Category Archives: Advice for SMEs

German firms lost millions of euros in ‘CEO Fraud’ scam: BSI

23 July 2017

The report ‘German firms lost millions of euros in ‘CEO Fraud’ scam: BSI’ published in the Reuters Technology News on 10 July 2017 makes me really worry. Whaling, a special form of spear phishing aimed on corporate executives, is not new at all. For some samples see this slide show on CIO.com.

It appears to me that in Germany the first line of defense, the employees, are not adequately prepared in the detection and the correct handling of phishing attacks, even though anti-phishing training is the most effective and cost efficient defensive measure in the fight against all kinds of phishing.

In addition, some rules are helpful and should be communicated to all employees:

  1. Users should never act on a business request from a company executive if the email is not signed with a company owned and valid email certificate.
  2. Users should never trust an email of a business partner if it is not signed with the partners valid email certificate.

Technical implementation is very easy, thus even SMB can use email signing in daily communication.

Have a great week.

Some thoughts on “Ransomware a real risk for SCADA networks”

5 June 2017

By now the ‘Air gapping’ myth should be expunged from every ICS/SCADA manager on earth.” I really like this statement from Daniel Cohen-Sason, published on 23 May 2017 in the CYBERBIT blog.

From my point of view, the ‘Air Gap’ era ended with the introduction of portable engineering stations about 30 years ago.

Modern OT networks are often designed on the basis of the ISA 95 Standard with network zones and security devices, e.g. firewalls, to control the communications flow between the process control and SCADA systems across the zones. Modern production requires a lot of Machine-to-Machine (M2M) communication between the production networks zones and between the production network and the business network. Besides this M2M communication Human-to-Machine (H2M) communication is required, e.g. for operator access from the business network and for remote maintenance.

For M2M and H2M interaction communication channels must be opened on the firewalls. With this, there is always a chance that malware can spread across such required connections. Furthermore, cyber attackers can gain access, e.g. through remotely exploitable vulnerabilities, after they hijacked a M2M communications endpoint in the business network. We dealt with this very effectively in the past 20 years.

Many of the required connections use the SMB protocol for exchange of data. That’s no problem per se. The problem is, that we still use Windows 7 and Windows Server 2008 in the manufacturing industry which cannot work with the latest versions of the SMB protocol for data exchange.

Since WannaCry exploited a vulnerability in SMB version 1.0, it was only a matter of time before WannaCry would find its way across a required connection from the business network to the production network.

How to deal with the problem?

  • Priority patching.

The systems at the border between the business network and the production network must me patched with highest priority. Although this is somewhat tricky to achieve in WSUS, it’s worth to deal with this WSUS feature. In addition to the operating system components, all application components must be patched as well. The same applies to Linux based systems.

  • Deactivating SMB.

Is a great means in the case of an emergency, and part of a long-term data exchange strategy.

  • Set up asset and vulnerability management.

At least all systems at the endpoints of required M2M and H2M connections must be included. This enables you to evaluate the scale of the problem in the case of a new vulnerability.

  • Faster innovation cycles.

At least for the systems at the perimeter of the production network we must allow for shorter innovation cycles. With Windows 8, Windows 10, and Windows Server 2012, new versions of the SMB protocol are used which are not affected by WannaCry. Don’t forget to deactivate the SMB V1.0 compatibility in the this versions.

This includes the technology used for data exchange. For example, the widely used Robocopy fosters the spreading of WannaCry because it is based on the SMB protocol.

  • Increase the level of isolation.

Start with challenging the required M2M and H2M connections. Eliminate every connection without a business purpose. For the remaining, check whether the best available security technology is used.

Take care!

Ransomware for Industrial Control System – Digital Carelessness

19 March 2017

Ransomware for Industrial Control Systems (ICS) is a scaring idea. The research paper ‘Out of Control: Ransomware for Industrial Control System‘ by David Formby, Srikar Durbha and Raheem Beyah from the Georgia Institute of Technology is really worth reading.

The researchers study several attack vectors and run a proof of concept (POC). In addition, they give some hints for mitigation of this new risk in the ICS / SCADA domain.

In the simplest case, if the PLC is connected to the internet, the cyber-criminal can attack the PLC directly. A more dangerous, but also very promising way is to start an attack on a workstation located in the corporate network and use this system as base camp for the access to the production network.

In the past weeks I prepared a speech for a workshop about “Safety and security in plant safety”. In the IIoT, the digital world acts upon the physical world. With this, flaws in the IIoT software may create a safety problem. For example, if a PLC or other SCADA components are attached to the internet, cyber criminals can exploit such flaws and compromise the integrity of the systems or implement ransomware on the systems. In the worst case, if e.g. the SCADA system controls a critical infrastructure like a power grid, this may result in a blackout. And operators of critical infrastructures will pay definitely any ransom to avoid a blackout.

The attack vectors described above are the native way for accessing industrial facilities and critical infrastructures. Besides the PLC, lots of other components like switches or HMI panels are connected more or less intentionally to the internet today. My colleague Christoph Thust from Evonik calls this the Digital Carelessness.

A plain SHODAN search for ‘SCALANCE‘ results in 213 hits. These network switches are more or less exposed to the internet. If a cyber attacker can hijack such a switch, he gains full control of the production network.

Shodan Scalance Search

Shodan Scalance Search. Click to enlarge.

A search for ‘SIMATIC HMI‘ results in 103 hits. This HMI panels are directly attached to the internet, lots of them can be viewed with WinVNC, some of them can be fully operated by EVERYONE.

Shodan Search HMI

Shodan Search HMI. Click to enlarge.

And, above all, HMI panels attached to the internet can be used as base camp for an attacker’s lateral movement in the production network.

Although ransomware is a really big issue today, the effort to rollout ransomware in a SCADA environment is high compared to the effort of plain attacks to unsecured SCADA system components.

The good news is, that the vendors of SCADA components already offer the elementary technology and strategies for their secure operation. But improvement of the basic security technologies is of crucial need for efficient use in the production domain.

The bad news is, that neither the engineering service providers nor the plant operators are fully aware of cyber-threats and their impact on plant operations and safety. The above examples make clear that the mitigation measures and defense strategies provided by the technology vendors are not followed.

From my point of view we need to start early in the construction process with considerations of cyber security. Security gates must be added to each construction phase. And during handover to the operator, a final pen test must be performed. As soon as Security by Design becomes an integral part of the Industrial Plant Life Cycle, the era of digital carelessness will end.

Have a good weekend.

Rethinking the Patch Strategy in the ICS Domain

5 February 2017

In the past weeks I reviewed several drafts on Industrial Control System (ICS) security. Although of limited value in the ICS Domain, patching and malware protection are key issues of all drafts.

Especially the patch process, which works moderately satisfying in the Office-IT domain, cannot be directly applied to ICS systems because ICS systems cannot be just rebooted to apply the patch.

Industrial control system patch cycle

Industrial control system patch cycle

To reboot an ICS system a shutdown of the process is required. In the worst case, the operators have to wait several weeks or months for the next scheduled plant maintenance to implement the patch and to reboot the ICS. During this time the ICS is more vulnerable against the threats mitigated by the patch.

With this, we have to design and operate our ICS systems and networks such, that they are resilient against cyber-attacks during the time until the next scheduled maintenance.

The following are examples of technical measures:

  • Isolation of ICS and SCADA systems in secured network zones inside the production network and strict flow control across security devices between the zones are basic design principles for creating robust systems.
  • A secure remote maintenance solution which is completely under control of the plant operators, ideally a rendezvous solution to keep the external service provider in the DMZ.
  • A secure and controlled remote access solution for plant operators.
  • Strict Network Access Control in the entire production network to increase resilience against attackers from internal.
  • No Internet access and personal email in the entire production network. This is a quick win! The same holds for the deactivation of USB disk devices.

Have a good weekend.

Whaling emerges as major cybersecurity threat

3 December 2016

Whaling is a type of cyber fraud that targets mainly corporate executives. It is very closely related with phishing, thus not new. For a superb collection of examples see this slide show published on CIO.com.

As always, the combination of People, Process and Technology measures (PPT approach) is the best way to combat whaling:

People. The most effective way to deal with whaling is security awareness training. Include some whaling attacks in your anti-phishing training to raise awareness.

Processes. Enhance your information handling policy (IHP) or office manual. Add rules for the compliant handling of business requests by email:

  1. Users should never act on a business request from a company executive if the email is not signed with a company owned and valid email certificate.
  2. Never trust an email of a business partner when it is not signed with the partners valid email certificate.

Communicate the IHP to all users and train them in use and handling of email certificates.

Technology. Configure your email system such that all mails to external partners and at least all emails from company executives are signed with a valid email certificate.

With this, the risk of getting the victim of a whaling attack is greatly reduced.

Have a good weekend.

NSS Labs Tests Leading Web Browsers for Secure End User Experience

6 November 2016

On November 1, 2016 NSS Labs published the 2016 Web Browser Security Comparative Test Report.  Two tests with the most popular browsers (Google Chrome Version 53.0.2785, Microsoft Edge Version 38.14393.0.0 and Mozilla Firefox Version 48.0.2) had been run to check how effective they deal with socially engineered malware (SEM) and phishing attacks. The results are of interest for end-users because the inbuilt browser features were evaluated in the test.

When it comes to protection against phishing attacks the time needed until a URL is blocked is important. Microsoft Edge is the browser of choice, followed by Firefox and Chrome.

In the second test the protection against Socially Engineered Malware was evaluated. Again, the average time to block the malware is of great importance, and again, Microsoft Edge is the browser of choice, followed by Chrome and Firefox. The average time to block is 0.16 hours for Microsoft Edge, 2.66 hours for Chrome and 3.76 hours for Firefox.

Happy reading, and have a good weekend.

New York’s Cybersecurity Requirements for Financial Service Companies are a real game changer

1 November 2016

In post ‘Learn How the NYDFS Cybersecurity Regulations Will Impact Your Company‘ Shawn E. Tuma talks about the impact of the New York Department of Financial Services Cyber Security Regulation on the daily business.

Negotiating service contracts and working with third parties will require considerably more effort after the entry into force of the regulation. But a regulation has long been overdue, at least since the details of the Target data breach in December 2013 come to be known.

From a security point of view the Cybersecurity Regulation is a real game-changer. Some concepts are borrowed from the ISO 27001, but in some areas the NYDFS Cybersecurity Regulation goes much further than the ISO requirements.

The scope of the regulation, Nonpublic Information, is clearly and sufficiently broad defined in section Definitions (500.01). In my opinion, the focus on Nonpublic Information might create blind spots because significant damage can be caused by compromised Public Information as well.

Section 500.02 demands the implementation of a Cybersecurity Program. The program shall be designed to

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

The requirement to mitigate any negative effects‘ is new, and will have a major impact on IT security operations.

Section Audit Trail (500.06) requires the implementation of a Privileged Account Management (PAM) solution.

Section Multi-Factor-Authentication (500.12) states, where Multi-Factor Authentication (MFA) is required. Unfortunately, MFA is not mandatory for the access to non-web applications. I would prefer so secure all applications with MFA.

The strict application of the Principle of Least Privilege, which is demanded in section Access Privileges (500.07), for access to Nonpublic Information is a big step forward.

All in all, the Cybersecurity Requirements for Financial Service Companies are a big step forward towards increased cyber security. If implemented well, the likelihood of data breaches will decrease dramatically.

If your company is implementing a cyber security program currently, it makes definitely sense to take a closer look at this regulation. It can be easily adapted to whatever type of business.

Have a good day.