The Claroty Blog

OT/ICS News Roundup: Week Ending 3.30.18

Patrick McBride

Here are a few stories that turned our heads in Operational Technology (OT)/Industrial Control Systems (ICS) security over the past week:

Fox News: Ransomware, other cyberattacks hit US cities, states, companies

U.S. cities, states and companies increasingly find themselves at risk for cyberattacks and breaches involving so-called ransomware, which place them at the mercy of hackers demanding money.

Recent examples have taken place in computer networks serving the cities of Atlanta, Baltimore, Denver, and the operations of Boeing.

Atlanta’s computer systems were hit with a ransomware attack March 22, locking important city data behind an encrypted wall that can be unlocked only if the city pays the hackers $51,000 in the form of Bitcoin cryptocurrency.

But Atlanta isn’t alone in being barraged with cyberattacks. Baltimore officials admitted Wednesday that a ransomware attack targeted the city's 911 dispatch system over the weekend, leading to a 17-hour shutdown of the emergency dispatching system.

The world's largest aerospace company, Boeing, was the target of a cyberattack Wednesday via the notorious WannaCry ransomware -- the same tool that crippled the health care services in Britain last year, the Seattle Times reported.

News of the Boeing attack was met with widespread alarm, with officials fearing the hackers may have brought down the company's production equipment. But Boeing urged for calm, saying the cyberattack breached only a few machines.

“We’ve done a final assessment,” Linda Mills, head of communications for Boeing Commercial Airplanes, told the publication. “The vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.” 

Our Take: Like a college student coming home for Spring Break, WannaCry has returned and is asking for money. There are plenty of very good network tools available to identify and patch the WannaCry vulnerability in Windows endpoints. So, one must wonder why so many industrial endpoints are still vulnerable.

WannaCry illustrates how ICS networks can be impacted not by a targeted attack, but as unintended collateral damage from an attack on IT systems. In a blog entry published just after the initial WannaCry attack, we outlined several factors that may make industrial environments particularly susceptible to WannaCry and future variants of the malware. Given recent events, that entry is probably worth re-reading.

Security Week: Severe Vulnerabilities Expose MicroLogix PLCs to Attacks 

Rockwell Automation has released patches and mitigations for several potentially serious vulnerabilities discovered by Cisco Talos researchers in its Allen-Bradley MicroLogix 1400 programmable logic controllers (PLCs).

According to Cisco Talos, the vulnerabilities can be exploited for denial-of-service (DoS) attacks, modifying a device’s configuration and ladder logic, and writing or removing data on its memory module.

Since these controllers are typically used in industrial environments, including in critical infrastructure organizations, exploitation of the flaws could result in significant damage, Talos said.

The most serious of the flaws, based on their CVSS score of 10, are a series of access control issues that have been assigned a dozen CVE identifiers. A remote and unauthenticated attacker can exploit these vulnerabilities to obtain sensitive information, modify a device’s settings, or change its ladder logic – all by sending specially crafted packets.

While exploiting many of these flaws requires that the controller’s keyswitch is in REMOTE or PROG position, reading the master password and the master ladder logic works regardless of the keyswitch setting.

Our Take: While we applaud Rockwell for addressing these vulnerabilities quickly, it is also important to remember that an adversary doesn’t need a vulnerability to impact processes in many plants built over the last 30 years. Time and again we see even basic protections missing in very large OT environments, such that if an attacker gets a foothold on the network, they don’t need to exploit vulnerabilities to own an endpoint. Many ICS assets do not have built-in authentication controls and can be modified by anyone spoofing the right management console or simply sending command line code. That is why we are such advocates for behavioral monitoring and anomaly detection. If there is a configuration change or some other out-of-band modification made to an endpoint, a highly contextualized alert will enable responders to investigate quickly.

The Hill: GOP chair urges passage of Homeland Security cyber legislation

The bill would reorganize and rename the Department of Homeland Security (DHS) office that secures civilian federal networks and critical infrastructure from cyber and physical threats, transforming it from a headquarters component into a stand-alone agency.

McCaul has led a multiyear push to reorganize the office, currently called the National Protection and Programs Directorate (NPPD). His stand-alone bill to reorganize and rename NPPD the Cybersecurity and Infrastructure Security Agency passed the House in December.

A Senate bill reauthorizing Homeland Security includes language that would reorganize the cyber office, and was approved by the Senate Homeland Security and Governmental Affairs Committee earlier this month. The upper chamber has yet to take up the legislation for a vote.

Meanwhile, Homeland Security officials have been advocating for the bill, saying the reorganization and name change will allow them to better execute their cyber mission and recruit and retain personnel.

NPPD is responsible for working with operators of critical infrastructure — including companies in the financial, energy and manufacturing sectors — to protect against and respond to cyberattacks. Officials are also engaging with state officials to protect digital voting infrastructure from cyber threats, following Russian interference in the election.

Our Take: Last week, we applauded Chairman McCaul’s sponsorship of legislation to add specialists from the private sector to Homeland Security incident response teams. We are also encouraged by this effort to reorganize the NPPD and sharpen its focus. The reference to a potential benefit, to “better … recruit and retain personnel,” is particularly important. The private sector has faced a cybersecurity skills gap for some time. This issue is particularly acute for industrial cybersecurity skills and is potentially worse in the government sector. Finding an individual who ticks the boxes of both OT background and extensive cybersecurity skills is like lassoing a unicorn: finding one is hard enough, and adding it to your “stable” is off the charts. If the reorganization results in increasing the NPPD’s ability to execute its mission, we’re all for it. Congressional support for the change appears to be quite strong as well.
