All Articles by Joseph Agres

Vulnerabilities Leave Automated Mobile Robots Susceptible to Attack

ICS Advisory (ICSA-21-280-02) details multiple vulnerabilities in Mobile Industrial Robots’ (MiR’s) line of Autonomous Mobile Robots (AMRs) [1]. Significant vulnerabilities include improper access control, missing authentication, missing encryption, weak encoding for passwords, and incorrect default permissions. For example, two application programming interfaces are accessible from both wired and wireless network interfaces. An actor could use these vulnerabilities to take control of a robot, cause a denial-of-service condition, or exfiltrate data over the web interface. MiR has produced more than 5,000 AMRs used to transport pallets and other loads. These AMRs operate in manufacturing facilities, logistics centers, and hospitals in more than 60 countries [2]. Attackers could exploit these vulnerabilities to disrupt and delay the movement of materials across facilities, affecting overall production levels. We recommend MiR users plan to upgrade to the latest software version and change the default credentials when configuring the robots.

US Government Agencies Issue Joint Cybersecurity Advisory Updates Threats to U.S. Water and Wastewater Systems

Several US Government agencies issued a joint advisory highlighting malicious cyber activity targeting the U.S. Water and Wastewater Sector (WWS) [1]. Common threat tactics identified in WWS facilities include: 1) spearphishing personnel to deliver malware or ransomware, 2) exploitation of unsupported or outdated operating systems and software, and 3) exploitation of outdated control system devices or firmware versions. The advisory reported that remote access to operational technology (OT) networks increased due to the COVID-19 pandemic, which has created additional access points for malicious actors. It also confirmed that ransomware was discovered on supervisory control and data acquisition (SCADA) systems at three different WWS facilities just this year. We recommend that personnel in all 16 critical infrastructure sectors use this joint advisory to identify vulnerabilities within their networks and physical systems and adopt appropriate mitigations.

Vulnerabilities in AUVESY Versiondog Data Management Software May Affect Industrial Environments

A CISA ICS Advisory warns of vulnerabilities in AUVESY versiondog data management software that could allow attackers to execute code remotely and acquire complete remote control over industrial machines [1]. AUVESY versiondog is an automated change management application providing backup and compare functions to monitor, track, and store changes. Versiondog supports devices from all major industrial control system manufacturers and is used by more than 1,200 customers worldwide [2]. Claroty Team82 disclosed the critical vulnerabilities to AUVESY last year. The security flaws may allow an attacker to execute arbitrary code. AUVESY reports that version 8.1 fixes these vulnerabilities [3]. Affected organizations may contact AUVESY to obtain the appropriate update.

Cyberattack Disrupts Wisconsin Milk Distribution

Schreiber Foods, one of the largest milk producers in Wisconsin, was affected by an undisclosed “cyber event” that halted operations at the company’s plants and distribution centers. Attackers reportedly demanded a $2.5 million ransom after the attack [1]. The cyber event impacted systems starting on Friday, October 25, and lasted through the weekend [2]. The attack affected Schreiber’s ability to receive raw materials and to produce and ship products. Furthermore, some employees were unable to get inside buildings to work. This event is the latest in a series of ransomware attacks against the food and agriculture sector. In particular, it highlights the vulnerability of the dairy industry, due to the perishable nature of the raw product. We recommend that companies within the sector evaluate their corporate and operational network security to reduce the effects of an attack on production. In addition, companies need to develop, maintain, and rehearse a response plan to minimize production delays following attacks.

Industrial Automation Companies Announce Partnerships to Improve Cybersecurity

Claroty and Rockwell Automation announced a new integration between the former's Continuous Threat Detection (CTD) platform and the latter's FactoryTalk AssetCentre to protect and manage industrial networks [1]. Within 24 hours, Palo Alto Networks and Siemens announced a partnership to sell Siemens' Ruggedcom networking and security platforms with Palo Alto Networks VM-Series firewalls built in [2]. In addition to these announcements, we note that traditional IT security vendors including Microsoft, Forescout, and Cisco have acquired Operational Technology (OT) and Internet of Things (IoT) startups, potentially to compete in the growing industrial cybersecurity market.

Johnson Controls Receives ISASecure® Component Security Assurance Certification

Johnson Controls announced it earned the world’s first ISASecure CSA certification for a smart buildings product with its YORK YK and YZ chillers [1]. YORK YK and YZ chillers are advertised as water-cooled, centrifugal chillers for use in any facility, ranging from schools to data centers. The ISASecure Component Security Assurance (CSA) is a certification program for control system components that focuses on the security of software applications, embedded devices, host devices, and network devices (per IEC 62443-4-2) [2]. ISASecure currently lists 50 IEC 62443-4-2 certified components from various manufacturers on its website. Industrial manufacturers are increasingly advertising cybersecurity capabilities alongside traditional factors such as flexibility, performance, and efficiency. The ISASecure CSA adds legitimacy to a vendor’s claim of a secure product but does not absolve the user from exercising due diligence. In addition, the user should understand the specific requirements for obtaining an ISASecure CSA certification. The user must still determine how the certified device fits into a more extensive system and what vulnerabilities remain at the system level.

Claroty Highlights ICS Lessons Learned from 250 Published CVEs

The industrial cybersecurity company Claroty released a blog post highlighting the achievements of its white-hat research team, Team82 [1]. The post calls attention to significant trends and best practices within Industrial Control System (ICS) and Operational Technology (OT) cybersecurity. It also stresses the importance of collaboration between researchers and vendors to address vulnerabilities before they are exploited and to improve all-around security response efforts. The post emphasizes that professionals should articulate when and why software and firmware patches are unnecessary, and how other controls can better mitigate risk, with the ultimate goal of improving security for the end user.

Tardigrade Malware Targets Biomanufacturing Firms

The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) released an advisory concerning an advanced persistent threat (APT) specifically targeting bioeconomy companies and the biomanufacturing sector [1]. BioBright researchers identified the malware, nicknamed Tardigrade, after a ransomware attack locked computers across a biomanufacturing facility in the spring [2]. Tardigrade is highly customizable, adapts to the environment it infects, and can act autonomously if cut off from the attacker’s command-and-control server. The malware is delivered primarily via phishing emails and infected USB drives [3]. Suspected motivations for attacks include intellectual property theft, persistence, and ransomware preparation. We recommend scanning networks for indicators of compromise identified by BIO-ISAC. In addition, companies should review their biomanufacturing network to verify proper segmentation between corporate, guest, and operational networks. Companies should also test and perform offline backups for critical biological infrastructure, including ladder logic for biomanufacturing instrumentation, SCADA and historian configurations, and the batch record system.
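The first recommendation above, sweeping the network for the BIO-ISAC indicators of compromise, is straightforward to automate once the indicator list is in hand. The following is an added example (not code from BIO-ISAC, BioBright, or the digest) that matches a small IoC set against host and network telemetry records. The indicator values and the telemetry records are constructed placeholders; the real hashes, domains, and addresses must be taken from the BIO-ISAC advisory, which this page does not reproduce.

```python
"""Minimal indicator-of-compromise sweep over host and network telemetry.

Added example, not part of the BIO-ISAC advisory. All indicator values and
telemetry records below are CONSTRUCTED placeholders; replace IOC_LIST with
the indicators published by BIO-ISAC before running against real data.
"""
import ipaddress

# PLACEHOLDER indicators standing in for the advisory's published list.
IOC_LIST = {
    "sha256": {"0" * 63 + "1"},                 # placeholder file hash
    "domains": {"c2.example.invalid"},           # placeholder C2 domain (.invalid TLD)
    "ipv4": {"203.0.113.7", "198.51.100.0/24"},  # placeholder C2 address and range (TEST-NETs)
    "filenames": {"tardigrade_loader.exe"},      # placeholder dropped-file name
}

# Constructed sample telemetry: EDR file events, DNS queries, firewall flows.
SAMPLE_RECORDS = [
    {"source": "edr", "host": "bioreactor-hmi-01",
     "file": "C:\\Temp\\Tardigrade_Loader.exe", "sha256": ("0" * 63 + "1").upper()},
    {"source": "dns", "host": "batch-record-srv", "query": "beacon.c2.example.invalid."},
    {"source": "fw", "host": "guest-ap-03", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"source": "dns", "host": "historian-02", "query": "update.vendor.example"},
    {"source": "edr", "host": "eng-ws-12",
     "file": "C:\\Program Files\\Vendor\\app.exe", "sha256": "a" * 64},
]


def domain_matches(query, ioc_domains):
    """Return the matching indicator if the query is the IoC domain or a subdomain of it."""
    q = query.rstrip(".").lower()  # DNS logs often carry a trailing dot
    for d in ioc_domains:
        d = d.lower()
        if q == d or q.endswith("." + d):
            return d
    return None


def ip_matches(addr, ioc_ips):
    """Return the matching indicator if addr is a listed host or falls inside a listed CIDR."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for entry in ioc_ips:
        if ip in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def sweep(records, iocs=IOC_LIST):
    """Match every record against every indicator type; return one hit per match."""
    hits = []
    filenames = {f.lower() for f in iocs["filenames"]}
    for idx, rec in enumerate(records):
        def hit(kind, value):
            hits.append({"record": idx, "host": rec["host"], "type": kind, "indicator": value})

        sha = rec.get("sha256", "").lower()          # hashes compare case-insensitively
        if sha in iocs["sha256"]:
            hit("sha256", sha)
        path = rec.get("file", "").replace("\\", "/")  # normalise Windows separators
        name = path.rsplit("/", 1)[-1].lower()
        if name and name in filenames:
            hit("filename", name)
        query = rec.get("query")
        if query and (d := domain_matches(query, iocs["domains"])):
            hit("domain", d)
        dst = rec.get("dst_ip")
        if dst and (e := ip_matches(dst, iocs["ipv4"])):
            hit("ipv4", e)
    return hits


def hosts_to_review(hits):
    """Sorted, de-duplicated list of hosts with at least one indicator match."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    for h in sweep(SAMPLE_RECORDS):
        print(f"record {h['record']:>2}  {h['host']:<18} {h['type']:<8} {h['indicator']}")
    print("hosts to review:", ", ".join(hosts_to_review(sweep(SAMPLE_RECORDS))))
```

Matches on operational hosts (here the constructed `bioreactor-hmi-01` and `batch-record-srv`) are the ones that matter most for the second recommendation: a batch record server resolving a command-and-control domain means traffic is crossing from the operational segment to the internet, which is exactly what the corporate/guest/OT segmentation review should rule out.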

#Infrastructure

Energy and Commerce Committee Hearing on Pipeline Reliability Bill

The Energy and Commerce Committee will hold a hearing on Tuesday, December 7, at 10:30 a.m. (EST) entitled “Securing our Energy Infrastructure: Legislation to Enhance Pipeline Reliability.” The committee and subcommittee chairs released a joint statement highlighting the importance of pipeline security and reliability in the wake of the Colonial Pipeline ransomware attack, and the failure of Texas’ natural gas infrastructure during a winter storm. The congressmen proposed creating a new entity charged with developing enforceable pipeline reliability standards, including cybersecurity, similar to the electric sector [1]. This hearing builds on a DHS Security Directive issued on July 20, 2021, mandating cybersecurity measures for critical pipelines transporting hazardous liquids and natural gas [2]. We recommend that parties in the pipeline industry and industrial cybersecurity sector stay abreast of the hearing and potential legislation. Increased government regulation of critical pipelines offers increased opportunities for those industrial cybersecurity firms positioned to provide essential services.
