Welcome to issue #10 of the CyberX-Files!

In CyberX news, we closed $18 million in a strategic funding round led by Qualcomm Ventures and Inven Capital. Here are the highlights of our recent corporate news:

Enjoy this issue and please send any feedback to [email protected]!


IoT & ICS SECURITY NEWS

There was great interest in ICS and IoT security during RSA, as ICS has come to the forefront for most governments and businesses. The ICS Village was bustling for a full two days with over 30 sessions and demos, including an ICS cyber attack simulation and smart city panel. Additionally, critical infrastructure was highlighted in a CISA session as one of the top priorities for the agency in 2019 along with election security and supply chain. And there were several sessions on OT, including a presentation by Cisco about how OT is widening supply chain attack surfaces. Other recent industry coverage includes:

America’s Electric Grid has a Vulnerable Back Door – and Russia Walked Through It

The Wall Street Journal
  • The Wall Street Journal reconstructed the worst known hack into the nation’s power system. In this pieced-together account of the attack, the Journal details how over two dozen utilities were breached, with the hackers penetrating far enough to reach the industrial control systems of at least eight companies.
  • Instead of hitting the utility companies head on, the hackers went after hundreds of third-party contractors who had no reason to be on high alert against foreign agents.
  • The hackers planted malware on sites of online publications read by utility engineers, such as Control Engineering and Consulting-Specifying Engineer. They then sent fake résumés with tainted attachments, pretending to be job seekers.
  • Once they had network credentials, they slipped through hidden portals used by utility technicians, in some cases getting into computer systems that monitor and control electricity flows.
  • In March 2018, the U.S. released a report that pinned responsibility for the hostile activities on “cyber actors” working for the Russian government, indicating that they’ve been active since at least March 2016.
  • Industry experts say Russian government hackers likely remain inside some systems, undetected and awaiting further orders.

Read the full account in The Wall Street Journal.


FireEye Threat Research Confirms New Intrusion by the Attacker Behind TRITON

FireEye Threat Research Blog
  • FireEye confirms that it has uncovered additional intrusion activity by the attacker behind TRITON – including new custom tool sets – at a second critical infrastructure facility.
  • The attacker has been active since at least 2014.
  • After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network.
  • This report details the threat actor’s tactics for moving laterally through the network and their use of commodity hacking tools like Mimikatz as well as legitimate admin tools like RDP and PsExec/WinRM.
  • The attacker also used custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion. For example, they switched to custom backdoors in the IT and OT DMZs right before gaining access to the engineering workstation.
  • The analysis found that “the actor was present in the target networks for almost a year before gaining access to the Safety Instrumented Systems (SIS) engineering workstation,” confirming that continuous monitoring and anomaly detection are essential in identifying threats during their early phases.

Read the full blog here.


Major US Utility Agrees to Pay Record NERC Fine for Lax Security

E&E News
  • Duke Energy agreed to pay a record $10 million fine from regulators to settle 127 violations of security standards meant to protect the electric grid from catastrophic outages.
  • North American Electric Reliability Corp. (NERC) cited a “lack of management engagement, support, and accountability” at the organization, according to a 765-page dossier of dozens of incidents, saying they “posed a serious risk to the security and reliability” of the bulk power system.
  • Violations included: employees connecting corporate laptops to critical infrastructure protection (CIP) networks; a fired employee continuing to have access to sensitive computer systems because their manager neglected to inform the Help Desk; and “improper patching.”

Read full article in E&E News.


PG&E Among Utilities Cited for Failing to Protect Against Cyber and Physical Attacks

The Wall Street Journal
  • On the heels of the Duke Energy fines, three more utility companies including PG&E, DTE Energy Company and a municipal utility in Missouri broke rules designed to protect the nation’s electric system from cyber and physical attacks and were sanctioned by federal regulators.
  • The cases against the utility companies were lodged from 2014 to 2016—a time when Russia was in the midst of a major campaign to penetrate utility defenses, according to federal officials.
  • Although penalty cases aren’t uncommon, it isn’t typical for the public to know the operator’s identity. It’s clear that public officials are becoming more vocal about threats to critical infrastructure.
  • And this increased public attention has the electric industry concerned. In fact, last week, three trade groups asked the FERC to re-evaluate its rules on disclosure practices and to halt the processing of records requests, including those by the media.
  • As the debate on how much information to share publicly continues, each of the utility companies has agreed to pay for its infractions of security rules.

Read full article in The Wall Street Journal.


Ransomware Hits Colorado Water Utility

E&E News
  • The Fort Collins-Loveland Water District (FCLWD) was hit with ransomware earlier this year. Fortunately, operations weren’t affected but the incident prompted the water company to switch its IT service provider and call the FBI.
  • In many emergency planning exercises, it isn’t the lack of electricity that triggers chaos and widespread casualties. It’s the lack of clean water that forces people from their homes.
  • The nation’s nearly 70,000 water and wastewater utilities are having great difficulty dealing with online threats. As one IT manager at a midsize water utility put it, “It’s not a question of if, it’s a question of when” hackers disrupt vital U.S. water systems.
  • New Jersey is one of the only states to take regulatory action with regard to water security. The state requires utilities to report cyber events to its environmental officials and include cybersecurity in risk management plans.
  • Mary-Anna Holden, a commissioner on the New Jersey Board of Public Utilities, stated, “if someone’s hacked into the operational network and can control chlorination, do something to the [wastewater] digesters or can get control of the wastewater plant, that’s the thing that keeps me up at night. You could cause cholera or dysentery downstream, which could be a major city. How do you counteract that?”
  • Sixty-three cyber vulnerabilities were uncovered in the “water supply” sector in 2018, according to federal data, accounting for 15% of all industrial security problems. And even if supply interruptions or chemical releases don’t become a full-blown crisis, a hack that causes people to lose faith in the quality of their water is “certainly within the realm of possibility” for nation-state hackers.

Read full article in E&E News.

CyberX in the News

Power and Metals Giant Norsk Hydro Hit by Ransomware

The Register
  • Norsk Hydro, one of the world’s biggest makers of aluminum with sites in 50 countries, stated that file-scrambling malware had infected its IT systems in the US and Europe.
  • This cyber-intrusion forced a shutdown of its global computer network to contain the spread, and workers have had to switch to manual operations at its plants or temporarily halt production entirely, as a precaution.
  • CyberX told The Register that it was inevitable hackers would look to get ransomware onto networks at manufacturing and power giants, given how valuable system uptime is in those environments.
  • “Manufacturing companies are an obvious target for ransomware because downtime is measured in millions of dollars per day – so as you might expect, CEOs are eager to pay. Plus the security of industrial networks has been neglected for years, so malware spreads quickly from infected employee computers in a single office to manufacturing plants in all other countries,” Phil Neray from CyberX explained. “These attacks are especially serious for metal or chemical manufacturers because of the risk of serious safety and environmental incidents, and the bottom-line impact from spoilage of in-process materials and clean-up costs.”

Read full article in The Register.


Industry Reactions to New Triton Attacks on Critical Infrastructure

SecurityWeek

According to David Atch, VP of Security Research at CyberX:

  • “The latest information about TRITON highlights two important insights. First, the attackers were present in the victim’s networks for almost a year before gaining access to the SIS engineering workstation, which shows why it’s critical to continuously monitor OT networks for suspicious or unauthorized behavior — so you can spot adversaries before they shut down or blow up your plant.”
  • “Second, signature-based mechanisms are no longer sufficient to protect OT networks from targeted attacks, because — similar to what we suspect happened in the LockerGoga attack — the attackers used admin-like tools similar to PsExec to move laterally through the network, remotely execute tasks, and deploy purpose-built zero-day malware.”

Read full article in SecurityWeek.


ARC Interview with CyberX

ARC Industry Forum 2019
  • ARC is the leading technology research and advisory firm for industry, infrastructure, and cities.
  • In this in-depth interview with Sid Snitkin, ARC’s vice president of cybersecurity services, Phil Neray (CyberX’s VP of Industrial Cybersecurity) describes the IIoT and ICS threat landscape; best practices for securing industrial networks; and why responsibility for OT security has now shifted to the CISO’s organization.

Watch full interview here.


IoT Bill Would Require Government-Use Devices to Meet Cybersecurity Standards

SC Magazine

The Internet of Things Cybersecurity Improvement Act of 2019 would require the U.S. government to only purchase devices that meet the legislation’s minimum-security requirements.

  • The bill would require NIST to craft recommendations that address secure development, identity management, patching, and configuration management for IoT devices.
  • Phil Neray, vice president of industrial cybersecurity at CyberX, stated, “this bipartisan bill is an important step towards steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world.”
  • For too long many IoT device makers “have deprioritized security in favor of faster time-to-market and lower costs,” said Neray, noting that many devices have weaker security and lack the basics of security including simple patching and hard-coded administrative password removal. “As a result, IoT devices present a particularly soft target for adversaries, who use them as convenient entry-points to compromise our smart buildings, smart cities, and smart factories.”

Read full article in SC Magazine.

CyberX Research News

Cybersecurity Advisory Committee Will Strengthen National Security Through a Stronger Public-Private Partnership

The Hill
  • In late 2018, the federal government established the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate the protection of the nation’s critical infrastructure and the .gov domain.
  • To succeed, CISA must ensure this high degree of public-private collaboration because the private sector owns, operates, and maintains approximately 85 percent of the nation’s critical infrastructure.
  • It is alarming that privately-owned critical infrastructure contains significant security vulnerabilities. According to CyberX, “Industrial control systems continue to be soft targets for adversaries, with security gaps in key areas such as plain-text passwords (69% of sites), direct connections to the internet (40%), weak anti-virus protections (57%), and WAPs (16%).”
  • To ensure collaboration, Congress introduced the Cybersecurity Advisory Committee Authorization Act of 2019 to provide CISA and the DHS guidance on cybersecurity policy and rulemaking.

Read full article in The Hill.


Bring IT and OT Together to Improve Critical Infrastructure Security

SecurityIntelligence, brought to you by IBM
  • Data from CyberX’s recent “2019 Global ICS & IIoT Risk Report,” which analyzed network traffic data from 850-plus production OT networks worldwide, confirmed that ICSs continue to be easy targets for adversaries. Security gaps in key areas include the use of plain-text passwords (69% of sites), direct connections to the internet (40%), weak antivirus protections (57%) and legacy Windows systems such as XP that no longer receive patches from Microsoft (53%).
  • It’s hard to say how to improve something if you don’t know who is responsible for making those improvements. “The sophistication of recent cyberattacks has demonstrated the need to leverage the skills of existing security operations center (SOC) personnel to combat threats that often cross IT and OT boundaries,” said Phil Neray, vice president of industrial cybersecurity at CyberX. “From a governance point of view, it also makes more sense to have a single C-level executive — typically the chief information security officer (CISO) — be responsible and accountable for all of the digital risk in your organization, regardless of whether it affects IT or OT networks.”
  • One of the greatest challenges with ICS environments is limited visibility, which is why the next step in ICS security is conducting a thorough risk assessment. “Once this is complete, the focus should be on identifying which of these environments are connected and which of them would be vulnerable to attack,” he advised. “This can very quickly give a focal point for remediation activity.”

Read full article in SecurityIntelligence.

Upcoming Events

Industrial Control Systems Security – May 27 2019 – May 30 2019 | Delta Hotels, Prince Edward, Charlottetown, Prince Edward Island
Come and hear our presentation “A Data-Driven Analysis of Hidden Vulnerabilities in IIoT & ICS Networks” on May 29th at the Public Safety Canada “Industrial Control Systems Security Symposium”.

Ensuring Cyber Resilience for Industrial & Critical Infrastructure – Zurich, Switzerland – May 29 2019 | 1:30 pm | The Zurich Marriott Hotel, Neumuehlequai 42, Zurich, Switzerland
Join Novartis, EWZ Energy, former Swissgrid executives, Palo Alto Networks, and DXC Technology as they discuss best practices for OT security.

Ignite 19 USA – Jun 03 2019 – Jun 06 2019 | Austin, TX
Visit our booth and see firsthand a demo of the industry-leading IoT & ICS cybersecurity platform integrated with Palo Alto Networks’ Panorama and Cortex. Also catch a presentation by First Quality Enterprises titled “A CISO’s Perspective on Unifying IT/OT Security Monitoring & Governance for ICS/SCADA Networks” as well as a technical session about our Cortex app titled “Protection of ICS, IoT and Medical Environments with Cortex Hub.”

Bourbon-Tasting Dinner & IoT/ICS Security Conversation at Gartner Security Summit – Jun 18 2019 | 6:30 am | SUCCOTASH Restaurant, 186 Waterfront Street, National Harbor, MD
Please register for this invitation-only, bourbon-tasting dinner. This is a unique opportunity to connect with other CISOs and security professionals to share their experiences around OT security and unified IT/OT security strategies.

Ensuring Cyber Resilience for Industrial & Critical Infrastructure – Amsterdam, Netherlands – Jun 19 2019 | 8:30 am | Tobacco Theater, Nes 75-87, Amsterdam, Netherlands
2018 was a major tipping point for ICS/SCADA threat awareness. Management boards and government officials now understand that modern cyberattacks like NotPetya, TRITON and LockerGoga can easily bypass perimeter defenses, shut down production facilities, and have a major impact on financial results — as well as major safety consequences.

ICS Village at Liveworx 19 – June 10-13 | Boston | Boston Convention & Exhibition Center (BCEC)
A one-of-a-kind digital transformation event for the industrial enterprise, LiveWorx brings together 6,500+ technologists who will advance their business strategies, solve challenges, establish connections, experience disruptive tech demos and redefine the future of work.