by Gary Mintchell | Aug 5, 2019 | Internet of Things, Security
Cybersecurity is in the news more often than violence or politics, its seems. Last week I received two important pieces of news—both reported below. The first details vulnerabilities found in VxWorks—the most widely used Real-Time Operating System forming the foundation for process control. The other news concerns a survey of executives that shows continued cyber attacks on industrial systems.
Zero Day Vulnerabilities
Enterprise IoT security company, Armis, announced the discovery of 11 zero-day vulnerabilities, 6 critical, that affect Wind River® VxWorks versions since version 6.5, that include the IPnet stack, collectively known as “URGENT/11.” Updated releases have been provided. URGENT/11 does not impact versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition.
VxWorks, the leading real-time operating system (RTOS), is used in more than two billion devices across industrial, medical and enterprise environments such as mission-critical systems including SCADA, elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, satellite modems, VOIP phones and printers. If exploited, URGENT/11 could allow a complete takeover of the device and cause disruption on a scale similar to what resulted from the EternalBlue vulnerability.
“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why URGENT/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”
URGENT/11 includes six Remote Code Execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets. Any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities. They include some devices that are located at the perimeter of organizational networks that are internet-facing such as modems, routers and firewalls. Any vulnerability in such a device may enable an attacker to breach networks directly from the internet. Devices protected by perimeter security measures also can be vulnerable once the devices create TCP connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device and access the internal network.
“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”
VxWorks is pervasive and trusted due to its rigorous and high-achieving safety certifications and its high degree of reliability and real-time accuracy. In its 32-year history, only 13 Common Vulnerabilities and Exposures (CVEs) have been listed by MITRE as affecting VxWorks. Armis discovered unusually low-level vulnerabilities within the IPnet stack affecting these specific VxWorks versions released in the last 13 years, from versions 6.5 and above. These are the most severe vulnerabilities found in VxWorks to date.
The IPnet networking stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of real-time operating system vendors.
Wind River has been working in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities last month. To the best of both companies knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited.
Organizations deploying devices with VxWorks should patch impacted devices immediately. More information can be found in the Wind River Security Alert posted on the company’s Security Center.
Operational Downtime is the Most Common Impact of IoT-Focused Cyberattacks
As connectivity in the Industrial Internet of Things (IIoT) promises to transform the manufacturing and production industry, new research by Irdeto underlines the importance of cybersecurity, revealing that 79% of manufacturing and production organizations surveyed have experienced an IoT-focused cyberattack in the past year. This finding demonstrates the importance of cybersecurity as IoT devices proliferate across the critical infrastructure of these organizations, to ensure that the potential business benefits of IoT can be realized safely.
The Irdeto Global Connected Industries Cybersecurity Survey of 220 security decision makers in organizations in this sector (700 respondents in total) found that of the organizations that were hit by an attack, operational downtime (47%), compromised customer data (35%) and compromised end-user safety (33%) were the most common impacts. These findings clearly point to a direct bearing on revenue as well as health safety challenges presented by unsecured IoT devices.
The research also suggests that these organizations are aware of where the key cybersecurity vulnerabilities exist with their infrastructure, but do not necessarily have everything they need to address them. The most prominent vulnerabilities within manufacturing and production organizations were in mobile devices and apps (46%). This was followed by the IT network (41%) and the software used by the organization (40%) – which if referring to the OT equipment software which runs of the factory floor, could be hugely problematic.
However, despite this awareness, 92% of respondents feel their organization does not have everything it needs to address cybersecurity challenges. 44% state that their organization needs to implement a more robust security strategy. This is followed by a need for additional expertise/skills within the organization to address all aspects of cybersecurity (42%) and a need for more effective cybersecurity tools (37%).
This is compounded by the finding that, in the manufacturing sector, a total of 91% of manufacturers and 96% of users of IoT devices state that the cybersecurity of the IoT devices that they manufacture or use could be improved either to a great extent or to some extent. Failure to address these challenges could prove costly with the average financial impact as a result of an IoT-focused cyberattack in the manufacturing space identified as more than $280,000 USD, according to the survey.
“While the benefits of IoT may be in abundance in manufacturing and industrial environments, this connectivity also increases the attack surface and these findings demonstrate that there is an awareness of the cybersecurity challenges and impacts within the industry, but potentially a need to rethink strategies to mitigate the impact of potential cyberattacks,” said Mark Hearn, Director of IoT Security and Business Development, Irdeto. “Whatever the nature of the threat, industrial and manufacturing organizations must understand the scope of their current risk, ask hard cybersecurity-centric questions to vendors, and work with trusted advisors to safely embrace connectivity in their manufacturing process.”
As organizations fight to keep pace with the cybersecurity challenges in the manufacturing sector, they do have several security measures in place, but have often not implemented enough layers into their security strategy. 21% of organizations surveyed do not currently have software protection technologies implemented, while 39% do not have mobile app protection implemented, despite identifying mobile devices and apps as the greatest source of vulnerabilities. In addition, only 50% make security part of the product design lifecycle process.
However, the majority of organizations that don’t already have these measures in place, state that they plan to implement them in the next year. In addition, 99% of the manufacturing organizations surveyed agree that a security solution should be an enabler of new business models, not just a cost. These findings suggest that attitudes towards IoT security are changing for the better.
“As the manufacturing industry embraces IoT technology it’s clear that there are many cybersecurity challenges that must be addressed, but the industry attitude towards cybersecurity is on the right track,” added Steeve Huin, Vice President of Strategic Partnerships, Business Development and Marketing, Irdeto. “As the scope of connected manufacturing grows, the opportunities and the risks are magnified and it is imperative that organizations upskill and implement robust cybersecurity strategies to ensure they mitigate the threat and safely take advantage of the benefits that IoT can bring.”
by Gary Mintchell | Dec 22, 2017 | Automation, News, Security
Last week I wrote about the cyber attack on a safety integrated system probably in Saudi Arabia. There has been another attack. When media relations people saw that I had written about cyber security, I started receiving more releases.
Cyber security
Here is some additional commentary by Eddie Habibi, CEO and founder of PAS Global. That company has moved strongly from alarm management investing heavily in building a cyber security practice.
“Since 2010, attackers have been intent on learning how process control networks in critical infrastructure plants work, what systems are in place, where vulnerabilities exist, and how best to manipulate these systems to affect plant safety and performance. Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems that in many cases produce electricity for our businesses, gasoline for our cars, or clean water for our homes.
The TRITON (a.k.a. TRISIS) malware attack underscores the capabilities that attackers have acquired and the fact that traditional security controls – namely air gapping and security by obscurity – are no longer sufficiently effective. As TRITON targets an integral part of the independent protection layers that keep plants safe, this should raise red flags with every critical infrastructure company in the world.
One of the first steps companies must take is to get better visibility into the cyber assets in their plants. Eighty percent of the assets in a plant are outside of traditional IT cybersecurity programs. This is clearly unacceptable given the threat landscape we face today. Once companies gain visibility, they can begin to implement fundamental security controls such as monitoring for unauthorized change or discovering hidden vulnerabilities. Otherwise, malware such as TRITON will continue to find fertile ground for causing production disruptions and even environmental or physical harm.”
Cyber security challenges for practitioners
Part of my daily contact with PAS Global’s PR person included this tidbit from Habibi.
With these seismic attacks looming over manufacturing plants/facilities and other critical infrastructure, PAS Global has identified the top 8 critical challenges ICS directors are facing:
- Lack of overall visibility of ICS vulnerabilities
Vulnerability exploits are under reported
- False sense of security in many ICS environments
- More disclosures than capacity to investigate
- Limited visibility into ICS vulnerabilities and risks
- Vulnerability investigation is manual and research-intensive
- Limited visibility into vulnerability remediation effectiveness
- Manual, inconsistent patch management
HatMan Malware
And this from Emily S. Miller, Director of National Security and Critical Infrastructure Programs at Mocana:
“ICS-CERT’s analysis of the HatMan malware revealed some interesting and novel tidbits. Not only did the actor develop a ‘more traditional PC-based component that interacts with the safety PLC,’ but the malware also contained components specifically designed to compromise the safety device itself, which allowed changes to the device firmware. The fact that this actor has the capability to access the safety instrumentation device, and potentially make changes to the device firmware unnoticed, should make critical infrastructure owner-operators sit up and take heed. Yes, in this case the malware tripped the safety systems and was noticed, but who’s to say the actor won’t learn from its mistakes or hasn’t already? Current recommended mitigations promote defense-in-depth strategies. While these are absolutely pieces of the puzzle, things like network monitoring and segmentation alone are clearly not sufficient when the bad actors keep getting in and doing bad things to both the devices and the data contained therein. We have to do better about both defending the network AND protecting the devices themselves.”
Link to How Mocana Protects graphic on Dropbox.
Yet more cyber attacks in the news
Further communications from the agency for PAS Global. I appreciate the humor. “I didn’t want you to go a day without hearing from me. What a concerning week we are having for critical infrastructure!”
The warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.
“We’ve seen a seven-fold increase in the number of cyberattacks on industrial control systems (ICS) since 2010. What makes this increase particularly alarming is the enhanced level of sophistication of the attacks and the success they have shown in achieving their goals.
The fact that infected USBs are behind the Copperfield attack underscores the lack of adequate, foundational security within industrial facilities. Critical infrastructure security is clearly not trending in the right direction.
The simple fact is that 80% of cyber assets in a facility are highly proprietary, do not work with IT security controls, and are largely invisible to security personnel. If we cannot see these assets, how can we hope to secure them? If we cannot secure them, then we are staring at a tumultuous 2018 because the bad guys are savvy to the insecurity of these systems.”
Meanwhile, here is another defense
Most experts I talk with discuss the need for a defense-in-depth strategy. Occasionally entrepreneurs in the field wax enthusiastically about their particular solution. Albert Rooyakkers is one of those intense entrepreneurs who has designed an industrial control product with cyber security at the heart of the design.
Here is the latest news from Bedrock Automation.
It has announced Bedrock Open Secure Automation (OSA) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time t0 detect intrusions and anomalous behavior.
“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:
- Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
- Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
- System Time Monitoring, which detects attempts to manipulate log files to conceal malicious activity
- Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
- Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.
Anomalous behavior detected at the controller level signifies a high likelihood of a cyber security event. Embedding detection into the controller provides advanced cyber defense while reducing complexity and lifecycle cost. Bedrock AD will be standard on all Bedrock systems and is available as a free firmware upgrade to installed systems as part of Cybershield 3.0 in March 2018.
by Gary Mintchell | Apr 14, 2017 | Security
Keep watching the cybersecurity space for more action. Already this week, I wrote about two different approaches to industrial cybersecurity. Here is the story of an investment so that a company with history can pivot and go deeper into this market segment.
PAS has been known improving alarm management and control system asset integrity. It has moved aggressively into the cybersecurity area through leveraging existing technology and hiring talent. It has announced a $40 million growth investment by Tinicum, L.P. and certain affiliated funds managed by Tinicum Incorporated (“Tinicum”). Tinicum is a private investment partnership focused on late stage investments in manufacturing, energy, technology, media, and infrastructure.
This funding round will expand PAS sales and marketing across its global offices as well as increase research and development for Cyber Integrity, its flagship cybersecurity software product. Cyber Integrity protects critical infrastructure from risks associated with rising industrial internet of things (IoT) adoption, malicious cyber attacks, and insider threats.
“Critical infrastructure is vulnerable to outsider cyber attacks and to malicious or unintended insider actions,” says Trip Zedlitz, partner at Tinicum. “The cyber assets that matter most—the ones primarily responsible for safety and production in power generation plants, chemical facilities, and refineries—are some of the most insecure systems in the industry today. We invested in PAS because they secure this class of endpoints in a way that no other ICS cybersecurity software solution in the market can do, and they help companies comply with a growing regulatory and standards landscape that includes NERC CIP, NIST, and IEC 62443. With a strong management team and the rising global demand for critical infrastructure cybersecurity, we are excited about our investment in PAS.”
Industrial control systems have a responsibility for running critical infrastructure safely and reliably. These systems have traditionally relied on complexity, air gapping, and perimeter-based defenses to remain secure. Such strategies have proven largely unreliable and porous. PAS Cyber Integrity deciphers the complex, proprietary configurations of control systems giving companies complete visibility into critical cyber assets. It also identifies unauthorized changes, exposes vulnerabilities, drives compliance, and helps facilities recover rapidly in the event of a worst-case scenario. Cyber Integrity works across the heterogeneous automation environment, providing enterprise scalability, performance, and platform independence.
“PAS has a 23-year tradition of making industrial process facilities safer and more reliable,” says Eddie Habibi, founder and CEO at PAS. “Our deep expertise in control systems and production-centric approach to securing ICS give us a formidable competitive advantage. The investment from Tinicum enables us to expand our security solutions portfolio, strategically increase our global reach, and continue protecting our customers from an ever-evolving threat landscape.”
Signal Hill served as the exclusive financial advisor to PAS on the transaction. In conjunction with the investment, Plant Automation Services, Inc. (“PAS”) has reorganized under the new name PAS Global, LLC.
by Gary Mintchell | Dec 7, 2015 | Automation, News, Security
SCADA devices and networks remain a prime target for cyber attacks. Everything I’ve written has approached cybersecurity from a different angle. This is the first solution that has come my way that uses a deception approach.
Attivo Networks announced Dec. 7, 2015 a release of its deception-based Attivo BOTsink solution that provides continuous threat detection on Industrial Control Systems (ICS) SCADA devices used to monitor and control most manufacturing operations as well as critical infrastructure such as natural gas, oil, water, and electric power distribution and transmission systems around the world. Cyberattacks on these targets can and have resulted in disruption of critical local, regional, and national government and commercial infrastructures. As a result, when they are breached, the impact on societies they serve stands to be catastrophic.
According to a study by the Pew Internet and American Life Project, 60 percent of the technology experts interviewed believe that a major cyberattack will happen. The damages to property and ensuing theft will amount tens of billions of dollars, and the loss of life will be significant.
Scalable SCADA protection
“We are proud to be the first in the industry to provide customers a globally scalable, deception-based threat detection solution for SCADA protection,” emphasizes Tushar Kothari, CEO of Attivo Networks. “Many of our customers from the energy industry have requested the extension of our Attivo Deception Platform into their production and manufacturing control networks so they can get real-time visibility and the ability to promptly identify and remediate infected devices. As one stated, ‘a breach on those networks can be catastrophic and Attivo wants to do everything we can to prevent a disaster or risk to lives.”
SCADA systems had originally been designed to monitor critical production processes without consideration to security consequences. Security had been generally handled by keeping the devices off the network and the Internet using “air gaps” where malware could only be transmitted by the thumb drives used by technicians. However, today vulnerable SCADA systems are increasingly being connected to the corporate IT infrastructure and Internet, making them easily accessible to a remote attacker.
Examples of this would be the Sandworm malware that attacked Telecommunications and Energy sectors, Havex malware that infected a SCADA system manufacturer, and BlackEnergy malware that attacks ICS products manufactured by GE, Siemens, and Advantech. These attacks primarily targeted the operational capabilities of these facilities. With the increased malicious and sophistication of malware, concerns are now escalating to fears of an irreversible disaster.
Situational awareness
“Industrial systems have increasingly come under scrutiny from both attackers and defenders,” said Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC). “Situational awareness is the focus of the ICS-ISAC and its membership, including the ability for asset owners to detect and respond to incidents on their systems.”
These devices generally have long lifecycles creating an exposed environment driven by equipment that is less hardened and patches made infrequently. Additionally, because of their critical functions, SCADA devices cannot be taken offline frequently or for any length of time. This, along with costs that can run into the millions for every hour the network is offline, has made patching very difficult, often as infrequent as once a year, leaving many industrial facilities open to attacks. These risks are quite large considering these devices are found everywhere in electrical facilities, food processing, manufacturing, on-board ships, transportations and more.
“Companies operating in critical infrastructures like energy, utilities, nuclear, oil and gas know that they are not only vulnerable to the same security issues faced by most enterprises, they have the added enticement as a rich target for cyber terrorism,” stated Tony Dao, Director Information Technology, Aspect Engineering Group. “They recognize that securing their industrial control processes is not only critical to them, but to the institutions they serve. A loss would not only have repercussions throughout their economic sector but throughout the entire economy.”
The vulnerabilities begin with the use of default passwords, hard-coded encryption keys, and a lack of firmware updates, which pave the way for attackers to gain access and take control of industrial devices. Traditional perimeter-based solutions are designed to detect attacks on these devices by looking for suspicious attack behavior based on known signature patterns. SCADA supervisory systems are computers running normal Windows operating systems and are susceptible to zero day attacks, in which there are no known signatures or software patches. Several vulnerabilities also exist in the standard and proprietary protocols within Logic Controllers. Popular protocols include MODBUS (supervision and control), DNP3 (Energy and Water), BACNET (Building Automation), and IPMI (Baseboard Management Control).
Deception technology
Attivo Networks takes a different approach to detecting cyber attacks on ICS- SCADA devices. Instead of relying on signatures or known attack patterns, Attivo uses deception technology to lure the attackers to a BOTsink engagement device. Customers have the flexibility to install their own Open Platform Communications (OPC) software while running popular protocols and PLC devices on the BOTsink solution making it indistinguishable from production SCADA devices. This provides real-time detection of BOTs and advanced persistent threats (APTs) that are conducting reconnaissance to mount their attacks on critical facility and energy networks. Additionally, BOTsink forensics capture information including new device connections, issued commands and connection termination, enabling administrators to study the attacker’s tools, techniques, and information on infected devices that need remediation.
The Attivo SCADA solution is provided through a custom software image that runs on its BOTsink appliance or virtual machine. SCADA BOTsink deployment and management are provided through the Attivo Central Manager, which provides global central device management and threat intelligence dashboards and reporting.
“To a significant degree, the growing security problems impacting industrial control systems have originated from the fact that ICSs are increasingly less and less isolated from outside networks and systems, and ICSs are now more susceptible and vulnerable to attacks,” comments Ruggero Contu, Research Director at Gartner in his Market Trends: Industrial Control System Security, 2015 report. “At the heart of this change is the demand to integrate enterprise IT systems to operational technology, and for remote connectivity.”
Check out this whiter paper. Dynamic Deception for Industrial Automation and Control Systems
