Over the holidays, you likely read or heard about a number of “Top 10” lists. Examples include Top 10 News Stories, Top 10 Books, Top 10 Movies, and Top 10 You-Name-It.
Thinking you would not want to miss out on the top topics about one of your favorite subjects, industrial security, I took a look at what the top articles were for this blog in 2014. I also looked at which cyber security white papers and other documents were downloaded most frequently.
The results show that there were three top themes:
1.The End of Support (EOS) for Windows XP
2.The Dragonfly advanced malware campaign
3.“Cyber Security Big Picture”
The “Cyber Security Big Picture” topic included information on the NIST cyber security framework and cyber security concepts for CEOs.
Finally, particular application areas showed a high area of interest. This included Defense in Depth strategies for oil and gas applications and industrial wireless applications.
If any of these topics are of interest to you, or you want to make sure you didn’t miss any useful content, read on.
Reader visits and content downloads helped us determine
the top cyber security topics of 2014.
The malware campaign known as Dragonfly has surprised those of us concerned with industrial cyber security on several fronts. Initially, it was notable as the first malware since Stuxnet in 2010 to specifically target Industrial Control Systems (ICS) components.
Then, research done by Joel Langill of RedHat Cyber, showed that its target was most likely the pharmaceutical industry, rather than the energy industry as initially reported. This represented the first time that a sophisticated attack vector had gone after the discrete manufacturing sector.
Next, although Dragonfly collected information on industrial control systems, it did not harm these systems. Instead, it gathered information for the likely purposes of counterfeiting or competitive intelligence. (It would, nonetheless, be easy for its creators to modify its modules for destructive purposes in the future.)
Dragonfly was also remarkable because of the devious methods and pathways it took to get to the control system. Joel coined the apt term “Offense in Depth” to describe the diversified arsenal of attack vectors it employed.
Today, we are releasing the final two parts of our white paper on Dragonfly. These are Part C – Assessing the Consequences and Part D – Defending Industrial Control Systems. These analyses reveal another concerning aspect of Dragonfly, in particular how “usual” security solutions would not have defended against it. Thankfully though, there are techniques and products available to defend against it.
The Dragonfly malware campaign used devious Offense in Depth techniques to access control systems. While “usual” security solutions would not have defended against it, there are techniques and products that would have been effective.
The age of malware specifically targeting industrial control systems (ICS) began in 2010 when Stuxnet was revealed to be disrupting operations at one of Iran’s nuclear enrichment facilities. Since that shock, we have seen advanced malware, such as Flame and Duqu target energy companies for espionage purposes. We have also seen the unsophisticated, but highly effective, Shamoon malware massively infiltrate Saudi Aramco .
Today, I want to let you know about a new malware, coined as coming from the “Dragonfly hacking group” by Symantec. It indicates a modis operandi on the level of Stuxnet in terms of technical brilliance and strategic execution.
Aimed at energy companies, it has at least three different attack mechanisms, including taking over the software download sites at trusted ICS/SCADA suppliers. The download packages look legitimate (since they come from trusted suppliers), but when the unsuspecting user installs them on their control system, the malware comes to life.
What does this have to do with everyday ICS and SCADA security? It is yet another example of targeted attacks of organizations in the energy sector. If you are in the energy sector, or your business relies on it, you may need to factor this type of cyber threat into your security risk assessments.
Let’s take a look at Dragonfly in more detail and see what we can learn from it.
RATs (Remote Access Tools) are key components of the Dragonfly malware.
Image Credits: The Quinton Report and The Dragonfly Woman
When I started Tofino Security in 2006, my two goals were to make industrial cyber security easy to deploy and better suited for the real needs of mission critical networks. Our first generation products went a long way in doing that, but like any initial offerings they reflected a limited feedback loop from users in the field.
Today I am proud to say that we have integrated lessons learned over the last eight years to deliver Tofino 2.0, our next generation of industrial cyber security solutions.
Tofino 2.0 is a suite of products and services that includes:
- A new set of security appliances—the Tofino Xenon product line
- A new software tool—the Tofino Configurator 2.0
- A new Deep Packet Inspection Loadable Security Module (LSM)—the Tofino EtherNet/IP Enforcer
All products are now integrated with online licensing systems, plus made-to-order manufacturing. I believe this combination makes it extremely easy for control systems professionals to deploy ready-to-go cyber security solutions that work.
While normally my articles are designed to help educate you on industrial security topics, I hope my enthusiasm for Tofino 2.0 will convince you to read further and find out how this new generation makes implementing security on the plant floor both flexible and simple.
Introducing our new Tofino Xenon family of state-of-the-art security appliances
Editor’s Note: This article was contributed by Ernie Hayden of Securicon LLC, an expert in industrial controls security, especially for the power utility industry.
About 6 months ago I wrote an article for this blog about the NIST Cybersecurity Framework. The article described how the framework came to be, what it is, what it is supposed to do and what you should do about it.
If you have any interest in industrial cyber security you will want to download the latest version of the framework and have it on hand for reference. If you are in one of 16 critical infrastructure industries (shown in a table in this earlier article), or if you rely on any of them for your success, your organization needs to go one step further and become familiar with its content.
In this article I am going to discuss the newly revised ICS Security Guideline – NIST 800-82 Rev. 2 – and offer some useful thoughts on it.
If you are a regular follower of this blog, you’ve probably noticed that I haven’t been writing much in the past few months. I just have been too busy, traveling and speaking at some really great security conferences.
The most recent and the most informative (for me at least) was the International NCSC One Conference 2014 at the World Forum in The Hague. This is a massive and well organized event run by the Netherlands National Cyber Security Centre, the Dutch equivalent to the US-CERT. Close to 950 people listened to my talk on “The Internet of Insecure Things”
During NCSC One I heard some great talks on the state of encryption technology today, SCADA Security consortium and foreign APT threats. But the highlight was the plenary speech by Jon Callas on the second day entitled “Security and Usability in the age of Surveillance”. Jon’s talk focused on Bring Your Own Device (BYOD) security, but it raised some questions that are core to cyber security in the 21st century.
If you’re not familiar with the BYOD security debate and want to get some background, check out my blog on the topic – The iPhone is coming to the Plant Floor – Can we Secure it?. The short version is that the BYOD controversy revolves around the possible security issues that arise when employees use their personal mobile devices to access privileged company resources.
A common example is using your iPhone to access your company’s email system – does this increase or decrease corporate security?
Keeping production systems up and running is the primary concern of controls engineers. Nowadays, part of achieving high availability includes protecting networks from accidental events and unforeseen security threats.
In speaking to our customers about this challenge we found out that they would like an all-around device that is easy to use and that can be deployed in the harshest industrial environments. Today I want to introduce you to a handy new tool for meeting these requirements.
Introducing the EAGLE One Industrial Security Router
Our just announced EAGLE One security router is what we like to call “the Swiss Army knife of routers”. It provides comprehensive industrial network security with a very good price/performance ratio. Plus it is rugged enough for use in industries such as oil and gas.
One of the indicators that it’s time to update your network design is when troubleshooting issues take too long and having a significant impact on production. That was one of the issues Johnson Controls’ Automotive Experience Group was facing when it decided its “one size fits all” flat network infrastructure had to change.
The flat network design had been controlled by the IT department which initially did not understand how the good practices it used to manage the enterprise network were disrupting the plant floor network.
As the demand for real-time information has increased, more and more IT professionals are becoming involved with manufacturing networks. If you are one of those people, or if you are an engineer who wishes IT understood your operational network requirements, then the Johnson Controls story that follows may be helpful. Read more
Recently there was a thread on SCADASEC news, a restricted access critical infrastructure mailing list, about the challenges of firewalling BACnet networks. If you only work in the industrial automation space, you may not have heard of this protocol, but it is big in building automation. Regardless, the discussion around BACnet applies to many industrial protocols.
The question raised was whether or not BACnet traffic can be managed by a firewall. The problem is that BACnet, like many other automation protocols, doesn’t play by the usual IT rules. In BACnet’s case, it does not use TCP/IP at all, so trying to secure it with a typical IT firewall that looks for TCP port numbers is a lost cause.
BACnet is a non-TCP /IP protocol used in building automation systems that cannot be secured by typical IT firewalls. Image courtesy of Schneider Electric.
Improving the cyber security of industrial networks is a challenge you may be facing.
On the one hand your manufacturing processes probably use devices such as PLCs (programmable logic controllers) and DCS (distributed control systems) that were designed with a focus on reliability and safety rather than security.
On the other hand your industrial networks are already, or soon will be, connected to your company’s enterprise networks and migrated to Ethernet.
In considering how to decrease cyber risk and protect assets, it is important to look for technology solutions that are designed for the plant floor. Read more