(Eduard Kovacs – SecurityWeek) MITRE on Tuesday announced the initial release of a version of its ATT&CK knowledge base that covers the tactics and techniques used by malicious actors when targeting industrial control systems (ICS).
MITRE’s ATT&CK framework has been widely used by cybersecurity professionals to describe and classify attacker behavior and assess an organization’s risks. The new ATT&CK for ICS knowledge base builds upon it in an effort to help critical infrastructure and other organizations whose environments house ICS.
In addition to a matrix that provides an overview of the tactics and techniques used by adversaries, ATT&CK for ICS covers attack techniques in more detail, the malware used by threat actors, and the threat groups known to have launched ICS-related attacks. It also includes an Assets category in order to help organizations understand which techniques can be applied to their environment.
The knowledge base currently describes 81 attack techniques, 17 pieces of malware, 10 threat groups, and 7 types of assets.
According to MITRE, the framework shows which of the ICS-specific applications and protocols — typically used by operators to interact with physical equipment — can be abused by adversaries.
“The knowledge base can play several key roles for defenders, including helping establish a standard language for security practitioners to use as they report incidents,” MITRE said. “With expertise in this domain in short supply, it can also help with the development of incident response playbooks, prioritizing defenses as well as finding gaps, reporting threat intelligence, analyst training and development, and emulating adversaries during exercises.”
ATT&CK for ICS was developed with help from over 100 individuals representing 39 organizations, including security and threat intelligence companies focusing on ICS, national labs, industrial product manufacturers, universities, research institutes, government agencies, and Information Sharing and Analysis Centers (ISACs).
“Asset owners and defenders want deep knowledge of the tradecraft and technology that adversaries use in affecting industrial control systems to help inform their defenses,” said Otis Alexander, a lead cybersecurity engineer focusing on ICS security at MITRE. “Adversaries may try to interrupt critical service delivery by disrupting industrial processes. They may also try to cause physical damage to equipment. With MITRE ATT&CK for ICS, we can help mitigate the catastrophic failures that affect property or human life.”
Austin Scott, principal ICS security analyst at Dragos, commented, “[ATT&CK for ICS] is a huge win for the front-line ICS network defenders who now have a common lexicon for categorizing ICS specific techniques to support reporting and further analysis.”
MITRE Releases ATT&CK Knowledge Base for Industrial Control Systems
(Eduard Kovacs - SecurityWeek) MITRE on Tuesday announced the initial release of a version of its ATT&CK knowledge base that covers the tactics and techniques used by malicious actors when targeting industrial control systems (ICS). MITRE’s ATT&CK framework has been widely used by cybersecurity professionals to describe and classify attacker behavior and assess an organization’s risks. The new ATT&CK for ICS knowledge base builds upon it in an effort to help critical infrastructure and other organizations whose environments house ICS. In addition to a
Jennifer Leggio Joins Claroty as Chief Marketing Officer
Industrial cybersecurity firm Claroty announced that Jennifer Leggio has taken the role of Chief Marketing Officer (CMO) at the company.
Leadership, Security, and Support at the Clinton White House (Video)
Presented at SecurityWeek's 2018 ICS Cyber Security Conference How would you handle leadership in this the most stressful Chief Information Officer (CIO) job in the World – being the CIO at The White House? Colonel Gelhardt answers this question, and talks about the leadership and mentorship he used and how you can use the same skills in the civilian world. If he can do it so can you! Speaker: Colonel Mark Gelhardt - Former CIO for President Clinton
Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks By Injecting Ladder Logic Code into PLCs
Presented first at SecurityWeek's 2017 ICS Cyber Security Conference, this presentation explains how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340kHz-420kHz), with the modulation representing encoded reconnaissance data. The signal can then be picked up by a nearby antenna and decoded using a low-cost Software-Defined Radio (SDR) and a PC. The receiving equipment can be located just outside the facility
The Growing Threat of Drones
Drones are an increasing threat to industrial sites, enabling various attacks (cyber and physical) that historically were only possible in close proximity to a facility or device.
Cisco to Acquire OT Cybersecurity Firm Sentryo
Cisco on Thursday announced that it has agreed to acquire privately-held operational technology (OT) cybersecurity firm Sentryo for an undisclosed sum. Founded in 2014 and headquartered in Lyon, France, Sentryo, provides device visibility and security solutions for industrial control system (ICS) networks and OT assets. “Sentryo’s industrial IoT/OT technology solution helps companies like those in the energy, manufacturing, oil and gas and transportation sectors ensure the resilience of their industrial networks and protect against cybersecurity attacks,” said Rob Salvagno, VP Global Corporate Development at
Ransomware Attack Costs Aluminum Giant Norsk Hydro Tens of Millions of Dollars
(Eduard Kovacs - SecurityWeek) - Norwegian aluminum giant Norsk Hydro lost $35-41 million in the first quarter of 2019 as a result of the ransomware attack and expects additional losses of $23-29 million in the second quarter. A piece of file-encrypting ransomware named LockerGoga started infecting Norsk Hydro systems on March 18. The attack caused disruptions at several of the company’s plants, forcing workers to rely on manual processes. Hydro has been highly transparent regarding the impact of the incident. It claimed
NIST Working on IIoT Security Guide for Energy Companies
(Eduard Kovacs - SecurityWeek) - The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), this week announced that it’s working on a project whose goal is to help the energy sector secure industrial Internet of Things (IIoT) systems. A draft of the project was published on Monday and the NCCoE is hoping to get some feedback until June 5 that would help it “refine the challenge and scope.” Industrial IoT Security Guide From NIST Designed to
Hackers Behind Triton ICS Malware Hit Additional Critical Infrastructure Facility
Triton Hackers Focus on Maintaining Access to Compromised Systems, Report Says (SecurityWeek - Eduard Kovacs) - The tools and techniques used by the threat group behind the notorious Triton malware show that the hackers are focused on maintaining access to compromised systems, according to FireEye. The existence of Triton, also known as Trisis and HatMan, came to light in 2017 after the malware had caused disruptions at an oil and gas plant in Saudi Arabia. FireEye’s Mandiant was called in to investigate the
Active vs. Passive Network Monitoring: No Longer an Either-Or Proposition
The Opportunity for OT Security Teams to Fill the Gaps in Their Visibility Has Never Been Better (SecurityWeek - Galina Antova) - Most experienced security professionals have heard the axiom, “You can’t protect what you can’t see.” It’s admittedly a truism for cybersecurity… obviously the more you know and understand about your environment, the better equipped you are to detect and investigate suspicious behavior. But it also leads to a classic security conundrum: how do you implement discovery and monitoring in