Posts

WannaCry and What to do for ICS

We are certain that by now you have heard all about WannaCry and its many possible variants. What may be less clear is what you should do about it. To cut to the chase, the following should be investigated or executed at a minimum, as soon as possible:

  1. Apply the Windows SMB patch as soon as possible. Note that an emergency patch is also available for unsupported versions of Windows, including Windows XP, Vista, Server 2003 and Server 2008 (see Microsoft Security Bulletin MS17-010 – Critical).
  2. Block the SMB ports (139 and 445) between IT and OT networks (not applicable where there is no connection between the systems because data diodes are used).
  3. On systems that don’t require SMB, disable it altogether (Microsoft instructions can be found here) or block it using the endpoint firewalls.
  4. On systems that may require SMB for less important services, consider disabling SMB until patches can be applied.
  5. Quickly review disaster recovery plans and determine which Windows-based ICS systems have current backups. Image or back up those systems as soon as possible to aid rapid recovery if they become infected.
  6. Additionally, ICS security teams need to remain vigilant for new variants of WannaCry which may use new replication techniques.
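As an added example (not from the original post or from Verve), the host-level items in the list above, checked and optionally applied from an elevated PowerShell prompt on a Windows 7 / Server 2008 R2 or later host. Assumptions: the KB numbers are the MS17-010 packages known to the editor and must be confirmed against the bulletin for each OS build; `-Remediate` is only appropriate on hosts that do not need SMB (items 3 and 4), and the SMBv1 registry switch needs a reboot to take effect.

```powershell
<#
  WannaCry host audit: is MS17-010 installed, is the SMBv1 server disabled,
  and does the host firewall block inbound TCP 139/445?  Report only by
  default; -Remediate disables SMBv1 and adds the block rule.
  ASSUMPTION: the default KB list is an editor's selection, not from the post.
#>
param(
    [switch]$Remediate,
    [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012598')
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$report = [ordered]@{}

# Item 1: any MS17-010 package present?
$installed = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
$report['MS17-010 patch'] = if ($installed) { 'installed: ' + ($installed.HotFixID -join ',') } else { 'MISSING' }

# Items 3/4: SMBv1 server status. Registry value SMB1=0 disables it on
# Win7/2008R2+; Get-SmbServerConfiguration only exists on Win8/2012+.
$smb1Reg = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $smb1On = ($smb1Reg -ne 0)   # value absent means SMBv1 enabled by default
}
$report['SMBv1 server'] = if ($smb1On) { 'ENABLED' } else { 'disabled' }

# Item 2 (host side): inbound block rule for TCP 139/445 on the host firewall?
$ruleName = 'Block SMB inbound (WannaCry mitigation)'
$ruleText = netsh advfirewall firewall show rule name="$ruleName" 2>$null
$hasRule  = ($ruleText -join "`n") -match 'Action:\s+Block'
$report['139/445 inbound'] = if ($hasRule) { 'blocked by host firewall' } else { 'NOT blocked by this rule' }

if ($Remediate) {
    if ($smb1On) {
        # The registry switch Microsoft documents for the SMBv1 server; reboot required.
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
        $report['SMBv1 server'] = 'disabled (reboot required)'
    }
    if (-not $hasRule) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=139,445 | Out-Null
        $report['139/445 inbound'] = 'blocked by host firewall'
    }
}

[pscustomobject]$report | Format-List
```

Run it once in report mode across the Windows ICS estate to build the list of unpatched hosts before touching anything; the output is deliberately a plain object so it can be collected centrally.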

Now that you have your marching orders, here are a couple of other sources of information for you to review. The first article is one written by our very own Technical Director for EMEA, based in the UK. His article ‘When Worms Attack Critical Infrastructure’ can be found here.

Additionally, our senior advisor and ‘godfather’ of ICS security, Eric Byres, helped out our friends at ISSource with his article titled ‘How to Protect Against WannaCry’.

And be sure to check back soon – very shortly we will be publishing a more detailed analysis of how an orchestrated tool like our Verve Security Center, with its 100% visibility into your assets and their status and the ability to tune endpoints from our portal, could speed future efforts like this. Stay tuned!

When WORMs Attack Critical Infrastructure

On 12 May 2017 a malicious/phishing email was received and opened by an unwitting user, allowing a new breed of malicious worm to infect the user’s machine. The worm in question, the WannaCry (WannaCrypt0r) crypto-ransomware, was a wrapper around a tool originating from the NSA’s cyber arsenal that had been released into the public domain by a hacking team going under the name of ShadowBrokers. The tool which WannaCry wrapped into its own functionality was EternalBlue, which had been designed to compromise a set of previously undisclosed Microsoft SMB vulnerabilities; WannaCry also made use of DOUBLEPULSAR for the ability to deploy extra applications to the compromised endpoint. Once run, the worm used EternalBlue’s ability to traverse the network and hunt down other Windows PCs; once connected to a suitable host it would start its main task of encrypting the user’s hard disk. Once complete it would display its ransom notification, asking for funds to be transferred in order to release the user’s data.

By Monday the 15th the worm is believed to have propagated to over 230,000 users in over 150 countries, with its spread stunted by the accidental discovery of a ‘kill switch’ inside the worm – this kill switch relied on the host being able to reach a check URL; if the URL was found then no more search-and-deploy would continue from that host. Since this was discovered, variants have started to emerge with the ‘kill switch’ functionality disabled. It is worth noting that the ability to spread so fast relied on the endpoint being ‘internet facing’ and Microsoft patching not being up to date. Within the UK alone this affected 1 in 5 NHS trusts, with 70,000 devices, including x-ray machinery running Windows XP, becoming unusable, causing the NHS to declare an emergency. Interestingly, the NHS are trialling a replacement operating system which, if deployed, would have drastically reduced their exposure to this attack.

Let’s shift this into the realms of nuclear processing, electrical generation, chemical processing or any other process-driven critical operation whose control systems are generally, by design, segregated and hived off from the outside world. If this worm had been introduced into such an environment then any Microsoft system, be it an HMI workstation, engineering workstation or SCADA server, would have been rendered useless once the encryption had taken place. Given that these systems wouldn’t be able to contact the external check URL acting as the kill switch, the replication would continue. How long these systems could run safely before being shut down would depend on the type of process running and the ability to effectively deal with and mitigate such an outbreak.

Let’s assume the logic running WannaCry is searching for a machine with a specific function or role. If that function isn’t matched on the compromised endpoint, chances are it will start encrypting the machine’s data and then request a ransom; if, on the other hand, the logic is matched, the encryption component may not be deployed – instead the secondary wrapped tool, DOUBLEPULSAR, is initiated, which halts the spread of disk encryption and instead looks for a path to its Command & Control server in order to deploy extra functionality allowing remote control of the process system. For these systems, this means anything from introducing sporadic inconsistencies, through placing the system into an unhealthy condition and potentially endangering life by rendering safety systems ineffective, to providing control room staff with incorrect information. This could be anything from your local ATM/card payment systems, managed motorway signs or water processing plant through to the airplane I’m currently sat on under the control of air traffic control. All it takes is a single point of entry to go undetected.

The mitigation for this type of attack ranges from responsible disclosure to the vendor, as with EternalBlue, which inadvertently entered the public domain from the NSA, through to having a full understanding of the endpoints that exist within your CNI estate. For the latter, this information should consist of verified baselines and backups, security and backup continuity plans and policies which are regularly tested, change and patch management and, finally, not forgetting an effective security monitoring solution to monitor and alert on anomalies detected.

For now, WannaCry is limited to utilising code to attack Windows-only endpoints – that’s not to say that version 3 or 4 won’t extend its functionality to make use of the other leaked NSA code modules to create more specialised targeted attacks.

Company Overview – Our History, Values & Experience

Founded originally as RKNeal Engineering, we have amassed over 20 years of experience, with our engineers having worked with nearly every major DCS, PLC, and SCADA system on. Today our legacy lives on in the 1,000+ automation and control system projects we have completed.

We have worked closely with our clients on their most pressing network and data needs. We have helped them evolve their networks to manage the increasing amount of connectivity necessary to drive increased efficiency and reliability. We understand how these networks work, their vulnerabilities, and the unique operational characteristics that separate controls networks (operating technology or OT) from IT networks.

Almost 10 years ago, we identified the risks inherent in these older control systems as more of the networks were exposed to external sources of data – whether through the internet or the simple connection of USB sticks. What really concerned us was that cyber security within the ICS environment was fragmenting across OEM vendors and various cyber threat management software tools. Complexity was getting worse, and risks were getting higher. Managing this complexity in an operating environment requires unique expertise.

As a result, we set out to build a unified monitoring and remediation console that lets you view and manage your cyber security workflow, threats, and compliance from a single, vendor-neutral security suite – what we call the Verve Security Centre.

Our focus with Verve has been to improve and simplify reliability, security and compliance within the operational enterprise, and we designed Verve to enable the best IT software tools to work in the ICS environment. Our proprietary “ICS bus” embedded our years of ICS expertise into an integration platform that would allow these multiple systems to operate in concert with one another – and at no risk to the sometimes-fragile legacy control systems.

We combined this integration with customized data tools to seamlessly integrate today’s and tomorrow’s state-of-the-art capabilities, ensuring that customers are always protected.

Verve Industrial Protection, 240 Blackfriars Road, London SE1 8NW

URL: http://www.verveindustrial.com
Email: EMEA@verveindustrial.com
LinkedIn: https://www.linkedin.com/company/rkneal
Phone: +44 (0) 7399 538967

Copyright Verve Industrial Protection 2017

Magion Partners With Verve Industrial Protection

This week Magion announces its partnership with Verve Industrial Protection, an RKNeal Engineering company. Both Magion and Verve have a solid background in process control and automation.

Verve has been in the control engineering business for 25 years. Verve Industrial Protection encompasses three integrated software and service offerings: Design-4-Defense industrial control engineering, Verve Security Center software platform and Managed Asset Protection Services.

Together, these solutions help customers build true defense in depth and cover the critical areas of compliance required by regulators.

This union with Verve is Magion’s step forward into a strategy to move further into industrial cyber security operations, taking advantage of opportunities driven by the Industrial Internet of Things.

For more information regarding this partnership, please contact your Verve Industrial Protection representative at 1-855-475-6247 or your Magion representative.

Verve Industrial Protection is a provider of software and services for the process industries.

Magion is a system integrator in process control & automation engineering, production intelligence and optimization.


Industrial Cybersecurity Industry Leader, Eric Byres, Joins Verve Industrial Protection as Senior Advisor

ST. LOUIS and CHICAGO, Jan. 31, 2017:  Verve Industrial Protection, formerly known as RKNeal, is pleased to announce the appointment of Eric Byres P.Eng, ISA Fellow, as Senior Advisor.  Mr. Byres will work with the leadership of the company on product and strategic matters in the arena of industrial cybersecurity and protection.

Mr. Byres has a tremendous track record as a leader in ICS cybersecurity.  As the inventor of the Tofino Security technology, Eric and his partner Joann guided the product through its evolution from academic research project and startup to successful acquisition by Belden Inc. Today it is probably the most widely deployed ICS-specific firewall in the world.

Eric is also known for his leadership in international standards and research for ICS/SCADA security. As the founder of the BCIT Critical Infrastructure Security Centre, he shaped it into one of North America’s leading academic facilities in ICS security, culminating in a SANS Institute Security Leadership Award in 2006. He was the founding chair of the ISA SP-99 Security Technologies Working Group, and the Canadian representative for the IEC TC65/WG10 standards effort.

“We are thrilled that Eric has agreed to join us as we push forward in our vision to help secure industrial control systems.  Eric’s willingness to commit his valuable time to our company will help us expand our leading industrial cybersecurity solutions,” said John Livingston, CEO of Verve Industrial Protection.

Mr. Byres will focus on helping expand the capabilities of Verve Industrial’s flagship product, Verve Security Center (VSC). VSC is a vendor-agnostic platform that consolidates antivirus, application whitelisting, change & configuration management, security information & event management (SIEM), patch management, vulnerability assessments, intrusion detection, backup management, and compliance evidence management. VSC unifies threat intelligence into a single console, simplifying the complexity of ICS security and compliance.

“I am excited to help the Verve team expand on the success that they have to date,” said Mr. Byres. “The industrial world really needs a solution like Verve Security Center.  It is the only fully integrated security platform that I have seen that was built by ICS engineers for ICS engineers.  It was designed with the security challenges of the plant floor in mind. Verve’s the foundation that will allow companies to start creating an active defense that truly “closes the loop” on ICS security.”

About Verve Industrial Protection:  Verve has been in the controls engineering business for 25 years. Verve Industrial Protection (“VIP”) encompasses three integrated software and service offerings: 1) Design-4-Defense industrial controls engineering & design, 2) Verve Security Center software platform, and 3) Managed Asset Protection Services.  Together, these solutions help customers build true defense in depth and cover the critical areas of compliance required by regulators.

For more information, visit www.verveindustrial.com or contact Rick Kaun at rkaun@verveindustrial.com or 615-476-1801.


RKNeal Launches Verve Industrial Protection

New brand, logo and website reflect growing importance of Industrial Control Protection – cybersecurity, reliability, and compliance

ST. LOUIS, MO and CHICAGO – January 18, 2017 – RKNeal, LLC, a leader in industrial control systems, announces today that it is changing its operating name to Verve Industrial Protection. This new brand reflects the company’s increasing focus on helping industrial clients protect critical assets from cybersecurity threats while maintaining its core strength in industrial automation engineering.

For over 25 years, RKNeal has provided practical, scalable, cost-effective industrial control systems solutions to clients in power, chemicals, energy, and basic materials. The team of control system engineers is recognized by clients for their customer commitment and expertise in all brands of OEM equipment and enjoys a 97% customer retention rate.

Over the past ten years, the company has built on this industrial controls expertise to help clients address the growing challenges of cybersecurity and compliance in control system networks.  The company was the first industrial controls engineering firm to embed cybersecurity and compliance requirements into every engineering project.  In addition, the company built its flagship cybersecurity software product, Verve Security Center, based on its knowledge from 25 years of field-tested engineering.

Today RKNEAL, LLC announced that it is rebranding to now be known as Verve Industrial Protection.  Verve Industrial Protection (“VIP”) encompasses three integrated software and service offerings: 1) Design-4-Defense industrial controls engineering & design services, 2) Verve Security Center software platform, and 3) Managed Asset Protection Services.  Together, these solutions allow Verve to help customers build true defense in depth, protect their critical assets and maximize operational uptime.

The Verve Security Center was “built by ICS engineers for ICS engineers.”  It is a vendor agnostic security suite that consolidates antivirus, application whitelisting, change & configuration management, security information & event management (SIEM), patch management, vulnerability assessments, intrusion detection, backup management, compliance, workflow and document management into a unified solution.   As new technology arises, Verve can adapt to these new features without rewriting complete applications. It simplifies the complexity of protecting these critical assets and is deployed in over a dozen customers and protects thousands of cyber assets.

This rebranding does not indicate a reduced commitment to traditional industrial controls engineering. “Verve Industrial Protection reflects our commitment to bringing a focus of security, reliability and compliance to all of our clients. We understand clients need more than just one-time engineering. They are looking for an integrated services and software solution to ensuring their processes continue to operate safely and reliably,” said John Livingston, CEO.

Verve Industrial Protection counts some of the largest and most forward-thinking power companies in the US among its clients, is currently working with a score of interested parties in other industries and, most recently, has begun expanding into Europe, the Middle East and Canada. Bob Bevis, CTO, says “We are very proud of what we have built with our clients as our solutions always represent simple yet powerful collaborations and innovations in the way things have been traditionally done. We are excited to bring these capabilities to global operators of industrial assets.”

###

About Verve Industrial Protection: Verve Industrial Protection is a specialist in designing and protecting industrial control systems. The company has 25 years’ experience in the design and maintenance of control systems. Its cybersecurity offering, Verve Security Center, is the leading solution to bring together full visibility and protection into one integrated console. For more information, please email us at sales@verveindustrial.com, or visit us at verveindustrial.com.