The Claroty Blog

OT/ICS News Roundup: Week Ending 7.13.18

Patrick McBride, Dave Weinstein

Here are a few stories that turned our heads in Operational Technology (OT)/Industrial Control Systems (ICS) security over the past week:

Dark Reading: ICS Security: 'The Enemy Is in the Wire'

"The enemy is in the wire." During the Vietnam War, this call would ring out to alert everyone that the enemy was in the perimeter of fortifications. In our cyber world, we've known this for years; however, the call rang frighteningly true in May of this year.

This particular enemy was first discovered in August 2017, as a new piece of malware, now known as Trisis. A Middle Eastern oil and gas company found the malware when its industrial equipment started shutting down.

This company, which to date has not been named, called Saudi Aramco to help investigate software found on some of its computer systems. Together with experts from Mandiant, they discovered a new cyber weapon with echoes of Stuxnet, which was used to attack and disable Iran's uranium enrichment plant by making centrifuges spin at self-destructive speeds.

Our Take: In the age of multinational industrial operators connected by global networks, there is no longer a secure perimeter "wire"; any threat is a potential global threat. But we digress. Whether or not this particular enemy has already crossed our borders (while possible, the claim has not been publicly validated), it is just a matter of time before a Trisis variant or similar threat is discovered somewhere beyond the initial target, and we can't afford to wait for that to happen. The author also outlines some preemptive actions, which we agree are all good practices:

  • Get a full accounting of what is on OT and IT systems and how they communicate.
  • Identify ICS and network devices that should be decommissioned and replaced.
  • Implement network segmentation.

To go a step further, our Galina Antova recently published a series of 7 steps you can take starting today to put your organization on the path toward better situational awareness and risk reduction. It’s worth reviewing.

Dark Reading: Ukraine Security Service Stops VPNFilter Attack at Chlorine Station

Ukraine's SBU Security Service reportedly detected and shut down a cyberattack that used VPNFilter malware on network equipment in a chlorine station that supplies water treatment and sewage plants.

Interfax-Ukraine reported that the LLC Aulska station in July was hit with a VPNFilter infection intended to disrupt operations at the chlorine station.

"Specialists of the cyber security service established minutes after [the incident] that the enterprise's process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident," the SBU wrote on its Facebook page, according to the report.

Our Take: This reporting, while disturbing, is indicative of a threat that has long worried the ICS/OT security community. The water sector, despite the lack of attention it receives from media and government, is one of the most vulnerable and high-risk critical infrastructure sectors. At this juncture it is too early to comment with high fidelity on the SBU's claims based on what we know about VPNFilter. Needless to say, we are monitoring this development closely.

Forbes: Senate To Probe Growing Cybersecurity Threats, Is Energy Infrastructure Safe?

Thursday the full Senate Energy & Natural Resources Committee will hold a hearing to examine how gas and electricity get delivered, what infrastructure is available, and what needs to be done to increase supply and delivery. The discussion will look at the policy issues involved in securing power grids from cyber or physical attacks.

The hearing comes on the heels of a draft memo leaked last month from the Department of Energy suggesting that "growing threats, including cyber-attacks" to "the energy sector" were possible. The Energy Department is not alone: grid security has been a regular topic for academics and public policy analysts around the beltway for some time.

Our Take: The frequency and quality of recent hearings on Capitol Hill, including this one, is indicative of lawmakers' growing concern about cyber threats to critical infrastructure. Most of these hearings have been focused on the energy sector, and rightfully so. And while the energy sector is a high-profile, high-value target, it is also among the most mature when it comes to industrial cybersecurity. For this reason, lawmakers should also focus their attention on less mature but equally attractive lifeline sectors like water, communications, and transportation.