Wednesday, October 25, 2017

More Industrial Control Network Problems - What I am reading 10/25/2017

The Register - Legacy kit, no antivirus, weak crypto. Yep. They're talking critical industrial networks

Traffic analysis on 375 industrial networks worldwide has confirmed the extent to which hackers target industrial control systems (ICS).
The study by CyberX also found that industrial networks are both connected to the internet and rife with vulnerabilities including legacy Windows boxes, plain-text passwords and a lack of antivirus protection.

  • 33% - Internet Connected
  • 75% - EOL'd OS running (i.e. XP or Win2K)
  • 50% - No AV protection
  • 60% - Weak Passwords or Plain Text Passwords
  • 50% - Rogue Devices
  • 20% - Wireless Access Points installed
  • 82% - Allow Remote Access via RDP, VNC, SSH

In response to the threat on industrial control systems, CyberX advises organisations to provide security awareness training for plant personnel and enforcing strong corporate policies to eliminate risky behaviours such as clicking links in emails, using USBs and laptops to transfer files to OT systems, and dual-homing devices between IT and OT networks.
Using compensating controls and multi-layered defences – such as continuous monitoring with behavioural anomaly detection — to provide early warnings of hackers inside your OT network, and the mitigation of critical vulnerabilities that might take years to fully remediate are also recommended.

This is an ongoing issue, it is expensive to replace the legacy equipment, especially when some of the applications may not be supported in new operating systems or the manufacturer of a particular widget has gone out of business and there is no easy solution for replacement.  Also in many cases the lack of passowrds or weak passwords is justified by a need for immediate access in the case of an emergency (an actual legitimate concern).  

Rogue devices, wireless access points, and remote access appear because of a need to align with business concerns and increase efficiency.  All we can do as security professionals or ICS experts (and I lay very tenuous claims to the first title and no claim to the second) is to provide the best advice we can to mitigate impacts.  

Business needs will always win unless you can show why it will cost the company more to implement the newest iOS app that allows you to shift load from Bumfuck Egypt than they would save by doing so.  This means good Risk Assessment and Business Impact Analysis.

ZDNet - Kaspersky admits to reaping hacking tools from NSA employee PC -

The way the story is written it is hard for me to pull a short money quote, but basically what Kaspersky is claiming is that the NSA employee had a pirated copy of MS Office installed.  This lead to the installation of a trojan.  When Kaspersky AV was turned on it detected the trojan and the code the NSA employee was working on and sent them both to Kasperky for analysis.  Kaspersky says once the realized what was detected it was deleted and not shared with anyone.

Post a Comment

There are No Secrets (James Mickens)