The following article has been re-published with the permission of Energy Wire
(original text available at http://www.eenews.net/energywire/stories/1060031555/)
Experts compete to find Ukraine grid hack 'smoking gun'
Blake Sobczak, E&E reporter
Published: Monday, February 1, 2016
A six-hour blackout in western Ukraine has continued to puzzle investigators weeks after the lights came back on.
The Dec. 23 power outage in Ukraine's Ivano-Frankivsk region was minor by most standards, severing electricity to 80,000 households. Half a world away, windstorms were busy knocking out power to more than twice as many utility customers in northern Michigan.
But Ukraine's outage that day resulted from a complex attack combining malware, a flood of telephone calls and, perhaps, a few unwitting accomplices in grid control centers.
Ukrainian officials are dissecting the BlackEnergy strain of malware found to have infected energy, media and government organizations across the country. Authorities haven't yet offered a detailed account of Dec. 23's events, so security researchers have pieced together their own -- sometimes competing -- versions of what happened.
Friday, February 5, 2016
Friday, January 16, 2015
A unique opportunity to learn both ICS implementation and cyber security skills is now available !!!
The interest in the intense, immersion 10-day program on ICS implementation and security has been overwhelming. This course is not currently scheduled for public offerings. However ...
Joel Langill (founder of SCADAhacker.com) has joined forces with leading system integrator Lin & Associates of Phoenix, Arizona to offer a unique opportunity to learn the basics of ICS configuration and operation, in a public 3-day workshop scheduled for March 3-5 (optional 1-day ICS workshops available on March 6). These 4 days provide both lecture and hands-on modules, and provide an opportunity for attendees to get "up close and personal" with the systems really used to control critical infrastructure. No virtual PLCs, Raspberry Pi, or "toy" SCADA equipment - real ICS equipment used at the heart of the industrial automation and control industry.
Thursday, July 10, 2014
Cyber Espionage Campaign Hits Energy Companies
Over the past couple of weeks, cybersecurity vendors have announced the uncovering of a successful cyber espionage campaign carried out by the Dragonfly hacking group. In the most recent string of attacks, Dragonfly (also referred to by the name Energetic Bear) has targeted multiple US and European energy companies, successfully looting valuable process information in what appears to be the next step in the cyber warfare campaign against critical infrastructure organizations, after Stuxnet in 2010. Cybersecurity vendors have scrutinized the campaign and presented an analysis of the malware employed by Dragonfly to steal information from the infected computers.
Yesterday, a short paper I co-authored with Security Matters was released. This short paper revisits the main points of this investigation, including additional details into the specifics of the components of the campaign that exploit industrial control systems. This paper also illustrates why the implementation of a defense-in-depth (DiD) strategy is key to successfully counter cyberthreats like Dragonfly. One of the key aspects of improved DiD involves improving situation awareness within industrial architectures. SilentDefense ICS is one key element in the overall process of gaining insight into your ICS architectures allowing early detection and rapid mitigation of cyber threats.
A complete copy of the paper is available by clicking here.
I am currently actively engaged in research of the campaign and the malware employed. In the coming weeks, I will also be releasing another paper that will discuss in detail the overall campaign, how the various pieces of the attack are being deployed, and how they are being used against companies relating to industrial automation and control. Stay tuned to SCADAhacker.com and watch my Twitter feed for additional release details.
Tuesday, July 1, 2014
DragonFly/Havex Resource Page Now Available on SCADAhacker.com
Today, I am happy to announce the launch of a new page on SCADAhacker.com devoted to providing timely and relevant information relating to the Dragonfly/Havex campaign. Like resource pages developed in the past for Stuxnet and Duqu, this page will provide a one-stop location for key resources pertaining to industrial control systems as used in this campaign, including Technical Reports, White Papers, ICS-CERT Advisories and Alerts, Press Reports, and other pertinent information.
The site will also include a dynamic Twitter feed tracking related posts utilizing hashtags #havex, #dragonfly, and #energeticbear.
If there is anything that you find that could be of use to the general community, please feel free to share this by sending me an email.
Dragonfly/Havex Resource Page on SCADAhacker.com
Monday, May 5, 2014
Presentation for upcoming ICSJWG "Can you hear me now? Standing up a Security Event Management System to improve Situational Awareness"
I am honored to again be presenting at the Industrial Control System Joint Working Group (ICSJWG) meeting scheduled for June 3-5 in Indianapolis, Indiana. I will be participating in a panel discussion on Heartbleed and its impact on control systems, where I will be sharing some of my research findings and my point of view based on ICS systems at large.
I will also have a session presentation entitled "Can you hear me now? Standing up a SEM to improve Situational Awareness". This session is tentatively scheduled for Wednesday, June 4 at 1:00-2:00pm.
I am looking forward to seeing many of you
Thursday, April 17, 2014
Why "Heartbleed" will only require a Band-Aid in most ICS installations
(This article was originally posted on ISSSource on April 16, 2014 by Gregory Hale with contributions from Joel Langill)
Heartbleed may need a Band-Aid to fix various small wounds in the industrial control environment, but it surely does not need open-heart surgery.
Tuesday, March 18, 2014
Recent development of ICS exploits continues upward trend of security research
In performing my daily rounds on news feeds and websites, I noticed a lot of recent developments in open-source exploit modules targeting industrial control systems. One very important part of a well-rounded ICS Security Management System (IACS-SMS per ISA 62443 terminology) is situational awareness of the actual risks facing industrial systems in terms of both vulnerabilities disclosed and the ease in converting these proof-of-concept (PoC) disclosures into workable exploit modules.
Labels: cyber security, DCS, Exploits, ICS, ICS-CERT, Metasploit, SCADA, Vulnerabilities
Wednesday, January 22, 2014
Gleg releases Ver 1.31 of the SCADA+ Exploit Pack for Immunity Canvas
Gleg announced last week (January 16) the release of version 1.31 of the SCADA+ Exploit Pack for the Immunity Canvas framework.
A summary of recent releases includes:
- Version 1.30 was released on December 13, 2013
- Version 1.29 was released on November 22, 2013
- Version 1.28 was released on October 7, 2013
- Version 1.27 was released on September 6, 2013
- Version 1.26 was released on August 14, 2013
- Version 1.25 was released on July 5, 2013
- Version 1.24 was released on May 14, 2013
- Version 1.23 was released on April 22, 2013
- Version 1.22 was released on February 27, 2013
- Version 1.21 was released on February 7, 2013
- Version 1.20 was released on December 21, 2012
- Version 1.19 was released on November 8, 2012
Friday, November 8, 2013
"Stop the Madness!!!" - Mr. Wonderful, Shark Tank
For those that attended, it was a great week in Rockville at the recent ICSJWG Fall Meeting. I was very much hoping that so many of these "alarmists" who continue to "cry wolf" about these DNP3 vulnerabilities would attend so that we could once and for all resolve some of the issues around how this is being communicated to the broader ICS security community. Unfortunately, none seemed to show their faces, except for Adam Crain, who provided me the opportunity to have a very detailed discussion around these vulnerabilities (unfortunately, the contents of these discussions will remain private).
Tuesday, October 8, 2013
Gleg releases Ver 1.28 of the SCADA+ Exploit Pack for Immunity Canvas
Wow ... they are really providing a steady stream of updates as Gleg announced today (October 8) the release of version 1.28 of the SCADA+ Exploit Pack for the Immunity Canvas framework.
A summary of recent releases includes:
- Version 1.27 was released on September 6, 2013
- Version 1.26 was released on August 14, 2013
- Version 1.25 was released on July 5, 2013
- Version 1.24 was released on May 14, 2013
- Version 1.23 was released on April 22, 2013
- Version 1.22 was released on February 27, 2013
- Version 1.21 was released on February 7, 2013
- Version 1.20 was released on December 21, 2012
- Version 1.19 was released on November 8, 2012
Tuesday, September 17, 2013
Gleg releases Ver 1.27 of the SCADA+ Exploit Pack for Immunity Canvas
Like clockwork, Gleg announced on September 6 the release of version 1.27 of the SCADA+ Exploit Pack for the Immunity Canvas framework.
A summary of recent releases includes:
- Version 1.26 was released on August 14, 2013
- Version 1.25 was released on July 5, 2013
- Version 1.24 was released on May 14, 2013
- Version 1.23 was released on April 22, 2013
- Version 1.22 was released on February 27, 2013
- Version 1.21 was released on February 7, 2013
- Version 1.20 was released on December 21, 2012
- Version 1.19 was released on November 8, 2012
Thursday, September 5, 2013
InteVyDis releases Ver 10 of the VulnDisco Exploit Pack for Immunity Canvas with ICS Modules
On September 4, InteVyDis announced version 10.0 of their VulnDisco Exploit Pack for the Immunity Canvas framework. For the first time, this pack appears to contain ICS modules, including 0-days.
Wednesday, August 14, 2013
Gleg releases Ver 1.26 of the SCADA+ Exploit Pack for Immunity Canvas
Right on schedule with their next release just one month after their previous update ... Gleg announced on August 14 the release of version 1.26 of the SCADA+ Exploit Pack for the Immunity Canvas framework.
A summary of recent releases includes:
- Version 1.25 was released on July 5, 2013
- Version 1.24 was released on May 14, 2013
- Version 1.23 was released on April 22, 2013
- Version 1.22 was released on February 27, 2013
- Version 1.21 was released on February 7, 2013
- Version 1.20 was released on December 21, 2012
- Version 1.19 was released on November 8, 2012
Thursday, July 11, 2013
Gleg releases Ver 1.25 of the SCADA+ Exploit Pack for Immunity Canvas
Gleg announced on July 5 the release of version 1.25 of the SCADA+ Exploit Pack for the Immunity Canvas framework. This is in keeping with their unofficial schedule of continuing to release updates to this exploit pack approximately every month.
A summary of recent releases includes:
- Version 1.24 was released on May 14, 2013
- Version 1.23 was released on April 22, 2013
- Version 1.22 was released on February 27, 2013
- Version 1.21 was released on February 7, 2013
- Version 1.20 was released on December 21, 2012
- Version 1.19 was released on November 8, 2012
Monday, April 22, 2013
Gleg releases Ver 1.23 of the SCADA+ Exploit Pack for Immunity Canvas
Gleg announced this morning (April 22) the release of version 1.23 of the SCADA+ Exploit Pack for the Immunity Canvas framework. This is in keeping with their unofficial schedule of continuing to release updates to this exploit pack approximately every month.
A summary of recent releases includes:
- Version 1.22 was released on February 27, 2012
- Version 1.21 was released on February 7, 2012
- Version 1.20 was released on December 21, 2012
- Version 1.19 was released on November 8, 2012
Monday, December 24, 2012
Gleg releases Ver 1.20 of the SCADA+ Exploit Pack for Immunity Canvas
In keeping with their previous record of releasing updates on a regular basis, Gleg announced on December 24 the release of version 1.20 of the SCADA+ Exploit Pack for the Immunity Canvas framework.
Version 1.19 was released on November 8, 2012.
Thursday, November 8, 2012
Gleg releases Ver 1.19 of the SCADA+ Exploit Pack for Immunity Canvas
On November 8, a reference on the Gleg website indicated that they would be releasing version 1.19 of the SCADA+ Exploit Pack for the Immunity Canvas framework offered by Gleg. On November 9, the Immunity Inc. listserver provided confirmation that the update is now available.
Gleg remains active and devoted to continuing to release SCADA+ Exploit Pack modules on a regular basis, with this release coming just 4 weeks after v1.18!
All of the SCADA exploits included in this release cover 0-day vulnerabilities that have not been previously disclosed, including any published advisories or alerts from ICS-CERT. Both ICS systems included in this release represent reasonable risk to critical infrastructure and manufacturing facilities within the USA.
Wednesday, October 10, 2012
Gleg releases Ver 1.18 of the SCADA+ Exploit Pack for Immunity Canvas
On October 10, Gleg released version 1.18 of the SCADA+ Exploit Pack for the Immunity Canvas framework, along with a corresponding version 2.17 of the Agora Exploit Pack.
Gleg remains active and devoted to continuing to release SCADA+ Exploit Pack modules on a regular basis, at approximately 4-8 week intervals!
All of the SCADA exploits included in this release cover 0-day vulnerabilities that have not been previously disclosed, including any published advisories or alerts from ICS-CERT. Two of the systems included in this release do not appear to be high-risk to most critical infrastructure and manufacturing facilities within the USA; however, these products do have references within these industries in other countries so due diligence should be performed if you own a potentially vulnerable system. A third system, which is actually one of the leading RTOS used by many embedded devices, could pose elevated risk to ICS users.
Thursday, April 5, 2012
What do March Madness and Cyber Security have in common?
(this blog was originally posted by Bryan Owen on the vCampus Blog and is copied here for wider distribution)
OSIsoft User Conference 2012: Cyber Security Line Up
March Madness is a wrap, did your picks do well? You can consider the Pwn2Own competition at CanSecWest as a cyber security version of March Madness.
In continuation of a global trend, this year signaled a change in the 'sport of hacking'. Move over undergrads. Pwn2Own has become a professional contest. It was Vupen's dedicated exploit team versus Google's Chrome security team (both declared victory but Vupen's story won better news coverage).
So yes, cyber security is a team sport. It is complete with talented athletes, coaches, and trainers. Let's not forget the fans, institutions, regulators, media and the rest of the ecosystem. Do you have PI System security superstars on your team?
I'm very pleased to call out a strong cyber security line up for User Conference 2012:
Wednesday, November 30, 2011
Hackers accessed city infrastructure via SCADA
(This article was originally written by Hal Hodsen on November 29, 2011 via Information Age and has been copied here for reference purposes only.)
The deputy assistant director of the FBI's Cyber Division says hackers recently accessed the infrastructure of three cities through SCADA systems
Hackers recently accessed the critical infrastructure of three unnamed cities by compromising their SCADA (supervisory control and data acquisition) systems, the deputy assistant director of the FBI's Cyber Division said today.