The malware used in an industrial control system attack in December has been found circulating publicly on the internet after being copied from an online database.
Cyberscoop, which first reported the story, said Schneider Electric quickly received a notice to remove the file from VirusTotal, but before it could be removed the file had already been copied and reposted to other code repositories such as GitHub, and it has been freely available ever since.
Paul Brager Jr., technical product security leader at Baker Hughes, based in Houston, Texas, and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said “it is highly conceivable that variants of
“Because most control environments are not homogenous, patching one series of vulnerabilities for a particular manufacturer does not necessarily lessen the exposure to the infrastructure from something like
Eddie Habibi, founder and CEO of PAS Global, an ICS cybersecurity company headquartered in Houston, Texas, said the problem is that “there are two speeds in ICS cybersecurity — industry speed and hacker speed.”
“Hackers can move much more quickly than industry.
Bryan Singer, director of industrial cybersecurity services at IOActive, the cybersecurity company headquartered in Seattle, Wash., said the threat of
“Wake-up calls haven’t woken anybody up. In watershed moments such as Equifax, Target
ICS patching issues
Experts noted that if organizations don’t fully recognize the threat, it may be even more difficult to harden security because of the inherent differences in patching ICS.
Brager noted that patching in ICS environments can be especially tricky since “many of the components, applications, and services are proprietary and highly interdependent.”
“Because of the critical process potential of ICS systems and their components, significant testing is usually required to ensure that an applied patch yields an expected outcome and does not interfere with, or degrade in any fashion, the operations of the control system,” Brager said. “This requirement and diligence typically
Emily Miller, director of national security and critical infrastructure programs at Mocana, and formerly the chief of process management for the DHS ICS Cyber Emergency Response Team, said the flaws that allowed the
Brager said that ICS systems have traditionally been kept isolated from external networks, but growing interconnectivity is making security more difficult.
“For many years, ICS environments were largely thought to be physically and logically isolated from other networks and/or environments. Connectivity was largely a function of interconnected buses and
Habibi agreed that isolating ICS is no longer a sufficient security strategy.
“After years of reconnaissance, the bad guys have shown they can penetrate those defensive layers, bridge the illusory air gap, and take deliberate control over
Miller said the
“Rather than continuing to chase vulnerabilities and trying to implement an IT approach to OT security, we should instead think about how we can make critical devices inherently secure and more difficult for hackers to gain access,” Miller said. “Without access to an ICS device, hackers cannot begin to take advantage of a vulnerability. Certainly, defense in depth methodologies and good cyber hygiene are a part of the solution, but what happens when those techniques fail, and the actors can remotely access a device and potentially manipulate it?”