Welcome to issue #10 of the CyberX-Files!
In CyberX news, we closed $18 million in a strategic funding round led by Qualcomm Ventures and Inven Capital. Here are the highlights of our recent corporate news:
- The new funding — highlighted in several top-tier publications including Xconomy and VentureBeat — will be used to expand our global footprint, fuel product innovation, and expand our IoT/ICS threat intelligence resources.
- CyberX was named a Hot IoT Security Startup to Watch by Network World.
- CyberX was named a winner in three distinct product categories of the 2019 Cybersecurity Excellence Awards: IoT Security, ICS/SCADA Security, and Critical Infrastructure Security.
- The CISO of Teva Pharmaceuticals, a CyberX customer since 2017, was featured in a SANS webinar titled “A CISO’s Perspective on Presenting OT Risk to the Board.” You can watch a brief interview with the CISO in this video, plus view the webinar recording and transcript here.
- CyberX announced the first app for Palo Alto Networks Cortex to enable zero-trust security for OT networks.
- The CyberX threat intelligence team is proud to report that our ICS Malware Sandbox was one of the few products to identify LockerGoga as ransomware out-of-the-box. See our analysis of LockerGoga in this technical blog post by David Atch, CyberX VP of Security Research.
- NIST and CyberX hosted an educational SANS webinar titled “NIST Recommendations for ICS & IIoT Security”. During the webinar, attendees learned how CyberX detected 15 examples of high-risk anomalies in NIST’s testbed environment. View the webinar and read the transcript here.
- CyberX’s Chief Architect, Amit Porat, and ClearPass Product Manager Danny Jump jointly presented at HP Aruba Atmosphere 19 on the integration between the ClearPass NAC and CyberX’s asset discovery and classification, in a session titled “What Can ClearPass Policy Manager offer for OT/ICS.”
- CyberX’s VP of Industrial Cybersecurity, Phil Neray, was invited to present at AGC’s 15th Annual Information Security Conference, held during RSA 2019, where he shared insights on the state of OT cybersecurity.
- CyberX and Palo Alto Networks hosted an ICS/SCADA Security Lunch & Learn in Rosemont, Illinois, about how the companies are working together to detect and prevent cyberattacks against critical and industrial infrastructure.
- CyberX announced a partnership with Spire Solutions to strengthen industrial cybersecurity for organizations in the Middle East.
- In conference news, CyberX participated in: the SANS ICS Security Summit in Orlando; Cyber Security for Critical Infrastructure conference in Amsterdam; Entelec 2019 Conference in Houston; ICS Cyber Security in London; Cyber Security for Critical Assets (CS4CA) Summit in Houston; and the “Hack the Capitol” event with ICS Village in Washington, DC. View upcoming events.
Enjoy this issue and please send any feedback to [email protected]!
In this Newsletter
- America’s Electric Grid has a Vulnerable Back Door – and Russia Walked Through It
- FireEye Threat Research Confirms New Intrusion by the Attacker Behind TRITON
- Major US Utility Agrees to Pay Record NERC Fine for Lax Security
- PG&E Among Utilities Cited for Failing to Protect Against Cyber and Physical Attacks
- Ransomware Hits Colorado Water Utility
- Power and Metals Giant Norsk Hydro Hit by Ransomware
- Industry Reactions to New Triton Attacks on Critical Infrastructure
- ARC Interview with CyberX
- IoT Bill would Require Government Use Devices to Meet Cybersecurity Standards
- Cybersecurity Advisory Committee will Strengthen National Security Through a Stronger Public-Private Partnership
- Bring IT and OT Together to Improve Critical Infrastructure Security
IoT & ICS SECURITY NEWS
There was great interest in ICS and IoT security during RSA, as ICS has come to the forefront for most governments and businesses. The ICS Village was bustling for a full two days with over 30 sessions and demos, including an ICS cyber attack simulation and smart city panel. Additionally, critical infrastructure was highlighted in a CISA session as one of the top priorities for the agency in 2019 along with election security and supply chain. And there were several sessions on OT, including a presentation by Cisco about how OT is widening supply chain attack surfaces. Other recent industry coverage includes:
America’s Electric Grid has a Vulnerable Back Door – and Russia Walked Through It
The Wall Street Journal
- The Wall Street Journal reconstructed the worst known hack into the nation’s power system. In this pieced-together account of the attack, the Journal details how over two dozen utilities were breached, with the hackers penetrating far enough to reach the industrial control systems of at least eight companies.
- Instead of hitting the utility companies head-on, the hackers went after hundreds of third-party contractors who had no reason to be on high alert against foreign agents.
- The hackers planted malware on sites of online publications read by utility engineers, such as Control Engineering and Consulting-Specifying Engineer. They then sent fake résumés with tainted attachments, pretending to be job seekers.
- Once they had network credentials, they slipped through hidden portals used by utility technicians, in some cases getting into computer systems that monitor and control electricity flows.
- In March 2018, the U.S. released a report that pinned responsibility for the hostile activities on “cyber actors” working for the Russian government, indicating that they’ve been active since at least March 2016.
- Industry experts say Russian government hackers likely remain inside some systems, undetected and awaiting further orders.
Read the full account in The Wall Street Journal.
FireEye Threat Research Confirms New Intrusion by the Attacker Behind TRITON
FireEye Threat Research Blog
- FireEye confirms that it has uncovered additional intrusion activity by the attacker behind TRITON – including new custom tool sets – at a second critical infrastructure facility.
- The attacker has been active since at least 2014.
- After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network.
- This report details the threat actor’s tactics for moving laterally through the network and their use of commodity hacking tools like Mimikatz as well as legitimate admin tools like RDP and PsExec/WinRM.
- The attacker also used custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion. For example, they switched to custom backdoors in the IT and OT DMZs right before gaining access to the engineering workstation.
- The analysis found that “the actor was present in the target networks for almost a year before gaining access to the Safety Instrumented Systems (SIS) engineering workstation,” confirming that continuous monitoring and anomaly detection are essential in identifying threats during their early phases.
Read the full blog here.
Major US Utility Agrees to Pay Record NERC Fine for Lax Security
- Duke Energy agreed to pay a record $10 million fine from regulators to settle 127 violations of security standards meant to protect the electric grid from catastrophic outages.
- North American Electric Reliability Corp. (NERC) cited a “lack of management engagement, support, and accountability” at the organization, according to a 765-page dossier of dozens of incidents, saying they “posed a serious risk to the security and reliability” of the bulk power system.
- Violations included: employees connecting corporate laptops to critical infrastructure protection (CIP) networks; a fired employee continuing to have access to sensitive computer systems because their manager neglected to inform the Help Desk; and “improper patching.”
Read full article in E&E News.
PG&E Among Utilities Cited for Failing to Protect Against Cyber and Physical Attacks
The Wall Street Journal
- On the heels of the Duke Energy fines, three more utility companies, PG&E, DTE Energy Company and a municipal utility in Missouri, broke rules designed to protect the nation’s electric system from cyber and physical attacks and were sanctioned by federal regulators.
- The cases against the utility companies were lodged from 2014 to 2016—a time when Russia was in the midst of a major campaign to penetrate utility defenses, according to federal officials.
- Although penalty cases aren’t uncommon, it isn’t typical for the public to know the operator’s identity. It’s clear that public officials are becoming more vocal about threats to critical infrastructure.
- And this increased public attention has the electric industry concerned. In fact, last week, three trade groups asked the FERC to re-evaluate its rules on disclosure practices and to halt the processing of records requests, including those by the media.
- As the debate on how much information to share publicly continues, each of the utility companies has agreed to pay penalties for its infractions of security rules.
Read full article in The Wall Street Journal.
Ransomware Hits Colorado Water Utility
- The Fort Collins-Loveland Water District (FCLWD) was hit with ransomware earlier this year. Fortunately, operations weren’t affected but the incident prompted the water company to switch its IT service provider and call the FBI.
- In many emergency planning exercises, it isn’t the lack of electricity that triggers chaos and widespread casualties. It’s the lack of clean water that forces people from their homes.
- The nation’s nearly 70,000 water and wastewater utilities are having great difficulty dealing with online threats. As one IT manager at a midsize water utility put it, “It’s not a question of if, it’s a question of when” hackers disrupt vital U.S. water systems.
- New Jersey is one of the only states to take regulatory action with regard to water security. The state requires utilities to report cyber events to its environmental officials and to include cybersecurity in risk management plans.
- Mary-Anna Holden, a commissioner on the New Jersey Board of Public Utilities, stated, “if someone’s hacked into the operational network and can control chlorination, do something to the [wastewater] digesters or can get control of the wastewater plant, that’s the thing that keeps me up at night. You could cause cholera or dysentery downstream, which could be a major city. How do you counteract that?”
- Sixty-three cyber vulnerabilities were uncovered in the “water supply” sector in 2018, according to federal data, accounting for 15% of all industrial security problems. And even if supply interruptions or chemical releases don’t become a full-blown crisis, a hack that causes people to lose faith in the quality of their water is “certainly within the realm of possibility” for nation-state hackers.
Read full article in E&E News.
CyberX in the News
Power and Metals Giant Norsk Hydro Hit by Ransomware
Norsk Hydro, one of the world’s biggest makers of aluminum, with sites in 50 countries, stated that file-scrambling malware had infected its IT systems in the US and Europe.
- This cyber-intrusion forced a shutdown of its global computer network to contain the spread, and workers have had to switch to manual operations at its plants or temporarily halt production entirely, as a precaution.
- CyberX told The Register that it was inevitable hackers would look to get ransomware onto networks at manufacturing and power giants, given how valuable system uptime is in those environments.
- “Manufacturing companies are an obvious target for ransomware because downtime is measured in millions of dollars per day – so as you might expect, CEOs are eager to pay. Plus the security of industrial networks has been neglected for years, so malware spreads quickly from infected employee computers in a single office to manufacturing plants in all other countries,” Phil Neray from CyberX explained. “These attacks are especially serious for metal or chemical manufacturers because of the risk of serious safety and environmental incidents, and the bottom-line impact from spoilage of in-process materials and clean-up costs.”
Read full article in The Register.
Industry Reactions to New Triton Attacks on Critical Infrastructure
According to David Atch, VP of Security Research at CyberX:
- “The latest information about TRITON highlights two important insights. First, the attackers were present in the victim’s networks for almost a year before gaining access to the SIS engineering workstation, which shows why it’s critical to continuously monitor OT networks for suspicious or unauthorized behavior — so you can spot adversaries before they shut down or blow up your plant.”
- “Second, signature-based mechanisms are no longer sufficient to protect OT networks from targeted attacks, because — similar to what we suspect happened in the LockerGoga attack — the attackers used admin-like tools similar to PsExec to move laterally through the network, remotely execute tasks, and deploy purpose-built zero-day malware.”
Read full article in SecurityWeek.
ARC Interview with CyberX
ARC Industry Forum 2019
- ARC is the leading technology research and advisory firm for industry, infrastructure, and cities.
- In this in-depth interview with Sid Snitkin, ARC’s vice president of cybersecurity services, Phil Neray (CyberX’s VP of Industrial Cybersecurity) describes the IIoT and ICS threat landscape; best practices for securing industrial networks; and why responsibility for OT security has now shifted to the CISO’s organization.
Watch full interview here.
IoT Bill would Require Government Use Devices to Meet Cybersecurity Standards
The Internet of Things Cybersecurity Improvement Act of 2019 would require the U.S. government to purchase only devices that meet the legislation’s minimum security requirements.
- The bill would require NIST to craft recommendations that address secure development, identity management, patching, and configuration management for IoT devices.
- Phil Neray, vice president of industrial cybersecurity at CyberX states, “this bipartisan bill is an important step towards steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world.”
- For too long many IoT device makers “have deprioritized security in favor of faster time-to-market and lower costs,” said Neray, noting that many devices have weaker security and lack the basics of security including simple patching and hard-coded administrative password removal. “As a result, IoT devices present a particularly soft target for adversaries, who use them as convenient entry-points to compromise our smart buildings, smart cities, and smart factories.”
Read full article in SC Magazine.
CyberX Research News
Cybersecurity Advisory Committee will Strengthen National Security Through a Stronger Public-Private Partnership
- In late 2018, the federal government established the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate the protection of the nation’s critical infrastructure and the .gov domain.
- To succeed, CISA must ensure this high degree of public-private collaboration because the private sector owns, operates, and maintains approximately 85 percent of the nation’s critical infrastructure.
- It is alarming that privately-owned critical infrastructure contains significant security vulnerabilities. According to CyberX, “Industrial control systems continue to be soft targets for adversaries, with security gaps in key areas such as plain-text passwords (69% of sites), direct connections to the internet (40%), weak anti-virus protections (57%), and WAPs (16%).”
- To ensure collaboration, Congress introduced the Cybersecurity Advisory Committee Authorization Act of 2019 to provide CISA and the DHS guidance on cybersecurity policy and rulemaking.
Read full article in The Hill.
Bring IT and OT Together to Improve Critical Infrastructure Security
SecurityIntelligence, brought to you by IBM
- Data from CyberX’s recent “2019 Global ICS & IIoT Risk Report,” which analyzed network traffic data from 850-plus production OT networks worldwide, confirmed that ICSs continue to be easy targets for adversaries. Security gaps in key areas include the use of plain-text passwords (69% of sites), direct connections to the internet (40%), weak antivirus protections (57%) and legacy Windows systems such as XP that no longer receive patches from Microsoft (53%).
- It’s hard to say how to improve something if you don’t know who is responsible for making those improvements. “The sophistication of recent cyberattacks has demonstrated the need to leverage the skills of existing security operations center (SOC) personnel to combat threats that often cross IT and OT boundaries,” said Phil Neray, vice president of industrial cybersecurity at CyberX. “From a governance point of view, it also makes more sense to have a single C-level executive — typically the chief information security officer (CISO) — be responsible and accountable for all of the digital risk in your organization, regardless of whether it affects IT or OT networks.”
- One of the greatest challenges with ICS environments is limited visibility, which is why the next step in ICS security is conducting a thorough risk assessment. “Once this is complete, the focus should be on identifying which of these environments are connected and which of them would be vulnerable to attack,” he advised. “This can very quickly give a focal point for remediation activity.”
Read full article in SecurityIntelligence.
Industrial Control Systems Security – May 27 2019 – May 30 2019 | Delta Hotels, Prince Edward, Charlottetown, Prince Edward Island
Come and hear our presentation “A Data-Driven Analysis of Hidden Vulnerabilities in IIoT & ICS Networks” on May 29th at the Public Safety Canada “Industrial Control Systems Security Symposium”. READ MORE
Ensuring Cyber Resilience for Industrial & Critical Infrastructure – Zurich, Switzerland – May 29 2019 | 1:30 pm | The Zurich Marriott Hotel, Neumuehlequai 42, Zurich, Switzerland
Join Novartis, EWZ Energy, former Swissgrid executives, Palo Alto Networks, and DXC Technology as they discuss best practices for OT security. READ MORE
Ignite 19 USA – Jun 03 2019 – Jun 06 2019 | Austin, TX
Visit our booth and see firsthand a demo of the industry-leading IoT & ICS cybersecurity platform integrated with Palo Alto Networks’ Panorama and Cortex. Also catch a presentation by First Quality Enterprises titled “A CISO’s Perspective on Unifying IT/OT Security Monitoring & Governance for ICS/SCADA Network” as well as a technical session about our Cortex app titled “Protection of ICS, IoT and Medical Environments with Cortex Hub.” READ MORE
Bourbon-Tasting Dinner & IoT/ICS Security Conversation at Gartner Security Summit – Jun 18 2019 | 6:30 am | SUCCOTASH Restaurant, 186 Waterfront Street, National Harbor, MD
Please register for this invitation-only, bourbon-tasting dinner. This is a unique opportunity to connect with other CISOs and security professionals to share their experiences around OT security and unified IT/OT security strategies. READ MORE
Ensuring Cyber Resilience for Industrial & Critical Infrastructure – Amsterdam, Netherlands – Jun 19 2019 | 8:30 am | Tobacco Theater, Nes 75-87, Amsterdam, Netherlands
2018 was a major tipping point for ICS/SCADA threat awareness. Management boards and government officials now understand that modern cyberattacks like NotPetya, TRITON and LockerGoga can easily bypass perimeter defenses, shut down production facilities, and have a major impact on financial results — as well as major safety consequences. READ MORE
ICS Village at Liveworx 19 – June 10-13 | Boston | Boston Convention & Exhibition Center (BCEC)
A one-of-a-kind digital transformation event for the industrial enterprise, LiveWorx brings together 6,500+ technologists who will advance their business strategies, solve challenges, establish connections, experience disruptive tech demos and redefine the future of work.