Cisco Blogs



Utility and Energy Security: Responding to Evolving Threats

With the increased interest in cybersecurity and the recent news that utilities are being targeted around the world, I’m making sure our readers have seen the latest white paper to come out of the Cisco ‘Brain-Trust’ on security in utilities and the energy industry.

As the white paper announces, “Utilities and energy organizations are part of the critical infrastructure of any nation, which makes them a high-profile target for cyber terrorists and hackers alike. Modernization brings gains in efficiency, but it also increases the attack surface through which threat agents can target utility infrastructure.”

It’s tough being a utility. Constant regulations, standards compliance, security and safety issues. Our security experts analyzed the IT security capabilities of the utilities sector in general, using specific data from the Cisco Capabilities Benchmark Study. They looked at the views of both chief information security officers (CISOs) and security operations (SecOps) managers, which, unlike in other industries, seem closely aligned. What are the differences then, versus other industries? Here are some findings:

  • 73% of IT security professionals at utilities say they’ve suffered a public security breach, compared with 55% in other industries.
  • 56% of the IT security professionals in utilities say they use cloud-based web security, compared with 36% of the respondents in other industries.
  • 64% of CISOs and SecOps managers in the utilities sector say they make use of mobile security tools, compared with 50% of security professionals in other industries.

One important note: The study focused primarily on IT security capabilities, not on the state of operational technology (OT) security. There is a growing trend of convergence between IT and OT, and I and others in Cisco have talked about the ramifications of that trend.

Despite my earlier claim that the data supports a similarity of views between CISOs and SecOps managers, interestingly the opinions of CISOs and SecOps managers diverge somewhat when the conversation turns to IT security controls. For example, 67% of CISOs say that their organizations have adequate systems for verifying that security incidents have actually occurred, but only 46% of SecOps managers say they have such systems in place. Also, 73% of CISOs say they have well-documented processes for incident response and tracking, while just 54% of SecOps managers say they have such systems. That’s worrying to me.

The white paper has lots of charts and supporting documentation, and discusses the differences between the utility industry and other industries, especially the readiness of using tools and the availability of funds focused on security. One thing’s for sure: utilities are frequently a target of cyber attacks because of their high public profile and the potentially damaging effects of a data breach or service disruption. That explains the figures in my first bullet above (73% versus 55%). This vulnerability further highlights the security challenges that utilities are facing. In many countries, utilities have to report breaches by law, a requirement that may have contributed to the high number of recorded breaches. Perhaps due to their tightly regulated environment, utilities are also slightly more likely than other industries to use internal security incident teams.

At any rate, utilities seem, in many cases, to learn the hard way. What do I mean? Well, publicly breached utility companies lean more heavily on tools such as network security, firewalls, and intrusion prevention systems (IPS), instead of distributed denial-of-service (DDoS) defenses or VPN security tools. For example:

  • 76% of utilities that have dealt with a public breach say they use firewalls and IPS tools, but only 53% of utilities that have not dealt with a public breach use them.
  • 64% of publicly breached utilities use vulnerability scanning tools, compared with 44% of non-publicly-breached utilities.

[Figure: Utilities’ Use of Various Security Threat Defenses (in %)]

The figure above illustrates the point.

Interesting, eh? Also, public breaches appear to encourage utilities to more closely examine their security processes. For example:

Looking Into a Crystal Ball for the Future of Cybersecurity

Every once in a while you need to take a step back and think about the future. Where’s a good place to look for high-risk, high-opportunity ideas in the future of computer security? The New Security Paradigms Workshop (NSPW) is a crystal ball view into the future of cybersecurity. NSPW is an invitation-only workshop dedicated to in-depth discussions of radical forward thinking in security research. Here are highlights from a handful of presentations that pursue areas that might be evocative or inspirational to the broader Cisco security community.

Milware: Identification and Implications of State Authored Malicious Software is a research effort that starts by looking to establish a technical basis for distinguishing between mal- and milware. The authors evaluated and reverse engineered sample malicious software to establish an initial set of criteria that consistently distinguishes the samples identified as state or non-state authored. These are:

  • Specificity of (constraints on) propagation method
  • Manner of movement in target network (e.g. lateral, higher value targets)
  • Specificity and severity of exploits (e.g. higher CVSS scores), and
  • Customization of payload (code and tools used).


SYNful Knock: Protect Your Credentials, Protect Your Network

Interest in IT security has never been higher. So when a new type of attack comes along, it attracts the attention of our customers and others in the industry.

Earlier this week Cisco and Mandiant/FireEye released information about the so-called SYNful Knock malware found on Cisco networking devices. You can read my earlier blog on this subject here: SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks.

This attack isn’t caused by a problem or vulnerability with a Cisco product. It results from an attacker stealing administrative credentials or getting physical access to a networking device, allowing them to load a modified version of operating system software.

Just as technology advances, so too do the nature and sophistication of attacks. Although Mandiant’s research focuses on a specific piece of malware, we believe that it is an example of an evolution of attacks. Attackers are no longer focusing just on disruption, but on compromising credentials to launch an undetected and persistent attack.

For many years we’ve known that networking devices and their credentials are high-value targets for attackers. There has always been a need to protect them accordingly. This was something we reinforced last month in this security bulletin: Evolution in Attacks Against Cisco IOS Software Platforms

We know this is an important topic for our customers, so we have created an on-demand webcast outlining how to detect and remediate this type of attack.

The webcast also continues the conversation about good operating procedures, like network hardening and monitoring, that can help prevent this type of attack. The resources it describes can also be found on our Event Response Page.

If you have any additional questions about SYNful Knock, including how we can help implement some of these recommendations, please speak with your Cisco account manager.

If you are experiencing immediate technical challenges and require support, the Cisco Technical Assistance Center (TAC) is here to help.

And if you’re a member of the press with questions, please contact my PR friends at media_pr@cisco.com.

SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks

Historically, threat actors have targeted network devices to create disruption through a denial of service (DoS) situation. While this remains the most common type of attack on network devices, we continue to see advances that focus on further compromising the victim’s infrastructure.

Recently, the Cisco Product Security Incident Response Team (PSIRT) alerted customers to the evolution of attacks against Cisco IOS Software platforms.

Today, Mandiant/FireEye published an article describing an example of this type of attack. This involved a router “implant” that they dubbed SYNful Knock, reported to have been found in 14 routers across four different countries.

The Cisco PSIRT worked with Mandiant and confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device.

SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.

Note: Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.

Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such. We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures. The following figure outlines the process of protecting and monitoring Cisco networking devices.

[Figure: the process of protecting and monitoring Cisco networking devices]

We thank Mandiant/FireEye for their focus on protecting our shared customers, and for adding their voice to calls for greater focus on network security.

NAB 2015 Attendees: Is Your Security Model Threat-Centric?

Cyber-Security: it has always been important for video entertainment companies. But times have changed: now it’s mission critical. Top of mind again these last few days, the events of the last 6 months have proven this point. If cyber-protection is not bullet-proof, any video entertainment company is living on borrowed time… and that bill is going to come due with potentially disastrous consequences.

There is a second change going on: security at video entertainment companies used to focus on protecting content in the distribution chain – DRM, CAS and the like. But there are many more ways to lose content – many more places in the “connected” production chain where content can be stolen. For instance, as has happened in the last few months, if an attacker can gain access to