Verve’s OT Cyber Security Solution: A Quarter Century in Review

In 2020, Verve Industrial celebrates our 25th year in business. We are reflecting on this quarter-century mark and are thankful to our clients, teammates and partners as we embark on the second quarter of our hundred-year journey.

The results of this evolution have been nothing short of astounding. Just in the past year alone, Verve has:

  • increased our new customer introduction by 5x
  • expanded assets under management by 3x
  • helped clients remediate tens of thousands of vulnerabilities and configuration errors, at least doubling their cyber security maturity
  • all leading to an increase in bookings of 3x

Read the full post to learn about Verve’s evolution in ICS and what we attribute our growth to.

Fundamentals of ICS Security – US CERT TA17-164A


The United States Computer Emergency Readiness Team (US-CERT) recently revised Alert TA17-164A, which details the tools and infrastructure used by cyber actors of the North Korean government.  Although the alert is written around those specific actors, the mitigations it recommends are effective against the same techniques in anyone's hands.  As these techniques become well known, other actors may adopt them or derive similar ones for their own campaigns against other targets.

The alert should be of particular concern to owners and operators of industrial control systems because these actors “commonly target systems running older, unsupported versions of Microsoft operating systems.”  The actors have also exploited vulnerabilities in Adobe Flash Player and Microsoft Silverlight.  The versions of Microsoft Windows used in industrial control systems typically lag those in commercial environments and are not always replaced or upgraded when Microsoft ends support, and Flash Player and Silverlight are sometimes used by machine-interface or supervisory applications in operational technology environments.

The alert encourages all network administrators to apply several mitigation strategies.  These strategies work best when integrated to form a stronger security fabric. A few of them are particularly applicable to industrial control systems:

  1. Patch applications and operating systems
  2. Use application whitelisting
  3. Restrict administrative privileges
  4. Segment networks and segregate them into security zones
  5. Understand firewalls

Patch Applications & Operating Systems

Owners and operators should take every opportunity to patch their control system assets.  The traditional claim that patching is a greater risk than the vulnerabilities it fixes ignores the experience of the last several years, beginning with the revelations around Stuxnet and continuing with its derivatives and a steady drumbeat of vulnerabilities specific to industrial applications, controllers, and common support equipment.  Every owner or operator of an industrial control system should have an active program to periodically evaluate and install application and operating system patches for all devices in the environment.  The period may be annual or semi-annual, depending on downtime requirements and the perceived risk of process disruption, but there should be a period.

Application Whitelisting

Application whitelisting and the restriction of administrative privileges are becoming best practice in operational technology environments, particularly on systems running Microsoft operating systems.  Controllers and common support equipment do not typically support whitelisting (or the manufacturer supplies an equivalent function, with varying degrees of effectiveness).  Application whitelisting can be particularly effective in a controls environment because the set of applications in use is relatively small and static, so the biggest problem with whitelisting in the IT context, whitelist “bloat”, is significantly smaller in control systems.

Restricting Administrative Privileges

Restricting administrative privileges is a security best practice.  However, the increased risk of denying support personnel ready access to these devices may offset the benefit of restricting privileges against this threat. There are several ways to pursue the objective, from stronger and more limited password use, to alerting on new administrative account access, to regular review of administrative account usage. Importantly, the right mix depends on the type of device at issue.  We find that employing a range of “alerting and review” measures, along with true restriction on certain devices, is the most balanced approach to security and operational reliability.
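
One way to implement the “alerting and review” side of this approach, as an added example that is not code from the original page or from Verve: the records below are a constructed, simplified JSON-lines export of Windows Security events (the field names are assumed), the per-host list of approved administrative accounts is assumed, and the event IDs are the standard Windows ones for an administrative logon (4672) and for additions to a security-enabled group (4728 global, 4732 local). The per-host approval map is what lets the policy differ by device type, as the paragraph above recommends.

```python
"""Alert-and-review checks on administrative account use.

Added example, not code from the original page or from Verve. The input is a
constructed, simplified JSON-lines export of Windows Security events of the
kind an event forwarder or SIEM would hold; field names are assumed. Event IDs:
  4672         special privileges assigned to a new logon (an administrative logon)
  4728 / 4732  member added to a security-enabled global / local group
"""
import json
from collections import Counter

# Per-device policy (assumed): which accounts are expected to log on with
# administrative rights on which host. Hosts absent from the map use DEFAULT.
APPROVED_ADMINS = {
    "HMI-01": {"svc_backup"},
    "ENG-WS-02": {"svc_backup", "j.smith"},
}
DEFAULT_APPROVED = {"svc_backup"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample export, not real data.
SAMPLE_EVENTS = """
{"time": "2017-06-20T08:02:11Z", "host": "HMI-01", "event_id": 4672, "account": "svc_backup"}
{"time": "2017-06-20T08:05:40Z", "host": "ENG-WS-02", "event_id": 4672, "account": "j.smith"}
{"time": "2017-06-20T09:17:03Z", "host": "HMI-01", "event_id": 4672, "account": "contractor7"}
{"time": "2017-06-20T09:18:20Z", "host": "HMI-01", "event_id": 4732, "account": "contractor7", "group": "Administrators", "member": "tmpadmin"}
{"time": "2017-06-20T09:30:00Z", "host": "HMI-03", "event_id": 4624, "account": "operator1"}
{"time": "2017-06-20T09:31:00Z", "host": "HMI-03", "event_id": 4672, "account": "j.smith"}
{"time": "2017-06-21T08:01:55Z", "host": "ENG-WS-02", "event_id": 4672, "account": "j.smith"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unexpected_admin_logons(events):
    """4672 logons by an account not approved for administrative use on that host."""
    alerts = []
    for e in events:
        if e["event_id"] != 4672:
            continue
        approved = APPROVED_ADMINS.get(e["host"], DEFAULT_APPROVED)
        if e["account"] not in approved:
            alerts.append((e["time"], e["host"], e["account"]))
    return alerts


def admin_group_changes(events):
    """Any addition to an administrative group is alerted, whoever made it."""
    return [
        (e["time"], e["host"], e["account"], e["member"])
        for e in events
        if e["event_id"] in (4728, 4732) and e.get("group") in ADMIN_GROUPS
    ]


def admin_usage_review(events):
    """Administrative logon counts per (account, host) for periodic review."""
    return Counter((e["account"], e["host"]) for e in events if e["event_id"] == 4672)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for a in unexpected_admin_logons(evts):
        print("ALERT unexpected admin logon:", a)
    for g in admin_group_changes(evts):
        print("ALERT admin group change:", g)
    for (account, host), n in sorted(admin_usage_review(evts).items()):
        print(f"REVIEW {account}@{host}: {n} admin logon(s)")
```

On the sample data the contractor's administrative logon to HMI-01 and the engineer's logon to a host he is not approved for both alert, the new member added to the local Administrators group alerts regardless of who added it, and the review counter shows the routine engineering workstation use that nobody needs to be paged about.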

Network Segmentation & Understanding Firewalls

Segmenting networks and using effective firewalls are critical elements of any cyber security solution, and of any reliability solution for that matter. Segmentation can improve the overall reliability of industrial control systems, harden them against lateral movement by malicious actors within the environment, and limit the scope of an incident response effort.  Continual review and updating of the rules that control network traffic, enforce communications protocols, and feed central intrusion detection lets the network administrator apply the principles of continuous improvement to the network's security profile over time.

Critical to segmentation is a thorough understanding of firewalls and routers.  In certain cases routers can be used as less capable firewalls where a complex network benefits from lighter traffic control between closely interdependent segments.

Networks can be segmented into security zones in many ways.  Two common strategies are to segment by the service provided to the facility and to segment by class of asset.  Both can be equally effective, although one may be less costly than the other depending on the details of the environment.

Segmenting by service allows each service to the facility to be isolated during an incident, whether non-malicious (a simple broadcast storm) or malicious (a worm spreading over SMB).  When an incident occurs, a router or firewall can give network administrators or security analysts some warning of unusual activity and may prevent the incident from directly affecting more than one service to the facility.  Many facilities have storage or redundancy for utility services that allows at least limited service to continue during an incident.  While a large storage tank is independent of the segmentation strategy, conscious decisions should be made about whether redundant services are co-located within one segment.  Running parallel networks (physical or virtual) throughout a large facility is no longer standard practice in commercial network design, but it is still widespread in industrial control systems.

Segmenting by class of asset isolates threats to individual platforms.  Machine interfaces typically need to communicate with controllers, but not with each other.  Placing all machine interface hosts in a common segment and using private VLANs (or equivalent host isolation) begins to apply micro-segmentation: each machine interface host can communicate with its controllers but not with other, similar hosts.  Keeping the controllers on a separate segment gives the firewall the opportunity to limit communications between the hosts and the controllers to only the protocols used for control functions.  Malicious code introduced on a host then cannot reach the dissimilar platform over any protocol the firewall does not permit, and many denial of service attacks launched from machine interface hosts against controllers become ineffective.  Attacks carried over the permitted control protocols themselves remain possible, which is why the permitted set should be as small as the process allows.

A key consideration in designing network segments is the definition of security zones.  Zones can be defined using the NIST guidance (NIST SP 800-82).  Common zones used in operational technology environments include, but are not limited to:

* Process Information Network (aka Demilitarized Zone, providing process information to the commercial environment)

* Remote Access Network

* Management or Supervisory Network (management workstations and supervisory services such as log collection, performance monitoring, and event analysis servers)

* Process Control Networks (Distributed Control Systems, Supervisory Control and Data Acquisition systems, or hybrid machine interface, controller, and instrumentation networks)

* Operational Networks

** Operational Supervisory Network

** Basic Control Network (typically machine interfaces, alarming, and controllers)

** Safety Network (independent safety controllers and instrumentation)

** Process Network (networked instrumentation, including both sensors and control elements)
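
The class-of-asset design described above (machine interface hosts that reach their controllers on control protocols only, and never each other) can be written down as a zone-and-conduit policy and checked against observed traffic. The following is an added example, not code from the original page or from Verve: the zone names follow the list above, while the address ranges, host-to-zone assignments and permitted conduits are assumptions, and the flow records are constructed samples of what a firewall log or passive sensor would export.

```python
"""Zone-and-conduit policy check for an ICS segmentation design.

Added example, not code from the original page or from Verve. Zone names
follow the list above; the address ranges, host-to-zone assignment and the
permitted conduits are assumptions made for illustration. Flow records are
constructed samples of what a firewall log or passive sensor would export.
Port numbers used: 502 Modbus/TCP, 44818 EtherNet/IP, 3389 RDP, 445 SMB.
"""
import ipaddress

# Assumed layout: one subnet per zone keeps the lookup a simple prefix match.
ZONES = {
    "process_information": ipaddress.ip_network("10.10.0.0/24"),  # DMZ toward IT
    "supervisory":         ipaddress.ip_network("10.20.0.0/24"),  # SCADA servers, historian
    "basic_control_hmi":   ipaddress.ip_network("10.30.0.0/24"),  # machine interface hosts
    "basic_control_plc":   ipaddress.ip_network("10.31.0.0/24"),  # controllers
    "safety":              ipaddress.ip_network("10.40.0.0/24"),  # safety controllers
}

# Permitted conduits: (source zone, destination zone) -> allowed TCP ports.
# Anything not listed is denied.
CONDUITS = {
    ("basic_control_hmi", "basic_control_plc"): {502, 44818},  # control protocols only
    ("supervisory", "basic_control_plc"): {502, 44818},
    ("supervisory", "basic_control_hmi"): {3389},              # assumed: management RDP
    ("supervisory", "process_information"): {1433},            # assumed: historian replication
    ("safety", "supervisory"): {502},                          # status reads only
}

# Zones whose members may talk to each other. Controllers exchange peer data;
# machine interface hosts have no reason to, so their zone is not listed.
INTRA_ZONE_ALLOWED = {"basic_control_plc"}


def zone_of(addr):
    """Name of the zone whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate_flow(src, dst, dport, proto="tcp"):
    """Return (verdict, reason) for one observed flow under the conduit policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        if src_zone in INTRA_ZONE_ALLOWED:
            return "allow", f"peer traffic within {src_zone}"
        return "deny", f"intra-zone traffic within {src_zone} is not permitted"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return "deny", f"no conduit {src_zone} -> {dst_zone}"
    if proto != "tcp" or dport not in allowed:
        return "deny", f"{proto}/{dport} not in conduit {src_zone} -> {dst_zone}"
    return "allow", f"{src_zone} -> {dst_zone} on {proto}/{dport}"


def audit(flows):
    """Evaluate (src, dst, dport) records; returns the flows that violate policy."""
    return [(f, reason) for f in flows
            for verdict, reason in [evaluate_flow(*f)] if verdict == "deny"]


# Constructed sample flows.
SAMPLE_FLOWS = [
    ("10.30.0.11", "10.31.0.5", 502),     # HMI polls its PLC over Modbus/TCP
    ("10.30.0.11", "10.30.0.12", 445),    # HMI to HMI over SMB: the worm path
    ("10.30.0.11", "10.31.0.5", 445),     # HMI to PLC over SMB
    ("10.10.0.7", "10.31.0.5", 502),      # DMZ host reaching straight into a PLC
    ("10.31.0.5", "10.31.0.6", 44818),    # controller peer exchange
    ("10.30.0.11", "10.40.0.2", 502),     # HMI writing to a safety controller
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("VIOLATION", flow, reason)
```

Run against the sample flows, the only traffic that passes is the HMI-to-controller Modbus poll and the controller peer exchange; SMB between two HMIs (the path a worm would take), SMB toward a controller, a DMZ host talking directly to a controller and an HMI writing to a safety controller are all reported. Note that the same check also shows the limit of segmentation: a compromised HMI can still speak Modbus to its own controller, because that is the conduit the process needs.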


Security vendors and the press often focus on the more advanced features of new products and technologies, and all of those can potentially help make a network more secure. This CERT release, however, shows how critical the fundamentals of cyber security are, especially in industrial control systems. Patching, application whitelisting, administrative privilege management and segmentation are all critical to get right if you are to both protect against and detect potential threats.

Dragonfly, Energy Targets and General ICS Security Hype


Just the other day Symantec published an article about the recent ‘re-discovery’ of a group known as ‘Dragonfly’.  The article itself is a decent analysis of the threat and attack vectors this group uses, and it even has a handy chart displaying their ‘progress’ since the last time they were discovered.  My only real critique is that Symantec says twice in the article that “Symantec customers are protected against the activities of the Dragonfly group.”  This I have a problem with, on many fronts.  Symantec is a good company that does good things.  They even have the ability, with their suite of products, to likely prevent or minimize damage to their clients’ assets.  But this statement provides a false sense of security, because in an ICS network you can’t deploy all the tools a product like Symantec’s has to offer with the level of automatic updating and intervention it provides.  In reality you are maybe able to use half of its features (AV but not endpoint protection, or endpoint protection but limited to specific systems or scaled-down functions like alert-but-don’t-block, etc.).  This is not the fault of Symantec but rather a consequence of the reality of OT equipment and OEM vendor control and support.

What would provide an appropriate level of security comfort is something very few currently have: a detailed, up-to-date profile of their asset fleet.  There are a few qualifiers to that statement, so let’s walk through them.


When I say asset list I don’t mean a list of IP addresses.  That is just a base-level ‘head count’.  I mean detail: what is the device (relay, controller, PLC, engineering station, …)?  What is running on it (hardware, firmware, serial number, software, OS, etc.)?  And where is it located, physically and functionally, in your plant or along the process?  I am talking about the sort of detail that lets you truly understand what is really out there and how it is configured.


Too many times we see an ‘asset list’ from a client who is pretty sure it is ‘reasonably’ accurate, like 90% accurate, but this is rarely the case.  Of the last 5 client asset lists I have seen in the last 3 months, only one was 90% accurate.  At the other end of the spectrum, we found 590% more IP-enabled assets at a particular site than they thought they had.  The only way to combat this is to be active.  I don’t mean actively scanning an OT network, but I do mean implementing a proactive set of data collection and asset inventory tools.  They can be native to the system, they can be passive listeners (though these lack system-specific detail), and/or they can use agents on OS-based devices.  More likely, however, it is a combination of multiple data profiling techniques and technologies that will give you an accurate inventory.


Once compiled, the data in this asset list or database is invaluable.  It lets you create profiles of assets or classes of assets, and these profiles enable more accurate creation and tuning of security tools like whitelisting, vulnerability scanning and change management.  But what is most beneficial is the ability to query the database for a specific risk.  By showing only those devices that are in scope for a current or emerging threat, you refine your workload to only what is truly at risk.  Take the recent WannaCry threat, which we also wrote about: imagine if you could query your asset database to show just those systems with SMB ports 139 and 445 enabled?  You wouldn’t need to run around with a Windows disk patching all systems; you could just disable the ports on those systems.  Crisis averted!


Best-in-class IT tools are great for the function they provide, assuming you are able to take advantage of them.  However, for a more robust and more accurate ability to act and react to threats to ICS networks, you need to start with a much more inclusive view of what you have installed in the first place.  Visibility is what lifts the veil of uncertainty and allows ICS security teams to focus their very limited resources on what is truly at risk, in a way that is safe for OT.



WannaCry and What to do for ICS

We are sure that by now you have heard all about WannaCry and its multitude of possible variants.  What may be less clear is what you should do about it.  To cut to the chase, the following should be investigated or executed at a minimum, as soon as possible:

  1. Apply the Windows SMB patch (Microsoft Security Bulletin MS17-010, rated Critical) as soon as possible. Microsoft also released an out-of-band update for versions of Windows no longer in support, including Windows XP, Windows 8 and Windows Server 2003.
  2. Block the SMB ports (139 and 445) between IT and OT networks (where the boundary is already a data diode, there is no bidirectional path to block).
  3. On systems that do not require SMB, disable it altogether (Microsoft publishes instructions for disabling SMBv1) or block it with the endpoint firewall.
  4. On systems that require SMB only for less important services, consider disabling SMB until the patch can be applied.
  5. Quickly review disaster recovery plans and determine which Windows-based ICS systems have current backups. Image or back up those systems as soon as possible to aid rapid recovery if they become infected.
  6. ICS security teams also need to remain vigilant for new variants of WannaCry that may use new replication techniques.
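
The query the Dragonfly post above asks for (which hosts have SMB ports 139 and 445 enabled) and the six steps just listed can be driven from the same asset inventory. The following is an added example, not code from the original page or from Verve: the inventory records are constructed, and their field names are assumptions, including a flag recording whether MS17-010 is already applied (the KB numbers differ per Windows version and are not modelled). It goes one step beyond the text by ranking the hosts and by treating a host that still needs SMB for a critical service as a case for restriction rather than for simply disabling the ports.

```python
"""Inventory-driven triage for an SMB-borne threat such as WannaCry.

Added example, not code from the original page or from Verve. The inventory
records are constructed samples; their field names, and the idea that the
inventory tool records MS17-010 status as a flag (the KB numbers differ per
Windows version and are not modelled here), are assumptions for illustration.
"""
SMB_PORTS = {139, 445}
BACKUP_MAX_AGE_DAYS = 30
# Platforms that only received MS17-010 through Microsoft's out-of-band update.
OUT_OF_BAND_OS = ("Windows XP", "Windows Server 2003")

# Constructed sample inventory, not real data.
INVENTORY = [
    {"host": "HMI-01", "os": "Windows XP SP3", "zone": "basic_control",
     "ports": [139, 445, 3389], "ms17_010_applied": False,
     "smb_required": True, "smb_critical": False, "last_backup_days": 400},
    {"host": "ENG-WS-02", "os": "Windows 7 SP1", "zone": "supervisory",
     "ports": [445], "ms17_010_applied": True,
     "smb_required": True, "smb_critical": False, "last_backup_days": 3},
    {"host": "SCADA-SRV-1", "os": "Windows Server 2008 R2", "zone": "supervisory",
     "ports": [445, 1433], "ms17_010_applied": False,
     "smb_required": True, "smb_critical": True, "last_backup_days": 45},
    {"host": "HIST-DMZ", "os": "Windows Server 2012 R2", "zone": "process_information",
     "ports": [1433], "ms17_010_applied": False,
     "smb_required": False, "smb_critical": False, "last_backup_days": 10},
    {"host": "PLC-07", "os": "VxWorks", "zone": "basic_control",
     "ports": [502, 44818], "ms17_010_applied": False,
     "smb_required": False, "smb_critical": False, "last_backup_days": 90},
]


def smb_exposed(asset):
    """In scope if it is a Windows host with an SMB port open."""
    return asset["os"].startswith("Windows") and bool(SMB_PORTS & set(asset["ports"]))


def query_smb_exposed(inventory):
    """The query the text asks for: hosts with 139 or 445 enabled."""
    return [a["host"] for a in inventory if smb_exposed(a)]


def triage(asset):
    """Map one in-scope asset to the actions in the list above; empty if out of scope."""
    actions = []
    if not smb_exposed(asset):
        return actions
    if asset["ms17_010_applied"]:
        actions.append("verify MS17-010 is present; keep 139/445 blocked at the IT/OT boundary")
    else:
        if asset["os"].startswith(OUT_OF_BAND_OS):
            actions.append("apply the out-of-band MS17-010 update for unsupported Windows")
        else:
            actions.append("apply MS17-010 at the next maintenance window")
        if not asset["smb_required"]:
            actions.append("disable SMBv1 and block 139/445 with the host firewall now")
        elif not asset["smb_critical"]:
            actions.append("disable SMB until the patch is applied (non-critical use)")
        else:
            actions.append("SMB needed for a critical service: restrict 139/445 to named peers until patched")
    if asset["last_backup_days"] > BACKUP_MAX_AGE_DAYS:
        actions.append(f"image or back up now (last backup {asset['last_backup_days']} days old)")
    return actions


def triage_inventory(inventory):
    """Host -> actions, in-scope hosts only, hosts needing the most work first."""
    plan = {a["host"]: triage(a) for a in inventory if smb_exposed(a)}
    return dict(sorted(plan.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    print("SMB exposed:", query_smb_exposed(INVENTORY))
    for host, actions in triage_inventory(INVENTORY).items():
        print(host)
        for act in actions:
            print("  -", act)
```

On the sample inventory the historian in the DMZ and the PLC drop out of scope immediately, the already-patched engineering workstation gets a verification task only, and the unpatched Windows XP HMI with a year-old backup rises to the top of the list. The inventory is only as good as the port and patch data in it, which is the point the Dragonfly post makes about collecting that data actively.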

Now that you have your marching orders, here are a couple of other sources of information for you to review.  The first article was written by our very own Technical Director for EMEA, based in the UK.  His article ‘When Worms Attack Critical Infrastructure’ can be found here.

Additionally our senior advisor and ‘godfather’ of ICS security Eric Byres helped out our friends at ISSource with his article titled ‘How to Protect Against WannaCry’.

And be sure to check back soon: very shortly we will publish a more detailed analysis of how an orchestrated tool like our Verve Security Center, with its 100% visibility into your assets and their status and the ability to tune endpoints from our portal, could speed future efforts like this.  Stay tuned!

When WORMs Attack Critical Infrastructure

On 12 May 2017 a new breed of malicious worm began infecting Windows machines. Early reports attributed the first infections to a phishing email opened by an unwitting user; later analysis traced the spread to SMB services exposed to the internet. The worm in question, the WannaCry (WannaCrypt0r) crypto-ransomware, was a wrapper around a tool originating from the NSA’s cyber arsenal and released into the public domain by a hacking group going under the name Shadow Brokers. The tool WannaCry wrapped into its own functionality was EternalBlue, an exploit for a set of previously undisclosed Microsoft SMBv1 vulnerabilities (the ones addressed by MS17-010); WannaCry also used DoublePulsar, a kernel-level backdoor, to load additional code onto the compromised endpoint. Once running, the worm used EternalBlue to traverse the network and hunt down other Windows PCs. On each host it reached it would start its main task, encrypting the user’s files, and once complete it would display its ransom notification asking for funds to be transferred in order to release the user’s data.

By Monday the 15th the worm was believed to have reached over 230,000 machines in over 150 countries, its spread stunted by the accidental discovery of a ‘kill switch’ inside the worm: before doing anything else, the worm checked whether it could reach a particular URL, and if the URL responded, it exited without encrypting or spreading from that host. Since this was discovered, variants have begun to emerge with the kill switch functionality disabled. It is worth noting that the speed of spread relied on endpoints being ‘internet facing’ and Microsoft patching not being up to date. Within the UK alone the worm affected 1 in 5 NHS trusts, with 70,000 devices, including x-ray machinery running Windows XP, becoming unusable and causing the NHS to declare an emergency. Interestingly, the NHS is trialling a replacement operating system which, had it been deployed, would have drastically reduced their exposure to this attack.

Now shift this into the realms of nuclear processing, electrical generation, chemical processing or any process-driven critical operation whose control systems are, by design, generally segregated and hived off from the outside world. If this worm were introduced into such an environment, any Microsoft system, be it an HMI workstation, engineering workstation or SCADA server, would be rendered useless once encryption had taken place. Because these systems could not contact the external check URL acting as the kill switch, replication would continue. How long these systems could run safely before being shut down would depend on the type of process and on the ability to deal with and mitigate such an outbreak.

Now suppose a future variant’s logic searched for a machine with a specific function or role. Where that function is not matched on the compromised endpoint, the variant might encrypt the machine’s data and demand a ransom as before; where it is matched, the encryption component might not be deployed at all. Instead the secondary wrapped tool, DoublePulsar, could be used to look for a path to a command and control server and load extra functionality that allows remote control of the process system, rather than rendering its disks inoperable. For these systems, that means anything from introducing sporadic inconsistencies, to placing the system in an unhealthy condition and potentially endangering life by rendering safety systems ineffective, to feeding control room staff incorrect information. The target could be anything from your local ATM or card payment system, managed motorway signs or a water processing plant, through to the airplane I’m currently sat on under the control of air traffic control. All it takes is a single point of entry to go undetected.

The mitigation for this type of attack ranges from responsible disclosure to the vendor, as in the case of EternalBlue after the NSA tool inadvertently entered the public domain, through to having a full understanding of the endpoints that exist within your CNI estate. For the latter, that understanding should include verified baselines and backups, security and backup continuity plans and policies that are regularly tested, change and patch management, and, not forgetting, an effective security monitoring solution that detects and alerts on anomalies.

For now, WannaCry is limited to code that attacks Windows endpoints only. That is not to say that version 3 or 4 won’t extend its functionality to use the other leaked NSA code modules to create more specialised, targeted attacks.

Company Overview – Our History, Values & Experience

Founded originally as RKNeal Engineering, we have amassed more than 20 years of experience, with our engineers having worked with nearly every major DCS, PLC, and SCADA system. Today our legacy lives on in the 1,000+ automation and control system projects we have completed.

We have worked closely with our clients on their most pressing network and data needs. We have helped them evolve their networks to manage the increasing amount of connectivity necessary to drive increased efficiency and reliability. We understand how these networks work, their vulnerabilities, and the unique operational characteristics that separate controls networks (operational technology, or OT) from IT networks.

Almost 10 years ago, we identified the risks inherent in these older control systems as more of the networks were exposed to external sources of data – whether through the internet or the simple connection of USB sticks. What really concerned us was that cyber security within the ICS environment was fragmenting across OEM vendors and various cyber threat management software tools. Complexity was getting worse, and risks were getting higher. Managing this complexity in an operating environment requires unique expertise.

As a result, we set out to build a unified monitoring and remediation console that lets you view and manage your cyber security workflow, threats, and compliance from a single, vendor-neutral security suite – what we call the Verve Security Centre.

Our focus with Verve has been to improve and simplify reliability, security and compliance within the operational enterprise, and we designed Verve to enable the best IT software tools to work in the ICS environment. Our proprietary “ICS bus” embedded our years of ICS expertise into an integration platform that would allow these multiple systems to operate in concert with one another – and at no risk to the sometimes-fragile legacy control systems.

We combined this integration with customized data tools to seamlessly integrate today’s and tomorrow’s state-of-the-art capabilities, ensuring that customers are always protected.

Verve Industrial Protection 240 Blackfriars Road London





+44 (0) 7399 538967

Copyright Verve Industrial Protection 2017

Verve Industrial Protection partners with Magion for Benelux Industrial Cybersecurity

This week Magion announces its partnership with Verve Industrial Protection, an RKNeal Engineering company. Both Magion and Verve have a solid background in process control and automation.
Verve has been in the controls engineering business for 25 years. Verve Industrial Protection encompasses three integrated software and service offerings: Design-4-Defense industrial control engineering, Verve Security Center software platform and Managed Asset Protection Services.
Together, these solutions help customers build true defense in depth and cover the critical areas of compliance required by regulators.
This union with Verve is Magion’s step forward into a strategy to move further into industrial cyber security operations, taking advantage of opportunities driven by the Industrial Internet of Things.
For more information regarding this partnership, please contact your Verve Industrial Protection or Magion representative.
Verve Industrial Protection is a provider of software and services for the process industries.
Magion is a system integrator in process control & automation engineering, production intelligence and optimization.



RKNeal Orchestration Concept Published in ARC View

The risk of cyber incidents remains high for industrial plants and critical infrastructure. Many operators have invested in sophisticated cyber defenses, but most struggle to sustain them. Staffs are overwhelmed with the complexity of managing a never-ending stream of product patches and updates for a multitude of assets and security products.

Verve Security Center helps to cut through the confusion, minimize the effort and maximize the accuracy and efficiency of an operations-based cyber security program. Recently Verve worked with ARC to define and describe what has been coined an ‘orchestrated approach’ to cyber security. To read the full ARC View report, click here.

Where To Find ICS Security Breach Data

It can be a struggle to find real data regarding what is going on in the ICS threat landscape. But if you know where to look, the data is out there. A recent article highlights 6 great resources:

For more background on these ICS threat data sources, and the full article, see: Where-to-Find-Hard-to-Get-Industrial-Security-Data

Protecting Industrial Control Systems: An Integrated Approach

Technical white paper

Through our work with critical infrastructure operators we have studied a significant number of security solutions offered to meet both the minimum regulatory requirements and the more stringent security requirements of industry-leading companies. Our findings were not surprising, but unfortunately we did not find a solution that was comprehensive or offered the defense-in-depth strategy necessary for adequate protection.

The purpose of this white paper is to present a novel cyber security framework for deploying and managing best-in-breed cyber threat management products across multiple OEM vendors.

To read the full white paper, please click here.