We are LIVE! and diving into the OT breach with TXOne Networks CEO Terence Liu
The State of Industrial Security in 2022
This report shows nearly all — 94% — of organizations have experienced at least one security incident, which likely impacted their industrial IoT infrastructure. These incidents had significant impact on organizations, with 87% of them reporting their operations were impacted for one day or more. The incidents involved a wide range of attacks, with web application, malicious external hardware/removable media, and distributed denial of service attacks being the most frequent.
"Nothing to see here just a cyber attack destroying a steel mill." pic.twitter.com/PxxbeG557L (joshua steinman (🇺🇸,🇺🇸), @JoshuaSteinman, June 27, 2022)
NanoLock Secures Industrial Machines From Disastrous Cyber Attacks
NanoLock calls itself an “embedded gatekeeper,” meaning that its cyber solution is embedded into a device or machine and features a strong locking mechanism that blocks modification attempts unless they are signed by a trusted authorization server.
According to Laubshtein, the company is known for its flexibility to operate in different operating system environments. “To be more clear about that, if our competitors know how to operate at the higher level of operating systems like Windows and Linux, we can also operate on lower [level] operating systems like Bare Metal, which is usually very sensitive to memory consumption and energy consumption,” he says. This gives the company a “huge advantage” because it can help them operate on low consumption or even batteries. Meanwhile, the company also offers a lightweight software solution, which makes it easy to operate. One of the biggest advantages of the NanoLock system is its zero trust approach.
Smart factories need smarter cyber defence
From a ransomware perspective, manufacturers are quite exposed to time-driven critical processes, Heppenstall notes. “So, if you can cause a disruption, manufacturers are perceived to be more prone and therefore more likely to pay a ransom. Companies don’t run dual manufacturing processes.”
Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems
On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.
Dragos says the malware has the ability to hijack target devices, disrupt or prevent operators from accessing them, permanently brick them, or even use them as a foothold to give hackers access to other parts of an industrial control system network. He notes that while the toolkit, which Dragos calls “Pipedream,” appears to specifically target Schneider Electric and OMRON PLCs, it does so by exploiting underlying software in those PLCs known as Codesys, which is used far more broadly across hundreds of other types of PLCs. This means that the malware could easily be adapted to work in almost any industrial environment. “This toolset is so big that it’s basically a free-for-all,” Caltagirone says. “There’s enough in here for everyone to worry about.”
Bystronic partners with NanoLock to co-develop cyber security solutions
Bystronic today announces a partnership with NanoLock Security, a leading device-level cyber security provider, to co-develop state-of-the-art solutions for its sheet and tube metal cutting, bending and automation systems. Over the past years, Bystronic has successfully developed its own Smart Factory Software Suite together with the recently acquired company Kurago. The Smart Factory Software Suite digitizes all business processes and interconnects machines with all other customer processes.
Eran Fine, co-founder and CEO of NanoLock, adds: “Smart factories must integrate strong machine-level protection against cyber security risks to ensure the operational integrity of their systems. Our machine-level solution brings Zero Trust protection to industrial systems without having any impact on performance. We are proud to work with Bystronic and jointly develop secure solutions for their smart systems – thereby setting a benchmark for the entire industry.”
Cybersecurity Leaders Launch Operational Technology Cybersecurity Coalition
Today, a diverse group of cybersecurity leaders joined together to launch the Operational Technology Cybersecurity Coalition. Founding members include Claroty, Forescout, Honeywell, Nozomi Networks, and Tenable, each with decades of experience in building, protecting, and defending our nation’s industrial control systems and critical infrastructure assets.
The OT Cyber Coalition advocates for vendor-neutral, interoperable, and standards-based cybersecurity solutions and works collaboratively with industry and government stakeholders on how to best deploy data-sharing solutions that enhance our country’s collective defense. Its efforts support the notion that competitive solutions promote innovation and strengthen our national security.
The Old Switcheroo: Hiding Code on Rockwell Automation PLCs
Team82 and Rockwell Automation today disclosed some details about two vulnerabilities in Rockwell programmable logic controllers and engineering workstation software. CVE-2022-1161 affects numerous versions of Rockwell’s Logix Controllers and has a CVSS score of 10, the highest criticality. CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity. Modified code could be downloaded to a PLC, while an engineer at their workstation would see the process running as expected, reminiscent of Stuxnet and the Rogue7 attacks.
Manufacturing: Security and Resilience Start with Visibility
Having real-time situational awareness of your OT networks, including visibility into assets, connections, communications, protocols and more, allows you to start improving cyber resiliency. The good news is that you can automate asset inventory for manufacturing facilities, eliminate blind spots, and reveal assets that might have previously been missed.
Once you’ve got excellent visibility, you can move on to risk reduction. This requires real-time detection of vulnerabilities, threats and anomalies at both brownfield and greenfield facilities. It includes process insights that highlight threats to reliability, such as failing equipment, unusual variable values and networking communication anomalies.
Log4j Security Vulnerability Response Center
For remediation of Apache Log4j 2 CVE-2021-44228 and CVE-2021-45046, PTC recommends removing the JndiLookup.class as described in the remediation from Apache. Throughout PTC’s testing to date (December 10 to December 15, 2021) there have been no adverse impacts from using this method. PTC has not used this dynamic loading capability in our products, and the remediation should be both effective against the vulnerability and very low risk to our products. Any risk of this change is limited in scope to the logging subsystem of applications, and any resulting errors are far less significant than the exposure of this vulnerability. Customers can preemptively remediate the vulnerability while awaiting official certification to reduce their immediate exposure to this critical issue.
Industrial Organizations Targeted in Log4Shell Attacks
As of Monday night, Siemens has confirmed that 17 of its products are affected by CVE-2021-44228 and there are many more that are still being analyzed. The German industrial giant has started releasing patches and it has provided mitigation advice.
Schneider Electric has also released an advisory, but it’s still working on determining which of its products are affected. In the meantime, it has shared general mitigations to reduce the risk of attacks.
Critical Log4Shell (Apache Log4j) Zero-Day Attack Analysis
This is a critical vulnerability that is affecting a wide range of systems and users. It is very easy to exploit, so many attackers are testing out the new vulnerability very rapidly. Users should quickly upgrade their Apache logging utility to Log4j 2.16.0 or alternatively apply one of the workarounds provided by the vendor. Nozomi Networks customers will be able to leverage our Threat Intelligence service for the latest countermeasures to this exploit.
Implications of Log4j Vulnerability for Operational Technology (OT) Networks
This cross-cutting vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, transportation, and more. Log4j is found in popular open-source repositories used in numerous industrial applications, such as Object Linking and Embedding for Process Control (OPC) Foundation’s Unified Architecture (UA) Java Legacy. Additionally, adversaries can leverage this vulnerability in proprietary Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS) which make use of Java in their codebase.
Inside the Log4j2 vulnerability (CVE-2021-44228)
In 2013, in version 2.0-beta9, the Log4j package added the “JNDILookup plugin” in issue LOG4J2-313. To understand how that change creates a problem, it’s necessary to understand a little about JNDI: Java Naming and Directory Interface.
JNDI has been present in Java since the late 1990s. It is a directory service that allows a Java program to find data (in the form of a Java object) through a directory. JNDI has a number of service provider interfaces (SPIs) that enable it to use a variety of directory services. For example, SPIs exist for the CORBA COS (Common Object Service), the Java RMI (Remote Method Interface) Registry and LDAP. LDAP is a very popular directory service (the Lightweight Directory Access Protocol) and is the primary focus of CVE-2021-44228 (although other SPIs could potentially also be used).
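As an added example (not PTC's, Apache's or Cloudflare's code), here is the class-removal mitigation from the PTC note above applied to a constructed stand-in JAR: a Java archive is a ZIP file, so the JNDI lookup plugin can be dropped by rewriting the archive without that one entry and the result verified before it replaces the deployed copy. The entry path is the real one for log4j-core 2.x; the sample JAR and its placeholder class bytes are constructed here.

```python
"""Scan a Log4j 2 JAR for the JndiLookup plugin class and emit a stripped copy.

Added example: constructed stand-in JAR, placeholder class bodies.
"""
import io
import zipfile
from typing import List, Tuple

# Entry removed by the Apache mitigation for CVE-2021-44228 / CVE-2021-45046.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def make_sample_jar() -> bytes:
    """Constructed stand-in for log4j-core-2.x.jar (class bodies are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def entry_names(jar_bytes: bytes) -> List[str]:
    """List the archive's entries so a remediated JAR can be audited."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(jar.namelist())


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the archive still ships the JndiLookup plugin class."""
    return JNDI_LOOKUP_ENTRY in entry_names(jar_bytes)


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the archive without JndiLookup.class, keeping every other entry."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue  # the lookup plugin is the only entry we drop
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def remediate(jar_bytes: bytes) -> Tuple[bool, bytes]:
    """Return (was_affected, jar). Archives without the class come back unchanged."""
    if not has_jndi_lookup(jar_bytes):
        return False, jar_bytes
    return True, strip_jndi_lookup(jar_bytes)


if __name__ == "__main__":
    affected, fixed = remediate(make_sample_jar())
    print("JndiLookup present:", affected, "-> after strip:", has_jndi_lookup(fixed))
```

On a real deployment the same functions run over the bytes of each log4j-core JAR found on disk (including copies nested inside application archives), and the stripped archive should be kept alongside the original until the vendor's patched release is certified.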
The Long-range Disruption of Industrial IoT LoRaWAN Networks
This blog post from the Nozomi Networks Labs team investigates attacks against a low-power radio frequency WAN technology that is widely used in industrial IoT networks. Our research focused on the viability of discovering the transmission frequency of the IoT network, and jamming the signal to disrupt network communication. Although there are some practical limitations to the attack scenario we investigated, we clearly determined that there are potential attack vectors that should be considered as technology matures.