The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies.


While the former has received many updates through the years (this newer version is v8.0), the whitepaper is a “modernized” version of a document that was first released in 2009.

Both tools are offered for free, in the hope that they will be widely used.

Cyber Security Evaluation Tool

The Cyber Security Evaluation Tool is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate their industrial control system and information technology network security practices.


It does so by asking questions about system components, architectures, operational policies and procedures, and so on. The questions will depend on which government and industry cybersecurity standards the operators want their systems to adhere to.

“When the questionnaires are completed, CSET provides a dashboard of charts showing areas of strength and weakness, as well as a prioritized list of recommendations for increasing the site’s cybersecurity posture. CSET includes solutions, common practices, compensating actions, and component enhancements or additions,” ICS-CERT explains.

The team also offers onsite training and guidance to asset owners (in the US) who might encounter problems while using CSET. This help also comes at no cost. For instructions on how to download and install the tool, go here.

The whitepaper

ICS-CERT works to reduce risks within and across all critical infrastructure sectors – chemical, emergency services, energy, critical manufacturing, healthcare, IT, transportation, and so on.

This newest report will be helpful for organizations in each of those sectors, and concentrates on defense-in-depth strategies and a holistic approach to security.

“The concept of Defense in Depth is not new — many organizations already employ many of the Defense-in-Depth measures discussed in this document within their information technology (IT) infrastructures; however, they do not necessarily apply it to their ICS operations,” the experts who penned the report noted.

“In the past, most organizations did not see a need to do so. Legacy ICSs used obscure protocols and were largely considered ‘hack proof’ because of their separation from IT and because of having physical protection measures in place. But with the convergence of IT and ICS architectures, recent high-profile intrusions have highlighted the potential risk to control systems.”

Defense in depth also helps compensate for another problem: the distinct lack of ICS-specific security solutions.

The report includes an overview of the current state of ICS cybersecurity, ICS defense-in-depth strategies, an overview of possible attacks against critical infrastructures, and recommendations for securing ICS. The latter includes adopting a proactive security model, key security countermeasures, and a variety of available services and tools (CSET is among them).

Help Net Security

Kaspersky Lab researchers discovered a new wave of targeted attacks against the industrial and engineering sectors in 30 countries around the world. In the campaign, dubbed Operation Ghoul, the cybercriminals use spear-phishing emails and malware based on a commercial spyware kit to hunt for valuable business-related data stored in their victims’ networks.

Operation Ghoul

In June 2016, researchers spotted a wave of spear-phishing e-mails with malicious attachments. These messages were mostly sent to top- and middle-level managers of numerous companies. The e-mails sent by the attackers appeared to come from a bank in the UAE: they looked like payment advice from the bank with an attached SWIFT document, but in reality the attached archive contained malware.

Further investigation showed that the spear-phishing campaign was most likely organized by a cybercriminal group that company researchers have tracked since March 2015. The June attacks appear to be the most recent operation conducted by this group.

The malware in the attachment is based on the HawkEye commercial spyware, which is sold openly on the dark web, and it provides a variety of tools for the attackers. After installation it collects data of interest from the victim’s PC, including:

  • Keystrokes
  • Clipboard data
  • FTP server credentials
  • Account data from browsers
  • Account data from messaging clients (Paltalk, Google Talk, AIM)
  • Account data from email clients (Outlook, Windows Live Mail)
  • Information about installed applications (Microsoft Office).

This data is then sent to the threat actor’s command and control servers. Based on information received from the sinkhole of some command and control servers, the majority of the victims are organizations working in the industrial and engineering sectors; others include shipping, pharmaceutical, manufacturing and trading companies, educational organizations and other types of entities.

These companies all hold valuable information that could be subsequently sold on the black market – financial profit is the main motivation of the attackers behind Operation Ghoul.
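A defender-side triage check for the lure pattern described above (a bank-branded sender whose domain does not match, payment advice/SWIFT wording, and an archive attachment that actually carries an executable), as an added example; this is not Kaspersky Lab’s or the article’s code, and the sender names, domains, subject and file names are constructed for illustration.

```python
import email
import email.policy
import email.utils
import io
import zipfile
from email.message import EmailMessage

# Constructed heuristics mirroring the lure: bank-branded sender, payment/SWIFT wording,
# an archive attachment that carries an executable.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat")
LURE_WORDS = ("payment advice", "swift", "remittance")


def triage_message(raw: bytes) -> list[str]:
    """Return a list of findings for one raw RFC 822 message; empty means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Display name claims to be a bank while the sending domain does not.
    if "bank" in name.lower() and "bank" not in sender_domain:
        findings.append(f"display name '{name}' vs sender domain '{sender_domain}'")
    subject = msg.get("Subject", "")
    if any(w in subject.lower() for w in LURE_WORDS):
        findings.append(f"financial lure wording in subject: '{subject}'")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Look inside archives: the lure's "SWIFT document" was really a zipped executable.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                inner = [n for n in zf.namelist() if n.lower().endswith(EXEC_SUFFIXES)]
            if inner:
                findings.append(f"archive '{fname}' contains executable(s): {inner}")
    return findings


def build_sample(executable_in_zip: bool) -> bytes:
    """Construct a sample message shaped like the lure (placeholder content, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SWIFT_advice.exe" if executable_in_zip else "advice.txt", b"placeholder")
    msg = EmailMessage()
    msg["From"] = "Example Bank <advice@mail-example.test>"  # constructed, mismatched domain
    msg["To"] = "manager@victim.test"
    msg["Subject"] = "Payment advice - SWIFT copy attached"
    msg.set_content("Please find the attached payment advice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SWIFT_advice.zip")
    return bytes(msg)
```

The sender and subject checks fire on both samples; only the one whose archive hides an executable produces the third finding.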

More campaigns around the world

Operation Ghoul is only one of several campaigns believed to be controlled by the same group. The group is still active, and in total more than 130 organizations from 30 countries, including Spain, Pakistan, the United Arab Emirates, India, Egypt, the United Kingdom, Germany and Saudi Arabia, have been successfully attacked by it.

“In ancient folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon, and today, the term is sometimes used to describe a greedy or materialistic individual,” said Mohammad Amin Hasbini, security expert, Kaspersky Lab. “This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks will sadly suffer.”

Protect your company from Operation Ghoul

In order to protect your company from Operation Ghoul and other threats like this, the researchers recommend businesses implement the following measures:

  • Educate your staff so they are able to distinguish a spear-phishing email or a phishing link from real emails and links.
  • Use a proven corporate-grade security solution, in combination with anti-targeted-attack solutions capable of catching attacks by analyzing network anomalies.
  • Provide your security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules.

Help Net Security
