Author: Andrew Ginter

FireEye reports that the Triton (aka Trisis) malware targeting safety instrumented systems has been discovered at another, undisclosed target in the Middle East. As a result of investigating that intrusion, FireEye attributes the threat actors behind Triton to a Russian government-sponsored institution. Triton targets safety systems and is operated by interactive remote control: human operators use software tools with the look and feel of Remote Desktop (RDP) to drive Triton and other attack tools during the intrusion. FireEye reports that, relative to the first Triton attack, the new development is the extensive use of new, custom versions of popular attack tools.

Norsk Hydro has been hit by a ransomware attack. The firm reports that some aluminum smelting plants have switched to manual operations and some metal extrusion plants have halted production altogether. There are theories that the ransomware was deliberately planted on a corporate Active Directory domain controller in such a way as to infect most Windows hosts at the company. This sounds like a combination of attacks #3 and #4 from The Top 20 Cyberattacks on Industrial Control Systems. The lesson here is simple: even messages from trusted IT domain controllers can host, or be part of, a cyber attack. Firewalls do not

I am pleased to announce the general availability of my new book, Secure Operations Technology (SEC-OT). SEC-OT is a perspective, a methodology and a set of best practices that document what thoroughly secured industrial sites actually do. What these sites do differs sharply from what most industrial sites do. Most industrial sites practice IT Security (IT-SEC), whose focus is to "protect the information" - the CIA, the AIC, the IAC, or the something of the information. The focus at secure industrial sites, though, is protecting the safe, reliable, continuous and correct operation of the physical industrial process, not protecting information. Indeed, secure

The Carbon Black Quarterly Incident Response Threat Report for 2018 shows that destroying forensic evidence to hide attack sources and attack capabilities is becoming increasingly common. The report quotes an incident response professional as observing that “We’ve seen a lot of destruction of log data, very meticulous cleanup of antivirus logs, security logs and denying IR teams the access to data they need to investigate.” More specifically, the report finds that in the last 90 days:
32% of investigated attacks included attackers wiping entire machines to hide evidence
72% of all IR professionals reported seeing deleted logs in at least one
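The two anti-forensic behaviours the report describes, cleared logs and wiped machines, both leave a signal in the telemetry that survives: the log-clearing event itself, and a host that suddenly stops reporting. The following is an added example (not code from the original post or from the Carbon Black report) that runs both checks over a handful of constructed Windows event records. It assumes events arrive as dicts with the hypothetical field names shown (ts, host, channel, event_id, user, and log_cleared for the name of a cleared non-Security log); the sample records are constructed for illustration, not real telemetry. The event IDs themselves are the real Windows ones: Security 1102 records the audit log being cleared, and System 104 records other event logs being cleared.

```python
"""Flag log clearing and gone-silent hosts in Windows event records.

Added example, not from the original post or the Carbon Black report.
The record layout (field names below) is an assumption; the sample
records are constructed for illustration only.
"""
from datetime import datetime, timedelta

# Real Windows event IDs that record an event log being cleared.
LOG_CLEARED_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared (non-Security channel)",
}

# Constructed sample records (hypothetical SIEM export shape, not real data).
SAMPLE_EVENTS = [
    {"ts": "2018-10-01T08:00:00", "host": "ws01", "channel": "Security",
     "event_id": 4624, "user": "alice"},
    {"ts": "2018-10-01T08:05:00", "host": "ws01", "channel": "Security",
     "event_id": 1102, "user": "alice"},
    {"ts": "2018-10-01T08:06:00", "host": "ws01", "channel": "System",
     "event_id": 7036, "user": "SYSTEM"},
    {"ts": "2018-10-01T09:10:00", "host": "srv02", "channel": "System",
     "event_id": 104, "user": "bob",
     "log_cleared": "Microsoft-Windows-Windows Defender/Operational"},
    {"ts": "2018-10-01T07:30:00", "host": "srv03", "channel": "Security",
     "event_id": 4672, "user": "SYSTEM"},
    {"ts": "2018-10-01T12:00:00", "host": "ws01", "channel": "Security",
     "event_id": 4634, "user": "alice"},
]


def find_log_clearing(events):
    """Return one finding per event that records a log being cleared."""
    hits = []
    for e in events:
        desc = LOG_CLEARED_EVENTS.get((e["channel"], e["event_id"]))
        if desc is None:
            continue
        hits.append({
            "ts": e["ts"],
            "host": e["host"],
            "user": e.get("user"),
            "what": desc,
            # Event 104 names the cleared log; 1102 always means Security.
            "log": e.get("log_cleared", e["channel"]),
        })
    return hits


def silent_hosts(events, now, max_silence):
    """Hosts whose newest event is older than max_silence as of `now`.

    A wiped machine stops logging; a host that previously reported and
    then went quiet is worth a look even when no clear event was seen.
    """
    last_seen = {}
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["host"] not in last_seen or t > last_seen[e["host"]]:
            last_seen[e["host"]] = t
    return sorted(h for h, t in last_seen.items() if now - t > max_silence)


def triage(events, now_iso, max_silence_hours):
    """Run both checks and return a summary suitable for an IR ticket."""
    now = datetime.fromisoformat(now_iso)
    return {
        "cleared": find_log_clearing(events),
        "silent": silent_hosts(events, now, timedelta(hours=max_silence_hours)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, "2018-10-01T12:00:00", 2)
    for hit in result["cleared"]:
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]}: {hit["what"]} [{hit["log"]}]')
    print("silent hosts:", result["silent"])
```

The log-clearing check is the one to alert on in real time; the silence check is a periodic sweep, and its threshold should be tuned to how chatty each host class normally is so that a quiet file server is not paged as a wiped one.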

“The beginning of wisdom is the definition of terms.” - Socrates (470 – 399 B.C.)
Definitions are important - good ones shape our understanding of concepts, while poor ones impair that understanding. Consider the definition:
pen: a tube of ink with a tiny ball bearing at the tip
How useful is that definition? If we give the definition to a non-English-speaker, would it seem like a word worth remembering? Consider a different definition:
pen: a tool for writing or drawing with ink
Someone new to the language would likely hear this second definition and say “ahh - so that's what those things are called,” because

The Meltdown / Spectre saga continues. Ulf Frisk has just posted a description of a vulnerability he has coined "Total Meltdown". It seems that Microsoft developers introduced an even worse vulnerability while fixing the Meltdown vulnerability in Windows 7 and Windows Server 2008 R2: the patch left the kernel's top-level page table mapped with user-mode permissions. With this broken Meltdown "fix" installed, any program can read or write any word in any other program's memory, or the kernel's memory for that matter, just by reaching out and touching – no side channels or special tricks required. The cure is worse than the disease. Microsoft will be in for harsh criticism on this, not just because of the

Consider a prolonged power outage over a large metropolitan area, or a cyber attack targeting a nuclear power plant. These are real attacks, not hypothetical ones; they affected people’s lives and cost owners and operators both monetary and reputational damage. A key problem with modernization of industrial control systems for critical infrastructure is that increased network connectivity is essential to modernization and digitization, but undisciplined connectivity introduces cyber vulnerabilities that can result in catastrophe. Insuring cyber risks to industrial networks with wide-reaching impacts on the physical world is a complex undertaking for insurers. This is why, increasingly, such

A chronic complaint of industrial control system (ICS) security practitioners is under-funding, and funding decisions for security programs are frequently made by business decision-makers with a limited understanding of cybersecurity and cyber risk issues. Waterfall Security Solutions has just released a new report proposing a methodology for evaluating and communicating risk to decision makers with a limited understanding of cybersecurity concepts and technologies.
Communicate Examples, Not Scores
How is the risk of a cyber attack most commonly evaluated today? We generally consider the level of technical sophistication of the attackers we are concerned about, their level of industrial process knowledge, the

The big news today is the Spectre and Meltdown bugs. These vulnerabilities let attack code, such as JavaScript, steal passwords, encryption keys and session cookies from kernel memory and/or other browser windows on nearly all modern computers. The performance hits and code changes needed to fix these bugs are extensive. A lot of costly testing will be needed in the very short term before fixes for Meltdown and Spectre can safely be applied to our ICS/OT/SCADA networks. The only bright spot in this situation is that, as usual, Waterfall customers are taking these developments in stride. Properly designed ICS security programs make