Industrial Controls Expert, Jennifer Love, joins Verve Industrial Protection as Customer Officer

Love has broad experience in helping clients find innovative security and controls solutions in process controls

ST. LOUIS, MO and CHICAGO – May 25, 2017 – Verve Industrial Protection is pleased to announce the appointment of Jennifer Love as Customer Officer. Ms. Love will work with Verve’s clients to help them get the most out of the company’s software and services.

Ms. Love joins Verve Industrial Protection from ABB. As a process control engineer she has worked for Invensys, Honeywell and ABB. She has helped dozens of clients significantly reduce the cost of service through the introduction of secure and reliable remote service offerings. She is a committed advocate in the pursuit of solving her clients’ most challenging operational needs.
“We are excited to welcome Jenny to our team. Verve prides itself on bringing deep industrial controls experience to all of our clients. Jenny is steeped in ICS. She will bring great insights to our clients of how to ensure their systems are secure and reliable,” said John Livingston, CEO of Verve Industrial Protection.

Ms. Love will help clients bring together the power of Verve Industrial Protection’s integrated set of protection and security solutions: 1) Design-4-Defense, 2) Verve Security Center, and 3) Managed Asset Protection Services. Together, these solutions allow Verve to help customers build true defense in depth and cover the critical areas of security as well as compliance.

“I am excited to be part of a team of experienced industrial controls experts who are bringing cybersecurity and reliability solutions that are ‘built by ICS engineers, for ICS engineers.’ I have seen firsthand the challenges that large industrial companies face in protecting their critical assets. Verve has built the kind of solutions that I know these customers need,” said Ms. Love.

_______________________________________________________________________________________

About Verve Industrial Protection: Verve, formerly known as RKNeal Engineering, has been in the industrial controls engineering business for approximately 25 years. The company’s flagship software product, Verve Security Center (VSC), is a vendor-agnostic security suite that consolidates antivirus, application whitelisting, change & configuration management, security information & event management (SIEM), patch management, vulnerability assessments, intrusion detection, backup management, compliance, workflow and document management into a unified solution. VSC brings threat intelligence together into a single console so users can quickly and simply understand their security posture and compliance status. The company also offers industrial controls engineering and managed asset protection services to industrial clients.


For more information, please email us at sales@verveindustrial.com or visit us at verveindustrial.com.

WannaCry and What to do for ICS

We are certain that by now you have heard all about WannaCry and its many possible variants. What is perhaps less clear is what you should do about it. To cut to the chase, the following should be investigated or executed, at a minimum, as soon as possible:

  1. Apply the Windows SMB patch as soon as possible. Note that an emergency patch for unsupported versions of Windows, including Windows XP, Vista, Server 2003 and Server 2008, is available for older systems as well (see Microsoft Security Bulletin MS17-010 – Critical).
  2. Block the SMB ports (TCP 139 and 445) between IT and OT networks (no change is needed where there is no connection between the systems because data diodes are used).
  3. On systems that don’t require SMB, disable it altogether (Microsoft instructions can be found here) or block it using the endpoint firewalls.
  4. On systems that may require SMB for less important services, consider disabling SMB until patches can be applied.
  5. Quickly review disaster recovery plans and determine which Windows-based ICS systems have current backups. Image or back up those systems as soon as possible to aid rapid recovery if they become infected.
  6. Additionally, ICS security teams need to remain vigilant for new variants of WannaCry which may use new replication techniques.
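The following script is an added example, not code from the original post or from Verve, that turns steps 1 to 4 of the checklist into something you can run on a Windows host: it reports whether an MS17-010 hotfix is present, whether SMBv1 is enabled and whether TCP 139/445 are listening, and only with the `-Remediate` switch does it disable SMBv1 and add inbound block rules. It assumes an elevated PowerShell 5.x session on Windows 8/Server 2012 or newer (the `Smb*` and `NetFirewall*` cmdlets do not exist on Windows 7/2003, where the documented registry path in the comments applies instead), and the KB list is a placeholder you must fill from MS17-010 for your exact OS build.

```powershell
# Added example (not from the original post): audit a Windows host against the
# WannaCry checklist and, only on request, apply the SMB hardening steps.
# Assumptions: elevated PowerShell 5.x on Windows 8 / Server 2012 or newer.
# $Ms17010Kbs is a placeholder; take the exact KB numbers for your OS from MS17-010.
param(
    [switch]$Remediate,                                          # report only unless set
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010')    # fill in from the bulletin
)

function Get-SmbExposure {
    # Returns one object describing the host's patch level and SMB state (step 1).
    $hotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched  = @($Ms17010Kbs | Where-Object { $hotfixes -contains $_ }).Count -gt 0

    $smbCfg = Get-SmbServerConfiguration
    # Microsoft's documented switch for older builds is the SMB1 value under
    # LanmanServer\Parameters; read it as well so the report matches the service.
    $regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $regSmb1 = (Get-ItemProperty -Path $regKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                 Where-Object { $_.LocalPort -in 139, 445 } |
                 Select-Object -ExpandProperty LocalPort -Unique

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        Ms17010Installed  = $patched
        Smb1Enabled       = $smbCfg.EnableSMB1Protocol
        Smb1RegistryValue = $regSmb1
        SmbPortsListening = ($listening -join ',')
    }
}

function Set-SmbHardening {
    # Steps 2-4: turn SMBv1 off and block inbound 139/445 at the endpoint firewall.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On client SKUs the SMB1 feature can also be removed (Server 2012 uses
    # Remove-WindowsFeature FS-SMB1 instead); skip silently where unavailable.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    foreach ($port in 139, 445) {
        $name = "Block inbound SMB $port (WannaCry mitigation)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

$state = Get-SmbExposure
$state | Format-List

if (-not $state.Ms17010Installed) {
    Write-Warning 'MS17-010 hotfix not detected: patching comes before everything else.'
}
if ($Remediate) {
    # Step 4 caveat: only harden hosts whose SMB dependencies you have confirmed.
    Set-SmbHardening
    Get-SmbExposure | Format-List
}
```

Run it without arguments first across your Windows ICS estate to build the inventory the checklist assumes; the report, not the remediation, is what tells you which HMI or engineering workstations still depend on SMB for a vendor service and therefore belong in step 4 rather than step 3.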

Now that you have your marching orders, here are a couple of other sources of information for you to review. The first article is written by our own Technical Director for EMEA, based in the UK. His article ‘When Worms Attack Critical Infrastructure’ can be found here.

Additionally, our senior advisor and ‘godfather’ of ICS security, Eric Byres, helped our friends at ISSource with his article titled ‘How to Protect Against WannaCry’.

And be sure to check back soon: very shortly we will publish a more detailed analysis of how an orchestrated tool like our Verve Security Center, with its 100% visibility into your assets and their status and the ability to tune endpoints from our portal, could speed future efforts like this. Stay tuned!

When Worms Attack Critical Infrastructure

On 12 May 2017 a malicious phishing email was received and opened by an unwitting user, allowing a new breed of malicious worm to infect the user’s machine. The worm in question, the WannaCry (WannaCrypt0r) crypto-ransomware, was a wrapper around a tool from the NSA’s cyber arsenal that had been released into the public domain by a hacking team going by the name of ShadowBrokers. The tool WannaCry wrapped into its own functionality was EternalBlue, which had been designed to compromise a set of previously undisclosed Microsoft SMB vulnerabilities; WannaCry also made use of DOUBLEPULSAR to deploy extra applications to the compromised endpoint. Once run, the worm used EternalBlue’s ability to traverse the network and hunt down other Windows PCs; once connected to a suitable host it would start its main task of encrypting the user’s hard disk. On completion it would display its ransom notification asking for funds to be transferred in order to release the user’s data.

By Monday the 15th the worm is believed to have propagated to over 230,000 users in over 150 countries, with its spread stunted by the accidental discovery of a ‘kill switch’ inside the worm. This kill switch relied on the host being able to reach a check URL: if the URL was reachable, no further search-and-deploy would continue from that host. Since this was discovered, variants have started to emerge with the ‘kill switch’ functionality disabled. It is worth noting that the ability to spread so fast relied on endpoints being ‘internet facing’ and Microsoft patching not being up to date. Within the UK alone this affected 1 in 5 NHS trusts, with 70,000 devices, including x-ray machinery running Windows XP, becoming unusable and causing the NHS to declare an emergency. Interestingly, the NHS is trialling a replacement operating system which, had it been deployed, would have drastically reduced their exposure to this attack.

Let’s shift this into the realm of nuclear processing, electrical generation, chemical processing or any other process-driven critical operation whose control systems are generally, by design, segregated and hived off from the outside world. If this worm had been introduced into such an environment, any Microsoft system, be it an HMI workstation, engineering workstation or SCADA server, would have been rendered useless once the encryption had taken place. Given that these systems would not be able to contact the external check URL acting as the kill switch, replication would continue. How long these systems could run safely before being shut down would depend on the type of process running and the ability to effectively deal with and mitigate such an outbreak.

Let’s assume the logic running WannaCry is searching for a machine with a specific function or role. If that function isn’t matched on the compromised endpoint, chances are it will start encrypting the machine’s data and then request a ransom; if, on the other hand, the logic is matched, the encryption component may not be deployed. Instead the abilities of the secondary wrapped tool, DOUBLEPULSAR, are initiated, which forgoes rendering the disks inoperable and instead looks for a path to its Command & Control server in order to deploy extra functionality allowing remote control of the process system. For these systems, this means anything from introducing sporadic inconsistencies, through placing the system into an unhealthy condition and potentially endangering life by rendering safety systems ineffective, to providing control room staff with incorrect information. This could be anything from your local ATM/card payment systems, managed motorway signs or water processing plant through to the airplane I’m currently sat on under the control of air traffic control. All it takes is a single point of entry to go undetected.

The mitigation for this type of attack ranges from responsible disclosure to the vendor, as was the case when EternalBlue inadvertently entered the public domain from the NSA, through to having a full understanding of the endpoints that exist within your CNI estate. For the latter, this information should consist of verified baselines and backups; security and backup continuity plans and policies which are regularly tested; change and patch management; and, not forgetting, an effective security monitoring solution to monitor and alert on the anomalies detected.
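The anomaly a segregated OT network would show during the scenario above is one host opening TCP/445 connections to many distinct peers in quick succession, since the check URL is unreachable and replication never stops. The script below is an added example, not code from the original article or from Verve, of the kind of rule a monitoring solution would run over endpoint firewall logs to surface that fan-out. It assumes Windows Firewall (`pfirewall.log`) field order; the log lines are constructed for the example, and the window and peer-count thresholds are placeholders to tune per site.

```powershell
# Added example (not from the original article): flag hosts that fan out to
# TCP/445 on many distinct peers inside a short window, the footprint of a
# self-propagating SMB worm on a segregated control network.
# Assumptions: lines follow the Windows Firewall pfirewall.log field order;
# the sample below is constructed; thresholds are placeholders to tune per site.

$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:01:03 ALLOW TCP 10.1.1.20 10.1.1.10 49201 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 10:01:05 ALLOW TCP 10.1.1.50 10.1.1.51 49152 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 10:01:06 ALLOW TCP 10.1.1.50 10.1.1.52 49153 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 10:01:06 DROP  TCP 10.1.1.50 10.1.1.53 49154 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 10:01:07 ALLOW TCP 10.1.1.50 10.1.1.54 49155 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 10:01:08 DROP  TCP 10.1.1.50 10.1.1.55 49156 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 10:01:09 ALLOW TCP 10.1.1.50 10.1.1.56 49157 445 0 - 0 0 0 - - - RECEIVE
2017-05-12 10:04:30 ALLOW TCP 10.1.1.20 10.1.1.11 49202 445 0 - 0 0 0 - - - RECEIVE
'@ -split "`n"

function Find-SmbFanOut {
    # Returns one alert object per source that reached $DistinctPeers or more
    # distinct destinations on TCP/445 within any $WindowSeconds-long window.
    param(
        [string[]]$Lines,
        [int]$WindowSeconds = 60,   # placeholder threshold
        [int]$DistinctPeers = 5     # placeholder threshold
    )
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }          # header, comment or blank
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Time
            $window = @($sorted | Where-Object {
                $_.Time -ge $start -and $_.Time -lt $start.AddSeconds($WindowSeconds)
            })
            $peers = @($window.Dst | Sort-Object -Unique)
            if ($peers.Count -ge $DistinctPeers) {
                [pscustomobject]@{
                    Source      = $group.Name
                    WindowStart = $start
                    PeerCount   = $peers.Count
                    Peers       = ($peers -join ',')
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

Find-SmbFanOut -Lines $sampleLog | Format-Table -AutoSize
```

In the constructed sample, 10.1.1.20 (a historian talking to two servers minutes apart) stays quiet while 10.1.1.50 is reported for reaching six peers in six seconds; note that DROP lines count too, because a worm probing hosts that have already blocked 445 is exactly the signal you want, and a rule that only counts successful connections would miss the hosts you hardened.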

For now, WannaCry is limited to code that attacks Windows endpoints only; that’s not to say that version 3 or 4 won’t extend its functionality to make use of the other leaked NSA code modules to create more specialised, targeted attacks.

Company Overview – Our History, Values & Experience

Founded originally as RKNeal Engineering, we have amassed 20+ years of experience, with our engineers having worked with nearly every major DCS, PLC, and SCADA system on. Today our legacy lives on in the 1,000+ automation and control system projects we have completed.

We have worked closely with our clients on their most pressing network and data needs. We have helped them evolve their networks to manage the increasing amount of connectivity necessary to drive increased efficiency and reliability. We understand how these networks work, their vulnerabilities, and the unique operational characteristics that separate controls networks (operating technology or OT) from IT networks.

Almost 10 years ago, we identified the risks inherent in these older control systems as more of the networks were exposed to external sources of data – whether through the internet or the simple connection of USB sticks. What really concerned us was that cyber security within the ICS environment was fragmenting across OEM vendors and various cyber threat management software tools. Complexity was getting worse, and risks were getting higher. Managing this complexity in an operating environment requires unique expertise.

As a result, we set out to build a unified monitoring and remediation console that lets you view and manage your cyber security workflow, threats, and compliance from a single, vendor-neutral security suite – what we call the Verve Security Centre.

Our focus with Verve has been to improve and simplify reliability, security and compliance within the operational enterprise, and we designed Verve to enable the best IT software tools to work in the ICS environment. Our proprietary “ICS bus” embedded our years of ICS expertise into an integration platform that would allow these multiple systems to operate in concert with one another – and at no risk to the sometimes-fragile legacy control systems.

We combined this integration with customized data tools to seamlessly integrate today’s and tomorrow’s state-of-the-art capabilities, ensuring that customers are always protected.

Verve Industrial Protection
240 Blackfriars Road, London SE1 8NW

URL: http://www.verveindustrial.com
Email: EMEA@verveindustrial.com
LinkedIn: https://www.linkedin.com/company/rkneal
Phone: +44 (0) 7399 538967

Copyright Verve Industrial Protection 2017