Nist security functionsThe US Cert has reported on multiple critical vulnerabilities in Rockwell Automation PLC’s. The affected systems are:

  • MicroLogix 1400 Controllers,
  • MicroLogix 1100 Controllers,
  • RSLogix 500 Software

The bugs could allow an attacker to gain access to sensitive project file information, including passwords. Rating 9.8 out of 10 on the CVSS v3 severity scale, the bugs include the use of hard-coded cryptographic key; use of a broken or risky algorithm for password protection; use of client-side authentication; and clear text storage of sensitive information.

Bugs and vulnerabilities are a fact of our OT life. It all comes down to how recognizing you have vulnerabilities and how you respond to it. Doing nothing is not an option and therefore:

  • Know which assets you have,
  • Know their vulnerabilities,
  • Understand your threats,
  • Have a maintenance service plan,
  • Respond and solve the vulnerabilities.

Whereas visibility is the basis of security management, in practice we see the industry is struggling to produce an up-to-date asset inventory. CR-Team can help you to obtain visibility of all assets and connections in your OT network. Please check this page about security scans or reach out to us for more information.

Cyber ResilienceThis week it became public that multiple industrial facilities had interrupted operations due to ransomware attacks.

This led to a disruption of human-machine interfaces (HMIs), data historians, and polling servers, which were no longer able to process data from low-level industrial control systems (ICS). Human operators could no longer monitor processes, but the attack did not affect programmable logic controllers (PLCs) and the targeted organization never lost control of operations.

These were incidents that could have been prevented.

Segregation of IT and OT networks is a crucial security measure. But that is easier said than done…

Sure you can propagate a complete air gap but in reality that proves not to be practical strategy for the majority of companies. Firewalls are the right mitigation against cross-networks connectivity. Sounds like a straight forward solution: buy the hardware and licenses, install and done. Protection is in place! In practice however there is much more to managing this critical piece of infrastructure; the firewalls must be industry grade, configure following the default-deny principle and, very important, maintain them with patching and health assessments.

Make it periodic activity to review the configuration, policies and rules to ensure that your OT network is still properly separated. CR-Team can assist you with the review, assess your OT network for rogue access points, unauthorized remote access, unmanaged assets, active malware and other flaws in your protection.

Please reach out to us, we secure OT.

 

 

Every year the number of reported ICS vulnerabilities increases with about a third. In an IT world that is cumbersome but can be solved with an -automatic- patch round or scheduled update. In OT however we are not this flexible and need to work with our vulnerable systems for a longer period, until the impact of the update is extensively tested. Even that does not have to be a problem either because we take additional security measures and protect the OT from threats from IT and internet.

But what if our additional security measures are not effective? Or if we have more vulnerabilities than for which we have designed mitigating controls? That is the real problem. The OT environment is left under-protected which causes business continuity and product quality to be at risk.

 

 

Statistics of we issues we find in an average OT environment show that no less than a third of the issues can be classified as high/critical risk. These are issues that need immediate attention.

If we breakdown these issues to their cause we get the following chart.

 

 

 

These ‘usual suspects’ are causing serious threat to your OT environment:

  • systems and packages are missing security updates (33%)
  • access control is failing. For example because of default passwords (admin:admin), hard-coded credentials and insecure remote access. (25%)
  • misconfigurations and insecure services are present (10%)
  • the network is not segmented properly and allowing unrestricted traffic (11%)

It is a huge task not only to know your vulnerabilities but also to understand the best way to solve them. This is the expertise of CR-Team and we can support you.

We will start with performing a full inventory of your OT environment, because: “We can not protect what we do not know”. After adding context and discussing what we found we will propose a security remediation plan. Through our structured project approach it will be clear who is responsible for the actions and when the end state is delivered.

Reach out to us if you want to know how we can help you.

TrendMicro HoneypotA recent research paper about an ICS honeypot is great in several ways:

  1. It shows how easy it is to set up a fake company. These ‘companies’ can then be used for fraud and phishing (terminal spoofing for example) but also for malware distribution.
  2. You learn which vulnerabilities attract attackers.
  3. It describes perfectly how hackers exploit an exposed OT network.
  4. The impact of a hack becomes clear. Your OT network becomes compromised causing discontinuation of business.

The researchers make use of common design errors and configuration mistakes (vulnerabilities). The OT network design is incorrect leaving your critical network connected to the internet. If you allow remote access then make sure that the appropriate security controls are taken and that they are effective. Information like P&ID’s and network topologies are business confidential and must therefore not be shared through fileshares like Dropbox or sent to generic mailboxes. Information like this is gold in the hands of adversaries.

Contact us, we will be happy to explain how we can protect your IACS.

Read more about the research on the researchers website