Sep 08 2023


Category: OT/ICS, Scada Security, Security Tools | disc7 @ 7:23 am

MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new open source tool that simulates cyber-attacks on operational technology (OT). The product was published recently.

MITRE Caldera for OT is now publicly available as an extension to the open-source Caldera platform on GitHub. It lets cybersecurity specialists who work with industrial control systems (ICS) run automated adversary emulation exercises, with the goal of testing and improving their cyber defenses on a continuous basis. This also covers security assessments and red, blue, and purple team exercises.

This Caldera extension for OT was created via a collaborative effort between CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI). HSSEDI is a research and development institution that is financed by the federal government and is maintained and run by MITRE on behalf of the Department of Homeland Security (DHS).

The program contributes to the goal of the federal government to strengthen the security of vital infrastructure that is dependent on OT. Some examples of such infrastructure are water and electricity. This objective was elaborated upon in the United States’ National Cybersecurity Strategy, which was published in March 2023, and in the Executive Order on Improving the Nation’s Cybersecurity, which was issued by President Biden in May 2021.
The OT extension builds on work by CISA and HSSEDI to automate adversary emulation in CISA’s Control Environment Laboratory Resource (CELR). That work made it possible to identify adversary tactics that could be implemented in Caldera.

The defensive mechanisms and testing capabilities of critical infrastructure systems are slated to get a boost from the use of these plugins.

These plugins, which are stored in the “caldera-ot” repository, are essential instruments for the protection of operational technology (OT) settings.

They are made available as Git submodules, which enables researchers and experts in the security industry to quickly and readily access them.

The purpose of these plugins is to enable adversary emulation inside OT environments; this was the driving force behind their development.

Because of this, companies are given the ability to strengthen their security defenses and better prepare for possible attacks.

In addition, they are compatible with the classic Caldera use cases, such as rigorous testing of security mechanisms and operator training.

The move that has been taken by MITRE marks a major step forward in the continuing endeavor to secure critical infrastructure systems and to strengthen security within the OT sector.

A presentation titled “Emulating Adversary Actions in the Operational Environment with Caldera (TM) for OT” has also been made available by MITRE for individuals who are looking for further information of a more in-depth kind.

Users can install the whole collection of Caldera for OT plugins (which are Git submodules) by cloning the repository recursively:

git clone --recursive

Individuals also have the option of configuring certain plugins on their own, which allows them to personalize their approach to OT security to meet their unique requirements.

At the moment, the following three important plugins are available:

  1. BACnet: supports the Building Automation and Control Networks (BACnet) protocol.
  2. DNP3: supports the Distributed Network Protocol 3 (DNP3).
  3. Modbus: supports the Modbus protocol.

Open-Source OT Protocol Libraries That Are Unified And Exposed To Users

The Caldera for OT plugins, provided by MITRE, aim to standardize and expose open-source OT protocol libraries, making them available as protocol-specific plugins. Each plugin comes with its own extensive documentation.

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security

Cyber Defence Strategy using NIST and MITRE ATT&CK Frameworks


Tags: Caldera, MITRE ATT&CK, MITRE Caldera

Feb 17 2023

How hackers can cause physical damage to bridges

Category: OT/ICS, Scada Security | DISC @ 11:48 am

In this Help Net Security video, Daniel Dos Santos, Head of Security Research at Forescout, talks about recent research, which has revealed how attackers can move laterally between vulnerable networks and devices found at the controller level of critical infrastructure. This would allow them to damage assets such as movable bridges physically.

This lateral movement lets attackers access industrial control systems and cross often-overlooked security perimeters to cause physical damage. From sensors that measure and detect pressure, temperature, flow and levels of liquids, air, and gases, to analyzers that determine chemical compositions and actuators that enable machines to move. Moving through these devices at the lowest levels, attackers can circumvent built-in functional and safety limitations to cause significant damage or disruption to services, or worse, pose a potential threat to life.

To demonstrate the potential implications, Forescout has built an industry-first proof-of-concept (PoC) which shows how attackers can move laterally on the controller level (Purdue level 1) to cause cyber and physical impact, as illustrated through the scenario of damaging a movable bridge during a closing sequence.

As part of the research, two new vulnerabilities are also being disclosed for the first time – CVE-2022-45788 and CVE-2022-45789 – which allow remote code execution and authentication bypass, respectively, on Schneider Electric Modicon Unity Programmable Logic Controllers (PLCs).

Modicon PLCs are used in a wide range of industrial processes and critical infrastructure, including in industries such as water and wastewater, mining, manufacturing, and energy. Whilst these devices should not be accessible online, Forescout has found that close to a thousand PLCs have been exposed, with France (33%), Spain (17%), Italy (15%), and the United States (6%) revealed as the countries with the most exposed devices.

The number of devices visible is just a small indication of the popularity of these PLCs, but these devices also highlight some of the critical facilities that rely on them. For example, several devices were connected to hydro power plants, solar parks and airports.


Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment


Tags: Industrial Cybersecurity, OT/ICS critical infrastructure

Apr 14 2022

US government agencies and private firms warn that nation-state actors are targeting ICS & SCADA devices

Category: OT/ICS, Scada Security | DISC @ 8:35 am

The US government agencies warned of threat actors that are targeting ICS and SCADA systems from various vendors.

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) to warn of offensive capabilities developed by APT actors that could allow them to compromise multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

According to the advisory that was issued with the help of leading cybersecurity firms (Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric), nation-state hacking groups were able to hack multiple industrial systems using a new ICS-focused malware toolkit dubbed PIPEDREAM that was discovered in early 2022.

“APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices” reads the advisory.

“The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.”

The toolkit could allow attackers to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.

Threat actors can also leverage a tool to install and exploit a known-vulnerable ASRock-signed motherboard driver (“AsrDrv103.sys“) by triggering the CVE-2020-15368 flaw to execute malicious code in the Windows kernel. The tool could be used to perform lateral movements within an IT or OT environment and interfere with devices’ operation.

Researchers from Dragos shared a detailed analysis of the new PIPEDREAM toolkit confirming that it has yet to be employed in attacks in the wild.

“PIPEDREAM is the seventh known ICS-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.” reads the report published by Dragos. “Dragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects. This is a rare case of accessing and analyzing malicious capabilities developed by adversaries before their deployment and gives defenders a unique opportunity to prepare in advance.”

Mandiant, which tracks the toolkit as INCONTROLLER, also published a detailed analysis warning of its dangerous cyber attack capability.

“The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.” reads the analysis published by Mandiant. “INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017;”

The joint report also included the following recommendations for all organizations with ICS/SCADA devices:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters. 
  • Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups. 
  • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
  • Ensure all applications are only installed when necessary for operation. 
  • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates. 
  • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
  • Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system. 
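The last two recommendations above call for watching driver loads on ICS management hosts, in particular for the ASRock driver the advisory names. The following is an added example, not code from the advisory or from the original post: it runs a small detection routine over a constructed batch of Sysmon-style driver-load records and flags the known-vulnerable AsrDrv103.sys, drivers signed by vendors that are not expected on the host, and drivers that fall outside a baseline. The baseline, the vendor list and the log format are assumptions made for the example.

```python
"""Flag unexpected kernel driver loads on ICS engineering workstations.

Added example, not part of the joint advisory or the original post. The
driver baseline, vendor list and key=value log format are constructed
assumptions; a real baseline is built from a known-good host inventory.
"""
import re
from dataclasses import dataclass

# Drivers normally present on the engineering workstations (constructed).
EXPECTED_DRIVERS = {"ndis.sys", "tcpip.sys", "afd.sys", "disk.sys", "fltmgr.sys"}

# Driver the advisory names as known-vulnerable and abused (CVE-2020-15368).
KNOWN_ABUSED_DRIVERS = {"asrdrv103.sys"}

# Vendors whose drivers are never expected on these hosts (assumption).
UNEXPECTED_VENDORS = {"asrock"}

# Constructed Sysmon-style records (event=DriverLoad is what we inspect).
SAMPLE_EVENTS = r"""
2022-04-13T10:15:02Z host=ENG-WS01 event=DriverLoad image=C:\Windows\System32\drivers\ndis.sys signed=true signer="Microsoft Windows"
2022-04-13T10:15:03Z host=ENG-WS01 event=DriverLoad image=C:\Windows\System32\drivers\tcpip.sys signed=true signer="Microsoft Windows"
2022-04-13T10:22:47Z host=ENG-WS01 event=DriverLoad image=C:\Users\operator\AppData\Local\Temp\AsrDrv103.sys signed=true signer="ASRock Incorporation"
2022-04-13T10:23:10Z host=ENG-WS01 event=DriverLoad image=C:\Windows\Temp\svc_helper.sys signed=false signer=""
2022-04-13T10:30:00Z host=ENG-WS02 event=ProcessCreate image=C:\Windows\System32\notepad.exe
""".strip().splitlines()

# key=value pairs; values may be double-quoted to allow spaces.
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


@dataclass(frozen=True)
class Finding:
    host: str
    driver: str
    severity: str
    reason: str


def parse_event(line):
    """Turn one record into a dict; the leading token is the timestamp."""
    fields = {k: v.strip('"') for k, v in EVENT_RE.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def driver_name(image):
    """Normalise a Windows image path to its lower-case file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate_driver_loads(lines, expected=EXPECTED_DRIVERS, asrock_in_use=False):
    """Return findings for every DriverLoad record that deserves attention.

    asrock_in_use=True suppresses the vendor check for hosts that legitimately
    run ASRock software; the known-vulnerable driver is flagged regardless.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") != "DriverLoad":
            continue
        host = ev.get("host", "?")
        name = driver_name(ev["image"])
        signer = ev.get("signer", "").lower()
        signed = ev.get("signed") == "true"
        if name in KNOWN_ABUSED_DRIVERS:
            findings.append(Finding(host, name, "critical",
                                    "known-vulnerable driver named in the advisory (CVE-2020-15368)"))
        elif not asrock_in_use and any(v in signer for v in UNEXPECTED_VENDORS):
            findings.append(Finding(host, name, "high",
                                    f"driver signed by unexpected vendor: {ev.get('signer')}"))
        elif name not in expected:
            reason = "driver not in host baseline" + ("" if signed else " and unsigned")
            findings.append(Finding(host, name, "high" if not signed else "medium", reason))
    return findings


if __name__ == "__main__":
    for f in evaluate_driver_loads(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.driver} - {f.reason}")
```

On the constructed sample the two Microsoft drivers in the baseline pass silently, AsrDrv103.sys is reported as critical, and the unsigned svc_helper.sys loaded from a temp directory is reported as high. In production the baseline would be generated per host class from a known-good image, and the findings would be forwarded to the SIEM fed by the log collection the advisory asks for.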


Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment




Tags: ICS & SCADA devices, Industrial Cybersecurity

Mar 23 2022

US critical infrastructure operators should prepare for retaliatory cyberattacks

Category: Cyber Attack, OT/ICS, Scada Security | DISC @ 9:13 pm

The warning

“Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors,” he noted, and advised those that have not yet done it to harden their cyber defenses by implementing security best practices delineated earlier this year.

“[This warning is] based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” he added.

US Deputy National Security Advisor Anne Neuberger has followed up the warning with a press briefing, during which she stated that “there is no certainty there will be a cyber incident on critical infrastructure,” but that owners and operators of critical infrastructure have the ability and the responsibility to harden the systems and networks the country relies on.

She shared that last week, federal agencies hosted classified briefings with several hundred companies in sectors they felt would be most affected, and “provided very practical, focused advice.”

Previously, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help critical infrastructure owners and operators identify and mitigate the risks of influence operations that use mis-, dis-, and malinformation (MDM) narratives.

Neuberger also said that US agencies have not yet attributed the recent attack on satellite communications company Viasat. Nevertheless, the attack has been followed by a CISA alert advising SATCOM network providers or customers on how to upgrade their defenses.

A trigger for important conversations


Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook

Tags: Critical infrastructure, Critical Infrastructure Risk Assessment

Dec 14 2021

Modern cars: A growing bundle of security vulnerabilities

Category: OT/ICS, Scada Security | DISC @ 9:55 am

Cars are becoming increasingly smart and an extension to our mobile phones. How is this impacting users’ security and privacy?

With the expansion of our technology in use, our vulnerability surface increases dramatically. Ultimately, this is yet another vulnerability to keep in mind for your own safety and security. As we grow in our technology and dependence thereon, that inherently expands the opportunity for bad actors to take advantage of the dependence. The difference with car vulnerability, however, is you’re not just talking about your personal data being compromised, but rather the influence over your car while driving could affect your immediate physical safety.

In terms of privacy, the onboard computers of used, rented, or crashed/totaled vehicles can contain sensitive residual data from previous drivers such as contact and calendar details, unencrypted videos, and more.

What are the biggest vulnerabilities of today’s modern cars?

The lack of one single “gate keeper” is a substantial issue when it comes to modern car vulnerability. The patchwork of various technologies being meshed together for the overall car means not only is there not one single overseer of that technology but also that protocols are set without security in mind because they need to be able to easily communicate with each other.

In addition, we see the same vulnerabilities that you have with your phones and computers: protocol vulnerability. The difference is what the bad actors could have access to: electronic control units (ECUs) which all communicate to access and control the subsystems in a car such as your braking or navigation system. Not only could the hacker access the vehicle information resulting in influence on the car such as the alert systems within the vehicle, but could also access personal information such as home addresses or phone IPs.

What are the techniques hackers could use to compromise a car?

Hacking Connected Cars: Tactics, Techniques, and Procedures

Tags: cars security, Hacking Connected Cars

May 17 2021

Is 85% of US Critical Infrastructure in Private Hands?

Category: OT/ICS, Scada Security | DISC @ 9:20 am

When this problem is discussed, people regularly quote the statistic that 85% of US critical infrastructure is in private hands. It’s a handy number, and matches our intuition. Still, I have never been able to find a factual basis, or anyone who knows where the number comes from. Paul Rosenzweig investigates, and reaches the same conclusion.

Public Private Partnerships (PPP): Construction, Protection, and Rehabilitation of Critical Infrastructure

Discuss objectives and legal requirements associated with PPPs, the potential advantages and limitations of PPPs, and provide guidance as to how to structure a successful PPP for infrastructure investment.

Critical Infrastructure Risk Assessment

Tags: Critical infrastructure

May 13 2021

Security at Bay: Critical Infrastructure Under Attack

Category: OT/ICS, Scada Security | DISC @ 10:33 pm

The attack perpetrated by hackers on oil company Colonial Pipeline highlights the dangers facing Industrial Control Systems (ICS) and the need for change in the information security landscape.

The attack took place on May 7th, when hackers used ransomware to cripple the company’s defenses. As a result, all operations were forced to shut down, as were the operating systems used by the company. A group named DarkSide claimed responsibility for the Colonial Pipeline attack.

The group has been active since August and is part of a professional crime industry that has caused billions of dollars in damage. President Biden has delivered remarks pointing to Russian involvement in the development of the ransomware. It is not clear whether Colonial has paid the ransom demand.

The attack brought to light how vulnerable critical national infrastructure (CNI) is, and the need for new methodologies to address threats that evolve daily in many different ways. As far as we know, this attack has shown that the common understanding of information security has become outdated, as have the solutions that were supposed to protect company assets.

The impact of the attack went far beyond what was expected. Consumers were directly hit by a price hike. In the Southeast, some drivers started stocking up as the fuel available at filling stations dropped. About 5,500 miles of pipeline were shut down; in numbers, that represents 45% of the fuel consumed from Texas to New York.

As reported by Recorded Future, ransomware groups are gaining momentum and spreading across every sector. From industry to education, everyone is a target of ransomware. It is important to note that the hackers are publishing part of the stolen data and demanding money in exchange for not publishing the rest.

While the United States bears the brunt of ransomware attacks, hackers are also aiming to make victims of other countries. Freedom and security are deeply rooted in the American dream, but today the whole nation sees these rights eroded by the dangers of information insecurity.

The US Department of Justice and a group of companies have created a task force to address the ransomware threat. However, the tools released by the Equation Group in the past could be the tipping point for new attacks, or for the development of new ways to bypass known protections.

Little is known yet about how the company was breached, but it is certain that the goal was to obtain money rather than to corrupt the system. Some parts of the system have been restored, and the company said it will update its systems. Part of its operations are manual at this time, and it is not certain when supplies will return to normal.

The question now is whether the available supplies will be enough. The disruption of supplies could affect many sectors. Bitdefender released a decryption tool in January for an older version of the ransomware, but said that the tool does not work for this new version. According to Bloomberg, 100GB was stolen in just two hours. This is a remarkable event, to be considered the largest successful act of cyberwarfare.

Finally, we need to develop new systems and new technologies, as this could be the start of a surge of new threat actors and new attacks that cannot be stopped by current protection solutions.


May 30 2020

Steganography Anchors Pinpoint Attacks on Industrial Targets

Category: Scada Security | DISC @ 11:36 pm

Ongoing spear-phishing attacks aim at stolen Windows credentials for ICS suppliers worldwide.

Source: Steganography Anchors Pinpoint Attacks on Industrial Targets

Steganography Tutorial | How To Hide Text Inside The Image | Cybersecurity Training | Edureka

The Four Types of Threat Detection and Use Cases in Industrial Security


Sep 27 2019

State of OT/ICS CyberSecurity

Category: OT/ICS, Scada Security | DISC @ 6:42 pm

State of OT/ICS Cybersecurity 2019 [Infographic via SANS Institute]

State of ICS/OT CyberSecurity: pdf

Guide to Industrial Control Systems (ICS) Security

Independent Study Pinpoints Significant SCADA/ICS Security Risks

Cyber-Security and Governance for Industrial Control Systems

NIST Releases Cybersecurity Guide for Energy Sector to Improve Operational Technology

NSM/threat hunting in OT/ICS/SCADA environments

The Convergence (and Divergence) of IT and OT Cyber Security

ICS Security Assessment Methodology, Tools & Tips


Jan 29 2019

Cyber attacks: China and Russia can disrupt US power networks warns intelligence report | ZDNet

Category: Scada Security | DISC @ 5:54 pm


Countries could launch damaging attacks against gas pipelines and electricity grid, says assessment.

Source: Cyber attacks: China and Russia can disrupt US power networks warns intelligence report | ZDNet