The EU recently passed the Network and Information Security (NIS) Directive (NISD), which requires critical infrastructure organizations to implement stronger security controls and breach reporting for their ICS/SCADA/OT networks. Why does NISD matter? In the UK, non-compliant industrial organizations can be fined up to £17 million or 4% of their global revenue.
Knowledge Base for IIoT, ICS & SCADA Security
Your trusted source for the latest ICS vulnerability research, industrial threat intelligence, and educational information about best practices for IIoT, ICS and SCADA security.
SANS Webinar: All Your Network Traffic Are Belong to Us – VPNFilter Malware and Implications for ICS
In this educational webinar led by Tim Conway and Doug Wylie from SANS, with Phil Neray from industrial cybersecurity firm CyberX, you’ll learn about VPNFilter’s architecture and capabilities, its implications for ICS networks and asset owners, and how to defend against VPNFilter and similar malware in the future.
Demonstrating Stuxnet-like sophistication, the adversaries exhibited a high level of planning and resources consistent with past nation-state attacks on critical infrastructure. In particular, they exploited a PLC vulnerability and developed ICS-tailored malware to communicate directly with a specific type of industrial controller using its native ICS protocol. Watch this educational SANS webinar led by Justin Searle, Director of ICS Security at InGuardians and a senior SANS instructor, and Phil Neray, VP of Industrial Cybersecurity at CyberX, to learn more about TRITON and ICS cybersecurity.
CyberX’s Phil Neray discusses the TRITON attack and other growing cyberthreats to the oil & gas industries in the March/April 2018 edition of OILMAN magazine.
After completing our analysis of the TRITON malware code (sometimes also called TRISIS and HatMan malware), we suspect the TRITON malware itself is only a small part of a planned larger attack. We found no usage directives in the TRITON code itself. Rather, its primary goal appears to be to give attackers a means to execute remote code on the compromised controller, opening the door to future deployment of malicious components. TRITON merely opens the door.
In this Stage 2: Technical Deep Dives talk at S4x18, David Atch of CyberX explains how the team uses a specialized ICS sandbox to safely analyze ICS malware.
In this educational webinar led by Doug Wylie, SANS Director of the Industrials & Infrastructure practice area and previously Director of Product Security and Risk Management at Rockwell Automation, with Phil Neray, VP of Industrial Cybersecurity at CyberX, we’ll explore the challenges behind blending IT, OT and IIoT Security in the corporate SOC.
CyberX Security Researchers Demonstrate Exfiltration of Reconnaissance Data from Air-Gapped ICS/SCADA Networks
The security research team at CyberX demonstrates a stealthy hack at Black Hat Europe 2017 that shatters the myth of the air-gapped ICS network.
Phil Neray discusses “Global ICS & IIoT Risk Report” on Dale Peterson’s Unsolicited Response Podcast
In this episode of the Unsolicited Response Podcast, host Dale Peterson talks with Phil Neray of CyberX about the Global ICS & IIoT Risk Report.
A data-driven analysis of vulnerabilities in real-world OT networks, based on Network Traffic Analysis (NTA) of 375 industrial control networks across multiple industrial sectors in the US, EMEA and APAC.
SANS Webinar: NotPetya, Dragonfly 2.0 & CrashOverride: Is Now the Time for Active Cyber Defense in ICS/SCADA Networks?
In this educational SANS webinar led by Mike Assante, SANS Director of Critical Infrastructure & ICS/SCADA Security, we’ll explore:
• Limitations of basic ICS/SCADA security: Why firewalls & segmentation aren’t sufficient anymore
• NotPetya, CrashOverride & Dragonfly 2.0: Technical descriptions & how they work
• Active Cyber Defense: What is it & how can ICS/SCADA defenders implement it
Get your complimentary copy of Chapter 1 from this recently published guide to ICS and SCADA security. Written by ICS/SCADA security experts, this educational chapter describes what’s driving IT/OT convergence and how ICS/SCADA security differs from IT security. It also covers major components, standards and terminology commonly used in industrial environments today (SCADA, DCS, PLC, HMI, NIST SP 800-82, PROFINET, etc.).
According to ICS-ALERT-14-281-01B, BlackEnergy malware targets HMI products from GE (CIMPLICITY), Siemens (WinCC) and Advantech/Broadwin (WebAccess); the CIMPLICITY vulnerability it exploits is tracked as CVE-2014-0751. CyberX’s threat intelligence team reverse-engineered BlackEnergy3 and discovered it was designed to exfiltrate sensitive information from OT networks (especially valuable during the reconnaissance phase of the cyber kill chain). We found that BlackEnergy3 can penetrate OT networks, even when they’re theoretically isolated from IT networks by a firewall, via RPC communication using named pipes over SMB.
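Detection logic for the lateral-movement path described above, as an added example that is not CyberX’s code or part of the BlackEnergy3 analysis: it parses SMB2 CREATE requests seen on TCP/445 and flags opens of well-known DCE/RPC named pipes (svcctl, atsvc, samr and the like) that cross from an IT subnet into an OT subnet. The subnet ranges, the pipe list and the sample packets are assumptions constructed for the example; the SMB2 header and CREATE request layouts follow MS-SMB2.

```python
import ipaddress
import struct

# Well-known DCE/RPC endpoints exposed as named pipes on the IPC$ share (assumed list).
# svcctl (service control) and atsvc (task scheduler) are the usual remote-execution
# paths; the rest support enumeration and lateral movement.
RPC_PIPES = {"svcctl", "atsvc", "srvsvc", "wkssvc", "samr", "lsarpc", "winreg", "epmapper"}

SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x0001   # set on responses, clear on requests


def parse_smb2_create(tcp_payload):
    """Return the file/pipe name from an SMB2 CREATE request, or None.

    tcp_payload is the SMB direct-TCP stream on port 445: a 4-byte NetBIOS
    session header followed by the 64-byte SMB2 header and the command body.
    """
    smb = tcp_payload[4:]                               # skip NetBIOS session header
    if len(smb) < 64 + 56 or smb[:4] != b"\xfeSMB":
        return None
    command, = struct.unpack_from("<H", smb, 12)        # SMB2 header: Command
    flags, = struct.unpack_from("<I", smb, 16)          # SMB2 header: Flags
    if command != SMB2_CREATE or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    # CREATE request body starts at 64; NameOffset/NameLength are at body+44/+46,
    # and NameOffset is measured from the start of the SMB2 header.
    name_off, name_len = struct.unpack_from("<HH", smb, 64 + 44)
    if name_off + name_len > len(smb):
        return None
    return smb[name_off:name_off + name_len].decode("utf-16-le")


def find_boundary_pipe_opens(records, it_net, ot_net):
    """records: iterable of (src_ip, dst_ip, tcp_payload) for traffic to port 445.
    Returns [(src, dst, pipe)] for RPC pipe opens that cross from IT into OT."""
    it_net, ot_net = ipaddress.ip_network(it_net), ipaddress.ip_network(ot_net)
    hits = []
    for src, dst, payload in records:
        name = parse_smb2_create(payload)
        if name is None:
            continue
        pipe = name.lstrip("\\").lower()                # pipe names are case-insensitive
        if (pipe in RPC_PIPES
                and ipaddress.ip_address(src) in it_net
                and ipaddress.ip_address(dst) in ot_net):
            hits.append((src, dst, pipe))
    return hits


# --- constructed sample traffic (not captured data) --------------------------

def _smb2_create_request(name, tree_id=1):
    """Build a minimal SMB2 CREATE request with its NetBIOS session header."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 1, 0, SMB2_CREATE,
                         1, 0, 0, 1, 0, tree_id, 0x1234, b"\x00" * 16)
    name_utf16 = name.encode("utf-16-le")
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0,
                       0x0012019F, 0, 7, 1, 0, 64 + 56, len(name_utf16), 0, 0)
    smb = header + body + name_utf16
    return struct.pack(">I", len(smb)) + smb            # 0x00 type byte + 3-byte length


SAMPLE_RECORDS = [
    ("10.1.5.20", "192.168.100.12", _smb2_create_request("svcctl")),        # IT -> OT service control
    ("10.1.5.20", "10.1.5.40", _smb2_create_request("srvsvc")),             # IT -> IT, out of scope
    ("192.168.100.3", "192.168.100.12", _smb2_create_request("report.csv")),  # a file, not a pipe
    ("10.1.5.21", "192.168.100.12", b"\x00\x00\x00\x05hello"),              # not SMB2 at all
]

if __name__ == "__main__":
    for hit in find_boundary_pipe_opens(SAMPLE_RECORDS, "10.1.0.0/16", "192.168.100.0/24"):
        print("RPC named pipe opened across the IT/OT boundary:", hit)
```

A firewall that permits TCP/445 from IT into OT for file transfer also permits these pipe opens, which is why the check keys on the pipe name rather than the port. The example inspects the CREATE request alone; a production detector would also follow the TreeId back to the IPC$ tree connect and decode the DCE/RPC bind that follows the open.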
Join Mike Assante, SANS Director of Critical Infrastructure & ICS — described in Wired as “one of the most respected experts in the world” when it comes to cyber and power grids — as he discusses new ICS/SCADA attack vectors including:
• WannaCry & Petya ransomware
• Cyber-espionage targeting corporate IP
Download your complimentary overview of best-practice risk assessments for ICS and SCADA security, and learn how to implement an ICS-focused risk mitigation framework that is practical and efficient. This chapter provides specific examples of ICS vulnerabilities and security policies, and describes how to identify assets, network topology, data flows and vulnerabilities without impacting production systems.
Months before Mirai malware was found to be infecting IoT devices, CyberX’s threat intelligence team discovered RADIATION. Targeting surveillance cameras commonly used in industrial environments, the RADIATION malware is much more sophisticated than Mirai because it exploits a zero-day vulnerability in IIoT devices rather than open ports and default credentials that can easily be addressed. We’ve since identified 25,000 Internet-accessible devices compromised by RADIATION, and found that cybercriminals are now providing DDoS-for-hire services using this massive botnet army.
Researchers from CyberX’s threat intelligence team have uncovered a remote code execution (RCE) vulnerability in the Allen-Bradley MicroLogix 1100/1400 families of Rockwell Automation PLCs. With a CVSS score of 9.8, the stack-based buffer overflow vulnerability (CVE-2016-0868) was described in ICS-CERT advisory ICSA-16-026-02. CyberX first demonstrated the exploit at the 2015 ICS Cybersecurity Conference, and it was subsequently described in detail in the chapter on “ICS Zero-Day Vulnerability Research” from the book “Hacking Exposed Industrial Control Systems.”
The U.S. Department of Homeland Security (DHS) reports that cyber incidents at energy facilities increased by nearly a third over 2015. But the actual number of ICS/SCADA security incidents isn’t the really concerning part of the story. More worrisome, say federal cybersecurity officials and private security specialists, is that the vast majority of industrial organizations lack the technology and personnel to continuously monitor their operational systems for anomalous activity, which leaves them unable to detect intrusions when they happen.
CyberX has discovered critical vulnerabilities in a popular software framework used in hundreds of thousands of IIoT and industrial control system (ICS) devices.
Video from S4x17 ICS Cybersecurity Conference – Down the Rabbit Hole: Insights from Real-World ICS Vulnerability Assessments & Threat Research
In this technical session, we discuss zero-day vulnerabilities our threat research team has discovered in industrial firewalls and PLCs. We also describe RADIATION, the IIoT DDoS malware our platform discovered in the network of one of our customers. Finally, we summarize what we’ve learned about the current state of ICS security, based on automated vulnerability assessments we’ve performed in real-world OT environments across a diverse range of industries.
CyberX’s threat intelligence team was the first to report that the Mirai attack on Brian Krebs’ website used GRE (Generic Routing Encapsulation) floods to generate its massive volume of 665 Gbps of traffic, and this post reveals how we did it. By reverse-engineering Mirai, our team found that Mirai implements GRE (a tunneling protocol) using Transparent Ethernet Bridging, unlike previous DDoS attacks which relied on ICMP, SYN and a variety of UDP reflection and amplification attacks. CyberX also uncovered which specific CNC servers were used in the attack, how Mirai spreads using Telnet, and a list of affected vendors.
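A flood classifier for the traffic types named above, as an added example rather than output of CyberX’s reverse-engineering: it distinguishes GRE floods carrying Transparent Ethernet Bridging (GRE protocol type 0x6558, an Ethernet frame inside GRE, the vector Mirai’s source names greeth) from plain IP-in-GRE (0x0800, greip) and from ICMP, SYN and UDP floods, then reports the sources that exceed a per-(source, type) packet threshold. The packets are constructed inline, and the addresses and threshold are assumptions.

```python
import socket
import struct
from collections import Counter

GRE_PROTO = 47
ETH_P_IPV4 = 0x0800
ETH_P_TEB = 0x6558   # Transparent Ethernet Bridging: Ethernet frame carried in GRE


def classify_ipv4(pkt):
    """Return (src_ip, kind) for one raw IPv4 packet without link-layer header.

    kind: icmp, syn, tcp, udp, gre-ip, gre-eth, gre-eth-nonip, gre-other, other.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    if proto == 1:
        return src, "icmp"
    if proto == 6:
        tcp_flags = pkt[ihl + 13]
        syn_only = bool(tcp_flags & 0x02) and not (tcp_flags & 0x10)
        return src, "syn" if syn_only else "tcp"
    if proto == 17:
        return src, "udp"
    if proto == GRE_PROTO:
        gre_flags, ptype = struct.unpack_from("!HH", pkt, ihl)
        off = ihl + 4
        # RFC 2784/2890 optional fields, 4 bytes each: Checksum (C), Key (K), Sequence (S)
        off += 4 * bool(gre_flags & 0x8000) + 4 * bool(gre_flags & 0x2000) + 4 * bool(gre_flags & 0x1000)
        if ptype == ETH_P_IPV4:
            return src, "gre-ip"
        if ptype == ETH_P_TEB:
            inner_type, = struct.unpack_from("!H", pkt, off + 12)   # EtherType of the inner frame
            return src, "gre-eth" if inner_type == ETH_P_IPV4 else "gre-eth-nonip"
        return src, "gre-other"
    return src, "other"


def flood_sources(packets, threshold):
    """Count (src, kind) pairs and return those at or above threshold, busiest first."""
    counts = Counter(classify_ipv4(p) for p in packets)
    return [(src, kind, n) for (src, kind), n in counts.most_common() if n >= threshold]


# --- constructed sample packets (not captured traffic) ------------------------

def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _gre(ptype, inner):
    return struct.pack("!HH", 0, ptype) + inner        # no C/K/S bits set


def _ether(ethertype, inner):
    return bytes.fromhex("0011223344556677889900aa") + struct.pack("!H", ethertype) + inner


_BOT, _VICTIM = "203.0.113.7", "198.51.100.10"
_INNER = _ipv4("10.0.0.1", _VICTIM, 17, _udp(40000, 80, b"\x00" * 512))

SAMPLE_PACKETS = (
    [_ipv4(_BOT, _VICTIM, GRE_PROTO, _gre(ETH_P_TEB, _ether(ETH_P_IPV4, _INNER)))] * 3  # greeth
    + [_ipv4("203.0.113.9", _VICTIM, GRE_PROTO, _gre(ETH_P_IPV4, _INNER))]             # greip
    + [_ipv4("192.0.2.5", _VICTIM, 17, _udp(53000, 53, b"dns?"))]                       # ordinary UDP
)

if __name__ == "__main__":
    for src, kind, n in flood_sources(SAMPLE_PACKETS, threshold=2):
        print(f"{src}: {n} x {kind}")
```

GRE is rarely legitimate at an Internet edge, so on a real capture the threshold can be set low; the per-type split matters because greeth packets carry an extra 14-byte Ethernet header and inner addresses that bear no relation to the outer source, which is why rate limits keyed on the inner IP miss them.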
According to Deloitte, 31% of manufacturers have never conducted a vulnerability assessment, and 50% only do them occasionally. Most have no idea what vulnerabilities and malware are in their networks or where to start to address them. In this educational webinar, ICS cybersecurity veteran Jim Blaschke discusses what’s driving the convergence of IT and OT in manufacturing environments — and how manufacturers can protect themselves from insider threats and targeted attacks as well as operational incidents that cause downtime.