The Claroty Blog

OT/ICS News Roundup: Week Ending 3.23.18

Patrick McBride

Here are a few stories that turned our heads in Operational Technology (OT)/Industrial Control Systems (ICS) security over the past week:

The Hill: House approves legislation to authorize Homeland Security cyber teams

The legislation would authorize the “cyber hunt and incident response teams” at Homeland Security to help owners and operators of critical infrastructure respond to cyberattacks as well as provide strategies for mitigating cybersecurity risks.

The bill would also allow Secretary of Homeland Security Kirstjen Nielsen to add cybersecurity specialists from the private sector to the response teams.

It would require that Homeland Security’s National Cybersecurity and Communications Integration Center — the office in which the response teams are housed — continually evaluate the response teams and report to Congress on their efforts at the end of each fiscal year for four years after the bill becomes law.

Our Take: We applaud Chairman McCaul for his sponsorship of this bill. We have been saying for some time that protection of critical infrastructure will require the combined, and coordinated, efforts of the private and public sectors. This is an encouraging step.


Dark Reading: Gartner Expects 2018 IoT Security Spending to Reach $1.5 Billion

Enterprises worldwide will spend $1.5 billion this year protecting their IoT networks and connected devices against a range of security threats, according to new estimates from Gartner.

That figure represents a 28% increase from the $1.2 billion spent on IoT security last year and reflects growing enterprise concern over vulnerabilities in IoT and connected networks. Gartner says by 2021, such concerns will push IoT security spending to over $3.1 billion.

Gartner predicts that concerns over IoT risks will drive spending for tools and services that can help organizations discover and manage IoT assets on the network, perform security assessments of IoT hardware and software, and conduct penetration testing. Professional services will account for $946 million of the $1.5 billion in total that organizations will spend on IoT security this year, according to Gartner. By 2021, IoT security service spending will more than double to nearly $2.1 billion.

“And there are so many IoT device types and vendors that it’s challenging to determine what risks they bring and what levels of controls can be implemented to mitigate that risk,” Contu says. “The net result is that just like happened with IT security: everybody’s playing security catch-up with IoT security as well.”

Our Take: With everyone from the US Federal Government to the majority of IT professionals saying they do not feel prepared for the risk of cyber-attack on their IIoT and OT environments, the current spending level is clearly inadequate. With these same constituencies admitting they are playing catch-up in their IIoT/OT security posture, we believe the more relevant metric is the rate of growth. IoT security spending increasing from US$1.2B in 2017 to US$3.1B in 2021 represents a 27% compound annual growth rate. While this outpaces nearly any IT security category, the real question is “are they catching up quickly enough?” Given the current state of risk, we would argue growth of >40% would indicate that at-risk industries are making OT cyber-defense a top priority. Time will tell.


HelpNetSecurity: Middle East oil and gas companies are unprepared to address OT cyber risk

Cyber security breaches in the Middle East are widespread and frequently undetected, with 30 percent of the region’s attacks targeting operational technology (OT), finds a new study by Siemens and Ponemon Institute.

60 percent of respondents believe the cyber risk to OT to be greater than IT, and in 75 percent of cases those questioned had experienced at least one security compromise resulting in confidential information loss or operational disruption in the OT environment in the last 12 months.

Despite awareness of rising OT cyber risk, budgets for OT cyber services and solutions have not kept up with the threat. At present, oil and gas organizations in the Middle East dedicate only a third, on average, of their total cyber security budget to securing the OT environment. This suggests that organizations are not aligning their cyber investments with where they are most vulnerable and highlights the urgency to address OT cyber security.

Organizations must overcome the fear of connectivity and gain continuous visibility into their OT assets, and the operating environment needs to be secured all the way to the edge. Analytics should be leveraged in order to make smarter, faster decisions, and organizations should demand purpose-built OT cyber solutions. Lastly, it’s crucial to partner with OT cyber security experts with real domain expertise.

Our Take: This survey data is not surprising. A previous Siemens/Ponemon survey from last year reported similar findings in the US oil and gas industry, and the findings are further validated by the frequent examples of oil and gas cyber-security incidents cited in the media over the past year. We suspect the percent of companies that have experienced a material security compromise is actually higher than 75%, as this only reflects the incidents that were detected. We particularly applaud the article’s author for the last paragraph. We couldn’t agree more. We have been saying the same thing since day one, and built the Claroty Platform with this in mind.


InfoSecurity Magazine: OilRig APT Significantly Evolves in Latest Critical Infrastructure Attacks

An Iran-linked APT group has been using OilRig to compromise critical infrastructure, banks, airlines and government entities since 2015 in a range of countries, including Saudi Arabia, Qatar, United Arab Emirates, Turkey, Kuwait, Israel, Lebanon and the United States. According to fresh analysis by Nyotron, the latest spate of attacks has been focused on a number of organizations across the Middle East and shows that the OilRig group has significantly evolved its tactics, techniques and procedures to include next-generation malware tools and new data exfiltration methods.

Some of the new tools are off-the-shelf, dual-purpose utilities, but others are previously unseen malware using Google Drive and SmartFile, as well as internet server API (ISAPI) filters for compromising Microsoft Internet Information Services (IIS) servers.

Nyotron said that for one, the group has built a sophisticated remote access Trojan (RAT) that uses Google Drive for command-and-control (C&C) purposes. It supports a variety of configuration settings, uses encryption and registers as a service: The malware simply retrieves commands from the attacker’s account on Google Drive and exfiltrates files to it.

Worryingly, at the time of the research, this RAT was not detectable by any antivirus engine that is part of VirusTotal.

Our Take: Two things really jump out here. First, the OilRig group has built sophisticated remote-access capability into their attack toolkit. This underscores the need for an authentication gate between the OT network and remote employees and third parties. Second, the malware being used to facilitate the remote access is undetectable by any of the most common antimalware engines. Threats, by nature, evolve ahead of security technologies, which is why so many traditional security products fail to detect zero-day threats. It is important not to look just for bad things (this is the known), but to constantly monitor your environment for changes and anomalies which may indicate the presence of a previously unknown threat. Claroty’s Continuous Threat Detection and Secure Remote Access can help protect against both of these advanced threats.

