Ilias Sidqui, Auteur

Industrial Control Systems Cybersecurity News #2 – Radiology of the cybersecurity level of the healthcare sector

Ilias Sidqui — Tue, 05 Jun 2018 13:18:33 +0000

>>FOCUS

Last year, the National Health Service England (NHS) faced its most important cybersecurity crisis due to the Wannacry ransomware attack. In October 2017, the National Audit Office (NAO) published a report showing that at least 34% of trusts in England were disrupted, and around 19,494 patient appointments canceled including canceled patient operations. This was mainly due to the fact that the information system managing the appointments, the patients’ records or test results were infected by the ransomware.

However, the report points out that medical devices such as MRI scanners (that have Windows XP embedded within them) were also locked by the ransomware. Only 1,220 devices were infected representing 1% of the overall amount, because several equipments were disconnected to avoid the ransomware propagation. So why the healthcare sector suffered from such an attack and how come the ransomware spread that easily?

Healthcare cybersecurity: Low maturity level

The NAO report highlighted the challenges that the NHS had to face to tackle the attack. These challenges seem similar to the ones that several industries and manufacturers have been facing showing that an analogy of the healthcare information systems and the industrial control systems (ICS) have the same weaknesses.

Indeed, both ICS and Health Information Systems (HIS)face the same cybersecurity challenges, among them:

The wide use of legacy devices and operating systems (such as Windows XP);
The length of the window of exposure of these systems (the window of exposure is the time between the vulnerability disclosure and the patching of the system): the vendors support or the quality guidelines and regulations may represent obstacles for a fast patching (a recent survey conducted on 3000 security professionals working for healthcare and pharmaceutical organizations, show that 57% of the respondents had experienced at least a data breach which was conducted after the exploitation of a vulnerability for which a patch had been previously released);
Critical and unsecure devices directly connected to the Internet exposing the medical network. For example, McAfee published a report explaining how they exploited an unsecure and connected Picture Archiving and Communication System (PACS – device that stores and shares images coming from imaging devices such as scanners) to use personal medical data;
Lack of security by design: several organizations and researchers have been alerting on several flows affecting medical devices such as pacemakers (Cyber-flaw affects 745,000 pacemakers – BBC), insulin pumps (J&J warns diabetic patients: Insulin pump vulnerable to hacking – Reuters) or infusion pumps (Black hat conference [PDF])

A growing threat on the healthcare sector

The low cybersecurity maturity level of the healthcare sector combined with the continuous interest of some actors on personal data or life threatening made the threat skyrocket these past few years. Indeed, several cybersecurity companies have been alerting on a growing number of cyber threat actors who are targeting healthcare sector, for example:

In the last newsletter was reported that a US hospital was hit by Samsam ransomware in January 2018. Samsam is only one of the numerous ransomware that targeted hospitals among them Locky;
In March 2018, Kaspersky researchers discovered that a Chinese-speaking group used PlugX malware (remote access tool which has been used previously by several groups since 2012) in pharmaceutical organizations for stealing information;
In April 2018, Symantec identified a new attack group named Orangeworm. This group has been targeting healthcare sector companies (equipments manufactures, pharmaceutical, health organizations) for several years. Orangeworm has been using a backdoor called Kwampirs which collects data in the infected systems. This malware propagates easily in Windows XP devices.

Protecting against

In order to curb the number of security incidents in the healthcare sector, several measures can be, and in some cases have already been, implemented among them:

Design of a global cybersecurity governance by implementing a cybersecurity policy;
Conduction of awareness campaigns towards the hospital staff on the cybersecurity threats;
Implementation of patch management procedure in order to reduce the window of exposure of the system (a combined work with the vendors and the regulation organizations may be required so the patching covers the largest amount of device as possible);
Network segregation into several levels of protection matching the level of criticality (medical devices should be highly protected).

Several governmental agencies and institutions have been publishing reports and guidelines in order to help healthcare organizations and the medical devices suppliers in securing their network or providing more secure medical devices. You will find here after some of the documents:

>>Latest news

	Aerial tramway with security holes Golem.de, April 19t^h Two white hackers found the control system of a new aerial tramway in the internet without any security measures. According to them, the commands were sent unencrypted, the authentication wasn’t provided and the web application was vulnerable to cross-site scritping and HTTP header injection attacks. Link to the article
	Patch Plugs More Than a Dozen Vulnerabilities Affecting Industrial Secure Router Series Tripwire, April 16^th Cisco Talos published a report revealing several vulnerabilities affecting the Moxa EDR-810 industrial secure router with firewall/NAT/VPN and manager layer 2 switch functions. This router sets perimetric security for critical assets such as pumping/treatment systems in water stations, Distributed Control Systems (DCS) in oil and gas stations … Many of the flaws received a CVSS score of 8.8. Moxa released an updated version of the firmware. Link to the article
	Advisory: Hostile state actors compromising UK organisations with focus on engineering and industrial control companies NCSC, April 5th The National Cyber Security Centre (NCSC) published an advisory revealing that several ongoing attacks have been targeting mainly engineering and industrial control companies since March 2017. The attacks are involving the harvesting of credentials using strategic web compromises and spear-phishing. The advisory also refers to the Department of Homeland Security (DHS) and FBI joint Technical Alert (see below for more information). Link to the advisory
	Sentryo Provides Anomaly Detection Technology to Siemens to Address the Cybersecurity Challenges of industrial infrastructures Sentryo, April Siemens and Sentryo signed an agreement in which Siemens AG will provide Sentryo ICS CyberVision solution to its clients among Siemens products and services. Sentryo’s solution is an asset management and anomaly detection tool designed for Industrial Control Systems. Link to the press release [FR][PDF]
	ISA announces newly published ISA/IEC 62443-4-1-2018 security standard Automation.com, March 28^th The international Society of Automation released the Part 4-1 of the ISA/IEC 62443 standard. This part tackles the Product Security Development Life-Cycle Requirements. “It defines a secure development life-cycle for developing and maintaining secure products.” This includes several concepts such as security by design, patch management and product end-of-life. Link to the article
	Schneider Electric Launches Cybersecurity Virtual Academy ISS Source, March 27^th Schneider Electric launched the Cybersecurity Virtual Academy which is a website that provides several materials to raise the awareness of the cybersecurity risks in the industrial control systems. Link to the article
	Threat landscape for industrial automation systems in H2 2017 Kaspersky lab, March 26^th Kaspersky has published a report on the threat landscape over the industrial control systems during the second semester of 2017. In the report, Kaspersky analyses the vulnerabilities discovered by the ICS-CERT and the ones identified by Kaspersky Lab ICS Cert. Here are some figures given in the report: 322 vulnerabilities were identified by ICS-CERT and more than 50% of them are impacting the energy sector; 3,3% of industrial automation system computers were attacked by cryptocurrency mining programs during the period from February 2017 to January 2018; 10,8% of all ICS systems were attacked by botnet agents during 2017. The mains sources of botnet agent attacks on ICS systems in 2017 were internet, removable media and email messages; The Kaspersky figures show also a certain decrease on the number of attacks on ICS systems between 2016 and 2017. This can be explained by the fact that more and more companies are training their employees and began implementing simple cybersecurity measures. Link to the report
	Draft NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems NIST, March 21^st The National Institute of Standards and Technology (NIST) released a public draft of the NIST SP 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the engineering of Trustworthy Secure Systems. This document aims to provide guidelines to organizations on how to apply cyber resiliency concepts during the engineering of systems. These guidelines may be applied on new systems, modification of systems, Critical infrastructure systems … Link to the release \| Link to the document [PDF]
	Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors US-CERT, March 15^th The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published a joint Technical Alert in which give details on how the Russian government targeted several American organizations operating in the energy, nuclear, water, commercial facilities aviation and critical manufacturing sectors (DHS and FBI have already warned about this threat in another alert published in October). The alert analyzed the attacks using the Lockheed Cyber Kill Chain (stage1:reconnaissance, stage 2: weaponization, stage 3: delivery, stage 4: exploitation, stage 5: installation, stage 6: command & control, stage 7: actions and objectives). The threat actors after gaining access to their victims information system, they conducted reconnaissance operations within the network. They mainly focused on identifying and browsing file servers. They viewed information and files regarding Industrial Control Systems (ICS) or Supervisory Control And Data Acquisition (SCADA) systems. Link to the alert
	‘Cyber event’ disrupts power in Mich. – but don’t blame hackers E&E News, March 8^th An employee of a public utility that provides electricity in Michigan (Consumers Energy) inadvertently cut the electricity to about 15000 consumers. During an “internal testing” the employee overstepped his authority in a control center leading to the outage. The utility the event as a “cyber event” and reported it to the department of Energy even tought the outage had nothing to do with a malware or cyber attack. Since the event, the company adjusted the access controls. Link to the news
	A Qualitative View of 2017 Across vulnerabilities, threats, and lessons learned in hunting and incident response Dragos, March Dragos published 3 reports in which they reveal their findings and analysis regarding the industrial control systems vulnerabilities during 2017, the industrial threat landscape incident response and hunting lessons. Some of the results of these reports are the following: “64% of 2017 ICS-related vulnerability patches don’t fully eliminate the risk because the components were insecure by design”; 5 activity groups are working on developing tools and malwares (as Crashoverride that attacked the Ukrainian electric grid in 2016); The main infection vectors are: unprotected interconnectivity with IT systems, removable media, unprotected interfacility connection and phishing. Link to the Vulnerabilities report [PDF] Link to the threat activity groups report [PDF] Link to the hunting and responding report [PDF]
	Siemens report: Mideast’s oil and gas sector needs readiness boost as cyber risk grows Siemens, March A recent report published by Siemens shows that the Middle East facing more and more attacks targeting Operational Technology (OT) (according to the report 30% of the attacks are targeting OT). The report gives the results of a survey on 176 individuals working in the Middle East who are responsible for overseeing the cybersecurity of their organisations. Here are some figures: “75% of organizations have suffered at least one security compromise that resulted in the loss of confidential information or disruption to operations in the OT environment over the past 12 months”; “68% of respondents say the top cyber security threat is the negligent of careless insider”; “31% of respondents say their organization’s industrial control systems” protection and security are adequate”. Link to the press release
	NERC Full Notice of Penalty regarding Unidentified Registered Entity NERC, February 28^th The North American Electric Reliability Corporation (NERC) files a Notice of Penalty of two million seven hundred thousand dollars ($ 2,700,000), in accordance with the Federal Energy Regulatory Commission (FERC), regarding noncompliance by an Unidentified Registered Entity (URE). Indeed, a third-party URE contractor failed to comply with the information protection program and copied very sensitive data, including records associated with Critical Computer Assets (CCA), from the URE environment on its own unsecured environment. While the data was on the contractor’s network, a subset of data was available online without the need to enter a username or password for a total of 70 days. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems and access to internal CCAs. Link to the article

>>Main ICS vulnerabilities

Date	CVSS v3 score	Equipment	Vulnerability	Link to the advisory
Apr. 17^th	9.8	Schneider Electric InduSoft Web Studio and InTouch Machine Edition	Stack-based Buffer Overflow	Link
Apr. 17^th	10.0	Schneider Electric Triconex Tricon	Improper Restriction of Operations within the Bounds of a Memory Buffer	Link
Apr. 17^th	9.8	Rockwell Automation Stratix Services Router	Improper Input Validation, Improper Restriction of Operations within the Bounds of a Memory Buffer, Use of Externally-Controlled Format String	Link
Apr. 17^th	9.8	Rockwell Automation Stratix and ArmorStratix Switches	Improper Input Validation, Resource Management Errors, Improper Restriction of Operations within the Bounds of a Memory Buffer, Use of Externally-Controlled Format String	Link
Apr. 17^th	9.8	Rockwell Automation Stratix Industrial Managed Ethernet Switch	Improper Input Validation, Resource Management Errors, 7PK – Errors, Improper Restriction of Operations within the Bounds of a Memory Buffer, Use of Externally-Controlled Format String	Link
Apr. 5^th	10.0	Rockwell Automation MicroLogix	Improper Authentication	Link
Apr. 3^rd	9.8	Siemens Building Technologies Products (Update A)	Stack-based Buffer Overflows, Security Features, Improper Restriction of Operations within the Bounds of a Memory Buffer, NULL Pointer Dereference, XML Entity Expansion, Heap-based Buffer Overflow, Improper Access Control	Link
Mar. 29^th	9.8	Siemens TIM 1531 IRC	Missing Authentication for Critical Function	Link
Mar. 20^th	9.8	Geutebruck IP Cameras	Improper Authentication, SQL Injection, Cross-Site Request Forgery, Improper Access Control, Server-Side Request Forgery, Cross-site Scripting	Link
Mar. 13^th	9.3	OSIsoft PI Web API	Permissions, Privileges, and Access Controls; Cross-site Scripting	Link
Mar. 1^st	9.8	Moxa OnCell G3100-HSPA Series	Reliance on Cookies without Validation and Integrity Checking, Improper Handling of Length Parameter Inconsistency, NULL Pointer Dereference	Link

>>Upcoming ICS events

Jun. 30-1	Nuit du Hack Paris, France
Jun. 18	IEEE Workshop on Smart Industries (IEEE SIW) Taormina, Italy
Jun. 15	European Maritime Cyber Risk Management Summit London, UK
May. 22-23	Annual Nuclear Industrial Control Cybersecurity and Resilience Conference (ICCS) Warrington, UK
May. 3-4	Global Cyber Security in Healthcare & Pharma Summit London, UK

Cet article Industrial Control Systems Cybersecurity News #2 – Radiology of the cybersecurity level of the healthcare sector est apparu en premier sur RiskInsight.

Industrial Control System Cybersecurity News #1 – What to remember from 2017?

Ilias Sidqui — Mon, 26 Mar 2018 16:47:21 +0000

>>Editorial: What to remember from 2017?

Industrial Control Systems (ICS) are complex systems that aim to control industrial processes. ICS can be found in several sectors: energy, nuclear, transport, chemistry… In brief these systems control many of the critical productive assets of companies or states making their compromise by adversaries a high risk on the environment or people’s lives.

Thus, the cybersecurity of these systems is crucial. Moreover, securing these systems may be challenging due to their complexity (mainly because ICS are a mix of technologies and their lifetime is longer than usual information systems’).

In order to meet our clients’ needs and answer to their future concerns, Wavestone has been conducting an ICS cybersecurity watch where every recent study, attack or incident and report regarding the security of Industrial Control Systems are studied. In 2017, more than 80 news were reported from which we can retrieve a lot of teachings.

So, what did we notice this year?

First of all, ICS had its share of attacks. However, this year’s attacks, more than the other years’, had an unusual worldwide impact. Indeed, while ICS attacks were usually localized on a device (for instance on health devices), factory (for example a cryptomining malware found in a water utility – for more information see below) or a region (Dallas emergency sirens ignition in April 2017), 2017’s attacks started locally and spread quickly impacting several production lines in the world (WannaCry and NotPetya).

During 2017, many attacks have been reported in the news. Moreover, we noticed that several national agencies, governments or political figures alerted on ongoing attacks or attempts on critical infrastructure. The sector that was the most targeted seems to be the Energy sector. Indeed, several news were reported from Turkey (in January), USA (in March, July), Baltic States (in May), UK (in July) and Ireland (in July) showing that this sector was a privileged target by hackers (state sponsored or not).

The energy sector wasn’t the only hot topic of the year, as a matter of fact, autonomous cars cybersecurity hit many times the headlines (even if that topic may or may not be considered as related to industrial control systems). This is mainly due to the fact that cars’ cybersecurity is a new market. Therefore, cybersecurity experts and researchers try to find vulnerabilities and exploits (for example vulnerability found in airbag control units), while car manufacturers launch partnerships and initiatives showing that cybersecurity is now one of their main concerns (for example GM invited ethical hackers to try and hack its cars).

Finally, the ICS cybersecurity market tends to grow as demonstrated by the several fundraisings and partnerships signed during this year. In a broader perspective, we can notice three kinds of actors in the ICS cybersecurity market:

ICS cybersecurity companies: usually small-sized companies or start-ups. They are pure-players that develop and put in the market ICS-dedicated solutions (Sentryo, CyberX, Nozomi …);
ICS vendors: we noticed last year, some vendors that conceive ICS launched partnerships with ICS cybersecurity companies to improve their systems’ security (for example Siemens-PAS partnership in September, Schneider-Claroty partnership in August);
IT security companies: these companies (well known in the IT world) tailor their solutions for industrial context. They show a growing interest for ICS by publishing reports and attack analysis (for example Kaspersky, McAfee).*

So, what is coming next?

It may be easy to say that the ICS cybersecurity will still (unfortunately) hit the headlines. Especially with alerts of attacks targeting life threatening system such as the safety instrumented systems controllers. But, we may see more and more news on specific sectors such as maritime, transport, health… that weren’t somehow as exposed in the media as the energy or nuclear sector. The ICS cybersecurity market may continue to grow especially with partnerships and acquisitions. Industrial Control Systems will continue to face new threats, challenges and changes.

>>Latest news:

	CyberX raises $18 million in series B funding to combat rising threats to IIoT and critical infrastructure, bringing total funding to $30 million (CyberX, February 27^th) CyberX announced that the company raised $18 million dollars to develop threat detection in the Industrial Internet of Things (IIoT) and critical infrastructures. The company develops a threat monitoring and risk mitigation platform that includes ICS-specific threat intelligence. Link to the press release
	*Fun with Modbus 0x5A (Security Insider, February 9th)* During the last edition of Defcon in Las Vegas, Wavestone presented its latest study regarding the ModBus protocol cybersecurity and specifically the function 90. An attacker may thanks to this function start, stop a controller or force it to send a determined output value, Link to the article
	*ICS detection challenge results (Dale Peterson, February 7th)* At the S4x18 in January, took place the ICS Detection Challenge. The 4 companies that completed the challenge are: Claroty, Gravwell, Nozomi Networks and Security Matters. The first part of the challenge consists on evaluating the ICS Detection class of 3 products which are: Claroty, Nozomi Networks and Security Matters. It was won by Claroty over Nozomi Networks and Security Matters. The competitors’ products had to detect cyber-attacks and incidents occurring on an oil&gas company. Link to the results The second part which consists in the asset detection phase was also won by Claroty even though Nozomi provided the most details in their asset inventory. Link to the results
	*Water utility in Europe hit by cryptocurrency malware mining attack (eWeek, February 7th)* The security firm Radiflow discovered a cryptocurrency mining malware in the network of a water service provider in Europe. The malware was downloaded from a malicious advertising site infecting the Human Machine Interface and then spread to the SCADA network that was still running Microsoft Windows XP OS. The malware degraded the system performance. Tough the degradation wasn’t noticed by the operators. Link to the article
	*Ukraine power distributor plans cyber defense system for $20 million (Reuters, February 6th)* Ukraine’s state-run power distributor Ukrenergo, which was a target for cyber-attacks in the past two years (December 2016 and December 2017), will invest up to $20 million in a new cyber defense system. The acting head of Ukrainian state power distributor Ukrenergo, told that the company and international consultants had identified about 20 threats that would be eliminated with the new system. The main goal of this system is to make “physically impossible for external threats to affect the Ukrainian energy system”. Link to the article
	*Increasing number of industrial systems accessible from web (study Security Week, February 2nd)* According to a new report published by Positive Technologies, the number of industrial control systems (ICS) accessible from the Internet has increased significantly during the past year. Most of vulnerabilities of these systems could be exploited remotely without needing to obtain any privileges in advance. The most common types of vulnerabilities were remote code execution (24%), information disclosure (17%), and buffer overflows (12%).Most of these systems are accessible via HTTP, followed by the Fox building automation protocol associated with Honeywell’s Niagara framework, Ethernet/IP, BACnet, and the Lantronix discovery protocol. Link to the article \| Link to the report [PDF]
	*Flaws in gas station software let hackers change prices, steal fuel, erase evidence (Motherboard, January 31st)* Security researchers were able to connect to a web interface that manages gas station thanks to Shodan (search engine of connected devices). After using the default admin login and password, and then a hardcoded username and password, the researchers were able to shut down fuel pumps, hijack credit card payments, and steal card numbers. Link to the article
	*Government warns critical industry firms to prepare for cyberattacks (Sky news, January 29th)* All companies which are involved in critical industry and essential services, such as energy, transport, water, health and digital infrastructure, have been warned by the British government that they face sanctions if they do not include cybersecurity rules in their systems.The fines come as the government implements the Network and Information Systems (NIS) Directive, which would cover events such as the WannaCry attack. Link to the article
	*Gemalto licensing tool exposes ICS, corporate systems to attacks (Security week, January 22nd)* Kaspersky Lab researchers found 14 vulnerabilities in Gemalto Sentinel LDK (software) and the associated USB Dongle (SafeNet). The USB dongle is used to activate the software. When connected, drivers are installed and the port 1947 is added to the list of exceptions in the Windows firewall. This port can be exploited to identify remotely accessible devices. Link to the article
	*SamSam ransomware hits hospitals, city councils, ICS firms (Bleeping Computer, January 19th)* Samsam ransomware hit several hospitals, city councils and an ICS firm. Hancock Health admitted paying the ransom ($55.000) even though they had backups. The Samsam ransomware spread by brute forcing RDP connections. Link to the article
	*Industrial systems scrambling to catch up with Meltdown, Spectre (The Register, January 18th)* Meltdown and Spectre vulnerabilities also had an impact on industrial control systems. Some vendors decided to publicly communicate about their vulnerable products (OSISoft for example), other vendors like Emerson and General electric keep the information only for their customers and finally some vendors are still investigating if their products are vulnerable to Meltdown and Spectre. Link to the article For more information on Meltdown and Spectre vulnerabilities, you can read this post by Wavestone on Security Insider [French]
	*Researchers find 147 vulnerabilities in 34 SCADA mobile applications (SC Magazine, January 11th)* IoActive and Embedi researchers found 147 vulnerabilities in 34 mobile applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems. The top vulnerabilities were: code tampering flaws, insecure authorization, insecure data storage… This security weaknesses could allow an attacker to compromise industrial network infrastructure by exploiting the vulnerable applications. Link to the article
	*Industrial Cybersecurity Firm Nozomi Networks Raises $15 Million (Security Week, January 10th)* Nozomi is an industrial cybersecurity firm that has recently raised $23.8 million. Nozomi’s offering which is “SCADAguardian”, consists on using machine learning and behavioral analysis to detect zero-day attacks in real-time. This technology allows rapid response to alerts by ICS incident alerting and notification systems. The company said the additional funding will be used to support worldwide expansion of marketing, sales, support and product innovation. Link to the article

>>Main ICS vulnerabilities

Date	CVSS v3	Equipment	Vulnerability	Advisory
Feb. 15^th	9.8	Nortek Linear eMerge E3 Series	Command Injection	Link
Feb. 15^th	9.8	GE D60 Line Distance Relay	Stack-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer	Link
Feb. 13^th	9.8	Wago PFC200 Series	Execution of some unauthenticated commands such as reading, writing, or deleting arbitrary files, or manipulate the PLC application during runtime.	Link
Feb. 8^th	9.9	Gemalto Sentinel License Manager	Null Pointer Dereference, Buffer Overflows, Improper Access Control.	Link
Feb. 1^st	9.8	3S-Smart Software Solutions GmbH Codesys Web Server	Stack-based Buffer Overflow.	Link
Jan. 25^th	9.8	Nari PCS-9611	Improper Input Validation.	Link
Jan. 11^th	9.8	Phoenix Contact FL Switch	Improper Authorization, Information Exposure.	Link
Jan. 9^th	9.8	General Motors and Shanghai OnStar (SOS) iOS Client.	Cleartext Storage of Sensitive Information, Man-in-the-Middle, Improper Authentication.	Link