Welcome to issue #8 of the CyberX-Files!
- Ariel Litvin, CISO of global CPG manufacturer First Quality Enterprises, was recognized as a finalist for the prestigious 2018 Northeast Information Security Executive (ISE) of the Year Award. Mr. Litvin was acknowledged for implementing a cohesive IT/OT security monitoring and governance strategy at FQE, as well as for fostering closer collaboration between the firm’s IT and OT organizations. FQE has implemented CyberX’s continuous asset discovery, vulnerability management, and threat monitoring platform in multiple plants, along with centralized management providing a global view of OT risk across all its facilities. You can watch a video of Mr. Litvin presenting at the Palo Alto IGNITE conference here.
- CyberX released a native app for Splunk, now available as a free download on Splunkbase. CyberX’s Splunk app is the first native ICS threat monitoring app for Splunk in the industry, and it complements CyberX’s 2017 release of the industry’s first native ICS threat monitoring app for IBM QRadar.
- CyberX collaborated with NIST and industry partners such as OSIsoft to secure manufacturing industrial control systems. NIST deployed CyberX’s platform in its lab environment to demonstrate new ways of securing manufacturing industrial control systems with behavioral anomaly detection.
- CyberX joined the McAfee Security Innovation Alliance.
- CyberX joined the GE Digital Alliance Program. The company also announced that its platform has been installed in GE Power’s integration environment to support joint GE and CyberX customers with interoperability validation testing.
- CyberX sponsored an educational SANS webcast with Idaho National Labs (INL) about a new approach to securing critical industrial infrastructure called consequence-driven cyber-informed engineering (CCE).
- CyberX and Palo Alto Networks jointly presented in a SANS webinar titled “Accelerating the Time Between ICS/SCADA Threat Detection and Prevention”.
Additionally, CyberX recently hosted executive seminars in Tokyo and Paris. In Tokyo, more than 70 people attended “Emerging ICS/SCADA Threats and How to Maximize Operational Resilience.” The seminar included presentations from: Mihoko Matsubara, NTT Corporation’s Chief Cyber Security Strategist; Dale Peterson, founder of the S4 ICS Security Conference; Palo Alto Networks; and CyberX’s Co-Founder, General Manager, and CTO Nir Giller.
In Paris, CyberX and its regional partner, GECI International, hosted an educational seminar on the same topic. Featured speakers included representatives from Thales Security, a global security provider.
At the ICS Cyber Security Conference in Atlanta, Emerson Automation Solutions and CyberX jointly presented a seminar titled “ICS Security Researchers & Automation Vendors: Building Mutual Trust,” where they described a real-world example of how security researchers from CyberX uncovered a vulnerability in an ICS product and worked cooperatively with the ICS supplier.
Also at the conference, CyberX conducted a hands-on workshop with Palo Alto Networks, where practitioners learned how to apply best practices to more effectively secure their ICS and SCADA environments using the Palo Alto Networks Security Operating Platform and its integration with CyberX’s purpose-built ICS cybersecurity platform. Download the Palo Alto Integration Brief.
Enjoy this issue and send your feedback to [email protected]!
In this Newsletter
- ‘GreyEnergy’ APT Group Spawned from BlackEnergy & NotPetya Actors
- Federal Researchers Simulate Grid Cyberattack, Find Holes in Response Plan
- What Gets Lost in Translation When IoT Principles are Applied to Factory Processes?
- Are Our Nation’s Oil and Gas Pipelines Safe from Cyberattack?
- ICS Networks Continue to be Soft Targets for Cyberattacks
- The West Holds A Cyberwar Advantage, But Victory Would Be Pyrrhic
- Upcoming Events
ICS/SCADA/OT SECURITY NEWS
‘GreyEnergy’ APT group spawned from BlackEnergy & NotPetya actors
- ESET has documented new APT malware from a group it calls GreyEnergy. Like the BlackEnergy group, it targets the energy sector and other critical infrastructure in Ukraine.
- The malware has a modular design and command-and-control architecture like the BlackEnergy malware used in the December 2015 attack against the Ukrainian energy grid. Telemetry data shows that GreyEnergy malware has been active over the last three years, but the group had not been documented until now.
- ESET regards GreyEnergy as a successor to BlackEnergy and links it to TeleBots, the actor behind the NotPetya attacks on Ukraine.
- Victims are infected in one of two ways — through spear phishing campaigns or via the compromise of public-facing web servers. When victims are infected, the actors often deploy internal command-and-control proxies on their networks, allowing them to secretly redirect internal server requests to external malicious servers.
- Victims are initially infected with a first-stage backdoor called GreyEnergy mini or FELIXROOT, used to map the network and steal administrative passwords.
- This paves the way for the main GreyEnergy payload, which is deployed on “servers with high uptime” and “workstations used to control ICS environments.”
- GreyEnergy modules create backdoors, extract files, take screenshots, perform keylogging, and steal credentials.
Federal Researchers Simulate Grid Cyberattack, Find Holes in Response Plan
Wall Street Journal
- DARPA researchers conducted a drill to test how the grid could recover from catastrophic incidents including supply chain attacks, ransomware, and misconfigurations of critical machinery.
- Grid operators conduct tabletop exercises to determine who would do what during a cyberattack, but those activities lack the depth and urgency of a real-world scenario and might not reveal problems in response plans.
- Researchers assessed a worst-case scenario: A cyberattack that shuts down all power for several weeks, resulting in depleted batteries and inoperable generators that normally should kickstart a downed electric grid.
- With no internet or cell-phone access, teams used forensic tools to detect the attackers, disinfect devices, and isolate the network. Once they had a secure foundation, they used diesel generators to restore power gradually across several substations, then set up landlines and a central operating area to help bring other parts of the grid back online.
- Government officials introduced several surprise scenarios, such as a new virus that disconnected parts of the network that engineers had just rebuilt.
- One conclusion: Forensic teams often devote too much time to the most visible problems, leaving them unprepared for bigger issues such as wiper malware that can erase all the progress they make. At one point, researchers also lost about half of a day because they misinterpreted normal grid behavior as a sign of a cyberattack.
- The group will host another test in May or June with more participants, including utility operators and others who haven’t yet used the security tools. The next one is expected to be tougher.
CyberX in the News
What Gets Lost in Translation When IoT principles are Applied to Factory Processes?
- Industry 4.0 and the industrial internet of things (IIoT) have entered the vernacular, but many of us are unaware of what gets lost in translation when internet of things (IoT) principles are applied to factory processes.
- A smart factory demands an infrastructure whose robustness and reliability are an order of magnitude higher than the typical IT infrastructure.
- For years, the assumption was that most ICS environments were air-gapped from IT networks to guard against hacks. But most experts now acknowledge that “the air gap is a myth” in all but a specialized subset of environments, such as nuclear facilities, says CyberX.
- According to CyberX’s “Global ICS & IIoT Risk Report,” one-third of OT networks are connected to the public web. “IT and OT networks are increasingly connected to facilitate remote monitoring and maintenance of industrial equipment, and this increases the available attack surface.”
- “To make matters worse, most OT protocols were designed many years ago” and are “insecure by design,” CyberX said. For example, such protocols don’t require authentication before a controller accepts new ladder logic or firmware. In short, an attacker who gains a foothold on the OT network usually has free rein to compromise many of its ICS devices.
- Clearly, there’s a lot more factory security work left to do than your average OT manager would care to admit.
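To make the “insecure by design” point concrete, here is an added example written for this issue (not CyberX’s code) using Modbus/TCP, which the article does not name but which is the most widely deployed OT protocol with no authentication at all; a register write is a smaller instance of the same problem as an unauthenticated ladder-logic or firmware upload. The code builds a write request, parses the frame, and applies the only control a passive monitor has once the protocol cannot refuse the request: flagging write function codes from any host that is not on an allowlist of engineering stations. The frames, IP addresses and allowlist are constructed for illustration.

```python
"""Modbus/TCP write request plus a monitor that flags writes by source host.

Added example for this newsletter, not CyberX's code. A Modbus/TCP request
carries no credential, session token or signature, so any host that can reach
TCP/502 on a controller can change its outputs. Frames and the allowlist below
are constructed for illustration.
"""
import struct

# Function codes that change controller state. Arriving from an unexpected host,
# any of them is worth an alert, because the protocol itself cannot refuse them.
MODBUS_WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Assumed allowlist: the only hosts that should ever issue write requests.
ENGINEERING_STATIONS = {"10.10.1.5"}


def _mbap(transaction_id, unit_id, pdu):
    """Prefix a PDU with the MBAP header: transaction id, protocol id (always 0
    for Modbus), length of unit id + PDU, unit id. Note there is no field in
    which a credential could even be carried."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_write_single_register(transaction_id, unit_id, address, value):
    """FC 0x06: write one 16-bit holding register."""
    return _mbap(transaction_id, unit_id, struct.pack(">BHH", 0x06, address, value))


def build_read_holding_registers(transaction_id, unit_id, address, count):
    """FC 0x03: read `count` holding registers starting at `address`."""
    return _mbap(transaction_id, unit_id, struct.pack(">BHH", 0x03, address, count))


def parse_modbus_tcp(frame):
    """Split a Modbus/TCP frame into MBAP fields, function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def classify_request(src_ip, frame):
    """Return (verdict, function_name). Writes from allowlisted engineering
    stations are 'write-allowed', writes from anywhere else are 'write-alert',
    and anything that is not a write function is reported as 'read'."""
    req = parse_modbus_tcp(frame)
    name = MODBUS_WRITE_FUNCTIONS.get(req["function"])
    if name is None:
        return ("read", None)
    if src_ip in ENGINEERING_STATIONS:
        return ("write-allowed", name)
    return ("write-alert", name)


# Constructed traffic: (source IP, frame) pairs as a passive sensor would see
# them on the way to a PLC listening on TCP/502.
SAMPLE_TRAFFIC = [
    ("10.10.2.20", build_read_holding_registers(1, 1, 0x0000, 10)),   # HMI polling
    ("10.10.1.5", build_write_single_register(2, 1, 0x0010, 0x0001)),  # engineering station
    ("10.10.2.77", build_write_single_register(3, 1, 0x0010, 0x0000)), # unknown host
]


def scan(traffic):
    """Classify every frame; returns a list of (src, verdict, function_name)."""
    return [(src, *classify_request(src, frame)) for src, frame in traffic]


if __name__ == "__main__":
    for src, verdict, name in scan(SAMPLE_TRAFFIC):
        print(f"{src:12} {verdict:14} {name or 'read-only request'}")
```

The controller accepts the third frame exactly as readily as the second; only the monitoring layer can tell them apart, which is why segmentation (so that 10.10.2.77 cannot reach TCP/502 in the first place) and continuous monitoring of function codes by source are the practical mitigations rather than anything at the protocol level.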
Are Our Nation’s Oil and Gas Pipelines Safe From Cyberattack?
- According to Deloitte, the crude oil and natural gas industries are in the crosshairs of hackers as more operations go digital. The Ponemon Institute reports that just two years ago, the energy industry was named the second most at-risk for cyberattacks, and that three-quarters of sector companies had reported at least one incident.
- Cybersecurity must be a part of overall corporate risk management.
- CyberX attributes the higher risk for cyberattacks in the oil and gas industry to trends in digitization and IoT specifically. “To reduce costs and optimize operations, oil and gas companies are deploying more and more IoT sensors so they can closely track flows and data related to production operations. This has resulted in increased connectivity between IT and OT networks, which has increased the attack surface and hence the risk.”
- Traditional firewalls are no longer enough to protect against sophisticated nation-state adversaries and cybercriminals.
- “One of the biggest issues facing the industry is the shortage of qualified OT security personnel. This increases the need for more automation and broader use of machine learning to address incident response in a more efficient manner.” As a result, integration between OT security platforms and existing SOC tools like SIEMs, firewalls, and ticketing systems is also becoming a requirement.
CyberX Security Research & Technology News
ICS Networks Continue to be Soft Targets for Cyberattacks
- CyberX analyzed one year’s worth of data gathered from 850 production ICS networks across multiple sectors, including energy, utilities, manufacturing, pharmaceuticals, and chemicals.
- The exercise showed that a high percentage of organizations that operate ICS are less safe than generally perceived and are not adequately addressing critical security issues.
- CyberX found that 40% of industrial sites are still directly connected to the Internet and are therefore exposed to more risk than when they were disconnected from the outside world.
- 53% of the sites were using obsolete Windows systems, such as Windows XP and Windows 2000, to access their ICS networks.
- 57% of the organizations aren’t running antivirus with automatically updated malware signatures on the engineering workstations or other Windows systems used to interact with industrial control systems.
- To bolster their security, ICS operators should consider implementing measures such as continuous monitoring, more granular network segmentation, and threat modeling to prioritize mitigation efforts.
The West Holds A Cyberwar Advantage, But Victory Would Be Pyrrhic
- The definition of cyberwarfare is proving to be fuzzy at best, and there is no clear definition of the rules as they apply to acts of war within the cyber realm.
- Forbes cited CyberX’s 2019 Global ICS & IIoT Risk Report to support its hypothesis that many critical infrastructure systems are still at risk of major attacks, and to confirm the view of many that nation-states and industrial enterprises have learned little from Stuxnet eight years ago.
- Any action by a government’s military or other agency that supports strategic or tactical national efforts is unquestionably cyberwarfare.
- Countries are openly conducting activities that if done in person would cause wars. Most of the activity is more of an intelligence effort than blatant acts of war, so there are different rules.
- If there were ever open cyberwarfare, the West would have a massive advantage over China and Russia as both rely so heavily on the West for software.
- Without too much work, the entire internet could be “turned off” for any protagonist state, with consequential massive financial and operational loss. The end state of this would be a true cyber Pyrrhic victory — a victory that inflicts such a devastating toll on the victor that it is tantamount to defeat.
Upcoming Events
- MANUSEC European Summit, February 7-8, 2019 in Munich
- Cyber Security for Critical Assets Summit, March 26-27, 2019 in Houston
CyberX delivers the only industrial cybersecurity platform built by blue-team cyber-experts with a proven track record defending critical national infrastructure. That difference is the foundation for the most widely-deployed platform for continuously reducing ICS risk and preventing costly production outages, safety failures, and environmental incidents.
Notable CyberX customers include 2 of the top 5 US energy providers; a top 5 global pharmaceutical company; a top 5 US chemical company; and national electric and gas utilities across Europe and Asia-Pacific. Strategic partners include industry leaders such as Palo Alto Networks, IBM Security, Splunk, McAfee, RSA, ServiceNow, Optiv Security, DXC Technology, and Deutsche Telekom/T-Systems.