The Claroty Blog

OT/ICS News Roundup: Week Ending 6.8.18

Patrick McBride, Dave Weinstein

Here are a few stories that turned our heads in Operational Technology (OT)/Industrial Control Systems (ICS) security over the past week:


The Hill: House panel approves bill to secure industrial systems from hacks

The House Homeland Security Committee has advanced legislation designed to boost security around industrial control systems (ICS) used to power the electric grid and other critical services in the United States.

The measure approved by the committee on Wednesday would codify and expand the Department of Homeland Security’s current efforts to identify and mitigate cyber threats to industrial control systems -- technology used in a wide swath of critical sectors, including power and water systems, manufacturing, and transportation. 

Our Take: It’s encouraging that we are seeing more government action to ensure the security of our industrial control systems, particularly within the House Homeland Security Committee and Cybersecurity and Infrastructure Protection Subcommittee. These discussions and debates need to happen more frequently, more visibly, and with the inclusion of both the public and private sectors if there is to be meaningful advancement in the security of these vulnerable industrial environments.


FireEye Blog: A Totally Tubular Treatise on TRITON and TriStation

Despite the routine techniques employed to gain access to an OT environment, the threat actors behind the TRITON malware framework invested significant time learning about the Triconex Safety Instrumented System (SIS) controllers and TriStation, a proprietary network communications protocol. The investment and purpose of the Triconex SIS controllers leads Mandiant to assess the attacker's objective was likely to build the capability to cause physical consequences.

TriStation remains closed source and there is no official public information detailing the structure of the protocol, raising several questions about how the TRITON framework was developed. Did the actor have access to a Triconex controller and TriStation 1131 software suite? When did development first start? How did the threat actor reverse engineer the protocol, and to what extent? What is the protocol structure?

Our Take: While it’s impossible to assess the attacker’s intent with full confidence absent more information, the target selection in this case leaves little doubt. Of note, it is always possible that the attacker targeted the SIS purely to demonstrate capability. The absence of a discovered payload strengthens this theory.


Slate: Why the Military Can’t Quit Windows XP

When most organizations are deciding whether to upgrade their computers to the latest version of Microsoft Windows, they don’t have to worry about life-and-death consequences. One exception to that rule is the U.S. Department of Defense: the nation’s largest employer and a globe-spanning organization that must consider both cybersecurity risks and potentially fatal consequences related to computer failures when making the choice to abandon legacy operating systems such as Windows XP.

The military’s long-standing relationship with Windows XP is not unusual. Many PC users and companies clung to Windows XP long after its 2001 debut and refused to upgrade to follow-up Windows versions. In 2014, when Microsoft officially ended support for the aging operating system, Windows XP still accounted for 30 percent of operating systems worldwide. At the time, officials estimated that 3 percent of the Pentagon’s several million computers were still running Windows XP. That same year, a Navy official issued a directive titled “Windows XP Eradication Efforts.” But the mission-critical functions of some of those computers can defy straightforward upgrades—which is why the Pentagon has often found it easier to occasionally give Microsoft a multi-million dollar contract for supporting specialized systems running on Windows XP, Windows 2003, and other legacy Microsoft products.

Our Take: This is not unlike what we see in the field every day. Upgrades and patches are much less straightforward in an industrial environment (vs. an IT environment), and as a result, legacy operating systems and applications are often kept in service long past their “freshness date.” Uptime and productivity are the priorities in these environments, so they cannot be taken offline for frequent maintenance windows to install new versions. Often, system maintenance occurs but once a year (if at all). Also, changing operating systems and application versions can actually put an industrial environment out of warranty with its vendors. OT environments are extremely complex and contain interdependencies across multiple vendors and communication protocols. A patch or system upgrade on one component can very well create incompatibility with other components, again putting uptime at risk. These are but a few of the reasons we advocate that industrial operators employ deep monitoring and threat detection across the network.

CNBC: The next 9/11 will be a cyberattack, security expert warns

A cyberattack of devastating proportions is not a matter of if, but when, numerous security experts believe.

And the scale of it, one information security specialist said this week, will be such that it will have its own name — like Pearl Harbor or 9/11.

"The more I speak to people, the more they think that the next Pearl Harbor is going to be a cyberattack," cybersecurity executive and professional hacker Tarah Wheeler told a panel audience during the Organization for Economic Cooperation and Development's (OECD) annual forum in Paris.

"I think that the most horrifying cybersecurity attack is going to have its own name and I think it's going to involve something more terrifying than we've thought of yet."

Our Take: While implying a comparison of a cyberattack to the physical destruction and loss of life of 9/11 doesn’t sit quite right with us (we get it, the author needs a provocative title to hook the reader), we understand the comparison and don’t disagree with the real point the quoted experts are making. It is likely there will be a high-profile, catastrophic cyberattack at some point. It is also likely, given the current trends, that a state-sponsored group will be involved. It is virtually certain the target will not see it coming. And when it happens, it will come to be known by “a name”. That kind of shorthand is how the media responds to significant events.
