Cybersecurity Attack on an Industrial Safety System

There was evidently a cybersecurity incident spotted yesterday. FireEye's report is quoted below, and I also received the following statement from CyberX. I am not primarily a cybersecurity writer, but this is significant.

“We have information that points to Saudi Arabia as the likely target of this attack, which would indicate Iran as the likely attacker. It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary. Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and TRITON appears to be simply an evolution of those approaches.” Phil Neray, VP of Industrial Cybersecurity for CyberX, a Boston-based industrial cybersecurity firm.

From the FireEye report (see the complete analysis on its website):

Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message.

We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage for the following reasons:

• Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.
• TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check.
• The failure occurred during the time period when TRITON was used.
• It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.

The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g. the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities).

The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.
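The report above describes TRITON adding a program to the controller's execution table while leaving the legitimate programs in place, and the controllers tripping when application code on redundant processing units failed validation. The Go code below is an added example, not from the FireEye report or from any Triconex tooling, of the integrity check a defender would want over a constructed, simplified model of an execution table: it flags added entries, modified entries, and disagreement between redundant units. The unit names MP1/MP2 and the program contents used in testing are assumed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Program is one entry in a controller's execution table (a constructed
// abstraction for illustration, not the Triconex on-wire format).
type Program struct {
	Name string
	Code []byte
}

// Snapshot is the execution table as read back from one processing unit.
type Snapshot struct {
	Unit     string
	Programs []Program
}

// tableDigest hashes every entry in name order, so an added program changes
// the digest even when every legitimate program is left in place.
func tableDigest(progs []Program) [32]byte {
	sorted := append([]Program(nil), progs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var buf []byte
	for _, p := range sorted {
		buf = append(buf, fmt.Sprintf("%s\x00%x\x00", p.Name, p.Code)...) // delimited fields
	}
	return sha256.Sum256(buf)
}

// Check compares each unit's table with the approved baseline and the
// redundant units with each other. An empty result means nothing to investigate.
func Check(baseline Snapshot, units []Snapshot) []string {
	want := tableDigest(baseline.Programs)
	known := map[string]bool{}
	for _, p := range baseline.Programs {
		known[p.Name] = true
	}
	var findings []string
	for _, u := range units {
		if tableDigest(u.Programs) == want {
			continue
		}
		for _, p := range u.Programs {
			if !known[p.Name] { // an entry the baseline never had
				findings = append(findings, u.Unit+": unexpected program "+p.Name)
			}
		}
		findings = append(findings, u.Unit+": execution table differs from baseline")
	}
	for i := 1; i < len(units); i++ { // redundant units must also agree with each other
		if tableDigest(units[i].Programs) != tableDigest(units[0].Programs) {
			findings = append(findings, units[0].Unit+" and "+units[i].Unit+" disagree")
		}
	}
	return findings
}
```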

Industrial Control System Secure By Design

Inductive Automation included a number of partner companies in its Ignition Community Conference last week in Folsom, CA. Among these companies was Bedrock Automation. I’ve written about Bedrock before a few times. This trip I was looking at its display when its CEO in disguise appeared.

Why it matters: Cyber security is at the top of everyone’s mind these days. Bedrock Automation has designed a system to be secure from all parts of the supply chain.

Albert Rooyakkers, founder/CEO/CTO, was wearing a hat and sunglasses and I walked right past him. However, he came over and gave me his usual high energy explanation of the entire Bedrock system.

Bedrock Automation builds an industrial control system (PLC) that was designed from the beginning with security in mind. Not just cyber security, but also security from tampering, lightning, high-energy electromagnetic interference, and more.

Intrinsic Security begins with Strong Cryptography, then adds Secure Components, Component Anti Tamper, Secure Firmware, Secure Communications, and Module Anti Tamper.

The metal construction showcases the secure design, as does the design of the I/O modules and their communication with the controller (no insecure backplane).

Public Key Infrastructure

Rooyakkers always gives me the deep dive into Public Key Infrastructure which leads to Hardware Root of Trust—the essential element of security in the product.

Use of asymmetric cryptography for authentication and key exchange is the basis of secure e-commerce. In the internet context, there is a critical additional piece: a root of trust at the center of an exchange. This is called a Certificate Authority. Key pairs, certificates, a root of trust and interoperable algorithms together form a Public Key Infrastructure (PKI), which includes the infrastructure and policies to manage and maintain the trust. Some of the building blocks include:

• Signatures
• Transport Layer Security
• X.509 Certificates
• Certificate Chain of Trust
• Root Certificate Authority

Until now PKI has not been implemented in industrial control systems. Bedrock Automation embeds the Hardware Root of Trust in the control system. It is designed from the ground up with security in mind.
Bedrock Automation has always gone to market with systems integrators—a strategy that fits with Inductive Automation. In many remote control and SCADA systems, the two form a perfect pair.
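The building blocks listed above (key pairs, signatures, X.509 certificates, a certificate chain and a root CA) fit together as follows in an added Go example that is not Bedrock's code: a root CA issues a certificate to an I/O module, the module signs a firmware image, and verification succeeds only when the certificate chains back to the trusted root and the signature matches the image. The names, ECDSA P-256 keys and lifetimes are assumed, and error returns are dropped for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildPKI creates a self-signed root CA and an I/O module certificate issued
// by it. Names, key type and lifetimes are constructed for this example, and
// error returns are dropped for brevity.
func BuildPKI() (root, module *x509.Certificate, moduleKey *ecdsa.PrivateKey) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	moduleKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	// The root signs itself: template and parent are the same certificate.
	der, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ = x509.ParseCertificate(der)
	modTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "io-module-0001"},
		NotBefore: now, NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	// The module certificate is signed with the root's private key: that
	// signature is the link in the chain of trust.
	der, _ = x509.CreateCertificate(rand.Reader, modTmpl, root, &moduleKey.PublicKey, rootKey)
	module, _ = x509.ParseCertificate(der)
	return root, module, moduleKey
}

// SignFirmware signs the SHA-256 digest of an image with the module's key.
func SignFirmware(key *ecdsa.PrivateKey, image []byte) []byte {
	sum := sha256.Sum256(image)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, sum[:])
	return sig
}

// VerifyFirmware accepts the image only if the module certificate chains to
// the trusted root AND the signature matches the image digest.
func VerifyFirmware(root, module *x509.Certificate, image, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := module.Verify(opts); err != nil {
		return false // issuer outside the root of trust, expired, or malformed
	}
	sum := sha256.Sum256(image)
	return ecdsa.VerifyASN1(module.PublicKey.(*ecdsa.PublicKey), sum[:], sig)
}
```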

Industrial Security Becomes an Active Topic This Summer

Industrial Security. Especially the cyber kind. My inbox attracts several messages each day.

Last July I began to think that people were ignoring me. Few press releases, announcements, interviews. It was a quiet time.

I really don't have any list of product announcements or new companies. But I thought that I'd pass along a reminder to pay attention to your cyber security risks, policies, mitigations, and countermeasures.

Most of the announcements have come in the guise of “our CEO can address the new threats on industrial control systems”.

Remember when there were 3-4 places to go for industrial cyber security help?

Not so. These days there are many. The interesting ones to watch are several from Israel founded by former Israeli army intelligence officers.

There is a product and/or strategy to fit every conceivable type of threat. Part of your risk analysis needs to be a thorough evaluation of all the new ideas and companies.

Unfortunately, the number one risk continues to be people. Your people. Usually it’s carelessness. For example last winter I was in a conversation with two security product marketing managers for a large company. Each had just been slapped on the wrist (or something) for clicking on a link in a bogus email. It is just so easy.

Clicking links, opening files, not being careful with Flash, inserting USB drives, letting a contractor take a laptop home…

Most companies have policies on terminated employees–whether through downsizing or due to cause. You need to treat people with respect. Even someone terminated for cause doesn’t need a quite public “perp walk.”

However, you do need to make sure there is no network access after termination. IT must move in and change passwords immediately. Check out remote network access they might have.

I am no expert, but I have experience with employees and common sense. Be careful, take your time, think it through.

Protect those assets.

PAS Announces Investment to Fuel Its Industrial Control System Cybersecurity Business

Keep watching the cybersecurity space for more action. Already this week, I wrote about two different approaches to industrial cybersecurity. Here is the story of an investment that lets an established company pivot and go deeper into this market segment.

PAS has been known for improving alarm management and control system asset integrity. It has moved aggressively into the cybersecurity area by leveraging existing technology and hiring talent. It has announced a $40 million growth investment by Tinicum, L.P. and certain affiliated funds managed by Tinicum Incorporated (“Tinicum”). Tinicum is a private investment partnership focused on late stage investments in manufacturing, energy, technology, media, and infrastructure.

This funding round will expand PAS sales and marketing across its global offices as well as increase research and development for Cyber Integrity, its flagship cybersecurity software product. Cyber Integrity protects critical infrastructure from risks associated with rising industrial internet of things (IoT) adoption, malicious cyber attacks, and insider threats.

“Critical infrastructure is vulnerable to outsider cyber attacks and to malicious or unintended insider actions,” says Trip Zedlitz, partner at Tinicum. “The cyber assets that matter most—the ones primarily responsible for safety and production in power generation plants, chemical facilities, and refineries—are some of the most insecure systems in the industry today. We invested in PAS because they secure this class of endpoints in a way that no other ICS cybersecurity software solution in the market can do, and they help companies comply with a growing regulatory and standards landscape that includes NERC CIP, NIST, and IEC 62443. With a strong management team and the rising global demand for critical infrastructure cybersecurity, we are excited about our investment in PAS.”

Industrial control systems have a responsibility for running critical infrastructure safely and reliably. These systems have traditionally relied on complexity, air gapping, and perimeter-based defenses to remain secure. Such strategies have proven largely unreliable and porous. PAS Cyber Integrity deciphers the complex, proprietary configurations of control systems giving companies complete visibility into critical cyber assets. It also identifies unauthorized changes, exposes vulnerabilities, drives compliance, and helps facilities recover rapidly in the event of a worst-case scenario. Cyber Integrity works across the heterogeneous automation environment, providing enterprise scalability, performance, and platform independence.

“PAS has a 23-year tradition of making industrial process facilities safer and more reliable,” says Eddie Habibi, founder and CEO at PAS. “Our deep expertise in control systems and production-centric approach to securing ICS give us a formidable competitive advantage. The investment from Tinicum enables us to expand our security solutions portfolio, strategically increase our global reach, and continue protecting our customers from an ever-evolving threat landscape.”

Signal Hill served as the exclusive financial advisor to PAS on the transaction. In conjunction with the investment, Plant Automation Services, Inc. (“PAS”) has reorganized under the new name PAS Global, LLC.

Industrial Cyber Security Becomes Increasingly Important

Cyber Security is always the “elephant in the room” at Industrial Internet of Things (IIoT) and Industrial Control Systems (ICS) conferences.

The latest edition of the ARC Industry Forum in Orlando featured many cyber security firms. Most were monitoring network traffic for anomalies. Some look at other aspects of the system. More firms are pivoting from other emphases into cyber security.

Here are two news items attacking cyber security from totally different angles: one from the enterprise side, the other from the lowest-level user.

Manage Cyber Security Risks

Deloitte, the enterprise consulting company, announced plans to expand its cyber risk platform for end-to-end industrial control systems (ICS) and operational technologies (OT) security with next generation technology enabled by Dragos, a cybersecurity company focusing on securing ICS and OT networks.

The tactic Deloitte is taking is to monitor emerging cyber threats. Deloitte Risk and Financial Advisory Cyber Risk Services’ end-to-end ICS offering, enabled by Dragos technology, uses a combination of innovative cyber security products and services. This combination brings hunting and reconnaissance capabilities that now allow organizations to look beyond internal data to threat documentation found in external databases. Beyond securing ICS and OT systems, this combination of cyber risk services and technologies can provide a more complete picture of an organization’s ICS and OT threat landscape through active monitoring that can better inform scenario planning and response.

“Assessing the cyber risks of our clients’ ICS and OT, we see that many organizations are often unprepared for the magnitude of the impact to operational technology and industrial control systems environments,” said Ed Powers, principal, Deloitte & Touche LLP, and U.S. leader for Deloitte Risk and Financial Advisory Cyber Risk Services. “A decision to include OT and ICS as a part of a broader cyber risk management program can improve a company’s understanding of the potential damage resulting from a cyberattack and can bolster the efficacy of its cyber risk mitigation strategy.”

The Dragos Platform, Threat Operations Center, and intelligence team form an ecosystem of technology, people, and intelligence to safeguard industrial networks. The Dragos Platform is designed for industrial networks and provides visibility into the environment, detection of threats through behavioral analytics, and the automation of workflows including incident response data collection and analysis.

“There have been pockets of excellence around the community in industrial security leading practices. But the world is facing a more connected infrastructure and a more aggressive threat than we’ve seen in years past,” said Robert M. Lee, chief executive officer, Dragos. “Now is an important time to get the solution correct and that’s what the Dragos and Deloitte cooperation represents.” 

Protecting From USB Device Hacks

We all know about Stuxnet and how it was spread using malware in USB sticks. Well, here is an interesting tactic and new product from Honeywell.

Honeywell Process Solutions (HPS) announced Secure Media Exchange (SMX) to protect facilities against current and emerging USB-borne threats, without the need for complex procedures or restrictions that impact operations or industrial personnel.

Malware spread through USB devices – used by employees and contractors to patch, update and exchange data with onsite control and computer systems – is a key risk for industrial control systems. It was the second leading threat to these systems in 2016, according to BSI publications, and uncontrolled USBs have taken power plants offline, downed turbine control workstations, and caused raw sewage floods, among other industrial accidents.

“Industrial operators often have hundreds or thousands of employees and dozens of contractors on site every day,” said Eric Knapp, Cyber Security chief engineer, HPS. “Many, if not most, of those rely on USB-removable media to get their jobs done. Plants need solutions that let people work efficiently, but also don’t compromise cyber security and, with it, industrial safety.”

Currently, many plants either ban USBs, which is difficult to enforce and significantly reduces productivity, or rely on traditional IT malware scanning solutions, which are difficult to maintain in an industrial control facility and provide limited protection. These solutions fail to protect process control networks against the latest threats, and offer no means to address targeted or zero-day attacks.

“SMX is a great example of Honeywell’s major investments in new industrial cyber security technologies, products, services, and research which further strengthen our ability to secure and protect industrial assets, operations and people,” said Jeff Zindel, vice president and general manager, Honeywell Industrial Cyber Security. “With the continued increase in cyber threats around the world, Honeywell’s industrial cyber security expertise and innovation are needed more than ever for smart industry, IIoT and critical infrastructure protection.”

Honeywell’s SMX was developed by the company’s cyber security experts based on field experience across global industrial sites and feedback from Honeywell User Group customers. Honeywell has one of the largest industrial cyber security research capabilities in the process industry, including an advanced cyber security lab near Atlanta. Honeywell also partners with cyber security leaders, including Microsoft, Intel Security and Palo Alto Networks, among others, to develop new, highly-effective industrial threat detection techniques.

Contractors “check in” their USB drive by plugging it into an SMX Intelligence Gateway. The ruggedized industrial device analyzes files using a variety of techniques included with Honeywell’s Advanced Threat Intelligence Exchange (ATIX), a secure, hybrid-cloud threat analysis service.

SMX Client Software installed on plant Windows devices provides another layer of protection, controlling which USB devices are allowed to connect, preventing unverified USB removable media drives from being mounted, and stopping unverified files from being accessed. SMX also logs USB device connectivity and file access, providing a valuable audit capability.

“For most plants, the proliferation of removable media and USB devices is unavoidable, but the security risks they bring don’t have to be,” said Knapp. “We know our customers have limited resources to maintain another system, so Honeywell manages SMX for them. SMX never connects to our customers’ process control networks. From a system administration perspective, it’s like it’s not even there.”

Managed and maintained directly by Honeywell, SMX provides the easy and secure solution to USB security in industrial plants. It helps prevent the spread of malware through removable media; stops unverified files being read by Windows hosts; and, through the private ATIX connection, provides continually updated threat information and advanced analytics to help detect advanced, targeted, and zero-day malware.
