The Claroty Blog

OT/ICS News Roundup Week of 9.18.17

| Steve Ward

Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past few days: 

FireEye Blog: Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware

APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production….

One of the droppers used by APT33, which we refer to as DROPSHOT, has been linked to the wiper malware SHAPESHIFT. Open source research indicates SHAPESHIFT may have been used to target organizations in Saudi Arabia.

Although we have only directly observed APT33 use DROPSHOT to deliver the TURNEDUP backdoor, we have identified multiple DROPSHOT samples in the wild that drop SHAPESHIFT. The SHAPESHIFT malware is capable of wiping disks, erasing volumes and deleting files, depending on its configuration.

Our Take: While there is no evidence to suggest that this group has conducted any destructive/wiper attacks, there is a significant precedent with the Saudi Aramco attack which should cause alarm. In that case, the business networks were the target. It would appear based on the details released by FireEye that similar targeting is occurring in this case. Regardless, companies in these sectors should take note and take precaution. We should also remember that lateral movement from business (IT) networks to operational technology (OT) networks is possible and a probable move for any sophisticated adversary.


SC Media: Energy Dept. to invest up to $50M in infrastructure cybersecurity, resilience

The U.S. Energy Department will sink up to $50 million in multiple projects, 20 of them cybersecurity-related, under the umbrella of its National Laboratories to boost the resilience and security of the U.S. critical energy infrastructure.

“A resilient, reliable, and secure power grid is essential to the Nation's security, economy, and the vital services that Americans depend on every day,” Secretary of Energy Rick Perry said in a release, noting that back-to-back Hurricanes Harvey and Irma, and the ongoing recovery efforts, have emphasized the need to boost the nation's electricity delivery system to accommodate and recover from disruptions.

Our Take:  Any and all investments into strengthening the security of America’s critical infrastructure networks is welcomed and applauded. We are hopeful that with recent disclosures of nation-state attacks against US Energy and Nuclear facilities, this will be the beginning of a new period of action.

IoT Agenda: Industrial IoT security: Is risk increasing?

In my experience (and this may shock security wonks), security is not a change driver. Fear is simply not enough. Industrial systems are usually not willing to implement a new architecture (just) to improve security. The power industry is my favorite example. The industry has been screaming for 20 years that security is a problem. And, it will go right on screaming … unless something else drives the change.

The good news? IIoT is that change driver. While it may not drive the change, security is absolutely a change gate. When implementing a new architecture for any reason, every application insists on security. Since IIoT is motivating many, many industrial applications to redo their architectures, security is getting better. Of course, implementing a new architecture for a major industrial application, or for that matter an entire industry, is daunting. But this is the magic of the sweeping changes offered by IIoT. IIoT is compelling. Change is coming, and it’s coming fast.

Our Take: We agree that the movement towards “IIoT” and the convergence of IT and OT networks SHOULD be a change gate for better cybersecurity. We are hopeful but caution the industry as-a-whole not to repeat past mistakes of technology adoption with security as an after-thought. We are encouraged by recent moves from major players such as Rockwell Automation and Schneider to partner with cybersecurity firms – we think it demonstrates a strong understanding on the part of ICS vendors that security must be a paramount concern.  

SecurityBrief Asia: Quann and Claroty Strengthen Singapore’s Critical Infrastructure Security

The two companies will work together to build an advanced operational technology (OT) security solution to address challenges that Singapore’s critical information infrastructures face day-to-day.

“This partnership has been in stealth mode for over a year as we have been building up our joint capabilities and carrying out trials for key customers. It brings together one of the best-in-class OT solution providers with a leading MSSP,” comments Quann’s managing director Foo Siang-tse.

The partnership also aligns with the Singapore government’s Smart Nation vision. The partnership will secure control systems – the backbone of critical infrastructures such as transport, water, communications and power.

Our Take: We are incredibly proud to add Quann to a growing list of strategic partners around the globe. Their presence in Singapore and focus on Critical Infrastructure security enables Claroty to expand its reach to Asia at an incredibly important and increasingly dangerous time. We are already working with Quann to support their MSSP offering and are seeing tremendous response from the Singapore and broader Asia market.

Rockwell Automation: New Services from Rockwell Alert Operators of Security Threats

“Our threat detection services are a passive, nonintrusive security solution,” said Umair Masud, consulting services portfolio manager, Rockwell Automation. “This is crucial because we don’t want to adversely impact complex, industrial control systems by introducing new traffic onto the network.”

The new set of services is built on top of threat detection software, created by Claroty, an Encompass Product Partner of the Rockwell Automation PartnerNetwork program.

Our Take: We have previously announced our partnership with Rockwell Automation. This latest announcement marks the launch of Rockwell’s MSSP offering for its clients – built upon the Claroty platform. We are thrilled to see a major trend emerging in which the top ICS vendors are charging full speed ahead with cybersecurity at top of mind.


Subscribe to the Blog