- ICS -

Last update 01.10.2017 20:30:24

A silver bullet for the attacker
23.1.2018 Kaspersky  ICS
In recent years, the problem of vulnerabilities in industrial automation systems has become increasingly important. The main source of ICS security problems is probably that industrial control systems developed in parallel with IT systems, relatively independently and often without regard for modern secure coding practices. As a result, numerous custom solutions have appeared, including proprietary network protocols and algorithms for authentication and encryption. These solutions have been the main source of the threats discovered by ICS security researchers. At the same time, industrial automation systems also inherit problems from common technologies (examples include the CodeSys Runtime, Microsoft Windows vulnerabilities, etc.).

Companies attach different priority levels to such problems and the risks associated with them. Everyone agrees that vulnerability information should not be disclosed before a patch is released. However, many companies believe that this information should not be published even after a patch is available. For software developers, disclosure is always a blow to their reputation. And companies that use vulnerable systems are not always able to install a patch, or installation may involve significant costs (interrupted operation of the systems being updated, the cost of the update work itself, etc.).

We assess risks based on our experience as a developer and supplier of security systems. We are convinced that it is absolutely essential to inform users of vulnerable software about a new threat and about the need to update their software as soon as possible. This certainly does not guarantee that all users of vulnerable systems will promptly update them and the threat will go away. However, in our experience, if this is not done very few users update their systems in a timely manner, even when patches are available. We confront hundreds of thousands of new threats every day and we can see that threat actors are constantly looking for new attack opportunities. We realize that by keeping silent about problems we give those threat actors a chance.

This is why we decided to share information on one of our discoveries: according to our research, connecting a software license management token to a computer may open a hidden remote access channel for an attacker.

Why we decided to analyze SafeNet Sentinel
While performing various penetration tests, Kaspersky Lab ICS CERT experts repeatedly encountered the same service on the computers of customers who used software and hardware solutions by different industrial vendors. The experts didn’t attach much importance to it until it was found to be vulnerable. The service was hasplms.exe, which is part of the SafeNet Sentinel hardware-based solution by Gemalto. The solution provides license control for software used by customers and is widely used in ICS and IT systems.

The solution’s software part consists of a driver, a web application and a set of other software components. The hardware part is a USB token. The token needs to be connected to a PC or server on which a software license is required. Some of the USB token models are listed in the table below.

License control solutions of this type are based on the following operating principles: a software product requires a license to operate properly; when a USB token is plugged into the computer, the software “sees” the license and becomes fully functional. The token must be plugged in every time the software is started and remain connected while it is in use. The software part of the Gemalto solution is installed once and remains functional regardless of the life cycle of the software requiring a token.

This Gemalto solution is used in products by other software vendors, including such companies as ABB, General Electric, HP, Cadac Group, Zemax and many other organizations, the number of which, according to some estimates, reaches 40 thousand.

According to the results of independent research conducted by Frost and Sullivan in 2011, SafeNet Sentinel, which is currently owned by Gemalto, has a 40% market share for license control solutions in North America and over 60% in Europe.

The number of end users who use Gemalto solutions is not known. However, if each company has 100 clients, the number of users is in the millions. Unfortunately, few people realize that connecting a token to a computer to control licenses may not be a safe thing to do.

Vulnerabilities and attack vectors
From the researchers’ viewpoint, hasplms.exe exhibited rather curious behavior on the system: it could be remotely accessed and communicated with on open port 1947. The protocol type was determined from the network packet header: either HTTP or a proprietary binary protocol was used. The service also had an API of its own, based on HTTP.

Analysis of the service was complicated by the fact that the binary was protected with a VMProtect-type protector, which converts the original Gemalto code into virtualized bytecode. For this reason, fuzzing was chosen as the main tool for analyzing the vulnerable service’s behavior.

First of all, we looked at the localization function: the user could download language packs consisting of two files, one of which was localize.xml. The second file, in HTML format, had parameters, one of which turned out to be vulnerable to a buffer overflow. It would have been a simple vulnerability if it wasn’t for one curious detail: although, as mentioned above, a protector was used, for some reason the developers did not enable any of the standard mitigations for such binary vulnerabilities (stack canaries/cookies, ASLR, etc.). As a result, a simple buffer overflow could allow an attacker to execute arbitrary code on the remote system.

Note that such development flaws are rare in modern solutions. As a rule, serious commercial products are developed with secure coding practices (such as SDL, the security development lifecycle), which means that security is designed into applications during development rather than bolted on afterwards as an additional option.

This attack vector does not require LPE (local privilege escalation): the vulnerable process runs with SYSTEM privileges, so the malicious code runs with the highest privileges.

Sample script loading a language pack file

Result of Buffer Overflow exploitation, leading to RCE

The vulnerability was assigned the number CVE-2017-11496.

This was just one of the vulnerabilities we found. And the overall result of our research was disquieting.

In late 2016 – early 2017, 11 vulnerabilities were identified: two allowed remote code execution if exploited and nine were denial-of-service vulnerabilities.

By June 2017, Kaspersky Lab ICS CERT had identified three more vulnerabilities: an XML bomb and two denial-of-service flaws, one of which could potentially lead to remote execution of arbitrary code.

In total, 14 vulnerabilities have been identified, all quite dangerous (for example, each of the remote code execution vulnerabilities is exploited with SYSTEM privileges, i.e., the highest privilege level in Windows).

All attack vectors affecting the vulnerable service were multi-stage.

We promptly sent all information on the vulnerabilities identified to Gemalto. The vulnerabilities were assigned the following respective CVE numbers:

CVE-2017-11496 – Remote Code Execution
CVE-2017-11497 – Remote Code Execution
CVE-2017-11498 – Denial of Service
CVE-2017-12818 – Denial of Service
CVE-2017-12819 – NTLM hash capturing
CVE-2017-12820 – Denial of Service
CVE-2017-12821 – Remote Code Execution
CVE-2017-12822 – Remote manipulations with configuration files
In addition to vulnerability descriptions, we sent a description of peculiar functionality to Gemalto.

Peculiar functionality
Kaspersky Lab ICS CERT experts have found that hasplms.exe has some rather unusual functionality:

When a Gemalto USB token is first connected to a computer (even if the active session is locked), a driver and a service that accepts network connections on port 1947 are installed, provided Internet access is available.
If a driver is manually downloaded from the Gemalto website and installed, a driver and service that accept network connections on port 1947 are installed and port 1947 is added to Windows firewall exceptions.
If Gemalto software is installed as part of a third-party installation file, port 1947 is also added to Windows firewall exceptions.
There is an API function which enables or disables the administrative panel in the web interface, making it possible to modify the settings of the program part of the SafeNet Sentinel hardware-based solution. The panel is available by default on the localhost IP address – 127.0.0.1.
The API can be used to change the internal proxy settings for updating language packs.
After changing the proxy server, the service’s internal logic can be used to obtain the NTLM hash of the user account under which the hasplms.exe process is running (i.e., SYSTEM).
This appears to be an undocumented feature and can be used for stealthy remote access. This means that remote attackers can use these capabilities to gain access to the administrative panel of the Gemalto software, carry out attacks with system user privileges and conceal their presence after completing these attacks.

As mentioned above, Gemalto representatives were informed of this attack vector.

Non-transparent security
Solutions, technologies or individual software modules used by many third-party vendors often do not undergo proper security testing. This potentially opens up new attack vectors. At the same time, closing vulnerabilities in such products, which are often used, among other applications, in banking and industrial control systems, is not always a smooth process: for some reason, vendors of such systems are in no hurry to notify their users of problems identified in their products.

In early 2017, we sent information about 11 vulnerabilities we had identified to Gemalto. It was only in late June that, in response to our repeated requests, the vendor informed us that a patch had been released and information about the vulnerabilities that had been closed, as well as a new version of the driver, could be found on the company’s internal user portal.

On June 26, we informed Gemalto of the suspicious functionality and of three more vulnerabilities. This time, things went quicker: on July 21 the vendor released a private notice on a new driver version – without any mention of the vulnerabilities closed.

According to Gemalto, the company has notified all of its customers of the need to update the driver via their account dashboards. However, this was apparently not sufficient: after we published information about the vulnerabilities identified, we were contacted by several developers of software which uses hasplms. It became clear from our communication with them that they were not aware of the problem and continued to use versions of the product with multiple vulnerabilities.

Update software to the current version (7.6) ASAP
We urge those users and companies that use Gemalto’s SafeNet Sentinel to install the latest (secure) version of the driver as soon as possible, or to contact Gemalto for instructions on updating the driver.

In the case of installing the driver via Microsoft Windows Update servers, we recommend checking hasplms.exe to make sure it is the latest version. If an obsolete version is used, it is crucial to install the latest (secure) version of the driver from the vendor’s website or contact Gemalto for instructions on updating the driver.

We also recommend closing port 1947, at least on the external firewall (on the network perimeter) – but only as long as this does not interfere with business processes. This will help to reduce the risk of the vulnerabilities being exploited.
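The two recommendations above (check whether the service is still present and listening, and check what the firewall lets through to port 1947) can be turned into a repeatable audit. The script below is an added example written for this page; it is not Kaspersky’s or Gemalto’s code. It takes the text of `netstat -ano` and `netsh advfirewall firewall show rule name=all` from a Windows host, finds TCP/UDP listeners on port 1947, and correlates them with enabled inbound Allow rules covering that port. Both embedded samples are constructed for illustration: the rule name "Sentinel License Manager" and PID 3412 are assumptions, not values taken from the article.

```python
from typing import Dict, List

SENTINEL_PORT = 1947

# Constructed `netstat -ano` excerpt (not captured from a real host; PID 3412 is assumed).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:1947           0.0.0.0:0              LISTENING       3412
  TCP    127.0.0.1:1947         0.0.0.0:0              LISTENING       3412
  TCP    192.168.10.5:49712     192.168.10.20:445      ESTABLISHED     4
  UDP    0.0.0.0:1947           *:*                                    3412
"""

# Constructed `netsh advfirewall firewall show rule name=all` excerpt; the rule name is assumed.
NETSH_SAMPLE = """
Rule Name:                            Sentinel License Manager
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            1947
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Action:                               Allow
Ok.
"""


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Return listening sockets from `netstat -ano` (TCP rows need LISTENING; UDP rows have no state)."""
    listeners: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue
            local, pid = parts[1], parts[4]
        else:
            if len(parts) < 4:
                continue
            local, pid = parts[1], parts[3]
        ip, _, port = local.rpartition(":")  # also splits "[::]:1947" correctly
        if port.isdigit() and pid.isdigit():
            listeners.append({"proto": parts[0], "ip": ip, "port": int(port), "pid": int(pid)})
    return listeners


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip.strip("[]") == "::1"


def parse_netsh_rules(text: str) -> List[Dict[str, str]]:
    """Split `netsh advfirewall firewall show rule` output into one {field: value} dict per rule."""
    rules: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            rules.append({})
        if not rules or ":" not in line or line.startswith("-"):
            continue
        key, _, value = line.partition(":")
        rules[-1][key.strip()] = value.strip()
    return rules


def port_matches(spec: str, port: int) -> bool:
    """Match a netsh port spec ("Any", "1947", "80,1947", "1000-2000") against one port."""
    if spec.lower() == "any":
        return True
    for item in spec.split(","):
        lo, sep, hi = item.strip().partition("-")
        if not sep:
            hi = lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False


def inbound_allow_rules(rules: List[Dict[str, str]], port: int) -> List[str]:
    """Names of enabled inbound Allow rules whose protocol/port spec covers `port`."""
    return [
        r.get("Rule Name", "<unnamed>")
        for r in rules
        if r.get("Enabled") == "Yes"
        and r.get("Direction") == "In"
        and r.get("Action") == "Allow"
        and r.get("Protocol", "Any") in ("TCP", "UDP", "Any")
        and port_matches(r.get("LocalPort", "Any"), port)
    ]


def audit(netstat_text: str, netsh_text: str, port: int = SENTINEL_PORT) -> Dict[str, object]:
    """Exposed means: a non-loopback listener on `port` AND a firewall exception letting it in."""
    listeners = [s for s in parse_netstat(netstat_text) if s["port"] == port]
    reachable = [s for s in listeners if not is_loopback(s["ip"])]
    allow_rules = inbound_allow_rules(parse_netsh_rules(netsh_text), port)
    return {"listeners": listeners, "remote_reachable": reachable,
            "allow_rules": allow_rules, "exposed": bool(reachable) and bool(allow_rules)}


if __name__ == "__main__":
    result = audit(NETSTAT_SAMPLE, NETSH_SAMPLE)
    for s in result["remote_reachable"]:
        print(f"{s['proto']} {s['ip']}:{s['port']} (PID {s['pid']}) listens on a non-loopback address")
    print("inbound allow rules:", result["allow_rules"], "->", "EXPOSED" if result["exposed"] else "not exposed")
```

On a real host, pipe the two commands’ output into the functions instead of the samples and map the reported PID to its image with `tasklist /FI "PID eq <pid>"` to confirm it is hasplms.exe. A loopback-only listener with no matching inbound rule is the state the recommendations above aim for; a listener on 0.0.0.0 with an enabled Allow rule is the exposure the article describes, whether or not a token is currently plugged in.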

Some software vendors who use third-party solutions as part of their products may be very thorough about the security of their own code, while leaving the security of third-party solutions to other companies (the vendors of these solutions). We very much hope that most companies act responsibly both with respect to their own solutions and with respect to third-party solutions used in their products.


Gemalto Licensing Tool Exposes ICS, Corporate Systems to Attacks
22.1.2018 securityweek ICS

A significant number of industrial and corporate systems may be exposed to remote attacks due to the existence of more than a dozen vulnerabilities in a protection and licensing product from Gemalto.

Gemalto Sentinel LDK is a software licensing solution used by many organizations worldwide on both their enterprise and industrial control systems (ICS) networks. In addition to software components, the solution provides hardware-based protection, specifically a SafeNet Sentinel USB dongle that users connect to a PC or server when they want to activate a product.

Researchers at Kaspersky Lab discovered that when the token is attached to a device, the necessary drivers are installed – either downloaded by Windows or provided by third-party software – and port 1947 is added to the list of exceptions in the Windows Firewall. The port remains open even after the USB dongle has been removed, allowing remote access to the system.

Experts discovered a total of 14 vulnerabilities in Sentinel components, including ones that allow denial-of-service (DoS) attacks, arbitrary code execution with system privileges, and capturing NTLM hashes. Since port 1947 allows access to the system, these flaws can be exploited by a remote attacker.

Kaspersky decided to analyze the product after the company’s ICS CERT team repeatedly encountered it during penetration testing assignments.

Malicious actors can scan the network for port 1947 to identify remotely accessible devices or, if they have physical access to the targeted machine, they can connect the USB dongle – even if the computer is locked – in order to make it remotely accessible.

The Gemalto product also includes an API that can be used to remotely enable and disable the administrator interface and change settings, including proxy settings for obtaining language packs. Changing the proxy allows an attacker to obtain the NTLM hash for the user account running the licensing software process.

Eleven vulnerabilities were discovered by Kaspersky in late 2016 and early 2017, and three others were found by June 2017. Gemalto has been notified and the company has implemented fixes with the release of version 7.6, but Kaspersky is not entirely happy with how the vendor has handled the situation. The first round of flaws was only resolved in late June 2017 and Gemalto did not properly communicate to customers the risks posed by these vulnerabilities – several software developers using the license management solution told Kaspersky they had not been aware of the security holes and continued using vulnerable versions.


In addition to installing the latest version of the Sentinel driver, Kaspersky has advised users to close port 1947 if it’s not needed for regular activities.

While the exact number of devices using this Gemalto product is unknown, Kaspersky believes it could be millions. A 2011 study by Frost and Sullivan showed that the SafeNet Sentinel had a 40 percent share in the license control solutions market in North America and 60 percent in Europe.

The vulnerable Gemalto software is found in the products of several major companies, including ABB, General Electric, HP, Cadac Group, Siemens, and Zemax.

Last week, ICS-CERT and Siemens warned that more than a dozen versions of the SIMATIC WinCC Add-On were affected by three critical and high severity vulnerabilities introduced by the use of Gemalto software. Siemens said the flaws, two of which are related to how language packs are processed, allow DoS attacks and arbitrary code execution.

Siemens told customers that the vulnerable Gemalto software is used in SIMATIC WinCC add-ons released in 2015 and earlier.

“Given how wide spread this license management system is, the possible scale of consequences is very large, because these tokens are used not only in regular corporate environments, but also in critical facilities with strict remote access rules. The latter could easily be broken with the help of the issue which we discovered to be putting critical networks in danger,” warned Vladimir Dashchenko, head of the vulnerability research group at Kaspersky ICS CERT.


Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure
17.1.2018 securityaffairs ICS

IOActive researchers warn that mobile applications for critical infrastructure are being developed without secure coding practices, which could allow attackers to target SCADA systems.
In a report released today, IOActive’s researchers show that Supervisory Control and Data Acquisition Industrial Control Systems (SCADA-ICS) are put at risk by the poor security of the mobile apps used to interact with them.

SCADA-ICS stands for Supervisory Control and Data Acquisition Industrial Control System, the industrial automated systems operating critical infrastructure. These systems control and operate critical services such as clean water and energy. IOActive’s researchers released a report analyzing the security impact of connecting SCADA-ICS systems to Internet of Things (IoT) devices and mobile applications.

The report states that mobile applications are present in many ICS segments and can be divided into two groups: local applications (Wi-Fi, Bluetooth) and remote applications (Internet, VPN). Both are exposed to three types of attack: unauthorized physical access to the device or “virtual” access to its data, compromise of the communication channel (MiTM), and compromise of the application itself.

SCADA-ICS infrastructure

Through these attacks, mobile SCADA applications can be abused to directly or indirectly influence an industrial process or the industrial network infrastructure, or to trick an operator into unwittingly performing a harmful action on the system.

The research was based on the OWASP Mobile Top 10 (2016) and analyzed apps from 34 vendors published on the Google Play Store. In total, 147 security issues were identified, including secure coding weaknesses that would allow code tampering.

The researchers note that an attacker who gains remote control of a smartphone could use a vulnerable ICS app as a stepping stone to attack the hardware and software it manages. They also found an average increase of 1.6 vulnerabilities per application compared with their previous study.

Regarding the vulnerabilities, the researchers found insecure authorization, with some apps failing to include any form of authentication. Other issues, like easy reverse engineering, stemmed from the absence of code obfuscation. Insecure data storage and unintended data leakage were also present, which could allow attackers to access the app or data related to the SCADA system.

The report argues that the security of society is at stake, since these vulnerabilities could enable damage greater than that caused by the 2016 attack in Ukraine. It recommends that app developers build secure coding into development planning, given the societal impact these flaws represent.


Shared Accounts Increasingly Problematic for Critical Infrastructure: ICS-CERT
17.1.2018 securityweek ICS

Assessments conducted last year by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that boundary protection remains the biggest problem in critical infrastructure organizations, but identification and authentication issues have become increasingly common.

Critical infrastructure owners and operators can ask ICS-CERT to conduct onsite cybersecurity assessments of their industrial control systems (ICS) in order to help them strengthen their cybersecurity posture.

In 2017, ICS-CERT conducted 176 assessments, which represents a 35 percent increase compared to the previous year. The agency analyzed organizations in eight critical infrastructure sectors, but more than two-thirds of the assessments targeted the energy and water and wastewater systems sectors.

The highest number of assessments were conducted in Texas (27), followed by Alaska (20), Nebraska (15), New York (14), Washington (13), Idaho (12), Nevada (10) and Arizona (10).

ICS-CERT identified 753 issues as part of 137 architecture design reviews and network traffic analyses. The six most common weaknesses, which accounted for roughly one-third of the total, were related to network boundary protection, identification and authentication, allocation of resources, physical access controls, account management, and least functionality.

Security issues found during ICS-CERT assessments

Improper network boundary protection, which includes inadequate boundaries between enterprise and ICS networks and the inability to detect unauthorized activity on critical systems, has been the most common type of weakness since 2014.

As for identification and authentication issues, these can include the lack of mechanisms for tracing user actions if an account gets compromised, and increased difficulty in securing accounts belonging to former employees, particularly ones with administrator access.

Identification and authentication issues first made ICS-CERT’s top six weakness categories in 2015, when it was on the fourth position. In 2016 it jumped one position and last year it was the second most common security weakness.

Of all the identification and authentication issues, shared and group accounts are particularly concerning.

“[Shared and group accounts] make it difficult to identify the actual user and they allow malicious parties to use them with anonymity. Accounts used by a shared group of users typically have poor passwords that malicious actors can easily guess and that users do not change frequently or when a member of the group leaves,” ICS-CERT said in its latest Monitor report.
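The ICS-CERT point above (a shared account hides who actually acted) translates into a simple detection: one account logging on interactively from several workstations inside a short window. The script below is an added example written for this page, not code from the ICS-CERT report. It runs that logic over constructed, normalized Windows Security log records (EventID 4624 logons with logon type and workstation); the account and host names are invented. Network logons (type 3) are excluded by default, because service accounts legitimately fan out across servers and would otherwise drown the signal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed, normalized Windows Security log records (4624 = logon, 4634 = logoff).
# Accounts and hosts are invented for the example.
LOG_SAMPLE = """
2017-11-02T07:58:03 EventID=4624 Account=operator LogonType=2 Workstation=HMI-01
2017-11-02T08:02:41 EventID=4624 Account=operator LogonType=2 Workstation=HMI-02
2017-11-02T08:05:10 EventID=4624 Account=operator LogonType=10 Workstation=ENG-WS-07
2017-11-02T08:10:00 EventID=4624 Account=jdoe LogonType=2 Workstation=ENG-WS-03
2017-11-02T12:30:00 EventID=4624 Account=jdoe LogonType=2 Workstation=ENG-WS-03
2017-11-02T12:31:00 EventID=4634 Account=jdoe LogonType=2 Workstation=ENG-WS-03
2017-11-02T09:00:00 EventID=4624 Account=svc_backup LogonType=3 Workstation=FILESRV-01
2017-11-02T09:00:05 EventID=4624 Account=svc_backup LogonType=3 Workstation=FILESRV-02
"""

INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # console, RDP, cached interactive
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logons(text: str) -> List[Dict[str, object]]:
    """Parse `<iso-timestamp> key=value ...` lines, keeping only 4624 (successful logon) events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))
        if fields.get("EventID") != "4624":
            continue
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": fields["Account"].lower(),
            "host": fields["Workstation"],
            "logon_type": int(fields["LogonType"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_shared_accounts(events: List[Dict[str, object]],
                         window: timedelta = timedelta(minutes=30),
                         min_hosts: int = 2,
                         logon_types: Set[int] = INTERACTIVE_LOGON_TYPES) -> Dict[str, List[str]]:
    """Return {account: sorted hosts} for accounts that logged on from >= min_hosts distinct
    workstations within `window`, considering only the given logon types."""
    by_account: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] in logon_types:
            by_account[e["account"]].append(e)
    findings: Dict[str, Set[str]] = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this account's logons
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings.setdefault(account, set()).update(hosts)
    return {a: sorted(h) for a, h in findings.items()}


if __name__ == "__main__":
    for account, hosts in find_shared_accounts(parse_logons(LOG_SAMPLE)).items():
        print(f"possible shared account: {account} used interactively on {', '.join(hosts)}")
```

Tune `window` to the shift pattern of the site: a 30-minute window catches an operator account walking between HMIs; a window of a full shift will also catch handovers, which is exactly the behaviour that makes attribution impossible after a compromise. Real records come from Security event 4624 via `wevtutil` or a SIEM export and only need to be normalized to the `key=value` form used here.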

Allocation of resources for cybersecurity is also a problem in many critical infrastructure organizations. ICS-CERT’s assessment teams noticed that many sites are short-staffed and in many cases there is no backup personnel.

“Although some sites had started planning for attrition of staff, many did not have a plan to address loss of key personnel. One site had seven key personnel, four of whom would be eligible for retirement next year,” the agency said.

While its assessments do not focus on physical access controls, ICS-CERT has often noticed that organizations fail to ensure that ICS components are physically accessible only to authorized personnel.

“The team observed cases where infrastructure (i.e., routers and switches) was in company space but accessible to staff with no need to have physical access. Other cases included ICS components in public areas without any physical restrictions (i.e., locked doors or enclosures) to prevent access from a passerby. Some sites did not have locked doors to the operations plant, which would allow anyone to walk in and potentially have access to control system components,” ICS-CERT explained.


Industrial Cybersecurity Firm Nozomi Networks Raises $15 Million
10.1.2018 securityweek ICS
Industrial cybersecurity firm Nozomi Networks has raised $15 million in a Series B funding round, the company announced Wednesday. The new funding brings the total amount raised by the company to date to $23.8 million.

Nozomi’s flagship offering, SCADAguardian, employs machine learning and behavioral analysis to detect zero-day attacks in real-time; while integration with firewalls and SIEMs, ICS incident alerting and notification systems allow rapid response to alerts.

The company said the additional funding will be used to support worldwide expansion of marketing, sales and support and further bolster product innovation.


Nozomi Networks Exhibits at SecurityWeek's 2017 ICS Cyber Security Conference in Atlanta (Image Credit: SecurityWeek)
The company claims to be rapidly gaining new customers across 5 continents, with more than 200 deployments that span energy, manufacturing, pharmaceuticals, chemicals, mining, utilities and other sectors.

“Now is a prudent time for funding to meet this exploding market opportunity,” said Nozomi Networks CEO Edgard Capdevielle. “We resisted the temptation of raising too much funding before our product leadership was established.”

“FireEye’s recent discovery of Triton malware in the wild highlights how critical infrastructure facilities are increasingly at risk. After extensive testing, we've partnered with Nozomi Networks because they provide the right solution customers need to detect these attacks at the earliest stages and minimize the impact before the safety and reliability of their critical operations is threatened,” Grady Summers, CTO at FireEye, said in a statement.

The Invenergy Future Fund led the Series B round with participation from THI Investments and all existing investors, GGV Capital, Lux Capital and Planven Investments SA. Nozomi previously raised $7.5 million in a Series A funding round in late 2016.

Nozomi is one of several security startups targeting the industrial space that have recently raised funding. Others include Dragos, Indegy, Bayshore Networks, CyberX, Claroty, and SCADAFence. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted to the industrial sector, recently raised $75 million at a valuation of $825 million.


Schneider Electric Patches Flaws in Pelco Video Management System
22.12.2017 securityweek ICS
Schneider Electric recently developed a firmware update for its Pelco VideoXpert Enterprise product to address several vulnerabilities, including a high severity code execution flaw.

Pelco VideoXpert Enterprise is a video management system used in commercial facilities worldwide. Researcher Gjoko Krstic discovered that the product is affected by two directory traversal bugs and an improper access control issue that can allow arbitrary code execution.

The most serious of the flaws is CVE-2017-9966, which allows an attacker to replace certain files and execute malicious code with system privileges, Schneider Electric and ICS-CERT said in their advisories.

The directory traversal vulnerabilities are tracked as CVE-2017-9964 and CVE-2017-9965, and they have been classified as medium severity. The first security hole allows an attacker to bypass authentication or hijack sessions by “sniffing communications.”

The second directory traversal can be exploited by an unauthorized user to access web server files that could contain sensitive information.
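Neither advisory gives the request details of the two Pelco traversal bugs, so the block below is an added illustration of the vulnerability class, not Pelco’s or Schneider Electric’s code: the classic vulnerable pattern (join the requested path onto the web root and normalize) beside a hardened resolver that URL-decodes repeatedly, rejects NUL bytes and `..` segments, and still verifies containment as defense in depth. The web root `/var/www/videoxpert` is an assumed value for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEBROOT = "/var/www/videoxpert"  # assumed document root for the example


def resolve_naive(webroot: str, requested: str) -> str:
    """The vulnerable pattern: join and normalize, never check that the result stays under webroot.
    `..` segments climb out of the root and an absolute request path discards the root entirely."""
    return posixpath.normpath(posixpath.join(webroot, requested))


def resolve_safe(webroot: str, requested: str, max_decodes: int = 3) -> Optional[str]:
    """Return the filesystem path for `requested`, or None if the request is a traversal attempt."""
    path = requested
    for _ in range(max_decodes):            # undo single and double URL-encoding (%2e%2e, %252e)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:                      # NUL truncation tricks against C-level file APIs
        return None
    path = path.replace("\\", "/")          # treat backslashes as separators as well
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):    # reject outright instead of silently neutralising
        return None
    root = posixpath.normpath(webroot)
    full = posixpath.normpath(posixpath.join(root, *segments))
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        return None                         # containment check, in case the rules above ever drift
    return full


if __name__ == "__main__":
    for req in ("images/logo.png", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{req!r:42} naive={resolve_naive(WEBROOT, req)!r:28} safe={resolve_safe(WEBROOT, req)!r}")
```

Rejecting rather than normalizing is the better choice for a server that is also meant to log abuse: a request containing `..` after decoding is never legitimate for static content, and the refusal is itself a detection event. An absolute request path is deliberately reinterpreted relative to the root, which is the semantics a web server should have anyway.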

These Pelco VideoXpert Enterprise vulnerabilities have been patched with the release of firmware version 2.1. All prior versions are affected.

This is the third round of Pelco product vulnerabilities covered in advisories published by ICS-CERT. The organization also released an advisory in June 2016 for a serious vulnerability in the Digital Sentry video management system, and in March 2015 for a high severity flaw in the DS-NVs software package.


Pepperl+Fuchs Ecom Rugged Devices Exposed to KRACK Attacks
21.12.2017 securityweek ICS

Rugged tablets, phones and PDAs made by Ecom Instruments use Wi-Fi components that are vulnerable to a recently disclosed attack method named KRACK.

Ecom Instruments, acquired last year by Germany-based factory automation solutions provider Pepperl+Fuchs, specializes in developing mobile devices designed for use in hazardous areas, including in the chemical and petrochemical, oil and gas exploration, mining, and energy sectors.

According to ICS-CERT and its German counterpart CERT@VDE, several Windows- and Android-based mobile devices from Ecom are affected by the KRACK flaws.

The list of vulnerable products includes Android-based Tab-Ex 01 tablets, Ex-Handy 09 and 209 phones, and Smart-Ex 01 and 201 smartphones, and Windows-based Pad-Ex 01 tablets, and i.roc Ci70-Ex, CK70A-ATEX, CK71A-ATEX, CN70A-ATEX and CN70E-ATEX PDAs.

“ecom instruments devices are in theory attackable by replay, decryption and forging of packets,” CERT@VDE said in an advisory. “However, to perform the attack, the attacker must be significantly closer to the ecom device than to the access point. The WPA2 password cannot be compromised using a KRACK attack. Note if WPA-TKIP is used instead of AES-CCMP, an attacker can easily forge and inject packets directly into the WLAN.”

Pepperl+Fuchs and Ecom are working on addressing the vulnerabilities in the impacted Android products. As for the Windows-based devices, users have been advised to apply the patches provided by Microsoft and switch to using AES-CCMP encryption instead of WPA-TKIP.

KRACK, or Key Reinstallation Attack, is the name assigned to a series of vulnerabilities in the WPA2 protocol. The flaws can allow an attacker within range of the targeted device to read information that the user believes is encrypted and, in some cases, even inject and manipulate data.

The vulnerabilities affect millions of devices from tens or possibly hundreds of vendors. Pepperl+Fuchs is not the first industrial solutions provider to inform customers that its products are impacted by KRACK.

Days after the vulnerabilities were disclosed, Cisco, Rockwell Automation and Sierra Wireless admitted that their industrial networking devices had been vulnerable. A few weeks later, Siemens, ABB, Phoenix Contact, Lantronix and Johnson Controls also warned customers.

Experts believe the risk of attacks against the industrial devices themselves is not as big as the risk to systems used by ICS engineers and operators for remote access, such as smartphones, tablets, and network communication devices.


DHS Warns of Malware Targeting Industrial Safety Systems
20.12.2017 securityweek ICS
The National Cybersecurity & Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security (DHS) on Monday published an analysis report on a piece of malware designed to target industrial safety systems.

FireEye and Dragos reported last week that sophisticated malware, tracked by the companies as Triton and Trisis, caused a shutdown at a critical infrastructure organization somewhere in the Middle East. CyberX, a firm that specializes in industrial cybersecurity, believes Iran was likely behind the attack and the target was probably an organization in Saudi Arabia.

The NCCIC, which dubbed the malware “HatMan,” published a report that describes the threat, and provides mitigations and YARA rules.

The Python-based HatMan malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are designed to monitor processes and restore them to a safe state, or perform a safe shutdown, if a potentially dangerous situation is detected.

The malware communicates with SIS controllers via the proprietary TriStation protocol, and allows attackers to manipulate devices by adding new ladder logic.

The attack on the critical infrastructure organization in the Middle East was discovered after the hackers’ activities resulted in the SIS controller triggering a process shutdown. However, experts believe this was likely an accident, and the final goal may have been to cause physical damage.

The NCCIC pointed out in its report that the malware has two main components: one that runs on a compromised PC and interacts with the safety controller, and one that runs on the controller itself.

HatMan malware diagram

“Although by itself HatMan does not do anything catastrophic — safety systems do not directly control the process, so a degraded safety system will not cause a correctly functioning process to misbehave — it could be very damaging when combined with malware that impacts the process in tandem. Were both to be degraded simultaneously, physical harm could be effected on persons, property, or the environment,” NCCIC said in its report.

“It is safe to say that while HatMan would be a valuable tool for ICS reconnaissance, it is likely designed to degrade industrial processes or worse. Overall, the construction of the different components would indicate a significant knowledge about ICS environments — specifically Triconex controllers — and an extended development lifecycle to refine such an advanced attack,” it added.

Schneider Electric has launched an investigation into this incident. The company said there had been no evidence that the malware exploited any vulnerabilities in its products. The automation giant has advised customers not to leave the device in “Program” mode when it’s not being configured as the malware can only deliver its payload if the controller is set to this mode.

“The fact that this actor has the capability to access the safety instrumentation device, and potentially make changes to the device firmware unnoticed, should make critical infrastructure owner-operators sit up and take heed,” said Emily S. Miller, Director of National Security and Critical Infrastructure Programs at Mocana. “Yes, in this case the malware tripped the safety systems and was noticed, but who’s to say the actor won’t learn from its mistakes or hasn’t already?”


Triton malware was developed by Iran and used to target Saudi Arabia
16.12.2017 securityaffairs APT  ICS

CyberX who analyzed samples of the Triton malware believes it was likely developed by Iran and used to target an organization in Saudi Arabia.
Security experts from security firms FireEye and Dragos reported this week the discovery of a new strain of malware dubbed Triton (aka Trisis) specifically designed to target industrial control systems (ICS).

Both FireEye and Dragos would not attribute the Triton malware to a specific threat actor.

The Triton malware was used in an attack on an unnamed critical infrastructure organization somewhere in the Middle East, where it caused a shutdown.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

Triton malware

According to a report published by ICS cyber security firm Dragos, which tracks the threat as “TRISIS”, the victim was an industrial asset owner in the Middle East.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON communicates using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol in order to carry out the attack.

Now, security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Iranian hackers are becoming increasingly aggressive, although experts have consistently noted that they are not particularly sophisticated.

In October, the OilRig gang was spotted using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

In February, researchers at Palo Alto Networks discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.

The espionage campaign, dubbed Magic Hound, dates back to at least mid-2016. The hackers targeted organizations in the energy, government, and technology industries; all of the targets are located in, or have an interest in, Saudi Arabia.

Iran was responsible for destructive attacks on Saudi Aramco systems in 2012, and now CyberX is attributing the Triton malware to the Government of Teheran.

According to the experts, the shutdown was likely an accident during the reconnaissance phase conducted by the threat actors whose final goal was the sabotage.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory to warn its customers, recommending that the front panel key not be left in the “Program” position when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

According to Phil Neray, VP of Industrial Cybersecurity for CyberX, OT environments are ‘vulnerable by design’, which is why they are a privileged target for hackers, who can use them as an entry point into an industrial environment.

“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Phil Neray told SecurityWeek. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”


New "Triton" ICS Malware Used in Critical Infrastructure Attack
14.12.2017 securityweek ICS
A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye reported on Thursday. Experts believe the attack was launched by a state-sponsored actor whose goal may have been to cause physical damage.

Few details have been provided about the targeted organization, and FireEye has not linked the attack to any known group, but it believes with moderate confidence that a nation state actor is responsible. This assessment is based on the apparent lack of financial motivation and the amount of resources necessary to pull off such an attack.

The activity observed by FireEye may have been conducted during the reconnaissance phase of a campaign, and it’s consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

The malware, which FireEye has dubbed “Triton,” is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

According to analysis (PDF) conducted by ICS cyber security firm Dragos, which calls the malware "TRISIS", the victim was an industrial asset owner in the Middle East.

Triton ICS malware targets Schneider Triconex controllers

The engineering and maintenance tool used by Triconex SIS products is TriStation. The TriStation protocol is proprietary and there is no public documentation for it, but Triton does leverage this protocol, which suggests that the attackers reverse engineered it when creating their malware.

Triton, which FireEye has described as an attack framework, is designed to interact with Triconex SIS controllers. The malware can write and read programs and functions to and from the controller, and query its state, but not all capabilities had been leveraged in this specific attack.

The hackers deployed Triton on a Windows-based engineering workstation. The malware had left legitimate programs running on the controllers in place, but added its own programs to the execution table. The threat attempts to return the controller to a running state in case of a failure, or overwrite the malicious program with junk data if the attempt fails, likely in an effort to cover its tracks.

In general, once the SIS controller has been compromised, the attacker can reprogram the device to trigger a safe state, which could cause downtime and result in financial losses. Attackers could also reprogram the SIS so that it allows dangerous parameters without triggering the safe state, which can have a physical impact, including on human safety, products and equipment, FireEye said.

However, the physical damage that can be done via the SIS controller is limited by the mechanical safety systems deployed by an organization.

In the case of the critical infrastructure attack investigated by FireEye, the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.

On the other hand, FireEye noted that “intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”

Schneider Electric has launched an investigation into this incident, but initial evidence suggests that Triton does not leverage any vulnerabilities in the Triconex product and the company is not aware of any other attacks.

“It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment,” the industrial giant said.

Schneider said the targeted safety controllers are widely used in critical infrastructure, and it’s working on determining if there are any additional attack vectors. In the meantime, customers have been advised not to leave the front panel key position in “Program” mode when the controller is not being configured. The malware can only deliver its payload if the key switch is set to this mode. Signatures of the malware samples identified by FireEye have been provided to cybersecurity firms so security products should be able to detect at least some variants of the threat.

There are only a handful of malware families specifically designed to target industrial systems, including the notorious Stuxnet, and Industroyer, the malware used in the December 2016 attack aimed at an electrical substation in Ukraine. Last year, FireEye identified an ICS malware dubbed IRONGATE, but it had not been observed in any actual attacks, leading experts to believe that it may have been developed for research purposes.


New Triton malware detected in attacks against a Critical Infrastructure operator
14.12.2017 securityaffairs ICS

Triton malware – A new strain of malware specifically designed to target industrial control systems (ICS) has been spotted by researchers at FireEye
A new strain of malware dubbed Triton, specifically designed to target industrial control systems (ICS), has been spotted by researchers at FireEye.

The Triton malware was used in an attack aimed at an unnamed critical infrastructure organization. Given the lack of financial motivation and the level of sophistication of the attack, experts suspect the involvement of a state-sponsored actor pursuing sabotage.

FireEye has not linked the Triton attack to any known APT group. The experts believe the activity they detected was part of the reconnaissance phase of a campaign, and that it is consistent with many attacks and reconnaissance activities carried out globally that were previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

Triton malware

Once they had gained access to the SIS system, the threat actors deployed the TRITON malware, a circumstance that indicates the attackers had knowledge of such systems. According to FireEye, the attackers pre-built and tested the tool, which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol in order to carry out the attack.

The Triton malware interacts with Triconex SIS controllers; it is able to read and write programs and functions to and from the controller.

“TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite.” continues FireEye.

“The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard coded in the Py2EXE compiled python script.”
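The FireEye description above gives a defender two host-level artifacts to look for on an engineering workstation: the two hard-coded payload file names (inject.bin and imain.bin) dropped beside the executable, and an executable named to masquerade as the Trilog application. The following script is an added example, not code from FireEye, Schneider Electric or the NCCIC report; it runs over a plain list of file paths (the inventory below is constructed) so it can be applied offline to an export from a workstation. The "trusted" Trilog install directory it uses is a hypothetical path, not a value from the reports.

```python
"""Flag the workstation artifacts FireEye described for TRITON in a file inventory.

Added example; not code from FireEye, Schneider Electric or the NCCIC report.
Input is a list of file paths (the SAMPLE_INVENTORY below is constructed).
The trusted Trilog install directory is an assumed, hypothetical path.
"""
from collections import defaultdict

# File names FireEye reports were hard-coded in the Py2EXE-compiled script and
# dropped beside it as the controller payload.
PAYLOAD_FILES = {"inject.bin", "imain.bin"}

# Hypothetical: where the vendor's genuine TriStation/Trilog tooling is installed.
TRUSTED_TRILOG_DIRS = ("c:\\program files\\triconex\\",)


def _normalize(path):
    """Lower-case and use backslashes so comparisons ignore case and separators."""
    return path.replace("/", "\\").lower()


def check_inventory(paths):
    """Return a list of (path, reason) findings for the given file paths."""
    findings = []
    by_dir = defaultdict(set)
    for path in paths:
        norm = _normalize(path)
        directory, _, name = norm.rpartition("\\")
        by_dir[directory].add(name)
        if name in PAYLOAD_FILES:
            findings.append((path, f"known TRITON payload file name '{name}'"))
        # The dropper was named to masquerade as the legitimate Trilog application;
        # a Trilog-like executable outside the vendor's install path is suspicious.
        if ("trilog" in name and name.endswith(".exe")
                and not norm.startswith(TRUSTED_TRILOG_DIRS)):
            findings.append((path, "executable named like Trilog outside the trusted install directory"))
    # Both payload files next to an executable is the deployment layout FireEye described.
    for directory, names in by_dir.items():
        if PAYLOAD_FILES <= names and any(n.endswith(".exe") for n in names):
            findings.append((directory, "inject.bin and imain.bin co-located with an executable"))
    return findings


# Constructed inventory standing in for an export from an engineering workstation.
SAMPLE_INVENTORY = [
    r"C:\Program Files\Triconex\TriStation\trilog.exe",  # genuine tool in the trusted path
    r"C:\Users\eng\Desktop\trilog.exe",                  # constructed: masquerading dropper
    r"C:\Users\eng\Desktop\inject.bin",
    r"C:\Users\eng\Desktop\imain.bin",
    r"C:\Users\eng\Desktop\readme.txt",                  # constructed filler
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for path, reason in check_inventory(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

On the constructed inventory the genuine Trilog copy is not flagged, while the desktop copy produces four findings: the masquerading executable, each payload file, and the co-location of both payload files with an executable in one directory. File names are a weak indicator on their own (they are trivial to rename), so this check is a triage aid to run alongside the YARA rules and signatures the reports refer to, not a replacement for them.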

Triton Malware Triconex

The hackers deployed the Triton malware on a Windows-based engineering workstation, and the malicious code added its own programs to the controller’s execution table. In case of a failure, the malware attempts to return the controller to a running state; if that attempt fails, it overwrites the malicious program with junk data, likely to remove any trace of the attack.

An attack against a SIS controller is very dangerous: once the controller has been compromised, the attacker can reprogram the device to trigger a safe state, with a dramatic impact on the operations of the targeted environment. Attackers could also reprogram the SIS controller so that it does not trigger protective actions when process parameters reach dangerous values.

“The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.” continues FireEye.

“If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations.”

Back to the attack detected by FireEye, hackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but experts believe they may have inadvertently triggered it during a reconnaissance phase.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory to warn its customers, recommending that the front panel key not be left in the “Program” position when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

FireEye’s report included Indicators of Compromise (IoCs) for the threat.

Signatures of the malware samples identified by FireEye have been provided to cybersecurity firms so security products should be able to detect at least some variants of the threat.

Despite the large number of infections reported on ICS systems over the years, at the time experts had identified only four pieces of ICS-tailored malware (Stuxnet, Havex, BlackEnergy2 and IRONGATE) plus Industroyer.


Serious Flaw Found in Many Siemens Industrial Products
7.12.2017 securityweek ICS
Several product lines from Siemens are affected by a serious vulnerability that can be exploited by a remote attacker to cause systems to enter a denial-of-service (DoS) condition.

The flaw, tracked as CVE-2017-12741 and rated “high severity,” was reported to Siemens by George Lashenko of industrial cybersecurity firm CyberX.

According to Siemens, the list of affected products includes SIMATIC S7-200 Smart micro-PLCs for small automation applications, some SIMATIC S7 CPUs, SIMATIC WinAC RTX software controllers, SIMATIC ET 200 PROFINET interface modules, SIMATIC PN/PN couplers, SIMATIC Compact field units, development kits for PROFINET IO, SIMOTION motion control systems, SINAMICS converters, SINUMERIK CNC automation solutions, SIMOCODE motor management systems, and SIRIUS 3RW motor soft starters.

An attacker can cause affected systems to malfunction by sending them specially crafted packets via UDP port 161, which is used for the simple network management protocol (SNMP). In order to recover from the DoS condition, the devices must be manually restarted.

In the mitigating factors section of its advisory, Siemens notes that an attacker needs network access to the device in order to exploit the flaw, and that it advises organizations to operate these devices only in trusted environments.

However, CyberX told SecurityWeek that there are roughly 2,000 Siemens devices accessible from the Internet, including approximately 400 that have an open SNMP port, which could make them vulnerable to the company’s exploit.

“DoS vulnerabilities shouldn’t be taken lightly,” CyberX said. “The December 2016 attack on the Ukrainian electrical grid used this type of exploit to disable protection relays and make it more difficult for operators to recover.”

The security firm said Siemens was very responsive to its vulnerability report. The vendor has released firmware updates that patch the flaw in some SIMATIC S7, EK-ERTEC, SIMOTION and SINAMICS products.

Until fixes become available for the other affected products, Siemens recommends disabling SNMP, which fully mitigates the vulnerability, protecting network access to port 161, applying defense-in-depth and cell protection concepts, and using VPNs.


Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs
7.12.2017 securityweek ICS
Researchers have discovered a method that hackers could use to stealthily exfiltrate data from air-gapped industrial networks by manipulating the radio frequency (RF) signal emitted by programmable logic controllers (PLCs).

Attackers may be able to plant a piece of malware on an isolated network, including via compromised update mechanisms or infected USB drives, but using that malware to send valuable data outside the organization poses its own challenges.

In the past few years, Israeli researchers have found several methods that can be used to jump the air gap, including via infrared cameras, scanners, the LEDs on routers and hard drives, heat emissions, radio signals, and the noise made by hard drives and fans. One of their proof-of-concept (PoC) malware tools, named AirHopper, uses electromagnetic signals emitted by a computer’s graphics card to send data to a nearby receiver.

Researchers at CyberX, a company that specializes in protecting industrial control systems (ICS), have found a way to apply a similar data exfiltration method to systems in air-gapped industrial networks. The method was first disclosed in October at SecurityWeek’s ICS Cyber Security Conference by CyberX VP of Research David Atch.

CyberX shows how malware can jump the air gap via PLCs

The technique relies on PLCs and the RF signals they emit. Tests were conducted using the popular Siemens S7-1200 PLC, but experts believe the attack likely works on PLCs from other vendors as well.

The exfiltration method discovered by CyberX does not leverage any vulnerabilities or design flaws in PLCs. Experts also noted that it does not involve any RF functionality in the device itself. Rather, the RF signals emitted by the device are a byproduct of repeatedly writing to the PLC’s memory in a specific way.

Researchers analyzed the radio waves from these systems and found that the frequency changes when data is written to the device’s memory. If an attacker can manipulate this frequency, they can use it to exfiltrate data bit by bit – a certain frequency represents a “0” bit and a different frequency represents a “1” bit. The signal can be captured by a nearby antenna and decoded using software-defined radio.

Writing to the PLC memory in a specific cycle that modulates the frequency of the RF signal can be achieved by uploading a specially crafted ladder diagram to the device. Ladder diagrams are created with ladder logic, a programming language used to develop software for PLCs.

An attacker who has access to the targeted organization’s systems, specifically to its industrial controllers, can upload a malicious ladder diagram to a PLC and abuse it to exfiltrate sensitive data.

In the tests it conducted, CyberX managed to transmit data at a rate of 1 bit per second over a distance of roughly 1 meter (3 feet) with an off-the-shelf antenna. However, experts believe the distance can be increased using a higher quality antenna, and improvements made to signal processing algorithms can help increase the speed of the transmission.

The exfiltrated data can be captured using various methods, such as an antenna attached to a drone flying over the site, or by an adversary posing as cleaning staff and carrying an antenna in their pocket.

While the data exfiltration rate may seem very slow, experts believe the method can be useful for stealing small pieces of information typically collected in the reconnaissance phase of an attack launched by a sophisticated threat actor, including network topology, protocols and devices, intellectual property stored in HMIs and historians, and work schedules.

Researchers warned that these types of attacks are typically difficult to detect because no security solutions run on the PLCs themselves. Furthermore, once a device has been compromised, the malicious code persists for an extended period of time, since such devices are rarely formatted.

“Organizations can prevent these types of attacks with continuous monitoring and behavioral anomaly detection,” Atch told SecurityWeek. “For example, this would immediately detect the cyber reconnaissance phase preceding data exfiltration -- such as devices scanning the network and querying devices for configuration information -- as well as unauthorized updates to PLC ladder logic code to deploy the specially-crafted code to generate encoded RF signals.”


Critical Flaw in WAGO PLC Exposes Organizations to Attacks
5.12.2017 securityweek ICS
Programmable logic controllers (PLCs) from Germany-based industrial automation company WAGO are affected by a potentially serious vulnerability that could give a remote attacker access to an organization’s entire network.

The flaw, discovered by a researcher at security services and consulting company SEC Consult, impacts Linux-based WAGO PFC200 series PLCs, specifically a total of 17 750-820X models running firmware version 02.07.07 (10). The affected devices are advertised by the vendor as ultra-compact and secure automation systems that can be used for traditional machine control, process technology, and in the offshore sector.

The security hole exists due to the use of version 2.4.7.0 of the CODESYS Runtime Toolkit. This embedded software is developed by 3S-Smart Software Solutions and it’s used by several vendors in hundreds of PLCs and other industrial controllers.

A few years ago, researcher Reid Wightman discovered that versions 2.3.x and 2.4.x of CODESYS Runtime were affected by critical access control and directory traversal vulnerabilities that could have been exploited to hack devices.

Building on Wightman’s research, SEC Consult discovered that various functions of a service named “plclinux_rt” can be accessed without authentication by sending specially crafted TCP packets on port 2455, which is the programming port.

An attacker can use this method to write, read or delete arbitrary files, which can be done with a tool created by Digital Bond several years ago for interacting with PLCs that use CODESYS. Since SSH is enabled by default on PFC200 PLCs, an unauthenticated hacker can exploit this to rewrite the /etc/shadow file, which stores password hashes, and gain root privileges on the device.

SEC Consult said the vulnerability can also be exploited to modify the PLC program during runtime and cause the device to step over a function, restart or crash.

Attack simulation on WAGO PLC

The security firm told SecurityWeek that while it hasn’t scanned the Internet for devices that can be exploited on port 2455, it has found nearly 2,500 WAGO PFC200 devices on the Web via the Censys search engine. These devices are often found in critical infrastructure organizations, including power plants, the company said.

“Because of the use in industrial and safety-critical environments the patch has to be applied as soon as it is available,” SEC Consult warned in a blog post. “We explicitly point out to all users in this sector that this device series in the mentioned device series with firmware 02.07.07(10) should not be connected directly to the internet (or even act as gateway) since it is very likely that an attacker can compromise the whole network via such a device.”

WAGO was informed about the vulnerability in August, but it has yet to release a patch. The vendor estimates that a fix will be made available in January 2018.

SEC Consult has published an advisory describing the flaw, but it will not release a proof-of-concept (PoC) exploit until a patch is available. In the meantime, the security firm has advised users to either delete the “plclinux_rt” service or close the 2455 port in order to prevent potential attacks.
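Two of the articles above end on the same detection point: David Atch (CyberX) names reconnaissance sweeps and unauthorized ladder logic updates as the behaviours to monitor for, and SEC Consult advises restricting the CODESYS programming port TCP 2455. The script below is an added example, not code from CyberX, SEC Consult, WAGO or Siemens, that applies both checks to constructed, whitespace-separated event records ("<epoch-seconds> <src-ip> <dst-ip> <dst-port> <operation>") of the kind a passive network monitor might emit. The engineering-host allow-list, the sweep thresholds and the operation names are assumptions for the example; only the 2455/CODESYS mapping comes from the text.

```python
"""Behavioural checks over ICS network events: reconnaissance sweeps,
unauthorised controller programming, and access to a programming port.

Added example, not code from CyberX, SEC Consult, WAGO or Siemens.
Event format (constructed): "<epoch-seconds> <src-ip> <dst-ip> <dst-port> <operation>".
Allow-list, thresholds and operation names are assumptions for the example.
"""
from collections import defaultdict

# Assumed: hosts permitted to program controllers (engineering workstations).
ENGINEERING_HOSTS = {"10.0.1.10"}
# From the WAGO advisory text: CODESYS Runtime 2.x programming port is TCP 2455.
PROGRAMMING_PORTS = {2455: "CODESYS programming port"}
# Assumed operation names for events that change controller logic or files.
WRITE_OPS = {"program_download", "file_write", "file_delete"}
# Assumed: one source touching this many distinct controllers within the window is a sweep.
SWEEP_THRESHOLD = 5
SWEEP_WINDOW_S = 60


def parse_event(line):
    """Parse one constructed event record into a dict."""
    ts, src, dst, port, op = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "op": op}


def detect(lines):
    """Return a list of (kind, src, target, detail) alerts for the given event lines."""
    events = [parse_event(l) for l in lines if l.strip()]
    alerts = []
    for e in events:
        from_unknown = e["src"] not in ENGINEERING_HOSTS
        if from_unknown and e["op"] in WRITE_OPS:
            # Ladder logic or file changes from anything but an engineering host.
            alerts.append(("unauthorised_write", e["src"], e["dst"],
                           f"{e['op']} from non-engineering host"))
        elif from_unknown and e["port"] in PROGRAMMING_PORTS:
            # Any other traffic to a programming port from a non-engineering host.
            alerts.append(("programming_port", e["src"], e["dst"],
                           f"tcp/{e['port']} ({PROGRAMMING_PORTS[e['port']]}) from non-engineering host"))
    # Sweep detection: distinct destinations per source inside a sliding window.
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - first["ts"] <= SWEEP_WINDOW_S]
            targets = {x["dst"] for x in window}
            if len(targets) >= SWEEP_THRESHOLD:
                alerts.append(("recon_sweep", src, f"{len(targets)} controllers",
                               f"config queries across many controllers within {SWEEP_WINDOW_S}s"))
                break  # one sweep alert per source is enough
    return alerts


# Constructed sample: a legitimate download, a sweep by an unknown host,
# then that host writing to and connecting to the programming port.
SAMPLE_LOG = """
1700000000 10.0.1.10 10.0.2.21 2455 program_download
1700000005 10.0.1.77 10.0.2.21 161 read_config
1700000006 10.0.1.77 10.0.2.22 161 read_config
1700000007 10.0.1.77 10.0.2.23 161 read_config
1700000008 10.0.1.77 10.0.2.24 161 read_config
1700000009 10.0.1.77 10.0.2.25 161 read_config
1700000120 10.0.1.77 10.0.2.21 2455 file_write
1700000130 10.0.1.77 10.0.2.21 2455 connect
1700000200 10.0.1.10 10.0.2.22 102 read_config
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

On the constructed log the engineering workstation's own download is accepted, while the unknown host 10.0.1.77 raises three alerts: a reconnaissance sweep across five controllers, a file write from a non-engineering host, and a bare connection to TCP 2455. The allow-list is what makes the programming-port check usable in practice: SEC Consult's advice to close 2455 removes the exposure entirely, but where the port must stay open for maintenance, limiting it to known engineering hosts and alerting on everything else is the monitoring equivalent.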

The company believes the vulnerability could affect devices from other vendors that use CODESYS Runtime 2.3.x or 2.4.x. These are older versions of the tool – versions 3.x are not impacted.

This is not the first time a significant number of ICS devices have been exposed to attacks due to the use of a CODESYS component. Earlier this year, CyberX warned that hundreds of thousands of Industrial Internet of Things (IIoT) and ICS devices had been vulnerable due to a critical flaw in the web server component of the CODESYS WebVisu visualization software.


ICS-CERT Advice on AV Updates Solid, But Impractical
4.12.2017 securityweek ICS
The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has offered some advice on how antivirus software should be updated in industrial environments, but the recommended method is not very practical and experts warn that organizations should not rely only on antiviruses to protect critical systems.

ICS-CERT recommendations on updating AVs in industrial networks

ICS-CERT, a component of the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), coordinates security incidents involving control systems and facilitates information sharing in an effort to reduce the risk of cyberattacks. The organization’s latest Monitor newsletter provides some advice on how organizations should update their antiviruses in ICS environments.

“Antivirus software, when properly deployed and up-to-date, is an important part of a defense-in-depth strategy to guard against malicious software (malware),” ICS-CERT said. “Such software is widely used in Information Technology (IT) and ICS infrastructures. In business IT environments, it is common practice to configure each antivirus client to update directly from the antivirus vendor; however, because ICS and IT systems require separation by the ICS demilitarized zone (DMZ), ICS systems require different antivirus update methods.”

The ICS DMZ is the level between the enterprise zone and the control network. The DMZ, in addition to historians and remote access servers, can include the antivirus, Windows Server Update Services (WSUS), and patch servers.

Since the ICS DMZ is typically not allowed to communicate directly to the Internet, updating these services cannot be done automatically from the vendor’s server. One method for updating antiviruses on these systems is to manually download the update, copy it to a removable media drive, and then connect that drive to the machine needing the update.

ICS architecture

However, the process is not as straightforward as it sounds. ICS-CERT has advised organizations to first verify the source of the update, and then download the update file to a dedicated host. The file should be scanned for malware and its cryptographic hash needs to be verified in order to ensure it hasn’t been tampered with.

The removable media drive should also be scanned for malware and write-protected (i.e. no further files can be written to it) once the update files have been copied. Before the updates are deployed on a production system, they should be tested and validated in a test environment that mimics the production machines as closely as possible.

“This process is more labor intensive than an automatic chaining of updates, but it is not prohibitively time-consuming,” ICS-CERT said. “This ‘sneakernet’ method is common in air-gapped networks. Automatically ‘daisy chaining’ the updates, which is similar to the process used in many IT environments, is convenient but not recommended.”
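The hash-verification step of the procedure above, as an added example (this is not ICS-CERT's or any antivirus vendor's code). It assumes the vendor publishes a SHA-256 digest for each update file; the file name and digest used in the demo are constructed stand-ins for those vendor values. The dedicated download host checks the file against the published digest and writes a manifest onto the media, and the receiving host re-checks every file against that manifest before the update is applied, so a file altered in transit is caught on the ICS side as well.

```python
"""Hash verification for sneakernet antivirus updates (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream large update archives in 1 MiB pieces


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large archives do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_update(path: Path, vendor_sha256: str) -> bool:
    """True only if the file matches the vendor-published digest."""
    actual = sha256_file(path)
    # compare_digest does not stop at the first differing character
    return hmac.compare_digest(actual.lower(), vendor_sha256.strip().lower())


def write_manifest(media_dir: Path, vendor_digests: dict[str, str]) -> Path:
    """Check each file on the media against its vendor digest and record it.

    Raises ValueError on any mismatch, so a tampered download never gets a
    manifest entry and therefore never reaches a production host.
    """
    entries = []
    for name, expected in vendor_digests.items():
        path = media_dir / name
        if not verify_update(path, expected):
            raise ValueError(f"{name}: digest does not match the vendor value")
        entries.append({"name": name, "sha256": expected, "size": path.stat().st_size})
    manifest = media_dir / "MANIFEST.json"
    manifest.write_text(json.dumps({"files": entries}, indent=2))
    return manifest


def check_manifest(media_dir: Path) -> list[str]:
    """Re-check every file on the media; returns the names that fail (empty = OK)."""
    manifest = json.loads((media_dir / "MANIFEST.json").read_text())
    failures = []
    for entry in manifest["files"]:
        path = media_dir / entry["name"]
        ok = (path.exists() and path.stat().st_size == entry["size"]
              and verify_update(path, entry["sha256"]))
        if not ok:
            failures.append(entry["name"])
    return failures


def demo() -> dict:
    """Run the flow on a constructed update file, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        update = media / "av_update_2017-11.bin"  # constructed sample file
        update.write_bytes(b"constructed antivirus signature update\n")
        # in practice this digest comes from the vendor's download page
        vendor_digests = {update.name: sha256_file(update)}
        write_manifest(media, vendor_digests)
        clean = check_manifest(media)
        # a single flipped byte (same size) must be caught on the receiving side
        data = bytearray(update.read_bytes())
        data[0] ^= 0x01
        update.write_bytes(bytes(data))
        tampered = check_manifest(media)
        wrong_hash = verify_update(update, "00" * 32)
        (media / "empty.bin").write_bytes(b"")
        empty_digest = sha256_file(media / "empty.bin")
    return {"clean": clean, "tampered": tampered,
            "wrong_hash": wrong_hash, "empty_sha256": empty_digest}


if __name__ == "__main__":
    print(demo())
```

The manifest records the vendor digest rather than a locally computed one, so the receiving host is always checking against the value the download host verified, not against whatever happens to be on the media.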

Experts say the method is not very practical and AVs alone are not enough

SecurityWeek has reached out to several ICS security experts for comment on the recommendations from ICS-CERT.

Anton Shipulin, an ICS security expert with Kaspersky Lab, pointed out that while the sneakernet method does work for updating protection software in air-gapped networks, in practice, organizations are having difficulties keeping their systems updated. Kaspersky often finds outdated antimalware signature databases in the ICS networks analyzed during its assessments, Shipulin said.

“For the process to work, there should be good discipline in place to carry it out regularly, as well as a technically advanced endpoint solution - with capability to get updates from centralized on-premise update servers; it’s much simpler and faster to deliver updates only to a single point,” Shipulin explained. “It’s also worth mentioning that the same process should be a requirement for all OS, control systems and device software updates (with the agreement of ICS suppliers and vendors).”

Rick Kaun, VP of solutions at industrial cybersecurity firm Verve, noted that manually applying updates can be much more complicated than the process described by ICS-CERT.

“For example, not all AV updates are the same,” Kaun explained. “If you are under warranty support with a specific vendor for a specific AV function you not only need to download the AV file, you need to either get it from the vendor or at least confirm the vendor supports it. Further, many organizations may have multiple OEM vendors each with different AV solutions so you need to follow this practice for more than one set of files on different target systems – tracking and reporting of completion becomes a challenge.”

“Now let’s add into the mix the frequency at which AV files are generated. If the files are updated once a month this is likely manageable. If they are updated weekly this is more challenging. Now what happens when AV files get updated daily or even faster than that? What is your corporate stance on AV update frequency? This is an important consideration in deciding an appropriate balance between latest and greatest definition files (maximum protection) versus significant human effort (convenience/manpower),” Kaun added.

“There are very few organizations that are able to maintain the rigor and frequency of an AV program as outlined in the ICS article. It is well written and good advice but not overly practical in day to day application without significant dedication of manpower and/or automated tools,” Kaun said.

All the experts contacted by SecurityWeek agree that antiviruses should not be relied on – especially not on their own – to protect ICS. While industrial organizations are often concerned that security software could have a negative impact on their operations, modern solutions created specifically for ICS are designed to have minimal impact while still providing comprehensive protection. Furthermore, antiviruses cannot be installed directly on critical control devices, such as PLCs and DCSs. Modern products, however, can passively monitor networks for suspicious activity, regardless of the type of device targeted.

Patrick McBride, CMO at Claroty, pointed out that security products designed for IT environments should never be used in operational technology (OT) networks.

“AV has been proven ineffective and since it is not designed to work in OT environments, you need a Rube Goldberg process just to make ineffective stuff work poorly,” McBride said. “Unfortunately, some companies rely on outdated, ineffective AV solutions because various regulations require them.”

Dana Tamir, vice president of market strategy for Indegy, pointed out another interesting aspect. While antiviruses can provide partial protection, especially against known threats, the use of traditional antiviruses may not even be possible in some organizations due to the fact that many still rely on legacy systems such as Windows NT and XP in their ICS networks, and these legacy systems may not be supported by antivirus vendors, Tamir said.

This is confirmed by a recent CyberX study, which found that three out of four industrial sites are still running outdated operating systems in their ICS networks.

“[ICS-CERT’s advice] ignores the reality that many ICS environments aren't installing any Windows security patches or running any AV protection whatsoever because of unsupported OSs like Windows 2000 and XP,” Phil Neray, VP of Industrial Cybersecurity at CyberX, told SecurityWeek.

Tamir also noted that an organization can install antiviruses on all managed computers, but if it doesn’t use a more comprehensive solution to monitor unmanaged endpoints, threats can make it into the organization’s ICS network via the devices brought in by integrators and consultants.


Siemens Patches Several Flaws in Teleprotection Devices
2.12.2017 securityweek ICS
Siemens has patched several vulnerabilities, including authentication bypass and denial-of-service (DoS) flaws, in its SWT 3000 teleprotection devices.

The SWT 3000 teleprotection devices are designed for quickly identifying and isolating faults in high-voltage power grids. This Siemens product is used in the energy sector worldwide.

According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware.

The flaws can be exploited to bypass authentication to the web interface and perform administrative operations (CVE-2016-7112, CVE-2016-7114), and to cause devices to enter a DoS condition by sending specially crafted packets (CVE-2016-7113).

Flaws related to the product’s web server can be leveraged by a network attacker to obtain sensitive device information (CVE-2016-4784), and data from the device’s memory (CVE-2016-4785).

The security holes have been addressed in IEC 61850 firmware with the release of version 4.29.01. The TPOP firmware is affected by only three of the flaws. These have been fixed with the release of version 01.01.00.

As is apparent from the CVE identifiers, these vulnerabilities were actually discovered last year. They were reported to Siemens via ICS-CERT by researchers at HackerDom and Kaspersky Lab.

Siemens and ICS-CERT disclosed CVE-2016-4784 and CVE-2016-4785 in May 2016, when they warned that the flaws had affected SIPROTEC 4 and SIPROTEC Compact devices. An advisory published in September 2016 warned that the same products were also affected by CVE-2016-7112, CVE-2016-7114 and CVE-2016-7113.

In July 2017, Siemens informed customers that all five vulnerabilities also impacted Reyrolle devices, which provide a wide range of integrated protection, control, measurement, and automation functions for electrical substations.


Industrial Cybersecurity Startup SCADAfence Secures $10 Million
2.12.2017 securityweek ICS
Israeli industrial cybersecurity startup SCADAfence has secured $10 million in funding through a recently announced Series A round.

The Tel Aviv-based company explains that it helps industrial network operators bridge the cybersecurity gap that comes when connecting operational technology (OT) and IT networks to ensure operational continuity and the security of valuable assets.

SCADAfence’s solutions provide visibility of day-to-day operations, detection of malicious cyber-attacks as well as non-malicious operational threats, and risk management tools.

According to the company, the funding will help support expansion of its R&D center in Tel-Aviv and global business development teams to meet growing demand across North America, Asia and Europe.

SCADAFence's customers include Global Fortune 500 companies in the automotive, pharmaceutical, chemical and energy industries.

Investors in the Series A round include JVP, NexStar Partners, 31Ventures Global Innovation Fund, GB-VI Growth Fund Investment Limited Partnership managed by Global Brain, iAngels and DS Strategic Partners.

SCADAFence is one of several security startups targeting the industrial space that have recently raised funding. Others include Dragos, Indegy, Bayshore Networks, CyberX, Claroty, and Nozomi Networks. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted to the industrial sector, recently raised $75 million at a valuation of $825 million. All of these companies have participated in SecurityWeek’s ICS Cyber Security Conference series.


Recently Patched Dnsmasq Flaws Affect Siemens Industrial Devices
29.11.2017 securityweek ICS
Some of the vulnerabilities discovered recently by Google researchers in the Dnsmasq network services software affect several Siemens SCALANCE industrial communications products.

Dnsmasq is a lightweight tool designed to provide DNS, DHCP, router advertisement and network boot services for small networks. It can be found in Linux distributions, smartphones, routers, and many Internet of Things (IoT) devices.

Google’s security team recently found that the tool is affected by seven flaws, including ones that can be exploited via DNS or DHCP for remote code execution, information disclosure, and denial-of-service (DoS) attacks. Linux distributions, Amazon, Cisco, Synology, Sophos and other companies warned customers about the potential risks shortly after the issues were disclosed in early October.

Earlier this month, Siemens also published an advisory to inform customers that four of the seven vulnerabilities affect some of its SCALANCE products, including W1750D controller-based direct access points, M800 industrial routers, and S615 firewalls.

Three of the flaws affecting Siemens devices, CVE-2017-13704, CVE-2017-14495 and CVE-2017-14496, can be exploited to crash the Dnsmasq process by sending specially crafted requests to the service on UDP port 53.

The SCALANCE products are also impacted by CVE-2017-14491, one of the most serious vulnerabilities discovered by Google researchers in Dnsmasq. This security hole allows an attacker to cause a DoS condition or possibly execute arbitrary code.

“In order to exploit this vulnerability, an attacker must be able to trigger DNS requests from the device, and must be in a position that allows him to inject malicious DNS responses, e.g. the attacker must be in a Man-in-the-Middle position,” Siemens said.

The company says it’s preparing patches for the vulnerable products. In the meantime, it has advised customers to apply defense-in-depth recommendations, deploy firewall rules to block incoming traffic on UDP port 53 (applies to W1750D if OpenDNS, Captive Portal or URL redirection functionality is not used), and disable the DNS proxy and configure devices to use a different DNS server (applies to M800 and S615).

Siemens has also reported the vulnerabilities to ICS-CERT, which also published an advisory this week.


Recently Patched Dnsmasq Flaws Still Affect Siemens Industrial Devices
29.11.2017 securityaffairs ICS

Siemens published a security advisory to confirm that four of the seven Dnsmasq vulnerabilities affect some of its SCALANCE products
In October, Google security experts disclosed seven distinct vulnerabilities in the Dnsmasq software package.

From the authors’ website, “Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot.” In practice, the Dnsmasq code has been widely leveraged in routers, firewalls, IoT devices, virtualization frameworks and even mobile devices when you need to set up a portable hotspot. In other words, there is a lot of Dnsmasq code “in the wild” and bugs in this code could be a big deal depending on the nature of the vulnerabilities.

Dnsmasq can be found in Linux distributions, smartphones, routers, and many IoT devices.

Siemens, like other companies, warned of the risks related to the set of flaws discovered by Google. Siemens published a security advisory to confirm that four of the seven vulnerabilities affect some of its SCALANCE products, including W1750D controller-based direct access points, M800 industrial routers, and S615 firewalls.

The ICS-CERT also published an advisory on the flaws affecting Siemens products.

Three of the vulnerabilities (CVE-2017-13704, CVE-2017-14495 and CVE-2017-14496) can be exploited by attackers to crash the Dnsmasq process by sending specially crafted requests to the service on UDP port 53.

“Vulnerability 1 (CVE-2017-13704) – An attacker can cause a crash of the DNSmasq process by sending specially crafted request messages to the service on port 53/udp” reads the advisory.


The Siemens SCALANCE products are also affected by the CVE-2017-14491 flaw, which could be exploited by attackers to trigger a DoS condition or possibly execute arbitrary code on the vulnerable device.

“An attacker can cause a crash or potentially execute arbitrary code by sending specially crafted DNS responses to the DNSmasq process. In order to exploit this vulnerability, an attacker must be able to trigger DNS requests from the device, and must be in a position that allows him to inject malicious DNS responses, e.g. the attacker must be in a Man-in-the-Middle position.” continues the advisory.

Siemens is working on security patches to address the Dnsmasq flaws in its products. Until the fixes are available, users should apply the suggested mitigations: firewall rules to block incoming traffic on UDP port 53 (applies to W1750D if OpenDNS, Captive Portal or URL redirection functionality is not used), and disabling the DNS proxy and configuring devices to use a different DNS server (applies to M800 and S615).


Flaws in Siemens Building Automation Controllers open to hack. Fix them asap
16.10.2017 securityaffairs ICS

Siemens has released a firmware update that addresses two vulnerabilities in its BACnet Field Panel building automation controllers.
This week Siemens has released a firmware update for its BACnet Field Panel building automation products that solved two vulnerabilities, one of which is classified as high severity.

The vulnerabilities affect APOGEE PXC and TALON TC BACnet automation controllers running firmware versions prior to 3.5. Both families of affected devices are widely used in commercial facilities to control heating, ventilation and air conditioning (HVAC) equipment.


The first flaw, tracked as CVE-2017-9946, is classified as high severity and obtained a CVSS score of 7.5.

According to the security advisory published by US-CERT, an unauthenticated attacker with access to the integrated web server can exploit the flaws to download sensitive information.

“Successful exploitation of these vulnerabilities could allow unauthenticated attackers with access to the integrated webserver to download sensitive information.” states the US-CERT.

The BACnet Field Panel allows facility operators to easily configure, monitor and control the automation controllers. Attackers can bypass the authentication mechanism to download sensitive information from a device.

The company downplayed the flaw because the attacker requires network access to the web server.

A second security vulnerability, tracked as CVE-2017-9947, is a directory traversal issue that could be exploited by an attacker to obtain information on the structure of the file system on vulnerable devices. Exploitation of this vulnerability also requires network access to the web server.

Below is the information provided by Siemens:

“Vulnerability 1 (CVE-2017-9946) – An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication and download sensitive information from the device.
CVSS Base Score 7.5
CVSS Vector CVSS:3.0”

and
“Vulnerability 2 (CVE-2017-9947) – A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices.
CVSS Base Score 5.3
CVSS Vector CVSS:3.0”

Siemens addressed both vulnerabilities with the release of firmware version 3.5 for BACnet Field Panel Advanced modules.

Affected organizations need to install the security updates as soon as possible.


Thousands of Malware Variants Found on Industrial Systems: Kaspersky
28.9.2017 securityweek ICS
Kaspersky said it had detected roughly 18,000 malware samples belonging to more than 2,500 families on industrial control systems (ICS) in the first half of 2017.

According to the company’s “Threat Landscape for Industrial Automation Systems” report for the first six months of the year, nearly 38 percent of the industrial systems protected globally by its products were targeted during this period. This is 1.6 percent less than in the second half of 2016.

Attempts to download malware or access malicious websites (e.g. phishing pages) were blocked by the company’s products on over 20 percent of the protected ICS devices.

Windows malware was neutralized on more than half of targeted systems. However, in many cases, attackers used scripting languages such as VBS, JavaScript, .NET, AutoCAD, Word macros and Java to implement malicious functionality.

“For computers that are part of industrial infrastructure, the Internet remains the main source of infection,” Kaspersky said in its report. “Contributing factors include interfaces between corporate and industrial networks, availability of limited Internet access from industrial networks, and connection of computers on industrial networks to the Internet via mobile phone operators’ networks (using mobile phones, USB modems and/or Wi-Fi routers with 3G/LTE support).”

The security firm, which last year launched a global computer emergency response team (CERT) focusing on ICS, noted that the number of attacks on these systems dropped in January, but returned to previous levels in the next months.

Kaspersky pointed out that many of the threats targeting ICS in the first half of 2017 were ransomware. The company’s products identified 33 different file-encrypting ransomware families on industrial automation systems.

Unsurprisingly, the highest percentage of attacks involved the notorious WannaCry ransomware, which leveraged NSA-linked exploits that can be triggered without user interaction.

Rockwell Automation, Schneider Electric, Honeywell, Siemens, ABB and other ICS providers published alerts at the time to warn customers about the possibility of being hit by WannaCry.

Ransomware families targeting ICS


Threat Landscape for Industrial Automation Systems in H1 2017
28.9.2017 Kaspersky ICS
Full report (PDF)
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017.

All statistical data used in this report was collected using the Kaspersky Security Network (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers.

The data was received from computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:

supervisory control and data acquisition (SCADA) servers,
data storage servers (Historian),
data gateways (OPC),
stationary workstations of engineers and operators,
mobile workstations of engineers and operators,
Human Machine Interface (HMI).
This group also includes computers of employees at contractor organizations and computers of industrial control network administrators and software developers who develop software for industrial automation systems.

Main Events
In April, the Shadow Brokers hacker group opened access to a National Security Agency (NSA) archive containing exploits and attack tools.

At first, Shadow Brokers tried to sell their archive. Later, most of it was published. The data that was made public included exploits for network equipment and routers, for banking systems, for UNIX-like systems and for various versions of Windows. Some of the vulnerabilities published were previously unknown zero-day vulnerabilities.

In June 2017, the results of research into the CrashOverride/Industroyer malware were published. Experts from ESET and Dragos Inc., as well as a number of independent researchers, came to the conclusion that the malware was designed to disrupt the operation of industrial control systems (ICS), particularly electrical substations. CrashOverride/Industroyer is capable of directly controlling switches and circuit breakers in electrical substation circuits.

Kaspersky Lab ICS CERT experts reported on Business Email Compromise (BEC) attacks carried out by Nigerian threat actors that were primarily targeting industrial and large transportation and logistics companies. In the attacks analyzed by Kaspersky Lab, industrial companies account for over 80% of potential victims. All in all, over 500 attacked companies were discovered in more than 50 countries.

An important development in the first six months of 2017 was the leak of an archive from a special unit of the US Central Intelligence Agency. The archive included information on CIA hacking tools: malware, including zero-day exploits, malicious remote access tools and related documentation. Part of the archive was published on WikiLeaks.

Ransomware has become a significant threat for companies, including industrial enterprises. It is particularly dangerous for enterprises that have critical infrastructure facilities, since malware activity can disrupt industrial processes.

During the first six months of 2017, attacks by encryption ransomware belonging to 33 different families were blocked on ICS computers. Fortunately, we did not find any dedicated programs designed specifically to block industrial automation software among the malware samples detected.

Based on the number of machines attacked, WannaCry ranked highest in the first half of 2017 – it accounted for 13.4% of all computers in industrial infrastructure attacked by encryption ransomware.
TOP 10 most widespread encryption Trojan families, H1 2017

WannaCry infections were possible because of typical industrial network configuration errors. We analyzed all infection pathways and came to the conclusion that in most cases industrial automation systems had been attacked by WannaCry malware from the local corporate network and through VPN connections.

Threat Statistics
In the first half of 2017, Kaspersky Lab products blocked attack attempts on 37.6% of ICS computers protected by them globally, which is 1.6 percentage points less than in the second half of 2016.

While the proportion of machines attacked grew from one month to the next in the second half of 2016, the dynamics were somewhat different in the first six months of 2017. We saw attacker activity fall in January, then the proportion of computers attacked rose back to its former level in February and March and then it gradually declined again from April to June.
Percentage of ICS computers attacked globally by month,
July 2016 – June 2017

In terms of the use cases and the technologies used, industrial networks are becoming increasingly similar to corporate networks. Consequently, the threat landscape for industrial systems is becoming similar to the threat landscape for corporate systems.

About 18,000 different modifications of malware belonging to more than 2,500 different families were detected on industrial automation systems in the first half of 2017.

In the first half of 2017, attempts to download malware from the Internet or access known malicious or phishing web resources were blocked on 20.4% of ICS computers.

For computers that are part of industrial infrastructure, the Internet remains the main source of infection. Contributing factors include interfaces between corporate and industrial networks, availability of limited Internet access from industrial networks, and connection of computers on industrial networks to the Internet via mobile phone operators’ networks (using mobile phones, USB modems and/or Wi-Fi routers with 3G/LTE support).
Main sources of threats blocked on ICS computers, H1 2017

Malware in the form of Windows (Win32/Win64) executable files was blocked on more than 50% of all computers attacked. Instead of developing an executable file, threat actors often implement malicious functionality using a script language, which is executed by interpreters that are already installed on the computer of a would-be victim. A ranking of the main platforms used by malware apart from Windows is provided below.
Platforms used by malware, H1 2017

Note that attackers often use small loaders written in JavaScript, Visual Basic Script or PowerShell, which are launched using command-line parameters for the relevant interpreters.
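One way to hunt for the script loaders described above in process-creation telemetry, as an added example that is not Kaspersky Lab's detection logic. It assumes a simplified, constructed pipe-delimited record format (timestamp|host|parent_image|image_path|command_line) rather than any real product's log format; the hosts, paths and the encoded blob in the sample records are invented. It flags wscript, cscript and PowerShell launches whose command line points at a script in a user-writable directory, uses hidden or encoded PowerShell switches, or comes from an Office parent process, while a vendor maintenance script under Program Files is left alone.

```python
"""Flag script-interpreter loaders in process-creation records (added example)."""
from __future__ import annotations

import re

SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# script file types the interpreters above execute
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|ps1)\b", re.IGNORECASE)
# directories an ordinary user can write to; Program Files does not match
USER_WRITABLE = re.compile(r"\\(?:Users|Temp|AppData|Downloads|ProgramData)\\", re.IGNORECASE)
# switches loaders use to stay quiet: no profile, hidden window, encoded command
PS_SUSPICIOUS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b",
    re.IGNORECASE,
)

# constructed sample records (assumed format, not a real product's log)
CONSTRUCTED_LOG = r"""
2017-05-12T08:01:14Z|hmi-01|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
2017-05-12T08:02:40Z|hmi-01|explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\oper\AppData\Local\Temp\invoice.js
2017-05-12T08:03:05Z|eng-ws-02|winword.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
2017-05-12T08:05:22Z|scada-srv|services.exe|C:\Windows\System32\cscript.exe|cscript.exe //B "C:\Program Files\Vendor\maint.vbs"
2017-05-12T09:10:00Z|hmi-01|explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Service
"""


def analyze_record(line: str) -> dict | None:
    """Return a finding for one record, or None if it is not a loader pattern."""
    fields = line.split("|", 4)
    if len(fields) != 5:
        return None
    ts, host, parent, image, cmdline = fields
    image_name = image.rsplit("\\", 1)[-1].lower()
    if image_name not in SCRIPT_INTERPRETERS:
        return None
    reasons = []
    if SCRIPT_FILE.search(cmdline) and USER_WRITABLE.search(cmdline):
        reasons.append("script file in user-writable path")
    if image_name == "powershell.exe" and PS_SUSPICIOUS.search(cmdline):
        reasons.append("hidden or encoded PowerShell invocation")
    if parent.lower() in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    if not reasons:
        return None
    return {"time": ts, "host": host, "image": image_name, "reasons": reasons}


def scan_log(text: str) -> list[dict]:
    """Run analyze_record over every non-empty line and keep the findings."""
    records = (analyze_record(line) for line in text.splitlines() if line.strip())
    return [finding for finding in records if finding]


if __name__ == "__main__":
    for finding in scan_log(CONSTRUCTED_LOG):
        print(finding)
```

On the sample records only the wscript launch from a Temp directory and the hidden, encoded PowerShell spawned by Word are reported; the cscript maintenance job run by a service from Program Files and the interactive Get-Service call pass, which is the distinction an ICS operator needs so the rule does not page on routine vendor scripts.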


Hackers can remotely access Smiths Medical Syringe Infusion Pumps to kill patients
11.9.2017 securityaffairs ICS

US-CERT is warning that hackers can remotely access Smiths Medical syringe infusion pumps to take control of them and kill patients.
IoT devices continue to expand our attack surface, and in some cases their lack of security can put lives in danger.

Consider, for example, medical devices that could be hacked by attackers, with serious consequences.
Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers because they are vulnerable to hacking, and affected people in the United States were urged to get their pacemakers updated.

In May, researchers from security firm White Scope analyzed seven pacemaker models commercialized by four different manufacturers and discovered that the medical devices could be hacked with “commercially available” equipment costing between $15 and $3,000.

The FDA recalled the 465,000 pacemakers after discovering security vulnerabilities that could be exploited by hackers to reprogram the medical devices to run the batteries down or, in a terrifying hacking scenario, to modify the patient’s heartbeat.

The good news is that there are no reports of hacked pacemakers yet.

News of the day is that Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps used in acute critical care settings could be remotely controlled by attackers.

The medical devices are used worldwide for intensive care such as neonatal and pediatric intensive care and the surgery room.

The remotely exploitable vulnerabilities were discovered by independent researcher Scott Gayou, who found eight flaws in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps.

The bad news is that Smiths Medical will only fix the flaws in a new product version that it plans to release in January 2018.

“Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.” reads the advisory published by the NCCIC/ICS-CERT.

“These vulnerabilities could be exploited remotely.”

The following Medfusion 4000 Wireless Syringe Infusion Pump versions are affected by the vulnerabilities:

Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1,
Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5, and
Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6

Some of the flaws are high in severity and can be remotely exploited to “gain unauthorized access and impact the intended operation of the pump.”

“Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.” continues the US-CERT.

The most severe issue, CVE-2017-12725, is related to the presence of hard-coded credentials used to automatically establish a wireless connection to a device with a default configuration.

The vulnerability has been rated with a CVSS score of 9.8.

The list of high-severity vulnerabilities includes:

CVE-2017-12718 – BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) – A buffer overflow vulnerability that could be exploited for remote code execution on the affected device.
CVE-2017-12720 – IMPROPER ACCESS CONTROL – The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections.
CVE-2017-12724 – USE OF HARD-CODED CREDENTIALS – The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the pump is configured to allow FTP connections.
CVE-2017-12721 – IMPROPER CERTIFICATE VALIDATION – The pump does not validate host certificates, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.
The other vulnerabilities are medium severity flaws that could be exploited by hackers:

to crash the communications and operational modules of the medical device.
to authenticate to telnet using hard-coded credentials.
to obtain passwords from configuration files.
ICS-CERT provided recommendations to help healthcare organizations protect the devices, including:

disconnecting the pump from the network until the product fix can be applied;
disabling the FTP server on the pump;
assigning static IP addresses to pumps;
closing unused ports;
considering the use of virtual local area networks (VLANs) to segment the Medfusion 4000 infusion pumps;
monitoring network activity for malicious servers;
using strong passwords;
monitoring and logging all network traffic attempting to reach the affected products;
regularly creating backups.
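A flow-record check that implements the segmentation and monitoring recommendations above, as an added example (not code from ICS-CERT or Smiths Medical). It assumes the pumps sit on their own VLAN, that a single pump server is the only host outside that VLAN meant to reach them, and that the site exports connection records in a simplified "timestamp src_ip dst_ip dst_port proto" format; the subnet, addresses, application port and records below are all constructed. Every TCP session to a pump on the FTP or telnet ports (the services the advisory says to disable) and every session to a pump from a source that is neither in the pump VLAN nor the pump server is reported.

```python
"""Police connections towards infusion pumps in flow records (added example)."""
from __future__ import annotations

import ipaddress

PUMP_VLAN = ipaddress.ip_network("10.20.30.0/24")      # constructed pump segment
PUMP_SERVERS = {ipaddress.ip_address("10.20.10.5")}     # constructed: only host allowed in
# services the advisory says to disable on the pump; any session is a finding
RISKY_PORTS = {21: "FTP", 23: "telnet"}

# constructed records; 8443 stands in for the pump's legitimate application port
CONSTRUCTED_FLOWS = """\
2017-09-08T10:00:01Z 10.20.10.5 10.20.30.41 8443 tcp
2017-09-08T10:00:07Z 10.20.30.41 10.20.10.5 8443 tcp
2017-09-08T10:02:13Z 10.20.30.42 10.20.30.41 21 tcp
2017-09-08T10:03:55Z 192.168.5.77 10.20.30.41 23 tcp
2017-09-08T10:04:20Z 10.20.10.5 10.20.30.43 21 tcp
2017-09-08T10:05:00Z 192.168.5.77 10.20.30.44 8443 tcp
"""


def check_flow(record: str) -> dict | None:
    """Return a finding for one record, or None if the session is acceptable."""
    ts, src, dst, port, proto = record.split()
    src_ip, dst_ip, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    if dst_ip not in PUMP_VLAN:
        return None  # only sessions towards a pump are policed here
    reasons = []
    if proto == "tcp" and dport in RISKY_PORTS:
        reasons.append(f"{RISKY_PORTS[dport]} session to pump")
    if src_ip not in PUMP_VLAN and src_ip not in PUMP_SERVERS:
        reasons.append("source outside pump VLAN and not a pump server")
    if not reasons:
        return None
    return {"time": ts, "src": src, "dst": dst, "port": dport, "reasons": reasons}


def check_flows(text: str) -> list[dict]:
    """Run check_flow over every non-empty record and keep the findings."""
    findings = (check_flow(line) for line in text.splitlines() if line.strip())
    return [finding for finding in findings if finding]


if __name__ == "__main__":
    for finding in check_flows(CONSTRUCTED_FLOWS):
        print(finding)
```

The pump-to-pump FTP session is reported even though it never leaves the VLAN, since the advisory's concern is the FTP service itself, not only where the client sits; the telnet attempt from the office range trips both rules at once.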


Hackers Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses
10.9.2017 thehackernews
Vulnerability  ICS

The Internet of Things is turning every industry into the computer industry, making customers think that their lives would be much easier with smart devices. However, such devices could potentially be compromised by hackers.
There are, of course, some really good reasons to connect certain devices to the Internet.
But does everything need to be connected? Of course, not—especially when it comes to medical devices.
Medical devices are increasingly found vulnerable to hacking. Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers after they were found vulnerable to hackers.
Now, it turns out that a syringe infusion pump used in acute care settings could be remotely accessed and manipulated by hackers to impact the intended operation of the device, ICS-CERT warned in an advisory issued on Thursday.
An independent security researcher has discovered not just one or two, but eight security vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pump, which is manufactured by Minnesota-based speciality medical device maker Smiths Medical.
The devices are used across the world for delivering small doses of medication in acute critical care, such as neonatal and pediatric intensive care and the operating room.
Some of the vulnerabilities discovered by Scott Gayou are high in severity and can easily be exploited by a remote attacker to "gain unauthorized access and impact the intended operation of the pump."
According to the ICS-CERT, "Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump."
The most critical vulnerability (CVE-2017-12725) has been given a CVSS score of 9.8 and is related to the use of hard-coded usernames and passwords to automatically establish a wireless connection if the default configuration is not changed.
The high-severity flaws include:
A buffer overflow bug (CVE-2017-12718) that could be exploited for remote code execution on the target device in certain conditions.
Lack of authentication (CVE-2017-12720) if the pump is configured to allow FTP connections.
Presence of hard-coded credentials (CVE-2017-12724) for the pump's FTP server.
Lack of proper host certificate validation (CVE-2017-12721), leaving the pump vulnerable to man-in-the-middle (MitM) attacks.
The remaining are medium severity flaws which could be exploited by attackers to crash the communications and operational modules of the device, authenticate to telnet using hard-coded credentials, and obtain passwords from configuration files.
These vulnerabilities impact devices that are running versions 1.1, 1.5 and 1.6 of the firmware, and Smiths Medical has planned to release a new product version 1.6.1 in January 2018 to address these issues.
But in the meantime, healthcare organizations are recommended to apply some defensive measures including assigning static IP addresses to pumps, monitoring network activity for malicious servers, installing the pump on isolated networks, setting strong passwords, and regularly creating backups until patches are released.


Smiths Medical to Patch Serious Flaws in Syringe Infusion Pumps

8.9.2017 securityweek ICS
Minnesota-based speciality medical device manufacturer Smiths Medical is working to address several potentially serious vulnerabilities affecting some of the company’s wireless syringe infusion pumps.

According to an advisory published on Thursday by ICS-CERT, Smiths Medical’s Medfusion 4000 wireless syringe infusion pumps, which are used worldwide to deliver small doses of medication from a syringe in acute care settings, are affected by eight vulnerabilities that can be exploited remotely.

The flaws, discovered by independent researcher Scott Gayou, affect products running versions 1.1, 1.5 and 1.6 of the firmware. The vendor has promised to patch the weaknesses with the release of version 1.6.1 in January 2018, and in the meantime it recommends applying a series of defensive measures.

Only a few details have been made public about each vulnerability in order to prevent exploitation, but ICS-CERT’s advisory shows that several of the flaws are considered critical or high severity.

“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” ICS-CERT warned.

The most serious security hole, tracked as CVE-2017-12725 with a CVSS score of 9.8, is related to the use of hardcoded credentials to automatically establish a wireless network connection if the default configuration is not changed.

Vulnerabilities found in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump

The list of high severity vulnerabilities includes a buffer overflow that can be exploited for code execution in certain conditions (CVE-2017-12718), the lack of authentication and the presence of hardcoded credentials for the device’s FTP server (CVE-2017-12720 and CVE-2017-12724), and the lack of proper host certificate validation (CVE-2017-12721), which exposes the pump to man-in-the-middle (MitM) attacks.
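What "proper host certificate validation" means for a TLS client, shown as an added example (not code from Smiths Medical, ICS-CERT or the researcher): the weak client setting that accepts any certificate sits beside the hardened one that requires a trusted chain and a certificate naming the server. The hostname rule is the RFC 6125 left-most-label wildcard match that Python's ssl module applies when check_hostname is enabled; the example hostnames are constructed.

```python
"""Host certificate validation: weak TLS client setting beside the hardened one.

Added example, not code from the vendor or the advisory. The hostnames used in
the docstrings and tests are constructed.
"""
import ssl


def weak_client_context():
    """Accepts any certificate: a man-in-the-middle can present its own key and
    read or alter traffic, which is the exposure behind the pump's MitM flaw."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=""):
    """Requires a chain to a trusted CA and a certificate that names the server."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_bundle:                        # pin to the operator's own CA if one exists
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise the two settings that decide whether an MitM is detected."""
    return {"verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": bool(ctx.check_hostname)}


def hostname_matches(pattern, host):
    """RFC 6125 style match of one subjectAltName dNSName against a host name.
    A wildcard may only be the whole left-most label and needs two more labels,
    so '*.example' never matches and '*.a.example' matches 'b.a.example' only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names_host(san_dns_names, host):
    """True if any dNSName in the certificate's subjectAltName matches host."""
    return any(hostname_matches(name, host) for name in san_dns_names)
```

With the weak context a pump (or any client) would complete a handshake with whoever answers on the wire; with the hardened one the connection fails unless the presented chain is trusted and one of its names matches the server the client meant to reach.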

The remaining flaws have been classified as having medium severity and they allow an attacker to crash the device’s communications module (without impacting the therapeutic module), authenticate to telnet via hardcoded credentials, and obtain passwords from configuration files.

Until patches are released, the vendor has advised customers to assign static IP addresses to pumps, monitor network activity for malicious DNS and DHCP servers, install the device on isolated networks, set strong and unique passwords, and regularly create backups.

Additionally, ICS-CERT recommends disabling the FTP server, closing unused ports, monitoring network traffic going to the pump, placing devices behind firewalls, and even temporarily disconnecting the pump from the network until patches become available.
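The monitoring advice above (watch for malicious DNS and DHCP servers, log traffic reaching the pumps, keep FTP switched off) can be turned into a simple check over flow records. The following is an added example, not code from ICS-CERT or Smiths Medical: the record format, the pump VLAN addresses, the authorized-server lists and the sample records are all constructed for illustration.

```python
"""Flag rogue DHCP/DNS servers and FTP/telnet traffic towards infusion pumps.

Added example applying the advisory's monitoring recommendations to constructed
flow records. Addresses, record format and sample lines are assumptions.
"""
from dataclasses import dataclass

# Assumed: pumps sit on their own VLAN with static addresses (constructed).
PUMP_ADDRESSES = {"10.50.1.11", "10.50.1.12", "10.50.1.13"}
# Assumed: only these servers may answer DHCP and DNS on the pump VLAN.
AUTHORIZED_DHCP = {"10.50.1.1"}
AUTHORIZED_DNS = {"10.50.1.2"}
# FTP and telnet should be disabled on the pump, so any use of them is suspect.
FORBIDDEN_PUMP_PORTS = {21: "ftp", 23: "telnet"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one constructed record of the form 'src:sport -> dst:dport proto'."""
    left, right = line.split("->")
    src, sport = left.strip().rsplit(":", 1)
    dst_port, proto = right.strip().split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), proto.lower())


def check_flow(flow):
    """Return a list of findings (possibly empty) for one flow."""
    findings = []
    # DHCP offers/acks travel from server port 67 to client port 68.
    if flow.proto == "udp" and flow.sport == 67 and flow.dport == 68:
        if flow.src not in AUTHORIZED_DHCP:
            findings.append(f"rogue DHCP server {flow.src} answering {flow.dst}")
    # DNS answers come from server port 53; only the sanctioned resolver may answer a pump.
    if flow.proto == "udp" and flow.sport == 53 and flow.dst in PUMP_ADDRESSES:
        if flow.src not in AUTHORIZED_DNS:
            findings.append(f"rogue DNS server {flow.src} answering pump {flow.dst}")
    # FTP/telnet towards a pump means a service that should be off is reachable.
    if flow.proto == "tcp" and flow.dst in PUMP_ADDRESSES and flow.dport in FORBIDDEN_PUMP_PORTS:
        svc = FORBIDDEN_PUMP_PORTS[flow.dport]
        findings.append(f"{svc} connection from {flow.src} to pump {flow.dst}")
    return findings


def audit(lines):
    """Run check_flow over every non-empty record and collect the findings."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(check_flow(parse_flow(line)))
    return out


# Constructed sample records, not a real capture.
SAMPLE = """
10.50.1.1:67 -> 10.50.1.11:68 udp
10.50.1.99:67 -> 10.50.1.12:68 udp
10.50.1.2:53 -> 10.50.1.11:40123 udp
10.50.1.77:53 -> 10.50.1.13:40124 udp
10.50.2.5:51000 -> 10.50.1.11:21 tcp
10.50.2.5:51001 -> 10.50.1.11:443 tcp
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE.splitlines()):
        print(finding)
```

On the sample the check reports the unauthorized DHCP server, the unauthorized DNS server and the FTP connection, and stays silent on the sanctioned servers and the HTTPS flow. In practice the records would come from a span port or flow exporter on the pump VLAN, which is also where the static-address and VLAN recommendations make such an allowlist feasible.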


Dragos Raises $10 Million to Protect Critical Infrastructure From Cyber Attacks

15.8.2017 securityweek  ICS
Dragos, a startup focused on protecting industrial control systems (ICS) and critical infrastructure from cyber threats, announced on Monday that it has raised $10 million through a Series A funding round.

According to Hanover, Maryland-based Dragos, the new funding will be used to hire additional staff to support rising customer demand fueled by recently announced partnerships with Deloitte and CrowdStrike.

Founded in May 2016, Dragos has three core offerings, along with its CyberLens network assessment tool. The three core offerings are the Dragos Platform, the Dragos Threat Operations Center and Global ICS Intelligence.

“This combination gives customers access to technology to monitor and respond to threats in the ICS, along with intelligence to make informed decisions about threats,” the company explains. “Services range from threat hunting to incident response, as well as lightweight software for routine assessments.”

Dragos has been under the spotlight recently for its analysis and report on CRASHOVERRIDE (AKA Industroyer), the malware used to disrupt power in a cyber attack against Ukraine’s national power company Ukrenergo last December. CRASHOVERRIDE is the only known malware that has successfully disrupted the electrical grid.

The company’s biggest technological differentiator is its behavioral analytics. Instead of “anomaly detection” and other types of machine learning-driven technologies that are hitting the market, the approach of Dragos is to codify human experience facing human adversaries. It identifies adversary tradecraft and turns it into behavioral analytics. As a result, defenders get context of what is going on and recommendations on what to do next, not merely a series of alerts.

Dragos was founded by Robert M. Lee, Jon Lavender and Justin Cavinee, former members of the U.S. intelligence community who worked on identifying, analyzing and responding to ICS-focused cyberattacks coming from nation-state attackers.

“Dragos exists to safeguard civilization,” said Lee, who serves as CEO of Dragos. “Critical infrastructure powers the global economy and the fabric of modern society.”

“We all strongly believe that civilian infrastructure should be off limits to any adversaries, no matter where the infrastructure is located in the world,” added Lee, who will be speaking on the subject of CRASHOVERRIDE at SecurityWeek’s 2017 ICS Cyber Security Conference in October.

The Series A round was led by investors Energy Impact Partners (EIP) and Allegis Capital. Additional support was provided by DataTribe, a cybersecurity “startup studio” that initially funded the company with a $1.2 million Seed round in August 2016.

“Industrial control systems are unique unto themselves – hybrid digital and analog environments with very different operational temperaments,” said Bob Ackerman, founder and a Managing Director of cybersecurity investment firm Allegis Capital. “Unless you have lived your life in this environment, you can’t truly appreciate how different or complex ICS systems are.”


Engineering Firm Exposed Electrical Infrastructure Details: Researchers

10.8.2017 securityweek  ICS
Misconfiguration issues with systems operated by Texas-based electrical engineering operator Power Quality Engineering (PQE) resulted in the information of various clients being exposed to the Internet, along with sensitive corporate information from PQE itself, UpGuard security researchers warn.

A port configured for public access and used for rsync server synchronization exposes data of clients such as Dell, the City of Austin, Oracle, and Texas Instruments, among others. A browser is all that an interested actor would need to access and download sensitive electrical infrastructure data that PQE inspectors examining customer facilities have compiled into reports, the researchers say.

Using a cyber risk scoring system developed by UpGuard, PQE was rated 181 out of a possible 950 when the data exposure was discovered. Thus, the company says, PQE "presents a number of potentially damaging attack vectors with this exposure.”

Not only does the incident reveal additional potential weak points in customer electrical systems, but publicly downloadable schematics could provide attackers with information on the “specific locations and configurations of government-operated top secret intelligence transmission zones within at least one Dell facility.”

In addition to the exposed customer data, the repository also contained a plain text file of internal PQE passwords, which provided potential attackers with further access to the company’s systems.

“This exposure illustrates several pertinent and common issues driving the spread of cyber risk today. The configuration of PQE’s rsync process to allow public access through an open port is an all too common state of affairs in IT environments. While IT personnel can restrict port access to only authorized PQE employees, such measures can easily be forgotten without processes in place to ensure security gaps are identified and closed immediately,” UpGuard says.

The data exposure was discovered after UpGuard Director of Cyber Risk Research Chris Vickery stumbled upon an open port configured to accept packets at an IP address that “returned a fully downloadable data repository originating from Power Quality Engineering.”

The repository contains folders such as “Clients,” “User,” and “Intuit,” yet the security researchers don’t know its actual size, despite downloading a 205 GB portion of data from it. The issue was discovered on July 6, 2017, and PQE secured its systems on July 8, after receiving notification from UpGuard.

The systems were accessible through port 873, which is used for command line utility rsync (remote synchronization) by default. To secure the data accessible through the port, a network admin would have to restrict the IP addresses that are allowed to access the port, using rsync’s “hosts allow/deny” functions. However, this option can be missed, as it requires an extra step when the utility is configured.
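The hosts allow/deny oversight described above can be checked mechanically before a daemon goes live. The following is an added example, not UpGuard's or PQE's code: it parses an rsyncd.conf, applies global defaults to each module and reports modules that any address may reach. Both configurations, the module name and the path are constructed; the address range is the RFC 5737 documentation range. The check also reports the rsyncd defaults of listing modules and any module set writable, which go slightly beyond the article's point.

```python
"""Audit an rsyncd.conf for modules reachable from any client address.

Added example with constructed configurations; not the code of anyone named in
the article. Module names, paths and the address range are assumptions.
"""


def parse_rsyncd(text):
    """Return {'<global>': {...}, '<module>': {...}} from rsyncd.conf text.
    Settings before the first [module] header are global defaults that every
    module inherits unless it overrides them. Lines starting with '#' are comments."""
    sections = {"<global>": {}}
    current = sections["<global>"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def _is_no(value):
    return value.strip().lower() in ("no", "false", "0")


def audit_rsyncd(text):
    """One finding per weakness in each module, after applying global defaults."""
    sections = parse_rsyncd(text)
    defaults = sections["<global>"]
    findings = []
    for name, module in sections.items():
        if name == "<global>":
            continue
        effective = {**defaults, **module}
        if "hosts allow" not in effective and "hosts deny" not in effective:
            findings.append(f"[{name}] has no hosts allow/deny: reachable from any address")
        # rsyncd defaults to 'read only = yes'; an explicit 'no' permits uploads.
        if _is_no(effective.get("read only", "yes")):
            findings.append(f"[{name}] is writable ('read only = no')")
        # rsyncd defaults to 'list = yes', which advertises the module to anyone who asks.
        if not _is_no(effective.get("list", "yes")):
            findings.append(f"[{name}] is listed to anonymous clients ('list = yes')")
    return findings


# Constructed: the shape of configuration that leaves a module open to the Internet.
WEAK_CONF = """
[clients]
    path = /srv/reports/clients
    comment = inspection reports
"""

# Constructed: limited to one office range, hidden from listing, read only.
HARDENED_CONF = """
# only the office range may talk to any module (RFC 5737 documentation net)
hosts allow = 192.0.2.0/24
hosts deny = *
list = no

[clients]
    path = /srv/reports/clients
    read only = yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_rsyncd(conf) or "no findings")
```

When hosts allow is set and hosts deny is not, rsyncd already rejects clients outside the allow list, so the explicit deny line is belt and braces. The check only covers the daemon's own settings: port 873 should additionally not be reachable from the Internet at all, which is a firewall question the configuration file cannot answer.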

Because of this oversight, the PQE repository was able to be downloaded by anyone connecting to the unprotected IP address. The security researchers even discovered that the “Clients” folder in the main repository includes directories titled with the names of well-known corporations and public-sector organizations in Central Texas, including computer manufacturer Dell, software maker Oracle, telecom carrier SBC, and semiconductor manufacturers Freescale (now owned by NXP) and Texas Instruments, among others.

The exposed data includes reports and infrared imagery of weaknesses in clients’ power infrastructures, which were discovered and evaluated by PQE inspectors. “Such infrared studies and their associated reporting reveal, with high levels of specificity, energy infrastructure inspection results of clients like HealthSouth Rehabilitation Hospital of Austin,” the researchers explain.

One of the discovered folders was found to contain a document labeled “Director of Central Intelligence Directive No. 6/9,” which included details on Sensitive Compartmented Information Facilities, or “SCIFs”, secure rooms used by security-cleared individuals to receive sensitive information. Such rooms are designed so that external surveillance, eavesdropping or interception of information in the room is as difficult as possible.

The exposed documents revealed the precise location of such a SCIF in a Dell facility in central Texas. “The documents confirm the exquisitely stringent standards for the construction of such a room, complying with TEMPEST-level security standards for any acoustical or radio transmissions, and extending to such detailed specifications as the construction of intrusion-defeating air ducts surrounding the SCIF,” UpGuard notes.

Exposed data for other clients included schematics of solar fields, electrical gap analyses, proposals for future construction, inspection reports of aviation breakers at local airfields, maintenance reports for municipal fuel systems, and a “Hazardous Operations Report,” all pertaining to the City of Austin.

The security researchers also suggest that clients might have been further exposed, considering that a document in the repository’s “User” folder contained a number of plaintext PQE passwords, including at least one password for PQE’s GoDaddy account. The firm’s website could have been accessed and exploited to funnel visitors into a watering hole attack, the researchers suggest.

“The PQE data exposure presents a uniquely varied illustration of the many attack vectors a malicious actor can take in 2017 to exploit the sensitive data of enterprises for their own purposes. Of prime importance, however, is the process error which resulted in the data being exposed in the first place: the configuration of the rsync port to be open to public access,” UpGuard points out.


Fuzzing Tests Show ICS Protocols Least Mature

9.8.2017 securityweek ICS
Fuzzing tests conducted last year by customers of Synopsys, a company that provides tools and services for designing chips and electronic systems, revealed that protocols used in industrial control systems (ICS) are the least mature.

Fuzzing is a testing technique designed for finding software vulnerabilities by sending malformed input to the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw and further investigation is warranted. If the number of crashes is high and the time to first failure (TTFF) is short, the likelihood of exploitable vulnerabilities increases.
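To make the terms concrete, here is an added example, not Synopsys' tooling or any of its results: a minimal mutation fuzzer that records the failure count and the test case at which the first failure occurred (time to first failure counted in cases rather than minutes), run against two constructed parsers for a Modbus/TCP "read holding registers" response. The fragile parser trusts the frame's length and byte-count fields, as the ICS parsers that fail within minutes typically do; the hardened one validates every field and rejects bad frames with its own error, which the fuzzer counts as correct behaviour. In Python the out-of-bounds reads surface as exceptions; in C they would be memory errors.

```python
"""Minimal mutation fuzzer with time-to-first-failure, against a fragile and a
hardened Modbus/TCP response parser.

Added example; the seed frame, mutation strategy and both parsers are constructed.
A 'failure' is any exception other than the parser's own ParseError.
"""
import random
import struct


class ParseError(Exception):
    """Raised by the hardened parser on malformed input: expected, not a failure."""


def parse_fragile(frame):
    """Trusts the byte-count field and indexes past the end of short frames."""
    _tid, _pid, _length, _unit, fc = struct.unpack(">HHHBB", frame[:8])
    if fc != 0x03:
        raise ParseError("not a read-holding-registers response")
    byte_count = frame[8]                      # IndexError on an 8-byte frame
    return [struct.unpack(">H", frame[9 + 2 * i: 11 + 2 * i])[0]   # struct.error
            for i in range(byte_count // 2)]   # when the payload is shorter


def parse_hardened(frame):
    """Checks every length field against the bytes actually received."""
    if len(frame) < 9:
        raise ParseError("frame shorter than MBAP header, function code and count")
    _tid, pid, length, _unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ParseError("protocol id or length field inconsistent with frame")
    if fc != 0x03:
        raise ParseError("not a read-holding-registers response")
    byte_count = frame[8]
    if byte_count % 2 or byte_count != len(frame) - 9 or byte_count > 250:
        raise ParseError("byte count inconsistent with payload")
    return list(struct.unpack(f">{byte_count // 2}H", frame[9:]))


def mutate(frame, rng):
    """One random mutation: overwrite a byte, truncate, or insert junk bytes."""
    data = bytearray(frame)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(parser, seed_frame, iterations, seed=1):
    """Feed mutated frames to parser; count crashes and note the first one."""
    rng = random.Random(seed)
    failures, first = 0, None
    for i in range(1, iterations + 1):
        try:
            parser(mutate(seed_frame, rng))
        except ParseError:
            continue                      # graceful rejection is the desired outcome
        except Exception:                 # anything else is an unhandled crash
            failures += 1
            first = first or i
    return {"tests": iterations, "failures": failures, "first_failure": first}


# Constructed valid response: tid=1, pid=0, length=7, unit=1, fc=3, count=4, regs 0x0102 0x0304
SEED_FRAME = bytes.fromhex("0001 0000 0007 01 03 04 0102 0304".replace(" ", ""))

if __name__ == "__main__":
    for name, parser in (("fragile", parse_fragile), ("hardened", parse_hardened)):
        print(name, fuzz(parser, SEED_FRAME, 2000))
```

The seeded random generator makes a run reproducible, which matters when a crash has to be handed to a developer; real fuzzers add coverage feedback and far richer mutations, but the accounting (cases run, crashes, first crash) is the same as in the report's figures.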

Synopsys’ State of Fuzzing 2017 report is based on 4.8 billion results obtained in 2016 from tests targeting 250 protocols used in industrial, Internet of Things (IoT), automotive, financial services, government, healthcare and other sectors.

In the case of ICS, Synopsys customers tested protocols such as IEC-61850 MMS, IEC-104 Server, Modbus PLC, OPC UA, DNP3 and MQTT. There are also some protocols used for both ICS and IoT, including CIP and CoAP Server.

Many of these protocols had the TTFF within five minutes. Modbus, for instance, had 37 failures after 1.5 million tests and an average test runtime of 16 minutes. The OPC UA protocol had over 16,000 failures with a testing runtime of 4.5 hours.

ICS protocols fuzzing results

In comparison, the Address Resolution Protocol (ARP), which is used to convert an IP address into a physical address and is the most mature protocol, had zero failures after over 340,000 tests with an average runtime of 30 hours.

Four of the five least mature protocols, based on average TTFF, are ICS protocols, including IEC-61850 MMS, Modbus PLC, DNP3 and MQTT.

“The protocols typically associated with ICS showed the most immaturity,” Synopsys said in its report. “Many demonstrated rapid time to first failures, with IEC-61850 MMS measured in a matter of seconds. This has bearing on IoT, as many of the protocols used in ICS are also used in IoT. Clearly, more testing is needed for the protocols within ICS and IoT, as the potential for discovering more vulnerabilities is greater in these industry verticals than in others.”

The most mature protocols, based on tests conducted by Synopsys customers, are Bluetooth LE Health, DHCPv4 Client, Bluetooth LE, ARP Client, PNG and E-LMI – each with 0 failures.


Schneider Electric, Claroty Partner on Industrial Network Security

7.8.2017 securityweek ICS
Energy management and automation giant Schneider Electric has teamed up with industrial cybersecurity startup Claroty to offer its customers solutions for protecting industrial control systems (ICS) and operational technology (OT) networks.

Claroty, which emerged from stealth mode in September 2016 with $32 million in funding, will market its products through Schneider’s Collaborative Automation Partner Program (CAPP).

Schneider’s CAPP enables its customers to find the right technology solutions and integrate them with the company’s own offering. Claroty, whose products have undergone rigorous testing to ensure interoperability, will provide network monitoring solutions.

Claroty’s platform is designed to protect ICS and continuously monitor OT networks for threats without disrupting operations. The product enables organizations to control remote employee and third-party access to critical systems, including record their sessions. It also creates a detailed inventory of industrial network assets, identifies configuration issues, monitors traffic, and looks for anomalies that could indicate the presence of a malicious actor.

The product can be integrated with Schneider Electric’s existing cybersecurity and edge control offerings through the company’s EcoStruxure architecture.

“At Schneider Electric we recognize the urgent need to assist our customers in enhancing their safety and cybersecurity programs. One way we are addressing this need is through partnering with Claroty to provide real-time network monitoring and anomaly-detection,” said David Doggett, senior director of cybersecurity for Schneider Electric’s Industry Business.

“Passive network intrusion detection techniques are critical for applications where system availability is paramount,” Doggett added. “Claroty’s platform can strengthen solutions against known cyber attacks that have bypassed existing boundary protections. The technology can also alert network operators about novel attack vectors or attacks initiated by rogue insiders using existing tools and credentials.”

Schneider Electric is not the only automation giant that has teamed up with Claroty. In February, Rockwell Automation announced a partnership with the company for combined security offerings.


ICS-CERT Issues Warning of CAN Bus Vulnerability
2.8.2017 securityaffairs ICS

The US ICS-CERT issued an alert in response to a public report of a vulnerability in the Controller Area Network bus (CAN bus).
On Friday (28th of July), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert in response to a public report of a vulnerability in the Controller Area Network (CAN) bus standard.

The vulnerability detailed in the alert is a stealth Denial of Service attack that requires physical access to the CAN, and an attacker with extensive knowledge of how to reverse engineer the traffic. This ultimately results in the disruption of the availability of arbitrary functions of the target device.

The public report referenced in the ICS-CERT alert is from a group of Italian security researchers from Politecnico di Milano (the largest technical university in Italy). In their report the researchers detail how “modern vehicles incorporate tens of electrical control units (ECUs), driven by, according to estimates, as much as 100,000,000 lines of code. They are tightly interconnected via internal networks, mostly based upon the CAN bus standard…”.

The report shows that this denial-of-service attack against the CAN bus standard is harder to detect because it exploits the design of the CAN protocol at a low level. This allows an attacker to cause malfunctions in safety-critical components or disable vehicle functions such as power steering or airbags.

The attack exploits the weakness in the CAN protocol, working between the physical and data link layers of the OSI stack without requiring any message sending capability to the attacker.

It is important to note that the research concluded that this attack cannot be detected without a major restructuring of CAN bus networks, and the CAN bus is widely adopted in automotive, manufacturing, building automation, and hospitals.

A full proof of concept of the CAN denial-of-service was posted on GitHub; the project, titled “A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks”, demonstrates the attack detailed in the paper released by Politecnico di Milano. The attack was delivered against an Alfa Romeo Giulietta using an Arduino Uno Rev 3 to disable the parking sensor module (identifier 06314018) on CAN B operating at 29 bit / 50 kbps.

CAN bus

In summary, this exploit focuses on recessive and dominant bits to cause malfunctions in CAN nodes rather than on complete frames, which were used in previously reported attacks and, unlike this attack, can be detected by IDS/IPS systems.

Because of how the denial of service attack exploits the design of the CAN protocol, and how easily an input port (typically OBD-II) can be accessed by a potential attacker, the recommendation from ICS-CERT is to limit access to these input ports. ICS-CERT is also working with the automotive industry and other industries to develop mitigation plans.

Finally, given how widely CAN bus is adopted by the automotive, healthcare, and manufacturing industries this further highlights how singular weaknesses in a secure environment can compromise the network as a whole.


ICS-CERT Warns of CAN Bus Vulnerability

31.7.2017 securityaffairs ICS

The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert on Friday to warn relevant industries about a vulnerability affecting the Controller Area Network (CAN) bus standard.

CAN is a high-reliability serial bus communications standard. It’s present in most modern cars – it allows various components of a vehicle to communicate with each other – and it’s also used in the healthcare and other sectors.

A team of Italian researchers published a paper last year describing various CAN weaknesses and an attack method that can be leveraged for denial-of-service (DoS) attacks. They also published a proof-of-concept (PoC) exploit and a video showing how they managed to exploit the flaw to disable the parking sensors on a 2012 Alfa Romeo Giulietta.

The attack method presented by the experts requires physical access to the targeted vehicle and extensive knowledge of the CAN protocol, but ICS-CERT pointed out that it might be more difficult to detect compared to previously disclosed techniques.

“The severity of the attack varies depending on how the CAN is implemented on a system and how easily an input port (typically OBD-II) can be accessed by a potential attacker,” ICS-CERT said. “This attack differs from previously reported frame-based attacks, which are typically detected by IDS/IPS systems. The exploit focuses on recessive and dominant bits to cause malfunctions in CAN nodes rather than complete frames.”

Since CAN is a standard used across multiple industries and many products, patching vulnerabilities is not an easy task.

ICS-CERT says it’s working with vendors and researchers to identify mitigations for such attacks. In the meantime, the agency recommends limiting access to the OBD-II ports of a vehicle.

As cars become increasingly connected, researchers have invested significant effort into identifying potential security holes. A study conducted by IOActive last year showed that when it comes to cars, the CAN bus is the fourth most common attack vector.

Flaws that can be exploited for CAN access are also highly common, accounting for more than a quarter of the weaknesses analyzed by IOActive.


Malware experts at ESET released a free tool for ICS Malware analysis
29.7.2017 securityaffairs ICS

Security experts from ESET that spotted the Industroyer malware used against Ukraine’s power grid released a free tool for ICS Malware analysis
ESET researchers Robert Lipovsky and Anton Cherepanov have released a free tool for the analysis of ICS malware.

The security duo is the same that discovered the CrashOverride/Industroyer malware that targeted Ukraine’s power grid.
CrashOverride/Industroyer is the fourth publicly known piece of malware specifically designed to target ICS; a detailed description of the other threats is available in my article “Which Malware are Specifically Designed to Target ISC Systems?”.
Industroyer ICS malware
The development of the tool was inspired by their investigation of the ICS malware involved in the attack against Ukraine’s power grid in 2016 that caused a huge power outage in the city of Kiev and neighboring regions.
The researchers developed an IDAPython script for IDA Pro that could be used by malware researchers and cyber security experts to reverse-engineer binaries that employ the OPC Data Access industrial communications protocol.

“An IDAPython script for IDA Pro that helps reverse engineer binaries that are using the OPC Data Access protocol.” reads the description published on GitHub.
“It can be used to analyse such malware families as Havex RAT and Win32/Industroyer.
The script identifies CLSID, IID, and LIBID constants and creates structures and enumerations. Afterwards, these structures can be used to annotate COM method call parameters.”
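The first step such a script performs, locating the GUID constants in the binary, depends on an encoding detail worth seeing: a COM GUID is stored in memory as three little-endian fields followed by eight raw bytes, not as the textual form. The following is an added example, not ESET's IDAPython script: a stand-alone scanner over a constructed byte blob. The IOPCServer IID in its table is the value given in the OPC DA specification and should be checked against the IDL before use; the IUnknown IID is the standard COM value; the blob itself is constructed.

```python
"""Locate known COM interface GUIDs in a binary blob by their in-memory layout.

Added example, not the ESET script. The GUID table is a small constructed input;
real work would load the full OPC DA CLSID/IID/LIBID set.
"""
import struct
import uuid

# name -> textual GUID. The OPC DA value is from the specification (verify against
# the IDL); IUnknown is the standard COM interface id.
KNOWN_GUIDS = {
    "IID_IOPCServer": "39c13a4d-011e-11d0-9675-0020afd8adb3",
    "IID_IUnknown": "00000000-0000-0000-c000-000000000046",
}


def guid_to_bytes(text):
    """Encode as the Win32 GUID struct: LE uint32, LE uint16, LE uint16, then 8 bytes
    as written. This is what a compiler emits for a DEFINE_GUID constant."""
    g = uuid.UUID(text)
    return struct.pack("<IHH", g.time_low, g.time_mid, g.time_hi_version) + g.bytes[8:]


def find_guids(blob, table=KNOWN_GUIDS):
    """Return (offset, name) for every occurrence of a known GUID, sorted by offset."""
    hits = []
    for name, text in table.items():
        needle = guid_to_bytes(text)
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def annotate(blob, table=KNOWN_GUIDS):
    """Human-readable lines of the kind a disassembler plugin would attach as comments."""
    return [f"0x{off:08x}: {name}" for off, name in find_guids(blob, table)]


# Constructed blob: filler, the OPC IID, short padding, the IUnknown IID, trailer.
SAMPLE_BLOB = (b"\x90" * 16
               + guid_to_bytes(KNOWN_GUIDS["IID_IOPCServer"])
               + b"\x00" * 5
               + guid_to_bytes(KNOWN_GUIDS["IID_IUnknown"])
               + b"\xcc" * 4)

if __name__ == "__main__":
    for line in annotate(SAMPLE_BLOB):
        print(line)
```

Once the offsets are known, a disassembler script can type each one as a GUID and, as the ESET description says, use the named constants to label the parameters of CoCreateInstance and QueryInterface calls, which is what turns an opaque blob of COM calls into a readable OPC client.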
Havex is a general purpose Remote Access Trojan (RAT) discovered in June 2015 when malware researchers at F-Secure spotted a cyber espionage campaign based on the Havex malware targeting ICS/SCADA systems and vendors.
The Havex malware has been used in several targeted attacks in the previous months; threat actors used it against different industry sectors.

“If there are other future malware [families] like Industroyer or Havex, [investigators] will have an easier time” finding and analyzing them, Lipovsky says.

“This tool helps you understand what the threat was designed to do,” he says. Detection is important, he says, “but if you want to understand what the attackers are up to, you need to dig in deeply.”

The availability of such open-source tools allows experts to rapidly analyze ICS malware and implement automated defense systems.

Lipovsky and Cherepanov highlighted the importance for ICS/SCADA operators of early detection of the threats.

“A lot of people are downplaying these sorts of things as ‘not an attack.’ Spying is an attack,” said the expert. “These things are detectable.”

Lipovsky announced the tool during a session at the Black Hat hacking conference.


New CyberX Technology Predicts ICS Attack Vectors

20.7.2017 securityweek ICS

Industrial cybersecurity and threat intelligence firm CyberX announced on Thursday the availability of a new simulation technology that allows organizations to predict breach and attack vectors on their networks.

The new industrial control systems (ICS) security service, named ICS Attack Vector Prediction, leverages proprietary analytics to continuously predict possible attack avenues and help organizations prevent breaches.

The solution provides a visual representation of all possible attack chains targeting critical assets in the operational technology (OT) network. Scenarios are ranked based on the level of risk to help security teams prioritize mitigation.

Cybersecurity personnel are provided detailed mitigation recommendations for each vulnerability. This can include patching Windows devices, upgrading vulnerable PLC firmware, and disabling unnecessary or unmanaged remote access methods.

CyberX's in-house ICS security experts can also advise organizations on how to devise the most efficient and effective mitigation strategies, especially in large and globally-distributed organizations in sectors such as manufacturing, pharmaceuticals, chemicals, and oil and gas.

Security teams can easily simulate the effects of each mitigation action. For example, they can simulate patching or isolating a device in order to determine if that eliminates the risk posed to important systems.
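The computation behind enumerating attack chains, ranking them and simulating a mitigation can be sketched in a few lines. The following is an added example, not CyberX's product or analytics: the OT network, the per-host weakness scores and the "patch this host" simulation are all constructed, and the ranking is simply the product of assumed per-hop success probabilities along each path.

```python
"""Enumerate and rank attack paths to a critical asset, then simulate a mitigation.

Added example with a constructed network and constructed likelihood scores; not
any vendor's model.
"""

# Constructed OT network: host -> hosts it can reach at network level.
REACHABILITY = {
    "internet":  ["vpn-gw"],
    "vpn-gw":    ["eng-ws"],
    "eng-ws":    ["hmi", "plc-1"],
    "hmi":       ["plc-1"],
    "historian": ["plc-1"],
}

# Constructed: assumed probability that a hop onto this host succeeds given a
# foothold on a neighbour (higher = weaker host). 'internet' is the starting point.
HOST_WEAKNESS = {
    "vpn-gw": 0.6,      # remote access exposed without MFA (assumed)
    "eng-ws": 0.7,      # unpatched Windows engineering workstation (assumed)
    "hmi": 0.5,
    "plc-1": 0.9,       # old firmware, unauthenticated protocol (assumed)
    "historian": 0.3,
}


def attack_paths(graph, start, target, mitigated=frozenset()):
    """All simple paths from start to target that avoid mitigated hosts.
    Marking a host as mitigated models patching or isolating it."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt in mitigated or nxt in path:
                continue
            walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def path_likelihood(path, weakness=HOST_WEAKNESS):
    """Product of per-hop success probabilities for every hop after the start."""
    p = 1.0
    for host in path[1:]:
        p *= weakness[host]
    return round(p, 4)


def rank_paths(graph, start, target, mitigated=frozenset(), weakness=HOST_WEAKNESS):
    """(likelihood, path) pairs, most likely first; empty when the target is unreachable."""
    ranked = [(path_likelihood(p, weakness), p)
              for p in attack_paths(graph, start, target, mitigated)]
    return sorted(ranked, key=lambda t: -t[0])


if __name__ == "__main__":
    print("before:", rank_paths(REACHABILITY, "internet", "plc-1"))
    print("after patching eng-ws:", rank_paths(REACHABILITY, "internet", "plc-1", {"eng-ws"}))
```

In the constructed network every path from the Internet to the PLC passes through the engineering workstation, so simulating its patch or isolation removes all of them, while mitigating only the HMI leaves the direct workstation-to-PLC route; that is the kind of comparison the simulation feature described above is meant to support.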

CyberX ICS Attack Vector Prediction

Scanning OT networks is not as easy as scanning IT networks because invasive actions can cause downtime. In order to prevent disruption to the customer’s systems, CyberX says its product simulates attack vectors by using agentless asset discovery and vulnerability assessment technology that combines a deep understanding of industrial systems and non-invasive traffic analysis.

The Attack Vector Prediction technology is available now as part of the base CyberX platform at no additional charge to existing customers. The CyberX platform is priced based on the number of monitored appliances, both physical or virtual.

With the addition of the attack prediction technology to its offering, CyberX says it addresses all four requirements outlined in Gartner’s Adaptive Security Architecture framework: prediction, prevention, detection and response.


CrowdStrike, Dragos Partner to Deliver Comprehensive ICS Security Services

20.7.2017 securityweek ICS

Cloud-based endpoint security firm CrowdStrike and Dragos, a company that specializes in protecting industrial control systems (ICS), announced on Tuesday a strategic partnership whose goal is to provide comprehensive cybersecurity services.

Joint customers will benefit from a combination of CrowdStrike’s assessment, preparedness and incident response services and Dragos’ expertise in protecting ICS. The offering is designed to help critical infrastructure and other organizations secure their systems against sophisticated threats.

Customers will be provided proactive enterprise security services through CrowdStrike’s Falcon platform, compilation and correlation of ICS security events via the Dragos platform, and expertise for preventing, assessing and responding to ICS incidents.

The partnership will also offer comprehensive enterprise and industry intelligence, and improved awareness, visibility and protection against threats that pose a serious risk to organizations using both networked endpoints and industrial devices.

“At CrowdStrike, we track a wide array of adversaries going after critical infrastructure with incredibly sophisticated attack methods and tools. In order to stop these breaches, it’s important to combine domain knowledge of the industrial threat landscape, actionable intelligence, advanced security services and endpoint protection technology,” said Thomas Etheridge, vice president of services at CrowdStrike. “We are thrilled to partner with Dragos, a company that brings unrivalled expertise in ICS/SCADA systems to offer joint customers improved security planning, awareness, visibility, and exceptionally fast response to incidents.”

“Current security solutions are blind to how adversaries breach industrial systems and disrupt critical operations. Together, CrowdStrike and Dragos leverage proven human expertise, adversary intelligence and unrivaled technology to uniquely equip our customers with a full understanding of the enterprise and industrial threat landscape,” said Ben Miller, director of Threat Operations at Dragos.


2017 ICS Cyber Security Conference Call for Speakers Open Through August 15

19.7.2017 securityweek  ICS

Longest Running ICS/SCADA Cybersecurity Conference to take Place Oct. 23-26, 2017 at InterContinental Hotel Atlanta

The official Call for Papers (speakers) for SecurityWeek’s 2017 Industrial Control Systems (ICS) Cyber Security Conference, being held October 23 – 26, 2017 at the InterContinental Buckhead Atlanta, Georgia, USA is open through August 15, 2017.
As the original ICS/SCADA cyber security conference, the event is the largest and longest-running cyber security-focused event series for the industrial control systems sector. The conference caters to the energy, water, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations.

2017 ICS Cyber Security Conference

With a 15-year history, the conference has proven to bring value to attendees through the robust exchange of technical information, actual incidents, insights, and best practices to help protect critical infrastructures from cyber-attacks.

Produced by SecurityWeek, the conference addresses ICS/SCADA topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

The Conference is unique and has historically focused on control system end-users from various industries and what cyber vulnerabilities mean to control system reliability and safe operation. It also has a long history of having discussions of actual ICS cyber incidents along with lessons learned.

The 2017 Conference is expected to attract more than 450 professionals from around the world, including large critical infrastructure and industrial organizations, military and state and Federal Government. The conference incorporates training workshops and advanced full-day training sessions on various topics.

Through the Call for Speakers, a conference committee will accept speaker submissions for possible inclusion in the program at the 2017 ICS Cyber Security Conference.

The conference committee encourages proposals for both main track and “In Focus” sessions. Most sessions are 45 minutes in length including time for Q&A.

Submissions will be reviewed on an ongoing basis so early submission is highly encouraged.

Submissions must include a proposed presentation title; an informative session abstract, including learning objectives for attendees if relevant; and contact information and a bio for the proposed speaker.

All speakers must adhere to the 100% vendor neutral / no commercial policy of the conference. If speakers cannot respect this policy, they should not submit a proposal.

To be considered, interested speakers should submit proposals by email to events@securityweek.com with the subject line “ICS2017 CFP” by August 15, 2017.

Plan on Attending the 2017 ICS Cyber Security Conference?

Online registration is open, with discounts available for early registration.

Sponsorship Opportunities

Sponsorship and exhibitor opportunities for the 2017 ICS Cyber Security Conference are available. Please contact events(at)securityweek.com for information.

About the ICS Cyber Security conference

Produced by SecurityWeek, the ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions. Since its first edition in 2002, the conference has attracted a continually rising interest as both the stakes of critical infrastructure protection and the distinctiveness of securing ICSs become increasingly apparent.


Inadequate Boundary Protections Common in Critical Infrastructure: ICS-CERT

14.7.2017 securityweek ICS

The assessments conducted by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 2016 showed that inadequate boundary protection has remained the most prevalent weakness in critical infrastructure organizations.

ICS-CERT conducted 130 assessments in the fiscal year 2016, which is more than in any previous year. Monitor newsletters published by ICS-CERT this year show that it has already conducted 74 assessments in the first half of 2017.

Assessments are offered to both government organizations and private sector companies whose owners and operators request them. Last year, the CERT conducted assessments in 12 of the 16 critical infrastructure sectors, including chemical, commercial facilities, communications, critical manufacturing, emergency services, dams, energy, food and agriculture, IT, government facilities, transportation, and water and wastewater systems.

Similar to the previous two years, inadequate boundary protection remained the most common flaw – 94 discoveries representing more than 13 percent of all weaknesses identified during assessments. Boundary protection issues can result in failure to detect unauthorized activity in critical systems, and an increased risk to control systems due to the lack of proper separation from the enterprise network.

The second most prevalent type of vulnerability, with 42 discoveries, is “least functionality.” This refers to organizations failing to implement controls to ensure that unnecessary services, ports, protocols or applications that can be exploited to gain access to ICS are disabled.

ICS-CERT also discovered 36 instances of identification and authentication flaws. Many organizations fail to implement proper identification and authentication mechanisms for their users – this leads to accountability problems and makes it more difficult to secure the accounts of individuals who have left the company.

The fourth most prevalent issue discovered during assessments is related to physical access controls – which can make it easier for malicious actors to gain an initial foothold into the targeted organization’s ICS network.

Another common problem identified by investigators was related to mechanisms for auditing and accountability. According to ICS-CERT, 26 organizations did not have a formal process in place for reviewing and validating logs, which makes it more difficult to detect an intrusion in the ICS network and respond to an incident.

ICS-CERT’s FY 2016 Annual Assessment Report also includes recommendations on how to address these issues.


ICS Security Pros Increasingly Concerned About Ransomware: Survey

11.7.2017 securityweek  ICS  Ransomware

Many security practitioners in the field of industrial control systems (ICS) believe the level of risk is high, and they are increasingly concerned about ransomware and embedded controllers, according to the SANS Institute’s fourth annual ICS cyber security survey.

ICS security experts from organizations of all sizes told SANS that they believe the top threat vectors are devices that cannot protect themselves, such as embedded controllers (44%), internal threats, including accidents (43%), external threats, such as nation-state actors and hacktivists (40%), and ransomware and other extortion attempts (35%).

Ransomware has made a lot of headlines in the past year and industrial systems are at risk, as demonstrated by both theoretical attack scenarios and in-the-wild threats such as the WannaCry malware. As a result, the number of ICS security experts concerned about ransomware has nearly doubled compared to data from the previous SANS survey.

“Although ransomware primarily infects commercial OS-based systems (e.g., Windows, Linux), the integration of these into ICS environments and the dependence of ICS on devices running these operating systems has extended ransomware’s effectiveness and reach,” SANS said in its report. “Publicly known operational impacts remain few to date but, we expect more to follow, especially given public demonstrations of ransomware targeting ICS/SCADA.”

Recent ICS hacking demonstrations also appear to have contributed to an increasing awareness that embedded controllers and control system applications are at risk – nearly one-quarter of respondents believe controllers are most at risk. On the other hand, many still believe that computers running commercial operating systems are most at risk and have the greatest impact.

Top ICS threat vectors

More than two-thirds of respondents believe the threat to ICS to be high or critical, and nearly half said their budgets for ICS security increased from the fiscal year 2016. Over the next 18 months, 20 percent or more of organizations have allocated budget for performing security assessments or audits of control systems, increasing visibility into these systems, increasing security awareness training, and implementing anomaly and intrusion detection tools.

“Budgets for training and certification of staff responsible for implementing and maintaining security of control systems and control fell considerably, from 34% in 2016 to 26% in 2017. Rather than balancing this with increases in trained staff or outside consultants, budgets for these initiatives decreased, dropping, at 14%, below the top 10 budgetary initiatives,” SANS said. “At a time of increasing exposures and risk factors, this is counterintuitive. Rising threat levels and expanding attack surfaces require skilled professionals to address these risks.”

Of the organizations with more than 10,000 employees, 2.6 percent said they have a budget of more than $10 million for control system security in the fiscal year 2017, and 6 percent said they have a budget ranging between $1 million and $10 million. On the other hand, 2.6 percent of large companies admitted they don’t have a budget for ICS security.

The fact that some organizations have allocated budget for improving visibility is encouraging, considering that when asked if their control systems have been infected or infiltrated, 40 percent of respondents said “not that we know of,” which suggests they may have been breached, but lack visibility into their operational technology (OT) network.

ICS infections

Roughly 12 percent of respondents said their control systems were infected or infiltrated in the past year. While most of them either did not know how many times their systems were breached or said they had only detected such events up to five times, some reported more than 50 incidents.


Vulnerabilities Found in Siemens Building Tech, Smart Grid Products

7.7.2017 securityweek ICS

Siemens and ICS-CERT published advisories this week to warn organizations of potentially serious vulnerabilities affecting some of the German technology conglomerate’s building controller and smart grid devices.

Users of the OZW672 and OZW772 products, designed for remote plant control and monitoring, have been informed of medium and high severity flaws allowing attackers to access or alter historical measurement data stored on the device, and read or manipulate data in TLS sessions via man-in-the-middle (MitM) attacks.

The security holes, discovered by Stefan Viehböck from SEC Consult, have not been patched, but Siemens has provided a series of recommendations for preventing potential attacks.

Related: Learn More at SecurityWeek’s 2017 ICS Cyber Security Conference

Siemens also informed customers of five vulnerabilities affecting Reyrolle protection relays. The flaws, discovered by the vendor itself, can be exploited by remote attackers or ones with network access to obtain sensitive information, bypass authentication and perform administrative operations, and cause a denial-of-service (DoS) condition.

The weaknesses have been patched with the release of firmware version 4.29.01. These and other vulnerabilities also affect SIPROTEC 4 and Compact protection products.

A separate advisory published by Siemens describes a DoS vulnerability affecting the SIMATIC Logon automation software, which provides authentication for access control on SIMATIC human-machine interface (HMI) panels. The security hole has been addressed with the release of version 1.6 of the software.

Schneider Electric patches flaws in Wonderware and Ampla MES products

In addition to the Siemens advisories, ICS-CERT informed industrial organizations this week of vulnerabilities affecting Schneider Electric Ampla Manufacturing Execution Systems (MES) and the Wonderware ArchestrA Logger logging software.

Wonderware ArchestrA Logger versions 2017.426.2307.1 and prior are affected by three high severity flaws that can be exploited for remote code execution and DoS attacks.

Ampla MES versions 6.4 and earlier fail to properly protect sensitive information – specifically, passwords are hashed using a weak algorithm, and session data is not encrypted when the software interacts with third-party databases.


Unpatched Flaws in Schneider Electric U.motion Builder Disclosed

30.6.2017 securityweek ICS
The details of several vulnerabilities affecting Schneider Electric’s U.motion Builder software have been disclosed before the vendor released any patches.

Schneider Electric’s U.motion is a building automation solution used around the world mainly in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.

Security researcher Andrea Micalizzi, also known as “rgod,” discovered that the U.motion Builder software, version 1.2.1 and prior, is affected by several vulnerabilities, including ones rated critical and high severity.

Advisories published by ICS-CERT and the vendor describe the flaws as SQL injection, path traversal, authentication bypass, hardcoded password, improper access control, information disclosure, and denial-of-service (DoS) issues.

An attacker can exploit the security holes to execute arbitrary code and commands, steal files, gain access to the system with high privileges, obtain information, and cause a DoS condition – in some cases even without authentication.

The security holes were reported by Micalizzi to Schneider via Zero Day Initiative (ZDI) and ICS-CERT in March 2016. Several months later, the vendor said it was expecting a patch to become available by the end of the year.

Since fixes still haven’t been released, ZDI has made public more than 20 advisories detailing each of the vulnerabilities found by the researcher in U.motion Builder. The advisories include details, such as affected file and parameter, that could allow malicious actors to exploit the flaws.

Schneider Electric has now promised to release an update by the end of August and instructed customers to apply the patch as soon as it becomes available. In the meantime, the company has advised users to place the affected software behind a firewall, ensure that the machine hosting the software is not connected to the Web, use application whitelisting and access control features, and ensure that remote access is only possible over a trusted VPN.

This is not the first time researchers have decided to disclose unpatched flaws affecting Schneider products after the vendor’s failure to release patches or provide any status updates.

In April, experts disclosed two weaknesses affecting Schneider PLCs. The vendor admitted making a mistake in that case, but it seems it was not an isolated incident.

ICS-CERT has also published a couple of advisories this week detailing critical flaws in Siemens’ Viewport for Web Office Portal, SIMATIC, SINUMERIK and SIMOTION products.


Group Pushes For Industrial Control Systems (ICS) Security Testing Standards

30.6.2017 securityweek ICS
There is a pressing need for technical assurance standards for industrial control systems (ICS). This is the conclusion and recommendation of a new paper from CREST (a leading UK accreditation body), and is supported by the UK National Cyber Security Centre (NCSC). That need just got stronger if, as now suspected, NotPetya and perhaps WannaCry, were cyber weapons tests. An encryption/wiper inside the critical infrastructure could have dire effects.

The danger is discussed in the stated rationale for the paper (PDF) titled 'Industrial Control Systems - Technical Security Assurance Position Paper'. "The increased connectivity of ICS environments and their use of conventional IT infrastructure components and protocols has enlarged the attack surface that can be exploited by ever more sophisticated cyber security attackers, such as state-sponsored attacks, organised cybercrime and extremist groups."

The problem for ICS is that while the attack surface is growing, the resistance against implementing new security controls that might disturb operational continuity remains high. "Securing ICS environments in many organisations is technically demanding and difficult to undertake (obscure and often obsolete technology, limited resources, high degree of sensitivity)," notes the report. Although there are several published frameworks for securing ICS environments -- including NIST SP.800-82r2, CPNI Security for Industrial Control Systems, IEC 62443, and ISA99 -- there is a lack of mandatory standards on how to test and assure that security.

The report notes that technical security testing specialists consider "inadequate management support (eg. lack of budget, poor resourcing, low risk appetite) as the most important factor affecting the ability to secure ICS environments and undertake technical security testing activities." Other difficulties include the evaporation of the air gap between IT and OT as a viable security control; cultural barriers and a resistance to change; the shortage of skilled resources; and a high degree of technical complexity and obscurity.

The effect of a difficult testing environment and a lack of management drive means that ICS environment owners and operators have no objective way of knowing whether cyber risk is being adequately managed; and at present there is no definitive standard for testing ICS environments that is mandated by regulatory bodies. "Frequent technical security assurance provides stakeholders, both inside and outside the organisation, with objective fact-based information on what remediation is required, why it is required and how it should be applied," says CREST. The purpose of this paper is to lay the groundwork for developing such standards.

"ICS environment owners require assurances that risk is being identified, assessed and evaluated," says Ian Glover, president of CREST. "Above all else they need to know that there are appropriate measures in place to manage and mitigate risk. Research on the project," he continued, "has helped to identify the high-level characteristics of a practical technical security testing approach and organisations should consider how this could add value and protection. It is clear that ICS environments are more sensitive than conventional IT environments and any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution."

CREST's research confirmed that the overall context for all technical security testing should be provided by ICS environment owners (for example, all technical security testing should be business-led) and that the approach should be standards based. From this it developed a six-point standards-based testing process: define and agree scope; assess risks; undertake discovery; develop test plan; conduct technical security tests; and analyze and report test results.

The scoping process requires that the tests be aligned to the strategic, process and system requirements of the organization. "It is important," says CREST, "to be able to make this connection for all stakeholders and ensure there is a good understanding of the strategic, process and systems context as risk identified in ICS environments will have relevance at all three levels in the organisation."

Risk assessment explores the main threats and vulnerabilities of the ICS environment and determines the key risks and likely risk scenarios to be tested. Threat intelligence, says the paper, can "come from a wide variety of sources including the dark web, inside industry sources, open source monitoring, government sources and hacking forums."

The discovery step is designed to determine the specific devices that make up the infrastructure, systems and services in the ICS environment.

Developing a test plan requires a schedule of carefully constructed offline and online tests that are designed to assess the key risks of the ICS environment. There are, suggests CREST, proven test methods that can be used. "While as a general rule online technical security testing in ICS environments should be used with caution," says the report, "there are a variety of measures that can be taken to ensure services are aligned with the needs of the client and the risk of disruption is minimised."

Conducting the technical security tests involves a combination of offline and online tests that help to assess the ICS environment in a progressive check-test-check manner. "Research on the project has shown that Red Teaming is regarded by technical security testers working in ICS environments as a particularly valuable testing technique," notes the paper.

The final step, analysis and reporting, should document and report test results that are aligned to the business objectives and scope agreed with the ICS environment owner.

"This Position Paper," concludes CREST, "has identified a variety of actions that can be taken to help improve the uptake and use of technical security testing in ICS environments but of fundamental importance is the need to develop a standard for conducting technical security testing and the certification of organisations capable of providing technical testing services against this standard." It urges that work should start on developing its proposals into a "standard to help provide assurance that cyber risks are being managed in ICS environments."

It has the backing of the UK National Cyber Security Centre (NCSC). "We believe this paper provides a valuable contribution to the current thinking on this challenging topic and we look forward to working with CREST, as well as ICS operators and the cyber security industry."


Experts spotted Industroyer ICS Malware and linked it to Ukraine Power Outage
13.6.2017 securityaffairs ICS

Researchers at antivirus firm ESET have discovered a new strain of malware, dubbed Industroyer, that appears to have been designed to target power grids.
The experts published a detailed analysis of the malware and speculated that the malicious code was involved in the December 2016 attack on an electrical substation in Ukraine.

“Win32/Industroyer is a sophisticated piece of malware designed to disrupt the working processes of industrial control systems (ICS), specifically industrial control systems used in electrical substations. Those behind the Win32/Industroyer malware have a deep knowledge and understanding of industrial control systems and, specifically, the industrial protocols used in electric power systems,” states the report published by ESET.

ESET shared some data with ICS security firm Dragos that tracked the malware as CRASHOVERRIDE and the threat actor responsible for the campaign as ELECTRUM.

Industroyer is the fourth malware family specifically designed to target ICS; the threats previously discovered by security experts are Stuxnet, BlackEnergy, and Havex.

Industroyer is a sophisticated modular malware that includes several components: a backdoor, a launcher, a data wiper, at least four payloads, and many other tools. The experts focused their analysis on the payloads (IEC 60870-5-101 (aka IEC 101), IEC 60870-5-104 (aka IEC 104), IEC 61850, and OLE for Process Control Data Access (OPC DA)), the core components of the malware that allowed the attackers to control electric circuit breakers.

The Industroyer backdoor allows attackers to execute various commands on the targeted system; the C&C server is hidden in the Tor network, and the backdoor can be programmed to be active only at specified times, making it harder to detect.

The backdoor installs the launcher component, which initiates the wiper and the payloads; it also drops a second backdoor disguised as a trojanized version of the Windows Notepad application.

The wiper component is used in the final stage of the attack to hide tracks and make it difficult to restore the targeted systems.

The payloads implement industrial communication protocols and allow the malware to control circuit breakers. Researchers at ESET believe the malware’s developers have a deep knowledge of power grid operations and industrial network communications.

Industroyer malware

“In addition to all that, the malware authors also wrote a tool that implements a denial-of-service (DoS) attack against a particular family of protection relays, specifically the Siemens SIPROTEC range,” continues ESET. “The capabilities of this malware are significant. When compared to the toolset used by threat actors in the 2015 attacks against the Ukrainian power grid which culminated in a black out on December 23, 2015 (BlackEnergy, KillDisk, and other components, including legitimate remote access software) the gang behind Industroyer are more advanced, since they went to great lengths to create malware capable of directly controlling switches and circuit breakers.”

Both ESET and Dragos collected evidence suggesting that Industroyer/CRASHOVERRIDE was involved in the 2016 power outages in the Kiev region, which have been attributed to Russian state-sponsored hackers.

Researchers at Dragos believe the ELECTRUM APT group is directly linked to the Sandworm APT group; ESET highlighted that while there are no code similarities between the malware used in the 2015 and 2016 attacks in Ukraine, some components are similar in concept.

“The CRASHOVERRIDE malware impacted a single transmission level substation in Ukraine on December 17th, 2016. Many elements of the attack appear to have been more of a proof of concept than what was fully capable in the malware. The most important thing to understand though from the evolution of tradecraft is the codification and scalability in the malware towards what has been learned through past attacks” states the report published by Dragos.

Researchers at Dragos also described theoretical attack scenarios. In one, attackers use the Industroyer malware to open closed breakers in an infinite loop, causing the substation to de-energize.

“The command then begins an infinite loop and continues to set addresses to this value effectively opening closed breakers. If a system operator tries to issue a close command on their HMI the sequence loop will continue to re-open the breaker. This loop maintaining open breakers will effectively de-energize the substation line(s) preventing system operators from managing the breakers and re-energize the line(s).” states the Dragos report.

The operators of the targeted facility cannot close the breakers from the HMI; to restore normal operation they need to interrupt communications with the substation and fix the problem manually.

In another possible attack scenario, hackers initiate an infinite loop where breakers continually open and close, which can trigger protections and cause the substation to shut down.


ICS Companies Are Worried About Cybersecurity, But Are They Worried About the Right Things?
13.6.2017 securityaffairs ICS

Companies operating Industrial Control Systems (ICS) have a special set of challenges to deal with. What is the state of the art?
The equipment was expected to be installed and left alone for a long time. Pressures to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment — not security in an ICS environment. Once connected, companies discovered the value of data that comes from industrial systems and additional pressures arose to connect isolated Control Networks to relatively open Corporate Networks. This has led to the current situation where malware designed to compromise corporate systems can impact ICS equipment and have tragic impacts in the real world.
Kaspersky Lab recently conducted a survey of 359 industrial cybersecurity practitioners and uncovered some discrepancies between the perception and reality of ICS cybersecurity incidents.
83% of respondents feel prepared to handle an ICS cybersecurity incident, which is fortunate because over 50% had at least one cybersecurity incident to deal with in the past year — so they are getting a lot of practice.
The media talks at length about skilled attacks against ICS assets coming from nation states, hacktivists, competitors — often against 3rd party contractors up the supply chain. Survey takers seem to agree as 74% are expecting to see an attack against their industrial infrastructure in the coming year. But this is an interesting discrepancy as the top concern is conventional malware affecting control systems. How many companies are preparing to defend against the few, skilled attackers when they are most likely to be impacted by run-of-the-mill malware being sprayed across the Internet?
ICS vendors’ traditional development model didn’t accommodate regular patches and updates so it is quite likely that companies with ICS equipment are forced to consider other security tools. According to the survey, companies are responding to the threats with antimalware, network monitoring and device access controls. Over half of the respondents aren’t considering vulnerability scanning and patch management.
Based on the stats above, it seems likely that there will be many cybersecurity incidents in the coming months. What should industrial organizations prepare for? The survey highlights the top three concerns as:
– damage to product and service quality,
– loss of proprietary or confidential information, and
– reduction or loss of production at a site
On average these impacts added up to $497,000 per incident last year. So we have a likely probability and a quantifiable impact to base risk decisions upon. Now, these companies need to figure out how to make the right decisions.
Given that these companies are responsible for large scale industrial equipment, security incidents could have much bigger impacts in the real world than most. The challenges of an ICS environment are different than traditional, stand-alone control systems and highly connected corporate networks. The successful companies will be the ones with a unique plan to address the unique risks.
“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams. They need a solid understanding of the threat landscape, well-considered protection means and they need to ensure employee awareness.” said Andrey Suvorov, Head of Critical Infrastructure Protection, Kaspersky Lab. “With cyber threats on the ICS shop floor, it is better to be prepared. Security incident mitigation will be much easier for those who have leveraged the benefits of a tailored security solution built with ICS needs in mind”.


'Industroyer' ICS Malware Linked to Ukraine Power Grid Attack

12.6.2017 securityweek ICS
Industroyer/CRASHOVERRIDE malware targets electrical substations - Photo Credit: Idaho National Laboratory

Researchers have conducted a detailed analysis of a piece of malware that appears to have been specially designed for cyberattacks targeting power grids. The malware is believed to have been used in the December 2016 attack aimed at an electrical substation in Ukraine.

The malware was discovered by ESET, which has dubbed it Industroyer. The company has also shared some data with ICS cybersecurity company Dragos, which tracks it as CRASHOVERRIDE and the threat actor that uses it as ELECTRUM.

Links to Ukraine power grid attacks

Malware designed to specifically target industrial control systems (ICS) is rare – Industroyer is only the fourth such threat known to the cybersecurity community. The other ICS-tailored malware families are Stuxnet, used in the 2010 attack targeting Iranian nuclear facilities, BlackEnergy, used in the December 2015 Ukraine power grid attacks, and Havex, used mainly against organizations in Europe.

While they could not confirm that Industroyer/CRASHOVERRIDE was the direct cause of the 2016 power outages in Ukraine’s Kiev region, which are believed by many to be the work of Russia, both ESET and Dragos – based on compilation dates and other data – are fairly confident that this is the malware used in the attack.

Dragos believes the ELECTRUM actor has direct ties to the BlackEnergy (Sandworm) group, and ESET pointed out that while there are no code similarities between the malware used in the 2015 and 2016 Ukraine attacks, some components are similar in concept.

Attack scenarios

Industroyer has been described as a sophisticated modular malware that has several components: a backdoor, a launcher, a data wiper, various tools, and at least four payloads. These payloads are the most interesting component as they allow the malware’s operators to control electric circuit breakers.

In one theoretical attack scenario described by Dragos in its report, malicious actors use the malware to open closed breakers in an infinite loop, causing the substation to de-energize. By executing commands in an infinite loop, the attackers ensure that operators of the targeted facility cannot close the breakers from the HMI. This can require operators to interrupt communications with the substation and manually address the issue, which could result in an outage that lasts for a few hours.

In another scenario described by researchers, the attackers initiate an infinite loop where breakers continually open and close, which can trigger protections and cause the substation to go offline. Experts believe that launching such an attack in a coordinated fashion against multiple sites could result in outages that last for a few days.
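Both loop scenarios above leave a distinctive trace in the control-command telemetry a substation already records: one point receiving far more breaker commands in a short window than any operator would issue, either the same command over and over or a rapid open/close oscillation. The following is an added example, not code from the article or from the ESET or Dragos reports. It parses a constructed command log (the log format, host names, point names, timestamps and thresholds are all assumptions) and flags points whose command rate exceeds a sliding-window threshold, reporting how many of those commands flipped the state so the two scenarios can be told apart.

```python
"""Flag breaker-command storms in a substation control-command log.

Added example for the Industroyer article; not part of the article or of
the ESET/Dragos analyses. The log format and every value below are
constructed assumptions, not real substation data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source host> <point> <command>".
# Lines 1-3 are normal operator activity. CB-301 shows the open/close
# oscillation scenario; CB-402 shows the repeated-open scenario.
SAMPLE_LOG = """\
2016-12-01T22:01:05 hmi-01 CB-101 OPEN
2016-12-01T22:09:40 hmi-01 CB-101 CLOSE
2016-12-01T22:45:12 hmi-02 CB-205 OPEN
2016-12-01T23:52:00 ws-eng3 CB-301 OPEN
2016-12-01T23:52:01 ws-eng3 CB-301 CLOSE
2016-12-01T23:52:02 ws-eng3 CB-301 OPEN
2016-12-01T23:52:03 ws-eng3 CB-301 CLOSE
2016-12-01T23:52:04 ws-eng3 CB-301 OPEN
2016-12-01T23:52:05 ws-eng3 CB-301 CLOSE
2016-12-01T23:53:10 ws-eng3 CB-402 OPEN
2016-12-01T23:53:11 ws-eng3 CB-402 OPEN
2016-12-01T23:53:12 ws-eng3 CB-402 OPEN
2016-12-01T23:53:13 ws-eng3 CB-402 OPEN
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, host, point, command) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, point, cmd = line.split()
        events.append((datetime.fromisoformat(ts), host, point, cmd.upper()))
    return events


def detect_command_storm(events, window=timedelta(seconds=60), max_commands=3):
    """Return {point: summary} for every point that received more than
    max_commands control commands inside any sliding window of `window`.

    The summary records the total commands in the window, how many of them
    flipped the commanded state (OPEN<->CLOSE), and the issuing hosts.
    A high flip count is the oscillation scenario; zero flips with a high
    count is the repeated-open scenario. Thresholds are assumed values.
    """
    alerts = {}
    recent = defaultdict(deque)  # point -> deque of (ts, host, cmd) in window
    for ts, host, point, cmd in sorted(events):
        q = recent[point]
        q.append((ts, host, cmd))
        # Drop entries that have fallen out of the sliding window. The deque
        # can never empty here because the entry just appended is at ts.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_commands:
            items = list(q)
            flips = sum(1 for a, b in zip(items, items[1:]) if a[2] != b[2])
            alerts[point] = {
                "commands": len(items),
                "flips": flips,
                "hosts": sorted({h for _, h, _ in items}),
            }
    return alerts


def describe(alerts):
    """Render alerts as one human-readable line per flagged point."""
    lines = []
    for point, a in sorted(alerts.items()):
        kind = "open/close oscillation" if a["flips"] >= 2 else "repeated command"
        lines.append(f"{point}: {a['commands']} commands, {a['flips']} flips "
                     f"({kind}) from {', '.join(a['hosts'])}")
    return lines


if __name__ == "__main__":
    for line in describe(detect_command_storm(parse_log(SAMPLE_LOG))):
        print(line)
```

The threshold of three commands per minute per point is deliberately conservative for illustration; in practice it would be tuned from the site's own command history, and the source-host field is what lets an analyst see that the flagged commands did not originate from the HMI the operators actually use.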

Industroyer/CRASHOVERRIDE components

The malware’s main backdoor component allows attackers to execute various commands on the infected system. It communicates with its command and control (C&C) servers over the Tor network and it can be programmed to be active only at specified times, which are likely mechanisms for avoiding detection.

This component also deploys a secondary backdoor disguised as a trojanized version of the Windows Notepad application. The main backdoor is also responsible for installing the launcher component, which initiates the wiper and the payloads.

The wiper is apparently designed for the final stages of the attack to help the attackers hide their tracks and make it more difficult to restore affected systems. This includes clearing registry keys, and overwriting ICS configuration and Windows files.

The payloads, which allow attackers to control circuit breakers, leverage industrial communication protocols. This suggests that at least some of the malware’s developers have a deep understanding of power grid operations and industrial network communications.

Other tools tied to the Industroyer malware include a custom-built port scanner and a denial-of-service (DoS) tool that exploits CVE-2015-5374 to cause Siemens SIPROTEC relays to become unresponsive.

While the samples analyzed by ESET and Dragos can be used to target other energy organizations in Europe and some parts of the Middle East, the malware could also be adapted for attacks targeting the North American grid.

Researchers at Dragos pointed out that while CRASHOVERRIDE appears to be designed to specifically target the energy sector, attackers could create new modules for other types of targets.