An action-packed cyber news section with multiple ‘standards-based’ recommendations from NIST, CERT, ISO and NCCoE. Reports and surveys from Carbon Black, ASUG and DNV GL. New EU MISP alert-sharing project announced. Commercial news and novelties from Honeywell, Rockwell, Marlink and IBM.
The latest quarterly incident response report from Carbon Black sees nation-state cyber attackers becoming more sophisticated and increasingly destructive. Attacks now frequently wipe log files from compromised machines to avoid forensic analysis and detection. Attacks are ‘industry agnostic’ and affect a wide range of industries; some 11% are reported as directed at the oil and gas sector. Attackers direct their best capabilities at industrial bases and tech service providers, especially high-tech researchers in aerospace, power generation, oil and gas, and nuclear. Moreover, half of all attacks leverage ‘island hopping’, putting customers’ and partners’ systems at risk.
A survey carried out by the Americas’ SAP Users’ Group (ASUG) found 80% of IT/security practitioners to be ‘very or extremely concerned’ about the internal security of their SAP systems. Executives were much more sanguine, with only 25% concerned. The survey concludes that ‘many companies using SAP may overestimate the security of their SAP-based workload’. The survey also pinpointed difficulties in the consistent review of access security and governance, with current manual review tending towards ‘rubber stamping’. The ASUG report suggested replacing manual access review with, for instance, ERP Maestro’s automated solution.
At the 2018 GBC IIoT in oil and gas conference, Sam Alderman-Miller presented Darktrace’s ‘self-learning’ cyber defense application for IIoT/SCADA environments. Today’s SCADA systems typically expose ‘massively outdated’, unpatched protocols. Cyber, as experienced by the IT community, is a novelty in the SCADA world, where attacks have risen sharply. Making AI work across ‘wonderfully unique’ control systems required more than a cookie-cutter approach. There are ‘no training sets of data’ and there is ‘no time for a three-month proof of concept’. Darktrace’s industrial immune system uses AI to crunch massive data sets, define ‘normal’ and watch for anomalies in real time. Darktrace also deploys Bayesian estimation and unsupervised machine learning on network traffic.
NCCoE, the US National Cybersecurity Center of Excellence, has released an online repository of some 6,700 key information security terms and definitions extracted from its publications and interagency reports. NIST has also published SP 1800-5, ‘IT Asset Management’, an ‘example solution’ that allows an organization to centrally monitor its IT asset portfolio and to determine, for example, which devices are vulnerable to the latest threat. NCCoE also kicked off a project to study cyber security in utilities and oil and gas. A 13-page project description is available. Initial project partners are ForeScout Technologies, Tripwire, Dragos, Splunk, KORE Wireless, TDi Technologies, FoxGuard Solutions and Veracity Industrial Networks.
The newly revised ISO/IEC 27005:2018, ‘IT security techniques’, provides a framework for managing cyber risk in compliance with the earlier ISO/IEC 27001 recommendations.
NIST Internal Report NISTIR 8179 describes a criticality analysis model for prioritizing programs and systems according to their importance to the organization and the impact of their failure. The methodology is said to apply to organizations that rely on third-party products and services from IT/OT suppliers.
Speaking at the 2018 Honeywell User Group meeting, Eric Knapp showed how to protect against USB-borne cyber-attacks with Secure Media Exchange (SMX). USB devices are the entry point for almost 40% of control system penetrations. Most malware comes as a Trojan inside a PDF or Office document. Despite widespread awareness of the issue, real-world tests have shown that almost all ‘found’ drives are indeed connected to the system. Enter Honeywell’s Secure Media Exchange, which monitors systems for ‘rubber ducky’, ‘bash bunny’ and other USB-vectored exploits. Download Knapp’s presentation here.
In a separate announcement, Honeywell has released a multi-site industrial cybersecurity solution leveraging its ICS Shield product for industrial control system cybersecurity. The new managed security services protect connected sites from evolving cyber threats. Honeywell acquired ICS Shield developer Nextnine in 2017 and now claims over a million industrial nodes globally.
The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University has released SCALe, a source code analysis application, for the first time as open-source software. SCALe audits software written in any source code language and alerts programmers to flaws that may lead to vulnerabilities. CERT also provides guidance for secure development in C, C++, Java and Perl.
A Rockwell Journal article describes open, unsegmented networks as a ‘gift to cyber attackers’. Author Josh Kass paints network segmentation as a damage limitation exercise that prevents a possible ‘pivot’ from a vulnerable point of entry to more sensitive data or devices. Segmentation also limits damage from internal threats such as a disgruntled employee, or from human error such as an incorrect system change. Network segmentation should be part of every company’s industrial security strategy.
Marlink has announced a real-time cyber threat detection solution, ‘Cyber Detection’, for the maritime industry. Cyber Detection monitors outbound and inbound network traffic to display threats via a web-based dashboard. Compromised assets may be remedied using Marlink’s Cyber Guard solution with optional assistance from Marlink’s Security Operations Centre (SOC).
For the record, a publication from DNV GL that escaped our notice when published in 2017. DNVGL-RP-G108 is a 53-page instruction manual for the implementation of cyber security in the oil and gas industry based on IEC 62443.
The EU-backed MISP project is an open source platform for sharing threat intelligence. MISP creates software, develops taxonomies, warning lists and galaxies, and releases practical standards to solve information sharing challenges. MISP is funded under the Connecting Europe program.
If all of the above has you a little worried, reflect on this additional pitfall. At the 2018 IBM ‘Think’ event held in Paris, a short and dramatic presentation had a ‘hacker’ boast that with a ‘small black box’ he could take over every smartphone in the room. The ‘hacker’ then whipped off his hoodie to reveal that he was IBM’s EU head of computer security. All very amusing. Less so was another boast, that IBM holds 8,000 patents on computer security! Quite a change in tack from the days when IBM was a goodie-goodie in the open source community with a ‘$1 billion’ investment in open source. One wonders how much of this investment has ended up in the proprietary, patent-protected offering that is Watson for Cybersecurity.
Finally, an observation. Have you noticed that whenever a serious hack occurs, or a new piece of nasty malware is discovered, it is invariably referred to as being ‘almost certainly’ produced by an unfriendly government, be it North Korea, Iran or Russia? This respect for the power of governments in the field of cyber insecurity contrasts with the poor light in which government is held more generally in (often) the same circles.
© Oil IT Journal - all rights reserved.