Over the holidays, you likely read or heard about a number of “Top 10” lists. Examples include Top 10 News Stories, Top 10 Books, Top 10 Movies, and Top 10 You-Name-It.
Thinking you would not want to miss out on the top topics about one of your favorite subjects, industrial security, I took a look at what the top articles were for this blog in 2014. I also looked at which cyber security white papers and other documents were downloaded most frequently.
The results show that there were three top themes:
1. The End of Support (EOS) for Windows XP
2. The Dragonfly advanced malware campaign
3. “Cyber Security Big Picture”
The “Cyber Security Big Picture” topic included information on the NIST cyber security framework and cyber security concepts for CEOs.
Finally, particular application areas showed a high area of interest. This included Defense in Depth strategies for oil and gas applications and industrial wireless applications.
If any of these topics are of interest to you, or you want to make sure you didn’t miss any useful content, read on.
Reader visits and content downloads helped us determine the top cyber security topics of 2014.
The malware campaign known as Dragonfly has surprised those of us concerned with industrial cyber security on several fronts. Initially, it was notable as the first malware since Stuxnet in 2010 to specifically target Industrial Control Systems (ICS) components.
Then, research done by Joel Langill of RedHat Cyber, showed that its target was most likely the pharmaceutical industry, rather than the energy industry as initially reported. This represented the first time that a sophisticated attack vector had gone after the discrete manufacturing sector.
Next, although Dragonfly collected information on industrial control systems, it did not harm these systems. Instead, it gathered information for the likely purposes of counterfeiting or competitive intelligence. (It would, nonetheless, be easy for its creators to modify its modules for destructive purposes in the future.)
Dragonfly was also remarkable because of the devious methods and pathways it took to get to the control system. Joel coined the apt term “Offense in Depth” to describe the diversified arsenal of attack vectors it employed.
Today, we are releasing the final two parts of our white paper on Dragonfly. These are Part C – Assessing the Consequences and Part D – Defending Industrial Control Systems. These analyses reveal another concerning aspect of Dragonfly, in particular how “usual” security solutions would not have defended against it. Thankfully though, there are techniques and products available to defend against it.
The Dragonfly malware campaign used devious Offense in Depth techniques to access control systems. While “usual” security solutions would not have defended against it, there are techniques and products that would have been effective.
The End of Service (EOS) for Windows XP means it is going to be harder to keep existing industrial networks cyber secure and available.
After our series of articles on the impact of End of Service (EOS) for Windows XP you may realize that moving away from the operating system is going to be difficult and time consuming. Plus, you need a way to mitigate risk in the meantime.
Fortunately there is an easy fix for mitigating Windows XP risk now. It is as simple as installing industrial firewalls to protect your control networks from malware, whether introduced accidentally or maliciously.
Now, many vendors claim that using their products is “easy”. Just like programming a VCR was never as easy as it was cracked up to be, you might be suspicious of our assertion that installing industrial firewalls is easy.
Manufacturing networks such as the one at this pharmaceutical factory can be protected from Windows XP cyber security risk through the use of industrial firewalls.
The age of malware specifically targeting industrial control systems (ICS) began in 2010 when Stuxnet was revealed to be disrupting operations at one of Iran’s nuclear enrichment facilities. Since that shock, we have seen advanced malware, such as Flame and Duqu, target energy companies for espionage purposes. We have also seen the unsophisticated, but highly effective, Shamoon malware massively infiltrate Saudi Aramco.
Today, I want to let you know about a new malware, coined as coming from the “Dragonfly hacking group” by Symantec. It indicates a modus operandi on the level of Stuxnet in terms of technical brilliance and strategic execution.
Aimed at energy companies, it has at least three different attack mechanisms, including taking over the software download sites at trusted ICS/SCADA suppliers. The download packages look legitimate (since they come from trusted suppliers), but when the unsuspecting user installs them on their control system, the malware comes to life.
What does this have to do with everyday ICS and SCADA security? It is yet another example of targeted attacks of organizations in the energy sector. If you are in the energy sector, or your business relies on it, you may need to factor this type of cyber threat into your security risk assessments.
Let’s take a look at Dragonfly in more detail and see what we can learn from it.
RATs (Remote Access Tools) are key components of the Dragonfly malware.
Image Credits: The Quinton Report and The Dragonfly Woman
Editor’s Note: This article was contributed by Ernie Hayden of Securicon LLC, an expert in industrial controls security, especially for the power utility industry.
About 6 months ago I wrote an article for this blog about the NIST Cybersecurity Framework. The article described how the framework came to be, what it is, what it is supposed to do and what you should do about it.
If you have any interest in industrial cyber security you will want to download the latest version of the framework and have it on hand for reference. If you are in one of 16 critical infrastructure industries (shown in a table in this earlier article), or if you rely on any of them for your success, your organization needs to go one step further and become familiar with its content.
In this article I am going to discuss the newly revised ICS Security Guideline – NIST 800-82 Rev. 2 – and offer some useful thoughts on it.
If you are a regular follower of this blog, you’ve probably noticed that I haven’t been writing much in the past few months. I just have been too busy, traveling and speaking at some really great security conferences.
The most recent and the most informative (for me at least) was the International NCSC One Conference 2014 at the World Forum in The Hague. This is a massive and well organized event run by the Netherlands National Cyber Security Centre, the Dutch equivalent to the US-CERT. Close to 950 people listened to my talk on “The Internet of Insecure Things”.
During NCSC One I heard some great talks on the state of encryption technology today, SCADA Security consortium and foreign APT threats. But the highlight was the plenary speech by Jon Callas on the second day entitled “Security and Usability in the age of Surveillance”. Jon’s talk focused on Bring Your Own Device (BYOD) security, but it raised some questions that are core to cyber security in the 21st century.
If you’re not familiar with the BYOD security debate and want to get some background, check out my blog on the topic – The iPhone is coming to the Plant Floor – Can we Secure it?. The short version is that the BYOD controversy revolves around the possible security issues that arise when employees use their personal mobile devices to access privileged company resources.
A common example is using your iPhone to access your company’s email system – does this increase or decrease corporate security?
System Integrators play an important role in helping manufacturers benefit from industrial automation technologies. They design and implement sophisticated control systems and their expertise, project management skills and manpower help companies achieve advances that cannot be realized with internal resources.
If your company is a System Integrator or Control System Integrator then you have likely been building up your expertise in the area of industrial cyber security as demand for services related to this topic has grown.
In fact today I am participating in a webinar for the Control System Integrators Association. It’s about how to help companies reduce the operational risk created by the end of service (EOS) for the Windows XP operating system. The webinar is at 11am EST today, and you can still register for it. If you miss the webinar, this article provides an overview of what I will be saying.
Windows XP EOS is a BIG Opportunity
Windows XP has been the workhorse operating system for factories, energy facilities and many critical infrastructure systems around the world. The operating system runs important manufacturing, process and production applications on the plant floor, in the field as well as in control rooms and engineering offices. It is also embedded in thousands of devices that control many factory automation and process control operations.
With Microsoft ceasing to provide the security updates and “hot fixes” that were routinely available before April 8, 2014, computers and other devices are more vulnerable to security risks and viruses. The EOS of Windows XP places industrial users in a very uncomfortable position.
The risk of security issues and resultant downtime will steadily increase over time. Yet the cost of upgrading or replacing Windows XP-based systems, and particularly the cost of the associated disruption to operations, is often prohibitive.
If your job mandate includes maintaining uptime then network security is an area you can’t afford to ignore. In the industrial space the biggest risk comes from accidental network introductions, such as a virus introduced by a supplier or an employee via a USB drive. Once that happens, your manufacturing or process control operations could be in jeopardy.
In the two videos in this article I explain how cyber security risk is different in the industrial environment than in the IT or office environment. I then zero in on how risk has been increased with the end of service for Windows XP and I explain how industrial firewalls can help.
Preserve Uptime by Minimizing Industrial Cyber Security Risk
Cyber security for industrial networks focuses on preserving uptime by guarding against accidental introductions of viruses or malware. (1:10)
There’s no escaping the push to secure industrial applications. The end of support for Microsoft’s Windows XP operating system is just the latest situation that contributes to the need to make sure that industrial networks have cyber security measures in place.
The challenge is how to go about it. No one wants to be tagged with the responsibility to implement it because the technology can be confusing, the doublespeak from the experts can be frustrating, and the pressure to do something without clear direction or budget from management is commonplace.
If you’re the person tasked with security—and if you’re reading this, you probably are—the ambiguity surrounding security for industrial systems has probably struck you already.
Vendors are not offering security like they offer a PLC or drive. There are plenty of experts who can help you, but their approach feels more custom than standardized, and they tell you you’re never completely secure … just more secure than you were before.
One tool in the toolbox to help you improve the cyber resilience of your facility is to leverage the know-how of your company’s IT security experts. Before you start running for the hills at this suggestion, I hope you will read on and find out how this may actually help.
Why IT Are Your Friends When IT Comes to PLC Security
As daunting as solving the industrial systems security puzzle for your facility may seem, a part of the answer has been right in front of you the whole time:
You need to reach out to your friends in the IT department.
While many controls and process engineers have had their struggles working with IT, when it comes to security, they are your most valuable resource.
Keeping production systems up and running is the primary concern of controls engineers. Nowadays, part of achieving high availability includes protecting networks from accidental events and unforeseen security threats.
In speaking to our customers about this challenge we found out that they would like an all-around device that is easy to use and that can be deployed in the harshest industrial environments. Today I want to introduce you to a handy new tool for meeting these requirements.
Introducing the EAGLE One Industrial Security Router
Our just announced EAGLE One security router is what we like to call “the Swiss Army knife of routers”. It provides comprehensive industrial network security with a very good price/performance ratio. Plus it is rugged enough for use in industries such as oil and gas.