This week, the largest electric utility trade show and conference in the U.S., DistribuTECH, is being held. One of the tracks in the conference portion of the event is “Defending the Grid.” The prominence of the topic at this show, along with recent high-profile hacking attacks (Sony, Target) that have caught the attention of top management in all industries, add up to one thing – it’s time to look at or review the state of cyber defenses at your substations.
It’s not a surprise that critical infrastructure, such as the electrical grid, has been an increasing target for sophisticated cyberattacks. What may be news to you, however, is the fact that the legacy devices and protocols used in substations are particularly vulnerable to both intentional and accidental cyber incidents.
What then is the right approach to take to secure substations? It starts with the best practice of Defense in Depth.
Electrical substations are vulnerable to both intentional and accidental cyber incidents.
Over the holidays, you likely read or heard about a number of “Top 10” lists. Examples include Top 10 News Stories, Top 10 Books, Top 10 Movies, and Top 10 You-Name-It.
Thinking you would not want to miss out on the top topics about one of your favorite subjects, industrial security, I took a look at what the top articles were for this blog in 2014. I also looked at which cyber security white papers and other documents were downloaded most frequently.
The results show that there were three top themes:
1. The End of Support (EOS) for Windows XP
2. The Dragonfly advanced malware campaign
3. “Cyber Security Big Picture”
The “Cyber Security Big Picture” topic included information on the NIST cyber security framework and cyber security concepts for CEOs.
Finally, particular application areas showed a high area of interest. This included Defense in Depth strategies for oil and gas applications and industrial wireless applications.
If any of these topics are of interest to you, or you want to make sure you didn’t miss any useful content, read on.
Reader visits and content downloads helped us determine the top cyber security topics of 2014.
The malware campaign known as Dragonfly has surprised those of us concerned with industrial cyber security on several fronts. Initially, it was notable as the first malware since Stuxnet in 2010 to specifically target Industrial Control Systems (ICS) components.
Then, research done by Joel Langill of RedHat Cyber showed that its target was most likely the pharmaceutical industry, rather than the energy industry as initially reported. This represented the first time that a sophisticated attack vector had gone after the discrete manufacturing sector.
Next, although Dragonfly collected information on industrial control systems, it did not harm these systems. Instead, it gathered information for the likely purposes of counterfeiting or competitive intelligence. (It would, nonetheless, be easy for its creators to modify its modules for destructive purposes in the future.)
Dragonfly was also remarkable because of the devious methods and pathways it took to get to the control system. Joel coined the apt term “Offense in Depth” to describe the diversified arsenal of attack vectors it employed.
Today, we are releasing the final two parts of our white paper on Dragonfly. These are Part C – Assessing the Consequences and Part D – Defending Industrial Control Systems. These analyses reveal another concerning aspect of Dragonfly, in particular how “usual” security solutions would not have defended against it. Thankfully though, there are techniques and products available to defend against it.
The Dragonfly malware campaign used devious Offense in Depth techniques to access control systems. While “usual” security solutions would not have defended against it, there are techniques and products that would have been effective.
My previous article covered part of Scott Howard’s presentation on ICS Security for Oil and Gas applications from this year’s Design Seminar. In that article, we reviewed some of the cyber security fundamentals discussed by Scott.
For example, we examined the fact that most cyber threats are unintentional and originate from within the control network. We also looked at the fact that a perimeter defense is not sufficient and that IT solutions are not appropriate on the plant floor.
Instead, what’s needed is Defense in Depth: multiple layers of defense that work together to prevent network incidents, or to contain them if they do occur. A key best practice for Defense in Depth is to implement the zones and conduits model defined in the ISA/IEC 62443 standard. A zone groups assets that share the same security requirements; a conduit is the controlled communication path between zones, and it is where the security controls are enforced. While not a regulation, this standard provides practical guidance that leads to more robust cyber security.
Today, we will take a closer look at zones and conduits and then review how they were implemented in three oil and gas applications.
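To make the zones and conduits model concrete, here is an added example (not code from the original article or from Belden/Tofino) of a deny-by-default conduit policy check. The zone names, address ranges, conduits and Modbus function-code restrictions are assumptions chosen for illustration; only the Modbus function-code numbers come from the Modbus specification.

```python
"""Zone-and-conduit policy check in the spirit of ISA/IEC 62443.
Added example: the zones, address ranges, conduits and function-code
restrictions below are assumptions made for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    networks: Tuple[str, ...]          # CIDR blocks that make up the zone


@dataclass(frozen=True)
class Conduit:
    src: str                           # zone that initiates the session
    dst: str                           # zone that receives it
    proto: str                         # application protocol carried
    port: int
    # Deep packet inspection rule: Modbus function codes the conduit may carry.
    # None means the conduit is filtered on protocol/port only.
    functions: Optional[FrozenSet[int]] = None


class Policy:
    def __init__(self, zones: List[Zone], conduits: List[Conduit]):
        self.zones = zones
        self.conduits = conduits

    def zone_of(self, ip: str) -> Optional[str]:
        addr = ip_address(ip)
        for zone in self.zones:
            if any(addr in ip_network(net) for net in zone.networks):
                return zone.name
        return None

    def evaluate(self, src_ip: str, dst_ip: str, proto: str, port: int,
                 function: Optional[int] = None) -> Tuple[str, str]:
        """Return ('allow' | 'deny', reason). Anything not explicitly conduited is denied."""
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            return "deny", "host not assigned to any zone"
        if src == dst:
            # Simplification: traffic inside a zone is governed by the zone's
            # own security level, not by a conduit.
            return "allow", f"traffic stays inside zone {src}"
        for c in self.conduits:
            if (c.src, c.dst, c.proto, c.port) != (src, dst, proto, port):
                continue
            if c.functions is not None and function not in c.functions:
                return "deny", f"{proto} function {function} not permitted on conduit {src}->{dst}"
            return "allow", f"conduit {src}->{dst} {proto}/{port}"
        return "deny", f"no conduit from {src} to {dst} for {proto}/{port}"


# Modbus function codes: 1-4 are reads, 5/6/15/16 write coils or registers.
MODBUS_READ = frozenset({1, 2, 3, 4})
MODBUS_WRITE = frozenset({5, 6, 15, 16})

# Assumed plant layout: four zones, three conduits, no path from enterprise to control.
POLICY = Policy(
    zones=[
        Zone("enterprise", ("192.168.0.0/16",)),
        Zone("supervisory", ("10.1.0.0/24",)),    # HMIs, historian
        Zone("engineering", ("10.3.0.0/24",)),    # engineering workstations
        Zone("control", ("10.2.0.0/24",)),        # PLCs / RTUs
    ],
    conduits=[
        Conduit("supervisory", "control", "modbus", 502, MODBUS_READ),
        Conduit("engineering", "control", "modbus", 502, MODBUS_READ | MODBUS_WRITE),
        Conduit("supervisory", "enterprise", "opc-ua", 4840),   # historian feeds upward
    ],
)

if __name__ == "__main__":
    for flow in [("10.1.0.10", "10.2.0.5", "modbus", 502, 3),      # HMI read
                 ("10.1.0.10", "10.2.0.5", "modbus", 502, 16),     # HMI write: blocked by DPI
                 ("10.3.0.7", "10.2.0.5", "modbus", 502, 16),      # engineering write
                 ("192.168.5.5", "10.2.0.5", "modbus", 502, 3)]:   # enterprise: no conduit
        print(flow, "->", POLICY.evaluate(*flow))
```

The point of the function-code check is that a plain port-502 firewall rule would pass the HMI's write request; only an inspecting conduit can distinguish a read from a write on the same TCP port.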
The age of malware specifically targeting industrial control systems (ICS) began in 2010 when Stuxnet was revealed to be disrupting operations at one of Iran’s nuclear enrichment facilities. Since that shock, we have seen advanced malware, such as Flame and Duqu, target energy companies for espionage purposes. We have also seen the unsophisticated, but highly effective, Shamoon malware massively infiltrate Saudi Aramco.
Today, I want to let you know about a new malware campaign, attributed by Symantec to a group it calls “Dragonfly.” Its modus operandi is on the level of Stuxnet in terms of technical brilliance and strategic execution.
Aimed at energy companies, it uses at least three different attack mechanisms, including compromising the software download sites of trusted ICS/SCADA suppliers and inserting malware into the installers offered there. The download packages look legitimate, since they come from trusted suppliers, but when an unsuspecting user installs one on a control system, the malware comes to life.
What does this have to do with everyday ICS and SCADA security? It is yet another example of targeted attacks of organizations in the energy sector. If you are in the energy sector, or your business relies on it, you may need to factor this type of cyber threat into your security risk assessments.
Let’s take a look at Dragonfly in more detail and see what we can learn from it.
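One practical defense against the trojanized-installer vector is to refuse to run any vendor package whose digest does not match a value obtained through a separate channel. The following is an added example, not code from the original article or from any vendor; the installer bytes, file name and manifest are constructed here, and the manifest stands in for a digest the vendor published out of band.

```python
"""Verify a vendor installer against a digest manifest obtained out of band.
Added example: the installer bytes and the manifest are constructed here.
In practice the manifest must come from a second channel (signed release
notes, a support portal reached over a separate session, a phone call),
never from the same download page that served the file."""
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>'."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.strip()] = digest
    return entries


def verify_download(name: str, data: bytes, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Deny by default: a file that is not listed fails just like a mismatch."""
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name} is not listed in the manifest"
    actual = sha256_hex(data)
    # Constant-time comparison; cheap here, and the right habit for any digest check.
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest {actual[:16]}... does not match manifest"
    return True, f"{name}: digest matches"


# Constructed stand-ins for the vendor's genuine installer and a trojanized copy
# (same file with an extra payload appended, as a compromised site might serve).
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine vendor installer payload" * 64
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00appended remote access tool"

# Constructed manifest; the digest plays the role of the value obtained out of band.
MANIFEST = parse_manifest(
    "# vendor release manifest (constructed for this example)\n"
    f"{sha256_hex(GENUINE_INSTALLER)}  hmi-setup-3.2.exe\n"
)

if __name__ == "__main__":
    print(verify_download("hmi-setup-3.2.exe", GENUINE_INSTALLER, MANIFEST))
    print(verify_download("hmi-setup-3.2.exe", TROJANIZED_INSTALLER, MANIFEST))
    print(verify_download("hmi-setup-3.3.exe", GENUINE_INSTALLER, MANIFEST))
```

The caveat is the one the Dragonfly download-site compromise makes obvious: an attacker who controls the supplier’s web site can replace the posted hash along with the file, so a digest copied from the same page proves nothing. The check only helps when the reference value arrives by a path the attacker does not control, and a vendor code signature verified against a key you already hold is the stronger form of the same idea.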
RATs (Remote Access Tools) are key components of the Dragonfly malware.
Image Credits: The Quinton Report and The Dragonfly Woman
When I started Tofino Security in 2006, my two goals were to make industrial cyber security easy to deploy and better suited for the real needs of mission critical networks. Our first generation products went a long way in doing that, but like any initial offerings they reflected a limited feedback loop from users in the field.
Today I am proud to say that we have integrated lessons learned over the last eight years to deliver Tofino 2.0, our next generation of industrial cyber security solutions.
Tofino 2.0 is a suite of products and services that includes:
- A new set of security appliances—the Tofino Xenon product line
- A new software tool—the Tofino Configurator 2.0
- A new Deep Packet Inspection Loadable Security Module (LSM)—the Tofino EtherNet/IP Enforcer
All products are now integrated with online licensing systems, plus made-to-order manufacturing. I believe this combination makes it extremely easy for control systems professionals to deploy ready-to-go cyber security solutions that work.
While normally my articles are designed to help educate you on industrial security topics, I hope my enthusiasm for Tofino 2.0 will convince you to read further and find out how this new generation makes implementing security on the plant floor both flexible and simple.
Introducing our new Tofino Xenon family of state-of-the-art security appliances
Editor’s Note: This article was contributed by Ernie Hayden of Securicon LLC, an expert in industrial controls security, especially for the power utility industry.
About 6 months ago I wrote an article for this blog about the NIST Cybersecurity Framework. The article described how the framework came to be, what it is, what it is supposed to do and what you should do about it.
If you have any interest in industrial cyber security you will want to download the latest version of the framework and have it on hand for reference. If you are in one of 16 critical infrastructure industries (shown in a table in this earlier article), or if you rely on any of them for your success, your organization needs to go one step further and become familiar with its content.
In this article I am going to discuss the newly revised ICS Security Guideline – NIST 800-82 Rev. 2 – and offer some useful thoughts on it.
What’s protecting your business from today’s latest security threats? If you’re relying on a single defense – your company, communications network and sensitive data are open to attacks by cyber criminals and hackers. Even a well-designed solution can malfunction or be bypassed.
To keep critical business processes up and running, a layered approach to security is far more reliable. At Belden, we encourage our customers to employ multiple security measures through a “Defense in Depth” approach.
Defense in Depth was originally used as a military strategy by the Romans. For security purposes, it means each layer of protection is designed to address a specific type of threat. If one security measure is bypassed or fails, the next layer steps in to defend the system.
Companies can be exposed to a variety of different security threats. Some are intentional, such as disgruntled employees, computer malware or information theft. Many others, however, are accidental – including employee mistakes or misconfiguration errors. No matter the aim, it is vital that businesses have a defense prepared for all possible threats.
Belden’s expertise helps protect critical assets from intrusion or manipulation. With a portfolio of security solutions designed for various mission-critical industries – from data centers to city wastewater plants to commercial buildings – Belden provides companies with a pragmatic approach to cyber and physical security.
Editor’s Note: This article was contributed by Thomas Nuth, product marketing manager.
Three years ago, the concept of industrial cyber security became a popular discussion topic within the industrial networking community. Now the discussion has risen to the level of heads of state within the international community. The Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year is just one indication of the importance being attached to this issue.
What’s also interesting is the change in focus of this discussion topic. The key question has changed from an interested “Why do we need to secure our industrial network?” to a frantic “How do we do it?”
Obama’s Executive Order on Cybersecurity: A Sign of the Times? Image Credit: Mashable
Recently I received an email (shown further down on this page) purporting to be from the US Internal Revenue Service (IRS).
Phishing, like fishing, can be profitable. Image Credit: Fotopedia
Notice that the US Internal Revenue Service now uses Cyrillic script in its staff email addresses! And they use AOL as an email service, rather than irs.gov. (Is the US budget sequestration really hurting that badly?)
The third fun item is that the link you are supposed to click on (irs.gov/pub/irs-pdf/forms2012/) actually resolves to prospectrealty.net/wp-content/plugins/Bridge-Book-Printer/forms.htm.
(Note to Prospect Realty – you might want to secure your web site a little better.)
Beware Industrial Security Pros: Phishing Season is Open
Obviously, this email is a phishing attack. The creators of the email want me to click on the fake IRS link. If I did, my browser would be directed to the Prospect Realty website they have hacked. There I would either see a page that looked like an IRS log-in page (so the crooks could steal any confidential corporate information I enter) or the site would try to download some nasty Java applet that would take over my computer (assuming I hadn’t patched Java recently).
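The three giveaways described above (a sender address that mixes scripts, a consumer webmail domain standing in for irs.gov, and link text that names one host while the href points at another) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post; the sample message is constructed for it (the sender address and display name are invented, with a Cyrillic letter inserted to mimic the lookalike trick), and only the two URLs come from the page. The webmail domain list is a small heuristic set, not an authoritative one.

```python
"""Heuristic checks for the three phishing giveaways called out above.
Added example; the sample message below is constructed, not the actual email."""
import email
import re
import unicodedata
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
# Consumer webmail domains a government agency would not send from (assumed heuristic list).
FREEMAIL = {"aol.com", "gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def scripts_in(text: str) -> Set[str]:
    """Unicode scripts of the letters in text, taken from the character name prefix."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def host_of(s: str) -> Optional[str]:
    """Hostname from a URL or from bare 'domain/path' link text; None if it is not one."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        host = urlsplit(s).hostname
    except ValueError:
        return None
    return host if host and HOSTNAME_RE.match(host) else None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def analyze(raw_message: str) -> List[str]:
    """Return a list of findings; an empty list means none of the three checks fired."""
    msg = email.message_from_string(raw_message)
    findings: List[str] = []

    from_header = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    domain = addr.rpartition("@")[2].lower()

    non_latin = scripts_in(addr) - {"LATIN"}
    if non_latin:
        findings.append(f"sender address {addr!r} mixes scripts: {sorted(non_latin)}")
    if domain in FREEMAIL:
        findings.append(f"sender domain {domain} is a consumer webmail service")

    collector = AnchorCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.anchors:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but href points to {actual}")
    return findings


# Constructed sample: invented sender with a Cyrillic 'е' (U+0435) in the local part,
# and the two URLs from the post as link text and href respectively.
SAMPLE_EMAIL = (
    'From: "IRS Tax Notice" <irs.notic\u0435@aol.com>\n'
    "Subject: Your 2012 tax form\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Download your form: "
    '<a href="http://prospectrealty.net/wp-content/plugins/Bridge-Book-Printer/forms.htm">'
    "irs.gov/pub/irs-pdf/forms2012/</a></p>\n"
    '<p>Questions? Visit <a href="http://www.irs.gov/">www.irs.gov</a></p></body></html>\n'
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("FINDING:", finding)
```

Each finding corresponds to one of the observations in the post; the second anchor, whose text and href agree, produces none. None of these checks replaces user awareness, but all three are cheap enough to run on every inbound message at the gateway.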
This phishing attack is so crude and so obvious that it is funny.
But in another way, it isn’t funny at all.