The HAVEX remote-access Trojan is making the rounds again. As Cisco first reported in September 2013, HAVEX specifically targets supervisory control and data acquisition (SCADA), industrial control system (ICS), and other operational technology (OT) environments. In this case, the energy industry, and specifically power plants based in Europe, appears to be the primary target. See Cisco’s security blog post for technical details on this latest variant.
When I discuss security with those managing SCADA, ICS and other OT environments, I almost always hear that cybersecurity isn’t required because their systems are physically separated from the open Internet. This practice, referred to in ICS circles as the “airgap”, is how ICS networks have been protected since such networks were first built, and truth be told, it was tremendously effective for decades. The problem is that the airgap began to disappear several years ago, and today it is really just a myth.
Today, networks of all types are more connected than ever before. Gone are the days when only information technology (IT) networks were connected and OT networks were kept completely separate. OT networks are no longer islands unto themselves, cut off from the outside world. Technology trends such as the Internet of Things (IoT) have changed all of that. To gain business efficiencies and streamline operations, today’s manufacturing plants, field area networks, and other OT environments are connected to the outside world via wired and wireless links, in multiple places throughout the system. As a result, these industrial environments are every bit as exposed to hackers and other cyber threats as their IT counterparts. The main difference is that most organizations have relatively weak cybersecurity controls in these environments, because of the continued belief that an airgap segregates them from the outside world and thereby insulates them from cyber attacks. That belief makes OT environments an easier target.
The authors of HAVEX certainly understand that OT environments are connected: the malware was distributed by planting trojanized versions of legitimate software downloads on the websites of several ICS/SCADA vendors, so that operators installed it on their own systems. What is considered a very old trick in the IT world is still relatively new to those in OT.
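The practical defense against the distribution vector described above is to refuse any vendor download that does not match an integrity reference obtained through a separate channel. The following is an added example, not code from the original post or from Cisco or any ICS vendor: it parses a vendor-published SHA-256 manifest in the common `sha256sum` layout and checks a downloaded installer against it, rejecting both a file whose digest has changed (a trojanized copy) and a file the manifest never listed. The file names, installer bytes and manifest are constructed for the example.

```python
"""Check a downloaded ICS/SCADA installer against a vendor-published
SHA-256 manifest before it is allowed anywhere near the OT network.

Added example; not code from the original post or from any vendor.
The manifest layout is the common `sha256sum` format
("<hex digest>  <file name>"). File names and contents are constructed.
"""
import hashlib
import hmac


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines into {file name: lower-case hex digest}.
    Blank lines and '#' comments are ignored; a malformed line raises,
    because a manifest we cannot fully parse is not one we should trust."""
    digests: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        # sha256sum marks binary-mode entries with a leading '*'
        digests[name.lstrip("*")] = digest
    return digests


def verify_download(name: str, data: bytes, manifest: dict[str, str]) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the file is listed in the
    manifest and its SHA-256 matches the listed digest exactly."""
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name} is not listed in the vendor manifest"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids timing side channels; immaterial for a local
    # file check, but a good habit wherever digests are compared
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: SHA-256 {actual} does not match manifest {expected}"
    return True, f"{name}: SHA-256 matches manifest"


# --- constructed sample data (hypothetical file names and contents) ---
GENUINE_INSTALLER = b"MZ\x90\x00genuine-opc-client-installer-bytes"
# A trojanized copy differs from the genuine file in some bytes, so its
# digest will not match the manifest even though the file name is identical.
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00dropped-rat-payload"

VENDOR_MANIFEST = (
    "# SHA-256 checksums, release 4.2 (constructed for this example)\n"
    f"{hashlib.sha256(GENUINE_INSTALLER).hexdigest()}  opc_client_setup.exe\n"
)


def check_all() -> dict[str, bool]:
    """Run the three cases a practitioner cares about and report accept/reject."""
    manifest = parse_manifest(VENDOR_MANIFEST)
    return {
        "genuine": verify_download("opc_client_setup.exe", GENUINE_INSTALLER, manifest)[0],
        "trojanized": verify_download("opc_client_setup.exe", TROJANIZED_INSTALLER, manifest)[0],
        "unlisted": verify_download("hmi_patch.exe", GENUINE_INSTALLER, manifest)[0],
    }


if __name__ == "__main__":
    for case, ok in check_all().items():
        print(f"{case:11s} -> {'ACCEPT' if ok else 'REJECT'}")
```

The caveat is where the manifest comes from: if it is fetched from the same web server that served the installer, an attacker who replaced the installer can replace the manifest too. Obtain the digests through a different channel (a signed release announcement, a support contact, a mirror the attacker does not control) or verify the installer's code signature in addition to the hash; a digest check alone only proves the file is the one the manifest author intended.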
It’s absolutely essential that organizations with ICS environments understand and embrace the fact that IT and OT are simply different environments within a single extended network. As such, cybersecurity needs to be implemented across both to produce a comprehensive security solution for the entire extended network. The most important way to securely embrace IoT is for IT and OT to work together as a team. If each side relinquishes just a bit of control, IT can provide centralized control over the extended network while applying differentiated policies that recognize the specialized needs of OT environments.
We’ll never completely bulletproof our systems, but with comprehensive security applied across the extended network, providing protection before, during, and after an attack, organizations can defend themselves against most of what’s out there. A significant step in the right direction is to accept that the airgap is gone for good; it’s time to protect our OT environments every bit as much as we protect our IT environments.
Tags: Cisco, cybersecurity, HAVEX, ICS, Industrial Control Systems, Internet of Everything, internet of things, IoE, IoT, IoT Security, operational technology, OT, SCADA, security
In my last post, I talked about the need for a paradigm shift from point-in-time detection technologies to a new model that combines a continuous approach with a big data architecture. This new model lets Cisco deliver a range of other innovations that enhance the entire advanced malware protection process across the full attack continuum—before, during, and after an attack.
One of these innovations, unique to Cisco AMP for Endpoints, is Attack Chain Weaving which introduces a new level of intelligence not possible with point-in-time detection technologies.
We all know that attackers are making it their job to understand traditional point-in-time detection technologies and innovate around their limitations to penetrate endpoints and networks. However, as these attacks unfold, they leave in their wake massive volumes of data. Attack Chain Weaving allows defenders to use this data to their advantage. A big data architecture handles the ever-expanding volume of data that is essential to effective malware detection and analytics, and a continuous approach uses that data to provide context and, most importantly, prioritization of events when and where you need it.
Tags: AMP, Attack Chain Weaving, Big Data, security
I’m often asked how to deal with the security threat landscape within the context of running a business. The security threat landscape can seem like a highly complex challenge, yet as I’ve looked at it through my work with Cisco and the broader industry, it can actually be boiled down into three simple phases: before, during and after attack.
It sounds simple in theory, but in practice the conversation often focuses predominantly on the “before” phase; that is, minimizing a hacker’s chances of success. While this is clearly the most important phase, it’s also crucial to have a clear threat containment strategy for “during” an attack, and a visibility and forensics plan for “after” it as well. It seems complex, but it can be surprisingly simple. Take a look at a recent video blog I did on the topic.
Tags: Attack, Cisco, forensics, John Stewart, security
At the recent ENTELEC event held in Houston, I had the opportunity to chat with Shawn Birch, Partner Development Consultant at Tait Communications, and ask him about his impressions of the show and what the key care-abouts of IT people were during this oil and gas event.
Shawn Birch in the Cisco ENTELEC booth
Tait Communications is a multinational radio communications company headquartered in Christchurch, New Zealand. The company has offices in 20 countries and employs approximately 1000 staff. Tait develops voice and data radio technologies, exporting about 95% of its products from its Christchurch manufacturing base.
Tait specializes in designing, deploying, supporting, and servicing complete mission-critical unified communication solutions in industries such as oil and gas, and it is a Global Advance technology partner of Cisco for collaboration solutions and #IoT.
Here is a short transcript of the parts of our conversation I found most relevant:
Cisco booth during ENTELEC
From your experience and point of view, what were the key concerns and topics of interest of the customers during ENTELEC? “Convergence of voice, video and data and secure networks for digital oilfield.”
What did we showcase together on the show floor, and what are the key benefits for customers? “Tait showcased Unified Critical Communication two-way radio solutions integrated together as one through the power of Cisco IPICS (Interoperability and Collaboration System). This is a robust solution that enables and allows improvements in operational efficiency without compromising security. The approach of this solution is to protect the investment in legacy systems and migrate to the next generation of critical communications.”
What was the overall reaction of the customers to our demo/presentation? “Excited about the opportunity to blend state of the art Tait two-way radio solutions into the secure umbrella of the Cisco network in support of Unified Critical Communications with multi-modal integration of PTT, (Push to Talk) technology from anywhere, anytime and with any device.”
What is a key takeaway or final thought you would like to share with our blog readers? “Be prepared for the future, the IoT solutions will transform the way the people do business in digital oilfields as we continue to merge technologies through unified critical communications.”
Cisco focused on the same care-abouts: security and collaboration. You can read more about ENTELEC from Peter Granger (Heads up on What You’ll See) here, and Roberto De La Mora here (What Does it Mean to You?). During the event Cisco also showcased two new use case solutions, but those deserve a blog post of their own. We will keep you posted!
Tags: collaboration, DigitalOilfield, energy, entelec, IT, oil and gas, Operational Technologies, OT, security
The fire alarm went off in my building again, but fortunately, it was only a drill. By now, we are all used to the periodic fire drills for emergency preparedness in our workplaces. But have you ever wondered whether a similar exercise is possible for a cyber attack? The same logic applies: your team will be better prepared to handle an incident if they have trained for it.
Seeing is believing: today I am excited to share this video from our Cisco Korea team that showcases Cisco CyberRange.
Tags: certification, cisco cybersecurity, cyber threat, cybersecurity, security