Thank You 2020 – It’s Been Quite A Ride!

What a year.

What a year this has been for humanity. An epidemic has fundamentally changed the way we interact with one another: social distancing, lockdowns and restrictions in virtually everything we do. Covid-19 has changed the way we conduct business and shifted the way we secure our businesses.

Adversaries’ activities are at an all-time high, be it nation state actors or financially driven attackers. The ever-changing threat landscape is evolving faster than ever and OT networks and IoT devices are a core target for such malicious activities. Repeated attacks from threat actors sponsored by nation-states, such as the recent SolarWinds attack on Microsoft, FireEye, the US government, and around 18,000 other organizations, have prompted fears not only of significant physical damage and economic disruption but also of the increased possibility of all-out cyber warfare. You could describe the situation as an all-out war, only with no guns involved and not a single bullet shot.

In the midst of all of this, we felt that it is imperative to support the broader community and so with the outbreak of Coronavirus earlier this year, we offered all of our products for free for an initial term. And today, we are honored to protect some of the world’s largest organizations in manufacturing and critical infrastructure. In fact, the Japanese government publicly praised SCADAfence’s efforts to secure multiple Japanese organizations, completely free of charge.

Despite the Covid-19 pandemic and possibly because of the recent spike in attacks, our team at SCADAfence has managed to sustain our exponential growth and the continued scaling of our global footprint with rapid expansion in new markets, such as LATAM and APAC.

This rapid expansion can also be attributed to our technological advancements and innovation. We launched new features based on customers’ real needs, such as our User Activity Tracking, a feature that was built specifically for the new work-from-home norm, and the SCADAfence Governance portal, which centrally monitors adherence to industry standards and regulations.

One of the things we’ve always taken pride in is putting our customers’ needs as our top priority. To that end, SCADAfence has won 11 industry awards in 2020, more than all companies in the OT security industry combined – but that all pales in comparison to having the highest customer satisfaction rating on Gartner’s Peer Insights. Not to mention the feedback we’ve been receiving from our customers. Here’s just one example:

 “SCADAfence has well exceeded all of our expectations in both service level and product quality. Their team has been extremely knowledgeable, customer-focused, and timely in all aspects of our interactions.”

Process Controls Engineer at a Fortune 100, O&G company.

There’s no doubt that 2020 has been a challenging year but also a year full of growth, dedication and grit. I’d like to thank our entire team for all their hard work, efforts and creativity. A big thank you to all of our partners and of course, our customers for choosing to work with us, it’s not a given and never will be.

If you’ve made it this far, and even if you did not, I’d like to wish you a great 2021!

Enjoy the holiday season and stay safe.

Happy new year!

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

SolarWinds / SunBurst – Should Enterprises Adopt Supply Chain Certification?

SunBurst – The Cyber Attack on SolarWinds

SunBurst is a cyber espionage campaign that leveraged a supply chain attack on SolarWinds, a leading supplier of network management software. Between March and May 2020, the attackers gained access to SolarWinds’ build system, added a malicious DLL (library) file, and distributed it to 18,000 SolarWinds Orion customers.

The malicious file allowed remote control of the target host, while leveraging advanced evasive tactics. Using this access point, the attackers were able to hack into organizations with well-established security practices such as Cisco and Microsoft. These organizations failed to detect the attack before FireEye (who was also attacked) made it public.

A targeted attack at this scale doesn’t happen very often. It’s a rare event that should shake both enterprises and the security community. The fact that this campaign went undetected for such a long period of time (6+ months), proves that something is fundamentally wrong with the way that computer networks are protected.

The success of this attack campaign, versus other campaigns, is built upon two factors:

  1. First and foremost, this is not a coincidence. This is a team of highly skilled attackers who made all of it possible. The campaign shows world-class planning, knowledge, experience and attention to detail.
  2. SolarWinds Orion is a network management product. Due to its role, it has a number of advantages as an attack source, vs. other types of attack sources:
    1. It’s whitelisted to perform reconnaissance (network monitoring) in many security tools – This tool is designed to perform reconnaissance, so no one will suspect when the tool does what it was designed to do.
    2. From SolarWinds Orion’s perspective in the network, the network is usually flat. Regardless of how many network segments there are, the component in Orion that scans the network requires direct network access to the target devices, so enterprises allow this traffic through their firewalls. This allows unique network access from the initial access point.
    3. SolarWinds Orion commonly has access to certain admin credentials that make it possible to move laterally.
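
The second point can be checked against a firewall policy. The following is an added example, not code from SCADAfence or SolarWinds: it audits a constructed rule set for allow rules that give a monitoring server more than it needs for polling, and lists the segments that are effectively flat from that server's position. The server address, segment names, rules and the monitoring profile (ICMP and SNMP on UDP/161) are all assumptions.

```python
import ipaddress

# Constructed sample data: every address, segment name and rule is invented.
NMS = ipaddress.ip_address("10.0.5.10")  # hypothetical monitoring server
SEGMENTS = {
    "it-servers": ipaddress.ip_network("10.0.10.0/24"),
    "ot-plcs": ipaddress.ip_network("10.20.0.0/24"),
    "building-mgmt": ipaddress.ip_network("10.30.0.0/24"),
}
# Assumed monitoring profile: the only services the server needs for polling.
MONITORING = {("icmp", None), ("udp", 161)}  # ping and SNMP

RULES = [
    {"id": 1, "src": "10.0.5.10/32", "dst": "0.0.0.0/0", "proto": "any",
     "port": None, "action": "allow"},
    {"id": 2, "src": "10.0.5.0/24", "dst": "10.20.0.0/24", "proto": "tcp",
     "port": 445, "action": "allow"},
    {"id": 3, "src": "10.0.5.10/32", "dst": "10.30.0.0/24", "proto": "udp",
     "port": 161, "action": "allow"},
    {"id": 4, "src": "10.0.5.10/32", "dst": "10.0.10.0/24", "proto": "icmp",
     "port": None, "action": "allow"},
    {"id": 5, "src": "10.0.99.0/24", "dst": "10.20.0.0/24", "proto": "any",
     "port": None, "action": "allow"},
]


def applies_to_nms(rule):
    """True for allow rules whose source range contains the monitoring server."""
    return rule["action"] == "allow" and NMS in ipaddress.ip_network(rule["src"])


def excess_reasons(rule):
    """Explain why a rule grants the server more than the monitoring profile."""
    reasons = []
    if (rule["proto"], rule["port"]) not in MONITORING:
        service = rule["proto"] if rule["port"] is None else f'{rule["proto"]}/{rule["port"]}'
        reasons.append(f"service {service} is outside the monitoring profile")
    if ipaddress.ip_network(rule["dst"]).prefixlen == 0:
        reasons.append("destination is unrestricted")
    return reasons


def audit(rules):
    """Return (rule id, reasons) for every over-broad rule covering the server."""
    findings = []
    for rule in rules:
        if applies_to_nms(rule):
            reasons = excess_reasons(rule)
            if reasons:
                findings.append((rule["id"], reasons))
    return findings


def flat_segments(rules):
    """Segments the server can reach on services beyond monitoring."""
    reachable = set()
    for rule in rules:
        if not applies_to_nms(rule) or (rule["proto"], rule["port"]) in MONITORING:
            continue
        dst = ipaddress.ip_network(rule["dst"])
        reachable.update(name for name, net in SEGMENTS.items() if dst.overlaps(net))
    return sorted(reachable)


if __name__ == "__main__":
    for rule_id, reasons in audit(RULES):
        print(f"rule {rule_id}: " + "; ".join(reasons))
    print("segments reachable beyond monitoring:", flat_segments(RULES))
```

Removing the any/any rule (rule 1) shrinks the reachable set from all three segments to the one covered by the SMB rule, which is the difference between a flat network and a scoped exception.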

The Supply Chain Risk

The supply chain risk to both enterprises and government organizations has been discussed in the last few years. The attack on SolarWinds is one of the most powerful examples of the supply chain risk. It joins a list of similar events such as the attack on Target in 2013. Supply chain attacks exploit trusted third-parties to enable access to a large number of attack targets in parallel. By using that trust, such as the trust organizations put on SolarWinds software updates, it’s easier to obtain access rather than attacking each target separately and directly.

Supply Chain Certification

The United States DoD (Department of Defense) is one of the government organizations that took far-reaching steps to reduce the supply chain risk. In October 2016, the DoD first issued a supplement to the DFARS regulation, that introduced cyber security requirements for DoD suppliers. In November 2020, only a month before the supply chain attack on SolarWinds, the DoD made another major addition to DFARS. This addition is called CMMC or the Cybersecurity Maturity Model Certification.

The CMMC includes a few non-linear improvements vs. the original DFARS supplement, in multiple categories:

  1. Third-party certification of suppliers by approved parties (C3PAOs) instead of self-certification.
  2. Certification is mandatory to be able to participate in RFIs and RFPs, meaning that it can affect the supplier’s revenue.
  3. CMMC has a 5-level maturity model.
  4. There are 154 new requirements out of 171 in CMMC (vs. the original DFARS supplement), and they’re spread across the 5 levels of maturity.
  5. Reporting of compliance status in an online portal. This means that the DoD can monitor compliance of the entire DIB (Defense Industrial Base – the regulated organizations).

By introducing CMMC, the DoD conveys a clear message to DoD suppliers: We want you to be secure. And if you’re not secure enough, you cannot work on defense projects. Find another niche that’s less critical. If you want to work with the DoD, these are our requirements.

The question is: Should enterprises follow a similar path? Should a supply chain certification model be the standard in enterprise RFIs and RFPs?

The Pros and Cons of Supply Chain Certification

There are a few pros and cons to consider when discussing supply chain certification.

Pros:

  • Increased security of the supply chain using financial incentives.
  • Competition between suppliers on security maturity levels – Enterprises will start ranking suppliers based on a new metric.
  • Transparency in security maturity levels. “Are you a Level 3 Security supplier or a Level 5 Security supplier?”
  • Following a cyber attack, the certification might be re-evaluated. If major violations are found, the certification can be voided.

Cons:

  • How much is this going to increase the prices of goods and services? And is it worth it?
  • The certification can end up being another checkbox, where it has high costs and provides no security value.
  • Smaller suppliers might find it difficult or impossible to be certified within their resources, which will create a bias toward larger organizations.
  • Do enterprises have a large enough negotiation power, similar to that of the DoD, to pose such requirements on suppliers?
 

Our Predictions

We see a clear path to how supply chain certification becomes mainstream in the coming years. With the DoD adopting CMMC, certain suppliers will have CMMC certifications. They can then use their CMMC certification as a competitive advantage in non-DoD deals.

The DoD kickstarted this program, defined the requirements, and laid out the infrastructure (C3PAOs, RPs, etc). That allows the entire world to adopt CMMC – other government bodies and enterprises can easily adopt it at a low cost.

If CMMC certification is perceived as an efficient risk reduction strategy with nothing fundamentally wrong about it, this (or a similar) model is going to expand into additional industries.

The SCADAfence Governance Portal is a compliance monitoring automation platform from SCADAfence, that automatically monitors your network’s compliance with the major cyber security standards and regulations. If you’re interested in learning more about how to measure and increase your security program maturity, please visit this page for a short demo about this product.


How SCADAfence Defended a DoD Supplier from Over 50 Cyber-Attackers

The ’85 Bears of Cyber Physical Security

A few days ago, our elite cybersecurity team of defenders faced over 50 of the world’s top hackers and security practitioners in the Hack the Building event.

The event, born from a joint partnership between MISI (Maryland Innovation and Security Institute) and USCYBERCOM (the United States Cyber Command), is an unrivaled, hands-on, live-facilities critical infrastructure cybersecurity challenge.

Hackers, federal labs, building automation companies, academia and government agencies all competed to infiltrate, disrupt or take over a connected smart building and the computing systems and data inside of a government-owned building. 

 

A Real-World Target

The event is built around a specially-designated, real-world target: A live, fully-equipped 150,000 square-foot “smart” office building near Annapolis, Maryland that teams on-site and remote are challenged to attack through its diverse IT, control systems, Internet of Things (IoT), access control, surveillance camera, building automation and other systems.

 

The Attack Scenarios

The event was split into two parts, two days each. On the first part, 13 pre-planned attack scenarios took place, and on the second part, the network was open to any type of attack, allowing attackers and defenders to play in a more chaotic cyber war zone.

The building was equipped with many types of assets, such as PLCs, BAS controllers, industrial robots, power distribution units (PDU), IoT controllers, IP cameras & NVRs, serial to ethernet converters, and many other devices.

Each scenario targeted different assets and required different methods to reach the targets. For example, in one scenario the attackers broke into the data center’s cooling system and shut it down, resulting in server shutdown. In another scenario, the fire alarm system was disabled.

The full list of scenarios is available here

To simulate a real scenario, many details about the network were unknown to the defensive team. Moreover, some details that were provided were plain wrong, due to outdated network maps. These missing details made the defender’s job more difficult.

 

Vulnerabilities Discovered by SCADAfence 

The network had a number of common security issues:

  • The network map was inaccurate and had missing information.
  • The network was protected by firewalls, but many known and unknown connections between segments were possible.
  • Some network segments had a mix of devices in them, for example a conference room camera and engineering stations resided in the same network.
  • Some Windows/Linux devices had monitoring/security agents on them, but many devices weren’t covered by monitoring.

The SCADAfence Platform was deployed on an NPB (network packet broker) that was monitoring multiple SPAN ports and network taps. Using the Platform, we were able to monitor the network in real time, and a SOC team was provided by SCADAfence to monitor the Platform and detect attacks.
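
The four issues listed above can each be surfaced by reconciling the documented network map with what passive monitoring actually sees. The following is an added example, not SCADAfence Platform code and not data from the event: the subnets, hosts, roles, documented paths and flow records are all constructed, and the device-class mapping is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data; none of it comes from the event's real network.
SUBNETS = {
    "office": ipaddress.ip_network("192.168.10.0/24"),
    "engineering": ipaddress.ip_network("192.168.20.0/24"),
    "bas": ipaddress.ip_network("192.168.30.0/24"),
}
# The (possibly outdated) network map: documented hosts and their roles.
DOCUMENTED_HOSTS = {
    "192.168.10.5": "workstation",
    "192.168.20.10": "engineering-station",
    "192.168.30.2": "bas-controller",
}
# Segment pairs the map says the firewalls permit (source, destination).
DOCUMENTED_PATHS = {("engineering", "bas")}
# Hosts that run a monitoring/security agent.
AGENT_COVERED = {"192.168.10.5", "192.168.20.10"}
# Roles inferred from traffic for hosts missing from the map (assumed input).
PASSIVE_ROLES = {"192.168.20.44": "ip-camera"}
# Assumed grouping of roles into device classes.
DEVICE_CLASS = {
    "workstation": "it",
    "engineering-station": "ot",
    "bas-controller": "ot",
    "ip-camera": "iot",
}
# Flows as captured from SPAN ports and taps: (source, destination, dest port).
OBSERVED_FLOWS = [
    ("192.168.20.10", "192.168.30.2", 47808),  # documented path
    ("192.168.20.44", "192.168.20.10", 554),   # source is not on the map
    ("192.168.10.5", "192.168.30.2", 80),      # office -> bas is not on the map
    ("192.168.20.10", "192.168.20.44", 443),
]


def segment_of(ip):
    """Map an address to its segment name by subnet membership."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "unknown"


def reconcile(flows):
    """Compare observed traffic with the documented map and agent coverage."""
    seen = {ip for src, dst, _ in flows for ip in (src, dst)}

    # Cross-segment traffic the map does not account for.
    paths = set()
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d and (s, d) not in DOCUMENTED_PATHS:
            paths.add((s, d, port))

    # Segments that hold more than one device class.
    classes = defaultdict(set)
    for ip, role in {**DOCUMENTED_HOSTS, **PASSIVE_ROLES}.items():
        classes[segment_of(ip)].add(DEVICE_CLASS[role])
    mixed = {seg: sorted(c) for seg, c in classes.items() if len(c) > 1}

    return {
        "unknown_hosts": sorted(seen - set(DOCUMENTED_HOSTS)),
        "undocumented_paths": sorted(paths),
        "mixed_segments": mixed,
        "no_agent": sorted(seen - AGENT_COVERED),
    }


if __name__ == "__main__":
    for finding, value in reconcile(OBSERVED_FLOWS).items():
        print(f"{finding}: {value}")
```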

 

Over 50 Hackers Attacked the Network at the Same Time

This event is a rare opportunity to stress-test your security product. It’s a lot harder to defend than a normal cyber attack. Over 50 hackers attacked the network at the same time, with each team targeting different assets and arriving from a different place in the network. Some attackers came from the internal network and took over legitimate hosts, then used them to attack other assets. Some came from the company’s VPN, and from other places.

They used a large variety of attack tools and tactics, including physical attacks – hacking an access control system with badge readers.

We were happy to see that the SCADAfence Platform was able to detect the broad spectrum of attacks over the course of these 4 days.

The findings from the SCADAfence Platform were presented to the audience in two live streaming sessions (the full videos will be shared as soon as they become available to us). We were interviewed by Armando Seay, Co-Founder of MISI, and together explained the attack tactics used by the attackers.

 

Adversaries Play Dirty Using Social Engineering

At one point, one of the red team members was able to infiltrate the blue team live discussion channel, and alerted the red team about our actions. He was able to infiltrate the channel using social engineering, by identifying as a member of one of the blue teams.

When we (the blue team) found out we had a mole in our channel, we started a mole hunt and finally figured out who the adversary was. We’re not sure if it was part of the planned surprises in the exercise, but regardless – it was an important drill that can happen in real life.

This has been a wonderful event, and a rare opportunity to showcase our product and exercise attack/defense scenarios on real industrial hardware, running real processes. We want to thank MISI (Armando, Mark, Alexander, Karissa, Joseph) and USCYBERCOM for planning and executing this event.

We want to thank the red team for the creativity and for the interesting challenges and surprises they had for us, and to the blue team (which we were part of) for the collaboration.

 

To learn more about SCADAfence’s advanced capabilities, you can watch some short product demos here: https://l.scadafence.com/demo


Vulnerability Report CVE-2020-16849

SCADAfence Researchers Discover A Sensitive Information Leak Vulnerability in Canon Printers

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

CVE-2020-16849 is a remote information disclosure vulnerability in Canon printers that was discovered by SCADAfence researchers Maayan Fishelov, Dan Haim and Ofer Shaked. The vulnerability allows a remote attacker to leak the address book and administrator password, unauthenticated, over the network.

Canon is one of the world’s leaders in cameras, photocopiers, printers and broadcasting equipment. SCADAfence has been working with Canon for the last few months in handling this vulnerability, and on October 1st, Canon published an official security advisory reporting this vulnerability and its mitigations.

About The CVE-2020-16849 Vulnerability

The vulnerability exists inside the printer’s IP protocol stack, which is used by Canon Laser Printers and Small Office Multifunctional Printers. The potential for a third-party attack exists on the devices when they’re connected to a network that allows fragments of the “Address book” or/and “administrator password” to be acquired through an unsecured network. It should be noted that when HTTPS is used for the communication of Remote UI, data is secured by encryption.

To date, there have been no confirmed cases of the vulnerability being exploited to cause harm. However, in order to ensure that Canon’s customers can use their products securely, new firmware will be available for affected Canon products.

What SCADAfence Recommends Vendors To Do

Prevent Unauthorized and Untrusted Access

– Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
– Use within a LAN and block access from untrusted networks and hosts through firewalls.

Perform an IoT Vulnerability Management Process

Tools such as the SCADAfence IoT Security platform can help you identify vulnerable devices.

Monitor for Unauthorized Network Activity and Exploitation

Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.

Upgrade to the Latest Firmware

Canon issued a new firmware that users are able to upgrade to.

Special Thanks & Recognition

The SCADAfence Research team would like to thank the Canon team for a speedy vulnerability reporting process even during the challenging COVID-19 times. SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.

Exploit PoC

We wrote a Python POC (GPLv3) script of the exploit in action. The exploit is only available for educational and legal research purposes. Warning: The script might crash the printer – do not use it in production. To get this python exploit, please send an email to research@scadafence.com, identify yourself and explain how you’re going to use the exploit. We reserve the right to refuse any request.


First Israeli Hi-Tech Delegation Takes Off for the Emirates

The first Israeli high-tech delegation to the Emirates departed this morning (Sunday), led by Jerusalem Venture Partners Fund and entrepreneur Erel Margalit. Over the next four days, the delegation is set to hold high-level meetings with senior officials as well as innovation and investment counterparts in Dubai and Abu Dhabi, to build cooperation between Israeli and Emirati hi-tech, and deepen the newly found relationship between the two countries.

Erel Margalit, CEO and founder of the Jerusalem Venture Partners (JVP), February 18, 2019. / Hadas Parush/Flash90

On Tuesday, participants will join first-of-their-kind ‘round table’ meetings between entrepreneurs from the two countries – both of which are renowned internationally as leaders in the field. Ahead of the visit, the delegation was honored to have received the warm welcome of the UAE Government and was looking forward to the opportunity to meet senior ministers during the visit.

“Hi-tech is the locomotive engine that leads the Israeli economy, so we have a key role in leading relations and cooperation with the Emirates, with an emphasis on partnership,” commented JVP founder and chairman of Margalit Startup City Erel Margalit.

He added, “I am proud to lead the first Israeli hi-tech delegation to the Emirates. Our companies have been in business contact with the Emirates for a number of years, and now an opportunity has arisen to expand this network of relationships, deepen the ties significantly, and allow more and more Israeli companies and entrepreneurs to be part of this connection and success.”

Margalit stressed, “This is not just a business opportunity, but a political opportunity for a new page between the Israeli hi-tech community and the entire Middle East. With us in the delegation, are the CEOs of emerging Israeli hi-tech companies from every field, and I am sure we will create real partnerships here that will contribute to building successful Israeli companies that will propel the Israeli economy forward, precisely during this period, and create more and more new jobs.”

The delegation was invited to the Emirates by the DIFC (Dubai International Financial Center), the body that manages the free trade area in the financial heart of Dubai – which is one of the global financial centers. Members of the delegation will also receive a comprehensive tour of the financial center.

Among the companies participating in the delegation: Earnix, one of the world’s leading companies in insurtech and personalization of insurance and banking, an area with great interest in the Emirates, which is considered a powerhouse in the field of insurance in the Middle East; Up Control, an emerging Israeli company leading a revolution in the management of remote work networks; Morphisec, from Beer Sheva, which is a leader in innovative technology for protecting endpoints in organizations, which is a particularly relevant development for the protection of banks and infrastructure; and Secret Double Octopus, also from Beer Sheva, which provides a leading biometric solution for passwords.

Also of significant interest to the Emirati Government, companies, and investors is the field of foodtech. Among the delegation in the field is InnovoPro, a company that produces a protein substitute from chickpeas with high nutritional values. One of the most interesting companies in the world in the field, it is already a major player in dairy products in some of Europe’s leading chains, with products from ice-cream to mayonnaise. The company is now preparing for a breakthrough in the Middle East. Another company participating in the delegation is Agrint, which has developed technology to identify diseases in trees before they cause damage. One of the most serious infections in the world is the palm bacteria that destroys entire palm groves. Agrint’s solution for this has significant potential for agriculture in the Middle East.

Members of the delegation included: Entrepreneur, and former senior official in the Mossad, David Meidan; Udi Ziv, CEO of Earnix; Frank Zvi, CEO of Copilot; Elad Ben-Meir, CEO of SCADAfence; Dror Liwer, Co-Founder & Chief Security Officer of Coronet; Asaf Ganot, CEO of Control Up; Omri Kohl, CEO of Pyramid Analytics; Gal Rimon, CEO of Centrical; Ronen Yehoshua, CEO of Morphisec; Raz Refaeli, CEO of Secret Double Octopus; Mark Gazit, CEO of Thetaray; Yaron Ravkaie, CEO of Teridion; Tali Nehushtan, CEO of InnovoPro; Yehonatan Ben Hamozeg, CEO of Agrint; they were joined by JVP partners Yoav Tzruya, Fiona Darmon, Gadi Porat, Michal Drayman, and Rinat Remler, senior VPs Shimrit Kenig, Guy Pross, Pnina Ben Ami, and communications director Omri Sheinfeld.

Source from: https://www.jewishpress.com/news/business-economy/first-israeli-hi-tech-delegation-takes-off-for-the-emirates/2020/10/25/

