Securely sending industrial data to AWS IoT services using unidirectional gateways
Unidirectional gateways are a combination of hardware and software. Unidirectional gateway hardware is physically able to send data in only one direction, while the gateway software replicates servers and emulates devices. Since the gateway is physically able to send data in only one direction, there is no possibility of IT-based or internet-based security events pivoting into the OT networks. The gateway’s replica servers and emulated devices simplify OT/IT integration.
A typical unidirectional gateway hardware implementation consists of a network appliance containing two separate circuit boards joined by a fiber-optic cable. The “TX,” or “transmit,” board contains a fiber-optic transmitter, and the “RX,” or “receive,” board contains a fiber-optic receiver. Unlike conventional fiber-optic communication components, which are transceivers, the TX appliance does not contain a receiver and the RX appliance does not contain a transmitter. Because there is no laser in the receiver, there is no physical way for the receiving circuit board to send any information back to the transmitting board. The appliance can be used to transmit information out of the control system network into an external network, or directly to the internet, without the risk of a cyber event or another signal returning into the control system.
Honeywell to Acquire SCADAfence, Strengthening its Cybersecurity Software Portfolio
Honeywell today announced it has agreed to acquire SCADAfence, a leading provider of operational technology (OT) and Internet of Things (IoT) cybersecurity solutions for monitoring large-scale networks. SCADAfence brings proven capabilities in asset discovery, threat detection and security governance which are key to industrial and buildings management cybersecurity programs.
The SCADAfence product portfolio will integrate into the Honeywell Forge Cybersecurity+ suite within Honeywell Connected Enterprise, Honeywell’s fast-growing software arm with strategic focus on digitalization, sustainability and OT cybersecurity SaaS offerings and solutions. This integration will enable Honeywell to provide an end-to-end enterprise OT cybersecurity solution to site managers, operations management and CISOs seeking enterprise security management and situational awareness. The acquisition strengthens existing capabilities in cybersecurity and bolsters Honeywell’s high-growth OT cybersecurity portfolio, helping customers operate more securely, reliably and efficiently.
🔏🚗 In-Depth Analysis of Cyber Threats to Automotive Factories
We found that Ransomware-as-a-Service (RaaS) operations, such as Conti and LockBit, are active in the automotive industry. These are characterized by stealing confidential data from within the target organization before encrypting their systems, forcing automakers to face threats of halted factory operations and public exposure of intellectual property (IP). For example, Continental (a major automotive parts manufacturer) was attacked in August, with some IT systems accessed. They immediately took response measures, restoring normal operations and cooperating with external cybersecurity experts to investigate the incident. However, in November, LockBit took to its data leak website and claimed to have 40TB of Continental’s data, offering to return the data for a ransom of $40 million.
Previous studies on automotive factories mainly focus on the general issues in the OT/ICS environment, such as difficulty in executing security updates, knowledge gaps among OT personnel regarding security, and weak vulnerability management. In light of this, TXOne Networks has conducted a detailed analysis of common automotive factory digital transformation applications to explain how attackers can gain initial access and link different threats together into a multi-pronged attack to cause significant damage to automotive factories.
In the study of industrial robots, controllers sometimes enable universal remote connection services (such as FTP or Web) or APIs defined by the manufacturer to provide operators with convenient robot operation through the Control Station. However, we found that most robot controllers do not enable any authentication mechanism by default and cannot even use one. This allows attackers lurking in the factory to directly execute any operation on robots through tools released by robot manufacturers. In the case of Digital Twin applications, attackers lurking in the factory can also use vulnerabilities in simulation devices to execute malicious code attacks on their models. When a Digital Twin’s model is attacked, it means that the generated simulation environment cannot maintain congruency with the physical environment. This entails that, after the model is tampered with, there may not necessarily be obvious malicious behavior, which is a serious problem because of how long this can go unchecked and unfixed. This makes it easy for engineers to continue using the damaged Digital Twin in unknown circumstances, leading to inaccurate research and development or incorrect decisions made by the factory based on false information, which can result in greater financial losses than ransomware attacks.
🚙 Digital Twins: The Benefits and Challenges of Revolutionary Technology in Automotive Industries
With the advent of Industry 4.0, an increasing number of organizations have implemented digital twin technology to optimize their performance, enhance their educational initiatives, or facilitate advanced maintenance. Even the automotive industry has readily embraced this transformational technology. However, organizations must acknowledge that the adoption of digital twin technology may simultaneously expose them to potential cyber threats. Thus, securing digital twins within an organization should be viewed as an essential priority, on par with their implementation.
One of the challenges of implementing digital twin technology is maintaining consistency between the physical and virtual twins. In the case of a model corruption attack, it can be difficult to detect the issue, as developers may not notice the problem until they inspect the repository or run jobs on an infected digital twin. Running an infected digital twin not only leads to inconsistencies, but it can also compromise the CPS, as the malicious code sent by the infected twin may cause additional harm.
🔏🦾 Anatomy of Robots: Cybersecurity in the Modern Factory
In highly networked modern factories and complex robots’ operating modes, attackers have the opportunity to use more diverse methods to carry out cyberattacks on robots, particularly in the case of manufacturers who do not take product cybersecurity issues seriously. This complacency creates opportunities for attackers that break into a factory to easily compromise these devices. When robots are successfully attacked, in addition to directly causing the factory to halt the manufacture of products, this tampering will also affect the safety of people’s lives due to the nature of close cooperation between co-bots and humans. With this in mind, using past and current robotics cybersecurity literature and research as reference, we will analyze the following potential attack scenarios for robots.
🔏 How Secure Is Your Digital Additive Manufacturing Data?
Although additive manufacturing doesn’t inherently bring with it any extreme risks, it can be the first time a manufacturer is faced with digital processes and establishing secure IT systems. “We work with companies all the time that have a traditional manufacturing line where plans are still on paper, and the data is stored on a local hard drive,” says Hayes. “Implementing additive allows that company to jump steps ahead in the technology curve, and all of a sudden, they can have digitally connected systems and cloud networks.” Securing those networks is up to individual organizations, notes Hayes. “The security of any data inside of that EOS machine is as safe or as vulnerable as that organization’s overall IT security.”
Industry 4.0 at Risk: Can CNC Machines Hold Fast Against Cyberattacks?
We are LIVE! and diving into the OT breach with TXOne Networks CEO, Terence Liu
The State of Industrial Security in 2022
This report shows nearly all — 94% — of organizations have experienced at least one security incident, which likely impacted their industrial IoT infrastructure. These incidents had significant impact on organizations, with 87% of them reporting their operations were impacted for one day or more. The incidents involved a wide range of attacks, with web application, malicious external hardware/removable media, and distributed denial of service attacks being the most frequent.
Nothing to see here just a cyber attack destroying a steel mill. https://t.co/PxxbeG557L — joshua steinman (🇺🇸,🇺🇸) (@JoshuaSteinman) June 27, 2022
NanoLock Secures Industrial Machines From Disastrous Cyber Attacks
NanoLock calls itself an “embedded gatekeeper,” meaning that its cyber solution is embedded into a device or machine and features a strong locking mechanism that blocks modification attempts unless they are signed by a trusted authorization server.
According to Laubshtein, the company is known for its flexibility to operate in different operating system environments. “To be more clear about that, if our competitors know how to operate at the higher level of operating systems like Windows and Linux, we can also operate on lower [level] operating systems like Bare Metal, which is usually very sensitive to memory consumption and energy consumption,” he says. This gives the company a “huge advantage” because it can help them operate on low consumption or even batteries. Meanwhile, the company also offers a lightweight software solution, which makes it easy to operate. One of the biggest advantages of the NanoLock system is its zero trust approach.
Smart factories need smarter cyber defence
From a ransomware perspective, manufacturers are quite exposed to time-driven critical processes, Heppenstall notes. “So, if you can cause a disruption, manufacturers are perceived to be more prone and therefore more likely to pay a ransom. Companies don’t run dual manufacturing processes.”
Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems
On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.
Dragos says the malware has the ability to hijack target devices, disrupt or prevent operators from accessing them, permanently brick them, or even use them as a foothold to give hackers access to other parts of an industrial control system network. He notes that while the toolkit, which Dragos calls “Pipedream,” appears to specifically target Schneider Electric and OMRON PLCs, it does so by exploiting underlying software in those PLCs known as Codesys, which is used far more broadly across hundreds of other types of PLCs. This means that the malware could easily be adapted to work in almost any industrial environment. “This toolset is so big that it’s basically a free-for-all,” Caltagirone says. “There’s enough in here for everyone to worry about.”
Bystronic partners with NanoLock to co-develop cyber security solutions
Bystronic today announces a partnership with NanoLock Security, a leading device-level cyber security provider, to co-develop state-of-the-art solutions for its sheet and tube metal cutting, bending and automation systems. Over the past years, Bystronic has successfully developed its own Smart Factory Software Suite together with the recently acquired company Kurago. The Smart Factory Software Suite digitizes all business processes and interconnects machines with all other customer processes.
Eran Fine, co-founder and CEO of NanoLock, adds: “Smart factories must integrate strong machine-level protection against cyber security risks to ensure the operational integrity of their systems. Our machine-level solution brings Zero Trust protection to industrial systems without having any impact on performance. We are proud to work with Bystronic and jointly develop secure solutions for their smart systems – thereby setting a benchmark for the entire industry.”
Cybersecurity Leaders Launch Operational Technology Cybersecurity Coalition
Today, a diverse group of cybersecurity leaders joined together to launch the Operational Technology Cybersecurity Coalition. Founding members include Claroty, Forescout, Honeywell, Nozomi Networks, and Tenable, each with decades of experience in building, protecting, and defending our nation’s industrial control systems and critical infrastructure assets.
The OT Cyber Coalition advocates for vendor-neutral, interoperable, and standards-based cybersecurity solutions and works collaboratively with industry and government stakeholders on how to best deploy data-sharing solutions that enhance our country’s collective defense. Its efforts support the notion that competitive solutions promote innovation and strengthen our national security.
The Old Switcheroo: Hiding Code on Rockwell Automation PLCs
Team82 and Rockwell Automation today disclosed some details about two vulnerabilities in Rockwell programmable logic controllers and engineering workstation software. CVE-2022-1161 affects numerous versions of Rockwell’s Logix Controllers and has a CVSS score of 10, the highest criticality. CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity. Modified code could be downloaded to a PLC, while an engineer at their workstation would see the process running as expected, reminiscent of Stuxnet and the Rogue7 attacks.
Manufacturing: Security and Resilience Start with Visibility
Having real-time situational awareness of your OT networks, including visibility into assets, connections, communications, protocols and more, allows you to start improving cyber resiliency. The good news is that you can automate asset inventory for manufacturing facilities, eliminate blind spots, and reveal assets that might have previously been missed.
Once you’ve got excellent visibility, you can move onto risk reduction. This requires real-time detection of vulnerabilities, threats and anomalies at both brownfield and greenfield facilities. It includes process insights that highlight threats to reliability, such as failing equipment, unusual variable values and networking communication anomalies.
Log4j Security Vulnerability Response Center
For remediation of Apache Log4j 2 CVE-2021-44228 and CVE-2021-45046, PTC recommends removing the JndiLookup.class as described in the remediation from Apache. Throughout PTC’s testing to date (December 10 to December 15, 2021) there have been no adverse impacts from using this method. PTC has not used this dynamic loading capability in our products, and the remediation should be both effective against the vulnerability and very low risk to our products. Any risk of this change is limited in scope to the logging subsystem of applications, and any resulting errors are far less significant than the exposure of this vulnerability. Customers can preemptively remediate the vulnerability while awaiting official certification to reduce their immediate exposure to this critical issue.
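The class-removal mitigation PTC describes above, as an added example that is neither PTC's nor Apache's own tooling: it walks a directory tree, reports every jar that still contains JndiLookup.class, and rewrites those jars without that entry. The jars it builds are constructed stand-ins (real entry paths, dummy bytes, a made-up version in the file name) so the script runs offline without a real log4j-core jar; nested jars inside fat jars or WAR files are not opened.

```python
import os
import shutil
import tempfile
import zipfile

# Entry that Apache's mitigation deletes: zip -q -d log4j-core-*.jar <this path>
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jars_under(root):
    """Yield every *.jar beneath root (jars nested inside other jars are not opened)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)

def has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class entry."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    # zipfile cannot delete in place: copy every other entry (keeping its
    # compression) into a temp jar in the same directory, then swap it in.
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path))
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp_path, jar_path)
    return True

def remediate_tree(root):
    """Strip the class from every affected jar under root; return their file names."""
    return [os.path.basename(p) for p in jars_under(root) if strip_jndi_lookup(p)]

def make_sample_jar(path, vulnerable):
    """Constructed stand-in for a log4j jar: real entry paths, dummy class bytes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if vulnerable:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path

def run_demo():
    """Build one affected and one clean jar (constructed names), remediate, report."""
    root = tempfile.mkdtemp()
    bad = make_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), True)
    make_sample_jar(os.path.join(root, "lib", "log4j-api-2.14.1.jar"), False)
    affected = remediate_tree(root)
    with zipfile.ZipFile(bad) as zf:  # remediated jar must still open cleanly
        remaining = sorted(zf.namelist())
    return affected, JNDI_LOOKUP in remaining, remaining
```

Re-running the scan after remediation should report no affected jars, which is the check to keep in a change ticket until the patched Log4j release is certified.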
Industrial Organizations Targeted in Log4Shell Attacks
As of Monday night, Siemens has confirmed that 17 of its products are affected by CVE-2021-44228 and there are many more that are still being analyzed. The German industrial giant has started releasing patches and it has provided mitigation advice.
Schneider Electric has also released an advisory, but it’s still working on determining which of its products are affected. In the meantime, it has shared general mitigations to reduce the risk of attacks.
Critical Log4Shell (Apache Log4j) Zero-Day Attack Analysis
This is a critical vulnerability that is affecting a wide range of systems and users. It is very easy to exploit, so many attackers are testing out the new vulnerability very rapidly. Users should quickly upgrade their Apache logging utility to Log4j 2.16.0 or alternatively apply one of the workarounds provided by the vendor. Nozomi Networks customers will be able to leverage our Threat Intelligence service for the latest countermeasures to this exploit.
Implications of Log4j Vulnerability for Operational Technology (OT) Networks
This cross-cutting vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, transportation, and more. Log4j is found in popular open-source repositories used in numerous industrial applications, such as Object Linking and Embedding for Process Control (OPC) Foundation’s Unified Architecture (UA) Java Legacy. Additionally, adversaries can leverage this vulnerability in proprietary Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS) which make use of Java in their codebase.
Inside the Log4j2 vulnerability (CVE-2021-44228)
In 2013, in version 2.0-beta9, the Log4j package added the “JNDILookup plugin” in issue LOG4J2-313. To understand how that change creates a problem, it’s necessary to understand a little about JNDI: Java Naming and Directory Interface.
JNDI has been present in Java since the late 1990s. It is a directory service that allows a Java program to find data (in the form of a Java object) through a directory. JNDI has a number of service provider interfaces (SPIs) that enable it to use a variety of directory services. For example, SPIs exist for the CORBA COS (Common Object Service), the Java RMI (Remote Method Interface) Registry and LDAP. LDAP is a very popular directory service (the Lightweight Directory Access Protocol) and is the primary focus of CVE-2021-44228 (although other SPIs could potentially also be used).
The Long-range Disruption of Industrial IoT LoRaWAN Networks
This blog post from the Nozomi Networks Labs team investigates attacks against a low-power radio frequency WAN technology that is widely used in industrial IoT networks. Our research focused on the viability of discovering the transmission frequency of the IoT network, and jamming the signal to disrupt network communication. Although there are some practical limitations to the attack scenario we investigated, we clearly determined that there are potential attack vectors that should be considered as the technology matures.