Ransomware effects spilling over into the real world.
A press release from Colonial Pipeline: “On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware… In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems”.
NSA issued an advisory: Guidance to Stop Malicious Cyber Activity Against Connected Operational Technology
“While there are very real needs for connectivity and automating processes, operational technologies and control systems are inherently at risk when connected to enterprise IT systems”
In essence, the recommendations are as follows:
- Manage, encrypt and authenticate all remote access connections
- Add sensors and actively monitor all remote connections. Disconnect remote access until this is in place!
- Create an OT map, validate unknown assets and create baseline configurations
- Create a known OT communication baseline
- Create short, medium and long term improvement plans
- Maintain offline “gold copy” baselines for OT networks and devices to enable recovery from a known good source.
PDF available here.
OpENer is an EtherNet/IP stack for I/O adapter devices, frequently embedded into control systems.
Various Denial of Service and Remote Code Execution vulnerabilities have been disclosed for this ENIP implementation.
Patches are available and can be incorporated into internally developed systems; however, vendors may take some time to cover components that rely on this stack.
US CISA recommends the following mitigations:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Splice provides all of the above mitigations as well as vulnerability shielding and behavioural profiling.
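The NSA's "known OT communication baseline" and CISA's isolation advice above can both be checked mechanically. As an added example that is not from the page, from NSA/CISA or from Splice, the script below compares constructed flow records against a hypothetical baseline and flags EtherNet/IP traffic that is outside it or that reaches control assets from outside the control network; the subnets, baseline entries and sample flows are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Flow record; every flow below is constructed sample data, not from the page.
Flow = namedtuple("Flow", "src dst dport proto")
# EtherNet/IP listeners used by stacks such as OpENer:
# 44818/TCP explicit messaging, 2222/UDP implicit (I/O) messaging.
ENIP_PORTS = {44818, 2222}
# Hypothetical network layout: control network and business network.
OT_NET = ipaddress.ip_network("10.10.0.0/16")
BUSINESS_NET = ipaddress.ip_network("192.168.0.0/16")
# Hypothetical OT communication baseline: the only flows expected to touch OT assets.
BASELINE = {
    ("10.10.1.5", "10.10.2.20", 44818, "tcp"),  # engineering station -> PLC
    ("10.10.2.20", "10.10.2.21", 2222, "udp"),  # PLC -> I/O adapter
}

def classify(flow):
    """Findings for one flow into the control network; empty list = matches baseline."""
    findings = []
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if dst not in OT_NET:
        return findings  # only traffic reaching OT assets is in scope here
    if src not in OT_NET and src not in BUSINESS_NET:
        findings.append("source outside enterprise ranges")  # exposure beyond the perimeter
    elif src in BUSINESS_NET:
        findings.append("remote access from business network")  # must be brokered and monitored
    if flow.dport in ENIP_PORTS and tuple(flow) not in BASELINE:
        findings.append("ENIP flow not in baseline")
    return findings

def audit(flows):
    """Map each deviating flow to its findings."""
    return {f: classify(f) for f in flows if classify(f)}

SAMPLE_FLOWS = [  # constructed
    Flow("10.10.1.5", "10.10.2.20", 44818, "tcp"),     # expected
    Flow("10.10.2.20", "10.10.2.21", 2222, "udp"),     # expected
    Flow("192.168.50.9", "10.10.2.20", 44818, "tcp"),  # business host talking ENIP to the PLC
    Flow("203.0.113.7", "10.10.2.20", 44818, "tcp"),   # source in neither enterprise range
    Flow("10.10.2.20", "10.10.2.99", 44818, "tcp"),    # PLC reaching an unknown OT address
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow, "->", "; ".join(findings))
```

Feeding real NetFlow or firewall logs through the same comparison turns the baseline into a recurring check rather than a one-off document.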
US CISA released an advisory for an easy-to-exploit remote authentication bypass (with a CVSS score of 10) affecting multiple Rockwell Logix controllers. No patches seem to be forthcoming; Rockwell recommends mitigations in the form of configuration hardening and isolation.