12.7.17

Industrial control security practitioners worry about threats … for a reason


Last month, ESET researchers confirmed the discovery of a new type of sophisticated malware now known as Industroyer, highlighting the threat posed to industrial control systems (ICS). Indeed, this is considered to be the first-ever malware designed to affect industrial control systems directly, and is thought to be behind the December 2016 cyberattack on Ukraine’s power grid.
Further research from the SANS Institute, the “global leader in information security training and certification”, confirms that security of industrial control systems is increasingly seen and understood to be a serious issue.
Their recent paper, Securing Industrial Control Systems—2017, is based on polling hundreds of professionals in the field of ICS security. Its goal is to gather related information and map the attitudes of industrial control security practitioners in regard to the security of their systems, threats and attack vectors, and defense measures.
The research shows that, predictably, the respondents’ highest priority is keeping their operational technology running. Answering the question “What are your primary business concerns when it comes to the security of your control systems?”, nearly a quarter put “Ensuring reliability and availability of control systems” first, and over 50% of respondents placed it among their top three priorities.
To measure the real scope of ICS security, the question “Have your control systems been infected or infiltrated in the past 12 months?” was included in the survey. The most common response, “Not that we know of,” was selected by 40%, while less than half of respondents, 19%, chose “No, we’re sure we haven’t been infiltrated”.
As for the overall security, the respondents answered the same key question as in the previous years: “How serious does your organization consider the current threats to control system cybersecurity to be?” 69% of respondents rated the perceived level of threat as severe/critical or high – a two percentage point increase compared to last year’s survey.
The three biggest threats cited by the respondents were: one, devices and “things” (that cannot protect themselves) added to networks; two, internal threats (accidental); and three, external threats (hacktivism, nation states). Extortion, ransomware and other financially motivated crimes came in fourth place, while external threats via a supply chain or partnerships were far behind at number eight (out of 10 options offered to the respondents).
As for the defense measures that the respondents currently have in use, anti-malware technologies emerged as the most relied-upon measure, followed by access control solutions. The top three wanted technologies or solutions were industrial intrusion detection, control system network security monitoring and security awareness training for staff, contractors and vendors.
For interpreting the survey’s results, it should be noted that the responses were collected in February-March of 2017 (as its editors told WeLiveSecurity). This means that the respondents’ attitudes were not influenced by the news about the discovery of Industroyer – arguably the most important recent news story that is related to ICS security, which appeared in the industry’s media in May.
“The SANS survey shows that ICS security experts seriously worry about security,” commented Robert Lipovský, Senior Malware Researcher at ESET. “It will be interesting to see if the discovery of Industroyer pushes these worries to an even higher level – future reports will show.”
Industroyer was first analyzed by ESET researchers who discovered its capability to disrupt industrial processes – in the case investigated, precisely targeting a particular energy transmission infrastructure.
As a highly configurable tool, Industroyer can be easily refitted to attack similar energy infrastructures and even re-purposed to attack industrial control systems in other industries such as transportation or manufacturing.
“It is a reminder to all those responsible for critical systems around the world, many of which were designed without security in mind. Now’s the time to take measures for securing them – and the SANS research shows that security experts are taking this issue seriously,” concludes Lipovský.


Adobe Flash Player users should update their software NOW

One of the favourite pieces of software for malicious hackers to target on users’ computers is Adobe Flash Player.
Why? Well, there are a few reasons.
Firstly, Adobe Flash Player is on an awful lot of computers. Many users may have installed it long ago in order to access Flash-based media content online, such as videos. Malicious hackers can rely upon a large number of people having Flash installed, making it a target for attack.
Secondly, the version of Adobe Flash Player installed on your computer may be out-of-date. Users may have failed to configure updates properly, or chosen to ignore reminders to update the software promptly when a new security update is released. There’s only one thing more attractive to a malicious hacker than widely-used ubiquitous software, and that’s widely-used ubiquitous software that hasn’t been kept updated with the latest patches.
It doesn’t matter if a hacker doesn’t have a zero-day exploit to throw at your Adobe Flash Player if you haven’t been bothering to keep it protected against known vulnerabilities.
Thirdly, there has been a long history of malicious hackers finding critical security holes in Adobe Flash Player, and building their attacks into exploit kits for anyone to deploy. Flash is closed, proprietary software controlled by Adobe and it has been plagued with software vulnerabilities and serious flaws over many years. Quite why Flash has been targeted so often is open to some debate, but the mere fact that it has suggests that it will continue to be for some time to come.
The upshot of this is that when Adobe releases new security patches for Adobe Flash Player, it would be very sensible indeed for its users to sit up and take notice.
Earlier today Adobe issued a security advisory detailing updates it has released for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.
The updates are said to address critical vulnerabilities that could potentially allow a remote attacker to execute code on a victim’s computer and take control of their device.
Adobe recommends that users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player version 26.0.0.137 as soon as possible. You can do this either by visiting the official Adobe Flash Player download page, or ensuring that Flash’s global settings are set to “install updates automatically when available”.