The Claroty Blog

OT/ICS News Roundup: Week Ending 8.10.18

By Patrick McBride and Dave Weinstein

Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past week:

Dark Reading: Even 'Regular Cybercriminals' Are After ICS Networks

A recent honeypot project conducted by security firm Cybereason suggests that ICS operators need to be just as concerned about ordinary, moderately skilled cybercriminals looking to take advantage of weakly secured environments as well.

"The biggest takeaway is that the threat landscape extends beyond well-resourced nation-state actors to criminals that are more mistake-prone and looking to disrupt networks for a payday," says Ross Rustici, senior director of intelligence services at Cybereason. "The project shows that regular cybercriminals are interested in critical infrastructure, [too]."  

Our Take: We agree. Indeed, the days when only nation-states target ICS networks are certainly numbered. The proliferation of malware frameworks and more ubiquitous access to target information is opening the door to parties with motivations that are neither political nor ideological. We expect these criminal actors to focus on the industries that have the most to lose from operational downtime or from the reputational fallout of a high-profile incident. We should not rule out the possibility that these actors, although non-aligned, enjoy a degree of state sponsorship.


Dark Reading: Researchers Release Free TRITON/TRISIS Malware Detection Tools

A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware that targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant has developed open source tools for detecting it.

Researchers from Nozomi Networks, along with independent ICS expert Marina Krotofil, previously with FireEye, today demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack.

Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark that the researchers wrote to dissect the Triconex system's proprietary TriStation protocol. The free tool can detect TRITON malware communicating in the network, as well as gather intelligence on the communication, translate function codes, and extract PLC programs that it is transmitting.

The researchers today added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks.

Our Take: It goes without saying that we applaud these researchers' work and hope that ICS operators will take full advantage of its benefits. TRITON is a useful case study for demonstrating what we in the ICS/OT security community are up against. Tools like these, built in response to observations in the wild, will be key to elevating our collective defense posture.
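To make the defensive idea behind both tools concrete, here is a small added example (not code from Nozomi Networks, Claroty, or the Wireshark plug-in) that applies the same two checks to flow records: flag any host that speaks the safety-controller protocol but is not an approved engineering workstation, and flag any contact with a decoy controller address. It assumes, as labelled in the code, that TriStation traffic is carried over UDP port 1502, and all addresses and flow records are constructed for the example.

```python
"""Allowlist and decoy-based detection for safety-controller traffic.

Added example; not the Nozomi Networks plug-in or honeypot tool.
Assumptions (labelled): TriStation runs over UDP/1502, the SIS controllers
live in one subnet, and only known engineering workstations should ever
talk to them. A decoy controller address mimics the honeypot approach:
any traffic to it is suspicious by definition.
"""
import ipaddress
from collections import defaultdict

TRISTATION_PORT = 1502                       # assumption: TriStation over UDP/1502
SIS_CONTROLLERS = ipaddress.ip_network("10.10.9.0/24")          # constructed
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.1.5")}  # constructed
DECOY_CONTROLLERS = {ipaddress.ip_address("10.10.9.22")}        # constructed lure

# Constructed sample flow records: "src dst proto dport bytes".
# 10.10.1.5 is the approved workstation; 10.10.2.77 is an office host that
# sweeps the controller subnet, including the decoy.
SAMPLE_FLOWS = """\
10.10.1.5 10.10.9.20 udp 1502 640
10.10.1.5 10.10.9.21 udp 1502 1280
10.10.2.77 10.10.9.20 udp 1502 96
10.10.2.77 10.10.9.21 udp 1502 96
10.10.2.77 10.10.9.22 udp 1502 96
10.10.1.5 10.10.9.20 tcp 502 300
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_tristation(flow):
    """True when the flow matches the assumed TriStation transport."""
    return flow["proto"] == "udp" and flow["dport"] == TRISTATION_PORT


def find_unexpected_tristation(flows):
    """Map each non-approved source speaking TriStation to a SIS controller
    onto the sorted list of controllers it contacted."""
    hits = defaultdict(set)
    for f in flows:
        if not is_tristation(f) or f["dst"] not in SIS_CONTROLLERS:
            continue
        if f["src"] in ENGINEERING_WORKSTATIONS:
            continue                      # approved engineering traffic
        hits[f["src"]].add(f["dst"])
    return {str(s): sorted(str(d) for d in ds) for s, ds in hits.items()}


def find_decoy_contacts(flows):
    """Any host touching a decoy controller is reported, allowlisted or not:
    nothing legitimate has a reason to talk to a lure."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst"] in DECOY_CONTROLLERS:
            hits[f["src"]].add(f["dst"])
    return {str(s): sorted(str(d) for d in ds) for s, ds in hits.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unexpected TriStation sources:", find_unexpected_tristation(flows))
    print("decoy contacts:", find_decoy_contacts(flows))
```

On the constructed flows the office host 10.10.2.77 is reported twice: once for speaking TriStation to controllers without being an approved workstation, and once for touching the decoy. The Modbus/TCP flow on port 502 is ignored because it is not the protocol being watched, which is the point of dissecting the specific safety protocol rather than alerting on all traffic to the subnet.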


E&E News: DOE to vet grid's ability to reboot after a cyberattack

The Department of Energy is planning an unprecedented, "hands-on" test of the grid's ability to bounce back from a blackout caused by hackers, E&E News has learned.

The "Liberty Eclipse" exercise will simulate the painstaking process of re-energizing the power grid while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure.

The weeklong stress test is scheduled to take place this November on Plum Island, a restricted site off the coast of New York that houses a Department of Homeland Security animal disease center.

DOE's goal is to "gain insights into how industry, with DOE support, would execute response to a significant cyber incident," according to planning documents obtained by E&E News.

Our Take: As far as we’re concerned, these types of exercises can’t happen enough. It is great to see the Department of Energy taking a proactive approach to preparing for response and recovery in the event of a significant incident.


The Wall Street Journal: U.S. Officials Push New Penalties for Hackers of Electrical Grid

Top administration officials are devising new penalties to hit back more forcefully at state-sponsored hackers of critical infrastructure to deter attacks such as the successful penetration of U.S. utilities by Russian agents last year.

The push for explicit action is coming from top federal agencies to fight worsening threats to the country’s electricity system and other critical industries, particularly menacing actions from Russia, China, Iran and North Korea.

The events have forced “an evolution in the U.S. government’s thinking about how to deter malicious cyberactors,” said Robert L. Strayer, the State Department’s deputy assistant secretary in charge of cybersecurity matters, in an interview.

Spearheading the effort are the departments of State, Treasury and Defense, among other major agencies, according to government officials.

Our Take: Hear, hear! In the interest of norms building and deterrence, it is imperative that we devise and enforce penalties for aggressors in cyberspace, especially when their targets include civilian and lifeline infrastructure.


SecurityWeek: Reconnaissance, Lateral Movement Soar in Manufacturing Industry

An unusually high volume of malicious internal reconnaissance and lateral movement have been observed in the manufacturing industry, which experts believe is a result of the rapid convergence between IT and OT networks.

The data comes from the 2018 Spotlight Report on Manufacturing released on Wednesday by threat detection company Vectra. The report is based on observations from another report released on Wednesday by the company, the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which shows attacker behavior and trends across nine industries.

The Attacker Behavior Industry Report shows that Vectra has detected a significant number of threats in manufacturing companies. This industry has generated the third highest number of detections, after the education and energy sectors.

Our Take: This report highlights some very important trends that we are witnessing in the field. While most of the public’s focus is on the energy sector, manufacturing is experiencing a very active threat landscape. We agree that the rapid and largely ungoverned convergence of IT and OT networks is a major contributing factor. It’s also worth noting that this industry in particular is highly dependent on remote access, which is a common threat vector.
