
Pharmaceuticals Like Johnson & Johnson Are Experiencing Daily Cyber Attacks From Nation State Attackers

With each passing day, the number of security risks across the cyber attack surface keeps growing. Every organization can easily fall victim to the next cyber threat, but recently the pharmaceutical industry has become a prime target.

The increasing number of attacks on pharmaceutical organizations is due to the ongoing COVID-19 vaccine development and distribution, and this has made the pharmaceutical sector the most attractive industry for cybercriminals. A successful vaccine has become one of the most valuable pieces of intellectual property for cyber attackers. Beyond the pharmaceutical formula itself, data from drug trials and testing has become a tempting target for nation-state attackers.

A recent example of pharmaceutical companies being attacked came when the Wall Street Journal reported that North Korean state attackers have targeted pharmaceutical companies in the U.S., including Johnson & Johnson. This prompted the Chief Information Security Officer at Johnson & Johnson to say in an interview that they are experiencing attacks from nation-state threat actors “every single minute of every single day.”

This tale isn’t new: in late 2010, North Korean threat actors reportedly targeted UK-based vaccine maker AstraZeneca, whose vaccine was co-developed with the University of Oxford. The attack method was spear phishing via social media, intending to deliver malware by offering AstraZeneca employees fake job offers.

The attack surface of pharmaceutical organizations will only continue to grow and the need for better cybersecurity will become more of a priority as more pharma companies will fall victim which could result in disastrous consequences.

Pharma A Prime Cyber Attack Target

The pharma industry is no stranger to being targeted by attackers. Pharmaceutical companies suffer more breaches than any other industry as a result of malicious activity, with an average breach resulting in a loss of over 5 million dollars according to the 2020 Cost of a Data Breach Report. Nation-state attackers are motivated to target pharmaceutical firms for financial profit, which was one of the main goals of the cybercriminal group that launched the reportedly North Korean government-sponsored attacks.

Cyber espionage is now being recognized as another influential reason for state-sponsored attackers attempting to gain technological advantage for their countries’ economies. The pharmaceutical industry’s key components are based on innovation with comprehensive R&D investments, intellectual property, and patented data. Anytime any data or property is affected or exploited by an attack it can result in devastating losses which can erode patient and consumer trust.

The 2019 attack on German drug conglomerate Bayer is an example of cyber espionage by a state-sponsored attack. Bayer fell victim to a cyberattack from the Chinese threat actor group known as Wicked Panda. The attackers used the Winnti malware, which makes it possible to access a system remotely and then pursue further exploits once in the system.

Pharmaceutical Intellectual Property: Attackers’ Favorite Target

Sensitive information and data are not the only attractive targets of pharma companies that hackers are looking to exploit and gain access to. Nation-state hackers have their eyes on a different prize, intellectual property. Protecting intellectual property has always been a priority for the pharmaceutical industry.

Pharmaceutical products are typically only protected by patent for seven years in the United States, and this data could help foreign generic drug manufacturers to be more ready for the expiration of the patent. For example, Chinese nation-state hackers are targeting US pharmaceutical companies to gather information and share it with Chinese companies to offer an advantage against their western competitors.

The years of research and development that go into new pharmaceuticals make their intellectual property an enticing target for hackers. Recent attacks have targeted intellectual property such as information related to the development of a vaccine or other medical mitigation measures.

Another risk that many pharmaceutical companies face is that the technology used in their manufacturing systems is much older than the internet, which leaves those systems extremely insecure. They were originally designed as ‘air-gapped’, or isolated, systems and were not built to withstand any cybersecurity attacks. For pharmaceutical companies, an attack of any size by an adversary can result in loss of productivity and loss of availability of physical devices. This can lead to safety issues, reputational damage, financial losses, and even death.

To fight off different attacks, and the possible exploitation of vulnerabilities, organizations and more specifically enterprises need to address the need to secure the crucial intellectual property while understanding which devices and technologies are at risk. This starts with increasing awareness of nation-state attacks and adopting a more proactive approach to cybersecurity.

What Pharmaceutical Firms Can Do

Pharmaceutical firms need to allocate the right amount of attention and resources to understand what they can do to protect the company’s data and system. The first step is understanding the different risks that come with pharmaceutical manufacturers and systems and what steps are needed to ensure better security.

With the increased attention and awareness of state-sponsored attacks over the past few years, pharmaceutical companies now understand the importance of implementing the right security practices when it comes to securing their IT and OT systems. As pharmaceutical manufacturers move forward digitally and continue to modernize their processes with more robotics and IoT technologies, they create new entry points for attackers to exploit and move laterally within an organization’s systems and servers.

In the past, most manufacturers were using stand-alone systems, but with the advancement of technology, they are increasing their connections to the internet to allow third-party contractors and vendors to gain access to work with their equipment. This has forced the security teams at pharmaceutical companies to change their approach to securing their product.

While not every pharmaceutical company has changed its security approach, there has been a massive increase in awareness which has led to changes in the industry. Some companies, like Taro and Rafa, have taken a more proactive approach when securing their connected OT environments with a passive network monitoring solution, specifically designed for OT environments. This has allowed them to have full visibility into their network, reduce the risk of operational downtime, improve their network security and comply with demanding industry regulations.

As pharmaceutical organizations continue to be on the radar for cyberattacks, now is the time to take action and detect and mitigate any risks. Having the right approach and strategy in place with the right blend of awareness and technology, pharmaceutical organizations can now implement the right approach to securing their data, servers, and intellectual property against cyber attacks.


How SCADAfence Discovered Targeted Ransomware In A Pharmaceutical Facility

SCADAfence’s Incident Response team recently assisted a large pharmaceutical company with an industrial cybersecurity emergency. This research has been published with the goal of assisting organizations to plan for such events and reduce the impact of targeted industrial ransomware in their networks.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Hackers Are Targeting Manufacturing With Targeted Ransomware and DDoS Attacks, and This Has Become the New Normal!!! SCADAfence’s High-End OT Network Security Solution Helps Address the Security Challenges of the Manufacturing Industry

With the rise of Industry 4.0, the Internet of Things (IoT) and the concept of smart manufacturing, industrial automation and intelligent manufacturing have introduced information and communication technology, so industrial production facilities, IoT, and critical industrial infrastructure have become the targets of a new wave of hacker attacks. In recent years, security incidents against ICS (Industrial Control Systems) have been frequent. The significant difference from IT (Information Technology) systems is that OT (Operational Technology) networks control critical national infrastructure (such as oil, water, and power plants). Given that more and more critical infrastructure relies on networked devices for control and operation, attacks against it are becoming ever more destructive, and in the future large-scale DDoS attacks, ransomware and APT campaigns arising from this will need to be guarded against. How to effectively perform security analysis and threat detection for OT networks, give early warning of malware attacks, and thereby provide effective protection information to prevent serious impact on critical infrastructure and the internet, has been the issue that enterprises, organizations and government agencies in every country have paid the most attention to in recent years. It is also listed as one of the important future security trends, and demand for industrial control security is expected to approach US$14 billion by 2022.

SCADAfence, exclusively distributed by Version 2 Limited, aims to ensure the operational continuity of industrial (ICS / SCADA) networks. It specializes in integrating the industrial IoT, analyzing and monitoring machine-to-machine connections in real time, and providing scalable network security solutions for production networks. By integrating detection visibility and response speed across IT and OT networks, it enables enterprises to respond more accurately than ever to all security incidents in IT and OT networks, and thereby gain an advantage in this cyber war. SCADAfence is already a partner of global multinational manufacturers such as Mitsubishi Electric and Siemens, and has been adopted by many customers worldwide in the pharmaceutical, chemical, food and beverage and automotive industries, with products highly rated by customers.

SCADAfence high-end OT network security solution: https://version-2.com/scadafence/


Takeaways From The Oldsmar Water Attack & What Security Leaders Can Do About It

Over the last few days, cybersecurity journalists and the ICS security community have been discussing the Oldsmar Florida water system cyber attack, almost ad nauseam. While many people have been talking about this “news” topic, we’ve actually been treating this issue with many of our customers over the past few years. In this post, I will explain what we’ve learned from this cyberattack, but most importantly, I will share how we’ve been busy solving these issues over the last few years with actual examples from our range of industrial cybersecurity products.


The Oldsmar Water Facility Attack

On February 5th, a hacker gained access to the water treatment system of Oldsmar, Florida, and hijacked the plant’s operational controls. He was able to temporarily drive up the sodium hydroxide content in the water to poisonous levels. The Oldsmar facility is the primary source of drinking water for the city’s 15,000 residents. Luckily, a plant operator was able to return the water to normal levels. The incident has nonetheless launched many conversations about the state of security in global critical infrastructure.


But that wasn’t the whole story. 

A security advisory released earlier this week by the state of Massachusetts’s Department of Environmental Protection referred to additional unsafe practices or behaviors at the Oldsmar water treatment plant that significantly increased the risk further. Like many other facilities of its kind, Oldsmar uses a SCADA (Supervisory Control And Data Acquisition) system that allows staff to monitor and control conditions within the facility. At the same time, the staff was using TeamViewer, a fairly common remote access program, which can be used to monitor and control systems within the SCADA network. Sadly, cybersecurity was not a priority for the facility, as is the case occasionally with critical infrastructure. Not only was the Oldsmar facility using Windows 7, an outdated operating system that is no longer supported by Microsoft, but all of their employees shared the same password to access TeamViewer. Additionally, the facility was connected directly to the internet without any type of firewall protection installed.


The Current Situation With Water Systems

In the United States alone, there are about 54,000 distinct drinking water systems. The vast majority of those systems serve fewer than 50,000 residents. They mainly rely on some type of remote access to monitor and/or administer their facilities. Many of these facilities are also unattended, underfunded, and do not have someone watching IT operations 24/7. Finally, many facilities have not separated their OT (operational technology) networks from the safety systems that are in place to detect intrusions or potentially dangerous changes by threat actors.

While the attempt was spotted and taken care of by a plant operator before it could do any damage, it raises questions about how serious a threat this sort of terrorist or nation-state action could be in the future.


Why Don’t We See More Stories Like This On The News?

So, despite how easy it is to find ways to remotely interact with such OT networks, we aren’t seeing more incidents like the one in Oldsmar making the news. One reason may be that these facilities don’t have to disclose such events right when they happen. Additionally, many companies, especially in the public sector, want to avoid bad publicity and do what they can to avoid having their company name smeared in cyber-attack news headlines. We’ve seen many companies, especially publicly traded companies, lose stock value and brand trust after a cyberattack.


But the main reason you don’t see more of these attacks on the news is that SCADAfence protects many of these critical infrastructure facilities. 


Over the last seven years, SCADAfence has been working with many critical infrastructure organizations, including water & wastewater facilities, to keep their OT networks safe. We do this by providing them with full network visibility and by accurately detecting any anomalous behavior and malicious activity, including anomalies that originate in remote access. We were ready for 2020 before remote access security became a necessity (due to the lockdowns), and it’s been paying dividends.



Here’s How SCADAfence Secures Water Treatment Facilities  

Let me show you a few key examples (with actual screenshots) of how we have prevented identical attacks over the last seven years for our customers.

  1. With the SCADAfence Platform’s continuous network monitoring, we have easily been able to detect any remote access into OT networks, specifically with detailed alerts for TeamViewer connections in OT networks.

  2. We also immediately alert on value-level changes once they pass a certain threshold, to prevent unauthorized changes or process manipulation. The platform is also flexible enough that users can create specific firewall-like rules for variables, such as this one: a “Sodium Hydroxide ppm Anomalous Value” alert. This will raise an alert in case the value of sodium hydroxide in the water exceeds a maximum value of (for example) 40 ppm (parts per million) or goes below 1 ppm.

  3. The SCADAfence Platform also provides visual exposure maps that can spot malicious activities weeks, or even months, in advance. At another similar incident (that didn’t hit the news), we monitored a water treatment facility during normal operations. As you can see in the screenshot below, there was no connectivity between the remote access group and the DMZ group.

     During an attack on the facility, the security team was immediately able to see new connections forming from the remote access group to the DMZ group and from the DMZ to the operator network group (see below). As soon as that alert was issued, the security team was notified of the change and the remote access connection was disconnected, stopping the attackers immediately.

  4. It’s really easy to set automated rules that will alert in case there is connectivity between specific network groups. In this case, we set an alert if there is a connection from the DMZ to the operator network, and a similar rule in case there is a connection from the remote access group to the DMZ group.

  5. This incident at Oldsmar highlights what we’ve been saying for years: remote access in OT networks is a big risk. And the thing is, remote access is not going away.

     The SCADAfence platform also provides security staff with the correlation between their users and their activities while performing remote work.

     In addition to alerts on anomalous or unauthorized actions in the OT network, the SCADAfence Platform provides security teams with the association details, including the user name, the originating workstation, and the application, to provide a holistic view into remote access activities, hop-to-hop.

  6. This also ties into the issue of compliance with industrial standards. SCADAfence offers a governance portal that enables operators to define compliance enforcement policies and continuously monitor compliance enforcement status for most ICS standards, frameworks, and regulations.
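The two kinds of rule described in the list above (a process-value threshold like the sodium hydroxide alert, and network-group connectivity rules such as remote access to DMZ and DMZ to operator network), written out as a small rules engine. This is an added example, not SCADAfence platform code; the event format, the group addressing and the sample events are constructed for illustration.

```python
"""Minimal OT monitoring rules: value thresholds and group-to-group connectivity.

Added example (not SCADAfence code). The network groups, addresses, event
format and sample events below are constructed assumptions.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ValueRule:
    name: str
    tag: str
    low: float   # alert when the reading drops below this
    high: float  # alert when the reading rises above this


@dataclass(frozen=True)
class ConnectivityRule:
    name: str
    src_group: str
    dst_group: str


# Assumed network groups (constructed addressing).
GROUPS = {
    "remote_access": ip_network("10.10.0.0/24"),
    "dmz": ip_network("10.20.0.0/24"),
    "operator": ip_network("10.30.0.0/24"),
}

# The example thresholds from the text: alert above 40 ppm or below 1 ppm.
VALUE_RULES = [
    ValueRule("Sodium Hydroxide ppm Anomalous Value", "naoh_ppm", 1.0, 40.0),
]

# Connections that should never appear during normal operations.
CONNECTIVITY_RULES = [
    ConnectivityRule("Remote access to DMZ connection", "remote_access", "dmz"),
    ConnectivityRule("DMZ to operator network connection", "dmz", "operator"),
]


def group_of(ip: str):
    """Map an address to its network group name, or None if unknown."""
    addr = ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return None


def evaluate(events):
    """Return a list of alert strings for a sequence of event dicts.

    Event kinds: {"kind": "value", "tag": ..., "value": ...}
                 {"kind": "flow", "src": ..., "dst": ..., "dport": ...}
    """
    alerts = []
    for ev in events:
        if ev["kind"] == "value":
            for rule in VALUE_RULES:
                if ev["tag"] != rule.tag:
                    continue
                v = float(ev["value"])
                if v < rule.low or v > rule.high:
                    alerts.append(f"{rule.name}: {ev['tag']}={v} "
                                  f"outside [{rule.low}, {rule.high}]")
        elif ev["kind"] == "flow":
            pair = (group_of(ev["src"]), group_of(ev["dst"]))
            for rule in CONNECTIVITY_RULES:
                if pair == (rule.src_group, rule.dst_group):
                    alerts.append(f"{rule.name}: {ev['src']} -> "
                                  f"{ev['dst']}:{ev['dport']}")
    return alerts


# Constructed telemetry: one normal reading, one benign operator-to-operator
# flow, then the attack pattern from the text (remote access -> DMZ ->
# operator network) followed by two out-of-range dosing values.
SAMPLE_EVENTS = [
    {"kind": "value", "tag": "naoh_ppm", "value": 12.5},
    {"kind": "flow", "src": "10.30.0.5", "dst": "10.30.0.9", "dport": 502},
    {"kind": "flow", "src": "10.10.0.7", "dst": "10.20.0.3", "dport": 3389},
    {"kind": "flow", "src": "10.20.0.3", "dst": "10.30.0.9", "dport": 3389},
    {"kind": "value", "tag": "naoh_ppm", "value": 1500.0},
    {"kind": "value", "tag": "naoh_ppm", "value": 0.2},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The threshold check is stateless, so a reading exactly at the limit (40.0 ppm) does not alert; a production rule would usually add rate-of-change and duplicate-suppression logic on top of this.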


Don’t Be Scared, Be Prepared

Many water & wastewater utilities are already using continuous network monitoring and remote access technologies to get visibility into their OT networks and keep their critical infrastructure networks secure. 

With this holistic approach of network monitoring, anomaly detection, remote access visibility, and compliance, many water & wastewater utilities are already reducing their risk level of future attacks by 95%.

The best part is that these solutions are all agentless, are not intrusive, and can perform superhuman tasks at a fraction of the cost of one human worker. 

If your organization is looking into securing their industrial networks, the experts at SCADAfence are seasoned veterans in this space and can show you how it’s done. 


To learn more about these products and see short product demos, click here: https://l.scadafence.com/demo



How You Should Prevent Ransomware Attacks On Your Industrial Networks

This Week, Ransomware Slams WestRock & Other Industrial Organizations

Earlier this week, the operations at $17 billion packaging firm WestRock were disrupted by a ransomware attack that impacted both its IT and OT (operational technology) networks. Two days later, a massive $27 billion chain operator Dairy Farm Group was also attacked by ransomware, with the attackers demanding a $30 million ransom. Those are just a sample of successful ransomware attacks from this week alone.

Since the outbreaks of the WannaCry & NotPetya ransomware attacks in 2017, we’ve been witnessing daily occurrences of attacks affecting OT networks that originated on the IT side. The U.S. National Security Agency (NSA) has also highlighted this issue, for one very simple reason: it works.

Ransomware Works

That’s the simplest way to explain why incidents of ransomware attacks have sharply increased over the last year — with no end in sight. The number of ransomware attacks has jumped by 350 percent since 2018, the average ransom payment increased by more than 100 percent this year, downtime is up by 200 percent and the average cost per incident is on the rise, according to a recent report from PurpleSec.

Threat actor groups with names such as Ryuk, Egregor, Conti, Ragnar Locker, and many others are ruthless, well-funded and are willing to target anyone; from COVID-19 vaccine manufacturers, automotive manufacturers, critical infrastructure, governments and hospitals to get their payday. In fact, the first ransomware related death happened this past September, when a German hospital was infected with ransomware and couldn’t treat patients during the Covid-19 outbreak.

As part of SCADAfence’s mission to protect the lives and safety of civilians, we’ve put together this guide to help you prevent ransomware in your industrial organization.

The Ransomware Encryption Process

Let’s go back to the beginning, and discuss how these attacks encrypt systems in the first place.

From the previous ransomware attacks we’ve researched, we learned that from the minute the attackers get initial access, they can encrypt the entire network in a matter of hours. In other cases attackers would spend more time in assessing which assets they want to encrypt and they’d make sure they get to key servers such as storage and application servers.

Most of the recent ransomware attacks you’re reading about in the news try to terminate antivirus processes to make sure that their encryption process will go uninterrupted. Recent ransomware variants such as SNAKE, DoppelPaymer and LockerGoga went even further by terminating OT-related processes like Siemens SIMATIC WinCC, Beckhoff TwinCAT, Kepware KEPServerEX, and the OPC communications protocol. This made sure the industrial process was interrupted, which increased the chances that the victims paid the ransom. These types of ransomware attacks were seen in the recent attacks on Honda and ExecuPharm.

OT Security Challenges with Ransomware

Diagram #1 – An OT Security Challenge: Industrial Components Exposed to Encryption

From what we’ve seen, ransomware generally encrypts Windows and Linux machines. We still haven’t seen any PLCs being encrypted. However, many industrial services are run on Windows / Linux machines – such as Historians, HMIs, Storage, Application Servers, Management Portals and OPC Client/Servers.

In many cases, ransomware operations would not stop in the IT network, and will also attack OT segments. More encrypted devices means a higher monetary ransom demand from the attackers.

Organizations must be able to monitor & detect threats across the IT/OT boundary in order to effectively identify risks before reaching process-critical end-points.

Ransomware Prevention in Industrial Networks

Diagram #2 – Ransomware Prevention: How You Can Prevent Ransomware Attacks On Your Industrial Networks 

Some of the tools and techniques that ransomware operators are using are on the same level that nation-state threat actors are using on targeted espionage campaigns.


Diagram #3 – Tactics, Techniques & Procedures most commonly used in Ransomware Attacks

We recommend that organizations practice these common security procedures to minimize their risk of ransomware infection on each step of the kill chain:

Initial Access:

  1. RDP
    1. If possible, replace RDP with a remote access solution that requires two-factor authentication, many VPNs now support that. This will require attackers to be verified by, for example, a code sent via SMS.
    2. If you choose to still use RDP, make sure its Windows Update is enabled and is working.
  2. Email Phishing
    1. Educate the organization’s employees about phishing attacks. Employees should be suspicious of emails that don’t seem right and not click on suspicious links.
    2. Install an Anti-Phishing solution.
  3. Software vulnerabilities of internet-facing servers
    1. Scan your organization’s IP range from outside the network. Verify that all exposed IP/ports are what you expect them to be.
    2. Make sure that automatic security updates are enabled for your exposed services. If one of your services (such as web servers, for example) does not have that feature, consider changing it to a similar one that has this feature.

Lateral Movement:

  1. Firewalls & Windows Update
    Enable firewalls on all of your workstations and servers. Make sure that Windows Update is enabled. This will ensure that your machines are patched for the latest vulnerabilities and will also be less prone to lateral movement techniques. Microsoft constantly updates their security policies and their firewall rules. One good example is that they disabled the remote creation of processes using the Task Scheduler ‘at’ command.
  2. Endpoint Protection
    Endpoint protection works. Beyond blocking classic hackers’ techniques, some products also have defenses against ransomware and will protect your assets from encryption.
  3. Network Segmentation
    Ideally, you would want to minimize the risk of your industrial network being impacted when suffering a ransomware attack.
    1. To the extent possible, separate the IT network from the OT network segment. Monitor and limit the access between the segments.
    2. Use different management servers for the OT and IT networks (Windows domains, etc.). By doing so, compromising the IT domain will not compromise the OT domain.
  4. Constant Network Monitoring
    A constant network monitoring platform (we happen to know a really good one) will help you identify threats while analyzing network traffic and will help you see the bigger picture of what’s happening in your network.
  5. Data Exfiltration
    Monitor your network for unusual outbound traffic. Everyday user activity should not generate uplink activity higher than about 200MB per day per user.
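Two of the checks in the procedure above, written out as code: comparing an external port scan of your IP range against the exposures you expect (initial access, item 3), and flagging users whose daily outbound volume exceeds the roughly 200MB/day guideline (lateral movement, item 5). This is an added example, not SCADAfence code; the scan results, the flow record format and the flow lines are constructed for illustration.

```python
"""External exposure diff and per-user daily uplink check.

Added example (not SCADAfence code). The observed/expected exposure sets,
the flow-record format and the sample flow lines are constructed.
"""

from collections import defaultdict
from datetime import datetime

# The guideline from the text: ~200MB of uplink per user per day.
EXFIL_THRESHOLD_BYTES = 200 * 1024 * 1024

# Constructed result of a scan run from outside the network: (ip, port, service).
OBSERVED_EXPOSURES = {
    ("203.0.113.10", 443, "https"),
    ("203.0.113.10", 3389, "ms-wbt-server"),  # RDP reachable from the internet
    ("203.0.113.11", 25, "smtp"),
}

# What the organization believes it exposes (constructed inventory).
EXPECTED_EXPOSURES = {
    ("203.0.113.10", 443, "https"),
    ("203.0.113.11", 25, "smtp"),
    ("203.0.113.12", 443, "https"),  # documented but not seen by the scan
}


def exposure_diff(observed, expected):
    """Return (unexpected, missing).

    unexpected: services reachable from outside that nobody planned for,
                each one a candidate initial-access path to investigate.
    missing:    planned exposures the scan did not see; usually a stale
                inventory, occasionally a host that is down.
    """
    return sorted(observed - expected), sorted(expected - observed)


# Constructed outbound flow records: "<ISO timestamp> <user> <bytes sent>".
FLOW_LOG = """\
2021-02-01T08:12:03 alice 15000000
2021-02-01T09:40:51 alice 12000000
2021-02-01T10:05:12 bob 52000000
2021-02-01T22:15:00 bob 180000000
2021-02-02T01:30:00 bob 90000000
2021-02-02T11:00:00 alice 9000000
"""


def parse_flows(text):
    """Yield (date, user, bytes) from the constructed flow format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, nbytes = line.split()
        yield datetime.fromisoformat(ts).date(), user, int(nbytes)


def daily_uplink_outliers(text, threshold=EXFIL_THRESHOLD_BYTES):
    """Sum uplink bytes per (user, day) and return those above the threshold."""
    totals = defaultdict(int)
    for day, user, nbytes in parse_flows(text):
        totals[(user, day)] += nbytes
    return sorted(
        (user, day.isoformat(), total)
        for (user, day), total in totals.items()
        if total > threshold
    )


if __name__ == "__main__":
    unexpected, missing = exposure_diff(OBSERVED_EXPOSURES, EXPECTED_EXPOSURES)
    print("unexpected exposures:", unexpected)
    print("missing exposures:", missing)
    print("uplink outliers:", daily_uplink_outliers(FLOW_LOG))
```

Note that the daily total is per calendar day, so a transfer split across midnight (as bob's is here) can stay under the threshold on each day; a sliding 24-hour window catches that case.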

How SCADAfence Helps You

We provide a comprehensive solution: the SCADAfence platform, which was built to protect industrial organizations like yours from industrial cyber attacks (including ransomware). It also helps you implement better security practices through its built-in features. Some of these include:

  • Asset Management
  • Network Maps
  • Traffic Analyzers

These tools will help your organization to implement better network segmentation, to make sure that your firewalls are functioning properly, and that every device in the OT network is communicating only with the ones that they should be communicating with. You will also be able to spot assets that are not where they’re supposed to be, for example, forgotten assets in the DMZ.

The platform, which is also the highest rated OT & IoT security platform, also monitors the network traffic for any threats, including ones that are found in typical ransomware attacks; such as:

  • Security exploits being sent across the network.
  • Lateral movement attempts using the latest techniques.
  • Network scanning and network reconnaissance.

In the event of a security breach, SCADAfence’s detailed alerts will help you to contain these threats as quickly as possible. Ultimately, we built this tool to help industrial organizations understand their attack surface, and to implement effective segmentation and constant network monitoring for any malicious or anomalous activity.

Video: The Anatomy of a Targeted Ransomware Attack:

We’d like to share with you a true story of a recent incident response to an industrial ransomware cyberattack. SCADAfence’s incident response team assists companies in cyber security emergencies. In this video, we will review a recent incident response activity in which we took part. This research has been published with the goal of assisting organizations to plan for such events and reduce the impact of targeted industrial ransomware in their networks.

For more detailed information on this story, we prepared a full whitepaper here: https://www.scadafence.com/resource/anatomy-of-a-targeted-ransomware-attack/

Additional credits: Yossi Reuven and Michael Yehoshua have also contributed to this comprehensive guide.


SCADAfence Researchers Discover a DoS Vulnerability in all of ABB’s AC500 V2 products

Our Researchers Discover Another Vulnerability

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

CVE-2020-24685 is a remote CPU DoS vulnerability, rated CVSS 8.6 (CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), discovered by SCADAfence researcher Yossi Reuven. All of ABB’s AC500 V2 products with onboard Ethernet are affected, including units running the latest firmware, v2.5.4.

ABB is one of the world’s leading electronics and electrical equipment manufacturers (holding a 19.2% share of the world DCS market), and its products are in use by many of our customers.

About The Vulnerability – CVE-2020-24685

The AC500 V2 Series is one of ABB’s PLC offerings, designed as a compact entry-level PLC for small applications. AC500 V2 communicates with Automation Builder (ABB’s engineering software package) through an ABB proprietary wrapper protocol that encapsulates the CoDeSys SDE protocol (which works over both TCP and UDP).

A single specially crafted packet sent by an attacker over the ABB protocol on port 1200 triggers a denial-of-service (DoS) condition. The PLC’s CPU enters fault mode, causing a hardware failure; the PLC then becomes unresponsive and requires a manual (physical) restart to recover. In addition, the underlying buffer overflow condition may allow remote code execution.

What SCADAfence Recommends Asset Owners To Do

Perform an Industrial Vulnerability Management Process

Please refer to our guide on this topic: https://www.scadafence.com/public-preview-a-comprehensive-guide-to-industrial-device-patching/

Monitor for Unauthorized Network Activity and Exploitation

Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.

Upgrade to the Latest Firmware

ABB has developed a new firmware version 2.8.5 fixing this vulnerability. This firmware version is released for the following affected PLC types:
* PM573-ETH
* PM583-ETH

Currently no firmware update is available for the other products in the AC500 V2 line. When ABB makes such a patch available, we recommend that asset owners consider upgrading.

Prevent Unauthorized and Untrusted Access

– Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.

– Use within a LAN and block access from untrusted networks and hosts through firewalls.
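The three recommendations above (know which devices are affected, upgrade the two models that have a fix, and watch port 1200 on the rest) can be turned into a small, repeatable check. The script below is an added example written for this post, not SCADAfence’s or ABB’s code. The only facts it takes from the advisory are the affected family, port 1200 over TCP and UDP, fixed firmware 2.8.5 and the two patched models; the inventory and flow record formats, IP addresses, the allowlist of engineering workstations and the placeholder model names are constructed assumptions.

```python
"""Exposure checks for CVE-2020-24685 (ABB AC500 V2), an added example.

Facts from the advisory: affected family AC500 V2, ABB wrapper protocol on
port 1200 (TCP and UDP), fixed firmware 2.8.5 released for PM573-ETH and
PM583-ETH. Everything else (record formats, IPs, placeholder model names,
the engineering-workstation allowlist) is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ABB_PROTOCOL_PORT = 1200                      # from the advisory
FIXED_FIRMWARE: Tuple[int, ...] = (2, 8, 5)   # firmware 2.8.5 fixes the issue
PATCHED_MODELS = {"PM573-ETH", "PM583-ETH"}   # the only models with a fix so far
AFFECTED_FAMILY = "AC500 V2"


def parse_version(text: str) -> Tuple[int, ...]:
    """'v2.5.4' -> (2, 5, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.lower().lstrip("v").split("."))


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    family: str
    model: str
    firmware: str


def assess_asset(asset: Asset) -> str:
    """Classify one PLC: not-affected, patched, patch-available or no-patch."""
    if asset.family != AFFECTED_FAMILY:
        return "not-affected"
    if asset.model in PATCHED_MODELS:
        if parse_version(asset.firmware) >= FIXED_FIRMWARE:
            return "patched"
        return "patch-available"
    # Rest of the AC500 V2 line: no fix yet, so only compensating controls apply.
    return "no-patch"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"; the wrapper protocol runs over both
    dport: int


def unauthorized_abb_flows(flows: Iterable[Flow], plc_ips: Set[str],
                           engineering_hosts: Set[str]) -> List[Flow]:
    """Flows that reach an affected PLC on port 1200 from a host that is not an
    approved engineering workstation. While devices stay unpatched, this is the
    early-warning signal the monitoring recommendation asks for."""
    return [f for f in flows
            if f.dport == ABB_PROTOCOL_PORT
            and f.proto in ("tcp", "udp")
            and f.dst in plc_ips
            and f.src not in engineering_hosts]


def run_demo() -> Dict[str, object]:
    # Constructed inventory and flow records (not real site data).
    assets = [
        Asset("PLC-A", "10.0.1.10", AFFECTED_FAMILY, "PM573-ETH", "v2.5.4"),
        Asset("PLC-B", "10.0.1.11", AFFECTED_FAMILY, "PM583-ETH", "v2.8.5"),
        Asset("PLC-C", "10.0.1.12", AFFECTED_FAMILY, "OTHER-AC500-V2-MODEL", "v2.5.4"),
        Asset("PLC-D", "10.0.1.20", "OTHER-FAMILY", "OTHER-MODEL", "1.0"),
    ]
    engineering_hosts = {"10.0.2.5"}   # the Automation Builder workstation
    flows = [
        Flow("10.0.2.5", "10.0.1.10", "tcp", 1200),   # approved engineering traffic
        Flow("10.0.2.99", "10.0.1.10", "tcp", 1200),  # unknown host -> alert
        Flow("10.0.2.99", "10.0.1.12", "udp", 1200),  # unknown host over UDP -> alert
        Flow("10.0.2.99", "10.0.1.10", "tcp", 502),   # other port, out of scope here
        Flow("10.0.2.99", "10.0.3.7", "tcp", 1200),   # not an affected PLC, ignored
    ]
    plc_ips = {a.ip for a in assets if assess_asset(a) != "not-affected"}
    status = {a.name: assess_asset(a) for a in assets}
    alerts = unauthorized_abb_flows(flows, plc_ips, engineering_hosts)
    return {"status": status, "alerts": alerts}


if __name__ == "__main__":
    result = run_demo()
    for name, state in result["status"].items():
        print(f"{name}: {state}")
    for f in result["alerts"]:
        print(f"ALERT: {f.src} -> {f.dst}:{f.dport}/{f.proto} outside engineering allowlist")
```

In practice the inventory would come from an asset-discovery export and the flows from a span port or NetFlow collector; the point of the example is that the "no-patch" devices are exactly the ones whose port 1200 traffic needs the allowlist check, and that the check must cover UDP as well as TCP.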

Special Thanks & Recognition

The SCADAfence Research team would like to thank the ABB team for the collaboration.

ABB has published the advisory and released a firmware update for part of the product line.

SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.

Exploit PoC

We wrote a Python POC (GPLv3) script of the exploit in action.

Currently, there’s no patch available. As a result, we limit access to the exploit to vetted individuals. The exploit is available only for educational and legal research purposes.

Warning: The script will crash the PLC’s CPU – do not use it in production.

To get this free python exploit, please send an email to research@scadafence.com, identify yourself and explain how you’re going to use the exploit. We reserve the right to refuse any request.
