The Claroty Blog

OT/ICS News Roundup: Week Ending 5.25.18

Patrick McBride, Dave Weinstein

Here are a few stories that turned our heads in Operational Technology (OT)/Industrial Control Systems (ICS) security over the past week:

CyberScoop - Trisis masterminds have expanded operations to target U.S. industrial firms

A group known for infecting a Saudi petrochemical plant with highly sophisticated industrial control malware has expanded its operations, according to new research, with a former U.S. official telling CyberScoop that companies inside the United States have been breached.

New York Times - Company: Industrial Hacking Group Has Targets Beyond Mideast

A U.S. cybersecurity company says the hacking group behind a worrying breed of destructive software is operating well beyond the Middle East, raising the possibility that it is laying the groundwork for dangerous cyberattacks around the world.

Our Take:

Details are scarce at present, but additional use of Triton malware, or other malware crafted to impact safety systems, is a big deal for industrial asset owners. Since safety systems are designed to protect people, expensive assets and the environment, attacks on these systems need to be taken very seriously. Claroty will continue to monitor and update...

Washington Post – The Cybersecurity 202: The FBI is trying to thwart a massive Russia-linked hacking campaign

U.S. law enforcement is trying to seize control of a network of hundreds of thousands of wireless routers and other devices infected by malicious software and under the control of a Russian hacking group that typically targets government, military and security organizations.

In a statement issued late Wednesday, the Justice Department said the FBI had received a court order to seize a domain at the core of the massive botnet, which would allow the government to protect victims by redirecting the malware to an FBI-controlled server.

The DOJ attributed the hacking campaign to the group known as Sofacy, also known as Fancy Bear. While the statement did not explicitly name Russia, Fancy Bear is the Russian military-linked group that breached the Democratic National Committee in the presidential election.

Our Take: Reducing the risk from cyber attacks will continue to take a concerted and coordinated effort from a broad range of players, particularly when the adversary is a well-heeled state actor. Governments will need to continue to play an active role.

Reuters: Cyber firms warn on suspected Russian plan to attack Ukraine

Cisco Systems Inc on Wednesday warned that hackers have infected at least 500,000 routers and storage devices in dozens of countries with highly sophisticated malicious software, possibly in preparation for another massive cyber attack on Ukraine.

Cisco’s Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

Cisco said the malware could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

Our Take:

This one is connected to the previous story. What stands out to us is that the VPNFilter codebase shares heritage with BlackEnergy, and that it includes a capability for “monitoring Modbus SCADA protocols,” as reported in the source Cisco Talos blog. Stay tuned to our blog for more analysis.

FedScoop: Manfra details how DHS will protect nation’s critical functions

Fresh off the debut of the Department of Homeland Security’s new cybersecurity strategy, Jeanette Manfra outlined how the agency is collaborating with the private sector to help safeguard the nation’s most essential functions from cyberattacks.

The assistant secretary for the Office of Cybersecurity and Communications said that DHS and its cyber component, the National Protection and Programs Directorate, were working to identify and protect key areas designated as “national critical functions.”

“Those are things like a stable financial system, the ability to have clean water, the ability to have electricity and now, the ability to have communications,” Manfra said Tuesday at the Security Through Innovation Summit presented by McAfee and produced by FedScoop and CyberScoop. “All of these systems need to be stable, they need to be resilient, they need to be secure.”

Our Take:

Protecting our nation’s critical infrastructure is indeed both a government and industry responsibility. DHS’s emphasis on better information sharing that transcends industries is a positive development, essential to promoting shared situational awareness of cyber threats in near real time. The private sector has been asking for this for some time. But we don’t need more studies of what critical infrastructure is, how it is vulnerable, and so on; multiple administrations have studied it to death. What matters now is turning ideas into action toward better monitoring and protecting it. This falls largely in the hands of private industry. We encourage federal policymakers to bring the multiple tools of government to bear to encourage and enable businesses to do this.

The Register: Brit water firms, power plants with crap cyber security will pay up to £17m, peers told

Plans to fine Britain's national utilities and infrastructure providers £17m for shoddy cyber security will be at the forefront of industry's mind once everyone "gets over" GDPR, peers heard at a House of Lords committee.

Speaking on a panel on cyber security for critical national infrastructure (CNI) yesterday, Elliot Rose, cyber security head at PA consulting, warned: "We've all been preoccupied with GDPR, but the [EU Network and Information Systems] directive [will carry] significant fines."

Rose added that a lot of these organizations, including water, electric and telecoms organizations, are facing challenges, as their legacy systems increasingly interface with and are exposed to the internet. He said that was "a particular area of concern", citing one example of airports introducing remote control towers to manage traffic.

Our Take:

It’s encouraging to see governments across the world begin to recognize that cybersecurity is more than just protecting against data breaches and intellectual property theft. The UK is a leading voice, among others, on guidelines and best practices to help organizations get ahead of an ever-evolving threat.

Fifth Domain: Are DoD’s cyber forces too focused on the network?

Cyber Command’s primary mission is defense of the Department of Defense Information Networks, but some believe they might need to expand beyond DoD’s networks.

Regarding the aiming point for DoD, “we have spent years and years focused on infrastructure. Routers, switches, servers and making sure that’s right. We know how to do that, we have policies and regulations on how to do that and it’s done very well,” Col. Paul Craft, director of operations at Joint Force Headquarters-DoDIN, the DoD’s global operational defensive unit, said May 16 at the AFCEA Defensive Cyber Operations symposium in Baltimore, Maryland.

“We need to shift because that’s not the only thing the information network is. It’s also our platform IT; it’s also all of our programs of record; it’s also our [industrial control systems] ICS and [supervisory control and data acquisition] SCADA systems; it’s also the cloud; it’s also all of our cross domains that we have out in the network.”

Our Take:

Hear, hear! IT systems were a logical starting point for DoD, but it is absolutely time to expand the conversation to include the industrial control systems that run some of the nation’s most mission-critical operations across the Defense Industrial Base.