Blog

Norsk Hydro has been hit by a ransomware attack. The firm reports that some aluminum smelting plants have switched to manual operations, and some metal extrusion plants have halted production altogether. There are theories that the ransomware was deliberately planted on a corporate Active Directory domain controller in such a way as to infect most Windows hosts at the company. This sounds like a combination of attacks #3 and #4 from The Top 20 Cyberattacks on Industrial Control Systems. The lessons here are simple: Even messages from trusted IT domain controllers can host, or be part of, a cyber attack. Firewalls do not

Waterfall Security is pleased to announce our Industrial Security Podcast featuring interviews with world-recognized experts on a wide range of industrial cybersecurity topics. The podcast will address current and developing ICS topics such as: Do expert ICS penetration testers target live/running systems? (cheat: not always, but yes, they do, carefully) What questions should boards of directors be asking their CIO/CSO’s about industrial/OT cybersecurity? What changes is the Industrial Internet of Things (IIoT) bringing about in the next few years? What does the latest industrial cyber risk assessment methodology from EPRI look like? All of these questions are answered in episodes

I am pleased to announce the general availability of my new book, Secure Operations Technology (SEC-OT). SEC-OT is a perspective, a methodology and a set of best practices that document what thoroughly-secured industrial sites actually do. What these sites do differs sharply from what most industrial sites do. Most industrial sites practice IT Security (IT-SEC) whose focus is to "protect the information" - the CIA, the AIC, the IAC, or the something of the information. The focus at secure industrial sites, though, is protecting the safe, reliable, continuous and correct operation of the physical, industrial process, not protecting information. Indeed, secure

Much has been written and debated regarding communicating cyber risk to boards and other key corporate decision makers. Conveying to a non-technical audience the criticality of cyber vulnerabilities in IT systems that support business functions can be a daunting task; but what if the systems don't just support the business, what if they are the business? For businesses that supply critical services and infrastructure to their customers, risk to the control systems from a cyber source is a relatively new concept, and industrial cyber risk dramatically increases the severity of worst-case scenarios. Information technology that supports business functions and protects confidential

The Carbon Black Quarterly Incident Response Threat Report for 2018 shows that destroying forensic evidence to hide attack sources and attack capabilities is becoming increasingly common. The report quotes an incident response professional as observing that "We've seen a lot of destruction of log data, very meticulous cleanup of antivirus logs, security logs and denying IR teams the access to data they need to investigate." More specifically, the report finds that in the last 90 days: 32% of investigated attacks included attackers wiping entire machines to hide evidence; 72% of all IR professionals reported seeing deleted logs in at least one
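The log destruction the report describes usually leaves its own trace: Windows records the clearing of the Security log as event 1102 and the clearing of System or Application logs as event 104, and the command that did it often appears in a process-creation event (4688) shortly before. The following is an added example, not code from the report or from Waterfall, that sweeps an export of event records for those indicators and correlates a clearing event with the command that preceded it on the same host. The JSON-lines records, the field names, the host names and the command fragment list are constructed for illustration.

```python
"""Flag anti-forensic log tampering in an export of Windows event records.

Added example with constructed data; the field layout (EventID, Computer,
TimeCreated, User, CommandLine) is an assumption about the export format.
"""
import json
from datetime import datetime, timedelta

# Well-documented Windows event IDs that record a log being cleared:
# 1102 = Security log cleared, 104 = System/Application log cleared.
LOG_CLEARED_IDS = {1102, 104}

# Command-line fragments (lowercased, ".exe" stripped) that clear or disable
# logging when seen in a 4688 process-creation event. Assumed list for the example.
ANTI_FORENSIC_CMDS = (
    "wevtutil cl",
    "wevtutil clear-log",
    "clear-eventlog",
    "auditpol /clear",
    "fsutil usn deletejournal",
)

# How far back to look for the command that produced a clearing event.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample export: one benign logon, one benign process, and a
# wevtutil clear followed by the 1102 it produces on HMI-01, plus an
# unexplained 104 on ENG-WS-07.
SAMPLE_EVENTS = """
{"EventID": 4624, "Computer": "HMI-01", "TimeCreated": "2018-10-02T03:11:09Z", "User": "svc_backup"}
{"EventID": 4688, "Computer": "HMI-01", "TimeCreated": "2018-10-02T03:12:40Z", "User": "svc_backup", "CommandLine": "wevtutil.exe cl Security"}
{"EventID": 1102, "Computer": "HMI-01", "TimeCreated": "2018-10-02T03:12:41Z", "User": "svc_backup"}
{"EventID": 4688, "Computer": "ENG-WS-07", "TimeCreated": "2018-10-02T03:15:02Z", "User": "jsmith", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 104, "Computer": "ENG-WS-07", "TimeCreated": "2018-10-02T03:20:55Z", "User": "svc_backup"}
"""


def _parse_time(stamp):
    # Export uses ISO-8601 with a trailing Z (assumed).
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_tampering(jsonl_text):
    """Return findings for log-clearing events and anti-forensic commands.

    Each finding is a dict with type, host, time, user and event_id; a
    log_cleared finding also carries 'preceded_by', the command seen on the
    same host within CORRELATION_WINDOW before the clear, or None.
    """
    findings = []
    recent_cmds = []  # (host, time, command) for correlation
    for line in jsonl_text.strip().splitlines():
        ev = json.loads(line)
        eid = ev.get("EventID")
        host = ev.get("Computer")
        when = _parse_time(ev["TimeCreated"])
        if eid == 4688:
            cmd = ev.get("CommandLine", "").lower().replace(".exe", "")
            if any(frag in cmd for frag in ANTI_FORENSIC_CMDS):
                recent_cmds.append((host, when, ev.get("CommandLine")))
                findings.append({
                    "type": "anti_forensic_command", "host": host,
                    "time": ev["TimeCreated"], "user": ev.get("User"),
                    "event_id": eid, "command": ev.get("CommandLine"),
                })
        elif eid in LOG_CLEARED_IDS:
            # Attribute the clear to the most recent matching command, if any.
            preceded_by = None
            for c_host, c_when, c_cmd in reversed(recent_cmds):
                if c_host == host and timedelta(0) <= when - c_when <= CORRELATION_WINDOW:
                    preceded_by = c_cmd
                    break
            findings.append({
                "type": "log_cleared", "host": host,
                "time": ev["TimeCreated"], "user": ev.get("User"),
                "event_id": eid, "preceded_by": preceded_by,
            })
    return findings


def hosts_with_cleared_logs(findings):
    """Hosts that need their logs recovered from a central collector."""
    return sorted({f["host"] for f in findings if f["type"] == "log_cleared"})


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_EVENTS):
        print(f)
    print("hosts needing log recovery:", hosts_with_cleared_logs(SAMPLE_EVENTS and find_tampering(SAMPLE_EVENTS)))
```

A 104 or 1102 with no attributable command, like the one on ENG-WS-07 above, is the case worth the most attention: the clearing was done by a tool or path the process-creation audit did not capture. The only durable answer to the report's finding is to forward events to a collector the attacker cannot reach, so that the local copy being wiped costs the IR team nothing.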

Governments all over the world are beginning to toughen cyber regulations imposed on industry to respond to the increasing threat of cyber attacks on national critical infrastructure. This class of cyber attack does not just limit itself to enterprise systems. If the control systems of a digitized petro-chemical plant, for example, fall in the hands of a threat actor, not only can the national energy supply be in danger, but the physical plant itself could be at risk of explosion or fire. This clear and present danger is considered a serious threat in Israel, where several such attacks attempted on industrial

The CEO of TSMC - the manufacturer of key chipsets for Apple's iPhones, and for many other global companies - reported Monday that the company was forecasting a drop of 2% in Q3 revenues, or about $160M, due to an infection of its manufacturing facilities by a variant of the WannaCry ransomware. The malware entered the manufacturing network when a new piece of fab tool equipment was installed. The malware appears to have spread rather quickly, as the CEO indicated that at the peak of the infection, 10,000 machines were impaired at several manufacturing sites. The CEO maintained that the

OT remote access is efficient and convenient - for attackers

Remote access might look like a good idea. Every computer on an enterprise network certainly has some sort of Remote Desktop capability: tech support takes control of my laptop routinely to install new software or to fix issues. Sometimes our vendors have remote access into our servers and other systems, to provide remote support. When we are talking about the enterprise network, this is a great capability, reducing costs, reducing headcount per campus, sometimes even reducing travel time. When migrating to the OT world of industrial networks, this type of solution does

"The beginning of wisdom is the definition of terms." - Socrates (470 – 399 B.C.)

Definitions are important - good ones shape our understanding of concepts while poor ones impair that understanding. Consider the definition: pen: a tube of ink with a tiny ball bearing at the tip. How useful is that definition? If we give the definition to a non-English-speaker, would it seem like a word worth remembering? Consider a different definition: pen: a tool for writing or drawing with ink. Someone new to the language would likely hear this second definition and say "ahh - so that's what those things are called," because

Different continents point to similar concerns

The Black Hat Asia 2018 attendee survey polled IT and security professionals from 12 East Asian countries, Australia and elsewhere, asking about the threats and challenges they are most concerned with, the attacks and attackers they fear most, as well as their cybersecurity posture. The main takeaway from the survey is that security professionals across the globe are reaching a growing consensus, sharing a high level of concern over targeted cyberattacks and potential breaches of critical infrastructure. The same concern was echoed in the previous Black Hat survey that polled European security professionals several months ago,