Internet of Things installations along with industrial control systems constitute well-known cybersecurity vulnerabilities within industrial plants and operations. CyberX, the IoT and industrial control system (ICS) security company, announced the availability of its “2020 Global IoT/ICS Risk Report” designed to sharpen awareness and knowledge of this critical area.
The data illustrates that IoT/ICS networks and unmanaged devices are soft targets for adversaries, increasing the risk of costly downtime, catastrophic safety and environmental incidents, and theft of sensitive intellectual property.
Some of the top findings noted that these networks have outdated operating systems (71 percent of sites), use unencrypted passwords (64 percent) and lack automatic antivirus updates (66 percent).
Energy utilities and oil and gas firms, which are generally subject to stricter regulations, fared better than other sectors such as manufacturing, chemicals, pharmaceuticals, mining, transportation and building management systems (CCTV, HVAC, etc.).
Now in its third year, CyberX’s “Global IoT/ICS Risk Report” is based on analyzing real-world traffic from more than 1,800 production IoT/ICS networks across a range of sectors worldwide, making it a more accurate snapshot of the current state of IoT/ICS security than survey-based studies.
Including the data presented in previous reports, CyberX has now analyzed over 3,000 IoT/ICS networks worldwide using its patented M2M-aware behavioral analytics and non-invasive agentless monitoring technology.
Recommendations Focus on Prioritization and Compensating Controls
The report concludes with a practical seven-step process for mitigating IoT/ICS cyber risk based on recommendations developed by NIST and Idaho National Labs (INL), a global authority on critical infrastructure and ICS security.
Experts agree that organizations can’t fully prevent determined attackers from compromising their networks. As a result, they recommend prioritizing vulnerability remediation for “crown jewel” assets — critical assets whose compromise would cause a major revenue or safety impact — while implementing compensating controls such as continuous monitoring and behavioral anomaly detection (BAD) to quickly spot intruders before they can cause real damage to operations.
“Our goal is to bring board-level awareness of the risk posed by easily-exploited vulnerabilities in IoT/ICS networks and unmanaged devices — along with practical recommendations about how to reduce it,” said Omer Schneider, CyberX CEO and co-founder.
“Today’s adversaries — ranging from nation-states to cybercriminals and hacktivists — are highly motivated and capable of compromising our most critical operational systems,” said Nir Giller, CyberX GM, CTO and co-founder. “It’s now incumbent on boards and management teams to recognize the risk and ensure appropriate security and governance processes are in place across all their facilities to address it.”
Summary of Key Findings
- Broken Windows: Outdated Operating Systems. 62 percent of sites have unsupported Microsoft Windows boxes such as Windows XP and Windows 2000 that no longer receive regular security patches from Microsoft, making them especially vulnerable to ransomware and destructive malware. The figure rises to 71 percent with Windows 7 included, which reaches end-of-support status in January 2020.
- Hiding in Plain Sight: Unencrypted Passwords. 64 percent of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise additional systems simply by sniffing the network traffic.
- Excessive Access: Remotely Accessible Devices. 54 percent of sites have devices that can be remotely accessed using standard management protocols such as RDP, SSH and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets. For example, during the TRITON attack on the safety systems in a petrochemical facility, the adversary leveraged RDP to pivot from the IT network to the OT network in order to deploy its targeted zero-day malware.
- Clear and Present Danger: Indicators of Threats. 22 percent of sites exhibited indicators of threats, including suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, excessive number of connections between devices and malware such as LockerGoga and EternalBlue.
- Not Minding the Gap: Direct Internet Connections. 27 percent of sites analyzed have a direct connection to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.
- Stale Signatures: No Automatic Antivirus Updates. 66 percent of sites are not automatically updating Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware — and the lack of antivirus is one reason why CyberX routinely finds older malware such as WannaCry and Conficker in IoT/ICS networks.
Last week I wrote about the cyber attack on a safety integrated system probably in Saudi Arabia. There has been another attack. When media relations people saw that I had written about cyber security, I started receiving more releases.
Here is some additional commentary by Eddie Habibi, CEO and founder of PAS Global. That company has moved strongly beyond alarm management, investing heavily in building a cyber security practice.
“Since 2010, attackers have been intent on learning how process control networks in critical infrastructure plants work, what systems are in place, where vulnerabilities exist, and how best to manipulate these systems to affect plant safety and performance. Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems that in many cases produce electricity for our businesses, gasoline for our cars, or clean water for our homes.
The TRITON (a.k.a. TRISIS) malware attack underscores the capabilities that attackers have acquired and the fact that traditional security controls – namely air gapping and security by obscurity – are no longer sufficiently effective. As TRITON targets an integral part of the independent protection layers that keep plants safe, this should raise red flags with every critical infrastructure company in the world.
One of the first steps companies must take is to get better visibility into the cyber assets in their plants. Eighty percent of the assets in a plant are outside of traditional IT cybersecurity programs. This is clearly unacceptable given the threat landscape we face today. Once companies gain visibility, they can begin to implement fundamental security controls such as monitoring for unauthorized change or discovering hidden vulnerabilities. Otherwise, malware such as TRITON will continue to find fertile ground for causing production disruptions and even environmental or physical harm.”
Cyber security challenges for practitioners
Part of my daily contact with PAS Global’s PR person included this tidbit from Habibi.
With these seismic attacks looming over manufacturing plants/facilities and other critical infrastructure, PAS Global has identified the top 8 critical challenges ICS directors are facing:
- Lack of overall visibility of ICS vulnerabilities
- Vulnerability exploits are underreported
- False sense of security in many ICS environments
- More disclosures than capacity to investigate
- Limited visibility into ICS vulnerabilities and risks
- Vulnerability investigation is manual and research-intensive
- Limited visibility into vulnerability remediation effectiveness
- Manual, inconsistent patch management
And this from Emily S. Miller, Director of National Security and Critical Infrastructure Programs at Mocana:
“ICS-CERT’s analysis of the HatMan malware revealed some interesting and novel tidbits. Not only did the actor develop a ‘more traditional PC-based component that interacts with the safety PLC,’ but the malware also contained components specifically designed to compromise the safety device itself, which allowed changes to the device firmware. The fact that this actor has the capability to access the safety instrumentation device, and potentially make changes to the device firmware unnoticed, should make critical infrastructure owner-operators sit up and take heed. Yes, in this case the malware tripped the safety systems and was noticed, but who’s to say the actor won’t learn from its mistakes or hasn’t already? Current recommended mitigations promote defense-in-depth strategies. While these are absolutely pieces of the puzzle, things like network monitoring and segmentation alone are clearly not sufficient when the bad actors keep getting in and doing bad things to both the devices and the data contained therein. We have to do better about both defending the network AND protecting the devices themselves.”
Yet more cyber attacks in the news
Further communications from the agency for PAS Global. I appreciate the humor. “I didn’t want you to go a day without hearing from me. What a concerning week we are having for critical infrastructure!”
The warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.
“We’ve seen a seven-fold increase in the number of cyberattacks on industrial control systems (ICS) since 2010. What makes this increase particularly alarming is the enhanced level of sophistication of the attacks and the success they have shown in achieving their goals.
The fact that infected USBs are behind the Copperfield attack underscores the lack of adequate, foundational security within industrial facilities. Critical infrastructure security is clearly not trending in the right direction.
The simple fact is that 80% of cyber assets in a facility are highly proprietary, do not work with IT security controls, and are largely invisible to security personnel. If we cannot see these assets, how can we hope to secure them? If we cannot secure them, then we are staring at a tumultuous 2018 because the bad guys are savvy to the insecurity of these systems.”
Meanwhile, here is another defense
Most experts I talk with discuss the need for a defense-in-depth strategy. Occasionally entrepreneurs in the field wax enthusiastically about their particular solution. Albert Rooyakkers is one of those intense entrepreneurs who has designed an industrial control product with cyber security at the heart of the design.
Here is the latest news from Bedrock Automation.
It has announced Bedrock Open Secure Automation (OSA) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time to detect intrusions and anomalous behavior.
“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:
- Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
- Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
- System Time Monitoring, which detects attempts to manipulate log files to conceal malicious activity
- Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
- Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.
Anomalous behavior detected at the controller level signifies a high likelihood of a cyber security event. Embedding detection into the controller provides advanced cyber defense while reducing complexity and lifecycle cost. Bedrock AD will be standard on all Bedrock systems and is available as a free firmware upgrade to installed systems as part of Cybershield 3.0 in March 2018.
SCADA devices and networks remain a prime target for cyber attacks. Everything I’ve written has approached cybersecurity from a different angle. This is the first solution that has come my way that uses a deception approach.
Attivo Networks announced Dec. 7, 2015 a release of its deception-based Attivo BOTsink solution that provides continuous threat detection on Industrial Control Systems (ICS) SCADA devices used to monitor and control most manufacturing operations as well as critical infrastructure such as natural gas, oil, water, and electric power distribution and transmission systems around the world. Cyberattacks on these targets can and have resulted in disruption of critical local, regional, and national government and commercial infrastructures. As a result, when they are breached, the impact on societies they serve stands to be catastrophic.
According to a study by the Pew Internet and American Life Project, 60 percent of the technology experts interviewed believe that a major cyberattack will happen. The damages to property and ensuing theft will amount to tens of billions of dollars, and the loss of life will be significant.
Scalable SCADA protection
“We are proud to be the first in the industry to provide customers a globally scalable, deception-based threat detection solution for SCADA protection,” emphasizes Tushar Kothari, CEO of Attivo Networks. “Many of our customers from the energy industry have requested the extension of our Attivo Deception Platform into their production and manufacturing control networks so they can get real-time visibility and the ability to promptly identify and remediate infected devices. As one stated, ‘a breach on those networks can be catastrophic and Attivo wants to do everything we can to prevent a disaster or risk to lives.”
SCADA systems had originally been designed to monitor critical production processes without consideration to security consequences. Security had been generally handled by keeping the devices off the network and the Internet using “air gaps” where malware could only be transmitted by the thumb drives used by technicians. However, today vulnerable SCADA systems are increasingly being connected to the corporate IT infrastructure and Internet, making them easily accessible to a remote attacker.
Examples of this would be the Sandworm malware that attacked Telecommunications and Energy sectors, Havex malware that infected a SCADA system manufacturer, and BlackEnergy malware that attacks ICS products manufactured by GE, Siemens, and Advantech. These attacks primarily targeted the operational capabilities of these facilities. With the increased maliciousness and sophistication of malware, concerns are now escalating to fears of an irreversible disaster.
“Industrial systems have increasingly come under scrutiny from both attackers and defenders,” said Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC). “Situational awareness is the focus of the ICS-ISAC and its membership, including the ability for asset owners to detect and respond to incidents on their systems.”
These devices generally have long lifecycles, creating an exposed environment driven by equipment that is less hardened and patched infrequently. Additionally, because of their critical functions, SCADA devices cannot be taken offline frequently or for any length of time. This, along with costs that can run into the millions for every hour the network is offline, has made patching very difficult, often as infrequent as once a year, leaving many industrial facilities open to attacks. These risks are quite large considering these devices are found everywhere in electrical facilities, food processing, manufacturing, on-board ships, transportation and more.
“Companies operating in critical infrastructures like energy, utilities, nuclear, oil and gas know that they are not only vulnerable to the same security issues faced by most enterprises, they have the added enticement as a rich target for cyber terrorism,” stated Tony Dao, Director Information Technology, Aspect Engineering Group. “They recognize that securing their industrial control processes is not only critical to them, but to the institutions they serve. A loss would not only have repercussions throughout their economic sector but throughout the entire economy.”
The vulnerabilities begin with the use of default passwords, hard-coded encryption keys, and a lack of firmware updates, which pave the way for attackers to gain access and take control of industrial devices. Traditional perimeter-based solutions are designed to detect attacks on these devices by looking for suspicious attack behavior based on known signature patterns. SCADA supervisory systems are computers running normal Windows operating systems and are susceptible to zero day attacks, in which there are no known signatures or software patches. Several vulnerabilities also exist in the standard and proprietary protocols within Logic Controllers. Popular protocols include MODBUS (supervision and control), DNP3 (Energy and Water), BACNET (Building Automation), and IPMI (Baseboard Management Control).
Attivo Networks takes a different approach to detecting cyber attacks on ICS/SCADA devices. Instead of relying on signatures or known attack patterns, Attivo uses deception technology to lure the attackers to a BOTsink engagement device. Customers have the flexibility to install their own Open Platform Communications (OPC) software while running popular protocols and PLC devices on the BOTsink solution, making it indistinguishable from production SCADA devices. This provides real-time detection of BOTs and advanced persistent threats (APTs) that are conducting reconnaissance to mount their attacks on critical facility and energy networks. Additionally, BOTsink forensics capture information including new device connections, issued commands and connection termination, enabling administrators to study the attacker’s tools, techniques, and information on infected devices that need remediation.
The Attivo SCADA solution is provided through a custom software image that runs on its BOTsink appliance or virtual machine. SCADA BOTsink deployment and management are provided through the Attivo Central Manager, which provides global central device management and threat intelligence dashboards and reporting.
“To a significant degree, the growing security problems impacting industrial control systems have originated from the fact that ICSs are increasingly less and less isolated from outside networks and systems, and ICSs are now more susceptible and vulnerable to attacks,” comments Ruggero Contu, Research Director at Gartner in his Market Trends: Industrial Control System Security, 2015 report. “At the heart of this change is the demand to integrate enterprise IT systems to operational technology, and for remote connectivity.”
Check out this white paper: Dynamic Deception for Industrial Automation and Control Systems
Industrial Control Systems (ICS) Cybersecurity risks have become so public that CEOs and Board members are sponsoring projects within their companies and raising visibility of the issue.
PAS Inc. CEO Eddie Habibi and General Manager of Cybersecurity and CMO David Zahn shared that news with me during a conversation this week regarding the release of a new version of PAS Cyber Integrity (5.0).
They further pointed out that this high-level visibility serves to push the long-promised IT/OT integration and cooperation into more meaningful relationships.
A final point concerned approaches to ICS cybersecurity. Most companies and consultants focus on the networking access side of the equation. PAS also looks at such automation assets as patch management, inventory management, and workflow.
The latest release of Cyber Integrity boasts enhanced support for workflows and security policies, automating a closed-loop patch management process, and provides enhanced dashboard capabilities. Says the company’s press release, “Cyber Integrity helps companies better mitigate operational risk from malicious attacks or inadvertent control system changes through automated inventory management, patch management, change management, and backup and recovery.”
“Patch management for today’s control systems lacks critical capabilities required to help industrial organizations meet cybersecurity best practices and regulatory standards,” says Peter Reynolds, Senior Analyst at ARC Advisory Group. “Among other issues, plants often have poor visibility into which assets require patching; lack integrated processes that drive testing, implementation, or mitigation; and cannot easily access auditable evidence of a patch management process. ARC supports the development of solutions such as PAS Cyber Integrity that are designed to address these types of patch management issues in mission-critical industrial environments.”
Cyber Integrity works across the heterogeneous control environment found in plants, providing enterprise scalability and performance. It enables industrial companies to:
- Gather and maintain an accurate inventory of IT and OT cyber assets,
- Automate patch processes throughout the enterprise,
- Monitor for unauthorized change to cyber asset configurations, and
- Implement a program for system backup and recovery.
The latest release also includes an entirely new dashboard that makes it easier for end users to process actionable information, as well as for management to quickly understand the state of ICS cybersecurity.
“The great contradiction within ICS cybersecurity is that the assets most valuable to plant operations and safety are often the most vulnerable,” says David Zahn, Chief Marketing Officer and General Manager of the Cybersecurity Business Unit at PAS. “Inventory management and change management are essential components of a cybersecurity strategy that address this contradiction. By offering patch management within Cyber Integrity, we now provide cybersecurity and operations professionals the ability to identify, address, and audit a process that had traditionally fallen short. Along with our new dashboard, workflow, and policy capabilities, companies have everything they need to harden ICS cybersecurity and streamline compliance efforts.”
Further information can be found on the PAS blog:
“Is Your House In Order?”
“The Risk of Not Knowing”
“What Happens When You Get That Call?”
Industrial Control Systems cybersecurity discussions often spill over from trade press to mainstream media. An incident in a large plant leads to economic and human consequences drawing interest from the big media companies.
A company called NexDefense formed an ICS Cybersecurity Fellows Program. Together with NexDefense, the Fellows will help educate and raise awareness of contemporary cybersecurity issues facing industry’s critical control systems that tirelessly operate in critical infrastructure facilities around the world.
In addition, Eric Byres, co-founder and former chief technology officer of Tofino Security (acquired by Belden Inc. in 2011) and leading expert in the field of process control and SCADA system cybersecurity, joins NexDefense as a strategic technology advisor and Senior Fellow to help further develop the company’s technology offerings and raise the attention level of cyber risks affecting industry.
“The NexDefense Industrial Cybersecurity Fellows Program assembles highly recognizable and well respected industrial security practitioners, consultants and advisors and allows each to speak as part of a larger cohesive unit,” said Doug Wylie, CISSP, vice president product marketing and strategy at NexDefense. “We are privileged to bring together some of the great cybersecurity minds of industry, each of whom share a common objective with NexDefense to expand business and community visibility and recognition of important security trends, emerging risks and techniques that can help to counteract threats to the safety and operational integrity of many industrial control systems.”
Members of the NexDefense Fellows Program will independently share their professional perspectives on security topics relevant to the ICS industry, including how security risks to industrial control systems can be reduced or avoided altogether through whitepapers, articles, blogs, social media and speaking engagements sponsored by NexDefense.
Joining the Fellows program are four highly reputable industrial cybersecurity authorities, each of whom continues to have a positive and meaningful effect on industry and provides control system owners and operators and the public at large with expert perspectives on cybersecurity for automation and control systems:
Eric Byres, SCADA and ICS Security Product Visionary, President Byres Security Consulting, ISA Fellow, Co-Founder and former CTO of Tofino Security—“Every digital system on which we depend has become an integral part of our connected world. This is especially true for the many industrial control systems (ICS) that produce power, move clean water and manufacture goods. The NexDefense Fellows Program will serve as a useful outlet to discuss the positive and negative consequences of today’s hyper-connectivity to these critical systems.” Eric added, “In my role as NexDefense Strategic Technical Advisor and Senior Fellow, I look forward to working closely with the team to address industry-wide security challenges with innovative solutions that can have a valuable effect on reliability, safety and productivity of control systems.”
Michael Chipley, PhD., President, The PMC Group, consultant and respected contributor to NIST cybersecurity guidelines and best practices including the Cybersecurity Framework and SP 800-82 R2—“Connected devices are at the core of building automation subsystems that provide services such as fire and physical security protection, heating and ventilation and automated lighting control, all of which are actively converging with business enterprise and industrial control systems. Cybersecurity as it relates to systems-of-systems is a topic that increasingly affects everyone and commands greater visibility with the public.”
Eric Cornelius, Director of Critical Infrastructure and Industrial Control Systems (ICS), Cylance, previously Deputy Director, Control Systems Security Program, US Department of Homeland Security (DHS)—“Electronic Perimeters alone cannot adequately protect control systems from attackers intent on stealing data, damaging equipment, or compromising the process itself. The NexDefense Fellows program will help open up discussions on security issues to more people from industry, raising awareness of what can be done to better protect people and processes from harm.”
Bryan Singer, Principal Investigator, Kenexis Consulting Corporation, and former Chairman ISA99—“The most successful industrial automation risk management programs are built on a foundation that recognizes safety and security are inextricably linked. While only a few companies have truly embraced this philosophy to date, others are still struggling with where to start. NexDefense’s Cybersecurity Fellows program will be a valuable opportunity to share and discuss risk management concepts like this with a broader audience.”
Each NexDefense Fellow will deliver their messages through a variety of mediums, with the intention to reach the public and private sectors and raise security awareness about the importance of expanded investment in the design, operation and maintenance of critical control systems around the world.