The CyberX-Files – Issue #3

Digest of notable ICS cybersecurity content — curated by CyberX’s ICS security geeks

It’s been a busy month for the ICS security community.

In an unprecedented announcement, the US DHS and FBI confirmed that Russian threat actors have successfully compromised US critical infrastructure networks.

Also, new information emerged that TRITON may be connected to a series of cyberattacks on Saudi Arabian petrochemical plants — including one aimed at a joint venture between Saudi Aramco and Dow Chemical.

Experts also say that TRITON was far more sophisticated than any previous attack from Iran — but they speculate that Iran may have worked with Russia or North Korea to improve its capabilities.

We’ve also been busy at CyberX, announcing the largest Series B funding round to date for an ICS cybersecurity company. The new round, which brings our total financing to $30M, was led by Norwest Venture Partners, a top-tier Silicon Valley firm and early investor in FireEye. The funding follows a milestone year of rapid growth for CyberX during which bookings grew by a factor of 3x.

In addition, CyberX held its 3rd executive seminar on ICS security, featuring security and operations leaders from CyberX customers including Swissgrid, EWZ Energy, and Lonza Group, a global supplier to the pharmaceutical and biotechnology industries.

We’d love to hear your perspectives on ICS cybersecurity and how your organization is implementing a unified strategy for IT and OT security — please don’t hesitate to email us your thoughts.

In This Newsletter



ICS/SCADA/OT Security News

A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try

The New York Times
  • TRITON was “a dangerous escalation in international hacking … designed to sabotage operations and trigger an explosion that would have killed people.”
  • It may be associated with string of cyberattacks on petrochemical plants in Saudi Arabia during January 2017, which destroyed corporate PCs (similar to Shamoon). The targeted companies include privately-held National Industrialization Company (Tasnee) and Sadara Chemical Company, a joint venture between Saudi Aramco and Dow Chemical.
  • TRITON was far more sophisticated than any previous attack originating from Iran, but Iran could have improved its abilities or worked with another country, like Russia or North Korea.
  • Schneider’s Triconex safety controllers are currently used in about 18,000 plants around the world, including in nuclear and water treatment facilities, oil and gas refineries, and chemical plants — but it’s only a matter of time before the same tradecraft is used by other adversaries against other types of controllers.

Read the full story in The New York Times

One-Third of All Cyberattacks Target OT Networks

Dark Reading
  • According to a Ponemon Institute survey sponsored by Siemens, 75% of Middle East organizations have been hit by at least one attack that either disrupted OT or led to the theft of corporate IP, in the last 12 months.
  • 30% of all cyberattacks worldwide are against OT networks.
  • 60% of organizations say that OT risk is greater than IT risk.
  • Although surveys are not as reliable as analyses of real-world network traffic data (see CyberX’s Global ICS & IIoT Risk Report), the survey conveys the real-world perceptions of 200 professionals responsible for OT security in their organizations.

Read the full story in Dark Reading

Ukraine Power Company to Increase Cyber Budget

Dark Reading
  • Ukraine’s state-run power distributor will invest up to $20M over several years in cyber defense.
  • In 2015, attackers used stolen credentials to remotely manipulate ICSs and shut down power for 225,000 customers.
  • In 2016, a 200MW power outage was linked to the same threat actors. [Known as Sandworm, the Russian-linked group used custom malware to control PLCs using their native ICS protocols.]
  • The energy company was also a victim of NotPetya in June 2017.

Read the full story in Dark Reading

CyberX In The News

DHS, FBI Warn on Russian State Actors Targeting Critical Infrastructure

InfoSecurity Magazine
  • The DHS/FBI alert states that Russian government threat actors targeted “government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
  • Hackers targeted trusted 3rd-party suppliers, before pivoting and gaining remote access to energy-sector networks.
  • The activity goes back to at least March 2016, involving APT groups such as Dragonfly, aka Energetic Bear.
  • According to CyberX: “The DHS/FBI alert validates what the ICS community has known for months: Russian cyberattackers have both the intent and the ability to successfully compromise our critical infrastructure networks, including in our nuclear facilities. It’s easy to see how Russia could leverage these dangerous footholds to test our red lines and threaten us with sabotage in the event of escalating hostilities, such as new Russian incursions on former Soviet territories.”

Read the full story in InfoSecurity Magazine

After Triton Attack, CyberX Raises $18M to Defend Industrial Networks

Xconomy, Reuters, SecurityWeek
  • CyberX’s new funding brings total amount raised to $30M.
  • According to Dror Nahumi, general partner at Norwest Venture Partners: “We are extremely impressed with CyberX’s solution and its successful adoption with top-tier enterprise customers across multiple verticals.”
  • Omer Schneider, CyberX co-founder and CEO, said: “As a top-tier global VC, NVP’s investment in CyberX is recognition that we are successfully delivering differentiated technology and expertise enabling us to win over the world’s most sophisticated and demanding customers.”
  • Nir Giller, CyberX co-founder and CTO, said: “We’re proud that our team has delivered a series of industry-firsts, including the first anomaly detection platform to incorporate ICS-specific threat intelligence, risk and vulnerability assessments, and automated threat modeling [attack vectors], as well as native integration with SOC tools.”

Read the full story in Xconomy, Reuters, SecurityWeek

CyberX Security
Research & Technology News

Growing Cyber Threats to Oil & Gas Facilities

By CyberX in Oilman Magazine
  • The TRITON attack appears to have been carefully planned and occurred in a number of stages.
  • The attackers likely gained access to the ICS network by compromising the credentials of a control engineer or trusted 3rd-party contractor.
  • The next step was to compromise a Windows-based engineering workstation in the OT environment.
  • The final step was compromising the safety controller itself. The attackers developed custom modules to communicate with the controller from the engineering workstation, using the same protocol the TriStation TS311 software itself uses to communicate with the Triconex controllers.
  • They exploited a zero-day (or perhaps a vulnerable design) in the controller firmware to inject a Remote Access Trojan (RAT) into its memory region — without interrupting its normal operation and without being detected.
  • We believe the purpose of the RAT was to enable persistent access to the controller, even when the physical key was turned to RUN mode — which is designed to prevent unauthorized updates to the PLC code — rather than PROGRAM mode. This is why we believe that this attack was merely the first phase of a much larger planned attack.
  • Fortunately, modern ICS cybersecurity systems have evolved and now use passive network monitoring and detailed packet dissection of ICS protocols, combined with advanced self-learning algorithms, to detect this type of anomalous activity in real-time—without relying on rules or signatures, specialized skills, or prior knowledge of the environment.

Read the full story in Oilman Magazine

CyberX Analysis of DHS/FBI Alert re: Russian Targeting of Critical Infrastructure

  • The DHS/FBI alert states that Russian government threat actors targeted “government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
  • The attackers demonstrated sophisticated techniques — from phishing to watering hole attacks — to steal credentials, plus covered their tracks by deleting logs and other digital breadcrumbs that could reveal their presence.
  • A technique called “Template Injection” was used to silently harvest credentials by attaching malicious documents that automatically connect to an external SMB server controlled by the attackers. (Unlike common phishing attacks, the document themselves do not contain malicious code.) The documents appeared to be resumes from control engineers.
  • Echoing Stuxnet, the attackers manipulated LNK files (Windows shortcut files), to conduct malicious activities. In this case, they used LNK files to gather user credentials when the LNK file attempted to load its icon from a remote SMB server controlled by the attackers.
  • The DHS alert includes a screenshot taken by the threat actors of an HMI in one of the facilities compromised — indicating they successfully pivoted from the IT network to the OT network. HMIs are used to monitor and control the actual physical processes in an industrial facility, like turbines and compressors.

Read the full analysis by Phil Neray on the CyberX blog

About CyberX

Founded by military cyber-experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed platform for continuously reducing ICS and IIoT risk. Our ICS-specific self-learning engine delivers accurate insights about assets, targeted attacks, malware, vulnerabilities, and attack vectors — in less than an hour — without relying on rules or signatures, specialized skills, or prior knowledge of the environment. CyberX is a member of the IBM Security App Exchange Community and has partnered with premier solution providers worldwide including Optiv Security and Deutsche-Telekom/T-Systems.

To see CyberX’s OT security platform in action, request a demo here.