The Claroty Blog

OT/ICS News Roundup: Week Ending 6.29.18

| Patrick McBride, Dave Weinstein

Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past week:

 

Reuters: Exclusive: Ukraine says Russian hackers preparing massive strike

Hackers from Russia are infecting Ukrainian companies with malicious software to create “back doors” for a large, coordinated attack, Ukraine’s cyber police chief told Reuters on Tuesday.

The hackers are targeting companies, including banks and energy infrastructure firms, in a roll out that suggests they are preparing to activate the malware in one massive strike, cyber police chief Serhiy Demedyuk said. Ukrainian police are working with foreign authorities to identify the hackers, Demedyuk added.

The Kremlin denied the allegations. “No, that is not true,” said spokesman Dmitry Peskov, in comments conveyed to Reuters by his office on Wednesday.

Our Take: The increase in malicious activity targeting Ukrainian companies is a fact; the objective and timing of this activity is less clear.  With this week’s anniversary of the NotPetya attack, it is not a stretch to imagine some sort of coordinated attack being readied, but there does not appear to be enough forensic information available to determine the end-game.  The report does infer that IT networks are being targeted, which of course was how NotPetya originated before it spread to industrial networks. We continue to urge operators of industrial networks to review their network segmentation scheme and identify all vulnerable endpoints in their network to reduce the chance of such “spillover damage” from a future attack.

 

The Hill: House passes bill to addressing industrial cybersecurity

The bill offered by Rep. Don Bacon (R-Neb.) would codify work the Department of Homeland Security is currently doing to identify cyber threats to industrial control systems and mitigate them. Industrial control systems are used to run critical services in the United States, including the electric grid, water systems, and manufacturing plants. 

The House passed the legislation in a voice vote Monday evening, after it cleared the House Homeland Security Committee earlier this month. However, there is currently no companion legislation being offered in the Senate.

Bacon introduced the legislation in May, after FBI and Homeland Security officials blamed hackers linked to the Russian government for waging a cyberattack campaign against the energy sector and other critical infrastructure sectors. In some cases, the hackers successfully breached networks where they were able to access information on industrial control and supervisory control and data acquisition, or SCADA, systems. 

Our Take: It’s highly encouraging the see lawmakers in the House advance a basic but critical piece of legislation on ICS security, but much work is to be done before it reaches the President’s desk.  The Department of Homeland Security, specifically the National Cybersecurity and Communications Integration Cell, can be a national asset in the fight to make our critical infrastructure more secure and resilient to cyber attacks.  However, the government alone cannot solve this problem; it will take a unified effort between the public and private sectors to fully address industrial cybersecurity.

 

CSO: IoT security a concern, but most companies don't have a way to detect attacks on ICS

It seems everyone wants in on the Internet of Things (IoT) — and that desire for connectivity includes power plants, water treatment centers, and manufacturers — even though 65 percent of surveyed companies acknowledged that Industrial Control Systems (ICS) security risks are more likely with IoT.

Nevertheless, organizations want to bump up the efficiency of their industrial processes with new IT. They are pouring money into security for IT networks, while also boosting automation efficiency by connecting their operational technology (OT) with external networks — this despite 77 percent believing their organization is likely to become a target of a cybersecurity incident involving their industrial control networks.

Our Take: More connectivity naturally introduces new risks to industrial control system (ICS) owners and operators, but this risk can be managed.  Some have called for eliminating digital technologies and automation all together for the most sensitive and critical assets. We think there’s a better solution, one that doesn’t sacrifice all of the benefits of connectivity for gleaning real-time performance analytics and enabling remote access.  It starts with gaining better visibility into what is on your network and how it is behaving. Establishing this baseline of activity greatly increases an operator’s chances of detecting malicious anomalies well before any production is at risk.

 

Dark Reading: Destructive Nation-State Cyberattacks Will Rise

Incidents like last year's WannaCry attacks by suspected North Korean threat actors and the more recent news about Russian hackers taking control of hundreds of thousands of network routers worldwide have clearly spooked the enterprise InfoSec community.

Security vendor Tripwire surveyed attendees at Infosecurity Europe 2018 in London earlier this month and found 83% of the 416 respondents saying they expected nation-state attacks against critical infrastructure targets in Europe to increase in the next 12 months.

Our Take: Unfortunately, we can’t disagree with the attendees at Infosecurity Europe.  The reality of today’s ICS/OT threat landscape is that barriers to entry are falling and the attack surface is expanding.  The result is more terrain to defend and more actors. It’s not all doom and gloom, though. Automation vendors have made great strides in recent years to improve the security of their products and the research community is hard at work to find vulnerabilities early and empower infrastructure owners and operators to patch their holes with minimal disruption to operations.  

 

Advanced Manufacturing: IIoT: From Catchphrase to Reality

Newton’s Third Law is that for every action, there is an equal and opposite reaction. With the IIoT, the equivalent is for every advancement in technology, the greater the need for cybersecurity.
“Most industrial devices were never intended to be exposed over an open network link to the Internet,” said Younes of Litmus Automation. “As a consequence, they do not have the proper security in place to protect data from being stolen or being hacked.

“Many systems are also not able to talk to the cloud or support bidirectional communications,” he continued. “Data should be secured using standardized, enterprise-class security protocols and mechanisms. OEMs and manufacturers should authenticate devices and encrypt data transport from end to end.”

“It’s critical that security is addressed at every level when building an IIoT solution,” said Joe Gazzarato, FANUC director Zero Down Time Cloud System and application development. “There needs to be more partnerships between solution providers and information technology companies.”

Our Take:  Ditto!  The IIoT ecosystem affords manufacturers and other industrial companies enormous opportunities to optimize efficiencies.  It also introduces risk. Like most technological innovations, industrial security has lagged behind the digital transformation that is taking place in our plants and factories.  As the industrial arc begins to bend more towards security, however, we are proud to partner with the most prominent automation vendors to ensure that industrial innovations are reliable, efficient and secure.

Subscribe to the Blog