The Claroty Blog

OT/ICS News Roundup: Week Ending 6.1.18

| Patrick McBride, Dave Weinstein

Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past week:


eWEEK: NIST Develops Guide to Securely Converting Industrial IoT to Wireless

Unfortunately, moving an industrial IoT network to wireless can be a daunting task. “There are a lot of challenges,” said Rick Candell, an electronics engineer for the National Institute of Standards and Technology. Candell is the principal author of NIST’s new ebook, “Guide to Industrial Wireless Systems Deployment.” The publication is considered a science-based set of guidelines for taking your factory floor wireless.

“The key is to keep your operation running,” Candell explained. “You’re not doing this to download movies.” The goal is to reach whatever level of reliability a manufacturing operation requires, he said.

Candell’s guide is intended to be read by the IT and engineering staff at a company with manufacturing facilities, whether those facilities are inside or outdoors. But it’s actually an invaluable reference for business wireless planners, regardless of whether they have a factory or a warehouse.

Our Take: We are encouraged to see Chapter 6 in the ebook is dedicated to Industrial Wireless Security and believe the reference is worth a read for anyone considering the addition of wireless networking in their operational environment.  While fairly high-level, the book does reference several recommended layers of security, including network monitoring and anomaly detection. However, we frequently see industrial environments running traditional wired networks that still have not implemented a full cyber protection strategy, and in many cases, do not have a full accounting of the endpoints on that network.  Adding wireless to this complex environment does increase the attack surface so we urge for those moving in this direction to use it as an opportunity to ensure the entire OT environment is secure.


Utility Dive: 5 ways energy companies can protect themselves from cyberattacks

It’s clear that critical infrastructure is a primary target for both rogue and state-sponsored hackers. The FBI/DHS just issued a joint alert to that effect in February, specifically calling out the energy sector as sitting in the crosshairs of international cyber actors. We know the enormous implications of these types of systems going offline. Knocking out EDI providers doesn’t simply slow down business or cost money; it can prevent people from receiving gas and electricity in their homes. The resulting disruption is inconvenient at best, dangerous at worst, and can snowball into a variety of other issues with effects that only increase over time.

And yet here we are. Why? A large part of the issue comes down to human error. With over 90 percent of cyberattacks stemming from phishing emails, companies must remember that no one is immune. While it’s important to invest heavily in training and awareness, companies should also make sure their technology platforms both leverage trusted firewalls, anti-virus and anti-phishing protections, and employ security best practices to block phishing at the source.

Our Take: The author references compliance in two of the five steps.  While compliance is a requirement for many industrial operators, it is important to view regulatory mandates as a floor, not a ceiling.  In other words, they define the minimum standard required to comply with the law, not necessarily what is needed to protect your environment; compliant does not necessarily mean secure.  We suggest starting with a holistic security assessment, and then overlaying compliance requirements to ensure they are covered within the implementation plan.

The Washington Post: The Cybersecurity 202: Only YOU can prevent a VPN Filter malware attack. That's a problem for the FBI.

The FBI’s move to seize control of a network of half a million wireless routers and other devices infected with malicious software threw a wrench into a massive hacking campaign by a group linked to the Russian military.

But the FBI is limited in how much it can do to disrupt the global botnet on its own. While the bureau got a court order last week to take over a domain at the botnet's core that allows the connected devices to launch attacks, it's now up to owners of the infected equipment to take active steps to prevent hackers from hijacking the devices again.

That's not likely to happen anytime soon. In fact, ridding the infected devices of malware dubbed VPN Filter “is likely to take at least a year, if not multiple years,” said Vikram Thakur, technical director of the security response team at the cybersecurity firm Symantec. “To remove the malware, and update the router to be free of known security vulnerabilities, requires a degree of end user interaction with the router that is unlikely to happen in the short term."

Our Take: Cybersecurity has always been a shared responsibility and the latest development with VPNFilter is yet another reminder that users themselves play an important role.  Thanks to the good work of Cisco’s Talos Group, in close coordination with law enforcement, the FBI is now in control of a significant portion of the bonet, which will disrupt the second and third stages of the malware.  This is especially good news for the ICS community since these stages include a plug-in module for monitoring SCADA protocols.

Subscribe to the Blog