Blog

Threats to operational control systems are no longer theoretical. With the connectivity of manufacturing control networks steadily increasing, a unidirectional IIoT architecture is a robust and trustworthy way of achieving the increased efficiencies and other business benefits of the IIoT’s central. New post by Courtney Schneider, Cyber Policy Research Manager at Waterfall Security

Watch Waterfall Security’s video for a brief explanation on how to achieve safe IT/OT integration and 100% protection from remote cyber threats with Unidirectional Security Gateways. Protect your industrial and OT network perimeter from remote cyber threats using the strongest cyber protection available. Click through to learn more.

The essence of today’s OT security problem is that data-centric, IT-class protections are simply not enough for operations and control system security needs. A cyber breach of the systems that control physical processes and powerful machinery can have disastrous consequences. The goal of OT security is to preserve correct control and prevent misuse. Read the new post by Courtney Schneider, Cyber Policy Research Manager at Waterfall Security

Over the last few decades, a clear path to securing operational technology has been difficult to forge, since so much of the toolkit has come from the vast world of IT data protection, encryption and authentication. Practitioners on the OT side of the network, on the other hand, speak of the risks and unwanted consequences that this very technology poses to the physical systems they operate. The term SEC-OT, short for ‘Secure Operations Technology’, is an attempt to combine all of the knowledge and best practices of secure industrial sites into one cohesive and disciplined approach. While the traditional IT approach is

FireEye reports that the Triton (aka TRISIS) malware targeting safety instrumented systems has been discovered at another, undisclosed target in the Middle East. FireEye has also attributed the activity behind Triton to a Russian government-owned research institute. Triton targets safety systems and is operated by interactive remote control: human operators use software tools with the look and feel of Remote Desktop (RDP) to drive Triton and other attack tools during the intrusion. FireEye reports that, relative to the first Triton attack, a new development is the extensive use of new, custom versions of popular attack tools.

Norsk Hydro has been hit by a ransomware attack. The firm reports that some aluminum smelting plants have switched to manual operations, and some metal extrusion plants have halted production altogether. There are theories that the ransomware was deliberately planted on a corporate Active Directory domain controller in such a way as to infect most Windows hosts at the company. This sounds like a combination of attacks #3 and #4 from The Top 20 Cyberattacks on Industrial Control Systems. The lessons here are simple: even messages from trusted IT domain controllers can host, or be part of, a cyber attack. Firewalls do not

Waterfall Security is pleased to announce our Industrial Security Podcast, featuring interviews with world-recognized experts on a wide range of industrial cybersecurity topics. The podcast will address current and developing ICS topics such as: Do expert ICS penetration testers target live/running systems? (cheat: not always, but yes, they do, carefully) What questions should boards of directors be asking their CIOs and CSOs about industrial/OT cybersecurity? What changes is the Industrial Internet of Things (IIoT) bringing about in the next few years? What does the latest industrial cyber risk assessment methodology from EPRI look like? All of these questions are answered in episodes

Much has been written and debated regarding communicating cyber risk to boards and other key corporate decision makers. Conveying to a non-technical audience the criticality of cyber vulnerabilities in IT systems that support business functions can be a daunting task; but what if the systems don’t just support the business, what if they are the business? For businesses that supply critical services and infrastructure to their customers, cyber risk to the control systems is a relatively new concept, and industrial cyber risk dramatically increases the severity of worst-case scenarios. Information technology that supports business functions and protects confidential

The Carbon Black Quarterly Incident Response Threat Report for 2018 shows that destroying forensic evidence to hide attack sources and attack capabilities is becoming increasingly common. The report quotes an incident response professional as observing that “We’ve seen a lot of destruction of log data, very meticulous cleanup of antivirus logs, security logs and denying IR teams the access to data they need to investigate.” More specifically, the report finds that in the last 90 days: 32% of investigated attacks included attackers wiping entire machines to hide evidence, and 72% of all IR professionals reported seeing deleted logs in at least one

Governments all over the world are beginning to toughen cyber regulations imposed on industry to respond to the increasing threat of cyber attacks on national critical infrastructure. This class of cyber attack does not just limit itself to enterprise systems. If the control systems of a digitized petro-chemical plant, for example, fall in the hands of a threat actor, not only can the national energy supply be in danger, but the physical plant itself could be at risk of explosion or fire. This clear and present danger is considered a serious threat in Israel, where several such attacks attempted on industrial

The CEO of TSMC - the manufacturer of key chipsets for Apple's iPhones, and for many other global companies - reported Monday that the company was forecasting a drop of 2% in Q3 revenues, or about $160M, due to an infection of its manufacturing facilities by a variant of the WannaCry ransomware. The malware entered the manufacturing network when a new piece of fab tool equipment was installed. The malware appears to have spread rather quickly, as the CEO indicated that at the peak of the infection, 10,000 machines were impaired at several manufacturing sites. The CEO maintained that the

OT remote access is efficient and convenient - for attackers
Remote access might look like a good idea. Every computer on an enterprise network certainly has some sort of Remote Desktop capability: tech support takes control of my laptop routinely to install new software or to fix issues. Sometimes our vendors have remote access into our servers and other systems, to provide remote support. When we are talking about the enterprise network, this is a great capability, reducing costs, reducing headcount per campus, sometimes even reducing travel time. When migrating to the OT world of industrial networks, this type of solution does

“The beginning of wisdom is the definition of terms.” - Socrates (470 – 399 B.C.)
Definitions are important - good ones shape our understanding of concepts while poor ones impair that understanding. Consider the definition:
pen: a tube of ink with a tiny ball bearing at the tip
How useful is that definition? If we give the definition to a non-English-speaker, would it seem like a word worth remembering? Consider a different definition:
pen: a tool for writing or drawing with ink
Someone new to the language would likely hear this second definition and say “ahh - so that's what those things are called,” because

Different continents point to similar concerns
The Black Hat Asia 2018 attendee survey polled IT and security professionals from 12 East Asian countries, Australia and elsewhere, asking about the threats and challenges they are most concerned with, the attacks and attackers they fear most, as well as their cybersecurity posture. The main takeaway from the survey is that security professionals across the globe are reaching a growing consensus, sharing a high level of concern over targeted cyberattacks and potential breaches of critical infrastructure. The same concern was echoed in the previous Black Hat survey that polled European security professionals several months ago,

Written into law
The Directive on the Security of Network and Information Systems (NIS) represents the first pan-European law covering requirements for cybersecurity. It aims to achieve a common security posture for European countries by means of strengthening 1) cybersecurity capabilities at a national level, 2) EU-wide cybersecurity cooperation, and 3) risk management and reporting for operators of essential services and digital service providers. 2018 will be a year of changes for cybersecurity in the European Union. Deadlines approaching include transposing the NIS Directive into Member States’ national law by May 9, 2018, and each EU Member State identifying national operators of essential

The Meltdown / Spectre saga continues. Ulf Frisk just posted a description of a vulnerability he has coined "Total Meltdown". It seems that Microsoft developers introduced an even worse vulnerability while fixing the Meltdown vulnerability in Windows 7 and Windows Server 2008 R2. With this broken Meltdown "fix" installed, any program can read or write any word in any other program's memory, or the kernel's memory for that matter, just by reaching out and touching – no special tricks required. The cure is worse than the disease. Microsoft will be in for harsh criticism on this, not just because of the

Consider a prolonged power outage over a large metropolitan area, or a cyber attack targeting a nuclear power plant. These are real attacks, not hypothetical ones, that affected people’s lives and cost owners and operators both monetary and reputational damages. A key problem with modernization of industrial control systems for critical infrastructure is that increased network connectivity is essential to modernization and digitization, but undisciplined connectivity introduces cyber vulnerabilities that can result in catastrophe. Insuring against cyber risks to industrial networks, with their wide-reaching impacts on the physical world, is a complex undertaking for insurers. This is why, increasingly, such

Cybersecurity best practice according to ANSSI, France’s National Agency for the Security of Information Systems, points to unidirectional data flow solutions. Why? Because it’s the safest and most reliable way to segregate and protect your critical network from less trusted networks and cyber threats. The regulation is now reality, and we’re here to make sense of it all. ANSSI’s detailed cybersecurity guidance for Industrial Control Systems issued in 2014 was and is still today seen as the most comprehensive, clear, and sophisticated industrial control system (ICS) security best practice in the world: Cybersecurity for Industrial Control Systems – Classification Method and Key

A chronic complaint of industrial control system (ICS) security practitioners is under-funding, and funding decisions for security programs are frequently made by business decision-makers with a limited understanding of cybersecurity and cyber risk issues. Waterfall Security Solutions has just released a new report proposing a methodology for evaluating and communicating risk to decision makers with a limited understanding of cyber-security concepts and technologies.
Communicate Examples, Not Scores
How is the risk of a cyber attack most commonly evaluated today? We generally consider the level of technical sophistication of the attackers we are concerned about, their level of industrial process knowledge, the

Black Hat and Dark Reading’s attendee survey from their recent 2017 Black Hat Europe event is a wake-up call to company stakeholders, boards, and information and operational security practitioners; yielding some significant findings about the perceptions of the current threat landscape. Survey participants were sourced predominantly from IT and security backgrounds throughout Europe, and the results cover a wide range of cyber-security concerns and defense capabilities. Black Hat’s goal was to gain insight into the state of cybersecurity in Europe, particularly the perception of threat. The survey’s findings shed light on the concerns professionals have about major breaches, and these

The big news today is the Spectre and Meltdown bugs. These vulnerabilities let attack code, including JavaScript running in a browser, steal passwords, encryption keys and session cookies from kernel memory and/or other browser windows on nearly all modern computers. The performance hits and code changes needed to fix these bugs are extensive. A LOT of costly testing will be needed in the very short term before fixes for Meltdown and Spectre can safely be applied to our ICS/OT/SCADA networks. The only bright spot in this situation is that, as usual, Waterfall customers are taking these developments in stride. Properly-designed ICS security programs make

TRITON/TRISIS is the fifth industrial malware found in the wild and the third malware specifically designed to cause damage to physical equipment and jeopardize safety. The malware warrants a stern warning to owners and operators: segment networks properly or face the consequences. The target of the malware was Schneider Electric’s Triconex safety instrumented system (SIS). TRITON is essentially a payload, stage 2 of an attack. At this point we don't know how the malware was installed in the industrial network (stage 1), but this comes as no surprise, since some segments of certain industrial networks are routinely hacked. What is shocking is

Waterfall Security Solutions is of course an industrial cybersecurity technology provider, but technology is only part of any industrial security program – policies, procedures and training are also essential. This means that the advancement of security education has always been essential to Waterfall’s mission to improve industrial cybersecurity. Malicious misoperation of industrial processes can have thoroughly unacceptable consequences for property, the environment, workers at industrial sites, and public safety. Improving one’s security posture requires a wider awareness of modern risks, threats and cyberattack techniques, in addition to a deeper understanding of modern

The Industrial Internet of Things (IIoT) is forecast to bring untold value to industrial operations. The IIoT introduces a new network architecture which greatly expands the traditional manufacturing systems paradigm – by increasing the interoperability and optimization of a large number of control systems. For the last 25 years, industrial network architecture has been based on the Purdue Enterprise Reference Architecture - or Purdue Model.  What we see emerging here is the evolution of the long-standing Purdue Model of industrial networks. The Purdue model can be visually represented in a pyramid shape; indicating a clear hierarchy of organizational levels, applications &

AGC Partners recently released an in-depth report detailing the growing market for manufacturing analytics, and the companies that currently make up its booming ecosystem. The subject is timely, as advancements in the Industrial Internet of Things (IIoT), Big Data, and Machine Learning have opened the door for manufacturers to embrace manufacturing analytics, particularly process optimization and predictive maintenance. The report, titled “Taking Big Data from the Carpet to the Concrete,” proposes that manufacturing analytics is no longer simply a support function focused on costs, but rather has quickly proved to be a strategic capability impacting revenue and “determining future competitiveness

Recently, a major Canadian company suffered a targeted ransomware attack and was forced to pay $425,000 to restore the encrypted data of both its production servers and its back-up servers. We have spoken and warned of ransomware in the past, particularly in the aftermath of the global WannaCry attack. Most ransomware attacks are untargeted, wide-spread campaigns that infect as many hosts as possible, each with a different key, and let victims buy back their data for a few hundred dollars in bitcoin, or restore from back-ups. Two hospitals in California as well as the University of Calgary are reported to have suffered targeted ransomware attacks demanding ransom in the

Recently, Waterfall announced a global partnership with intelligence-led security company FireEye, in a push to deliver comprehensive cybersecurity solutions for businesses with industrial sites. The partnership seamlessly integrates FireEye’s cloud-based Threat Analytics Platform (TAP) with reliability-critical and safety-critical industrial control system (ICS) networks via Waterfall’s Unidirectional CloudConnect®, creating the foundation for an industrial Defense-in-Depth plan. Populating FireEye’s TAP with live data from ICS networks through Waterfall’s CloudConnect enables security analysts and audit teams to identify, prioritize and respond to critical security incidents in real time, even incidents on the most sensitive of ICS networks. The integrated solution enables ICS owners and

Recent reports of cyber attacks on U.S. nuclear reactors have cast public doubt on the strength of cyber protections at nuclear power plants. The response from nuclear plants has resoundingly been "no need to panic, nothing to see here," but other pundits are saying "I’m not sure I believe that." Looking between these narratives, what should the public believe? Here is the background - judge for yourself. In 2008, Waterfall Security Solutions completed the first deployment of a Unidirectional Security Gateway at a nuclear power plant in the United States. Unidirectional Gateways are used routinely instead of firewalls for connecting SCADA

I recently attended the NERC CIP Emerging Technologies Round Table meeting on Cloud & IoT, where a primary focus was Bulk Electric System (BES) Cyber Systems in the cloud. BES Cyber Systems are systems whose failure or compromise would adversely affect the BES within 15 minutes. Interestingly, the most thought-provoking discussion at the end of the day had to do with the Internet, not with the cloud. Can electric utilities withstand the most sophisticated of Internet-based cyberattacks? Imagine a massive distributed denial of service (DDoS) attack that targets, not Microsoft Azure or Amazon, but one or more electric utilities

If hindsight is 20/20, then disaster prevention usually gets fine-tuned only after the most unfortunate events occur. Such is the background to the U.S. Bureau of Safety and Environmental Enforcement (BSEE) rule on Oil and Gas and Sulfur Operations in the Outer Continental Shelf - Blowout Preventer Systems and Well Control (the Well Control Rule), which was published in the Federal Register in April of 2016. But putting in place regulation that seeks to prevent disasters, such as the Deepwater Horizon explosion and spill of 2010, is not a straightforward endeavor. Section 250.720 of the rule covers the issue of Real Time Monitoring

Guest blog
The recent WannaCry/WannaCrypt attacks received global attention in the news and social media. Their widespread impact and rapid propagation shocked and scared people around the world. Concern was amplified by reports that the malware used a stolen NSA exploit (EternalBlue). Existing Microsoft patches for the underlying SMB vulnerability gave some comfort, but only to those with new and updated Windows systems. The impact on business was particularly noteworthy. Operations were disrupted in parts of the British National Health Service, Spain’s Telefonica, FedEx, Deutsche Bahn, LATAM airlines, and Renault-Nissan, which had to stop production at several plants. While there were no reports of control

A short while back, I was asked to speak at an event held by The Cyber Resilient Energy Delivery Consortium (CREDC), a research and development initiative funded by the U.S. Department of Energy. Its research focuses on cybersecurity and cyber-resiliency of energy delivery systems for the electric power and oil & gas industries. I’d like to share here a part of my contribution to this forum. The future of combined software and hardware cybersecurity products seems to be fertile ground. While software-based cybersecurity measures such as firewalls and cryptosystems have been around for the past 30 years, hardware-enforced security is still

Guest Blog
To the non-expert, cyber security can look tantalizingly simple: just put a guard in front of your stuff and use it to keep the bad guys out. This observation tracks closely with the non-computing analogy of facility entry guards, a favorite comparison brought up during coffee at Board dinners: guards control who enters the building, we are told, so security gateways should do the same for networks. The problem is that things are not so simple. Take the TCP protocol as an example: for a server to authenticate a client through a gateway, a session must first be established, which involves
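The point about TCP above can be made concrete. The following is an added example, not code from the guest post or from Waterfall: a minimal length-prefixed protocol (the 2-byte header, the SECRET value and the 1024-byte limit are all hypothetical choices for the demo) served over a loopback TCP socket. The server must complete the handshake and parse whatever bytes the peer sends before it can decide whether that peer is who it claims to be, so the parser is reachable by every client the gateway lets through, including one that sends a malformed frame.

```python
import socket
import struct
import threading

# Hypothetical shared secret and frame limit, used only for this demonstration.
SECRET = b"correct-horse-battery"
MAX_BODY = 1024


def frame(body: bytes) -> bytes:
    """Build a frame: 2-byte big-endian length prefix followed by the body."""
    return struct.pack("!H", len(body)) + body


def parse_frame(data: bytes) -> bytes:
    """Parse a frame sent by a peer that has NOT yet authenticated.

    Every check here is pre-authentication attack surface: the declared
    length is attacker-controlled, so it is bounded and cross-checked
    against the bytes actually received before anything else happens.
    """
    if len(data) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack("!H", data[:2])
    if length > MAX_BODY:
        raise ValueError("declared length exceeds limit")
    body = data[2:]
    if len(body) != length:
        raise ValueError("declared length does not match body")
    return body


def serve_one(listener: socket.socket, events: dict) -> None:
    """Accept exactly one client and record what the server did at each step."""
    conn, _peer = listener.accept()      # the TCP handshake is already complete here
    events["accepted"] = True
    with conn:
        raw = conn.recv(4096)            # bytes from an unauthenticated peer
        events["bytes_received"] = len(raw)
        try:
            body = parse_frame(raw)      # parsing happens before any credential check
        except ValueError as exc:
            events["parse_error"] = str(exc)
            conn.sendall(b"BAD")
            return
        events["authenticated"] = body == SECRET
        conn.sendall(b"OK" if events["authenticated"] else b"DENY")


def exchange(payload: bytes) -> dict:
    """Run one client/server exchange on 127.0.0.1 and return the server's
    record of it plus the reply the client saw."""
    events = {"accepted": False, "bytes_received": 0,
              "parse_error": None, "authenticated": False, "reply": b""}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port
    listener.listen(1)
    server = threading.Thread(target=serve_one, args=(listener, events))
    server.start()
    with socket.create_connection(listener.getsockname(), timeout=5) as client:
        client.sendall(payload)
        events["reply"] = client.recv(16)
    server.join(5)
    listener.close()
    return events


if __name__ == "__main__":
    print(exchange(frame(SECRET)))                # handshake, parse, then auth succeeds
    print(exchange(frame(b"guess")))              # handshake, parse, then auth fails
    print(exchange(b"\xff\xff" + b"A" * 10))      # constructed malformed frame: rejected in the parser
```

In all three runs `accepted` is True: the gateway let the session through and the server ran its parser on the peer's bytes before it knew whether the peer was legitimate. A "guard at the door" that only inspects credentials cannot protect code that has to run before credentials exist.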

Recently, Waterfall joined 24 vendors from Industrie 4.0 (I4.0) and the Industrial Internet Consortium (IIC) in demonstrating secure cloud interconnectivity at the Hannover Messe industrial event. Unidirectional gateway technology and strong encryption was at the heart of this outsourced security demo, illustrating how to benefit from direct integration of control systems with cloud systems, without risk of any remote, online attack damaging industrial systems. This important demonstration illustrated how industrial businesses can take advantage of the operational benefits of the industrial cloud, without exposing industrial control networks to remote cyber risks. The demo: Interoperability between Industrie 4.0 and Industrial Internet Consortium

When managing risk, best practice teaches us to categorize, measure and profile our vulnerabilities. Intel - the world’s largest and most highly valued semiconductor chip maker and inventor of the processors found in most personal computers - knows this process well. Countless tests are run by the manufacturer to ensure that problems are avoided and the technology carries out its functions without exposing its customers to unwanted threats. Recently, however, a potential vulnerability turned into a worst-case scenario for the chipmaker. Intel has released a patch for a remote hijacking vulnerability which has been lurking in its Active Management Technology,

"WannaCrypt" or “WannaCry” is the latest ransomware variant responsible for shutting down countless organizations, including critical infrastructures and manufacturing sites as large as Renault and Nissan. The cybersecurity advice most probably followed by all these sites was to use firewalls to keep their networks “safe” and to always install the latest security updates. It has been exactly two months since Microsoft issued the MS17-010 fix for the SMB vulnerabilities that the "EternalBlue" exploit used by WannaCrypt targets, and frankly that’s not enough time for every device in every site, factory and hospital to verify the patch, test, approve the changes and update all of their operational

The Department of Homeland Security recently stated that it had received reports of 59 cyber incidents at energy facilities last year - up nearly a third from the previous year. Those 59 were only a fraction of the 290 incidents the DHS responded to last year across industrial sectors including oil and gas, chemical plants, manufacturing, and nuclear facilities. According to IBM Managed Security Services data, attacks targeting industrial control systems (ICS) increased over 110 percent in 2016 - a surge of dramatic proportions. Now let’s look at the issue on a larger scale. Based on 30,000 samples of infected control system files,

Recently we’ve received a lot of interest from water and waste management facilities regarding our Unidirectional Security Gateway - which is making me wonder what’s brought this on? Let’s look at the facts. The primary source of cyber risk in water and waste management facilities is the use of wide-area networks (WANs) for monitoring and the collection of data. A typical water site has two primary WAN connections: one to the corporate network, and through that network to the Internet, and customers, partners and vendors. The other WAN is connected to pumping stations and remote sensors to gather important data that

This is a question that might not even emerge initially in the minds of IT security professionals. However, when we take a closer look, the differences are clear. Consider the history of IT and SCADA networks. The original "killer app" for IT networks was mainframe transaction processing. The original model for IT systems was a ledger book - keep track of the money. The data in the ledger book is what was important. This perspective continues to this day. Where did SCADA networks come from? Before there were SCADA networks we controlled physical processes with switches, dials and gauges. When these

This past month we have witnessed another win in the world of ICS security standards coming from France’s preeminent information systems security standards body. The French are known for being the best in the world at many things, it would be silly to even list the obvious. But what is not as obvious to many people is that they are also world class at protecting their national critical infrastructure from cyber crime. First, the National Agency for the Security of Information Systems (ANSSI), has recently issued directives enforced by military law (Loi de

The Ukraine power grid cyberattack continued to dominate cybersecurity news in February as various researchers reported findings from their investigations of the incident. In other news, researchers discovered sustained cyberattacks against Japan’s critical infrastructure, most likely perpetrated by a nearby nation state. Amidst these reports, industrial and critical infrastructure leaders met to discuss strategies and solutions to protect against and respond to such attacks, and President Obama revealed his plan to build a stronger cybersecurity defense posture for the U.S. Underlying these events is the realization that the attacks against Ukraine and Japan are just the beginning.
Cyber-Attack Against Ukrainian

It’s no surprise the cyberattack on Ukraine’s power grid dominated industrial control system (ICS) cybersecurity news in January. Following the news of the power outages and subsequent discovery of malware and other signs of a purposeful network intrusion, cybersecurity experts, DHS and others have revealed alarming instances of cyberattacks, increasing vulnerabilities and lack of adequate cyberdefenses at industrial and nuclear sites, dams and other critical infrastructure. Perhaps the Ukraine attack is the wake-up call the industry needs to escalate its investment in cybersecurity protections, such as Unidirectional Security Gateways. In the meantime, learn more in our roundup of these

Recent reports from the Nuclear Threat Initiative and Chatham House both find that nuclear facilities in many countries are “easy targets for cyberattacks.” Among problems cited in the reports are a significant nuclear presence, few government regulations, and inadequate or corrupt oversight of nuclear facilities. The reports highlight important issues, but are disappointing in that they provide little insight into the raw data used to draw their conclusions. Both reports talk about regulations existing in some jurisdictions and not in others, and also cite cybersecurity elements of regulations in some jurisdictions but not others, but provide no sources. References to the

Three of the seven strategies in the December 2015 report from the DHS NCCIC/ICS-CERT, “Seven Strategies To Secure Industrial Control Systems,” recommend unidirectional gateways for maximum protection from cyberattacks. The report points to an increase in the frequency and complexity of cyber incidents. ICS-CERT received reports of 295 incidents in 2015, although it is believed that many more went unreported or undetected. Increasingly capable cyber adversaries who can, and have, defeated traditional IT-centric security protections perpetrate these attacks. To mitigate this growing threat, the DHS encourages us to deploy technology to prevent these increasingly sophisticated attacks.
Seven Strategies to Defend ICSs
Implement Application Whitelisting

Paul Feldman, director of Midcontinent ISO, and Dan Hill, board member for the New York ISO, recently published “Cybersecurity: IT vs. OT, and the Pursuit of Best Practices” in the January 2016 edition of Electricity Policy. The article reviews the state of control system security in the power grid and makes recommendations to improve security. A central recommendation in the article is that “it’s time for transmission and distribution companies to install unidirectional gateways between their SCADA/OT networks and their business networks.” At Waterfall Security, we are steadfast in maintaining that increased use of unidirectional security gateways will measurably improve

December’s cybersecurity news further illustrated the reality that foreign state hackers are targeting U.S. critical infrastructure. Of greater concern is the fact that much of our infrastructure security is inadequate to protect against a targeted attack. With outdated security and the growing adoption of the Industrial Internet of Things (IIoT), power grids, dams and other critical infrastructure are at increased risk of a successful network intrusion. Will recent legislation provide the protections needed to improve cybersecurity for critical infrastructure, or is it too little, too late? Read on to learn more about the news and events that capped 2015 and

The threat of terrorism is top of mind for many, and of increasing concern to those tasked with protecting industrial control systems (ICS). ISIS has issued threats against the North American electric grid, for example. While the cyber capability of ISIS is thus far unsophisticated, advanced attack capabilities are readily purchased. Other security challenges will be the topic of heated debate. FERC has requested comments regarding supply chain integrity and remote access rules. The Industrial Internet of Things (IIoT) is gaining steam as well, especially control system vendor “remote monitoring and diagnostics” services that concentrate many control system VPN connections deep

November news roundup: Why the energy sector is at the heart of cybersecurity discussions
In the wake of the ISIS-perpetrated Paris attacks and cyber threats against the U.K., government agencies are stepping up cybersecurity in a bid to detect and defend their critical infrastructure against a cyberattack by ISIS or other hacker groups. At the top of that list is the energy sector. Cybersecurity leaders from several countries have stated their concerns about a cyberattack against the power grid, refineries and oil or gas pipelines, and many of these infrastructures show serious vulnerabilities. For more on these and other stories that