Welcome to the 1st issue of the CyberX-Files — our monthly digest of news, research and analysis related to ICS, SCADA and OT security.
We’ve scoured the world for articles that are thought-provoking, informative, and relevant (and we promise not to bore you with fluffy marketing content).
If you’re on the front-lines of ICS security, please let me know if you find these articles helpful!
Phil Neray | VP Industrial Security | CyberX
ICS/SCADA/OT Security News
According to a Honeywell-commissioned survey of 130 decision makers from industrial organizations:
- Over half (53%) have suffered a cybersecurity breach.
- Respondents listed a range of breach sources including malware spread from other parts of the enterprise, malicious hackers, government-sponsored attacks, direct attacks on control systems, DoS attacks, and removable media.
- Fewer than a third have implemented basic controls such as access control for plant computers (30%), user authentication for HMI devices (24%), and fully patched Windows systems (17%).
Editor’s Note: The Honeywell report echoes many of the findings in CyberX’s “Global ICS & IIoT Risk Report,” a data-driven analysis of real-world vulnerabilities identified via passive monitoring of traffic from 375 production ICS networks worldwide.
Security researchers randomly selected 34 Android mobile apps in the Google Play Store — written by well-known ICS/SCADA automation vendors, such as Schneider Electric and Siemens, and third-party developers — to check for vulnerabilities based on the OWASP Mobile Top 10. Here’s what they found:
- 147 security flaws that could be exploited to disrupt an industrial process or network.
- 59% had insecure authorization mechanisms, such as lack of password protection.
- 38% failed to implement secure communication — including via poor handshakes, incorrect SSL versions, and cleartext data transmission — which can lead to MITM attacks.
The principal risk is that these mobile applications are a direct gateway to your critical control systems, often over remote connections such as the public Internet. This means that cyberattackers could compromise your ICS systems — for example, with phishing attacks targeting smartphones belonging to your control engineers or OT vendor maintenance personnel.
A Black Hat Europe survey of CISOs, CIOs, CTOs and other cybersecurity professionals — with nearly half being CISSPs — reveals that:
- 77% believe a cyberattack will breach critical EU infrastructure within the next two years — and that it will affect multiple countries in the region.
- The greatest threats are cyberespionage by large nation-states like Russia and China (32%); failure of EU countries to implement adequate cyber defenses (18%); attacks by organized crime gangs (17%); and a shortage of skilled security personnel (13%).
- Targeted attacks are the biggest concern, cited by 48% of respondents.
These sentiments are strikingly similar to those expressed by security professionals in the 2017 Black Hat USA Attendee Survey from last summer. You can read a summary and access the full report here.
CyberX In The News
- According to CyberX’s threat intelligence team, Triton was likely created by Iran and the victim was likely an organization in Saudi Arabia.
- Iran was responsible for destructive attacks on Saudi Aramco in 2012 and 2017 with Shamoon, which destroyed ordinary PCs. This is an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary.
- Stuxnet showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be an evolution of that approach. (Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid, but it did not modify code or firmware in the PLC itself.)
- OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication.
- The research focused on how to exfiltrate reconnaissance data after a successful intrusion to an air-gapped industrial control network.
- CyberX demonstrated how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory-copy operations to generate frequency-modulated RF emissions in the 340 kHz to 420 kHz range, just below the AM broadcast band, with the modulation carrying the encoded data.
- The transmitted signal can be picked up by a nearby antenna before being decoded using a low-cost Software-Defined Radio (SDR) located outside the facility or even mounted on a drone flying overhead.
- The data exfiltration method does not rely on any vulnerability or design flaw in the Siemens PLC, and the same approach might work on other hardware.
You can also view the video of CyberX’s VP of Research delivering a similar presentation at the ICS Cyber Security Conference in Atlanta.
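To make the "modulation representing encoded data" concrete, here is an added example (not CyberX's research code, and not ladder logic) that simulates the receiving side of such a channel in plain Python. It assumes the simplest frequency-modulation scheme, binary FSK with one carrier at 340 kHz for a 0 bit and one at 420 kHz for a 1 bit, a 2 MS/s SDR sample rate and 100 microseconds per bit; those parameters are assumptions chosen so that both carriers land on exact DFT bins, not values from the research. A short Goertzel filter per symbol is all the "SDR" needs to recover the bytes, even with noise added:

```python
import math
import random

# Channel parameters (assumptions for this simulation, not from the research):
# two carriers just below the AM broadcast band, one per bit value.
F_ZERO = 340_000.0        # Hz, carries a 0 bit
F_ONE = 420_000.0         # Hz, carries a 1 bit
SAMPLE_RATE = 2_000_000   # SDR sample rate, 2 MS/s
SAMPLES_PER_BIT = 200     # 100 us per bit -> 10 kbit/s


def bits_from_bytes(data: bytes):
    """Yield bits MSB-first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1


def bytes_from_bits(bits):
    """Pack bits MSB-first; any trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def modulate(data: bytes):
    """Binary FSK transmitter: each bit is SAMPLES_PER_BIT samples of a cosine
    at F_ZERO or F_ONE, with phase continued across symbols."""
    samples = []
    phase = 0.0
    for bit in bits_from_bytes(data):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.cos(phase))
            phase += step
    return samples


def goertzel_power(block, freq):
    """Signal power of `block` at `freq` (Goertzel algorithm: a single DFT bin).
    With 200 samples at 2 MS/s the bins are 10 kHz apart, so 340 kHz and
    420 kHz are exact bins and the two tones do not leak into each other."""
    n = len(block)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Receiver: for each symbol period, decide which carrier is stronger."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[i:i + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(block, F_ONE) > goertzel_power(block, F_ZERO) else 0)
    return bytes_from_bits(bits)


def add_noise(samples, amplitude, seed=1):
    """Add uniform noise with a fixed seed so runs are reproducible."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


def roundtrip(data: bytes, noise=0.5) -> bytes:
    """Transmit `data`, corrupt it with noise, and decode it again."""
    return demodulate(add_noise(modulate(data), noise))


if __name__ == "__main__":
    payload = b"PLC-OK"   # constructed sample payload
    print(roundtrip(payload))
```

The defensive lesson is the one the research draws: because the emission is a side effect of ordinary memory operations rather than a bug, there is no patch for the channel itself; the realistic controls are blocking the code injection (engineering-station hardening, PLC access control, monitoring for unexpected logic downloads) and RF surveys of the plant perimeter.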
CyberX Security Research & Technology News
- The new app provides a richer user interface than the simple Syslog integration typically provided by ICS security vendors.
- It supports a unified approach to IT and OT security in the corporate SOC, enabling CISOs to strengthen OT security while building upon the significant investments they’ve already made in people, workflows, and technology for the corporate SOC.
- It gives SOC analysts visibility into the specialized protocols, devices, and threats found in OT networks, via CyberX’s purpose-built OT security platform, while supporting tighter collaboration between IT and OT teams.
CyberX has completed its technology integration with CyberArk, the market-share leader in privileged account security, to provide secure remote access for critical industrial networks.
The integration of CyberX’s continuous ICS monitoring platform with CyberArk’s Privileged Session Manager (PSM) enables industrial organizations to:
- Receive real-time alerts whenever CyberX detects remote sessions on the OT network that were not authorized by CyberArk. CyberX also incorporates ICS-specific behavioral analytics and self-learning to immediately detect anomalous behavior indicating a potential OT breach.
- Continuously monitor and audit privileged user sessions in the CyberX console, including which ICS devices are being accessed and whether the session is being recorded by CyberArk.
- Perform incident response, threat hunting and threat modeling around remote access. To enable rapid response, SOC analysts can now query the CyberX event timeline to identify all remote sessions based on forensic details such as which remote access protocols were used (SSH, RDP, VNC, etc.) and whether sessions were authorized by CyberArk.
Additionally, they can leverage CyberX’s exclusive automated threat modeling capability to proactively identify and secure multi-step attack chains that incorporate remote access connections to compromise critical assets.
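The core of the integration described above is a correlation: every remote-access session seen on the OT network is matched against the sessions the privileged-access proxy actually brokered, and anything unmatched is an alert. The following is an added Python example that shows that logic over constructed data; it is not CyberX or CyberArk code, and the flow-record format, the PSM grant record and the proxy address are hypothetical. It identifies the protocol by destination port (a real passive monitor would also fingerprint the handshake) and treats a session as authorized only if it comes from the proxy, matches a grant's target and port, and falls inside the grant's time window. The `sessions_by_protocol` helper is the "query the timeline by protocol and authorization status" step from the bullets:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote-access protocols to watch, keyed by default TCP port (assumption:
# protocol is inferred from the port in this simplified example).
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}


@dataclass(frozen=True)
class Session:
    start: datetime
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PamGrant:
    """A session the privileged-access proxy brokered. Hypothetical record layout."""
    proxy_ip: str
    target: str
    dport: int
    start: datetime
    end: datetime
    recorded: bool


def parse_flow(line: str) -> Session:
    """Parse a constructed flow record of the form 'ISO-time src dst dport'."""
    ts, src, dst, dport = line.split()
    return Session(datetime.fromisoformat(ts), src, dst, int(dport))


def find_grant(s: Session, grants, slack=timedelta(seconds=30)):
    """Return the grant covering this session, or None. The session must come from
    the proxy, hit the granted target and port, and start inside the grant window
    (with a little slack for clock skew)."""
    for g in grants:
        if (s.src == g.proxy_ip and s.dst == g.target and s.dport == g.dport
                and g.start - slack <= s.start <= g.end + slack):
            return g
    return None


def audit(flow_lines, grants):
    """Return (alerts, rows). `rows` is the audit timeline of every remote-access
    session seen; `alerts` lists the ones that bypassed the proxy."""
    alerts, rows = [], []
    for line in flow_lines:
        s = parse_flow(line)
        proto = REMOTE_ACCESS_PORTS.get(s.dport)
        if proto is None:
            continue  # e.g. Modbus or S7comm: not a remote-access protocol
        g = find_grant(s, grants)
        row = {"time": s.start.isoformat(), "proto": proto, "src": s.src, "dst": s.dst,
               "authorized": g is not None, "recorded": bool(g and g.recorded)}
        rows.append(row)
        if g is None:
            alerts.append(f"UNAUTHORIZED {proto} {s.src} -> {s.dst} at {row['time']}")
    return alerts, rows


def sessions_by_protocol(rows, proto, authorized=None):
    """Timeline query: sessions of one protocol, optionally filtered by grant status."""
    return [r for r in rows if r["proto"] == proto
            and (authorized is None or r["authorized"] == authorized)]


# Constructed sample data (not real traffic or real grants).
PSM_PROXY = "10.1.0.5"
GRANTS = [
    PamGrant(PSM_PROXY, "192.168.10.20", 22, datetime(2018, 1, 10, 9, 0),
             datetime(2018, 1, 10, 10, 0), recorded=True),
    PamGrant(PSM_PROXY, "192.168.10.30", 3389, datetime(2018, 1, 10, 9, 30),
             datetime(2018, 1, 10, 11, 0), recorded=False),
]
FLOWS = [
    "2018-01-10T09:05:00 10.1.0.5 192.168.10.20 22",      # SSH via proxy, in window: OK
    "2018-01-10T09:40:00 10.1.0.5 192.168.10.30 3389",    # RDP via proxy, but not recorded
    "2018-01-10T09:50:00 10.7.3.44 192.168.10.20 22",     # SSH straight from a workstation: alert
    "2018-01-10T12:10:00 10.1.0.5 192.168.10.20 22",      # via proxy, but grant expired: alert
    "2018-01-10T09:55:00 10.7.3.44 192.168.10.21 502",    # Modbus, ignored here
    "2018-01-10T13:00:00 172.16.5.9 192.168.10.40 5900",  # VNC from outside OT: alert
]

if __name__ == "__main__":
    found_alerts, timeline = audit(FLOWS, GRANTS)
    for a in found_alerts:
        print(a)
    print(len(sessions_by_protocol(timeline, "SSH", authorized=False)), "unauthorized SSH sessions")
```

Note that the fourth flow is flagged even though it originates from the proxy: a session outside its grant window is exactly the case a time-bounded check catches and a simple source-IP allowlist would miss. The `recorded` flag on the second row is how the "is the session being recorded" audit question from the bullets would surface.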
In its 2017 Global ICS & IIoT Risk report, CyberX presents the results of its analysis of 375 production OT networks over the past 18 months, across the US, Europe, and APAC. The data clearly shows that control networks are easy targets for current adversaries — while busting some common industrial security myths:
- No air-gap: One-third of industrial sites are connected to the Internet, making them reachable by attackers and malware that exploit vulnerabilities and misconfigurations.
- Weak authentication: Nearly 3 out of 5 sites have plain-text passwords traversing their control networks, which can easily be sniffed by attackers performing cyber-reconnaissance.
- Vulnerable devices: On average, 28% of the OT devices at each site have a security score below 70%, driven by exploitable weaknesses such as known CVEs and unnecessary open ports.
To learn about other key findings — and how to proactively mitigate them with automated threat modeling and continuous monitoring — get the complimentary report here.
Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed industrial cybersecurity platform for continuously reducing ICS risk. The CyberX platform combines an embedded understanding of industrial devices, protocols, and applications with ICS-specific continuous monitoring and anomaly detection, asset and network topology discovery, risk and vulnerability management, automated threat modeling, and threat intelligence.
To see CyberX’s OT security platform in action, request a demo here.