Archive for the ‘critical infrastructure’ Category
Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents.
There had been compromises of critical infrastructure sites before. What was unprecedented in this attack—and of considerable concern to some researchers and critical infrastructure operators—was the use of an advanced piece of malware that targeted the unidentified site’s safety processes. Such safety instrumented systems (SIS) are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, a SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents.
By focusing on the site’s SIS, the malware carried the threat of physical destruction that, depending on the site and the type of accident, had the potential to be serious if not catastrophic. The malware was alternately named Triton and Trisis because it targeted the Triconex product line made by Schneider Electric. Its development was ultimately linked to a Russian government-backed research institute.
Malware that caused a dangerous operational failure inside a Middle Eastern critical infrastructure facility was most likely developed by a Russian government-backed research institute, researchers from US security firm FireEye said Tuesday.
The malware, alternately dubbed Triton and Trisis, was most likely designed to cause physical damage inside critical infrastructure sites, such as gas refineries and chemical plants, FireEye researchers said in a report published in December. The attack worked by tampering with a safety instrumented system, which the targeted facility and many other critical infrastructure sites use to prevent unsafe conditions from arising. FireEye’s December report said a nation state was most likely behind the attack, but stopped short of identifying the country.
In a report published Tuesday, FireEye said its researchers now assess with high confidence that the malware used in the attack was developed with the help of the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. The assessment was based on a variety of evidence that not only implicated the institute, which in Russian is abbreviated as CNIIHM, but also a specific professor who works there. Evidence linking the CNIIHM to the attack—which FireEye now calls TEMP.Veles—included malware that was tested inside the institute, artifacts left inside the malware used in the attack, an IP address belonging to CNIIHM, and the malware developer’s operating hours, which showed them keeping a normal work schedule in Moscow.
NIST is raising awareness that security through obscurity has become a thing of the past – but are we doing enough to protect infrastructure such as dams and power plants?
In-brief: Close to five billion “fuzzing” tests conducted during 2016 reveal protocols used by industrial control systems, vehicles and Internet of Things devices to be weaker, on average, with many crashing hundreds of times and revealing vulnerabilities that could be used by malicious actors. A study of 4.8 billion automated…
ICS-CERT published advisories this week warning users of Siemens molecular imaging products of publicly available exploits for Windows 7 versions of those devices.
Three radiation monitoring device vendors will not patch a handful of vulnerabilities that could be abused by hackers, including a backdoor that affords high privileges on one device.
Siemens patches four vulnerabilities, including a critical authentication bypass flaw, in its SiPass integrated access control server.