The Claroty Blog

OT/ICS News Roundup: Week Ending 6.22.18

Patrick McBride, Dave Weinstein

Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past week:

Associated Press: Inspector general: 2 US dams at risk of ‘insider threats’

Two dams critical to U.S. national security are at high risk for “insider threats” that could impair operations because of poor computer security practices such as too many employees having access to administrator accounts and failures to routinely change passwords, according to a new inspector general report.

An evaluation released Monday by the U.S. Department of the Interior doesn’t name the two dams, and spokeswoman Nancy DiPaolo cited national security concerns. But they are among five dams operated by the U.S. Bureau of Reclamation that are considered “critical infrastructure,” meaning their destruction or impairment could hurt national security. Those five dams are Shasta and Folsom Dams in California, Glen Canyon Dam in Arizona, Grand Coulee Dam in Washington and Hoover Dam, which straddles Nevada and Arizona.

Our Take: Unfortunately, the insider threat cited by this inspector general report is not unique to these two dams. We witness this type of sloppy cyber hygiene throughout the critical infrastructure community. Managing remote access and administrator privileges requires attention to detail, and sometimes organizations must sacrifice some convenience to ensure highly privileged accounts are not compromised. Of course, Claroty’s Secure Remote Access (SRA) solution was designed to address this precise risk for organizations.
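The two hygiene failures the inspector general report names, too many accounts holding administrator access and passwords that are never rotated, are easy to check mechanically once you have an account inventory. The script below is an added example, not code from Claroty or from the report; the inventory, the policy thresholds (at most three admin accounts per system, 90-day rotation) and the reference date are all constructed assumptions for illustration.

```python
"""Added example (not from the Claroty post or the inspector general report):
audit a constructed account inventory for excess administrator accounts and
stale passwords. Thresholds and the inventory are assumptions."""
from datetime import date

MAX_ADMINS = 3              # assumed policy: at most 3 admin accounts per system
MAX_PASSWORD_AGE_DAYS = 90  # assumed policy: rotate passwords every 90 days
TODAY = date(2018, 6, 22)   # fixed reference date so results are deterministic

# Constructed inventory modelled on a small control-system site. Each row is
# one account on one system with the date its password was last changed.
ACCOUNTS = [
    {"user": "ops1",       "system": "scada-hmi", "admin": True,  "last_pw_change": date(2018, 5, 1)},
    {"user": "ops2",       "system": "scada-hmi", "admin": True,  "last_pw_change": date(2018, 4, 15)},
    {"user": "ops3",       "system": "scada-hmi", "admin": True,  "last_pw_change": date(2018, 6, 1)},
    {"user": "ops4",       "system": "scada-hmi", "admin": True,  "last_pw_change": date(2018, 3, 1)},
    {"user": "vendor",     "system": "scada-hmi", "admin": True,  "last_pw_change": date(2017, 11, 1)},
    {"user": "hist-ro",    "system": "historian", "admin": False, "last_pw_change": date(2018, 6, 10)},
    {"user": "hist-admin", "system": "historian", "admin": True,  "last_pw_change": date(2018, 1, 10)},
]


def audit(accounts, today=TODAY):
    """Return findings as (kind, system, subject, value) tuples.

    kind is 'stale-password' (value = password age in days) or
    'excess-admins' (subject = comma-separated admin users, value = count).
    """
    findings = []
    admins_by_system = {}
    for acct in accounts:
        if acct["admin"]:
            admins_by_system.setdefault(acct["system"], []).append(acct["user"])
        age_days = (today - acct["last_pw_change"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(("stale-password", acct["system"], acct["user"], age_days))
    for system, admins in admins_by_system.items():
        if len(admins) > MAX_ADMINS:
            findings.append(("excess-admins", system, ",".join(sorted(admins)), len(admins)))
    return findings


def summary(accounts, today=TODAY):
    """Count findings per kind, handy for a dashboard or a ticket title."""
    counts = {}
    for kind, *_ in audit(accounts, today):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, system, subject, value in audit(ACCOUNTS):
        print(f"{kind:15} {system:10} {subject:35} {value}")
    print(summary(ACCOUNTS))
```

Run against a real inventory, the same two checks map directly onto the report's findings; the vendor account in the constructed data, an admin with a password untouched for most of a year, is the pattern that makes remote access the first place to look.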

Power Engineering: Survey: Cybersecurity Lags in Critical Infrastructure Systems

A survey by cybersecurity firm Parsons indicates a pronounced lack of countermeasures to cyberattacks within industrial control systems and operational technologies.

That survey targeted 300 industrial control system engineers working in infrastructure sectors including energy, chemical, water, defense, and manufacturing.

Among the findings, 66 percent of respondents said their organizations are adding more connected industrial internet of things devices to ICS in the OT environment, 80 percent said OT environments are using a mix of old and new technologies and 78 percent said they are not highly involved in ICS cybersecurity.

Our Take: The survey results mirror what we have been saying for the last two years and what we see in the field every day. While we don’t see anything new here, another voice joining the dialog to share this message can only be a good thing.


Dark Reading: How to Prepare for 'WannaCry 2.0'

As things stand now, we're currently in the phase of "WannaCry 1.5," which is not causing the same level of damage but is still cause for concern. Every day, mutations (some minimal, others significant) of WannaCry appear and are used by ransom-hungry hacking groups. However, as malware becomes more sophisticated, there is an increased chance that a WannaCry 2.0 will become real. The underlying factors that enabled WannaCry to become so successful to its creators are still relevant:

  • Patching: Organizations are not implementing patching cycles in a timely manner. For example, a patch for EternalBlue was available in March 2017, but WannaCry was still able to infiltrate systems two months later, in May 2017, because of the delayed patching by organizations.
  • Hacker persistence: Zero-day and one-day vulnerabilities are still appearing and being used in the wild. Hackers, including independent and nation-state groups, are looking for the right opportunity to spread a ransomware strain that could have the same (or better) lateral movement capabilities as WannaCry.

Our Take: That WannaCry 2.0 (meaning an even more sophisticated malware attack) will appear at some point is a given; such is the evolution of threats and of technology in general. While WannaCry did not target industrial sites specifically, it was able to move from IT environments into OT networks largely because of poor network segmentation practices. And it was able to move unabated and wreak havoc throughout these OT networks because of generally weak (or absent) detection technologies within the OT environment. Happily, this is changing, but not quickly enough. We will almost certainly see the same jump of the threat from IT to OT networks with the next WannaCry or NotPetya.


Reuters: China-based campaign breached satellite, defense companies: Symantec

A sophisticated hacking campaign launched from computers in China burrowed deeply into satellite operators, defense contractors and telecommunications companies in the United States and southeast Asia, security researchers at Symantec Corp said on Tuesday.

It was unclear how Thrip gained entry to the latest systems. In the past, it depended on trick emails that had infected attachments or led recipients to malicious links. This time, it did not infect most user computers, instead moving among servers, making detection harder.

Following its customary stance, Symantec did not directly blame the Chinese government for the hack. It said the hackers launched their campaign from three computers on the mainland. In theory, those machines could have been compromised by someone elsewhere.

Our Take: This story highlights the degree to which nation-states are playing the long game in cyberspace and targeting infrastructure with strategic implications. It also demonstrates how the OT security field extends into space. According to Symantec, the campaign specifically targeted the systems that physically command and control the satellites. We can expect nation-states to continue this activity in preparation for contingencies.


CNN: Elon Musk: Tesla worker admitted to sabotage

In an email to Tesla employees late Sunday night, CEO Elon Musk says that an unnamed employee admitted to sabotaging the company's Fremont, California plant. The problem comes as Tesla scrambles to boost production of its Model 3 sedan to 5,000 a week by early July -- the rate at which Musk says the company can become profitable.

Musk said the Tesla employee had confessed to "quite extensive and damaging sabotage to our operations." The email said the employee made changes to the computer code of the company's manufacturing operating system. The employee also exported large amounts of highly sensitive company data to unknown third parties.

Our Take: Most of the industrial cybersecurity dialog focuses on external threats: network infiltration, malware, and the like. We don’t hear as much about internal threats such as sabotage, as these are highly targeted and likely easier to keep quiet. Still, cybersecurity teams must be on the lookout for any anomalies on the ICS networks that could indicate a potential threat. This includes code changes, firmware updates, configuration changes, etc., whether they originate internally or from a vendor. Establishing a baseline of what is normal in the environment helps to spot these anomalies more quickly, and the security team must be informed about any scheduled maintenance or changes so they can cross-check against what they see on the network.
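The baseline-and-cross-check approach described above can be implemented as a diff between a known-good asset inventory and a fresh snapshot, with each change matched against the maintenance schedule the security team was given. The script below is an added example, not Claroty's code and not related to the Tesla incident; asset names, firmware versions, hashes, the snapshot time and the change ticket are all constructed for illustration.

```python
"""Added example (not from the Claroty post): compare a baseline of ICS asset
state against a later snapshot, then cross-check each change against the
scheduled-maintenance list so only unexplained changes are raised.
All asset names, hashes, times and tickets are constructed."""
from datetime import datetime

# Constructed baseline: per-asset firmware version and hashes of the loaded
# controller program / HMI configuration, recorded during a known-good period.
BASELINE = {
    "plc-01": {"firmware": "2.3.1", "program_hash": "sha256:constructed-0a1"},
    "plc-02": {"firmware": "2.3.1", "program_hash": "sha256:constructed-0b2"},
    "hmi-01": {"firmware": "5.0.0", "config_hash": "sha256:constructed-0c3"},
}

# Constructed later snapshot: plc-01 received new firmware, plc-02's program
# was changed, and plc-03 appeared on the network with no baseline entry.
SNAPSHOT = {
    "plc-01": {"firmware": "2.3.2", "program_hash": "sha256:constructed-0a1"},
    "plc-02": {"firmware": "2.3.1", "program_hash": "sha256:constructed-9f9"},
    "hmi-01": {"firmware": "5.0.0", "config_hash": "sha256:constructed-0c3"},
    "plc-03": {"firmware": "2.3.2", "program_hash": "sha256:constructed-7e7"},
}
SNAPSHOT_TIME = datetime(2018, 6, 19, 2, 30)

# Constructed change schedule that the security team was told about in advance.
MAINTENANCE = [
    {"asset": "plc-01", "field": "firmware",
     "start": datetime(2018, 6, 19, 1, 0), "end": datetime(2018, 6, 19, 4, 0),
     "ticket": "CHG-0001 (constructed)"},
]


def diff_snapshot(baseline, snapshot):
    """Return one record per field that differs, plus assets that are new
    or missing relative to the baseline (field '*')."""
    changes = []
    for asset, state in snapshot.items():
        if asset not in baseline:
            changes.append({"asset": asset, "field": "*", "old": None, "new": "new asset"})
            continue
        for field, value in state.items():
            old = baseline[asset].get(field)
            if old != value:
                changes.append({"asset": asset, "field": field, "old": old, "new": value})
    for asset in baseline:
        if asset not in snapshot:
            changes.append({"asset": asset, "field": "*", "old": "present", "new": "missing"})
    return changes


def classify(changes, schedule, seen_at):
    """Mark a change 'expected' when a schedule entry covers the same asset
    and field at the observation time; everything else is 'unexpected'."""
    for change in changes:
        match = next((m for m in schedule
                      if m["asset"] == change["asset"]
                      and m["field"] == change["field"]
                      and m["start"] <= seen_at <= m["end"]), None)
        change["status"] = "expected" if match else "unexpected"
        change["ticket"] = match["ticket"] if match else None
    return changes


def unexpected_changes(baseline=BASELINE, snapshot=SNAPSHOT,
                       schedule=MAINTENANCE, seen_at=SNAPSHOT_TIME):
    """The anomalies worth an analyst's time: changes nobody scheduled."""
    return [c for c in classify(diff_snapshot(baseline, snapshot), schedule, seen_at)
            if c["status"] == "unexpected"]


if __name__ == "__main__":
    for c in classify(diff_snapshot(BASELINE, SNAPSHOT), MAINTENANCE, SNAPSHOT_TIME):
        print(f'{c["status"]:10} {c["asset"]:7} {c["field"]:13} '
              f'{c["old"]} -> {c["new"]}  {c["ticket"] or ""}')
```

The firmware update on plc-01 falls inside its ticketed window and is suppressed; the program change on plc-02 and the unknown plc-03 have no ticket and are the two items that reach the analyst. A real deployment would feed the snapshot from passive network monitoring or device polling and keep the schedule in sync with the change-management system, but the cross-check logic stays the same.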
