Tag Archives: security hardening

Mitigating the Increasing Risk Facing Critical Infrastructure and the Internet of Things

With attackers and malware authors extending their reach into more and more areas of everyday life, both companies and individuals need to take steps to improve the security of their equipment and devices. It is not just home devices such as thermometers (important as they are) that are at risk; devices that affect health and safety, and with them entire communities and economies, are being targeted or soon will be.

For example, last month a cyber-attack in Ukraine caused a power outage in an entire district of Kiev even though it lasted only about an hour. Investigators believe the same group was responsible for the December 2015 attack, which cut power to approximately 250,000 people for up to six hours.

In a similar manner, a smaller energy company (location undisclosed) fell victim to the SamSam ransomware (defined). The attackers first compromised a web server, then used a privilege escalation vulnerability (defined) to install further malware and spread through the network, demanding 1 Bitcoin per infected system. The firm paid the ransom and received a decryption key that did not work.

Fortunately, the energy company had a working backup and was back online after two days. The root cause of the infection? Its business network was not separated from its industrial networks by a DMZ (defined). This Dark Reading article details two further examples of businesses running industrial systems that were affected, a manufacturing plant and a power plant, both located in Brazil.

Mark Stacey of RSA's incident response team says that while nation states have not yet used ransomware against industrial systems, it will certainly happen. He cites the example of a dam: disabling the equipment may not command a large ransom, whereas encrypting the data required for its normal operation could.

Former US national security official Richard Clarke suggests a tried-and-tested means of increasing the security of all deployed industrial control systems. Since it is very difficult to convince a board of directors to fund protection against something that has not happened and may never happen, he proposes an approach similar to that taken for the Y2K bug: regulations requiring that all devices deployed after a given date be secured against cyber-attack. He advocates that electric power, connected cars and healthcare providers follow this approach and notes that without regulation "none of this is going to happen." Because the regulations would apply to all ICS/SCADA (defined) vendors, no vendor would lose competitiveness.

With security analysts predicting further compromises of ICS/SCADA equipment this year, we need to better protect this infrastructure.

For enterprises and businesses, the regulations proposed above should help secure IoT and ICS/SCADA devices, but they are only a beginning. This scanner from BeyondTrust is another good start. As that article mentions, the FTC is offering $100,000 to "a company that can discover an innovative way of managing and patching IoT devices." Securing IoT devices is not an easy problem to solve.

Progress is nevertheless being made on securing critical infrastructure and Internet of Things (IoT) (defined) devices. Below are resources, recommendations, tools and products that can help protect these systems and devices.

How can we better secure ICS/SCADA devices?
These devices power our critical infrastructure, e.g. power, gas, communications and water filtration. The US ICS-CERT has detailed recommendations available at the following links:

ICS CERT Recommended Practices
ICS-CERT Secure Architecture Design
ICS Defense In-Depth (PDF)

An ICS-CERT overview of the types of vulnerabilities that these systems face.

Securing IoT devices in industry
Free IoT Vulnerability Scanner Hunts Enterprise Threats (Dark Reading.com)
Defending the Grid
Network and IoT to underpin Trend Micro’s 2017 strategy

Securing IoT in the medical sector/businesses
Hospitals are under attack in 2016 (Kaspersky SecureList)
Fooling the Smart City (Kaspersky SecureList)

Recommendations for consumer IoT devices are the following:
My previous recommendations on securing IoT devices
Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection
Securing Your Smart TV
8 tips to secure those IoT devices (Network World)
Who Makes the IoT Things Under Attack? (Krebs on Security)

=======================
I hope that you find the above resources useful for securing ICS/SCADA and IoT devices, which are very likely to be targets this year.

Thank you.

Linux Foundation Issues Security Checklist for Sys Admins

The Linux Foundation recently made available a set of security best practices aimed specifically at Linux system administrators, to help them protect the systems they are responsible for from compromise.

The advice is divided into four severity levels: low, moderate, critical and paranoid. The recommendations should help you better defend any Linux systems you administer in your corporate environment and can be used to supplement your existing defences and procedures.

I hope that you find this list useful. The checklist can be viewed here. Further advice on hardening Linux workstations is provided at the end of a previous blog post.

Thank you.

Siemens Updates Simatic Products Against “Ghost” (glibc) Security Flaw

Earlier this week Siemens made security updates available for its Simatic products (industrial data network controllers) to resolve an issue in the GNU C library that was reported in January this year. Updates for its Ruggedcom industrial routers and its SINUMERIK controllers were already released in March. These products are deployed in industrial sectors to provide data networking within large production lines and processing facilities, e.g. water treatment.

Please follow the instructions in the ICS-CERT security advisory to update any affected industrial Siemens products that you use. Before and after updating, check the installed firmware or software version of each device against the advisory's list of affected versions, since the fix is only in place once the device reports a fixed version.

Background on the Ghost Flaw

In January of this year security researchers at Qualys disclosed a buffer overflow (CVE-2015-0235, nicknamed "GHOST") in the gethostbyname() and gethostbyname2() functions of the GNU C library, including their reentrant _r variants. Both functions are deprecated in favour of getaddrinfo(), which handles IPv6 and does not share the flawed code path. In the context of the industrial networking components mentioned above this is a denial of service flaw, but remote code execution is possible.

The flaw lives in a shortcut inside the gethostbyname() family. Before performing a DNS lookup, glibc checks whether the string it was given is already a numeric IP address (made up only of digits and dots) and, if so, converts it directly instead of resolving a hostname. The code that sizes the temporary buffer for this conversion omitted space for one pointer, so a sufficiently long digits-and-dots name that still parsed as an address overflowed the buffer by up to sizeof(char *) bytes (4 on 32-bit, 8 on 64-bit platforms). Turning those few bytes into remote code execution requires an input tailored to the specific software and hardware platform, so such attacks must be targeted and are not trivial to exploit.
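As an added illustration (this is not Siemens', Qualys' or glibc's code, and not a reproduction of the Qualys exploit), the following C wrapper shows how an application can stay off the vulnerable gethostbyname() path entirely: it bounds the length of the name, recognises IP literals with inet_pton(), which parses into a fixed 16-byte buffer whatever the input length, and resolves everything else through getaddrinfo(). The 253-character cap, the permitted character set, the function names and the constructed 1024-digit name used in its self-check are all this example's own assumptions.

```c
/* Added example: a resolver wrapper that avoids gethostbyname()/gethostbyname2().
 * Not Siemens', Qualys' or glibc code; limits and names are this example's own. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define HOSTNAME_MAX 253 /* RFC 1035 limit on a dotted name; assumed cap here */

/* 1 if s is an IPv4 or IPv6 literal. inet_pton() writes into a fixed 16-byte
 * buffer, so however long s is, nothing is written past addr. */
int is_ip_literal(const char *s)
{
    unsigned char addr[16];
    return inet_pton(AF_INET, s, addr) == 1 || inet_pton(AF_INET6, s, addr) == 1;
}

/* Reject over-long names and characters outside [A-Za-z0-9.-:] before the
 * string reaches any resolver code (':' is permitted for IPv6 literals). */
int hostname_is_sane(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > HOSTNAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Resolve name and write its first address, in presentation form, to out.
 * With numeric_only != 0 only literals are accepted (AI_NUMERICHOST), so the
 * call never performs a DNS query. Returns 0 on success, -1 otherwise. */
int safe_resolve(const char *name, int numeric_only, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    if (!hostname_is_sane(name))
        return -1;
    if (numeric_only && !is_ip_literal(name))
        return -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;     /* IPv4 or IPv6; gethostbyname() is IPv4-only */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = numeric_only ? AI_NUMERICHOST : 0;

    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0 ? 0 : -1;
}

/* Self-check: a constructed 1024-digit name (the digits-and-dots shape the old
 * fast path treated as an address) must be refused before any parsing happens. */
int ghost_style_name_rejected(void)
{
    char name[1025];
    char out[INET6_ADDRSTRLEN];

    memset(name, '0', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return !hostname_is_sane(name) && safe_resolve(name, 1, out, sizeof out) == -1;
}

/* Self-check: a genuine literal round-trips without touching the network. */
int literal_roundtrip_ok(void)
{
    char out[INET6_ADDRSTRLEN];
    return safe_resolve("127.0.0.1", 1, out, sizeof out) == 0 &&
           strcmp(out, "127.0.0.1") == 0;
}

int main(void)
{
    printf("GHOST-style name rejected: %s\n", ghost_style_name_rejected() ? "yes" : "no");
    printf("literal round-trip ok:     %s\n", literal_roundtrip_ok() ? "yes" : "no");
    return 0;
}
```

Two points about the design. The length check runs before any parsing, so a 1024-digit name never reaches inet_pton() or getaddrinfo() at all; and even without it, inet_pton() with AF_INET insists on a full dotted-quad, unlike the looser parser the old fast path relied on, so a bare run of digits is not accepted as an address. The wrapper does not protect code that still calls gethostbyname() itself, and it does nothing for other processes on the host: the only fix for those is the vendor update plus a restart.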

Updates resolving this flaw were released in January by Red Hat, SUSE Linux, Ubuntu and Debian (among others). If you have not already done so, apply the security updates to your Linux systems. Because glibc is mapped into almost every running process, installing the package is not enough on its own: restart the affected services, or reboot, so that no long-running process keeps the old library loaded.

Update: 29th May 2015:
Further defence-in-depth advice on protecting a Linux system from attack is provided in this blog post.

Update: 7th September 2015: In addition, as mentioned in this more recent blog post, the Linux Foundation has published a security checklist (intended for Linux system administrators) to harden Linux systems against attack.

Thank you.