The coronavirus (COVID-19) affects all of us in our daily work and requires measures to prevent its spread. The health of our employees, customers, relations and partners remains our first priority. We therefore strictly follow the guidelines of the government. Our products and services, as we deliver them every day, are carried out as decentrally as possible from our office, and we maximize working from home in line with the instructions and the possibilities. This way we can continue to support you optimally, and we ensure that CR-Team, also in this difficult period, delivers the continuity of service you are used to from us. Meetings with the project teams can take place via Skype or telephone, and for the time being we will limit physical meetings to the strictly necessary.

Should you have questions about the impact on your project, please do not hesitate to contact us.

NIST security functions

US-CERT has reported multiple critical vulnerabilities in Rockwell Automation PLCs. The affected systems are:

  • MicroLogix 1400 Controllers,
  • MicroLogix 1100 Controllers,
  • RSLogix 500 Software

The bugs could allow an attacker to gain access to sensitive project file information, including passwords. Rated 9.8 out of 10 on the CVSS v3 severity scale, the bugs include the use of a hard-coded cryptographic key; the use of a broken or risky cryptographic algorithm for password protection; the use of client-side authentication (the password check is performed by the engineering software on the workstation rather than enforced by the device, so it protects nothing against someone who holds a copy of the file); and cleartext storage of sensitive information.

Bugs and vulnerabilities are a fact of OT life. What matters is recognizing that you have vulnerabilities and how you respond to them. Doing nothing is not an option, therefore:

  • Know which assets you have,
  • Know their vulnerabilities,
  • Understand your threats,
  • Have a maintenance service plan,
  • Respond and solve the vulnerabilities.

Whereas visibility is the basis of security management, in practice we see that the industry struggles to produce an up-to-date asset inventory. CR-Team can help you obtain visibility of all assets and connections in your OT network. Please check our page about security scans or reach out to us for more information.
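As an added example (not CR-Team's tooling and not code from the page), the following Python script shows the first two steps of the list above in practice: an asset inventory is reconciled with the affected-product list of the Rockwell advisory from the previous post, and assets whose version was never recorded are flagged as inventory gaps. The inventory records, zone labels, version placeholders and suggested actions are constructed for the example. The advisory summary on this page gives no version ranges, so the script matches on product family and leaves the comparison with the vendor's fixed versions to the reader.

```python
"""Reconcile an OT asset inventory with a vendor advisory.

Added example; this is not CR-Team's tooling. The affected product names
are the ones listed in the advisory summarised above. The inventory
records, zone names, version strings and the suggested actions are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Affected products as named in the advisory. The summary on this page
# gives no version ranges, so matching is by product family only; the
# exact fixed versions must be taken from the vendor advisory.
ADVISORY = {
    "id": "US-CERT: Rockwell MicroLogix 1400/1100 and RSLogix 500 (CVSS v3 9.8)",
    "affected": ("MicroLogix 1400", "MicroLogix 1100", "RSLogix 500"),
}


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                      # constructed zone labels, e.g. OT-L1 = controllers
    vendor: str
    product: str
    version: Optional[str] = None  # None = not recorded, itself an inventory gap


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str                  # "critical" or "high"
    reason: str
    action: str


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def match_advisory(asset: Asset, advisory=ADVISORY) -> bool:
    """True when the asset's product name contains an affected product family."""
    prod = _norm(asset.product)
    return any(_norm(p) in prod for p in advisory["affected"])


def check_inventory(assets: List[Asset], advisory=ADVISORY) -> List[Finding]:
    findings = []
    for a in assets:
        if match_advisory(a, advisory):
            if a.version is None:
                findings.append(Finding(a.name, "critical",
                    f"{a.product}: in scope of {advisory['id']}, version not recorded; assume vulnerable",
                    "record the version; until fixed, restrict access to the project files "
                    "and the engineering workstation (assumed compensating control)"))
            else:
                findings.append(Finding(a.name, "critical",
                    f"{a.product} {a.version}: in scope of {advisory['id']}",
                    "compare with the vendor's fixed versions and schedule the update in a maintenance window"))
        elif a.version is None:
            findings.append(Finding(a.name, "high",
                f"{a.product}: version not recorded, cannot be assessed against any advisory",
                "complete the inventory record"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed inventory; the version strings are placeholders, not real releases.
INVENTORY = [
    Asset("PLC-01", "OT-L1", "Rockwell Automation", "MicroLogix 1400", "fw-A"),
    Asset("PLC-02", "OT-L1", "Rockwell Automation", "MicroLogix 1100"),            # version never recorded
    Asset("PLC-03", "OT-L1", "Rockwell Automation", "ControlLogix 5580", "fw-B"),  # not in this advisory
    Asset("ENG-01", "OT-L2", "Rockwell Automation", "RSLogix 500 software", "sw-C"),
    Asset("HIST-01", "OT-L3", "Example Vendor", "Historian"),                      # inventory gap only
]

if __name__ == "__main__":
    result = check_inventory(INVENTORY)
    for f in result:
        print(f"[{f.severity}] {f.asset}: {f.reason} -> {f.action}")
    print(summarize(result))
```

The script deliberately treats "affected product, version unknown" as critical rather than as a data-quality issue: until the version is known the asset has to be handled as vulnerable, and the missing record is exactly the inventory gap the paragraph above describes.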

Cyber Resilience

This week it became public that multiple industrial facilities had their operations interrupted by ransomware attacks.

This led to a disruption of human-machine interfaces (HMIs), data historians and polling servers, which were no longer able to process data from the low-level industrial control systems (ICS). Human operators could no longer monitor the process, but the attack did not reach the programmable logic controllers (PLCs), and the targeted organization never lost control of operations.

These incidents could have been prevented.

Segregation of IT and OT networks is a crucial security measure. But that is easier said than done…

Sure, you can propagate a complete air gap, but in reality that proves not to be a practical strategy for the majority of companies. Firewalls are the right mitigation against uncontrolled cross-network connectivity. It sounds like a straightforward solution: buy the hardware and licenses, install, done, protection is in place! In practice, however, there is much more to managing this critical piece of infrastructure: the firewalls must be industrial grade, configured following the default-deny principle (no flow between IT and OT is allowed unless a rule explicitly permits it, and the last rule denies everything else) and, very importantly, maintained with patching and health assessments.

Make it a periodic activity to review the configuration, policies and rules to ensure that your OT network is still properly separated. CR-Team can assist you with the review and assess your OT network for rogue access points, unauthorized remote access, unmanaged assets, active malware and other flaws in your protection.
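An added example (not code from CR-Team or from any firewall vendor) of what such a periodic rule review can check automatically against the default-deny principle: every allow rule that crosses the IT/OT boundary must name specific sources, destinations, protocol and port, must correspond to a documented approved flow, must not carry a cleartext service like telnet or FTP, and the rule set must end with an explicit deny-all. The rule-set format, zone names, addresses and the approved-flow list are constructed for the example; a real review reads the exported policy of the firewall in use.

```python
"""Review an IT/OT boundary firewall rule set against the default-deny principle.

Added example, not CR-Team's review tooling. The rule-set format, the zone
names, the approved-flow list and the addresses are constructed for this
example; a real review parses the vendor's exported policy instead.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

OT_ZONES = {"OT", "OT-DMZ"}

# Cleartext services that should never be allowed across the boundary.
INSECURE_SERVICES = {("tcp", "23"): "telnet", ("tcp", "21"): "ftp",
                     ("tcp", "80"): "http", ("udp", "69"): "tftp"}

# Constructed list of documented, approved cross-boundary flows:
# (src_zone, dst_zone, proto, dport).
APPROVED_FLOWS: Set[Tuple[str, str, str, str]] = {
    ("OT", "IT", "tcp", "5450"),      # historian replication to the IT historian
    ("IT", "OT-DMZ", "tcp", "443"),   # IT users to the jump host in the DMZ
}

# Constructed rule set in the format: index action src_zone src dst_zone dst proto dport
SAMPLE_RULES = """
1 allow OT     10.10.3.30/32  IT     10.0.5.20/32  tcp 5450   # historian replication (approved)
2 allow IT     10.0.9.0/24    OT     10.10.2.0/24  tcp 3389   # RDP from the office LAN into OT
3 allow IT     any            OT     any           any any    # "temporary" troubleshooting rule
4 allow IT     10.0.9.5/32    OT     10.10.1.10/32 tcp 23     # telnet to a controller
5 allow IT     10.0.5.20/32   OT-DMZ 10.20.1.5/32  tcp 443    # IT to the DMZ jump host (approved)
6 deny  any    any            any    any           any any
"""


@dataclass(frozen=True)
class Rule:
    index: int
    action: str
    src_zone: str
    src: str
    dst_zone: str
    dst: str
    proto: str
    dport: str


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8:
            raise ValueError(f"malformed rule line: {raw!r}")
        idx, action, sz, src, dz, dst, proto, dport = fields
        for addr in (src, dst):
            if addr != "any":
                ipaddress.ip_network(addr, strict=False)  # raises on a mistyped address
        rules.append(Rule(int(idx), action.lower(), sz, src, dz, dst, proto.lower(), dport.lower()))
    return rules


Finding = Tuple[Optional[int], str, str]


def review(rules: List[Rule], approved_flows=APPROVED_FLOWS) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules:
        crosses = r.src_zone != r.dst_zone and (r.src_zone in OT_ZONES or r.dst_zone in OT_ZONES)
        if r.action != "allow" or not crosses:
            continue
        if "any" in (r.src, r.dst, r.proto, r.dport):
            findings.append((r.index, "BROAD_ALLOW",
                             "allow rule with 'any' crosses the IT/OT boundary; violates default-deny"))
        elif (r.src_zone, r.dst_zone, r.proto, r.dport) not in approved_flows:
            findings.append((r.index, "UNAPPROVED_FLOW",
                             f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dport} is not a documented approved flow"))
        service = INSECURE_SERVICES.get((r.proto, r.dport))
        if service:
            findings.append((r.index, "INSECURE_SERVICE",
                             f"{service} allowed across the boundary; use an encrypted, authenticated alternative"))
    last = rules[-1] if rules else None
    final_deny = last is not None and last.action == "deny" and all(
        v == "any" for v in (last.src_zone, last.src, last.dst_zone, last.dst, last.proto, last.dport))
    if not final_deny:
        findings.append((None, "NO_FINAL_DENY",
                         "rule set does not end with an explicit deny-all; unmatched traffic is decided by the platform default"))
    return findings


if __name__ == "__main__":
    for index, code, message in review(parse_rules(SAMPLE_RULES)):
        print(f"rule {index if index is not None else '-'}: {code}: {message}")
```

Rule 3 deserves a second look for a reason the script does not check: on a first-match firewall an early "allow any" also makes every later, more specific rule unreachable, so rules 4 and 5 are never evaluated while it exists. That is why a review should look at rule order as well as at individual rules.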

Please reach out to us, we secure OT.


CR-Team presented at the latest edition of the FERM-Rotterdam Port Cyber Café on the "impact of cyber on the OT domain". After the difference between IT and OT security was explained using the CIA triad, the focus shifted to the challenges of securing OT. The well-known Triton attack, which targeted a safety instrumented system, was used to demonstrate and explain the methods and techniques of the incident. A cyber incident in OT will likely have physical impact, for example the shutdown of machinery. But as the Triton example shows, it is very realistic that an incident affects safety too. We must protect the health of our colleagues, neighbors and the environment. Let's secure OT!

Please contact us if you would like to learn what we can do to enhance your resilience.

Every year the number of reported ICS vulnerabilities grows by about a third. In the IT world that is cumbersome but can be handled with an automatic patch round or a scheduled update. In OT, however, we are not that flexible and have to live with our vulnerable systems for a longer period, until the impact of the update has been extensively tested. Even that need not be a problem, because we take additional security measures and protect the OT from threats from IT and the internet.

But what if those additional security measures are not effective? Or if we have more vulnerabilities than we have designed mitigating controls for? That is the real problem: the OT environment is left under-protected, which puts business continuity and product quality at risk.


Statistics of the issues we find in an average OT environment show that no less than a third of the issues can be classified as high or critical risk. These are issues that need immediate attention.

If we break these issues down by their cause we get the following breakdown:


These "usual suspects" pose a serious threat to your OT environment:

  • systems and packages are missing security updates (33%)
  • access control is failing, for example because of default passwords (admin:admin), hard-coded credentials and insecure remote access (25%)
  • misconfigurations and insecure services are present (10%)
  • the network is not segmented properly and allows unrestricted traffic (11%)

It is a huge task not only to know your vulnerabilities but also to understand the best way to solve them. This is CR-Team's expertise, and we can support you.

We start by performing a full inventory of your OT environment, because "we cannot protect what we do not know". After adding context and discussing what we found, we propose a security remediation plan. Through our structured project approach it is clear who is responsible for which actions and when the end state will be delivered.

Reach out to us if you want to know how we can help you.

TrendMicro Honeypot

A recent research paper about an ICS honeypot is great in several ways:

  1. It shows how easy it is to set up a fake company. Such "companies" can then be used for fraud and phishing (terminal spoofing, for example) but also for malware distribution.
  2. You learn which vulnerabilities attract attackers.
  3. It describes perfectly how attackers exploit an exposed OT network.
  4. The impact of a compromise becomes clear: your OT network is compromised, causing business disruption.

The researchers deliberately built common design errors and configuration mistakes (vulnerabilities) into their honeypot. An incorrect OT network design leaves your critical network connected to the internet. If you allow remote access, make sure that the appropriate security controls are in place and that they are effective. Information such as P&IDs and network topologies is business confidential and must therefore not be shared through file shares like Dropbox or sent to generic mailboxes. Information like this is gold in the hands of adversaries.

Contact us, we will be happy to explain how we can protect your IACS.

Read more about the research on the researchers' website.

Emerson presentation

Had a great day with colleagues from CR-Team and KH-Engineering at Emerson's innovation day "Industry 4.0 in action". They showcased some great developments and clearly develop their products with security in mind.

So, all good? Well, between acquisition and actual implementation an awful lot can go wrong…

Make sure that shortcuts in the architectural design and flaws in configuration and setup don't ruin your operations. We will be happy to advise on ISA99/IEC 62443, the Purdue model and secure architecture principles. With our passive OT scan we detect vulnerabilities without touching the process, so they can be remediated before the project goes live.
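To show what passive discovery yields, here is an added example (not CR-Team's passive OT scan and not code from the page) that builds an asset list and a connection map from flow summaries of the kind a SPAN-port capture produces, and then compares the result with the declared inventory: hosts on the OT range that nobody declared, OT assets that talk to addresses outside the OT range, and outside addresses that reach into OT. The flow records, the OT address range and the declared inventory are constructed; the industrial protocol port numbers are the standard ones. A real capture also gives MAC addresses and protocol-level device identification, which this example leaves out.

```python
"""Passive asset and connection discovery from observed OT traffic.

Added example; not CR-Team's passive OT scan. Input is a constructed list of
flow summaries (client -> server, protocol, server port) such as a SPAN-port
capture or flow exporter yields; a real implementation reads them from the
capture and also records MAC addresses and protocol-level device identity.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed OT address range for this example.
OT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Standard industrial protocol ports, used to name observed services.
INDUSTRIAL_PORTS = {
    ("tcp", 502): "modbus",
    ("tcp", 102): "s7comm",
    ("tcp", 44818): "enip",
    ("udp", 2222): "enip-io",
    ("tcp", 20000): "dnp3",
    ("tcp", 4840): "opcua",
}

# Constructed flow summaries: "src_ip dst_ip proto dst_port".
SAMPLE_FLOWS = """
10.10.2.20 10.10.1.10 tcp 44818   # HMI polls PLC-01 over EtherNet/IP
10.10.2.20 10.10.1.11 tcp 502     # HMI polls PLC-02 over Modbus/TCP
10.10.3.30 10.10.1.10 tcp 44818   # historian reads PLC-01
10.10.2.21 10.10.1.10 tcp 44818   # engineering workstation to PLC-01
10.10.2.99 10.10.1.11 tcp 502     # undeclared host speaking Modbus to PLC-02
10.10.1.11 8.8.8.8    udp 53      # PLC-02 resolving names on the internet
10.0.9.77  10.10.2.20 tcp 3389    # IT office host opening RDP to the HMI
"""

# Constructed declared inventory of the OT network.
DECLARED = {"10.10.1.10", "10.10.1.11", "10.10.2.20", "10.10.2.21", "10.10.3.30"}

Flow = Tuple[str, str, str, int]


def is_ot(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port = line.split()
        flows.append((src, dst, proto.lower(), int(port)))
    return flows


def discover(flows: List[Flow]):
    """Build the asset table (what each address serves and uses) and the connection set."""
    assets: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: {"serves": set(), "uses": set()})
    connections: Set[Tuple[str, str, str]] = set()
    for src, dst, proto, port in flows:
        service = INDUSTRIAL_PORTS.get((proto, port), f"{proto}/{port}")
        assets[dst]["serves"].add(service)
        assets[src]["uses"].add(service)
        connections.add((src, dst, service))
    return dict(assets), connections


def assess(assets, connections, declared=DECLARED) -> List[Tuple[str, str, str]]:
    findings = []
    for ip in sorted(assets, key=ipaddress.ip_address):
        if is_ot(ip) and ip not in declared:
            findings.append(("UNMANAGED_ASSET", ip,
                             f"on the OT network but not in the inventory; serves {sorted(assets[ip]['serves'])}, "
                             f"uses {sorted(assets[ip]['uses'])}"))
    for src, dst, service in sorted(connections):
        if is_ot(src) and not is_ot(dst):
            findings.append(("OT_TO_EXTERNAL", f"{src}->{dst}", f"OT asset reaches outside the OT range over {service}"))
        elif is_ot(dst) and not is_ot(src):
            findings.append(("EXTERNAL_TO_OT", f"{src}->{dst}", f"host outside the OT range connects into OT over {service}"))
    return findings


if __name__ == "__main__":
    found_assets, found_connections = discover(parse_flows(SAMPLE_FLOWS))
    for ip in sorted(found_assets, key=ipaddress.ip_address):
        print(ip, "serves", sorted(found_assets[ip]["serves"]), "uses", sorted(found_assets[ip]["uses"]))
    for code, subject, message in assess(found_assets, found_connections):
        print(f"{code}: {subject}: {message}")
```

Because the input is a copy of traffic that was already flowing, nothing in this script sends a single packet to a controller, which is the property that makes a passive scan acceptable on a running plant; the price is that a device that is silent during the capture window stays invisible, so the capture has to span the relevant operating modes.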

The international event "Cyber security for critical industries" took place on the 26th and 27th of March in Amsterdam. Interesting was the different approach taken in Europe to this matter. During the two-day event people from different countries contributed to the presentations and discussions. A consultant of the Cyber Resilience Team was present and available for networking.

On the 29th of November 2018 our consultant Ewald Coenraad gave an awareness presentation about cyber security for Operational Technology (OT). Together with a speaker from DCMR, Ewald informed the members of Deltalinqs about the threats in industry and their relation with process safety. For more information about this presentation, or about how your company can become more resistant to cyber attacks, please contact the Cyber Resilience Team via info@cr-team.eu.