The Claroty Blog

OT/ICS News Roundup: Week Ending 7.27.18

Patrick McBride, Dave Weinstein

Here are a few stories that turned our heads in Operational Technology (OT)/Industrial Control Systems (ICS) security over the past week:

Moving Towards Secure Remote Access in Manufacturing

Whether you’re working from home, picking up e-mails on the go or away on business, it’s usually possible to remotely access your company’s network. Though easy to implement in many enterprises, complexity and security present hefty barriers to many industrial businesses. This article discusses secure remote access and the challenges it presents.

Our Take: We agree. In addition to simplifying (beyond VPN and RDC) how employees and third parties access the network remotely, a comprehensive secure remote access capability can significantly reduce a commonly exploited path attackers use to gain a foothold on industrial networks (the 2015 Ukraine electric grid attack is a good example). Even if we didn’t have a “dog in the fight” we would agree that mitigating this risk to industrial networks is really important. Oh, and as a side benefit to the plant/shop floor/operations personnel, if the solution also records the sessions, they can audit whether the vendor is doing what they said they would do in their change request.

The Future of the ICS Cyber Security Detection Market

Our asset owner clients are getting bombarded by sales efforts from these companies and asking me what they should do. If their ICS security program is at the right stage of maturity, and they are willing to commit the manpower these solutions require, we are encouraging them to try one of the market leaders out.

Here are four predictions for the ICS detection market. The first three are straightforward, and the fourth is new, less obvious and the most interesting.

Our Take: We generally agree with Dale’s assessment of the ICS Cyber Security Detection Market, even if we disagree with a few points. Any disagreements from our end are mostly nuances we will cover in a blog. One great point Dale makes is that “most [ICS Cyber Security Detection vendors] will fail”. This is why having the appropriate level of capital and a great team is so vitally important in this market. Claroty fortunately has both. And while Dale may still be skeptical about ICS vendors being in the cybersecurity business, at this juncture it is important that ICS cyber vendors have the support and validation of those ICS vendors so that asset owners can be comfortable using these solutions. We’re fortunate to have this support as well.

SecurityWeek: Shipping Giant COSCO Hit by Ransomware

COSCO, one of the world’s largest shipping companies, described the incident as a “local network breakdown” in the Americas region. The firm says it has suspended connections with other regions while it conducts an investigation. While COSCO’s statement does not mention a cyberattack, the company told some news outlets that the disruptions are the result of a ransomware attack. If COSCO was truly hit by ransomware – it’s not uncommon for companies to misclassify cyber threats in the initial phases of an investigation – it would not be the first time a major shipping company has fallen victim to this type of attack.

Our Take: A good reminder that you don’t need to be THE target to be impacted by attacks. This was a particularly tough lesson for asset owners with NotPetya attacks that hit some operational environments very hard.

The Wall Street Journal: Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say

Hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. They said the campaign likely is continuing.

The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, “air-gapped” or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.

Our Take: This article and many others were driven by DHS webinars on the topic, not by any new news. We published a detailed blog on the topic: Walking Back the Blackout Hysteria.
