CyberX on Russian cyber-reconnaissance in the CyberWire Podcast

In this CyberWire podcast from July 24, CyberX VP of Industrial Cybersecurity Phil Neray discusses Russian cyber-reconnaissance. Listen to his comments in the podcast recording starting at 3:29. “It’s dangerous and reckless to assume that Russian cyber-reconnaissance can be discounted because no one has actually turned off the power yet. It’s clear that our adversaries now have direct access to hundreds or potentially thousands of systems that monitor and control our electrical grid, and they’ve vacuumed up all kinds of sensitive information to help them plan their attacks. Now it’s only a matter of political will — and desire to test our red lines — that’s holding them back from throwing the switch. The potential consequences would be dramatic, ranging from human safety issues to a temporary shutdown of our entire...
SANS Webinar: Anatomy of the TRITON ICS Cyberattack

Watch this educational SANS webinar, led by Justin Searle, Director of ICS Security at InGuardians and a senior SANS instructor, and Phil Neray, VP of Industrial Cybersecurity at CyberX, to learn about:

- The technical architecture of the TRITON malware, including how the attackers inserted a backdoor into the firmware memory region of the safety controller without interrupting its normal operation or being detected
- Threat models showing how the attackers may have compromised an engineering workstation to deploy malware that communicates with the safety controller using its native engineering protocol
- How to defend against similar attacks in the future with a multi-layered active defense model that combines continuous network monitoring, vulnerability management, threat intelligence, and automated threat modeling

View Phil's presentation (.pdf)
View Justin's presentation (.pdf)
Download the transcript (.pdf)

Overview

An industry game-changer, the TRITON ICS cyberattack exhibited an entirely new level of Stuxnet-like sophistication. In particular, the attackers exploited a zero-day in the safety controller's firmware in order to inject a Remote Access Trojan (RAT) with escalated privileges into the controller itself. Moreover, the attackers inserted the backdoor into the controller's firmware memory region without interrupting its normal operation and without being detected. TRITON exposed yet another class of ICS equipment that attackers can target to compromise industrial operations: the physical safety control systems, or Safety Instrumented Systems (SIS), that provide automatic emergency shutdown of plant processes, for example when an oil refinery process exceeds safe temperatures or pressures. The likely intent of such an approach would be to disable the safety system in order to lay the groundwork for a 2nd cyberattack that would cause...
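The "continuous monitoring" layer of the defense model above is easiest to understand as concrete detection logic. The following is an added example, not code from CyberX, InGuardians, SANS or the webinar: a passive monitor that inspects decoded engineering-protocol requests to safety controllers and raises alerts on the three behaviours the webinar description calls out, a client that is not an authorized engineering workstation, a program or memory write outside the change-control window, and any memory write that lands in the controller's firmware region rather than program memory (the last rule fires even when the request comes from a legitimate, but compromised, engineering workstation). The host addresses, port number, operation names, memory map and maintenance window are all constructed assumptions; a real deployment would take these from the site inventory and from a dissector for the controller's actual protocol.

```python
"""Passive monitor for engineering traffic to safety controllers (SIS).

Added example for the TRITON discussion; every address, port, operation
name and memory range below is an assumption constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple


@dataclass(frozen=True)
class EngineeringMessage:
    """One decoded request from a client to a safety controller.

    The 'op' and 'addr' fields are assumed to come from a protocol
    dissector; their names are invented for this example.
    """
    ts: datetime
    src: str
    dst: str
    dport: int
    op: str
    addr: int = 0


# --- Assumed site inventory and policy (constructed, not from the page) ---
SIS_CONTROLLERS = {"10.10.5.20", "10.10.5.21"}
AUTHORIZED_EWS = {"10.10.1.15"}          # engineering workstations allowed to program the SIS
ENGINEERING_PORT = 1502                   # assumed port of the engineering protocol
WRITE_OPS = {"download_program", "write_memory"}
MAINT_WINDOW = (time(2, 0), time(4, 0))   # assumed change-control window (local time)
# Assumed controller memory map: writes here are firmware, not application logic.
FIRMWARE_REGION = (0x00400000, 0x004FFFFF)

Alert = Tuple[str, str, str, str]  # (rule, src, dst, op)


def in_maint_window(ts: datetime) -> bool:
    start, end = MAINT_WINDOW
    return start <= ts.time() <= end


def in_firmware_region(addr: int) -> bool:
    lo, hi = FIRMWARE_REGION
    return lo <= addr <= hi


def analyze(messages: List[EngineeringMessage]) -> List[Alert]:
    """Return alerts for engineering requests that violate site policy."""
    alerts: List[Alert] = []
    for m in messages:
        # Only engineering-protocol traffic aimed at a safety controller matters here.
        if m.dst not in SIS_CONTROLLERS or m.dport != ENGINEERING_PORT:
            continue
        # Rule 1: any client other than an authorized engineering workstation.
        if m.src not in AUTHORIZED_EWS:
            alerts.append(("unauthorized-engineering-client", m.src, m.dst, m.op))
        # Rule 2: program/memory writes outside the change-control window.
        if m.op in WRITE_OPS and not in_maint_window(m.ts):
            alerts.append(("write-outside-maintenance-window", m.src, m.dst, m.op))
        # Rule 3: a memory write into the firmware region. Legitimate program
        # downloads target application memory, so this fires even for an
        # authorized (possibly compromised) workstation.
        if m.op == "write_memory" and in_firmware_region(m.addr):
            alerts.append(("firmware-region-write", m.src, m.dst, m.op))
    return alerts


# Constructed sample traffic: a normal day plus one suspicious sequence.
SAMPLE = [
    EngineeringMessage(datetime(2018, 7, 24, 10, 0), "10.10.1.15", "10.10.5.20", 1502, "read_status"),
    EngineeringMessage(datetime(2018, 7, 24, 3, 0), "10.10.1.15", "10.10.5.20", 1502, "download_program", 0x00100000),
    EngineeringMessage(datetime(2018, 7, 24, 14, 5), "10.10.1.15", "10.10.5.21", 1502, "write_memory", 0x00401000),
    EngineeringMessage(datetime(2018, 7, 24, 14, 6), "10.10.9.9", "10.10.5.21", 1502, "read_status"),
    # Same write, but to a non-SIS host: outside this monitor's scope.
    EngineeringMessage(datetime(2018, 7, 24, 14, 7), "10.10.1.15", "10.10.2.3", 1502, "write_memory", 0x00401000),
]


if __name__ == "__main__":
    for rule, src, dst, op in analyze(SAMPLE):
        print(f"{rule}: {src} -> {dst} ({op})")
```

On the constructed sample, the 14:05 memory write from the authorized workstation triggers both the out-of-window and firmware-region rules, and the request from 10.10.9.9 triggers the unauthorized-client rule; the 03:00 program download and the read-only status poll produce nothing. The firmware-region rule is the one that matters most for a TRITON-style intrusion, because the attacker's traffic otherwise comes from an approved source and uses the controller's native protocol.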