Last week I wrote about the cyber attack on a safety integrated system probably in Saudi Arabia. There has been another attack. When media relations people saw that I had written about cyber security, I started receiving more releases.
Here is some additional commentary by Eddie Habibi, CEO and founder of PAS Global. That company has moved strongly from alarm management investing heavily in building a cyber security practice.
“Since 2010, attackers have been intent on learning how process control networks in critical infrastructure plants work, what systems are in place, where vulnerabilities exist, and how best to manipulate these systems to affect plant safety and performance. Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems that in many cases produce electricity for our businesses, gasoline for our cars, or clean water for our homes.
The TRITON (a.k.a. TRISIS) malware attack underscores the capabilities that attackers have acquired and the fact that traditional security controls – namely air gapping and security by obscurity – are no longer sufficiently effective. As TRITON targets an integral part of the independent protection layers that keep plants safe, this should raise red flags with every critical infrastructure company in the world.
One of the first steps companies must take is to get better visibility into the cyber assets in their plants. Eighty percent of the assets in a plant are outside of traditional IT cybersecurity programs. This is clearly unacceptable given the threat landscape we face today. Once companies gain visibility, they can begin to implement fundamental security controls such as monitoring for unauthorized change or discovering hidden vulnerabilities. Otherwise, malware such as TRITON will continue to find fertile ground for causing production disruptions and even environmental or physical harm.”
Cyber security challenges for practitioners
Part of my daily contact with PAS Global’s PR person included this tidbit from Habibi.
With these seismic attacks looming over manufacturing plants/facilities and other critical infrastructure, PAS Global has identified the top 8 critical challenges ICS directors are facing:
- Lack of overall visibility of ICS vulnerabilities
Vulnerability exploits are under reported
- False sense of security in many ICS environments
- More disclosures than capacity to investigate
- Limited visibility into ICS vulnerabilities and risks
- Vulnerability investigation is manual and research-intensive
- Limited visibility into vulnerability remediation effectiveness
- Manual, inconsistent patch management
And this from Emily S. Miller, Director of National Security and Critical Infrastructure Programs at Mocana:
“ICS-CERT’s analysis of the HatMan malware revealed some interesting and novel tidbits. Not only did the actor develop a ‘more traditional PC-based component that interacts with the safety PLC,’ but the malware also contained components specifically designed to compromise the safety device itself, which allowed changes to the device firmware. The fact that this actor has the capability to access the safety instrumentation device, and potentially make changes to the device firmware unnoticed, should make critical infrastructure owner-operators sit up and take heed. Yes, in this case the malware tripped the safety systems and was noticed, but who’s to say the actor won’t learn from its mistakes or hasn’t already? Current recommended mitigations promote defense-in-depth strategies. While these are absolutely pieces of the puzzle, things like network monitoring and segmentation alone are clearly not sufficient when the bad actors keep getting in and doing bad things to both the devices and the data contained therein. We have to do better about both defending the network AND protecting the devices themselves.”
Link to How Mocana Protects graphic on Dropbox.
Yet more cyber attacks in the news
Further communications from the agency for PAS Global. I appreciate the humor. “I didn’t want you to go a day without hearing from me. What a concerning week we are having for critical infrastructure!”
The warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.
“We’ve seen a seven-fold increase in the number of cyberattacks on industrial control systems (ICS) since 2010. What makes this increase particularly alarming is the enhanced level of sophistication of the attacks and the success they have shown in achieving their goals.
The fact that infected USBs are behind the Copperfield attack underscores the lack of adequate, foundational security within industrial facilities. Critical infrastructure security is clearly not trending in the right direction.
The simple fact is that 80% of cyber assets in a facility are highly proprietary, do not work with IT security controls, and are largely invisible to security personnel. If we cannot see these assets, how can we hope to secure them? If we cannot secure them, then we are staring at a tumultuous 2018 because the bad guys are savvy to the insecurity of these systems.”
Meanwhile, here is another defense
Most experts I talk with discuss the need for a defense-in-depth strategy. Occasionally entrepreneurs in the field wax enthusiastically about their particular solution. Albert Rooyakkers is one of those intense entrepreneurs who has designed an industrial control product with cyber security at the heart of the design.
Here is the latest news from Bedrock Automation.
It has announced Bedrock Open Secure Automation (OSA) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time t0 detect intrusions and anomalous behavior.
“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:
- Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
- Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
- System Time Monitoring, which detects attempts to manipulate log files to conceal malicious activity
- Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
- Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.
Anomalous behavior detected at the controller level signifies a high likelihood of a cyber security event. Embedding detection into the controller provides advanced cyber defense while reducing complexity and lifecycle cost. Bedrock AD will be standard on all Bedrock systems and is available as a free firmware upgrade to installed systems as part of Cybershield 3.0 in March 2018.
Keep watching the cybersecurity space for more action. Already this week, I wrote about two different approaches to industrial cybersecurity. Here is the story of an investment so that a company with history can pivot and go deeper into this market segment.
PAS has been known improving alarm management and control system asset integrity. It has moved aggressively into the cybersecurity area through leveraging existing technology and hiring talent. It has announced a $40 million growth investment by Tinicum, L.P. and certain affiliated funds managed by Tinicum Incorporated (“Tinicum”). Tinicum is a private investment partnership focused on late stage investments in manufacturing, energy, technology, media, and infrastructure.
This funding round will expand PAS sales and marketing across its global offices as well as increase research and development for Cyber Integrity, its flagship cybersecurity software product. Cyber Integrity protects critical infrastructure from risks associated with rising industrial internet of things (IoT) adoption, malicious cyber attacks, and insider threats.
“Critical infrastructure is vulnerable to outsider cyber attacks and to malicious or unintended insider actions,” says Trip Zedlitz, partner at Tinicum. “The cyber assets that matter most—the ones primarily responsible for safety and production in power generation plants, chemical facilities, and refineries—are some of the most insecure systems in the industry today. We invested in PAS because they secure this class of endpoints in a way that no other ICS cybersecurity software solution in the market can do, and they help companies comply with a growing regulatory and standards landscape that includes NERC CIP, NIST, and IEC 62443. With a strong management team and the rising global demand for critical infrastructure cybersecurity, we are excited about our investment in PAS.”
Industrial control systems have a responsibility for running critical infrastructure safely and reliably. These systems have traditionally relied on complexity, air gapping, and perimeter-based defenses to remain secure. Such strategies have proven largely unreliable and porous. PAS Cyber Integrity deciphers the complex, proprietary configurations of control systems giving companies complete visibility into critical cyber assets. It also identifies unauthorized changes, exposes vulnerabilities, drives compliance, and helps facilities recover rapidly in the event of a worst-case scenario. Cyber Integrity works across the heterogeneous automation environment, providing enterprise scalability, performance, and platform independence.
“PAS has a 23-year tradition of making industrial process facilities safer and more reliable,” says Eddie Habibi, founder and CEO at PAS. “Our deep expertise in control systems and production-centric approach to securing ICS give us a formidable competitive advantage. The investment from Tinicum enables us to expand our security solutions portfolio, strategically increase our global reach, and continue protecting our customers from an ever-evolving threat landscape.”
Signal Hill served as the exclusive financial advisor to PAS on the transaction. In conjunction with the investment, Plant Automation Services, Inc. (“PAS”) has reorganized under the new name PAS Global, LLC.
SCADA devices and networks remain a prime target for cyber attacks. Everything I’ve written has approached cybersecurity from a different angle. This is the first solution that has come my way that uses a deception approach.
Attivo Networks announced Dec. 7, 2015 a release of its deception-based Attivo BOTsink solution that provides continuous threat detection on Industrial Control Systems (ICS) SCADA devices used to monitor and control most manufacturing operations as well as critical infrastructure such as natural gas, oil, water, and electric power distribution and transmission systems around the world. Cyberattacks on these targets can and have resulted in disruption of critical local, regional, and national government and commercial infrastructures. As a result, when they are breached, the impact on societies they serve stands to be catastrophic.
According to a study by the Pew Internet and American Life Project, 60 percent of the technology experts interviewed believe that a major cyberattack will happen. The damages to property and ensuing theft will amount tens of billions of dollars, and the loss of life will be significant.
Scalable SCADA protection
“We are proud to be the first in the industry to provide customers a globally scalable, deception-based threat detection solution for SCADA protection,” emphasizes Tushar Kothari, CEO of Attivo Networks. “Many of our customers from the energy industry have requested the extension of our Attivo Deception Platform into their production and manufacturing control networks so they can get real-time visibility and the ability to promptly identify and remediate infected devices. As one stated, ‘a breach on those networks can be catastrophic and Attivo wants to do everything we can to prevent a disaster or risk to lives.”
SCADA systems had originally been designed to monitor critical production processes without consideration to security consequences. Security had been generally handled by keeping the devices off the network and the Internet using “air gaps” where malware could only be transmitted by the thumb drives used by technicians. However, today vulnerable SCADA systems are increasingly being connected to the corporate IT infrastructure and Internet, making them easily accessible to a remote attacker.
Examples of this would be the Sandworm malware that attacked Telecommunications and Energy sectors, Havex malware that infected a SCADA system manufacturer, and BlackEnergy malware that attacks ICS products manufactured by GE, Siemens, and Advantech. These attacks primarily targeted the operational capabilities of these facilities. With the increased malicious and sophistication of malware, concerns are now escalating to fears of an irreversible disaster.
“Industrial systems have increasingly come under scrutiny from both attackers and defenders,” said Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC). “Situational awareness is the focus of the ICS-ISAC and its membership, including the ability for asset owners to detect and respond to incidents on their systems.”
These devices generally have long lifecycles creating an exposed environment driven by equipment that is less hardened and patches made infrequently. Additionally, because of their critical functions, SCADA devices cannot be taken offline frequently or for any length of time. This, along with costs that can run into the millions for every hour the network is offline, has made patching very difficult, often as infrequent as once a year, leaving many industrial facilities open to attacks. These risks are quite large considering these devices are found everywhere in electrical facilities, food processing, manufacturing, on-board ships, transportations and more.
“Companies operating in critical infrastructures like energy, utilities, nuclear, oil and gas know that they are not only vulnerable to the same security issues faced by most enterprises, they have the added enticement as a rich target for cyber terrorism,” stated Tony Dao, Director Information Technology, Aspect Engineering Group. “They recognize that securing their industrial control processes is not only critical to them, but to the institutions they serve. A loss would not only have repercussions throughout their economic sector but throughout the entire economy.”
The vulnerabilities begin with the use of default passwords, hard-coded encryption keys, and a lack of firmware updates, which pave the way for attackers to gain access and take control of industrial devices. Traditional perimeter-based solutions are designed to detect attacks on these devices by looking for suspicious attack behavior based on known signature patterns. SCADA supervisory systems are computers running normal Windows operating systems and are susceptible to zero day attacks, in which there are no known signatures or software patches. Several vulnerabilities also exist in the standard and proprietary protocols within Logic Controllers. Popular protocols include MODBUS (supervision and control), DNP3 (Energy and Water), BACNET (Building Automation), and IPMI (Baseboard Management Control).
Attivo Networks takes a different approach to detecting cyber attacks on ICS- SCADA devices. Instead of relying on signatures or known attack patterns, Attivo uses deception technology to lure the attackers to a BOTsink engagement device. Customers have the flexibility to install their own Open Platform Communications (OPC) software while running popular protocols and PLC devices on the BOTsink solution making it indistinguishable from production SCADA devices. This provides real-time detection of BOTs and advanced persistent threats (APTs) that are conducting reconnaissance to mount their attacks on critical facility and energy networks. Additionally, BOTsink forensics capture information including new device connections, issued commands and connection termination, enabling administrators to study the attacker’s tools, techniques, and information on infected devices that need remediation.
The Attivo SCADA solution is provided through a custom software image that runs on its BOTsink appliance or virtual machine. SCADA BOTsink deployment and management are provided through the Attivo Central Manager, which provides global central device management and threat intelligence dashboards and reporting.
“To a significant degree, the growing security problems impacting industrial control systems have originated from the fact that ICSs are increasingly less and less isolated from outside networks and systems, and ICSs are now more susceptible and vulnerable to attacks,” comments Ruggero Contu, Research Director at Gartner in his Market Trends: Industrial Control System Security, 2015 report. “At the heart of this change is the demand to integrate enterprise IT systems to operational technology, and for remote connectivity.”
Check out this whiter paper. Dynamic Deception for Industrial Automation and Control Systems