed and maintained directly by Honeywell, SMX provides the easy and secure solution to USB security in industrial plants. It helps prevent the spread of malware through removable media; stops unverified files being read by Windows hosts; and, through the private ATIX connection, provides continually updated threat information and advanced analytics to help detect advanced, targeted, and zero-day malware.

Data Forgery Protection Defends Critical Industrial Control Systems from Cyber Threats

Cyber protection takes on a number of forms. Most everything involves “defense in depth” strategies. I just talked with an Israeli company started by former security agents that has found a different vulnerability and counteracts it. This is the first of three press releases I’ve been sitting on for release today. I guess Nov. 15 is a magic day in the PR world.

APERIO Systems emerged from stealth mode, launching the industry’s first technology that detects artificial manipulations of industrial process data, enabling operators to take real-time corrective action without service disruption to industrial control systems (ICS). From the rate of gas flow at a petroleum refinery, to the temperature and spin rates of turbines in a power plant, or the chlorine level of water supply networks, APERIO Systems’ proprietary Data Forgery Protection (DFP) technology delivers the last line of defense in protecting critical SCADA systems against insider and external threats.

APERIO Systems, already deployed at several sites across EMEA, secured seed funding from a consortium of private investors, including prominent cybersecurity veterans Doron Bergerbest-Eilon, Liran Tancman, and Shlomi Boutnaru. Bergerbest-Eilon is renowned for his role in establishing the agency charged with protecting all critical infrastructure in the State of Israel and is the former director of the security and protection division of the Israel Security Agency (ISA). He is currently the founder, president and CEO of ASERO Worldwide, a security consulting firm. Tancman and Boutnaru, who played key roles in building Israel’s cybersecurity capabilities, founded predictive cybersecurity startup CyActive, which was acquired by PayPal in 2015.

“Current solutions focus on keeping hackers outside critical systems, but attacks like the one that took down the power grid in Ukraine clearly show that sophisticated attackers will eventually penetrate these systems,” said Bergerbest-Eilon. “Once attackers breach a system, they must blind the operators and protection mechanisms by falsifying data in order to inflict severe and long-lasting damage. This entirely new category of Data Forgery Protection (DFP) is the key to keeping our critical infrastructure safe from attacks.”

Industrial control systems (ICS) are generally outdated from a cybersecurity perspective, vulnerable and difficult to patch because mission critical systems cannot be taken offline. While the threat to ICS is growing, critical systems security products on the market today are intrusive, hard to maintain, costly to integrate, and often produce vague and unactionable alerts, which cannot be acted upon by critical utility control rooms.

“Think of APERIO Systems as a polygraph for process data — it detects when your system is lying to you,” said Yevgeni Nogin, CEO of APERIO Systems. “With the unrelenting tenacity of cybercriminals, critical infrastructure breaches are inevitable. By guaranteeing the authenticity and integrity of operational data, APERIO Systems ensures that operators always know what’s really going on, enabling them to react quickly to a breach and take corrective action — making the critical systems resilient to the most dangerous of attacks.”

APERIO Systems’ advanced proprietary algorithms search for the data’s unique fingerprints and validate its authenticity. Any mismatches generate an alert and APERIO Systems pinpoints the attacked equipment and forged process data. Using a sophisticated combination of physics and state-of-the-art machine learning techniques, APERIO Systems reconstructs the real values of the forged operational data and reverts it to its original state in real time — establishing unprecedented operational resilience.

How APERIO Systems Protects

Both internal and external attackers can penetrate the most critical infrastructures, causing severe and long lasting damage. In order to do so, they must hide their malicious activity and deceive plant operators by forging the reported values of critical devices — remaining undetected and preventing timely corrective action. APERIO Systems’ Data Forgery Protection technology immediately exposes forged system readings to safeguard critical control systems and allow quick and effective remediation.

APERIO Systems provides:

  • Data Forgery Protection (DFP): Validates integrity and authenticity of reported signals to provide operators with true state awareness, enabling them to take corrective action in real time.
  • Process Continuity: Enables trust in the most critical data and provides resilience when attacked.
  • Operational Alerts: Fast, actionable, specific and accurate alerts integrate cybersecurity into operational emergency procedures, allowing operators to mitigate permanent damage.
  • Accurate and Relevant: Alerts operators only when the reported process state does not reflect the plant’s real situation — providing an extremely low false alert rate.
  • Minimized Risk: Passive and non-intrusive system minimizes operational risks, as well as installation and maintenance costs.
  • Counters Insider Threats: Protects the plant’s process continuity from both external and internal actors.

APERIO Systems is led by a veteran executive team with roots in the elite units of the Israel Defense Forces (IDF), as well as top cybersecurity and industrial companies:

  • Yevgeni Nogin, CEO — a graduate of the elite “Talpiot” IDF military academy, served over nine years in elite intelligence and R&D units of the IDF, and brings expertise in SCADA systems security.
  • Michael Shalyt, VP Product — a graduate of the “Psagot” IDF academic program, served as leading researcher and team leader in the elite 8200 unit. Prior to joining APERIO Systems, he led the malware research team at Check Point.
  • Itay Baruchi, Head of Algorithms — served as director of Industrial MRI, where he worked closely with several of the biggest oil and gas drilling companies. Before that, he founded and served as CTO of Pythagoras Solar.
  • Charles Tresser, Chief Scientific Officer — a world renowned expert in dynamical systems. Tresser is one of the world’s leading experts in chaos theory and formerly Director of Research at IBM and France’s National Center for Scientific Research (CNRS).
