Sunday, November 16, 2014

Chinese Spies are retiring: Spanish Waste & Drinking Water services don't need them

Industrial Control engineers do their work for them

The Critical Infrastructure Protection law is being deployed in Spain and new essential sectors will be covered this year. One of those sectors is Water, and I have begun to study that sector in depth.
My first findings are amazing and I will talk about them in my next posts.

This week I will show you how things have changed with social networks in the last few years. Nowadays everyone seems to seek celebrity through their social network presence: Facebook, Twitter, LinkedIn and any other platform that lets you show the entire world how cool you are. (By the way, you could think this is what I am doing, but this is just Cyber Work).

While spidering the Internet for waste water plants around Spain, I found some "funny" stuff.
On one SCADA control engineer's personal blog I found his complete CV, describing all the projects he has worked on throughout his career. This is not bad by itself, but when it includes a detailed description of the plant's SCADA systems, it gets worse....

The information you can find there is:
  • Plant name and location
  • Automation elements description:
    • SCADA application redundant systems (Schneider Electric Monitor Pro)
    • 3 Telemecanique Unity devices (Modicon PLCs)
    • Other PLCs to control engines
    • Ethernet interconnection between them and a Modbus gateway
    • Interconnection diagram
    • Advantys I/O modules

I am sure you can find many plants even worse documented than this one!!!!

Awareness is something we have to improve in the next months if we want to get a better Security Level in our critical infrastructure.

In the meantime, no Chinese spies required ......

Wednesday, November 5, 2014

New threats, Old vectors



In the last few weeks I have been giving presentations at different Cyber Security events, in different cities and to different audiences, but there is always a common question at all of them:

- "Can you talk to us about the new Threats?"

My response is always the same:

- "Don't you have enough with the old ones?"

I understand people can be worried about all the cyber espionage, cyber crime and cyber attack campaigns, but at the end of the day everything remains the same: "Nobody reads the F#@ Manual".

When talking about Dragonfly we have been dealing with old attack vectors:
  • Phishing
  • Compromising vulnerable web sites
Nothing new in these attacks. Nothing a good awareness policy can't stop. Nothing a basic OWASP compliance test cannot detect. Nothing has been done about the security posture of those organizations in the last few years.

At the last (8th) ENISE congress, a representative from the NATO Security Network Area described the top attacks NATO was registering, and surprisingly they were: phishing and DDoS.
Maybe the malware associated with the phishing campaigns is more sophisticated (on the second round), but there must always be someone who clicks the attachment link to activate the malware.

Why don't we stop the old attack vectors before moving on to defenses against the new threats?

Thursday, October 2, 2014

Spanish Smart Meters under risk?

I love Paella, but not in these terms:

"We will talk about a device that is present in all houses, a smart power meter. This model is being installed in all houses and buildings, and it's already present in the 65% of the "paella" country."



Alberto Garcia Illera and Javier Vazquez Vidal are going to scare one big Spanish Electric Company with their presentation and their findings:

  • Each device stores the same pair of symmetric AES-128 encryption keys
  • With the encryption keys in hand, an attacker could easily sniff the data or inject his own commands into the device or devices
  • It is simple to spoof the identifier code on each device.
  • Turn off and on the lights remotely
  • Know power consumption in a house

Who could ask for more? Availability, Integrity and Confidentiality broken in one move.


Once again, a small team without too many resources defeats a huge company's security organization.
What are we doing wrong? Are we reading the F... Manual in every project we start? I don't think so.
If we took a serious approach to security when designing architectures and solutions, we would not find these kinds of things later.
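As an added illustration of the design-phase requirement this post is asking for (my own example, not code from the researchers or from the utility): every meter gets its own key, derived from a master secret that never leaves the head-end, and every message carries a MAC and a counter. The meter ids, the message format and the master key value are constructed for the example; confidentiality of the readings would additionally need a per-meter encryption key, which is left out here.

```python
import hashlib, hmac

# Constructed master secret for this example. It lives only at the head-end
# (ideally in an HSM) and is never provisioned into any meter.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def derive_meter_key(master: bytes, meter_id: str) -> bytes:
    """Per-device 128-bit key: HMAC-SHA256(master, label || meter_id) truncated.
    Each meter is provisioned only with its own derived key, so dumping one
    meter's flash does not yield the key of any other meter."""
    return hmac.new(master, b"meter-auth-v1|" + meter_id.encode(), hashlib.sha256).digest()[:16]

def meter_sign(meter_key: bytes, meter_id: str, counter: int, reading_wh: int) -> bytes:
    """Telemetry message (constructed format: id|counter|reading|tag) with a MAC
    under the meter's own key; the counter gives replay protection."""
    body = f"{meter_id}|{counter}|{reading_wh}".encode()
    tag = hmac.new(meter_key, body, hashlib.sha256).digest()[:16]
    return body + b"|" + tag.hex().encode()

def headend_verify(master: bytes, message: bytes, last_counter: dict) -> bool:
    """Re-derive the key for the *claimed* meter id and check the tag: a frame built
    with another meter's key (spoofed id) fails, and a non-advancing counter fails."""
    try:
        meter_id, counter_s, reading, tag_hex = message.decode().split("|")
        counter, tag = int(counter_s), bytes.fromhex(tag_hex)
    except ValueError:
        return False
    body = f"{meter_id}|{counter_s}|{reading}".encode()
    expected = hmac.new(derive_meter_key(master, meter_id), body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return False
    if counter <= last_counter.get(meter_id, -1):
        return False  # replayed or reordered message
    last_counter[meter_id] = counter
    return True

def demo() -> dict:
    """Exercise the three properties: distinct keys, spoofed id rejected, replay rejected."""
    key_a = derive_meter_key(MASTER_KEY, "METER-A")
    key_b = derive_meter_key(MASTER_KEY, "METER-B")
    seen = {}
    genuine = meter_sign(key_a, "METER-A", 1, 1234)
    spoofed = meter_sign(key_a, "METER-B", 1, 0)  # holds A's key, claims to be B
    return {
        "keys_differ": key_a != key_b,
        "genuine_ok": headend_verify(MASTER_KEY, genuine, seen),
        "spoofed_rejected": not headend_verify(MASTER_KEY, spoofed, seen),
        "replay_rejected": not headend_verify(MASTER_KEY, genuine, seen),
    }
```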

In Madrid we still remember the BiciMad Penis Video on rental Kiosks for a whole weekend:





Both incidents have the same root causes: lack of a deep risk analysis and of strong security requirements in the design phase.

Time for a Paella.


Sunday, September 21, 2014

ICS SCADA Mobile: BYOD (Bring Your Own Disaster) to your control network

I have to confess I'm an "Apple fanboy". I use my iPads every day to browse news, Twitter, Cyber Security blogs, etc.
Some days ago I was browsing exploit-db.com, as I used to do when working on IT Security projects. One of the first exploits I saw was related to an iPad application for transferring content over WiFi (Air Transfer from Darinsoft).



When I saw the description I couldn't believe it could be so easy and dangerous, so I downloaded and installed the app on my iPad. I tried the exploit from my MacBook and ..... Bingo!!
I could crash the application and retrieve its contents, even though access to the web interface was password protected.
(The exploit was reported on August 19th and the application is not yet patched)

All that made me think about the mobile apps used to connect to SCADA systems and the IoT solutions big automation companies are designing.
Then I remembered a nice article from Eric Byres that described the software quality problem ICS have to face on a daily basis.

"Academic research tells us that most commercial software contains 3 - 10 defects for every thousand lines of code (KLOC), and that 1% to 5% of these result in vulnerabilities. That works out to between 0.03 and 0.5 vulnerabilities per KLOC."

Translating those figures to the Apple App Store (September 2014), we get the following:


So even assuming the smallest app size and the lowest vulnerability rate, we are talking about millions of vulnerabilities in the Apple mobile apps world alone.
If we do the same with Google Play, the results could roughly double.

We need to go back to basics and define security requirements from the very beginning of every app development (server, desktop or mobile), and be very cautious when thinking of applying these fancy iPad apps in ICS, even if your CEO is asking for the same solution he saw at his last meeting with other colleagues.





Thursday, September 11, 2014

Who the hell are you trusting on your Cyber Security Team?

Recently I found a paper published by a center that depends on the US Department of Homeland Security:


In this paper they warn about the insider threat and give some clues to detect strange behavior in your own personnel:


It was very impressive: 100% of my Cyber Security consulting team matches these indicators!!!!!

Now I am looking for good Cyber Security engineers who never access networks at odd times, only work 8 hours on working days, never answer the cell phone when out of the office or on holiday, never read classified material, never show any interest in anything outside their perimeter and, most important, never enjoy a good beer after a long day of tapping, sniffing, tag classification and graph creation!!!!

Surprisingly, I am not finding any candidates!!!! Do you know why this is?

(You can find the whole paper here)

Wednesday, September 10, 2014

"Close the Door Campaign" is becoming popular

Surprisingly, today I found this tweet from 



We are Top 10!!!
I will continue the campaign until every Spanish ICS open port disappears from the map!!!

Thursday, September 4, 2014

The Dragonfly campaign hangover in Spain (II)

I know Internet-exposed ICS ports were not Dragonfly attack vectors but, in my opinion, leaving them open is not a good practice. There are a lot of open source and commercial solutions to access your industrial control devices over the Internet in a secure and controlled way.

So, what were the results? .....



In this table you can see that the number of devices with these four ICS protocol ports open grew over the period.
On the other hand, the percentage of Spanish open-port devices compared with the total worldwide grew for the ICCP and Modbus TCP protocols, but decreased for the EthernetIP and BACnet protocols.

The summary data for the period is the following:
  • Total open ports worldwide
  • Total open ports in Spain
  • Percentage of Spanish devices over worldwide devices



Some findings:
  • Bearing in mind that the Spanish Gross Domestic Product in 2013 was just 1.83% of worldwide GDP, the percentage for every protocol is above that (sometimes 3 or 4 times over).
  • Although the growth over the period is not big, it is a trend appearing just one month after a serious incident affecting industrial control system organizations. Is our Cyber Security awareness growing in Spain? (I don't think so)
  • Most of the systems recorded by SHODAN were installed in critical sectors (as the banners showed).
Some easy advice:
  • Shodan yourself!!!! (It's free and easy)
  • Ask your ICS provider for a secure remote access solution if you really need one.
  • Read this blog periodically. (It's free as well)




The Dragonfly campaign hangover in Spain

Living in Spain and working in the Critical Infrastructure protection sector is a Risky Business.
In July I was very busy trying to find out what the real impact of Dragonfly in Spain was, and writing some articles to raise Cyber Security awareness in Spanish utility companies.



It seems that after being "World Champions" in infections, companies should have taken some basic countermeasures. (Maybe the simplest one would be an external black-box audit to check the external visibility of the company's infrastructure and services.)

But after twenty years trying to improve our security level, and knowing how things are usually managed here, I decided to try a little experiment.

From August 14th until today I have been running some Shodan searches once a day to collect the worldwide and Spanish numbers of Internet open ports for the most famous industrial control protocols:

  • ICCP/S7 (102 TCP)
  • Modbus (502 TCP)
  • EthernetIP (44818 TCP)
  • BacNET (47808 UDP)

My bet was that situation would improve in the weeks to come, but if you want to know what the results were, stay tuned until my next post.

Sunday, August 31, 2014

ICS Cyber Security and the Occam's Razor principle

Occam's Razor principle states that among competing hypotheses, the one with the fewest assumptions should be selected. Other, more complicated solutions may ultimately prove correct, but—in the absence of certainty—the fewer assumptions that are made, the better.

In the ICS network area it should be the same. With smaller networks of documented and repetitive functions, the best Cyber Security solutions should be the simplest ones.
If you know the desired behavior of your ICS network, everything that diverges from it is something to log and investigate (network whitelisting).

In this video I will show you how, knowing the operations you need to execute over your ICS network (Modbus TCP in this case), you can detect any abnormal behavior and take action on it. This is the only technology that detects insiders' intentional or unintentional actions on your control infrastructure.

I hope you enjoy.






Friday, August 29, 2014

Nasty things to do when Home Alone

Maybe all these cheap WiFi-connected devices we usually buy in big stores are not very well hardened. This is something I have been suspecting when visiting the houses of non-"dark people" and getting access to their WiFi network: lots of connected devices (sometimes over 12) with no clear security configuration, since they had been installed "out of the box".
This guy had the same suspicions and decided to test his own home network.

IoT: How I hacked my home

(Call me paranoid, but I monitor inbound and outbound traffic at home)
And best of all: who is going to patch those devices when critical vulnerabilities arise?
Good luck with your own vulnerability test at home (of course, when alone).

Monday, August 25, 2014

Re-Assessing the Risk for the Energy Sector

Raj Samani has made a good comment on the Dragonfly espionage campaign on the Intel Security blog.

Working in Spain, and being "World champions" of the Dragonfly campaign, we were very active on that. (In fact, I translated the Joel Langill and SecurityMatters white paper into Spanish just to raise some concerns among Spanish energy companies: Cyberespionage campaign hits energy companies (Spanish)).

Spain is deploying right now the Critical Infrastructure Protection Law for the energy sector but, in my personal opinion, we are facing three main problems:
  • Lack of budget for new Cyber Security controls in these companies
  • Lack of detailed protection measures (which should include DLP) for ICS networks from the Spanish Administration.
  • The "political will" for CIP Law enforcement. (We still don't have a clear framework for auditing the measures)

On the other hand, we are executing projects outside Europe (Middle East) where DLP and AWL are being deployed on ICS networks (in our case, many of the Intel Security/McAfee solutions). Most of the time this is because we design the defense-in-depth architecture contemplating these solutions, but sometimes it is because the IT CSO asks for it.


I think Raj Samani has made a great reflection and I agree 100% with his approach.

Friday, August 22, 2014

ICS Network anomalies detection

Deep Protocol Behavior Inspection


This technology is based on a revolutionary approach to ICS network monitoring that is able to build, in a self-learning way, the Behavioral Network Blueprint (normal behavior).

The Behavioral Blueprint defines the communication patterns, protocols, message types, message fields and field values which are allowed in your network (i.e. the network whitelist). Then, whenever a communication that diverges from the Behavioral Blueprint occurs, the sensor system reports it, pinpointing the exact source of the problem.

This technology is known as Deep Protocol Behavior Inspection (DPBI).
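To make the whitelist idea concrete for both the Occam's Razor post above (Modbus TCP) and this DPBI description, here is an added example that is my own and not the vendor's code or anything shown in the videos. It assumes a constructed blueprint (one HMI allowed to read holding registers 0..99 on one PLC) and constructed frames; it decodes the MBAP header and PDU of each request and reports any peer, function code or register range that diverges from the blueprint.

```python
import struct
from typing import Optional

# Behavioral blueprint (network whitelist) for a small Modbus TCP cell.
# Constructed for this example: the HMI 10.0.0.10 may only read holding
# registers 0..99 on unit 1 of the PLC 10.0.0.20; nothing else is expected.
BLUEPRINT = {("10.0.0.10", "10.0.0.20", 1, 3): range(0, 100)}  # FC3 Read Holding Registers
FC_NAMES = {3: "Read Holding Registers", 6: "Write Single Register",
            16: "Write Multiple Registers"}

def parse_modbus_tcp(payload: bytes):
    """Decode MBAP header + PDU of a request (FC 3, 6 or 16 only).
    Returns (unit, function, start_address, register_count)."""
    if len(payload) < 12:
        raise ValueError("frame too short")
    _tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    fc, address = payload[7], struct.unpack(">H", payload[8:10])[0]
    count = struct.unpack(">H", payload[10:12])[0] if fc in (3, 16) else 1
    return unit, fc, address, count

def check_frame(src: str, dst: str, payload: bytes) -> Optional[str]:
    """Return an alert if the request diverges from the blueprint, else None."""
    unit, fc, address, count = parse_modbus_tcp(payload)
    allowed = BLUEPRINT.get((src, dst, unit, fc))
    if allowed is None:  # unknown peer, unit or function code
        name = FC_NAMES.get(fc, f"FC{fc}")
        return f"ALERT {src}->{dst} unit {unit}: unexpected {name}"
    last = address + count - 1
    if address < allowed.start or last >= allowed.stop:
        return (f"ALERT {src}->{dst}: registers {address}-{last} "
                f"outside whitelist {allowed.start}-{allowed.stop - 1}")
    return None

# Constructed traffic: tid | pid | len | unit | fc | address | count or value
SAMPLE = [
    ("10.0.0.10", "10.0.0.20", bytes.fromhex("0001000000060103000a0002")),  # read 10-11: ok
    ("10.0.0.10", "10.0.0.20", bytes.fromhex("000200000006010300c80002")),  # read 200-201
    ("10.0.0.10", "10.0.0.20", bytes.fromhex("000300000006010600050001")),  # FC6 write
    ("10.0.0.77", "10.0.0.20", bytes.fromhex("00040000000601030000000a")),  # unknown host
]

def run(samples=SAMPLE):
    """Apply the whitelist to the sample traffic and return the alerts raised."""
    return [a for a in (check_frame(s, d, p) for s, d, p in samples) if a]
```

The same check applied to a live capture would be the "log and investigate" step from the Occam's Razor post; the blueprint is the part a DPBI sensor learns instead of being typed by hand.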

Let's see some examples in this video:


ICS Network Behavior monitoring

The security level of all infrastructures that provide essential services to society must be reviewed and supervised continuously.
This supervision must be based on indicators able to offer objective and sustainable values over time, given the robust and lasting design these infrastructures should have.

In this post I will focus on the first set of indicators to define and manage, all related to the correct industrial control network behavior of these infrastructures.