Monthly Archives: November 2016

Update on IIoT Security Basics

27 November 2016

The number one vulnerability on the OWASP IoT Top 10 from 2014 was “Insecure Web Interface”. The OWASP IoT Project makes the suggestions below to mitigate these vulnerabilities:

A secure web interface requires:

  1. Default passwords and ideally default usernames to be changed during initial setup
  2. Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
  3. Ensuring web interface is not susceptible to XSS, SQLi or CSRF
  4. Ensuring credentials are not exposed in internal or external network traffic
  5. Ensuring weak passwords are not allowed
  6. Ensuring account lockout after 3-5 failed login attempts

Recommendation (1) is much too weak. Customers must be forced to change passwords during initial setup.

Why? In many cases customers are simply not aware of the fact that a device is accessible from the internet. For example, HMI touchscreens are often remotely accessible through built-in web services:

(Image: SIMATIC HMI Panel)

This HMI panel is well configured: a login to the system is required, e.g. for access to the files.

But the default login password is publicly available from SIMATIC discussion forums and wasn’t changed during setup of the device:

(Image: SIMATIC HMI Panel File System Browser Details)

With this, rule (1) above as worded will not prevent any attacks on IIoT devices. Customers must be forced to change passwords as soon as the device network adapter is powered up and connected to the company network or the internet.
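The following is an added example, not code from the original post or from any vendor: a minimal login policy for a device web interface that enforces the stronger version of rule (1) argued for above (the factory credentials cannot be used beyond the first login), together with rules (2), (5) and (6) (no hint whether the username exists, weak passwords rejected, lockout after a few failed attempts). The factory defaults, the common-password list, the thresholds and the class name are assumptions for illustration.

```python
"""Added example: forced change of factory credentials, weak-password rejection
and lockout for a device web interface. All defaults and thresholds are
constructed for illustration; they are not taken from any product."""

import hashlib
import hmac
import os
import time

FACTORY_USER = "admin"          # constructed factory default
FACTORY_PASSWORD = "admin"      # constructed factory default
MAX_FAILED_ATTEMPTS = 3         # OWASP suggests lockout after 3-5 failures
LOCKOUT_SECONDS = 300           # assumed lockout window
MIN_PASSWORD_LENGTH = 12        # assumed minimum length
# Constructed list of passwords that must never be accepted.
COMMON_PASSWORDS = {"admin", "password", "123456", "12345678", "welcome"}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked credential store is not trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceLogin:
    """Credential state of one device: starts with factory defaults that must
    be replaced before the interface grants normal access."""

    def __init__(self):
        self.username = FACTORY_USER
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(FACTORY_PASSWORD, self.salt)
        self.must_change = True      # factory credentials still in place
        self.failed = 0
        self.locked_until = 0.0

    def is_weak(self, password: str) -> bool:
        return (len(password) < MIN_PASSWORD_LENGTH
                or password.lower() in COMMON_PASSWORDS
                or password.lower() == self.username.lower())

    def login(self, username: str, password: str, now: float = None) -> str:
        """Returns 'locked', 'denied', 'must_change_password' or 'ok'."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        # Both comparisons always run (bitwise &, not short-circuit 'and'), and
        # the reply is the same 'denied' for a bad username and a bad password,
        # so the interface does not reveal which accounts exist (rule 2).
        ok = (hmac.compare_digest(username.encode(), self.username.encode())
              & hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash))
        if not ok:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failed = 0
                return "locked"
            return "denied"
        self.failed = 0
        if self.must_change:
            # Correct factory credentials only open the change-password page.
            return "must_change_password"
        return "ok"

    def change_credentials(self, new_username: str, new_password: str) -> bool:
        """Accepts the new credentials only if the password is not weak (rule 5);
        both username and password are replaced (rule 1)."""
        if self.is_weak(new_password):
            return False
        self.username = new_username
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(new_password, self.salt)
        self.must_change = False
        return True
```

In a real device this state would be persisted in the firmware's credential store and the `must_change` flag would also block every other web route until the change has been made, so that the factory password never grants access to the file system browser shown above.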

Have a good week!

If one can ping an industrial controller, one can stop it

12 November 2016

On Wednesday I watched the Indegy webinar “How a new PLC Simulator vulnerability can compromise SCADA/ICS networks?”. The webinar dealt with a recently detected vulnerability in a simulator software.

Simulators are used for verification and validation of changes to process control systems (PCS) before the changes are applied to the PCS. If the changes pass the tests, it is very likely that they will have no negative impact on the PCS and thus on the safety of the process. Simulators are executed on the Engineering Station, which is directly connected to the control system and to the production network.

PCS are very specialized real-time industrial computer systems. They lack the security features we know from office IT, e.g. authorization, authentication and malware protection.

The slide below brings it straight to the point:

(Slide: The Center of Gravity in the ICS Domain)

With this, the isolation of the Engineering Stations and the PCS in separate network zones is the key to security in the ICS domain. Access to these networks must be limited to authorized staff and routed through a few strictly controlled access paths.

And with this, the first commandment of office IT security, “Thou Shall Patch”, becomes less important in industrial IT (OT) security. “Thou Shall Isolate”, across the entire OSI stack, is the first commandment of OT security.
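As an added example (not from the webinar or the post, and not a real plant layout), the zone rule above can be turned into a simple check over exported flow records: any connection into the PCS or Engineering zone that does not come through the permitted access path is flagged. The zone addresses, the jump host, the allowed paths, the log format and the sample lines are all constructed for this illustration.

```python
"""Added example: flag flows that cross into the PCS or Engineering zone
outside the permitted access paths. Zones, addresses, log format and sample
lines are constructed for illustration only."""

import ipaddress

# Constructed zone model. The PCS network may only be reached from the
# Engineering zone, and the Engineering zone only via a single jump host.
ZONES = {
    "pcs":         ipaddress.ip_network("10.10.0.0/24"),
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "office":      ipaddress.ip_network("10.30.0.0/24"),
}
JUMP_HOST = ipaddress.ip_address("10.40.0.5")   # constructed address

# Permitted (source zone, destination zone) pairs; any other flow into a
# protected zone is a violation of the isolation rule.
ALLOWED_PATHS = {
    ("pcs", "pcs"),
    ("engineering", "pcs"),
    ("engineering", "engineering"),
    ("jump", "engineering"),
    ("office", "jump"),
}
PROTECTED_ZONES = {"pcs", "engineering", "jump"}


def zone_of(ip_str: str) -> str:
    """Maps an address to its zone name; unknown addresses are 'external'."""
    ip = ipaddress.ip_address(ip_str)
    if ip == JUMP_HOST:
        return "jump"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line: str) -> dict:
    # Constructed record format: "<time> <src_ip> > <dst_ip> proto=<p> dport=<n>"
    fields = line.split()
    return {
        "ts": fields[0],
        "src": fields[1],
        "dst": fields[3],
        "proto": fields[4].split("=", 1)[1],
        "dport": int(fields[5].split("=", 1)[1]),
    }


def check_flows(lines) -> list:
    """Returns one human-readable finding per flow that enters a protected
    zone from a source zone that is not on the allowed path list."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if dst_zone in PROTECTED_ZONES and (src_zone, dst_zone) not in ALLOWED_PATHS:
            findings.append(
                f"{f['ts']} {src_zone}->{dst_zone}: {f['src']} -> {f['dst']} "
                f"{f['proto']}/{f['dport']}"
            )
    return findings


# Constructed sample flows: an engineering-to-PCS session, an office user
# reaching the jump host and the jump host reaching an Engineering Station
# are fine; a ping from the office network straight to a controller and an
# internet address reaching an Engineering Station are not.
SAMPLE_FLOWS = """\
12:00:01 10.20.0.7 > 10.10.0.15 proto=tcp dport=102
12:00:02 10.30.0.44 > 10.40.0.5 proto=tcp dport=3389
12:00:03 10.40.0.5 > 10.20.0.7 proto=tcp dport=3389
12:00:04 10.30.0.44 > 10.10.0.15 proto=icmp dport=0
12:00:05 203.0.113.9 > 10.20.0.7 proto=tcp dport=3389
"""

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS.splitlines()):
        print(finding)
```

The point of the check is the one made in the post title: the flow on line four is only a ping, but a host in the office zone should not be able to reach a controller at all, at any OSI layer, so the violation is the reachability itself, not the protocol used.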

Have a good weekend, and enjoy the webinar.

NSS Labs Tests Leading Web Browsers for Secure End User Experience

6 November 2016

On November 1, 2016 NSS Labs published the 2016 Web Browser Security Comparative Test Report. Two tests with the most popular browsers (Google Chrome Version 53.0.2785, Microsoft Edge Version 38.14393.0.0 and Mozilla Firefox Version 48.0.2) were run to check how effectively they deal with socially engineered malware (SEM) and phishing attacks. The results are of interest for end-users because the built-in browser features were evaluated in the test.

When it comes to protection against phishing attacks, the time needed until a URL is blocked is important. Microsoft Edge is the browser of choice, followed by Firefox and Chrome.

In the second test the protection against Socially Engineered Malware was evaluated. Again, the average time to block the malware is of great importance, and again, Microsoft Edge is the browser of choice, followed by Chrome and Firefox. The average time to block is 0.16 hours for Microsoft Edge, 2.66 hours for Chrome and 3.76 hours for Firefox.

Happy reading, and have a good weekend.

New York’s Cybersecurity Requirements for Financial Service Companies are a real game changer

1 November 2016

In the post ‘Learn How the NYDFS Cybersecurity Regulations Will Impact Your Company’ Shawn E. Tuma talks about the impact of the New York Department of Financial Services Cyber Security Regulation on daily business.

Negotiating service contracts and working with third parties will require considerably more effort after the entry into force of the regulation. But a regulation has long been overdue, at least since the details of the Target data breach in December 2013 became known.

From a security point of view the Cybersecurity Regulation is a real game-changer. Some concepts are borrowed from the ISO 27001, but in some areas the NYDFS Cybersecurity Regulation goes much further than the ISO requirements.

The scope of the regulation, Nonpublic Information, is clearly and sufficiently broadly defined in section Definitions (500.01). In my opinion, the focus on Nonpublic Information might create blind spots because significant damage can be caused by compromised Public Information as well.

Section 500.02 demands the implementation of a Cybersecurity Program. The program shall be designed to

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

The requirement to ‘mitigate any negative effects’ is new, and will have a major impact on IT security operations.

Section Audit Trail (500.06) requires the implementation of a Privileged Account Management (PAM) solution.

Section Multi-Factor-Authentication (500.12) states where Multi-Factor Authentication (MFA) is required. Unfortunately, MFA is not mandatory for access to non-web applications. I would prefer to secure all applications with MFA.

The strict application of the Principle of Least Privilege, which is demanded in section Access Privileges (500.07), for access to Nonpublic Information is a big step forward.

All in all, the Cybersecurity Requirements for Financial Service Companies are a big step forward towards increased cyber security. If implemented well, the likelihood of data breaches will decrease dramatically.

If your company is currently implementing a cyber security program, it definitely makes sense to take a closer look at this regulation. It can easily be adapted to any type of business.

Have a good day.