What is S4?

A 3 day conference, dedicated to ICS cybersecurity, held in Miami South Beach and organized by Dale Peterson.

• 3 stages: the Main Stage at the Fillmore theater, stage 2 and stage 3 mainly for technical deep dives at the ELV
• the Cabana Sessions around the Surfcomber pool to network, discuss with vendors such as Dragos, Nozomi Networks, Phoenix Contact, Keysight and many others but also get a copy of the book “Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering (CCE)” signed by Andy Bochman and Sarah Freeman
• the Welcome Party at the Botanical Garden

This year, around 800 people attended the conference to create the future and Wavestone was there through my participation as both an attendee but also a speaker.

S4 actually started on April 18th with two specific events:

• The first ICS4ICS exercice (I will talk about that a bit later in this article)
• Women in ICS Security social event: more than 160 women attended the conference this year and it was great having the opportunity to meet incredible talents at a women only event; it was the first time such an event was organized at S4 and I hope not the last!

The talks started on April 19th and Dale kicked off the event with a keynote introducing this  year’s theme: No Limits!

In this article, I am going to present some of my favorite talks.

If you are interested, all videos will be released in the next weeks on S4Events YouTube channel: https://www.youtube.com/c/S4Events/videos Here is the full S4x22 video release schedule: https://s4xevents.com/wp-content/uploads/2022/04/S4x22-Video-Release-Schedule.pdf Stay tuned!

A Tale of Two (very different) Secure ICS Architectures

Speaker: Alexandrine TORRENTS, Wavestone

Well, I can’t say this is my favorite talk but I have to start with this presentation as this year was a bit special for me: first time speaker at S4.

I had the opportunity to talk on the Main Stage, right after the keynotes and talk about ICS secure architectures.

No Limits! It gave me the idea of thinking about the future of ICS network architectures.

In this presentation, I compare and contrast the requirements and corresponding secure ICS network architecture of two very different businesses within the same company: power plants and solar/wind farms.

I won’t detail the whole presentation today as I will write a more detailed article in a few weeks just in time for the release of the video on June 13th.

Interview: CISA Director Jen Easterly

Dale Peterson interviewed CISA Director Jen Easterly on the Main Stage.

The video of the interview is already available on S4Events YouTube channel: https://www.youtube.com/watch?v=xOdIUA4lWnI

I found this interview very interesting, and also very inspiring.

Jen presented CISA’s goal: understand, manage and reduce risks, as well as specific objectives for 2022-2023.

One is oriented on processes:

• Baseline goals have been defined to drive common baselines across all sectors.
• Sector specific documents will be added in the next two years.

Another one is oriented on people:

• CISA wishes to expand its ICS team and is recruiting, especially senior ICS experts.
• CISA will create an ICS JCDC workgroup (Joint Cyber Defense Collaborative) to unify defensive actions and drive down risk in advance of cyber incidents related to ICS. The workgroup will include both public and private sectors.

Jen also talked about Shields UP (https://www.cisa.gov/shields-up) . Since Russia’s invasion of Ukraine, intelligence indicates that the Russian Government is exploring options for potential cyberattacks and CISA is asking every organization to be prepared to respond to disruptive cyber incidents. They published several recommendations on their website.

This interview made me think about what could be done within the French cybersecurity agency (ANSSI) regarding ICS cybersecurity. From my understanding, the ICS expertise is spread across different business units. But what if there was a dedicated ICS cybersecurity task force driving all efforts?

Security Truth or Consequences

Speaker: Dale Peterson

Dale presented a Hard Security Truth: Cybersecurity controls at best reduce the likelihood of attack, but they do not eliminate the possibility of compromise.

Indeed, even with the best security controls implemented and the best OT security program,organizations can be defeated by human errors, configuration errors, or 0day vulnerabilities. It is not a game asset owners can win, they can only reduce the chances of losing.

But what if companies could shift to a consequence reduction mindset and maybe win the cyber risk management game?

Let’s take the example of a glass manufacturer. One of the most sensitive PLCs controls the heat of the oven. if this PLC is compromised, it could be very dangerous for the process. Of course, you can reduce the likelihood of this compromise by implementing security controls, such as network filtering for example. But what if the PLC gets compromised anyway? How could you reduce the impact and get back the control of the process as quickly as possible?

Well, do not only think about cybersecurity and focus on the business and its resiliency. Adding a manual control on the production line could do the trick and make sure the consequence of an attack would not be that important.

Well, it is not always that simple but I find it interesting to focus on consequences and find business oriented solutions to reduce cyber risks.

Dale concluded his talk by presenting his 3-step approach for consequence reduction:

• Identify high consequence event within your organization
• Determine if a cyber attack can cause that event
• If yes, find a way that it won’t

This approach looks like a safety approach, but applied to additional consequences not covered by safety, like loss of revenue.

PIPEDREAM & ICS Cyber Threat In 2022

Speaker: Rob Lee, Dragos

Rob Lee was supposed to present his ICS Cyber Treat review but with the recent news, he made a focus on Pipedream, the ICS attack toolkit/malware analyzed by Dragos: https://www.youtube.com/watch?v=H82sbIwFxt4

This toolkit has been developed by the threat group Chernovite and its capability has not been employed yet. Pipedream seems to be the most flexible ICS attack framework to date. It uses ICS-specific protocols for reconnaissance and manipulation of PLCs.

The primary targets of the toolkit include PLCs from Omron and Schneider Electric. However, pipedream capabilities could impact much more PLC vendors.

Rob presented some of these capabilities, as well as potential attack scenarios following the ICS cyber kill chain:

• EVILSCHOLAR – A capability designed to discover, access, manipulate, and disable Schneider Elctric PLCs.
• BADOMEN – A remote shell capability designed to interact with Omron software and PLCs.
• MOUSEHOLE – A scanning tool designed to use OPC UA and FINS protocols to enumerate PLCs and OT networks.
• DUSTYTUNNEL – Custom remote operational implant capability to perform host reconnaissance and command and control.
• LAZYCARGO – Drops and exploits a vulnerable ASRock driver to load an unsigned driver. Works on all Windows systems not just those with ASRock

Dragos published a full report on pipedream: https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/

What I find the most interesting in this toolkit is that it does not use a lot of CVEs, but mainly legitimate functionalities of PLCs and industrial protocols to target industrial control systems.

This toolkit was also analyzed by Mandiant, who called it Incontroller. They also made a presentation at S4 and published a detailed report of their analysis: https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool

Unpwning A Building

Speaker: Peter Panholzer, Limes Security

This presentation was pretty original as cybersecurity experts had to exploit a cybersecurity vulnerability to resolve a cybersecurity incident.

The incident: a building had a complete loss of their building automation system, using KNX devices.

The initial situation: Devices of the building were no longer operational and the vendor recommended replacing the devices (cost > 100k€).

Idea to resolve the incident: the BCU key is a security parameter used to protect the device from being modified; the BCU key was probably set on the device by the attacker. The idea was to retrieve the BCU key and reprogram the devices.

How: the cybersecurity experts asked for some samples of devices, and tried to read the key from the devices. They managed to dump the firmware of one of the devices and access the memory that was not protected. They used a sliding window and with some brute force, they managed to retrieve the key that was written in clear text in the memory.

Resolution: Fortunately (in this case), the key was the same for all devices and it could be used to reset the devices and restart the building automation system

Unprecedented Attack, Unprecedented Response – SUNBURST From The Inside

Speaker: Tim Brown, SolarWinds

You’ve all heard about the SUNBURST cyberattack on SolarWinds in December 2020.  In this presentation, Tim Brown, CISO of SolarWinds took us inside and explained how he managed this major incident in the first hours, days, weeks, and months that followed.

Besides the presentation in itself that was very good, the most interesting point for me is about the final thoughts and the fact that this incident has increased the level of transparency expected of vendors.

This event caused many changes and has brought supply chain security even more to the front of cybersecurity discussions. 

Using NTIA’s VEX to Tame the Vulnerability Tsunami

Speaker: Eric Byres, aDolus Technology

SBOM (Software Bill of Materials) was kind of trendy this year at S4. Vendors and asset owners should have a SBOM to list all components and libraries used in their products and use it in their vulnerability management process to identify patches to install.

With this, you could end up with thousands of vulnerabilities to patch. But is the vulnerability exploitable in your context?

Indeed, just because a vulnerability database references a particular software component doesn’t mean the vulnerability will actually be exploitable in every software product that includes that component. As a result, organizations can waste valuable time fruitlessly searching for and patching vulnerabilities, even though those vulnerabilities aren’t actually exploitable.

This introduces VEX (Vulnerability Exploitability eXchange), which is a security advisory profile that will be used in combination with SBOM. This profile allows software suppliers to issue a standardized, machine-readable document that states whether or not their products are “affected” by one or more known component vulnerabilities.

You can use VEX for multiple use cases:

• Multiple products to one vulnerability: what products are affected by Log4j?
• Multiple vulnerabilities to a specific product: which vulnerabilities affect the product I use?

The status of a vulnerability includes affected, not affected, fixed, or under investigation.

VEX provides a method for asset owners to focus on exploitable vulnerabilities that present the most risk.

Once you get a comprehensive list of vulnerabilities that could be exploited in your product, as an asset owner, you can use the SSVC methodology to decide what to do in your context with the vulnerability: patch now, patch during the next scheduled maintenance, defer.

Another talk was related to this subject during S4: CSAF, not SBOM, is the Solution, presented by Jens Wiesner from BSI. CSAF (Common Security Advisory Framework) is an open standard about security advisories.

Top 20 PLC Secure Coding Practices

Speakers: Vivek Ponnada, Nozomi Networks and Josh Ruff, Deloitte

The Top 20 PLC Secure Coding Practices is the result of a community effort to provide guidelines to engineers that are creating software (ladder logic, function charts etc.) to help improve the security posture of Industrial Control Systems: https://plc-security.com/

The idea came from a talk at S4x20 where Jake Brodsky asked why engineers and technicians aren’t trained to code and configure PLC’s in a secure manner, and then gave examples of what should be taught and done.

The aim of this session was to present some of the practices in detail and with concrete examples.

Below are two of the practices that were presented:

• Practice #3: Leave operational logic in PLC

While HMI visualization software provides some level of coding capabilities, this functionality should not be used for control or safety coding

The idea with this practice is to make sure that controls are performed by the PLC itself and not by the HMI. This way, if you bypass the HMI and send a request directly to the PLC, the PLC won’t automatically accept your request but will perform controls to make sure the logic makes sense.

It is similar to the OWASP recommendation in IT to implement controls on the server side and not on the client side for web applications.

• Practice #7: Validate paired inputs/outputs

When mutually exclusive paired inputs or outputs that physically cannot happen at the same time (e.g., motor start/stop, valve open/close) are asserted simultaneously, this may indicate a sensor failure or malicious activity.

The idea with this practice is to implement controls based on inputs/outputs that are linked together. For example, a compressor cannot be started and stopped at the same time. An attacker could turn on both the start and stop outputs simultaneously. To avoid that, a single output could be used to run the compressor with interlocks and delay timers.

If you already know the Top 20 PLC secure coding practices, you won’t learn anything with this presentation but I think it is a great introduction to understand the mindset behind these practices.

Something interesting as well, several talks this year were linked to PLC secure coding practices:

• PLC EDR: Model Checking of Logic
• PLC Library to Detect Abnormalities

You can find out more about these presentations, as well as others in Arnaud SOULLIE’s video on S4: https://www.youtube.com/watch?v=9XCNjmKJiTk

ICS4ICS: Results of the First Major Exercise

Speaker: Megan Samford, Schneider Electric

Like I mentioned earlier, S4 was the stage of the first ICS4ICS exercise on April 18th. ICS4ICS stands for Incident Command System for Industrial Control Systems.

Megan Samford talked at S4x20 about the fact that cyber was the only designated federal disaster type not currently using Incident Command System for its response framework.

Since 2020, a team of more than 1000 volunteers has been put together to create a global framework of cyber responders.

The Incident Command Process is based on a planning P cycle that provides a proven structured process to manage any incident with a standardized approach to organizing and executing work.

The objective of the exercise was to present this methodology as well as the structure of documents and templates that can be used to follow a cyber incident:

• Cover Sheet
• ICS-202 Incident Objectives
• IICS-203 Organization Assignment List
• ICS-204 Assignment List
• ICS-205A Communications List
• ICS-207 Incident Organization Chart
• ICS-208 Safety Message/Plan
• ICS-214 Activity Log

The goal for ICS4ICS after S4x22 is to expand its capabilities by:

• Conducting ICS4ICS exercices globally
• Offering ICS4ICS credentials and training globally
• Supporting more complex incidents

Of course, ICS4ICS is more of an organizational framework and does not give guidance about the cyber incident itself. I would be interested in the next few years to have insights on how companies actually used this framework and how it helped their ICS cyber incident response.

Finally, if you still have time, I recommend the following presentations as well:

• Cyber Conflict and International Relations
• Assessing the Balance Between Visibility and Confidentiality in ICS Network Traffic
• Inside Industroyer2 and Sandworm’s Latest Cyberattacks Against Ukraine
• The Great Debate: Cyber Insurance Will Play A Major Role In OT Risk Management
• When C-SHTF: Lessons Learned from the Front Lines in OT Incident Response

S4x22 was great! So many good talks but also (and foremostly) the opportunity to see again so many familiar faces of the ICS community and meet new people.

I already look forward to S4x23 that will take place from February 13th to February 16th, 2023. Next year, the conference will still be in Miami South Beach, but at the Loews as the Fillmore will be in renovation.

Cet article S4x22 – Write up of the ICS cybersecurity conference est apparu en premier sur RiskInsight.

In this article, we expose our vision of the market and the maturity of cybersecurity for industrial information systems (IS), as well as our convictions and analysis on the subject.

What is the state of the threat to industrial information systems?

In 2011, the cybersecurity of industrial information systems, suddenly came to the forefront with the Stuxnet attack and the discovery of a state level threat against Operational Technologies (OT). For a decade, Advanced Persistent Threats (APTs) were considered the biggest threat to industrial system security, through impressive and complex attacks, such as the series of “Black Energy” attacks against the Ukrainian power grid between 2007 and 2014, or the “Triton” attack against the safety systems of a chemical plant in Saudi Arabia in 2017.

However, the Snake/EKANS case in 2020 allows us to point out a trend that has been continuously increasing for the past few years: the appearance of ransomware in ICS. These ransomwares are the result of opportunistic attacks on vulnerable systems or are side effects of attacks targeting the corporate IS, as in the case of Colonial Pipeline in May 2021.

With the ransomware business model becoming sustainable on one hand, and the emergence of increasingly connected industrial IS on the other hand, it is realistic to expect a large increase in opportunistic attacks and ransomware side effects on industrial information systems.

Faced with an increasing threat, companies must implement cybersecurity measures on industrial systems and define coherent strategic goals, but this requires a real investment. Therefore, we have worked on listing ICS cybersecurity domains and the solutions to secure them. This radar is not exhaustive, but it aims to clarify the topic by giving a high-level vision.

Methodology

For five months, this radar was built with five experts in cybersecurity of Industrial IS, in addition to the hundred consultants of Wavestone’s industrial cybersecurity offer.

This radar has two parts (we will call them dials): one is presenting cybersecurity products specialized in industrial IS and the other is presenting the different domains of industrial IS cybersecurity, sorted by maturity level.

Industrial cybersecurity products are identified as such according to the following criteria:

•         They meet a need in the process of securing industrial information systems
•         They are adapted to an industrial environment in terms of hardware and software:

·       The hardware is rugged to withstand harsh conditions and/or has a long service life

·       Network security products consider industrial protocols

·       Terminal security products are compatible with obsolete systems.

The cybersecurity domains are also selected and evaluated based on the observations of our consultants in the field, with various customers in varied industrial domains, but in the French context.

The rest of this article highlights some of the important ICS domains, from the most mature to the most emerging. This analysis echoes and updates our 2019 publication presenting feedbacks on ICS protection and security. Indeed, if the main topics remains the same (e.g. IT/OT separation), the players and their maturity evolve quickly, bringing new issues and transforming the old ones.

Which basis should be used to secure an industrial network?

People, procedures, and resilience

The strengths and weaknesses of industrial IS and management IS are different. To implement effective cybersecurity measures in an industrial IS, one must first understand the levers already present in Industrial IS that can be useful for cyber security.

First, the operators in industrial production networks are very familiar with the processes and the usual functioning of the production system. In addition, procedures in the event of an incident are much more developed than in corporate IS. Together, these elements give a capacity to detect malfunction and to respond efficiently. A clever way to improve this resilience capacity is to add cyber incident detection procedures based on the teams’ current knowledge.

Network knowledge

Knowing your network makes it easier to secure the IS and maintain it in secure conditions by allowing risk analysis, network segmentation, vulnerability and patch management, regulatory compliance, etc.

It is possible to carry out this exhaustive inventory by hand on a regular basis, especially by using industrial maintenance tools. To go further, it is possible to automate the task with free mapping tools (Dragos CyberLens, GrassMarlin). Finally, probes (Nozomi, Claroty, Dragos, etc.) can go much further by automating the detection of anomalies on the network or even by helping with incident response.

Backup and recovery

The best resilience weapon against ransomware is the systematic and, if possible, offline backup of critical data for the production system. This practice is more and more implemented in OT systems.

However, additional conditions are necessary for backups to be truly useful. First, all the data needed for the system to function must be identified. This data can be either technical data (machine configuration for example) or business data. A risk analysis allows you to identify it efficiently. Finally, you must ensure that you are able to restore a functional system from the backups made, especially for certified systems.

What are the opportunities in 2021?

Our study has enabled us to highlight effective measures to greatly increase the security level of an industrial IS.

Segmenting your network

Network segmentation has been around for several years. However, it is still an important step in securing your industrial network. Having a segmented network allows to efficiently prevent the propagation of an attack and therefore its impact.

In addition to the use of appropriate firewalls, a network segmentation project requires competent architecture and integration teams with sufficient time and resources. Network segmentation is a balance between security and business needs. The use of new “Software Defined” network technologies allows to perform segmentation in a more agile way.

Separate the management network from the industrial network

The connection of industrial IS to corporate IS is necessary today, but it is also a vector of risk.

The solutions to be implemented depend on the criticality of the industrial network and the necessary flows between the two networks. However, a single interface between the two networks must always be favored to maintain control over this particularly critical interface.

A complete range of products exists, from firewalls to data diodes. A good practice is to assemble several of these solutions within a DMZ, to control the services that can communicate between the two networks.

Nevertheless, IT/OT separation goes far beyond the network issue discussed above. In terms of identity, the separation of the Active Directory (AD) between the management network and the industrial network must also be addressed. From a security perspective, it is best, if the resources are available, to separate these two ADs to avoid the spread of attacks. However, the ADs can also be linked by closely controlling authorized flows and/or providing remediation if one of the two ADs is compromised.

Identify network users

A particularity of identity management in ICS is the strong presence of shared workstations. In this situation, an adapted solution must allow several users to work on the same machine in an authenticated way, thus allowing to identify the actions of each one.

In this case, the model where each user has his own Windows session is not adapted. A possible solution is to set up a generic Windows session on which the user authenticates himself in a simple and fast way thanks to a badge and a Fast Switching software.

What are the next major cybersecurity projects for industrial IS?

SOC

Several Managed Security Services Providers (MSSP) are starting to propose ICS specialized Security Operation Centers (SOC). However, these SOCs should not be considered as miracle solutions: it is above all by knowing your business and all its particularities that the SOC can be effective.

A key aspect when setting up an industrial SOC is to clearly define a scope that is correlated with the cyber maturity of the IS. In an industrial cyber SOC, only cyber incidents should be dealt with, without considering purely operational events, which are already handled by the supervision system.

Third party security

Supply chain management, both in IT and OT, is becoming one of the most important cyber topics. REvil’s attack on Kayesa and its customers in July 2021 gives an idea of the possibilities of a supply chain attack: the attacks reach a new scale and can affect hundreds or even thousands of organizations at once. Obviously, industrial IS also involves third parties and are therefore not immune. For example, the compromise of a PLC vendor could impact numerous customers.

Third party attacks can take different forms, including the following examples:

•          Access to the IS by using a software update with a trojan inside
•          Theft of data stored by a third party
•          Access to the IS via a remote access, for example used by the third party to perform maintenance

Protecting oneself from supply chain attacks is particularly complex. However, tools exist. First, it is essential to know your supply chain and the risk related to each third party. Third parties at risk can then be subject to measures to reduce the chances of compromise such as a Security Assurance Plan (SAP) or regular audits.

Remote access to the IS can be controlled by using Bastions or privileged access management (PAM) solutions, which monitor all actions made by the third party and finely manage their rights. However, this solution can become a constraint for the user, therefore it is advised to focus on the user’s needs to propose the most relevant solutio.

Cloud

Still mainly confined to secondary functions such as inventory and supply management, the cloud is gradually making its way into industrial IS with the development of Industry 4.0. By doing so, it allows, for example, global IoT terminals management in production sites or optimizing server sizing.

But this change also raises security issues. Some of these issues have already been addressed with the democratization of the cloud in management information systems, but others have yet to be resolved. How to manage the security of IoT devices? How can cloud systems be integrated into critical environments, which are highly regulated? Who stores the data and what regulations apply?

Cet article What are the trends and challenges in industrial cybersecurity in 2021? est apparu en premier sur RiskInsight.

Industrial networks also called ‘OT’ (Operating Technology) or ‘Production Networks’ include: production networks in factories, test benches, research laboratories or embedded networks in technological products: trains, cars, planes, etc.

USB flash drives, the real swiss army knives of industrial it, are proving to be formidable vectors for cyber attacks

Particularly vulnerable industrial networks

Industrial systems have long service lifecycles lasting for several decades. These service lifecycles are much longer than those in traditional IT and often lead to problems of hardware or software degradation. These legacy systems are then no longer maintained by their suppliers as they stop publishing security updates for them. Maintaining their security is therefore complex or even impossible.

Even when updates are published, there are issues. For example, they require a maintenance window which can have an operational impact. In some cases, it may also be necessary to requalify the system or perform technical and functional testing before restarting.

In addition, system standardisation has become the norm. Windows or Linux operating systems are commonly found with fewer security patches and therefore may be more easily exploited by computer viruses.

The degradation of industrial systems, the difficulty of maintaining them in a secure state and their standardisation make them increasingly vulnerable to cyber threats. However, it is still necessary to access the industrial network to exploit these vulnerabilities, as they are historically less exposed….

These vulnerabilities are regularly exploited using removable media as a vector

Removable media is often used as a bridge between the internal office network or an external network and the industrial network. For example:

• USB storage devices can be used to deploy configurations or patches on disconnected systems. These configuration files or patches come from workstations that have an internet connection via the company network. These workstations are exposed to cyber threats, and as a result so are the USB storage devices, and through them, the disconnected systems.
• Many service providers operating on the industrial network use USB sticks to deliver configuration files, debugging tools and other software. The multitude of subcontractors means there are many data exchanges from uncontrolled networks to industrial networks, each potentially representing a threat vector that can be exploited.

These exchanges expose the industrial network to several types of threats:

• There are many viruses designed to exploit Windows vulnerabilities by spreading through removable media. One of the best-known ones is the Conficker virus, which exploits the automatic task launch mechanism of removable media and thus manages to automatically launch a virus or viral payload when the media is connected. Once a computer is infected, it can spread to other hosts through the network.
• The original intended use of storage devices can also be maliciously changed; this type of attack is called a “Bad USB”. Rubber Ducky is an example: it makes a USB key look like an input device such as a keyboard, and then launches commands when connected to a computer.
• When connected to a computer, USB killers, which look like ordinary USB sticks, store energy until they reach a high voltage, they then release this energy into the host computer to destroy its physical components.

However, the use of these removable media devices is difficult to circumvent

Removable media has several common uses such as data storage, backup, transfer or information sharing.

These different use cases have gradually emerged, often at the ingenuity of users without any real supervision from the IT department or the business. When we study these different scenarios, we can classify them into two categories:

• Those that can be easily removed by offering either a more secure alternative or an improved way of working. For example, with two industrial networks connected to each other, the implementation of a file sharing space on the network can replace a direct exchange by removable media.
• Those that could be eliminated with major investment or be very difficult to remove immediately. For example, using an isolated network to install a new computer whereby the deployment of a master image by USB can be difficult to replace.

It is difficult to do without removable media entirely, but their use remains problematic. Faced with these threats, solutions are beginning to emerge.

Multiple technical solutions exist but provide only a partial solution

A myriad of increasingly available technical solutions

There are different technical solutions for controlling the content or use of removable media. They can be categorised into several families of solutions:

• Decontamination terminals or boxes, using one or more antivirus databases, allow us to analyse the USB key content, and if necessary, (re)format or quarantine files if they are considered malicious. Several manufacturers offer this type of solution, including KUB, HOGO, Orange and SOTERIA.
• More complex ones can issue a certificate to the key after it has gone through the decontamination terminal. This certificate validates (to the host) that the key has been scanned. This requires that an agent is deployed on all workstations to enable certificate authentication. OPSWAT and FACTORY Systems are among the manufacturers. Previously mentioned KUB, also offers this more complex option on these boxes.
• Lastly, there is a solution to group the devices that are used as filters, effectively acting as security airlocks between the host and the removable media. This is a small piece of equipment, connected directly to the USB port of the host on one side, and to the USB key on the other side. Its operation is based on white-list filtering and/or blocking writing from the workstation to the removable media. SECLAB is an example of a manufacturer for this solution.

Since all solution offers have different characteristics, it is necessary to identify the one that best meets the security requirements and constraints of the user.

These technical solutions create additional steps and require time, which may hinder their adoption

Depending on the technical solution, the cleansing of removable media is a step that can be time-consuming.  For example, if the key contains lots of small files that must all be checked, the processing time will increase. This task is also highly dependent on the performance of the media being tested.

Additionally, a problem of sizing the terminal arises if the removable media is used to push several large updates (Microsoft for example) or even a complete WSUS database (Windows Server Update Services) between 2 networks (this can reach a 100GB of data). If this time is not controlled and limited, removable media users will stay clear of this technology.

Difficult access also discourages users. In the industrial sector, there are many constraints depending on where users are located. A change of area may require a change of protective equipment, clothing or special controls. Insufficient equipment could lead to the same accessibility problem.

It is necessary to place the right equipment where decontamination is taking place or is unavoidable (reception, security office), and to find the right compromise between the different implementation of solutions: e.g. a solution applied centrally (terminal) vs. distributed (box or filter).

These technical solutions often require maintenance in operational condition (MOC) and maintenance in safety condition (MSC) which must not be neglected

To properly function, the technical solutions must be maintained by updating them, updating their viral databases for when the solution integrates an anti-virus, updating the filtering rules, as well the certificate database for more complex systems. It is also useful to be able to issue reports and alerts when the tool permits.

For this purpose, the decontamination terminals require several types of access:

• antivirus updates on servers;
• internal operating system updates on servers;
• the supervision network for issuing reports and alerts;
• Sometimes to a dedicated server that will manage the certificate database and centralise administration.

These terminals can therefore be integrated into a more, or less complex architecture as required.

Decontamination terminals are equipped with an operating system and often standard applications, hence the importance of hardening their configurations so they themselves are not the victim of an attack.

It is necessary to conduct a study on the possible technical solutions by putting into perspective the reliability, utility, efficiency and cost of each option. Similarly, it is essential to review the governance of these facilities, which are at the crossroads between the management information system and the industrial information system. This should avoid problems of underestimating the implementation of these solutions and stop users turning away from the chosen solution.

The protection of industrial systems against USB-related threats requires a careful choice of technical solution and availability for users. Without this and without awareness of the cybersecurity issues, systems are exposed, and the impacts of an attack can be significant.

These tools must be the subject of a full project: from the consideration of use cases and change management

The use cases must be known to decide between the different solutions or even eliminate the use of the removable media

Before proposing a technical solution, the first question to ask yourself is why do we need to use the removable media? To answer this question, you must list all the different use cases.

In each case, it must be determined whether their use is appropriate and whether there is no more effective and/or safe alternative. Here are some examples of commonly encountered situations for which alternative solutions exist:

• If a USB key is used as storage for config. files, then a centralised solution or at least storage on suitable equipment can be used.
• In the case of media being used between two devices that are connected to a network, the implementation of an exchange server, for example using a secure protocol such as SFTP, can be considered.
• For maintenance teams working on connected systems that use removable media to update configuration files, an MFT (Managed File Transfer) exchange gateway with antivirus control can be used. This application ensures the safety of a file from an external source before making it available internally. A third-party solution would be able to make secure removable media available to staff or maintenance teams by only allowing editing of media from workstations.

In the remaining cases, an appropriate solution should be considered. The solution should be presented to users and its interest explained. For better adoption, it should have as little influence as possible on the pre-existing business process, and as a minimum, it should not lead to an excessive workload or time commitment.

In addition to being integrated with the business use case, the technical solution must meet the intended security objectives

2 selection criteria must be taken into account when deploying a removable media security solution: the business use case and the security objectives targeted.

The security objectives are often the same: check that a storage device is genuinely a storage device (i.e. not a “Bad USB”) and check that it does not contain a virus or viral payload. These 2 objectives are covered by most solutions on the market.

It is therefore the business use case that will influence the ergonomics of the chosen solution:

• A fixed monobloc terminal integrates well into the entrance of an area reserved for operations such as a laboratory or workshop. On the other hand, a tablet will be much more mobile and can be used in several situations.
• A certificate solution requiring an equipment agent on standard workstations without specific qualifications will not be difficult but can be problematic in qualified or already obsolete environments.
• Mobiles always need a way to control; a filter solution can be considered for this.

Once the type of solution has been chosen, the possibilities of integrating the solution into the existing ecosystem with proposed security measures will make it easier to select the most appropriate one.

The chosen solution must integrate administration and incident reporting functions while guaranteeing an appropriate level of security

The chosen tool must be easily manageable and have a centralised administration function if there is a significant number of facilities being planned. It is also necessary that the following elements of the solution can be updated: the operating system, the embedded applications, antivirus applications, and the signature databases.

These features mean that the solution will need a connection to the administration network and an external connection to retrieve these updates. These connections must be secure, and the update server systematically identified.

In addition, it is necessary to take precautions to ensure that the solution has been hardened and that only the useful functions are available, especially at the operating system level. It would be pointless if the key decontamination tool itself was the vector of key contamination!

Finally, it is preferable that the generated reports and event logs can be sent in a standard Syslog format, centralised and also analysed by an existing SIEM to detect and track any suspicious activities.

In conclusion, the implementation must be approved by the people who will actually use the terminal every day

There are many technical solutions that, by analysing and decontaminating these devices, can reduce exposure by removable media in industrial networks. There are 2 success factors for good implementation:

• A solution designed for business use cases with end users in mind; and
• A solution where administrative factors, the update process and security aspects have been considered upstream.

In addition to these, there is a 3^rd success factor: change management, which must ensure that the new tool is properly integrated into existing processes with appropriate communication to end users.

It is necessary to formalise a procedure in case there is a virus or any other abnormality. Detecting is ultimately only the first step towards an appropriate response.

Cet article Removable media decontamination tools – success factors for effective security gain and successful deployment est apparu en premier sur RiskInsight.

Last year, the National Health Service England (NHS) faced its most important cybersecurity crisis due to the Wannacry ransomware attack. In October 2017, the National Audit Office (NAO) published a report showing that at least 34% of trusts in England were disrupted, and around 19,494 patient appointments canceled including canceled patient operations. This was mainly due to the fact that the information system managing the appointments, the patients’ records or test results were infected by the ransomware.

However, the report points out that medical devices such as MRI scanners (that have Windows XP embedded within them) were also locked by the ransomware. Only 1,220 devices were infected representing 1% of the overall amount, because several equipments were disconnected to avoid the ransomware propagation. So why the healthcare sector suffered from such an attack and how come the ransomware spread that easily?

Healthcare cybersecurity: Low maturity level

The NAO report highlighted the challenges that the NHS had to face to tackle the attack. These challenges seem similar to the ones that several industries and manufacturers have been facing showing that an analogy of the healthcare information systems and the industrial control systems (ICS) have the same weaknesses.

Indeed, both ICS and Health Information Systems (HIS)face the same cybersecurity challenges, among them:

• The wide use of legacy devices and operating systems (such as Windows XP);
• The length of the window of exposure of these systems (the window of exposure is the time between the vulnerability disclosure and the patching of the system): the vendors support or the quality guidelines and regulations may represent obstacles for a fast patching (a recent survey conducted on 3000 security professionals working for healthcare and pharmaceutical organizations, show that 57% of the respondents had experienced at least a data breach which was conducted after the exploitation of a vulnerability for which a patch had been previously released);
• Critical and unsecure devices directly connected to the Internet exposing the medical network. For example, McAfee published a report explaining how they exploited an unsecure and connected Picture Archiving and Communication System (PACS – device that stores and shares images coming from imaging devices such as scanners) to use personal medical data;
• Lack of security by design: several organizations and researchers have been alerting on several flows affecting medical devices such as pacemakers (Cyber-flaw affects 745,000 pacemakers – BBC), insulin pumps (J&J warns diabetic patients: Insulin pump vulnerable to hacking – Reuters) or infusion pumps (Black hat conference [PDF])

A growing threat on the healthcare sector

The low cybersecurity maturity level of the healthcare sector combined with the continuous interest of some actors on personal data or life threatening made the threat skyrocket these past few years. Indeed, several cybersecurity companies have been alerting on a growing number of cyber threat actors who are targeting healthcare sector, for example:

• In the last newsletter was reported that a US hospital was hit by Samsam ransomware in January 2018. Samsam is only one of the numerous ransomware that targeted hospitals among them Locky;
• In March 2018, Kaspersky researchers discovered that a Chinese-speaking group used PlugX malware (remote access tool which has been used previously by several groups since 2012) in pharmaceutical organizations for stealing information;
• In April 2018, Symantec identified a new attack group named Orangeworm. This group has been targeting healthcare sector companies (equipments manufactures, pharmaceutical, health organizations) for several years. Orangeworm has been using a backdoor called Kwampirs which collects data in the infected systems. This malware propagates easily in Windows XP devices.

Protecting against

In order to curb the number of security incidents in the healthcare sector, several measures can be, and in some cases have already been, implemented among them:

• Design of a global cybersecurity governance by implementing a cybersecurity policy;
• Conduction of awareness campaigns towards the hospital staff on the cybersecurity threats;
• Implementation of patch management procedure in order to reduce the window of exposure of the system (a combined work with the vendors and the regulation organizations may be required so the patching covers the largest amount of device as possible);
• Network segregation into several levels of protection matching the level of criticality (medical devices should be highly protected).

Several governmental agencies and institutions have been publishing reports and guidelines in order to help healthcare organizations and the medical devices suppliers in securing their network or providing more secure medical devices. You will find here after some of the documents:

• Cyber security and resilience for Smart Hospitals – ENISA
• Security and Resilience in eHealth Infrastructures and Services – ENISA
• Guide Pratique : Règles pour les dispositifs connectés d’un Système d’Information de Santé – Agence des systèmes d’information partagés de santé [PDF]
• Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software” – FDA
• The U.S Food & Drug Administration released its Medical Device Safety Action Plan in April 2018

>>Latest news

	Aerial tramway with security holes Golem.de, April 19th Two white hackers found the control system of a new aerial tramway in the internet without any security measures. According to them, the commands were sent unencrypted, the authentication wasn’t provided and the web application was vulnerable to cross-site scritping and HTTP header injection attacks. Link to the article
	Patch Plugs More Than a Dozen Vulnerabilities Affecting Industrial Secure Router Series Tripwire, April 16th Cisco Talos published a report revealing several vulnerabilities affecting the Moxa EDR-810 industrial secure router with firewall/NAT/VPN and manager layer 2 switch functions. This router sets perimetric security for critical assets such as pumping/treatment systems in water stations, Distributed Control Systems (DCS) in oil and gas stations … Many of the flaws received a CVSS score of 8.8. Moxa released an updated version of the firmware. Link to the article
	Advisory: Hostile state actors compromising UK organisations with focus on engineering and industrial control companies NCSC, April 5th The National Cyber Security Centre (NCSC) published an advisory revealing that several ongoing attacks have been targeting mainly engineering and industrial control companies since March 2017. The attacks are involving the harvesting of credentials using strategic web compromises and spear-phishing. The advisory also refers to the Department of Homeland Security (DHS) and FBI joint Technical Alert (see below for more information). Link to the advisory
	Sentryo Provides Anomaly Detection Technology to Siemens to Address the Cybersecurity Challenges of industrial infrastructures Sentryo, April Siemens and Sentryo signed an agreement in which Siemens AG will provide Sentryo ICS CyberVision solution to its clients among Siemens products and services. Sentryo’s solution is an asset management and anomaly detection tool designed for Industrial Control Systems. Link to the press release [FR][PDF]
	ISA announces newly published ISA/IEC 62443-4-1-2018 security standard Automation.com, March 28th The international Society of Automation released the Part 4-1 of the ISA/IEC 62443 standard. This part tackles the Product Security Development Life-Cycle Requirements. “It defines a secure development life-cycle for developing and maintaining secure products.” This includes several concepts such as security by design, patch management and product end-of-life. Link to the article
	Schneider Electric Launches Cybersecurity Virtual Academy ISS Source, March 27th Schneider Electric launched the Cybersecurity Virtual Academy which is a website that provides several materials to raise the awareness of the cybersecurity risks in the industrial control systems. Link to the article
	Threat landscape for industrial automation systems in H2 2017 Kaspersky lab, March 26th Kaspersky has published a report on the threat landscape over the industrial control systems during the second semester of 2017. In the report, Kaspersky analyses the vulnerabilities discovered by the ICS-CERT and the ones identified by Kaspersky Lab ICS Cert. Here are some figures given in the report: 322 vulnerabilities were identified by ICS-CERT and more than 50% of them are impacting the energy sector; 3,3% of industrial automation system computers were attacked by cryptocurrency mining programs during the period from February 2017 to January 2018; 10,8% of all ICS systems were attacked by botnet agents during 2017. The mains sources of botnet agent attacks on ICS systems in 2017 were internet, removable media and email messages; The Kaspersky figures show also a certain decrease on the number of attacks on ICS systems between 2016 and 2017. This can be explained by the fact that more and more companies are training their employees and began implementing simple cybersecurity measures. Link to the report
	Draft NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems NIST, March 21st The National Institute of Standards and Technology (NIST) released a public draft of the NIST SP 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the engineering of Trustworthy Secure Systems. This document aims to provide guidelines to organizations on how to apply cyber resiliency concepts during the engineering of systems. These guidelines may be applied on new systems, modification of systems, Critical infrastructure systems … Link to the release | Link to the document [PDF]
	Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors US-CERT, March 15th The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published a joint Technical Alert in which give details on how the Russian government targeted several American organizations operating in the energy, nuclear, water, commercial facilities aviation and critical manufacturing sectors (DHS and FBI have already warned about this threat in another alert published in October). The alert analyzed the attacks using the Lockheed Cyber Kill Chain (stage1:reconnaissance, stage 2: weaponization, stage 3: delivery, stage 4: exploitation, stage 5: installation, stage 6: command & control, stage 7: actions and objectives). The threat actors after gaining access to their victims information system, they conducted reconnaissance operations within the network. They mainly focused on identifying and browsing file servers. They viewed information and files regarding Industrial Control Systems (ICS) or Supervisory Control And Data Acquisition (SCADA) systems. Link to the alert
	‘Cyber event’ disrupts power in Mich. – but don’t blame hackers E&E News, March 8th An employee of a public utility that provides electricity in Michigan (Consumers Energy) inadvertently cut the electricity to about 15000 consumers. During an “internal testing” the employee overstepped his authority in a control center leading to the outage. The utility the event as a “cyber event” and reported it to the department of Energy even tought the outage had nothing to do with a malware or cyber attack. Since the event, the company adjusted the access controls. Link to the news
	A Qualitative View of 2017 Across vulnerabilities, threats, and lessons learned in hunting and incident response Dragos, March Dragos published 3 reports in which they reveal their findings and analysis regarding the industrial control systems vulnerabilities during 2017, the industrial threat landscape incident response and hunting lessons. Some of the results of these reports are the following:  “64% of 2017 ICS-related vulnerability patches don’t fully eliminate the risk because the components were insecure by design”; 5 activity groups are working on developing tools and malwares (as Crashoverride that attacked the Ukrainian electric grid in 2016); The main infection vectors are: unprotected interconnectivity with IT systems, removable media, unprotected interfacility connection and phishing. Link to the Vulnerabilities report [PDF] Link to the threat activity groups report [PDF] Link to the hunting and responding report [PDF]
	Siemens report: Mideast’s oil and gas sector needs readiness boost as cyber risk grows Siemens, March A recent report published by Siemens shows that the Middle East facing more and more attacks targeting Operational Technology (OT) (according to the report 30% of the attacks are targeting OT). The report gives the results of a survey on 176 individuals working in the Middle East who are responsible for overseeing the cybersecurity of their organisations. Here are some figures: “75% of organizations have suffered at least one security compromise that resulted in the loss of confidential information or disruption to operations in the OT environment over the past 12 months”; “68% of respondents say the top cyber security threat is the negligent of careless insider”; “31% of respondents say their organization’s industrial control systems” protection and security are adequate”. Link to the press release
	NERC Full Notice of Penalty regarding Unidentified Registered Entity NERC, February 28th The North American Electric Reliability Corporation (NERC) files a Notice of Penalty of two million seven hundred thousand dollars ($ 2,700,000), in accordance with the Federal Energy Regulatory Commission (FERC), regarding noncompliance by an Unidentified Registered Entity (URE). Indeed, a third-party URE contractor failed to comply with the information protection program and copied very sensitive data, including records associated with Critical Computer Assets (CCA), from the URE environment on its own unsecured environment. While the data was on the contractor’s network, a subset of data was available online without the need to enter a username or password for a total of 70 days. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems and access to internal CCAs. Link to the article

>>Main ICS vulnerabilities

>>Upcoming ICS events

Jun. 30-1	Nuit du Hack Paris, France
Jun. 18	IEEE Workshop on Smart Industries (IEEE SIW) Taormina, Italy
Jun. 15	European Maritime Cyber Risk Management Summit London, UK
May. 22-23	Annual Nuclear Industrial Control Cybersecurity and Resilience Conference (ICCS) Warrington, UK
May. 3-4	Global Cyber Security in Healthcare & Pharma Summit London, UK

Cet article Industrial Control Systems Cybersecurity News #2 – Radiology of the cybersecurity level of the healthcare sector est apparu en premier sur RiskInsight.

Industrial Control Systems (ICS) are complex systems that aim to control industrial processes. ICS can be found in several sectors: energy, nuclear, transport, chemistry… In brief these systems control many of the critical productive assets of companies or states making their compromise by adversaries a high risk on the environment or people’s lives.

Thus, the cybersecurity of these systems is crucial. Moreover, securing these systems may be challenging due to their complexity (mainly because ICS are a mix of technologies and their lifetime is longer than usual information systems’).

In order to meet our clients’ needs and answer to their future concerns, Wavestone has been conducting an ICS cybersecurity watch where every recent study, attack or incident and report regarding the security of Industrial Control Systems are studied. In 2017, more than 80 news were reported from which we can retrieve a lot of teachings.

So, what did we notice this year?

First of all, ICS had its share of attacks. However, this year’s attacks, more than the other years’, had an unusual worldwide impact. Indeed, while ICS attacks were usually localized on a device (for instance on health devices), factory (for example a cryptomining malware found in a water utility – for more information see below) or a region (Dallas emergency sirens ignition in April 2017), 2017’s attacks started locally and spread quickly impacting several production lines in the world (WannaCry and NotPetya).

During 2017, many attacks have been reported in the news. Moreover, we noticed that several national agencies, governments or political figures alerted on ongoing attacks or attempts on critical infrastructure. The sector that was the most targeted seems to be the Energy sector. Indeed, several news were reported from Turkey (in January), USA (in March, July), Baltic States (in May), UK (in July) and Ireland (in July) showing that this sector was a privileged target by hackers (state sponsored or not).

The energy sector wasn’t the only hot topic of the year, as a matter of fact, autonomous cars cybersecurity hit many times the headlines (even if that topic may or may not be considered as related to industrial control systems). This is mainly due to the fact that cars’ cybersecurity is a new market. Therefore, cybersecurity experts and researchers try to find vulnerabilities and exploits (for example vulnerability found in airbag control units), while car manufacturers launch partnerships and initiatives showing that cybersecurity is now one of their main concerns (for example GM invited ethical hackers to try and hack its cars).

Finally, the ICS cybersecurity market tends to grow as demonstrated by the several fundraisings and partnerships signed during this year. In a broader perspective, we can notice three kinds of actors in the ICS cybersecurity market:

• ICS cybersecurity companies: usually small-sized companies or start-ups. They are pure-players that develop and put in the market ICS-dedicated solutions (Sentryo, CyberX, Nozomi …);
• ICS vendors: we noticed last year, some vendors that conceive ICS launched partnerships with ICS cybersecurity companies to improve their systems’ security (for example Siemens-PAS partnership in September, Schneider-Claroty partnership in August);
• IT security companies: these companies (well known in the IT world) tailor their solutions for industrial context. They show a growing interest for ICS by publishing reports and attack analysis (for example Kaspersky, McAfee).*

So, what is coming next?

It may be easy to say that the ICS cybersecurity will still (unfortunately) hit the headlines. Especially with alerts of attacks targeting life threatening system such as the safety instrumented systems controllers. But, we may see more and more news on specific sectors such as maritime, transport, health… that weren’t somehow as exposed in the media as the energy or nuclear sector. The ICS cybersecurity market may continue to grow especially with partnerships and acquisitions. Industrial Control Systems will continue to face new threats, challenges and changes.

>>Latest news:

	CyberX raises $18 million in series B funding to combat rising threats to IIoT and critical infrastructure, bringing total funding to $30 million (CyberX, February 27th) CyberX announced that the company raised $18 million dollars to develop threat detection in the Industrial Internet of Things (IIoT) and critical infrastructures. The company develops a threat monitoring and risk mitigation platform that includes ICS-specific threat intelligence. Link to the press release
	Fun with Modbus 0x5A (Security Insider, February 9th) During the last edition of Defcon in Las Vegas, Wavestone presented its latest study regarding the ModBus protocol cybersecurity and specifically the function 90. An attacker may thanks to this function start, stop a controller or force it to send a determined output value,  Link to the article
	ICS detection challenge results (Dale Peterson, February 7th) At the S4x18 in January, took place the ICS Detection Challenge. The 4 companies that completed the challenge are: Claroty, Gravwell, Nozomi Networks and Security Matters. The first part of the challenge consists on evaluating the ICS Detection class of 3 products which are: Claroty, Nozomi Networks and Security Matters. It was won by Claroty over Nozomi Networks and Security Matters. The competitors’ products had to detect cyber-attacks and incidents occurring on an oil&gas company. Link to the results The second part which consists in the asset detection phase was also won by Claroty even though Nozomi provided the most details in their asset inventory. Link to the results
	Water utility in Europe hit by cryptocurrency malware mining attack (eWeek, February 7th) The security firm Radiflow discovered a cryptocurrency mining malware in the network of a water service provider in Europe. The malware was downloaded from a malicious advertising site infecting the Human Machine Interface and then spread to the SCADA network that was still running Microsoft Windows XP OS. The malware degraded the system performance. Tough the degradation wasn’t noticed by the operators. Link to the article
	Ukraine power distributor plans cyber defense system for $20 million (Reuters, February 6th) Ukraine’s state-run power distributor Ukrenergo, which was a target for cyber-attacks in the past two years (December 2016 and December 2017), will invest up to $20 million in a new cyber defense system. The acting head of Ukrainian state power distributor Ukrenergo, told that the company and international consultants had identified about 20 threats that would be eliminated with the new system. The main goal of this system is to make “physically impossible for external threats to affect the Ukrainian energy system”. Link to the article
	Increasing number of industrial systems accessible from web (study Security Week, February 2nd) According to a new report published by Positive Technologies, the number of industrial control systems (ICS) accessible from the Internet has increased significantly during the past year. Most of vulnerabilities of these systems could be exploited remotely without needing to obtain any privileges in advance. The most common types of vulnerabilities were remote code execution (24%), information disclosure (17%), and buffer overflows (12%).Most of these systems are accessible via HTTP, followed by the Fox building automation protocol associated with Honeywell’s Niagara framework, Ethernet/IP, BACnet, and the Lantronix discovery protocol. Link to the article | Link to the report [PDF]
	Flaws in gas station software let hackers change prices, steal fuel, erase evidence (Motherboard, January 31st) Security researchers were able to connect to a web interface that manages gas station thanks to Shodan (search engine of connected devices). After using the default admin login and password, and then a hardcoded username and password, the researchers were able to shut down fuel pumps, hijack credit card payments, and steal card numbers. Link to the article
	Government warns critical industry firms to prepare for cyberattacks (Sky news, January 29th) All companies which are involved in critical industry and essential services, such as energy, transport, water, health and digital infrastructure, have been warned by the British government that they face sanctions if they do not include cybersecurity rules in their systems.The fines come as the government implements the Network and Information Systems (NIS) Directive, which would cover events such as the WannaCry attack. Link to the article
	Gemalto licensing tool exposes ICS, corporate systems to attacks (Security week, January 22nd) Kaspersky Lab researchers found 14 vulnerabilities in Gemalto Sentinel LDK (software) and the associated USB Dongle (SafeNet). The USB dongle is used to activate the software. When connected, drivers are installed and the port 1947 is added to the list of exceptions in the Windows firewall. This port can be exploited to identify remotely accessible devices. Link to the article
	SamSam ransomware hits hospitals, city councils, ICS firms (Bleeping Computer, January 19th) Samsam ransomware hit several hospitals, city councils and an ICS firm. Hancock Health admitted paying the ransom ($55.000) even though they had backups. The Samsam ransomware spread by brute forcing RDP connections. Link to the article
	Industrial systems scrambling to catch up with Meltdown, Spectre (The Register, January 18th) Meltdown and Spectre vulnerabilities also had an impact on industrial control systems. Some vendors decided to publicly communicate about their vulnerable products (OSISoft for example), other vendors like Emerson and General electric keep the information only for their customers and finally some vendors are still investigating if their products are vulnerable to Meltdown and Spectre. Link to the article For more information on Meltdown and Spectre vulnerabilities, you can read this post by Wavestone on Security Insider [French]
	Researchers find 147 vulnerabilities in 34 SCADA mobile applications (SC Magazine, January 11th) IoActive and Embedi researchers found 147 vulnerabilities in 34 mobile applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems. The top vulnerabilities were: code tampering flaws, insecure authorization, insecure data storage… This security weaknesses could allow an attacker to compromise industrial network infrastructure by exploiting the vulnerable applications. Link to the article
	Industrial Cybersecurity Firm Nozomi Networks Raises $15 Million (Security Week, January 10th) Nozomi is an industrial cybersecurity firm that has recently raised $23.8 million. Nozomi’s offering which is “SCADAguardian”, consists on using machine learning and behavioral analysis to detect zero-day attacks in real-time. This technology allows rapid response to alerts by ICS incident alerting and notification systems. The company said the additional funding will be used to support worldwide expansion of marketing, sales, support and product innovation. Link to the article

>>Main ICS vulnerabilities

>>Recent and upcoming ICS events

Apr. 24-26	ICS Cyber security London, UK
Apr. 24-26	Industrial control systems (ICS) Cyber Security Conference Singapore
Apr. 9-10	Cyber Security for critical assets MENA Dubai, UAE
Mar. 27-29	Cyber Security for Energy & Utilities Abu Dhabi, UAE
Mar. 13-14	Maritime Cyber Security London, U.K
Mar. 6-7	Cyber Security for critical assets USA Houston, USA

Cet article Industrial Control System Cybersecurity News #1 – What to remember from 2017? est apparu en premier sur RiskInsight.