
First Watch® will protect water, energy and other infrastructure companies from industrial ransomware

Beyond being scary, inconvenient and expensive, the ransomware attacks that have hit New Zealand to date – from Lion to Fisher & Paykel Appliances to the Reserve Bank to the Waikato DHB – have all had one thing in common.

The hackers have targeted an organisation’s IT systems, Dr Simon Lovatt said. That is, the computers that control the likes of ordering and management systems.

But Lovatt said it is only a matter of time before hackers infiltrate infrastructure and manufacturing systems with potentially dire consequences.

The startup Lovatt chairs, First Watch, has designed a cyber security system to protect vital infrastructure like electricity lines and waste water systems, plus major manufacturing facilities, from cyber attacks.

He said it could save those running critical infrastructure from paying millions in ransom to hackers – as Colonial Pipeline in the US just experienced in a May cyber-attack that led to a regional emergency declaration for 17 states and Washington, D.C. to keep fuel supply lines open – or people suffering days or weeks of disruption to the likes of power or wastewater as industrial control systems are reset and restored.

The industrial control systems used to run the likes of dams and gas lines often look like they’re from the set of a 1950s movie, but they work – and they’ve had the tremendous cyber-security benefit that they were developed in pre-internet times. They’re standalone, and offline. Or, they were.

In the age of cloud computing, infrastructure control systems are increasingly being connected to other systems like accounting and ERP, and through those, to the internet.

“It all makes great sense from an efficiency perspective,” Lovatt said. “But at the same time, it’s making things more vulnerable.” Many have already digitised and connected control systems to the internet. Within a couple of years, it will be common.

Already, control systems for hydroelectric power plants in the US and Norway have been compromised, along with those of multinational beef producer JBS until it paid a US$11m ransom.

First Watch was born out of research at Waikato University, and has been spun out of the varsity’s commercialisation arm, WaikatoLink (of which Lovatt is a director), with support from KiwiNet, which helps to commercialise research and development from universities and Crown Research Institutes.

WaikatoLink has a minority stake in First Watch, and most shares are held by the startup’s commercial partner, the Hamilton-based CTEK Combined Technologies – the largest locally owned installer of industrial control systems.

First Watch’s launch comes as companies are increasingly faced with paying millions of dollars in ransom to cyber attackers.

Pilots have recently been completed with a local wastewater utility and a major manufacturing industry player, and Lovatt said First Watch is now in discussions with various NZ water and energy companies, as well as other manufacturing companies.

Potential clients in Australia, the US and Southeast Asia are also in talks, Lovatt said, and the Government Communications Security Bureau (GCSB) has been monitoring developments and is in discussions with First Watch over its technology, too.

He does concede that First Watch is not the first to this party, however.

“There are quite a number of competitors,” the chairman said.

“They have two major strategies: protecting the periphery of a company and stopping the bad guys from getting in, or monitoring traffic to detect suspicious activity inside the network.

“But sufficiently persistent attackers will always get in eventually so protecting the periphery is no good, and monitoring network activity throws up lots of time-consuming false positives.”

First Watch’s system loads a generic piece of security hardware with its custom software.

“Our approach locks down the core of a control system, thereby making it essentially impossible for the system to do anything other than what it was originally intended to do.

“It also makes it more difficult for a legitimate user to make a change to the system. But our pilot customers think that that’s a worthwhile trade-off.”

He elaborates. “First Watch was designed to work at the core of an industrial control system creating a zero-trust environment, scanning for any data that should not be on the system and refusing to respond to it.

“It stops the system doing anything different than its day-to-day operations unless any new directions are fully and properly authenticated.”

The system was also designed to take a complete inventory of all assets on a network and identify any that have not been updated or pose a risk.

“That’s important because staff might connect to the system from a laptop at home and unknowingly introduce a virus,” Lovatt said.

Colonial Pipeline attack shows threat is real

Brett Callow, a threat analyst with Emsisoft, an NZ-based company that helps victims decrypt systems hit by ransomware, agrees that the threat to critical infrastructure is ominous and growing.

“As the Colonial Pipeline incident demonstrated, ransomware represents a very real risk to operational technology and industrial control systems,” he tells the Herald.

“Even if ICS is not specifically targeted in a particular attack, it may nonetheless be impacted. Organisations, especially critical infrastructure providers, should ensure that best practices have been rigidly adhered to and that OT [operational technology] and IT are segmented.

“Organisations should also plan for the worst and ensure ICS can continue to be operated in the event of IT being compromised and unavailable,” Callow said.

Cyber-sleuth challenge

The tech skills squeeze is an ongoing problem for all NZ tech companies, First Watch’s Lovatt said.

To help top up the funnel and get more people interested in the industry, Waikato University is staging the NZ Cyber Security challenge this weekend, with support from the NZ Police cybercrime unit and private security companies Endace, Insomnia and Security Lit.

Around 150 contestants will try to solve a series of puzzles – no deep cybersecurity knowledge required – with the winner taking away a $1000 prize.

Registration (now closed) was open to all-comers, from secondary school and varsity students to anyone interested in trying their hand as a cybersleuth.

By Chris Keall

Business writer, NZ Herald


Cyber security in the age of Industry 4.0

The fourth industrial revolution, also known as Industry 4.0, refers to the ongoing automation of traditional manufacturing and industrial practices, using modern smart technology that has the potential to analyse and diagnose issues without the need for human intervention. The interconnected nature of Industry 4.0-driven operations, along with the acceleration of digital transformation initiatives, has increased cyber security risks, and Utility spoke to Professor Ryan Ko, Chair and Director of Cyber Security at the University of Queensland, about how utilities can effectively prevent and mitigate cyber attacks.


According to Professor Ko, cyber attacks are increasing at a rate never experienced before and will continue to rise.

“For example, on a global scale, there is a new and unique malware created every half a second. On the other hand, most of the cyber response and threat intelligence mechanisms are manual based,” Professor Ko said.

“Evidently, the scale and volume of emerging new threats in comparison to the inadequate speed and effectiveness of responses means that the cyber criminals actually have an upper hand.”


Professor Ko explained that two types of malware are pertinent to utilities.

“The first type of malware would be ransomware, which results in infected computing systems getting ‘locked’ cryptographically, resulting in no user access to important systems and files until a ransom is paid to the criminals,” Professor Ko said.

“Today, ransomware infects computers mostly via two avenues: phishing emails or data breaches. While phishing-based ransomware is well-known to the public, the more recent and large-scale attacks on prominent critical infrastructure mostly stem from data breaches, where organisations’ logins and passwords were previously leaked online by hackers, and are reused by ransomware criminals in an attempt to gain access to key systems.

“This is why a regular change of passwords and the use of multi-factor authentication is encouraged.

“The second type is malware that targets Operational Technology (OT) equipment such as programmable logic controllers (PLC) or human-machine interfaces (HMI), or network (or internet) connections to this OT equipment.

“This type of malware aims to affect the integrity and availability of the data and signals. An example would be the Stuxnet malware discovered in 2010, which resulted in the Iranian nuclear enrichment control equipment being slowed down without getting detected – damaging the nuclear program of Iran.

“While not every system runs nuclear facilities, the types of control equipment affected are also the same types which control other critical infrastructure such as utilities.

“In the past two decades, we have seen an increase in remote management of control systems located across multiple plants or sites, and with that convenience comes the ability for hackers to access these systems via the internet.

“Since most OT configurations and on-site setups are performed by integrators, contractors or automation or control engineers who are not trained in cyber security awareness or expertise, utilities can be configured for remote site management with little consideration for cyber security threats (e.g. no password protection or plaintext data sent between systems).”

Utilities are prime targets for attacks as they are vital for essential services and are highly sensitive to business continuity risks. Professor Ko commented that for every cyber threat, it is important to consider the actor, motivation and vulnerabilities of the system.

“For example, OT malware is usually launched by opportunistic cyber criminals targeting large organisations one at a time, or worse, nation states which aim to control other nations’ critical infrastructure. In 2015, cyber attacks caused power cuts to parts of the Ukrainian capital Kiev, and in 2016, similar attacks were repeated.”

Robust cyber security became more important than ever during the COVID-19 pandemic, with the need for physical distancing accelerating utility digital transformation strategies and priorities, as well as amplifying the risk and security threats related to remote working.

With levels of remote working likely to remain higher than they were pre-COVID, utilities may need to ‘reset’ some of their cyber security protocols and policies.

“With the increase in work-from-home arrangements, the attack surfaces criminals can get access to have massively expanded. Most employees do not really focus on, or are unaware of, how to achieve enterprise-level security at their homes,” Professor Ko said.

“At the same time, employers have no rights to access or ensure that the employees’ home broadband networks are secure to the level of the organisations’ baselines or policies. This introduces a grey area of cyber security responsibilities – which cyber criminals would thrive on.

“As such, companies need to ensure that the staff remotely managing sites or critical information have the appropriate technical support and advice about protecting all aspects of their work-from-home environment.

“Utilities should also consider conducting a thorough security and risk assessment of their current IT and OT environments, and how these environments are remotely managed. The exercise will reveal potential areas of vulnerabilities, and utilities can then address the vulnerabilities directly.

“If required, utilities could offer to help to secure the home networks of the key roles/employees managing assets remotely, or set strict policies and restrictions around access. There should also be cyber awareness campaigns targeted at all utility staff about the dangers of phishing, account compromise and many other threats – with an aim of improving their ‘cyber hygiene’.”

Developing new techniques for detecting vulnerabilities

Professor Ko is leading the research on cyber resilient energy systems as part of a new Industry 4.0 Energy TestLab facility at the University of Queensland (UQ).

Launched in November 2020, the UQ Industry 4.0 Energy TestLab – established in partnership with Siemens and with funding support from the Australian Government – will enhance global knowledge on electricity networks by focusing on power and energy system analytics, microgrid control, energy management and cyber-physical systems security.

“The Industry 4.0 UQ Energy Testlab provides a ‘digital twin’ for researchers, the industry and the government to research cyber and energy resilience challenges, and develop training material for collaborating partners,” Professor Ko said.

“This is made possible as UQ, with its energy neutrality goals, is one of the few universities in the world which has a full range of renewable energy generation (e.g. solar farms at Warwick and Gatton), digitised building management systems, a large array of Tesla batteries and the range of energy equipment at the TestLab.

“The combination of the energy supply and consumption scenarios across UQ’s campuses (e.g. lecture theatres, offices, student accommodation) offer a simulation of smart cities.

“As a digital twin, the UQ Energy TestLab provides Australian researchers with a platform to conduct experiments and invent new cyber security techniques without needing to affect any actual operating utilities or plants.

“This TestLab also trains a new generation of cyber experts who have the abilities and knowledge to protect critical infrastructure, and empowers evidence-based policy making in the energy space.

“In the first few months since the TestLab’s establishment, our researchers have already discovered and reported critical infrastructure vulnerabilities to vendors and integrators, and developed novel techniques for automated vulnerability detection.”

The UQ facility is part of a national network of Industry 4.0 TestLabs, which came about through the strategy and work of the Industry 4.0 Task Force. The six Australian universities aim to provide industries and businesses the support needed to transition and benefit from opportunities presented by the fourth industrial revolution.

Each university Industry 4.0 TestLab has a different focus area to help build complementary capability for Australia.

Professor Ko said that critical infrastructure cyber autonomy and automation – which involves teaching computers how to discover their own vulnerabilities and automatically patch or heal themselves – is the main research priority at the UQ Energy TestLab.

“This is logical since most cyber attacks are automated by criminals or state actors,” Professor Ko said.

“Since 2017, many security vendors have been introducing network automation programs with existing security information and event management (SIEM) tools as cyber autonomy. Others would label security ‘playbooks’ – hardcoded heuristics which script responses according to triggers or a combination of triggers – as automation.

“An example of a ‘playbook’ would be a pre-programmed workflow of actions responding to a variety of cyber-attacks (e.g. a response to a denial of service attack or a network port scan by an unknown source). However, these examples are still a distance from the true potential and vision for cyber autonomy.

“The ‘holy grail’ for cyber autonomy is that we can deter attacks and patch vulnerable computing systems in real time, at scale and without disruption to normal operation.

“The crux of this is the assumption that a computing system handles abstract and virtual executions, and hence has fewer physical limitations and boundaries for dynamic remediation.

“However, from a practical implementation viewpoint, this assumption does not hold strong ground. Software systems, particularly those running critical infrastructure, emergency services and 24/7 manufacturing, have very complex dependencies, and do not have the luxury to be turned off and patched during downtime due to their operational demands. For example, the software running a nuclear power plant should not be shut down abruptly.

“The dilemma between the need to patch system vulnerabilities and the need to maintain business or operational continuity also places pressure on software migration processes.

“Software migration (or modernisation) is the current practice of modernising software to a newer version. The interdependency of processes and software makes this a challenging change management process.

“Proponents of cyber autonomy would argue that with cyber autonomy, the need for systems (in particular, critical infrastructure systems) to be modernised would be reduced since the self-healing aspects of cyber autonomy will address vulnerabilities without disrupting business-as-usual.

“Clearly, there are still a lot of research challenges which need to be addressed before we achieve the true vision of cyber autonomy.”

An evolving threat landscape

To improve their cyber security capabilities and better withstand attacks, utilities need to prioritise security as a top business continuity risk, and ensure buy-in at the board and senior executive level.

Professor Ko explained that board members and senior executives need to understand that cyber threats are not just a concern for the technical colleagues in their organisations, but are the responsibility of all utility employees.

“A top-level focus will allow the utilities to implement thorough security protections, policies and increase investment into appropriate tools such as multi-factor authentication.

“Utilities should also consider the potential threat landscape in the next three to five years by actively engaging with cyber security computer scientists to understand emerging threats. They should work together on research that generates innovations which discover both known and unknown threats, before engaging vendors.

“There are several commonwealth and state government grants to seed such research. From time to time, they should also perform ‘red-teaming’ on their organisations, where a number of their employees attempt to identify policy, process and technology loopholes in their organisations.”

Cyber security is constantly evolving as new threats emerge. To better monitor and adapt to short- and long-term security trends, Professor Ko said that utilities must work with government agencies, such as the Australian Cyber Security Centre, and trusted vendors to develop a threat intelligence and information sharing program.

“They can also join incident response not-for-profit organisations such as AusCERT (Australian Cyber Emergency Response Team) as a member, and obtain threat intelligence and technical assistance,” Professor Ko said.

“It is also important that utilities monitor the statistics of top threats detected, and attempt to mitigate these threats using the Pareto principle. All stakeholders within the utility sector should also be holding sector-wide tabletop and simulation exercises to raise awareness and build information exchange opportunities.”
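The two ideas Professor Ko describes above, a hard-coded ‘playbook’ that scripts a response per trigger (a port scan from an unknown source, a denial of service, a phishing wave) and a Pareto cut over the statistics of detected threats, are illustrated together in the following added example. It is not code from the article, from UQ or from any SIEM vendor: the alert lines, host names, user names and category labels are all constructed for the example, the key=value line shape is a stand-in for whatever a real SIEM exports, and the “actions” are only recorded as strings rather than executed.

```python
"""Added illustration: a minimal SOC playbook (trigger -> scripted response)
run over constructed SIEM-style alert lines, then a Pareto cut that picks the
smallest set of threat categories accounting for 80% of detections."""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed alert lines (not a real SIEM format): ten detections in one morning.
SAMPLE_ALERTS = """\
ts=2021-06-01T08:00:01Z cat=portscan src=203.0.113.7 dst=10.0.0.5 ports=120
ts=2021-06-01T08:00:09Z cat=phish src=mail dst=user17 subject="Invoice overdue"
ts=2021-06-01T08:01:44Z cat=dos src=198.51.100.9 dst=10.0.0.5 pps=95000
ts=2021-06-01T08:02:10Z cat=phish src=mail dst=user22 subject="Password reset"
ts=2021-06-01T08:02:31Z cat=phish src=mail dst=user03 subject="Shared file"
ts=2021-06-01T08:03:05Z cat=portscan src=203.0.113.7 dst=10.0.0.6 ports=30
ts=2021-06-01T08:04:00Z cat=cred_reuse src=203.0.113.44 dst=vpn user=admin
ts=2021-06-01T08:05:12Z cat=phish src=mail dst=user09 subject="DocuSign"
ts=2021-06-01T08:06:40Z cat=portscan src=192.0.2.18 dst=10.0.0.7 ports=8
ts=2021-06-01T08:07:02Z cat=dos src=198.51.100.9 dst=10.0.0.8 pps=60000
"""

# key=value pairs; a value may be a double-quoted string containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed set of accounts whose compromise pages the on-call analyst.
PRIVILEGED_USERS = {"admin", "svc_backup"}


def parse_alert(line):
    """Turn one key=value alert line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class Decision:
    category: str   # threat category the alert carried
    rule: str       # which playbook entry fired
    actions: list   # scripted responses, recorded rather than executed


def run_playbook(alert):
    """Hard-coded heuristics: each trigger (or trigger combination) maps to actions."""
    cat = alert.get("cat")
    if cat == "portscan":
        # Trigger combination: a wide scan (many ports) warrants blocking the source.
        if int(alert.get("ports", "0")) >= 50:
            return Decision(cat, "portscan-wide", ["block_src:" + alert["src"], "notify_soc"])
        return Decision(cat, "portscan-low", ["log_only"])
    if cat == "dos":
        return Decision(cat, "dos-volumetric", ["rate_limit_dst:" + alert["dst"], "page_oncall"])
    if cat == "phish":
        return Decision(cat, "phish-inbound", ["quarantine_mail", "notify_user:" + alert["dst"]])
    if cat == "cred_reuse":
        # Leaked credentials reused against the VPN: reset and enforce MFA; escalate for admins.
        actions = ["force_password_reset:" + alert["user"], "require_mfa"]
        if alert["user"] in PRIVILEGED_USERS:
            actions.append("page_oncall")
        return Decision(cat, "cred-reuse", actions)
    # Anything the playbook has no entry for still needs a human.
    return Decision(cat or "unknown", "no-rule", ["escalate_to_analyst"])


def process(log_text):
    """Run the playbook over every non-empty alert line, in order."""
    return [run_playbook(parse_alert(line)) for line in log_text.splitlines() if line.strip()]


def pareto_cut(decisions, share=0.8):
    """Return the top categories, most frequent first, until they cover `share` of alerts."""
    counts = Counter(d.category for d in decisions)
    total = sum(counts.values())
    chosen, running = [], 0
    for category, n in counts.most_common():
        chosen.append(category)
        running += n
        if running / total >= share:
            break
    return chosen


if __name__ == "__main__":
    decisions = process(SAMPLE_ALERTS)
    for d in decisions:
        print(f"{d.category:<11} {d.rule:<16} {', '.join(d.actions)}")
    print("Pareto focus:", pareto_cut(decisions))
```

On the constructed sample the Pareto cut returns phishing, port scans and denial of service in that order (4 + 3 + 2 of 10 alerts), which is the list a utility would take to its mitigation planning first. The `no-rule` fallback is deliberate: a playbook that silently drops unmatched triggers is the failure mode Professor Ko alludes to when he calls such scripts a distance from true cyber autonomy.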



An Analytics Framework for Heuristic Inference Attacks against Industrial Control Systems

Industrial control systems (ICS) of critical infrastructure are increasingly connected to the Internet for remote site management at scale. However, cyber attacks against ICS – especially at the communication channels between human-machine interfaces (HMIs) and programmable logic controllers (PLCs) – are increasing at a rate which outstrips the rate of mitigation.

In this paper, we introduce a vendor-agnostic analytics framework which allows security researchers to analyse attacks against ICS systems, even if the researchers have zero control automation domain knowledge or are faced with a myriad of heterogeneous ICS systems. Unlike existing works that require expertise in domain knowledge and specialised tool usage, our analytics framework does not require prior knowledge about ICS communication protocols, PLCs, or expertise in any network penetration testing tool.

Using ‘digital twin’ scenarios comprising industry-representative HMIs, PLCs and firewalls in our test lab, our framework’s steps were demonstrated to successfully implement a stealthy deception attack based on false data injection attacks (FDIA). Furthermore, our framework also demonstrated the relative ease of attack dataset collection, and the ability to leverage well-known penetration testing tools. We also introduce the concept of ‘heuristic inference attacks’, a new family of attack types on ICS which is agnostic to the PLC and HMI brands/models commonly deployed in ICS.

Our experiments were also validated on a separate ICS dataset collected from a cyber-physical scenario of water utilities. Finally, we utilized time complexity theory to estimate the difficulty for the attacker to conduct the proposed packet analyses, and recommended countermeasures based on our findings.

Index Terms—Industrial control system (ICS) security, critical infrastructure, security analytics framework, Man-in-the-Middle attacks, PLC security, cybersecurity, cyber resilience, Operational Technology (OT)



The Evolving face of modern Network Security

Over the past decade or two, an inevitable digital transformation shift has meant that organisations of various sizes and capacities have started storing assets and information digitally and are now reliant on a plethora of servers and applications to keep their business up and running. The presence of bespoke business applications and systems like Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), financial and accounting, and Industrial Control Systems has seen exponential growth. With companies now moving at pace towards this technological excellence to maximise business outcomes, cyber-attacks have also surged, with well-resourced bad actors threatening not only to steal sensitive information but also to permanently delete or expose it. Attackers have become incredibly adept at exploiting vulnerabilities and shortcomings in modern system and application designs.

The most common cyber-attacks, like malware (trojans, viruses and ransomware), phishing, drive-by attacks, DoS/DDoS, XSS etc., target vulnerable systems and users and threaten to steal, expose or delete sensitive information such as financial information, credit card details and user account credentials, log keystrokes, and even take remote control of a victim’s computer.

For an organisation that has hundreds of users and systems relying on the internet to function, and is spread across multiple locations, the prospect of a cyber-attack can be even more devastating.

Hence, it is pivotal for all organisations to invest in and focus on cyber security practices to prevent mishaps in the future. One of the most effective ways a company can do that is by using network firewalls.

A firewall forms the first and the most important line of defence by constantly screening all incoming and outgoing internet connections and filtering out any malicious requests or connections. Most “Next Gen Firewalls” (aka NGFW) now come pre-built with capabilities to handle specific cyber security controls like Intrusion Prevention and Detection (IPS/IDS), Security Zones, Application and Web Filtering etc.

Some of the capabilities of a modern-day firewall (like FortiGate) are –

1.    Intrusion Prevention and Intrusion Detection: This module or “blade” uses signature-based sensors to detect traffic type and distinguish legitimate traffic from potential cyber-threats and zero-day attacks. Fortinet’s Threat Intelligence database has thousands of logged signatures of all known and unknown vulnerabilities and threats. In addition to preventing zero-day attacks, an IPS blade can help prevent attacks like DoS, brute force attacks and vulnerability exploits on unpatched and outdated systems and applications.

2.    Application Control: Unlike traditional firewalls that only monitor source and destination IP address and port numbers, NGFW firewalls can identify applications like remote access (TeamViewer, VNC), video streaming (YouTube, Netflix), proxies, torrent engines etc. Using an extensive application database, Fortinet blocks access to and from risky applications like keyloggers, miners, unauthorised remote control, etc.

3.    Web Filtering: This blade is responsible for preventing access to untrusted and malicious websites on the internet. As malicious webpages and insecure web connections have become one of the first vectors for initiating cyber-attacks, knowing which websites/pages not to visit becomes a challenge. Fortunately, a good firewall’s Threat Intelligence database holds the vast majority of known malware download sources, which can be enforced using the Web Filtering blade, thereby preventing malware-related attacks such as ransomware.

4.    Deep Packet Inspection (DPI): As most cyber attacks have evolved from using less secure, unencrypted channels and now exploit vulnerabilities over HTTPS, the conventional approach of only assessing HTTP traffic is obsolete and it becomes imperative to also screen HTTPS traffic. With Deep Packet Inspection, also known as packet sniffing, firewalls examine the content of data packets and determine how to handle threats they come across. DPI can actively prevent malware spread and data loss.
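The difference between a traditional port-based rule and the application-aware and web-filtering checks in the list above is easiest to see on concrete flows. The following is an added example, not code from the post and not Fortinet software: a toy policy engine where every flow already carries the application label and URL category a real NGFW would derive from traffic signatures and its threat intelligence database (that identification step is exactly what is not modelled here). Zone names, the risky-app and URL-category denylists and the sample flows are all constructed.

```python
"""Added illustration: a port-only rule beside an NGFW-style rule that adds
application control and web filtering. Labels on each flow are assumed to have
been produced by the firewall's own identification engine (not modelled)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str       # security zone the connection comes from (constructed: "lan"/"wan")
    dst_zone: str       # security zone it is going to
    dst_port: int       # destination TCP port
    app: str            # application identified by the NGFW (constructed label)
    url_category: str   # web-filter category of the destination, "" when not a web request


# Constructed denylists standing in for an application database and URL categories.
RISKY_APPS = {"keylogger", "cryptominer", "remote-control"}
BLOCKED_URL_CATEGORIES = {"malware-download", "phishing"}


def port_only_rule(flow):
    """Traditional L4 policy: LAN -> WAN on the web ports is allowed, nothing else is."""
    return flow.src_zone == "lan" and flow.dst_zone == "wan" and flow.dst_port in (80, 443)


def ngfw_rule(flow):
    """Same zone/port match first; then application control and web filtering can still deny."""
    if not port_only_rule(flow):
        return "deny:policy"
    if flow.app in RISKY_APPS:
        return "deny:app-control"
    if flow.url_category in BLOCKED_URL_CATEGORIES:
        return "deny:web-filter"
    return "allow"


# Constructed flows: the middle two look identical to a port-only firewall.
SAMPLE_FLOWS = [
    Flow("lan", "wan", 443, "browser", "news"),
    Flow("lan", "wan", 443, "remote-control", ""),      # remote-control tool tunnelling over 443
    Flow("lan", "wan", 80, "browser", "malware-download"),
    Flow("lan", "wan", 22, "ssh", ""),
    Flow("wan", "lan", 443, "browser", ""),             # inbound, never matched by the policy
]


def compare(flows):
    """For each flow, the verdict of the port-only rule beside the NGFW verdict."""
    return [
        (f.app, "allow" if port_only_rule(f) else "deny:policy", ngfw_rule(f))
        for f in flows
    ]


if __name__ == "__main__":
    for app, l4, ngfw in compare(SAMPLE_FLOWS):
        print(f"{app:<16} port-only={l4:<12} ngfw={ngfw}")
```

The two flows that a port-only policy passes but the NGFW rule denies are the point of the example: an unauthorised remote-control tool and a malware download both ride on ports 443 and 80, so only a policy that looks at what the traffic is, rather than where it is going, can separate them from ordinary browsing. In a real deployment that inspection of HTTPS flows is what requires the DPI capability listed above.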

As the threat landscape rapidly expands due to co-location and multi-cloud adoption, failure to offer protection at scale can not only lead to a weak security posture but can jeopardise key business assets and bring an organisation to its knees. By investing in the right cyber security measures, companies can move at pace and expand demand with the peace of mind that comes with identifying and safeguarding against the potent threats out in the wild.


Cyber Security in the OT Environment – a brief history

The OT environment started as a standalone piece of machinery being connected to a network so that devices could be connected remotely, reducing wiring cost and control cabinet size. It allowed machine manufacturers to be more flexible.

The networks were ControlNet (open industrial network or fieldbus, Rockwell), DeviceNet (common industrial protocol, Rockwell), Modbus (data communication protocol, Schneider), Data Highway (local area network, Rockwell), Profibus (process field bus, Siemens), CAN bus (controller area network, Bosch) and HART (highway addressable remote transducer, Rosemount).

Special communications modules were mounted on the main PLC chassis and, using one, two or more cores, could connect to other devices remotely from the main process cabinet. You needed specialist software to connect to the communications modules and configure them with a mapping address using node addressing. That is to say, each device on the network was allocated a node number to identify it from other devices on the network.

Input/Output, drive and instrument manufacturers started to offer devices to connect to these new networks, but they were still a single network attached to a piece of equipment. You could not access these networks remotely; you had to be connected to the network controller card using specialist software to see anything. One network was not compatible with another, so you could not connect a ControlNet to a DeviceNet, etc.

The next jump was converters which allowed you to connect these networks to each other. There was an explosion of networks and equipment being able to be connected to each other and whole factories connected to a network. This started a revolution in data collection but still not connected to the outside world.

Then came the internet with the Ethernet network. This then started new networks like EtherNet/IP, PROFINET and Modbus TCP/IP.

This new revolution allowed the old equipment to be connected to the internet for both data collection and remote control because of our increased need for information, production improvement and automation.

Now all network modules and remote devices had their own web interface page where you could remotely access information about the devices.

Little did we know what a monster we were creating, ripe for the picking.

About five years ago we started to see cyber security being applied to these networks and devices to prevent or reduce remote access to these devices on the various networks by external adversaries.

PLCs started to have password-protected access, removal of web interface pages and other efforts to reduce potential attacks from outside the organisation.