Tuesday, December 23, 2014

Hackers Seriously Damage German Steel Mill

Lost in the media coverage of the Sony cyberattack is a German government report issued last week describing a cyberattack that resulted in “massive” damage to a blast furnace at a steel mill.

We've translated the full text of the German incident description below:

APT attack on industrial plants in Germany

Facts: Targeted attack on a steel plant in Germany.

Method: Using sophisticated spear phishing and social engineering, the attacker gained initial access to the corporate network at the steelworks. From there, they moved successively into the production networks.

Damage inflicted: Individual control components failed increasingly frequently, as did entire facilities. The failures resulted in a blast furnace suffering an uncontrolled shutdown. This resulted in massive damage to the system.

Targeted groups: Operators of industrial plants.

Technical skills: The technical capabilities of the attacker were evaluated as very advanced. The compromise extended from a number of different kinds of internal systems to industrial components. The know-how of the attackers was not only very sophisticated in the field of conventional IT security, but extended to a detailed knowledge of applied industrial control and production processes.

This is a significant report. Industrial control systems (ICS) are generally built with many layers of protection – from physical safety systems, to cyber safety systems or safety instrumented systems (SIS), to equipment protection systems. These layers upon layers of systems are designed to protect not just equipment, but human life if ever an unsafe condition arises. All bets are off though, if these systems are compromised.

From the limited information in the report, it looks like at least the physical safety systems worked, since there are no reports of injuries. But the systems at the site failed to protect the blast furnace from damage. The report states that as a consequence of the attack, an uncontrolled shutdown caused “massive” damage to the blast furnace.

Evolving best practice
This attack is a clear example of why best practices are evolving toward providing sophisticated, hardware-based protections for at least SIS and protection equipment. Software security protections, such as firewalls, are notoriously vulnerable to attack. A technically sophisticated attacker can compromise software-based defenses remotely over the Internet from the comfort and safety of anywhere they please. Hardware-enforced Unidirectional Security Gateways are gaining global attention as an industry best practice, embraced and endorsed by regulations and guidelines such as NERC CIP, IEC 62443-3-3, the ANSSI guidelines and others.

When it comes to protecting ICS, soft interiors need hard shells.

See what we had to say about the NSA Director’s recent comments about the capabilities of attackers to target ICS.

Friday, December 19, 2014

NSA Director Says Cyberattacks on Critical Systems a Matter of “When, Not If”

I recently had the opportunity to review the entire testimony of Adm. Michael Rogers, director of the National Security Agency (NSA) and head of U.S. Cyber Command, to the House Intelligence Committee hearing, available at C-SPAN. It seems the purpose of the testimony was to support an information-sharing bill. Now, I prefer to focus on intrusion prevention rather than sharing information about already-detected intrusions, but still I found that the admiral said a number of interesting things relevant to modern intrusions and the capabilities of our adversaries.

For example, Admiral Rogers said, among other things, in response to a question about the capabilities of “trojan horses” found on industrial control system (ICS) networks:

“There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability to do that – to enter our systems, to enter those industrial control systems, and to shut down – forestall our ability to operate – our basic infrastructure.”

This statement was big news, given that the admiral is the highest-ranked individual in the American administration to have admitted that our critical infrastructure could be hacked. But to people working in the critical infrastructure cybersecurity field, this is not news at all. Common wisdom has it that any site can be hacked if an adversary is given enough time, enough money and enough talent to do the hacking – and nation-states generally have all three in abundance.

The growing threat of nation-states
What was more interesting to me was when Admiral Rogers elaborated on this statement. The headlines that followed his testimony were all about China having the ability to shut down critical infrastructures, but the Admiral’s comments were clear – several nation-states have this capability and others are developing it, and other groups and even individuals are doing the same. For example, Admiral Rogers said that his agencies are seeing criminal gangs starting to use the tools and techniques that have historically been attributed only to nation-states. It would appear that some nation-states are outsourcing their cyberattacks. Organized crime has a long history in the cyber-security world and is responsible for the majority of malware and botnets which plague all computers connected to the Internet. The question we’d all like to see answered is, “what else will these criminal groups use these types of attack techniques for, and when?”

Admiral Rogers repeatedly gave the example of the Shamoon malware, which erased 30,000 computers on the Saudi Aramco corporate network. Erasing hard disks on a control system network is a comparatively low-tech attack, but it is unfortunately very likely to be an extremely effective attack. Modern infrastructure generally cannot be operated without human oversight, and control system computers are essential in providing such oversight. Erase enough control system hard drives and the physical critical infrastructure – the power plant or pipeline – must be shut down.

How long will it take to bring back up? The Admiral was vague here, and for good reason. How long a site takes to recover from a Shamoon-style attack on control system computers very much depends on the physical industrial process in question, and the recovery time depends on how thorough and how well-practiced our disaster recovery plans are. Do we have current back-ups for every part of the control system? Were any programmable logic controllers (PLCs) or other devices attacked and erased? Do we have back-ups of that equipment?

Information sharing alone is insufficient
Now, the focus of the Admiral’s testimony was the current information-sharing bill, and so “information sharing” was the remediation that he returned to time and again when questioned. I believe that information sharing is a good thing, but it is far from sufficient in terms of preventing a widespread outage of critical infrastructures. Information sharing only works after we have discovered the characteristics of a compromise so surviving infrastructure sites can try to detect similar compromises before they, too, are crippled.

Information sharing does little to prevent widespread, simultaneous compromise. Imagine, for example, a bit of malware disguised as a device driver security update-checking program. The program looks harmless – it reaches out to a plausible-seeming website periodically to check for updates. (For the record, there should be no route from control computers to the Internet to begin with, but that rule of security gets broken more often than not.) Of course, the website is a sham, and when this bit of malware downloads and runs a particular update, suddenly hundreds or even thousands of infrastructure sites malfunction simultaneously. Did information sharing save us?

There is obviously a time and a place for information sharing, but for most critical infrastructure ICS networks, strong intrusion prevention is more important than information sharing. Furthermore, since it is theoretically impossible to reliably ask some firewall or other intrusion detection software to differentiate “good software” from “bad software” (or even “good messages” from “bad messages”), hardware-enforced Unidirectional Security Gateways at critical infrastructure cyberperimeters are one of the few very effective tools we have at our disposal to defeat these modern threats and persistent, remote attack patterns.

Applying new cybersecurity best practices
Strong cyberperimeter protections must be part of the security response to these critical ICS threats. Unidirectional Security Gateways are the new industrial cybersecurity best practice, most recently included in the new ANSSI cybersecurity guidelines. Information sharing is a worthwhile program, but it will not save us if all we have protecting our critical networks is software.

Want to hear the latest news impacting industrial security? Follow Waterfall Security on Twitter: @WaterfallSecure.  

Tuesday, December 9, 2014

November news roundup: Turbulent times for the U.S. power grid

The vulnerability of U.S. critical infrastructure to a state-sponsored attack was confirmed this past month, as the director of the NSA, Michael Rogers, reported that China has the capability to cause damage to the nation’s power grid. Rogers’ concern held a lot of weight, since it came after CERT’s discovery that in the fiscal year of 2014, hackers targeted the U.S. power grid up to 79 times. Similar to Rogers’ warning about China, CERT believes reconnaissance was the motivation for these attacks, where hackers plant malware within industrial control systems in order to gather information for more sophisticated attacks later. The worry for CERT and the NSA lies in what these hackers are capable of, underscoring the need for utilities to deploy stronger-than-firewall cybersecurity alternatives to ensure the safety and reliability of critical control system networks. Read about these developing stories and more in this month’s news roundup:
In arguably the month’s biggest news story, the director of the NSA and head of U.S. Cyber Command, Admiral Michael Rogers, publicly confirmed that China and “one or two other countries” have the capabilities to launch a cyberattack that would effectively shut down the United States electric grid. Rogers claimed that U.S. adversaries are already performing reconnaissance operations throughout U.S. critical infrastructure, making an attack that would harm these pre-infected industrial control systems a real possibility. Because most of these cyberthreats are likely state- and government-sponsored, Rogers says that the next step in preparation will be determining how to classify an act of war.
The latest security vulnerability to critical infrastructure comes in the form of three defects that were discovered within products manufactured by Advantech, an industrial technology developer. The three vulnerabilities include an OS command injection, a stack-based buffer overflow and a buffer overflow. Advantech has indicated that it will not fix two of the vulnerabilities. A fix has been issued for the third, but only in the latest release of Advantech software, and the fix does not work if an earlier installation is upgraded to the latest release without first erasing the device. This report highlights the continued problem of a “soft interior” in most control system networks, a problem that is often addressed with strong network cyber and physical perimeter protections.
Throughout the 2014 fiscal year, U.S. energy companies were the targets of 79 hacking incidents, reports CERT. Although this represents an overall decrease from last year’s number of 145, the fact remains that the grid is constantly under the threat of an attack. These hacks were not aimed at immediately disrupting or taking over operation systems, but there is concern that this malware gives the attackers a backdoor to grid systems where they could insert harmful programs in the future.
The Department of Homeland Security and ICS-CERT identified the Russian Trojan horse, BlackEnergy, as a threat to U.S. critical infrastructure. BlackEnergy was initially discovered within software existent amongst oil and gas pipelines, water systems and power grids, covering the spectrum of most U.S. critical industries. Consisting of the same strain of malware developed by the Russian cyberespionage group, Sandworm, investigators are almost certain that BlackEnergy can be traced back to the same group.
Check out our October news roundup for even more industrial security news.

Tuesday, December 2, 2014

Security Through Obscurity?

As I attend cybersecurity and industrial conferences across the country and world, I often hear some great questions and comments. I also sometimes hear questions that concern me very much. On a number of occasions over the past year, utility representatives, industry leaders and even regulating authorities have asked questions about exposure. No, they are not asking how to limit their attack surface. Rather, they are interested in making sure that the systems they run, build or regulate are not published to the public. Each time I hear these questions, I get a little more scared, for here is another person, perhaps even an entire company, who believes that their security depends on (at least in part) the fact that no one in the world knows where they are or what software they run. This is called “security through obscurity” and it does not work.

These questions are asked in several different ways, which explains the motivation behind such inquiries. Some want to make sure they do not need to publicly disclose the manufacturer of the control systems. Others want to submit generic RFPs so that “the bad guys” don’t know what software they are running. Some extremists even want to eliminate their facilities from online services such as Google Maps.

There’s no escaping the fact that we live in a connected world, and there are some robust tools developed by the cybersecurity community to identify and fingerprint live systems. For any host connected in almost any fashion to a network, security researchers and professionals can map the system details, which can include hardware information, such as CPU and memory; software information, such as operating system and version, and applications installed; and even location, in many cases.

There are tools such as Shodan that can allow anyone to search for industrial control systems connected to the Internet. Further, using social and business media websites such as LinkedIn, Facebook and even press releases, it is almost always possible to determine the software used within the control systems at any company. Technical forums can provide even more detail, such as version and even configuration information. 

The obscurity that we thought we had created is a myth. In many cases, the secrecy has been breached without hacking or direct access to any assets. To make a long story short, the “bad guys” already know what you are running and where. 

Of course, critical infrastructures should never publish the details of their systems, such as network diagrams or detailed device logic. However, to assume that no one knows a particular site runs GE iFix or Wonderware, for example, would be a mistake. To predicate one’s security program on the concept that no one knows this is a backwards way of thinking. Best-practice defense-in-depth security architecture should begin with the assumption that the attackers know what systems and software are running.

It is time to stop kidding ourselves into believing that only we know the details about our critical infrastructure, and it is time to start protecting our control systems. This starts by reducing the attack surface. With strong perimeter protection, proper cybersecurity awareness education and good vulnerability management as a starting point, we can go a long way in protecting the safe and reliable operation of our infrastructure. 

Want to learn more about strong cybersecurity? Check out our webinars page for a case study of a power plant.

Monday, November 17, 2014

What do concussions and cybersecurity have in common?

Recently, I attended a presentation on concussion management in youth athletics. The session was offered by two prestigious doctors from the Philadelphia metropolitan area - a neurologist and a psychologist - and provided a thorough report on concussion symptoms, the effects after one takes place, and the approved processes and procedures for managing and treating these injuries. Along with the overview came a disclaimer: while science and medicine have advanced and there are now better ways to detect, manage and recover from concussions, doctors in some states are bound to certain outdated procedures that have been codified into law.

At first, I was aghast. Imagine a physician on the bench or sidelines of the local high school’s game of the week. The doctor is trained, ready, willing and able to provide the most effective treatment to an injured child. Unfortunately, because of the regulations, the doctor is not permitted to do so without jeopardizing his right to practice medicine in his state. 

Oddly enough, this scenario seems all too familiar to me. This is a story I’ve heard many times before in my discussions with industrial facilities around the world. Much like the doctor who wants to provide the best treatment, utilities and industrial plants generally want to deploy the most appropriate cybersecurity solutions available to protect their employees, assets, and customers. However, these organizations face the same challenge as the doctors – overly prescriptive and out-of-date regulations.

Many believe regulations to be an effective means to engage utilities and industry toward cybersecurity. When first introduced, regulations are highly successful in guiding the development of up-to-date cybersecurity programs. However, over time, regulations with the best of intentions quickly become checklists to establish compliance with the legislated standard. The explicit requirements can significantly hinder innovation, which is often an unintended result. Worse still, the bodies that author these regulations – in both the medical profession and cybersecurity – tend to adapt to new technologies slowly. This hinders organizations from taking advantage of the latest research and development.

Regulations are necessary to provide guidance and to establish minimum requirements, but codifying procedures and technology sets organizations up to fail – literally. Outdated procedures and technology lead to compromised systems. To stay truly safe and secure, we must encourage regulators to become more adaptable.

We do our part at Waterfall Security to impact regulation changes.  What can you do?

Friday, November 14, 2014

Patching critical infrastructure: What Bash means for ICS security

On September 25, a bug dubbed “Shellshock” was discovered in Bash, a command shell on Unix, Linux and Mac OS X operating systems that is used heavily in scripting and for communication between one program and an operating system for certain kinds of services. Much of the media attention has centered on how Shellshock is a threat to cybersecurity in general, lumping all practice areas under one umbrella. Since critical infrastructure networks are much more difficult to patch and update than corporate networks, many control system security practitioners are wondering what, specifically, the implications of Shellshock are for control system networks, and what we can do to protect against these vulnerabilities. Surprisingly, a recent search of the Internet yielded no clear summary of the impacts of Shellshock on control networks specifically, hence this posting.

In order to be affected by Shellshock in the first place, a device must have Bash installed. Since Bash is not a standard Windows component, it’s unlikely that Windows systems will be vulnerable unless the program was installed for some reason. Mac OS X and Linux both use Bash heavily, and if any non-Linux Unix is running on a network, then Bash is also very likely deployed somewhere within that system, if not everywhere.

Here are some examples of how the Bash vulnerability might affect particular systems:
· Web servers that use CGI scripts, like Apache, transfer information like the “user agent” string directly to Bash. That string can be set in some browsers, and is easily set in many popular command-line Internet tools. The exploitation of these vulnerable web servers is trivial. This compromise can be accomplished from any IP address that has access to send a web request into the vulnerable server.
· Most Mac/Linux/Unix gear that uses DHCP on an industrial network is ripe for an attack from the local network. While most critical control systems have been drilled into using static IP addresses rather than DHCP for exactly this reason, some sites still have equipment using DHCP. If a hacker can get his hands on a laptop or other computer connected to a control network and can turn on a DHCP server on the machine, all bets are off.
· Every device that runs Linux or some other Unix derivative with Bash installed, and has a Web user interface, is vulnerable. This includes a lot of networking gear, firewalls and even some RTUs, PLCs and other equipment. Figuring out which of these firmware-based systems have Bash installed is problematic in itself. Vulnerable equipment can generally be hacked by any machine that can send a message to the Web server.

Software and firmware updates should of course only be applied to equipment on control system networks after thoroughly researching a patch’s reliability. In principle, while patches are being tested, or in some cases still being developed, all vulnerable DHCP, web and other functionalities should be disabled. This is easier said than done since it is not even clear which devices with embedded Unix-based operating systems have Bash installed at all, not to mention that some of the affected functions may be essential to the current design and operation of the control system.
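While patches are still being tested, web server access logs can at least show whether anyone is probing the CGI path described above. The following is an added example, not part of the original post: a Python scan of Apache combined-format log lines for the Bash function-definition prefix in the request line, referer or user-agent. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Apache logs embedded quotes as \" so quoted fields allow backslash escapes.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"\s*$'
)

# A vulnerable Bash treats an environment value starting with "() {" as a
# function definition. CGI copies request headers into the environment, so
# this prefix has no legitimate reason to appear in any logged field.
FUNC_PREFIX = re.compile(r'\(\)\s*\{')

FIELDS = ("request", "referer", "agent")

# Constructed sample data (documentation address ranges, payloads elided).
SAMPLE_LOG = r'''192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status.cgi HTTP/1.0" 200 312 "-" "() { :;}; <command-elided>"
198.51.100.7 - - [26/Sep/2014:10:03:45 +0000] "GET /cgi-bin/test.sh HTTP/1.0" 404 208 "() { :; }; <command-elided>" "-"
203.0.113.55 - - [26/Sep/2014:10:09:13 +0000] "GET /hmi/login HTTP/1.1" 200 1834 "-" "curl/7.38.0"
203.0.113.9 - - [26/Sep/2014:10:12:30 +0000] "GET / HTTP/1.1" 400 0 "-" "() {
'''.splitlines()


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    match = COMBINED.match(line)
    return match.groupdict() if match else None


def scan(lines):
    """Return one finding per log line that carries the function prefix.

    Lines that do not parse (truncated or hand-crafted requests often break
    the format) are still checked as raw text so they are not skipped.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            if FUNC_PREFIX.search(line):
                findings.append({
                    "line_no": line_no,
                    "host": line.split()[0],
                    "status": None,
                    "fields": ["raw"],
                })
            continue
        hit_fields = [f for f in FIELDS if FUNC_PREFIX.search(record[f])]
        if hit_fields:
            findings.append({
                "line_no": line_no,
                "host": record["host"],
                "status": record["status"],
                "fields": hit_fields,
            })
    return findings


def hits_per_host(findings):
    """Count findings per source address to prioritise follow-up."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        # A 2xx status only means the request reached a handler; it does not
        # by itself prove the handler invoked Bash or that it was vulnerable.
        print(f["line_no"], f["host"], f["status"], ",".join(f["fields"]))
    print(dict(hits_per_host(results)))
```

A hit shows that a source tried the technique, not that it worked; any flagged request that returned a 2xx status against a CGI path is the place to start checking the host itself.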

This is just another example of why many control system vendors deploy Unidirectional Security Gateways. The gateways replicate servers to external networks to provide seamless, safe integration of control system networks with corporate and other networks. IT teams can then feel free to install the latest, up-to-the-second updates to all equipment on corporate networks, including the replica servers, without putting critical operations at risk.

The takeaway here is nothing new, and yet it is underlined with each new serious vulnerability: all software has bugs, some of which are security vulnerabilities, meaning all software can be hacked. Industrial users should deploy hardware-enforced, stronger-than-firewalls perimeter protections to ensure that the next Shellshock, or dozen Shellshocks, do not expose critical infrastructures to attacks from corporate networks, and from the Internet beyond those networks.

To find out more about ICS security solutions, check out our products page here.

Monday, November 10, 2014

Waterfall/Area 81 Racing Team Podiums Twice at Goblins Go Double SARRC

Fall at VIRginia International Raceway has always been an enjoyable experience for the Area 81 Team. Cooler temps, beautiful scenery and a relaxed atmosphere make the Goblins GO SARRC a staple on the Area 81 Racing Team calendar. Both drivers stepped up on the podium for both races. Saturday's results were Richard second, Tim third. Sunday's results were swapped between the drivers with Tim taking second and Richard third. Overall a good weekend for the team.

“We made several improvements to the car since our last race here in the spring, so we were chasing setup all weekend. I qualified eighth overall and third in class for the first race, but quickly passed five cars and was third overall and second in class. The car developed under steer in Turn 6 soon after that. I hit the outside curbing and it sent the car spinning across the track. I didn't hit the tire wall but it was too close to get the car turned back on the track. We don't have reverse so it was left to the discretion of race control to get me pushed back. The car overheated during the long delay and I had to bring it in. The shunt must have affected my alignment and the car handled worse on Sunday. I spun again during the second race but was able to get back on before losing class position. I was disappointed to be several seconds slower than I was in the spring and couldn't compete for the win. I'll be ready to defend my championship in the spring. Special thanks to Matt Bell and Timmy Orr for filling in as crew in the absence of my crew chief. I couldn't have made the race without them!” -Tim Pierce, Car 18

“The newly re-paved VIR track has been a bit of challenge for me. All weekend, the car ran fine and it was certainly fast, but just lacked overall downforce for the turns. That being said, I had a decent race weekend with second place Saturday and third place on Sunday. Saturday's Race 1 was fairly uneventful after the first couple of laps I was by myself. I saw Tim go off in Turn 6 and hoped he and the car was okay. Qualifying for Sunday's race was going well and the tires had just warmed up, when I broke a throttle cable on my fourth lap. Sunday's Race 2 was full of consistent laps, however the car just lacked a bit of speed in the corners. With all the racing, I expected the new paving to get rubbered in and gain some grip, but that was not the case. Either way it was an enjoyable weekend at VIR with great weather and great social interaction within our team plus NC Region SCCA Members.” -Richard Franklin, Car 81

Next event for the Area 81 Racing Team will be the Last Chance SCCA Time Trials at Roebling Road Raceway, Savannah, GA on Nov 16-17th, 2014. Stay tuned to our website, www.Area81Racing.com, or Facebook for updates.

Wednesday, November 5, 2014

Waterfall/Area 81 Racing Takes SARRC F1000 Championship in Daytona

The 2014 points season concluded at the SARRC Invitational Challenge at the world-renowned Daytona International Speedway over the weekend. Area 81 Racing’s Tim Pierce was tied for first and Richard Franklin 11 points back in third place going into their first appearance at Daytona. Four F1000 competitors were in the running for the SARRC Championship.  After the dust settled, Tim earned his first SARRC Championship with a second-place finish and second overall. Richard would finish a respectable sixth place in class and seventh overall.

Both drivers took advantage of the Friday test day to become familiar with the track and determine car setup for the high banks of Daytona. The Saturday qualifying sessions gave the team confidence, as Richard placed second in Q1 and Tim placed second in Q2. The Sunday race ultimately featured Tim starting second and third overall, with Richard in striking distance in fifth position and seventh overall. A Formula Atlantic, who held pole position, pulled off the track with mechanical issues during the warmup lap and Tim quickly slid up into his position on the front row for the green flag. A careful start put Tim in third on the opening lap and briefly in fourth place at the halfway point, but he was able to find a rhythm with a spectacular display of determination in back and forth passes to regain second place. Richard found himself out of the draft of the front group, but kept them in sight while in a battle of his own. Unfortunately, the race was cut short a lap when a disabled car pulled off in the infield hairpin and a full course caution brought out the safety car for the checker flag.

"There is no feeling like going 154 mph on the banks of Daytona. I had no idea my car would go that fast. We had the rare opportunity to test various aerodynamic profiles on Friday. My Firman RFR-1000 has always had great mechanical grip so I thought I could remove the wing elements for minimum downforce and maximum top speed. The chain developed a tight spot on Saturday and we did not have a spare. My dad told me to just run it until it breaks. I was a little nervous between the chain and the fierce fight with two other drivers, but we ended up finishing well enough to win the championship. We have faced extreme adversity throughout the year and that makes it so much sweeter. I’d like to thank Waterfall Security Solutions, BriKy Coolers and Franklin Insurance Agency, as well as my family, my crew, and the team. This championship would not be possible without their support." -Tim Pierce, Car 18
"Congrats to Tim for a hard fought 2014 SARRC F1000 Championship. He is a talented driver and has had to overcome some unfair/unwarranted mechanical issues in the past. Consistent points scoring wins Championships, and this year it was Tim’s turn to shine. As for Daytona, I was pleasantly surprised to find myself at the top of the time sheets on Friday’s test day.  The car had plenty of speed, so we didn’t really make any changes. Unfortunately, that meant I stayed at the same relative pace, while my competitors got faster.  The race was cut short by a couple of laps right off the start by a FA stopping on course on the warm-up lap. I had a fierce battle for 5th until the yellow came out again.   As six F1000’s lined up nose-to-tail, I was looking forward to taking advantage of the big draft on the restart, but by then the 12 lap race was over.  Reflecting on the year, I’ve still had a good SARRC racing season, with plenty of wins and podiums. Many thanks to my family, crew and sponsors; Waterfall, BriKy Coolers and Franklin Insurance Agency for making it all possible." -Richard Franklin, Car 81    

Want to know where you can see the Area 81 Racing team? Stay tuned to www.Area81Racing.com and Facebook for updates.

Monday, November 3, 2014

October news roundup: Are we ready for cyberwarfare?

The rising likelihood of cyberwarfare has been a prominent topic over the last couple of weeks in industrial cybersecurity press. The reports that politically-motivated hackers have no reservations when it comes to launching large-scale cyberattacks against a nation’s critical infrastructure did not mesh well with the news that most industrial control systems are understaffed and underprepared for the possibility of cyberwarfare. Attacks have become increasingly sophisticated, and hackers are determined to get around common firewall defenses through whichever means possible. Overall, this makes the ensured protection of our critical infrastructure all the more important. Here are some recent reports on the topic:

The lack of cyberattacks that have been directed at industrial control systems (ICS) in the past has made them extremely susceptible to future attacks, according to SC Magazine’s correspondent at the Stockholm International Summit on Security in ICS. Because control systems aren’t under attack from advanced threats, such as malware, nearly as much as large enterprises are, the likelihood of a successful hacking attempt is troublingly high. According to the article, there’s little incentive among critical infrastructure security professionals to fix a crisis that hasn’t occurred yet.

The motives behind hacker groups Dragonfly and Energetic Bear may have been misinterpreted all along, according to a new report from Dark Reading. The article claims that compromised companies were not from the critical energy sector, but rather suppliers for OEMs that served pharma and biotech. Dragonfly’s malware concentrated on uploading malicious code into systems that would reflect real-world ICS configurations. The targeted companies’ “trojanized” computers were connected to industrial control system utilities and drivers.

Stewart Baker, a former general counsel for the NSA, warns the industry that organizations have no reservations toward using cyberweaponry as a means to gain power on the international stage. This suggests that the future of international disputes will be settled on a digital battlefield, with the primary target being critical infrastructure, an area where knowledgeable political hackers know they can do a lot of damage.

Security professionals have discovered that Sandworm, a hacking organization with links to Russian cyberespionage, is likely using malware to go after industrial SCADA systems that run products from GE Intelligent Platforms. Researchers from Trend Micro claimed that the hackers used files that run through the CIMPLICITY application in order to gain closer access to the programs that run in conjunction with SCADA systems.

Peter Behr and Blake Sobczak look at how a large number of basic vulnerabilities affecting power grids, factories and pipelines have gone largely unaddressed. This is a result of the sensors and remote controllers that play a huge role in transferring vital data throughout ICS being built without cybersecurity in mind. Thus, critical infrastructure is left with a gaping flaw in security by the design of the systems themselves.

Want to read more? See what we had to say about cyberwarfare earlier this year.

Monday, October 27, 2014

Waterfall Security named to Deloitte’s Israel 2014 Technology Fast50

The past few years have been quite the wild ride for Waterfall Security, as we’ve grown tremendously in several ways. The hard work of the entire team has paid off handsomely, and we were recognized for this success with the number 20 spot on Deloitte’s annual Israel Technology Fast50 ranking, which honors the 50 fastest growing private and publicly held technology companies in Israel, based on five years of revenue growth. It’s a testament to our commitment to the safety and reliability of critical control systems, and a validation of our stronger-than-firewalls suite of Unidirectional Security Gateway products.

Industry awareness of Unidirectional Security Gateways has taken off, and we’ve been flooded with inquiries and demo requests. Critical infrastructure sites around the world are recognizing the need to deploy stronger, hardware-enforced perimeter protections as an industry best practice in order to ward off today’s evolving targeted persistent attacks (TPAs). Our conversations with existing customers and prospects led to the development of new applications leveraging the technology.

In late 2013, we unveiled the Waterfall for Bulk Electric System (BES) Control Centers, which protects two-way communications with BES Control Centers, such as power grid Balancing Authorities and Reliability Coordinators. We also announced the Waterfall FLIP, which allows the user to temporarily flip the direction of a Unidirectional Security Gateway to send communications back into a protected control system network. Our latest enhancement to these technologies is the just-announced Application Data Control, which adds a new layer of security in the management of application layer data by applying rules, policies and verification tests to application data flowing between IT business networks and OT industrial networks. The solution addresses the risks of both data exfiltration attacks and targeted, cybersabotage attacks against industrial networks.

We look forward to a busy and productive 2015, with plans to expand into new verticals and regions. As attack tactics continue to evolve, Waterfall will continue to deliver stronger-than-firewalls solutions to critical infrastructures to enable the safe and continuous operation of control system networks.

Learn more about our suite of stronger-than-firewalls products.

Friday, August 15, 2014

Remote Access Best Practices

Common wisdom is that “if I have a firewall and encryption, I must be safe.” Virtual private networks (VPNs) are seen as the solution to the remote access problem, but this common belief is very much mistaken. Viruses, malware and online attacks move through encrypted VPN connections as easily as they can move through un-encrypted local area networks (LANs). The whole point of a VPN is to make remote users feel as though they are locally connected to trusted LANs. Encryption provides protection against data theft, data manipulation, and man-in-the-middle attacks, but it provides zero protection against attacks from either the networks they connect, their workstations, or their endpoints. Laptops, workstations and mobile devices used for remote access are notoriously prone to compromise.

Now to be fair, understanding of remote access risks varies greatly. Some utilities very much do “get it” and have deployed powerful remote access protections. The Department of Homeland Security (DHS) Catalog of Control System Security: Recommendations for Standards Developers provides much better advice than just “use a firewall and VPN.” The North American Electric Reliability Corporation (NERC) 2011 Guidance for Secure Interactive Remote Access is even better – in fact, it’s pretty good, as it even starts to mention more advanced and appropriate protections.

One of these more advanced protections is the hardware-enforced industrial cyberperimeter, which is Waterfall’s focus. All software has bugs, and some bugs are security vulnerabilities. In practice then, all software is vulnerable. The Heartbleed bug and the second set of OpenSSL bugs make this point in spades. These bugs allowed attackers to steal private security keys from public-key cryptosystems used by a large fraction of the world’s websites, and in fact used by OpenSSL-based VPN implementations, as well. Since the bugs were announced, I have spoken to many experts about them. Not one believes that this vulnerability lay in wait, un-exploited, these last many years. Governments and organized crime rings all over the world have spent billions over the last decade to develop sophisticated attack tools, and to find and exploit zero-day attacks. For example, the latest Wikileaks revelation is that the NSA has a list of vulnerabilities able to compromise pretty much every firewall in existence.

All software is vulnerable. Software protections have failed repeatedly to protect IT networks. Why, then, should we trust software to protect critical control system networks, especially when hardware-based protections are available? Unidirectional Gateways replicate industrial servers for painless, safe and continuous remote monitoring. Remote Screen View lets remote personnel see the screens of critical machines, and participate in emergency problem resolution by directing the actions of local personnel over the phone in real time. Even a simple Secure Bypass device adds enormous value to an emergency VPN capability. No remote user should have the power to initiate a remote connection into a protected, critical network without the knowledge and participation of personnel at the industrial site. And no targeted attacker should have the power to initiate a remote connection to an industrial site simply by attacking software.
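One way to check the rule that no remote session should start without the participation of site personnel, as an added example that is not part of the original post: it pairs connect and disconnect events from a VPN log and flags sessions that no site-opened approval window covers. The log format, field names, user names and site names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data. Log format and field names are assumptions.
VPN_LOG = """\
2014-08-11T02:14:09 user=vendor_tech1 dst=plant-A action=connect
2014-08-11T02:58:40 user=vendor_tech1 dst=plant-A action=disconnect
2014-08-12T14:03:00 user=eng_smith dst=plant-A action=connect
2014-08-12T14:41:10 user=eng_smith dst=plant-A action=disconnect
2014-08-13T09:00:00 user=vendor_tech1 dst=plant-B action=connect
2014-08-13T11:30:00 user=vendor_tech1 dst=plant-B action=disconnect
"""

# Constructed approval windows opened by on-site personnel:
# (site, user, window start, window end).
SITE_APPROVALS = [
    ("plant-A", "eng_smith", "2014-08-12T14:00:00", "2014-08-12T15:00:00"),
    ("plant-B", "vendor_tech1", "2014-08-13T08:55:00", "2014-08-13T10:00:00"),
]


def parse_sessions(log_text):
    """Pair connect/disconnect events into (user, site, start, end) sessions."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        key = (fields["user"], fields["dst"])
        when = datetime.fromisoformat(stamp)
        if fields["action"] == "connect":
            open_sessions[key] = when
        elif fields["action"] == "disconnect" and key in open_sessions:
            sessions.append((*key, open_sessions.pop(key), when))
    # A connect with no disconnect is still open: report it with end=None.
    sessions.extend((*key, start, None) for key, start in open_sessions.items())
    return sessions


def audit(log_text, approvals):
    """Return (user, site, start, reason) for sessions the site did not cover."""
    windows = [(s, u, datetime.fromisoformat(a), datetime.fromisoformat(b))
               for s, u, a, b in approvals]
    flagged = []
    for user, site, start, end in parse_sessions(log_text):
        match = [w for w in windows
                 if w[0] == site and w[1] == user and w[2] <= start <= w[3]]
        if not match:
            flagged.append((user, site, start.isoformat(), "no site approval"))
        elif end is None or end > max(w[3] for w in match):
            flagged.append((user, site, start.isoformat(), "ran past approved window"))
    return flagged


if __name__ == "__main__":
    for row in audit(VPN_LOG, SITE_APPROVALS):
        print(row)
```
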

Hardware-based remote access protections are more powerful than software-based protections, and are far simpler. Serious software-based protection is not easy at all, and as hard as it is to implement, those protections can never be as thorough as simple hardware-based protections.

The time for hardware-based protections has arrived. Why is everyone still talking about software?

For more information on products for protecting your critical infrastructure site from the Heartbleed vulnerability and other remote access pain points, please click here.

Tuesday, April 29, 2014

The Security Risks of Remote Access and “Cloud Control Systems”

Today, Waterfall Security has the privilege of participating in a panel at the Federal Energy Regulatory Commission (FERC) Technical Conference to discuss technical and operational issues in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standards that the commission approved in late 2013. While Waterfall supports the improvements made in NERC CIP Version 5 over previous versions, we have expressed concerns over the cybersecurity of central turbine monitoring systems and other types of interactive remote access. 

Most turbine vendors require continuous monitoring of operations as a condition of hardware warranties and hardware support contracts. Turbine vendors generally also require that sites allow occasional remote control of the turbines to correct vibration and other anomalies that might grow into catastrophic failures. This continuous monitoring and occasional remote access is most often enabled by an encrypted virtual private network (VPN) tunnel connected directly from the central monitoring site to the turbine owner’s control system network. This tunnel generally bypasses all of the owner’s corporate security technologies. This means that there is only one layer of security between any vendor-monitored turbine anywhere in the world – even those turbines not under the jurisdiction of NERC CIP – and any vendor-monitored turbine in the U.S. Further, the remote access permissions that sites grant to vendor monitoring and diagnostics centers are much more intrusive than the Inter-Control Center Communications Protocol (ICCP) set point permissions that are typically granted by generating utilities to BES Control Centers. This makes no sense though. The CIP Version 5 standards require many technical security controls for BES Control Centers, but the central vendor sites are not held to the same standards. In fact, there are currently no technical security measures required of central vendor sites.

These concerns reflect a deeper issue around interactive remote access from any one site or laptop to a large number of similar targets in the Bulk Electric System (BES). In many utilities, there is a set of senior engineers’ laptops which are configured with “occasional” on-demand access to any of hundreds of generating and substation/switching sites via VPN. In addition, many control system technology vendors, not just turbine vendors, are setting up central “monitoring and diagnostics” sites for their products. While individual remote access is a security problem, should an attacker take advantage of an opening, these risks are multiplied when one site or one laptop has access to hundreds of such VPN connections.

This issue is easily resolved through a combination of hardware-enforced Unidirectional Security Gateways configured with unidirectional Remote Screen View capabilities. Since the gateways enable one-way communication channels out of the control system, there is zero risk of a cyberattack getting back in. Vendors who need to fix anomalies can call the affected site and turn on screen sharing through Remote Screen View to see site screens and to direct engineering personnel to correct the problems.

Waterfall has formally submitted these comments in a prepared statement for the April 29 FERC Technical Conference. It is our hope that FERC and NERC will take a deeper look into the risks posed by central turbine monitoring and remote access systems, and will take the appropriate measures to mitigate these threats to the reliability of the BES.
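To make the fan-out concern above measurable, the following added example (not part of the original post or of Waterfall's statement) audits an inventory of remote-access grants. It reports how many sites each remote source reaches and which sites are only one compromised remote source away from each other. The inventory layout, source names and site names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: one row per remote-access grant.
# Fields: remote source, site, permission ("monitor" or "control"),
# and whether the tunnel terminates directly in the control network
# (bypassing corporate security layers).
GRANTS = [
    ("vendor-md-center", "plant-A", "control", True),
    ("vendor-md-center", "plant-B", "control", True),
    ("vendor-md-center", "plant-C", "monitor", True),
    ("eng-laptop-07", "plant-A", "control", False),
    ("eng-laptop-07", "substation-12", "control", False),
    ("historian-replica", "plant-C", "monitor", False),
]


def fan_out(grants):
    """Per remote source: sites reachable, sites controllable, direct tunnels."""
    summary = defaultdict(lambda: {"sites": set(), "control": set(), "direct": set()})
    for source, site, permission, direct in grants:
        entry = summary[source]
        entry["sites"].add(site)
        if permission == "control":
            entry["control"].add(site)
        if direct:
            entry["direct"].add(site)
    return dict(summary)


def shared_hub_peers(grants):
    """For each site, the other sites reachable through a shared remote source."""
    by_source = defaultdict(set)
    for source, site, _permission, _direct in grants:
        by_source[source].add(site)
    peers = defaultdict(set)
    for sites in by_source.values():
        for site in sites:
            peers[site] |= sites - {site}
    return dict(peers)


def findings(grants, max_sites=1):
    """Sources whose compromise reaches more than max_sites sites, worst first."""
    rows = []
    for source, entry in fan_out(grants).items():
        if len(entry["sites"]) > max_sites:
            rows.append((source, len(entry["sites"]),
                         len(entry["control"]), len(entry["direct"])))
    # Rank by controllable sites, then by total sites, then by name.
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for source, n_sites, n_control, n_direct in findings(GRANTS):
        print(f"{source}: {n_sites} sites, {n_control} with control, "
              f"{n_direct} direct tunnels")
    for site, others in sorted(shared_hub_peers(GRANTS).items()):
        print(f"{site} shares a remote source with: {sorted(others)}")
```
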

Friday, March 14, 2014

What the end of Windows XP support means for industrial cybersecurity

We are now in the final month of Microsoft offering support for its Windows XP operating system, which presents a new security challenge for the great many control systems still running XP. Without support, XP control systems will not receive regular security updates, making them susceptible to cyberattacks. Control systems running older versions of XP will of course be no less secure than they already are.

This shouldn’t be news to any utilities using Windows XP, as Microsoft is pretty transparent about the Windows lifecycle. (Set your calendars now for April 11, 2017, Windows Vista users, however few of you are.) Despite knowing that support is ending, laggards among control system vendors are still shipping new products on Windows XP, demonstrating an “if it ain’t broke, don’t fix it” attitude. Well, Windows XP is now officially broken.

Utilities aren’t exactly early adopters when it comes to new operating systems — and with good reason. With every new operating system comes a host of bugs and glitches that put reliability-critical and safety-critical systems at risk. When Windows 8 was released, the control system world watched and learned as corporate information technology (IT) teams struggled with it while the kinks were ironed out. Only once a technology is proven and the reliability risks well-understood do we start seeing industrial customers begin to deploy the technology. This shaves at least a few years off the lifespan of operating systems in the industrial world compared with the corporate world.

This has long been a problem with no simple solution and reflects a larger debate surrounding the issue. Upgrading an industrial control system to the latest operating system is generally impossible, as the old version of software generally does not run the same (or run at all) on a new operating system. Regularly upgrading to new versions of control system software is often cost-prohibitive, due to the resources needed to test a change that big. The testing cost of installing regular security updates at all is prohibitive in complex environments with serious safety and reliability concerns.

For the foreseeable future, and very possibly indefinitely, a great many control systems will continue to suffer from a very “soft interior” security-wise. Compensating measures in the form of strong physical security perimeters and strong cybersecurity perimeters continue to be far more important in preventing attacks on control system networks than they are for corporate IT networks. One compensating measure we see being deployed ever more widely is hardware-enforced Unidirectional Security Gateways, which allow business-critical industrial data to flow in one direction out of a protected network, without any chance of an attack getting back in through the equipment.

The day is upon us. If our control system has a soft interior, we had better put a hard shell around that interior if we want to stay safe.

Read more about how Unidirectional Security Gateways can protect critical infrastructures.    

Wednesday, March 5, 2014

Desperately Seeking SCADA

Shodan, “the scariest search engine on the Internet,” was back in the news this month with the launch of Shodan Maps. For those unfamiliar, Shodan tracks devices that are connected to the Internet, including SCADA and industrial control systems (ICS). Now, instead of just identifying these systems, searchers can see where they’re located. This is troubling, as it gives our adversaries physical directions to what appear to be poorly defended critical infrastructure systems. 

Fortunately, Shodan isn’t designed for your average Googler. Those who are capable of carrying out a large-scale cyberattack against critical infrastructure sites, though, will have the technological knowhow to navigate the search engine. Researchers with Project SHINE have identified more than 1 million IP addresses globally that are potentially associated with SCADA and ICS devices. However, at the recent Public Safety Canada ICS Security Workshop, it was reported that the DHS investigated the 500,000 American IP addresses SHINE reported, and found that only a little more than 7,000 were real control system equipment. While this is a small percentage of the original number, it is still a disturbing amount of equipment.

The issue remains: in a constantly connected universe, any system that is connected directly or indirectly to the Internet is vulnerable to attack. Operators of large-scale control systems recognize this and bury those systems behind layers of firewalls, but firewalls aren’t enough to defend against modern-day cyberthreats. Firewall vulnerabilities are well known to anyone with a modest security background, and the problem of control systems connected to the Internet is made worse by exposing them via a search engine.

The best-defended control systems, such as those at every American nuclear plant and an even larger number of conventional power plants, have installed Unidirectional Security Gateways, a stronger-than-firewall technology that thoroughly protects control systems from Internet attacks, however indirect they are. That someone with average skills can locate Internet-exposed control systems should inspire any utility manager to improve defenses.

See how unidirectional security gateways can deliver true security.


Monday, February 3, 2014

S4 Takeaway: Differences between North America and Europe

I've had a week now to reflect on my experience at Digital Bond's 2014 S4 conference and compare it to others I had last quarter. I spent almost all of Q4 2013 on the road with customers and at conferences, both in North America and Europe. While it is unfair to paint either region with one brush, I do see broad differences in the level of understanding of industrial cybersecurity issues.

For example, in North America, I rarely have to explain why cybersecurity is important to industrial sites. I am often asked to relate what the latest developments are, how they fit into the overall risk and solution picture, and how various debates in the industrial control system (ICS) security field are evolving. I also tend to see people working to understand how the latest developments fit into their understanding, and deciding what these developments suggest as to how organizations need to evolve their security programs.

Compare that with Europe, where interactions with representatives of critical infrastructure owners and operators tend to be more challenging. Operations teams will often say that security is an IT problem. However, IT is busy deploying privacy-focused security technologies on operational and control system networks with limited success. Both groups struggle to see how state-of-the-practice OT security technology, like Unidirectional Gateways, fits in their IT-style integrated systems and IT security programs. The widely known, very effective techniques used to break into IT-style networks are a risk Europeans tend to discount.

In hindsight, my experience at S4 really highlighted these differences. The programs and discussions were all about control systems and issues and solutions specific to them. For example, I'd been hearing about the DNP3 news second-hand, and was really looking forward to Chris Sistrunk's presentation of his and Adam Crain's work. "Ahh," I thought, "they used a fuzzer! And against master stations, not remote terminal units. Of course they found vulnerabilities – good for them! More work like that needs to be done." And then there was the "risk-based" debate regarding the NIST cybersecurity framework, which crystallized the understanding that cyber risk assessment really does need to be different for critical infrastructure sites versus other kinds of industrial sites.

To be fair, there are other large (by ICS cybersecurity standards) and high-quality events on the slate every year in North America – NERC's GridSecCon, the SANS SCADA events, the ACS Cyber Security Conference and the DHS ICSJWG events all spring to mind. Many Europeans attend and contribute to these events and to S4 – the real leaders in Europe are no slackers. But S4 seems to be where the world's technical leaders get together to argue things out. Differences between experts remain when the day is over, of course, but at least everyone goes away armed with the latest data and counter-arguments.

Admittedly, my experience in Europe is limited. I've only just started attending events and visiting European customers, and there is a spectrum of sophistication in a region this large and diverse. For example, one meeting I had with senior government and industry leaders in the UK earlier this year was impressive. I did not have to explain to them why security was important or how control systems were different – they were the ones asking me the hard questions, testing my answers and seeing how my information fit into their understandings and plans.

On average though, I have the impression that there is more awareness-level work to do in Europe than there is in North America. Look for greater Waterfall participation in European industrial cyber-security events, as well as standards, guidance and research efforts.

By the way: business is booming. We're swamped. Waterfall is hiring. Not all the jobs are posted yet. Drop us a note if you enjoy working hard, doing important work and being on the road a lot:  jobs@waterfall-security.com