We are the CR-Team – Cyber Resilience Team and are an independent cyber security provider with a focus on securing Industrial Automation & Control Systems (IACS). With a broad spectrum of security services, we can improve the resilience of your OT infrastructure and defend the continuity of your operations. Our cyber specialist Ewald Coenraad has years of experience and decades of OT expertise. As a result, he understands the concerns within your company. Click here to read more about cyber security in the KH Engine.
The Coronavirus (COVID-19) affects us all in our daily work and requires measures to prevent it from spreading. The health of our employees, customers, business relations and partners remains our first priority. We therefore strictly follow government guidelines. Our products and services, as we carry them out on a daily basis, are decentralised from our offices as much as possible and we maximise working from home in accordance with instructions and possibilities. In this way we can continue to provide you with optimal support and we ensure that CR-Team, also in this difficult period, will provide the continuity of service to you as you have come to expect from us. The meetings with the project teams can take place by Skype or telephone and for the time being we will limit the physical meetings to what is strictly necessary.
Should you have any questions regarding the impact on your project, please do not hesitate to contact us.
The US Cert has reported on multiple critical vulnerabilities in Rockwell Automation PLC’s. The affected systems are:
- MicroLogix 1400 Controllers,
- MicroLogix 1100 Controllers,
- RSLogix 500 Software
The bugs could allow an attacker to gain access to sensitive project file information, including passwords. Rating 9.8 out of 10 on the CVSS v3 severity scale, the bugs include the use of hard-coded cryptographic key; use of a broken or risky algorithm for password protection; use of client-side authentication; and clear text storage of sensitive information.
Bugs and vulnerabilities are a fact of our OT life. It all comes down to how recognizing you have vulnerabilities and how you respond to it. Doing nothing is not an option and therefore:
- Know which assets you have,
- Know their vulnerabilities,
- Understand your threats,
- Have a maintenance service plan,
- Respond and solve the vulnerabilities.
Whereas visibility is the basis of security management, in practice we see the industry is struggling to produce an up-to-date asset inventory. CR-Team can help you to obtain visibility of all assets and connections in your OT network. Please check this page about security scans or reach out to us for more information.
This week it became public that multiple industrial facilities had interrupted operations due to ransomware attacks.
This led to a disruption of human-machine interfaces (HMIs), data historians, and polling servers, which were no longer able to process data from low-level industrial control systems (ICS). Human operators could no longer monitor processes, but the attack did not affect programmable logic controllers (PLCs) and the targeted organization never lost control of operations.
These were incidents that could have been prevented.
Segregation of IT and OT networks is a crucial security measure. But that is easier said than done…
Sure you can propagate a complete air gap but in reality that proves not to be practical strategy for the majority of companies. Firewalls are the right mitigation against cross-networks connectivity. Sounds like a straight forward solution: buy the hardware and licenses, install and done. Protection is in place! In practice however there is much more to managing this critical piece of infrastructure; the firewalls must be industry grade, configure following the default-deny principle and, very important, maintain them with patching and health assessments.
Make it periodic activity to review the configuration, policies and rules to ensure that your OT network is still properly separated. CR-Team can assist you with the review, assess your OT network for rogue access points, unauthorized remote access, unmanaged assets, active malware and other flaws in your protection.
Please reach out to us, we secure OT.
CR-Team has presented at the latest edition of the FERM-Rotterdam Port Cyber Café about the “impact of cyber on the OT domain”. After the difference between IT and OT security was explained using the CIA triad the focus shifted to the challenges of securing OT. The well known Triton attack was used to demonstrate and explain the methods and techniques of the incident. A cyber incident in OT will likely have physical impact like for example the shutdown of machinery operations. But as the Triton example shows, it is very realistic that an incident can have impact on safety too. We must protect the health of our colleagues, neighbors and the environment. Let’s secure OT!
Please contact us if you would like to learn what we can do to enhance your resilience.
Every year the number of reported ICS vulnerabilities increases with about a third. In an IT world that is cumbersome but can be solved with an -automatic- patch round or scheduled update. In OT however we are not this flexible and need to work with our vulnerable systems for a longer period, until the impact of the update is extensively tested. Even that does not have to be a problem either because we take additional security measures and protect the OT from threats from IT and internet.
But what if our additional security measures are not effective? Or if we have more vulnerabilities than for which we have designed mitigating controls? That is the real problem. The OT environment is left under-protected which causes business continuity and product quality to be at risk.
Statistics of we issues we find in an average OT environment show that no less than a third of the issues can be classified as high/critical risk. These are issues that need immediate attention.
If we breakdown these issues to their cause we get the following chart.
These ‘usual suspects’ are causing serious threat to your OT environment:
- systems and packages are missing security updates (33%)
- access control is failing. For example because of default passwords (admin:admin), hard-coded credentials and insecure remote access. (25%)
- misconfigurations and insecure services are present (10%)
- the network is not segmented properly and allowing unrestricted traffic (11%)
It is a huge task not only to know your vulnerabilities but also to understand the best way to solve them. This is the expertise of CR-Team and we can support you.
We will start with performing a full inventory of your OT environment, because: “We can not protect what we do not know”. After adding context and discussing what we found we will propose a security remediation plan. Through our structured project approach it will be clear who is responsible for the actions and when the end state is delivered.
Reach out to us if you want to know how we can help you.
A recent research paper about an ICS honeypot is great in several ways:
- It shows how easy it is to set up a fake company. These ‘companies’ can then be used for fraud and phishing (terminal spoofing for example) but also for malware distribution.
- You learn which vulnerabilities attract attackers.
- It describes perfectly how hackers exploit an exposed OT network.
- The impact of a hack becomes clear. Your OT network becomes compromised causing discontinuation of business.
The researchers make use of common design errors and configuration mistakes (vulnerabilities). The OT network design is incorrect leaving your critical network connected to the internet. If you allow remote access then make sure that the appropriate security controls are taken and that they are effective. Information like P&ID’s and network topologies are business confidential and must therefore not be shared through fileshares like Dropbox or sent to generic mailboxes. Information like this is gold in the hands of adversaries.
Contact us, we will be happy to explain how we can protect your IACS.
Read more about the research on the researchers website
Had a great day with colleagues from CR-Team and KH-Engineering at Emerson’s innovation day “Industry 4.0 in action”. They showcased some great developments and clearly develop their products with security in mind.
So, all good? Well between acquisition and actual implementation an awful lot can go wrong…
Make sure that shortcuts in architectural design and configuration and setup flaws don’t ruin your operations. We will be happy to advice about ISA99/IEC 62443, purdue and secure architecture principles. With our passive OT scan we can detect and remediate any vulnerabilities before the project goes live.
The International event ‘Cyber security for critical industries was on the 26th and 27th of March in Amsterdam. Interesting was the different approach in Europe for this matter. In these two days event people from different countries paid contributions to the presentations and discussions. The consultant of the Cyber Resilience Team was present and available for networking.
On the 29th of November 2018 our consultant Ewald Coenraad gave a awareness presentation about cyber security for Operational Technology (OT). Together with a speaker of DCMR, Ewald informed the members of Deltalinqs about the threats in the Industry and the relation with process safety. For more information about this presentation or how your company can be more resistant for cyber attacks? Please contact the Cyber Resilience Team via email@example.com.