Tag Archives: Integrity loss

Triton: Dangerous and Puzzling – Part III

18 March 2018

The reports published on Triton so far give no hint on how the attack was started. With Occam’s razor in mind I concluded in part II of this post series that it is very likely that the attacker compromised the Engineering Service Provider’s (ESP) network and the systems used for developing the SIS software. Since the next software update is sure to come, it is only a matter of time until the SIS installation in the production network gets compromised.

In this part I will talk about how to prevent and protect against such attacks.

Part III: Prevention and Protection

To protect against this kind of attack, data integrity must be ensured across the entire supply chain.

Ensure Integrity Across the Supply Chain

Engineering Service Provider’s responsibilities

Build: The ESP must make sure that the project data and software cannot be compromised in its facilities during software design and build.

Transfer: The ESP must secure the data against manipulation during transport.

Plant Operator’s responsibilities

Validate: After handover, the operator must check that the software and project data fulfil only the intended functions before the SIS or DCS is updated. This must be governed by a Standard Operating Procedure (SOP) with formal approvals.

Install: The operator must follow an SOP for the secure update of SIS and DCS software.

In the following section I will give some best practices to achieve data integrity across the supply chain. Anti-malware solutions are not listed because they are industry standard. Nevertheless, it is important to note that in Triton-like cases pattern-based anti-malware solutions will not prevent or protect against the attack. Pattern-based anti-malware solutions protect only against malware “in the wild”. That’s not the case here, thus we have to apply other means to ensure integrity.

Development network

  • Perform all project work in an isolated Development Network (D-NET) with a Development DMZ (D-DMZ).
  • Control remote access to the D-DMZ through a user proxy to allow access for authorized staff only. Two-Factor Authentication is mandatory for access to the D-DMZ.
  • For remote user access to the D-NET use a jump station in the D-DMZ.
  • Terminate all connections from the Office Network to the D-NET in the D-DMZ.
  • Terminate all connections from the D-NET in the D-DMZ.
  • If an SIS or DCS is operated in the D-NET, it should be placed in an isolated network zone (D-SIS) in the D-NET. Allow only incoming connections from the engineering station to the SIS or DCS. Terminate all outgoing connections from the D-SIS in the D-NET.

Data exchange

  • For data exchange with the Office network allow only outgoing connections from the D-DMZ to dedicated systems/ports in the Office network.
  • Don’t use the SMB protocol for exchange of data between the office network and the D-DMZ and D-NET.
  • Implement Network Access Control (NAC) in the D-DMZ and D-NET to block connections of untrusted devices.
  • Never connect mobile workstations used in the D-NET or D-DMZ to other networks and vice versa. Once such a workstation has been connected to a network outside the D-NET or D-DMZ it is potentially compromised.

System hardening

  • Block all USB disk devices in the D-NET.
  • Block all internet access and e-mail in the D-DMZ and D-NET.
  • Lock down all workstations and servers in the D-NET and D-DMZ.
  • Perform regular integrity checks on all systems in the D-NET and D-DMZ.

Software development best practice

  • Set up software version control for all development work.
  • If contractually possible, hand over only sources, makefiles and checksums to the operator.

Data transfer

  • Secure network transfer is the method of choice. Bundle all sources in an encrypted archive. Send the encryption key in a secure e-mail to the operator.
  • If transfer by USB device is required, use only USB devices with AES hardware encryption and a key pad. Run a secure erase before the new software is copied.

Validation

  • Extract the software to a trusted development system in an isolated network zone of the operator’s network.
  • Validate the checksums of the sources and makefiles against the supplied checksum details.
  • Build the software.
  • Install the software on a test system and verify that only the intended functions are implemented.

Installation

  • Use a secure transfer method to move the new software and project data to the SIS or DCS network.
  • Install the software in accordance with the corresponding SOP.
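The handover and validation steps above rest on one mechanism: the ESP ships a checksum list with the sources and makefiles, and the operator recomputes it before building. The following Python script is an added example, not code from the original post or from any vendor; it writes a SHA-256 manifest for a bundle directory on the ESP side and, on the operator side, reports files that were modified, removed or planted in transit. The file names, the bundle layout and the snippet of control logic in `demo()` are constructed for the illustration.

```python
"""Integrity manifest for a handover bundle (sources, makefiles).

Added example, not code from the original post. ESP side: write_manifest()
records a SHA-256 digest of every file under the bundle root. Operator side:
verify_manifest() recomputes the digests and reports modified, missing and
unexpected files, so the build is only started on an unaltered tree.
"""
import hashlib
import os
import tempfile

HASH_ALGO = "sha256"


def file_digest(path, chunk_size=1 << 16):
    """Hash a file in chunks so large archives need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: digest} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def write_manifest(root, manifest_path):
    """ESP side: write 'digest  path' lines (same layout as sha256sum output)."""
    manifest = build_manifest(root)
    with open(manifest_path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")
    return manifest


def read_manifest(manifest_path):
    """Parse the manifest back into {relative_path: digest}."""
    manifest = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_manifest(root, manifest_path):
    """Operator side: compare the delivered tree against the supplied manifest.

    Returns three sorted lists; all empty means the tree matches exactly.
    Extra files are a finding too: a planted source file or makefile is
    exactly what the checksum step is meant to catch.
    """
    expected = read_manifest(manifest_path)
    actual = build_manifest(root)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: a two-file bundle, then one file tampered and one planted."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "bundle")
        os.makedirs(os.path.join(bundle, "src"))
        with open(os.path.join(bundle, "src", "logic.st"), "w") as f:
            f.write("IF level > HIGH THEN trip := TRUE; END_IF\n")  # constructed
        with open(os.path.join(bundle, "Makefile"), "w") as f:
            f.write("all:\n\tbuild src/logic.st\n")  # constructed
        manifest_path = os.path.join(tmp, "MANIFEST.sha256")
        write_manifest(bundle, manifest_path)
        clean = verify_manifest(bundle, manifest_path)

        # Simulate manipulation in transit: one constant changed, one file added.
        with open(os.path.join(bundle, "src", "logic.st"), "w") as f:
            f.write("IF level > HIGH + 100 THEN trip := TRUE; END_IF\n")
        with open(os.path.join(bundle, "src", "extra.st"), "w") as f:
            f.write("(* planted *)\n")
        tampered = verify_manifest(bundle, manifest_path)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

The manifest is only as trustworthy as the channel it arrives on: if it travels inside the same archive as the sources, whoever alters the archive can simply regenerate it. Sending the checksum details on a separate path, as the post does with the encryption key, or signing the manifest, is what gives the operator's validation step its meaning.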

Have a great week.

Bromium – The Dawn Of A New Era In Corporate Cyber Threats?

14 July 2014

The Dawn Of A New Era In Corporate Cyber Threats? | A Collection of Bromides on Infrastructure.

Although the picture reminds me of some scenes of Terminator II, Bill Gardner does not announce the imminent end of the world. In this blog post he just creates awareness for a new kind of attack which may have a dramatic impact on businesses.

Fortunately, today’s attackers focus on new market businesses. The impact of a data theft, e.g. loss of reputation or annoyed customers, is costly and exasperating for companies, but not life-threatening. Destruction of data and of backups, as in the case of Code Spaces, might in the worst case lead to loss of business and have a disastrous effect on customers.

But the expansion of malicious activities to old market businesses, like chemical and pharmaceutical plants or basic infrastructure like national gas or power supply systems, could have a catastrophic impact on businesses, the environment and people.

In addition, a third type of damage, integrity loss caused by tampering with data, makes things even worse, because this kind of damage is very hard to discover, and often only discovered after several years.

We urgently need to prepare for the “Maximum Credible Accident”!

For a good starting point see Mark Brown’s article “Where should a CISO look for cyber security answers – hardware, software or wetware?”.

Don’t Panic – All will end well!

SearchSecurity: Multifactor authentication key to cloud security success

12 July 2014

Multifactor authentication key to cloud security success

In this great post Brandon Blevins provides a brief summary about the Code Spaces attack, the progression of the attack and the catastrophic consequences for the company and the customers. Moreover, he makes clear that Multi Factor Authentication is an essential requirement for running a successful business in the cloud. With Two- or Multi Factor Authentication in place this attack would not have been possible.

The attack pattern in the Code Spaces case differs only slightly from the patterns in the eBay, Target, and Office attacks. In all cases the attackers used stolen credentials of employees for unauthorized access to the company network and the data.

From my point of view, Two or Multi Factor Authentication (MFA) would have prevented most of the published data breaches, irrespective of whether the services are hosted on premise or in the cloud.

Multi Factor Authentication is worth every Cent!

The main difference between the attacks lies in the amount of damage: data theft and loss of reputation in the eBay case, irreversible destruction and discontinuation of business in the Code Spaces case.

But a third, more important type of damage must be considered:

Integrity loss, caused by tampering of data.

Small changes to software products, to the formulation of drugs, or a bill of material could lead in the worst case to a catastrophic impact on people, businesses and the environment.

How often does this happen without you ever noticing? At this very moment? And are you able to recognize such integrity losses in order to prevent larger damage?

We should ask ourselves these worrying questions. The statement “I always call it the Wal-Mart-Target competition … to see who can get to the lowest price and still provide good service. Security is what gets lost” gains a new meaning from the integrity point of view.

I would strongly recommend that all businesses, in particular in the manufacturing industries and in the pharma sector, decide on implementing MFA to prevent damage caused by integrity loss.

That will make our world a somewhat safer place.