Welcome to issue #9 of the CyberX-Files!
In CyberX news, we were awarded a patent for our innovative IIoT- and ICS-aware risk analytics and machine learning technology. CyberX is the only IIoT/ICS security firm to have been awarded a patent for its threat detection analytics, commercially available since early 2015. Here are the highlights of our recent corporate news:
- CyberX was awarded a patent (U.S. Patent 10,015,188) for unique methods and systems for learning ICS network behavior and accurately identifying anomalous activities. The patent relies on a new and innovative way of using finite-state machine (FSM) modeling techniques to rapidly analyze ICS environments and M2M communications, minimizing false positives as well as false negatives.
- Advancing our strategic SOC integration initiative, CyberX’s native app for ServiceNow is now certified in the ServiceNow Store. CyberX delivered the first native ICS threat monitoring app for IBM QRadar in 2017 and is still the only IIoT/ICS security firm offering certified native apps for Splunk, ServiceNow, and Palo Alto Networks.
- We’ve also joined the GE Digital Alliance Program, and our platform has been installed in GE Power’s integration environment to support joint GE and CyberX customers with interoperability validation testing.
- CyberX has established a partnership with regional cybersecurity expert Spire Solutions to strengthen IIoT & ICS security in the Middle East.
- CyberX hosted an educational SANS webinar with Palo Alto Networks, titled “Palo Alto Networks and CyberX Integration: Accelerating the Time Between ICS/SCADA Threat Detection and Prevention.” View a short technical video of the integration.
Additionally, CyberX had a significant presence at the S4x19 ICS Security Conference, where the CISO and director of IS operations for First Quality Enterprises, one of our manufacturing customers, presented a well-attended session on “A CISO’s Perspective on Unifying IT/OT Security Monitoring and Governance” (stay tuned for the video).
We also gave away signed copies of Bruce Schneier’s new book about IoT security, titled “Click Here to Kill Everybody;” connected with 30 CISOs and other security and OT professionals at an exclusive dinner event; and sponsored the “Craft Beer Bash” on the last day.
CyberX also recently participated in the ARC Industry Forum, whose theme was “Driving Digital Transformation in Industry and Cities”; the DistribuTECH conference for utilities; the IBM THINK Conference; and the Cyber Defence Summit in Riyadh.
Enjoy this issue and please send any feedback to [email protected]!
In this Newsletter
- Triton Attack More Widespread than Publicly Known
- DHS Says SamSam Ransomware is Targeting Critical Infrastructure
- New Honeywell Research Finds USB Threats Impacting Industries
- Critical Infrastructure Ransomware Ryuk Targets Printing Systems
- 2019 Attacks on ICS/Critical Infrastructure Seek Financial Gain
- The Coming Cyberwar: Russia Poised to Attack US Government Entities and Critical Infrastructure
- Tips for Preventing Credential Theft Attacks on Critical Infrastructure
- “Matter of Time” Before Someone Takes an Entire Country Offline
IIoT/ICS/OT SECURITY NEWS
Triton Attack More Widespread than Publicly Known
Dark Reading & CyberScoop
- New facts about the 2017 TRITON cyberattack on a Saudi Arabia petrochemical plant show that the first indicators were seen three months before the outage reported in August 2017. That earlier outage was misdiagnosed by the automation vendor as a mechanical issue rather than recognized as an attack.
- Both outages lasted about a week, bringing significant costs to the plant in terms of lost production and cleanup costs for chemicals that were being processed (potentially in the hundreds of millions of dollars).
- There were also significant risks to human safety and risks of environmental damage, from the potential release of toxic hydrogen sulfide gases.
- In CyberX’s view, the key lesson from the Triton attack is the organizational breakdown between the IT security team, its OT team, and the automation vendor’s team. As quoted in Dark Reading, “There were no clear definitions of which team was responsible for ensuring that security controls had been properly implemented and were actually effective.”
- How the attack could have been prevented:
- Misconfigured firewalls enabled attackers to pivot from the IT network to the DMZ and then to the OT network.
- There were anti-virus alerts on workstations about the presence of Mimikatz credential stealing malware, but they were ignored by operators.
- There were ongoing alerts about the RUN/PROGRAM key being in the PROGRAM position, which enables changes to the ladder logic code running in the safety controller — but these were also ignored. The attackers compromised the controllers by uploading a custom remote access trojan (RAT) into them.
- Further clues that were ignored include Remote Desktop Protocol (RDP) sessions to the plant’s engineering workstations from within the IT network.
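The four missed clues above are each individually noisy, but they become hard to ignore once they are correlated per host: a credential-theft tool on an engineering workstation plus an RDP session into that same workstation from the IT network is a different conversation than either alert alone. The script below is an added example (not CyberX’s product logic and not taken from the Dark Reading or CyberScoop reporting) that runs such a correlation over a handful of constructed events. The subnet layout, workstation addresses, event field names and indicator names are all assumptions made for the example.

```python
"""Correlate Triton-style indicators (AV alert, controller key state, RDP from IT)
over constructed sample events and escalate hosts that show more than one of them."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed network layout for this example (not from the article).
IT_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]
OT_NETWORKS = [ipaddress.ip_network("10.7.0.0/16")]
ENGINEERING_WORKSTATIONS = {"10.7.1.20", "10.7.1.21"}  # assumed EWS addresses
RDP_PORT = 3389


@dataclass(frozen=True)
class Finding:
    host: str        # asset the finding is attached to (IP or controller name)
    indicator: str   # short indicator tag used for correlation
    detail: str      # human-readable explanation for the analyst


def zone_of(ip: str) -> str:
    """Classify an address as IT, OT or UNKNOWN from the assumed subnet plan."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in IT_NETWORKS):
        return "IT"
    if any(addr in net for net in OT_NETWORKS):
        return "OT"
    return "UNKNOWN"


def check_event(ev: Dict) -> Optional[Finding]:
    """Map one raw event to a Finding if it matches one of the ignored Triton clues."""
    kind = ev["type"]
    if kind == "av_alert" and "mimikatz" in ev["signature"].lower():
        return Finding(ev["host"], "credential_theft_tool",
                       f"AV flagged {ev['signature']} on {ev['host']}")
    if kind == "controller_alert" and ev["key_position"] == "PROGRAM":
        return Finding(ev["controller"], "safety_controller_programmable",
                       f"{ev['controller']} key left in PROGRAM; logic changes possible")
    if kind == "session" and ev["dst_port"] == RDP_PORT:
        # RDP into an engineering workstation is only suspicious when it originates in IT.
        if zone_of(ev["src"]) == "IT" and ev["dst"] in ENGINEERING_WORKSTATIONS:
            return Finding(ev["dst"], "rdp_from_it_to_ews",
                           f"RDP from IT host {ev['src']} to engineering workstation {ev['dst']}")
    return None


def correlate(events: List[Dict]) -> Tuple[List[Finding], Set[str]]:
    """Return all findings plus the set of hosts showing two or more distinct indicators."""
    findings = [f for f in map(check_event, events) if f is not None]
    by_host: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.indicator)
    escalated = {host for host, inds in by_host.items() if len(inds) >= 2}
    return findings, escalated


# Constructed sample events; none of these values come from the article.
SAMPLE_EVENTS = [
    {"type": "av_alert", "host": "10.7.1.20", "signature": "HackTool:Win32/Mimikatz"},
    {"type": "av_alert", "host": "10.7.2.5", "signature": "EICAR-Test-File"},
    {"type": "session", "src": "10.1.5.44", "dst": "10.7.1.20", "dst_port": 3389},
    {"type": "session", "src": "10.7.1.21", "dst": "10.7.1.20", "dst_port": 3389},  # OT-internal, not flagged
    {"type": "session", "src": "10.1.5.44", "dst": "10.7.3.9", "dst_port": 443},    # not RDP, not flagged
    {"type": "controller_alert", "controller": "SIS-01", "key_position": "PROGRAM"},
]

if __name__ == "__main__":
    found, hot = correlate(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.indicator}] {f.detail}")
    print("escalate:", sorted(hot))
```

Running it yields three findings and escalates 10.7.1.20, the workstation that both carried the credential-theft tool and received RDP from IT; the PROGRAM-key alert on SIS-01 stands on its own because the sample contains no second indicator for that controller.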
DHS Says SamSam Ransomware is Targeting Critical Infrastructure
- A newly published DHS and FBI activity alert warns that SamSam ransomware operators have targeted multiple industries, including critical infrastructure entities.
- Actors are targeting network-wide infections of entire organizations, which are more likely to garner large ransom payments when compared to infections of individual systems. Additionally, organizations are more likely to pay large ransom amounts as they need to resume operations quickly.
- To gain persistent access to a victim’s network, the actors target vulnerabilities in Windows servers. In mid-2016 they started using RDP for their attacks, via brute force or stolen credentials. The use of RDP eliminates the need for user interaction to execute the ransomware and also ensures the attack remains undetected.
- SamSam operators have purchased stolen RDP credentials from known darknet marketplaces, which are used to infect a network within hours of purchasing the credentials.
- SamSam actors leave ransom notes on encrypted machines, instructing victims to contact them through a Tor hidden service site and pay a ransom in Bitcoin.
- The alert includes a series of recommendations, such as ensuring that cloud-based VM instances with public IPs have no open RDP ports, using strong passwords and two-factor authentication, maintaining a good back-up strategy, and continuously monitoring for unauthorized remote access, among others.
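The first of those recommendations, that cloud VM instances with public IPs have no open RDP ports, is easy to state and easy to drift away from as security groups accumulate rules. The following added example (not from the DHS/FBI alert and not CyberX code) audits a constructed, cloud-agnostic inventory of instances and security-group rules and reports every instance with a public address reachable on TCP 3389 from anything other than an assumed trusted jump-host range. The rule and instance field names, the trusted range, and all addresses are assumptions for the example.

```python
"""Audit constructed security-group rules for RDP (TCP 3389) exposure on public instances."""
import ipaddress
from typing import Dict, List

RDP_PORT = 3389
# Assumed administrative source range (e.g. a VPN or jump-host subnet); anything else is untrusted.
TRUSTED_ADMIN_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]


def rule_exposes_rdp(rule: Dict, trusted=TRUSTED_ADMIN_SOURCES) -> bool:
    """True if the inbound rule allows TCP 3389 from a source outside the trusted ranges."""
    if rule["proto"] not in ("tcp", "any"):
        return False
    if not (rule["from_port"] <= RDP_PORT <= rule["to_port"]):
        return False
    src = ipaddress.ip_network(rule["cidr"], strict=False)
    # A rule is acceptable only when its whole source range sits inside a trusted range.
    return not any(src.version == t.version and src.subnet_of(t) for t in trusted)


def exposed_instances(instances: List[Dict], groups: Dict[str, List[Dict]]) -> List[str]:
    """Names of instances that have a public IP and at least one RDP-exposing rule."""
    exposed = []
    for inst in instances:
        if not inst.get("public_ip"):
            continue  # no public address, so the alert's condition does not apply
        rules = [r for g in inst["groups"] for r in groups.get(g, [])]
        if any(rule_exposes_rdp(r) for r in rules):
            exposed.append(inst["name"])
    return sorted(exposed)


# Constructed inventory; addresses use documentation ranges and are not real systems.
SAMPLE_GROUPS = {
    "sg-rdp-open": [{"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"}],
    "sg-rdp-admin": [{"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.20.0.0/24"}],
    "sg-web": [{"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}],
    "sg-all-from-partner": [{"proto": "any", "from_port": 0, "to_port": 65535, "cidr": "203.0.113.0/24"}],
}
SAMPLE_INSTANCES = [
    {"name": "ews-jump", "public_ip": "198.51.100.10", "groups": ["sg-rdp-open"]},
    {"name": "hist-db", "public_ip": "198.51.100.11", "groups": ["sg-web", "sg-rdp-admin"]},
    {"name": "internal-ews", "public_ip": None, "groups": ["sg-rdp-open"]},
    {"name": "bastion", "public_ip": "198.51.100.12", "groups": ["sg-all-from-partner"]},
]

if __name__ == "__main__":
    for name in exposed_instances(SAMPLE_INSTANCES, SAMPLE_GROUPS):
        print("RDP reachable from untrusted source on public instance:", name)
```

The check is deliberately strict: a broad "all ports" rule from a partner range counts as exposure because it covers 3389, and an instance without a public IP is skipped even though its group is permissive, since the recommendation targets internet-reachable hosts. Treating the trusted range as a subnet test rather than a simple equality means a rule scoped to a single jump host inside that range is still accepted.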
New Honeywell Research Finds USB Threats Impacting Industries
Electric Light and Power
- A new analysis of portable USB media usage across industrial facilities verified that “in the wild” threats from these devices are significant; many were targeted and intentional.
- Of the 50 industrial locations analyzed, nearly half (44%) faced threats from removable USB devices, which bypass perimeter defenses such as firewalls.
- More than 25% of the threats had the potential to cause a major disruption to plant operations, including loss of view or loss of control. 16% were targeted specifically against ICS or IoT systems.
- While threats are real, industrial cybersecurity resilience at many companies is still shockingly low. Risk assessments across industrial companies find everything from control system passwords posted in clear view on sticky notes, to outdated encryption methods.
- Experts recommend deploying IIoT- and ICS-aware security monitoring systems to immediately detect when attackers have compromised the OT network — such as via infected USB drives — before they can cause any real damage.
Critical Infrastructure Ransomware Ryuk Targets Printing Systems
New York Times
- A malware attack hobbled printing production control systems of Tribune Publishing, delaying publication of several leading newspapers across the US.
- Titles hit included the Los Angeles Times, Chicago Tribune, Baltimore Sun, and many others especially in South Florida, one of the company’s major markets.
- While computer malware attacks on infrastructure are hardly new, this would be the first known attack on major newspaper printing operations. If politically motivated, it would define new territory in recent attacks on the media.
- After the IT team made some progress containing the malware, some security patches didn’t hold and the virus began to reinfect the network, impacting servers used for news production and manufacturing processes.
- The attack shares characteristics with a form of ransomware called Ryuk, which was used to target a North Carolina water utility in October and other critical infrastructure.
CyberX in the News
Italian Oil Services Company Saipem Hit by Cyberattack
- According to reports, Saipem, an Italian oil services company, is the latest victim of a cyberattack that appears to be targeting servers in the Middle East.
- Saipem said the attack originated in Chennai, India, but that does not necessarily reveal the identity of the attacker as malicious actors often use random servers from around the world to hide their true location.
- The company has shared few details about the attack – it’s unclear if it was ransomware or another type of intrusion – but its representatives claim that no data was stolen and that only some servers in its infrastructure were impacted.
- CyberX says the target itself provides insight as to who may be behind the attack. “It’s still too early to tell, but given Saipem’s position as a trusted 3rd-party supplier to Saudi Aramco, an educated guess would be that the adversary is the same one that attacked Saudi Aramco in the past — which points to the destructive Shamoon attacks of 2012 and 2016, now widely attributed to Iran.”
- A study conducted by Ponemon Institute revealed that three-quarters of oil and gas companies in the Middle East had suffered at least one security incident that resulted in disruption to OT operations or loss of confidential information in the past 12 months. Eleven percent of respondents said they had experienced more than 10 OT network intrusions. More alarming, nearly half believe they may not be aware of all breaches.
2019 Attacks on ICS/Critical Infrastructure Increasingly Seek Financial Gain
- CyberX security experts expect nation-state attacks on industrial and critical infrastructure networks to continue; however, there will be a new trend.
- According to CyberX, “An interesting twist is that we expect to see an uptick in cybercriminal organizations getting in the act for financial gain. You can easily imagine cybercriminals installing back-doors in industrial networks and then renting them out to others for cryptomining, ransomware, and theft of intellectual property about proprietary manufacturing processes.”
The Coming Cyberwar: Russia Poised to Attack US Government Entities and Critical Infrastructure
- Russia has been engaged in a massive reconnaissance and targeting operation against US critical infrastructure. In March 2018, the DHS and FBI released a joint Technical Alert (TA) describing Russian government actions targeting “U.S. government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
- Adversary techniques and tradecraft were honed over a six-month period. This has given Russia and its intelligence agencies the blueprint for how to map out our power grid (among other things) and prepare for an attack.
- Russia launched the first successful BlackEnergy attack against Ukraine in December of 2015. BE was originally developed in 2007 as a distributed denial-of-service (DDoS) tool. It evolved in 2014 into a full package that targeted ICS and multiple types of operating systems, and embedded espionage modules along with KillDisk, which erases files and destroys the ability to boot up computers.
- In CyberX’s view, “Adversaries don’t usually install footholds in enemy territory unless they plan to eventually launch an attack.”
- Would Russia attack? CyberX responds: “Energetic Bear has been active in our critical infrastructure since at least 2014 when they injected Havex malware into software downloads from industrial automation vendors … Infecting software downloads is also the same technique that Russian threat actors used to spread NotPetya, which caused billions of dollars in damage to industrial firms worldwide – so it’s clear they aren’t afraid of causing massive chaos when they decide it’s time to make it happen.”
Tips for Preventing Credential Theft Attacks on Critical Infrastructure
- As we know, hacked critical infrastructure can dramatically impact safety, can shut businesses down and cost millions of dollars in lost revenue and brand damage.
- ICS systems are easy targets because most of them run on older, legacy infrastructure that is frequently left unpatched.
- According to a new report by CyberX, 53% of all critical infrastructure sites use ICS stations running on older, legacy Windows installations that no longer receive security updates, offering a wide-open playing field for attackers. The report also found 69% of all industrial sites allow passwords to be sent through the network in plain text — another major exposure gap.
CyberX Security Research and Technology News
“It’s a Matter of Time” Before Someone Takes an Entire Country Offline
- Nir Giller, co-founder and CTO of CyberX, described the December 2015 blackout in Ukraine, in which three major power suppliers were simultaneously taken over, hackers gained remote control of the stations’ dashboards, and manually switched off about 60 substations, leaving 230,000 Ukrainians in the cold and dark for six straight hours.
- The hack was widely attributed to Russia, whose military invaded Crimea in 2014. “It’s a new weapon,” Giller says. “It wasn’t an accident. It was a sophisticated, well-coordinated attack.”
- The biggest vulnerabilities in Western infrastructure are older facilities. Factories, energy plants, and water companies all operate using machinery that is often very old. New devices and software are installed alongside the older machinery, often to control or monitor it. This is the “Industrial Internet of Things” (IIoT). Hackers don’t need to control an entire plant, the way they did in Ukraine. They only need to control an individual sensor on a single machine. “In the best-case scenario, you have to get rid of a batch of product. In the worst case, it’s a medicine that is not supervised or produced correctly.”
- NotPetya and WannaCry changed the culture of black hat hackers, demonstrating that infrastructure could also be attacked with devastating consequences. As a result, the Ports of Barcelona and San Diego were also attacked in 2018.
- CyberX has been deployed in the Carlsbad Desalination Plant in California, the largest seawater desalination plant in the US, which serves an area prone to annual droughts. Giller declined to say exactly how CyberX protects the plant, but the implication of the company’s work is clear — before CyberX showed up, it was pretty easy to shut down the water supply to about 400,000 people in San Diego.
- The article provides details of other attacks including Russia’s WiFi router hacks, Stuxnet, and WannaCry.
SANS Webinar: NIST Recommendations for ICS & IIoT Security – Feb 28, 2019 | 3:30 PM EST
NIST recently published a report demonstrating how off-the-shelf, ICS-aware behavioral anomaly detection (BAD) effectively reduces cyber risk for manufacturing organizations, as well as risk from equipment malfunctions. The report was the product of a close collaboration between NIST, CyberX, and other technology providers such as OSIsoft.
CyberX Executive Seminar: Ensuring Cyber Resilience for Industrial & Critical Infrastructure – Feb 27, 2019 | 12:30 GMT | London, United Kingdom
SANS ICS Security Summit & Training – Mar 18, 2019 – Mar 19, 2019 | Orlando, Florida
Cyber Security for Critical Assets (CS4CA) Summit – Mar 26, 2019 – Mar 27, 2019 | Houston, Texas