The CyberX-Files – Issue #6

Digest of notable ICS cybersecurity content — curated by CyberX’s ICS security geeks

The times, they are a changin’ … We live in interesting times.

Welcome to the 6th edition of the CyberX-Files! In this issue we discuss: why the top US intelligence office feels the persistent danger of Russian cyberattacks is akin to the “blinking red light” warnings ahead of the Sept. 11, 2001 attacks; an attempted attack on a Ukrainian chlorine factory; and the EU’s NIS Directive to tighten security for critical infrastructure organizations, with fines for non-compliance up to $20M.

In CyberX news, our RSA NetWitness integration has been certified by RSA. This further supports our mission to enable unified IT/OT security governance by integrating seamlessly with your existing SOC workflows and security stacks (IBM QRadar, Splunk, Palo Alto Networks, etc.). As Gartner writes, a single security and risk management function is better-positioned to address advanced threats across both IT and OT — with the added bonus of leveraging scarce resources across both functions.

Thanks to everyone who attended our Happy Hour at the House of Blues during Black Hat 2018 (see photo attached)! We hope you had a great time and enjoyed interesting conversations about OT security.

Enjoy this issue of the CyberX-Files and please drop me a line at [email protected] with any feedback!

In This Newsletter

ICS/SCADA/OT Security News

Top Intelligence Officer: Cyber Threat Warnings ‘Blinking Red’

The New York Times
  • National Intelligence Director Dan Coats warned that digital attempts to undermine America are occurring daily, not just at election time.
  • The nation’s top intelligence official, a former Republican senator from Indiana, said that Russia has been the most aggressive foreign actor, but cyber threats also are coming from China, Iran and North Korea, as well as criminal networks and individual hackers.
  • The US DHS and FBI, in coordination with international partners, have detected Russian government actors targeting government and businesses in the energy, nuclear, water, aviation and critical manufacturing sectors,” Coats said.

Read the full story in The New York Times

Ukraine Claims it Blocked VPNFilter Attack at Chemical Plant

The Register
  • Ukraine’s SBU Security Service says it stopped a cyberattack against a chlorine plant in Central Ukraine that was launched using the notorious VPNFilter malware. The plant provides chlorine to water treatment and sewage plants throughout Ukraine and its products are used by consumers in 23 regions of Ukraine, Moldova and Belarus.
  • SBU reported: “Specialists of the cyber security service established minutes after [the incident] that the enterprise’s process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia.”
  • VPNFilter, first detected in May, is estimated to have hijacked half a million IoT devices such as routers and NAS devices. The code of some versions overlaps with versions of the BlackEnergy malware developed by the Russian GRU’s Sandworm group, which successfully attacked the Ukrainian electrical grid in 2015 and 2016.
  • In May, Cisco Talos’ security team warned of the destructive capability of the VPNFilter malware as it allows for theft of website credentials and monitoring of Modbus SCADA protocols. The malware also intercepts web traffic & inserts malicious code (MITM attack) and includes a self-destruct module that bricks routers by wiping their firmware.

Read the full story in The Register
View a SANS webinar about VPNFilter

House Passes Bill Addressing Industrial Cybersecurity

The Hill
  • The House of Representatives has approved legislation aimed at strengthening the cybersecurity defenses of critical infrastructure networks, such as electric grid, water systems, and manufacturing plants.
  • The bill was presented after FBI and DHS announced that hackers backed by the Russian government had waged a cyberattack against the energy sector and other critical infrastructure sectors.
  • The “DHS Industrial Control Systems Capabilities Enhancement Act of 2018” bill instructs the DHS to help identify threats to industrial control systems and take the lead on coordinating across critical sectors to respond to cyber incidents.
  • It authorizes the DHS to provide cyber technical assistance to end users, manufacturers and others to help find and mitigate vulnerabilities in industrial control systems that could potentially be exploited by hackers.
  • It codifies a current vulnerability disclosure program through which the DHS discloses previously unknown flaws in ICS to the private sector.
  • DHS officials must brief Congress on efforts to protect these systems twice each year for the four years following the bill’s enactment.

Read the full story in The Hill

Cybersecurity Rules Needed for Pipelines: FERC Commissioners

  • The emergence of natural gas as a significant part of the fuel mix has greatly raised the stakes for pipeline cybersecurity. Natural gas pipelines are not subject to the same standards as electric grid operators.
  • The TSA, the authority in charge of the gas pipeline security, confirmed that it only had 6 full-time employees to oversee the security of the entire US gas infrastructure.
  • Although it has the authority to enforce mandatory standards to protect gas pipeline infrastructure from cyberattacks, TSA relies instead on voluntary standards.
  • The Federal Energy Regulatory Commission (FERC) is recommending that pipeline security be a responsibility of a national regulator with sufficient resources to address cybersecurity threats, such as the DoE.
  • Mandatory standards for gas pipelines need not be identical to those used by the electric sector and should instead reflect the unique operational risks facing gas pipelines.
  • According to FERC commissioners, the safety and security of our electric grid is an area that should rise above partisan politics.

Read the full story in Chron


CyberX In The News

While Everyone was Focused on GDPR, the NIS Directive Snuck in Through the Back Door

  • As we’ve seen with WannaCry and NotPetya, attacks on critical infrastructure can have a devastating impact on industrial production, with global losses in the billions of dollars.
  • While GDPR is a privacy directive focused on organizations that collect personal data, the NIS Directive is focused on strengthening resilience for providers of critical infrastructure services.
  • Fines for non-compliant companies can be up to £17 million ($20M+) in the UK.
  • Based in the US? Don’t wave NISD off. Many US companies are also affected because they have operations in the EU.
  • Also, in case of a major safety or environmental incident — anywhere in the world — US organizations could be held negligent and financially liable for not adhering to the “minimum standards of due care” defined by NISD.
  • The NIS Directive requires a multi-layered strategy incorporating modern security controls such as OT asset management, vulnerability management, threat modeling, and behavioral anomaly detection.

Read the full story in VentureBeat
Download our Executive Guide to the NIS Directive

These 7 Nation-State Backed Hacks Have Put us on Brink of Global Cyber War

The Last Watchdog on Privacy and Security
  • Nation-state backed cyberattacks reveal that military and intelligence units routinely hack to not only gather intelligence, but to also knock down critical infrastructure and even interfere with elections.
  • Nation-states acted as sponsors of the most prominent attacks to industrial infrastructure in the past few years. Examples include: North Korea’s WannaCry attack in May 2017; [Russia’s Not Petya attack in June 2017]; Iran’s hack of a Saudi Arabian petrochemical plant in August 2017; Russian attacks that caused power outages in Kiev in 2015 and 2016, as well as Russia’s Dragonfly 2.0 campaign targeting US and European energy companies.
  • Phil Neray of CyberX commented: “As we’ve already seen with Russian threat actors, the goal is to establish footholds in OT networks that could later be used for more destructive attacks.”

Read the full story in The Last Watchdog on Privacy and Security

CyberX Security
Research & Technology News

CyberX Announces “RSA Ready” Interoperability with RSA NetWitness Platform

  • RSA has certified CyberX’s enterprise-class platform as interoperable with the RSA NetWitness® Platform.
  • The new interoperability supports a unified IT/OT security governance strategy that leverages your existing investments in IR workflows and orchestration, trained personnel, and RSA NetWitness technology.
  • According to Wam Voster, Gartner Research Director, “In a continuously evolving threat landscape, a single established security and risk management function is better-positioned to address these threats across both IT and OT.”
  • “OT security is now a board-level issue,” said Matthew Chase, Senior Manager of Technical Alliances for RSA NetWitness Platform. “The new interoperability enables our joint customers to accelerate ICS detection and response by gaining access from their existing RSA NetWitness consoles to CyberX’s continuous, real-time visibility into ICS-specific protocols, devices, and threats, leveraging full-fidelity packet data.”
  • Buck Watia, VP of Alliances & Business Development at CyberX, commented: “We’re honored to be working with RSA to protect the global critical infrastructure upon which we all depend every day. This is just the first step in our integration with RSA’s comprehensive portfolio for threat detection and risk governance.”

Read the full story on the CyberX site

Upcoming Events

  • SANS webinar about VPNFilter malware and implications for ICS, featuring Tim Conway, SANS Technical Director for ICS & SCADA Programs, and Doug Wylie, SANS Director of Industrials and Infrastructure Practice Area. Sign-in to view the archived version.
  • EnergySec Annual Security & Compliance Summit, August 27-29, 2018, Anaheim, CA.
  • Cyber Senate ICS Cyber Security and Resilience USA conference, September 18-19, Sacramento California.
  • Palo Alto Networks Day Japan, September 27, Tokyo.
  • Palo Alto Ignite ’18 Europe Security Conference, October 8-10, Amsterdam, NL.
  • CS4CA Europe, October 23, 2018, London, UK

About CyberX

Founded by military cyber-experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed platform for continuously reducing ICS/SCADA/OT risk.

Our ICS-aware self-learning engines deliver immediate insights about assets, vulnerabilities, and threats — in less than an hour — without relying on rules or signatures, specialized skills, or prior knowledge of the environment.

CyberX is a member of the IBM Security App Exchange Community and the Palo Alto Networks Application Framework Community, and has partnered with premier solution providers and MSSPs worldwide including Optiv Security, DXC Technology, and Deutsche-Telekom/T-Systems.