Dragos, Inc. was notified by the Slovak anti-virus firm ESET of ICS-tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation, which resulted in an impact on electric grid operations. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion
This document summarizes the industrial cyber threat landscape as of September 2017. It outlines several high-profile cyber attacks on industrial control systems dating back to 2010, including Stuxnet, Shamoon, BlackEnergy, and CrashOverride. These attacks targeted critical infrastructure like power grids, water treatment plants, and an Iranian nuclear facility. The document also discusses the risks and costs of these incidents, which include physical damage, production shutdowns, and an estimated global cost of cybercrime reaching $6 trillion by 2021. Mitigation strategies are proposed, such as using gateways and managed remote access to block malware and unauthorized access to industrial control networks.
RSAC 2021 Spelunking Through the Steps of a Control System Hack, by Dan Gunter
An industrial control system was hacked through a multi-stage attack. An attacker first spearphished a user to gain access to the network. They then used remote desktop and remote access software to access the HMI and manipulate control points, disrupting industrial processes. The attack demonstrated tactics like phishing, credential dumping, lateral movement, and control manipulation. Improving security monitoring, hardening systems, limiting access, and increasing user awareness could help prevent similar attacks.
The Top 20 Cyberattacks on Industrial Control Systems, by Muhammad FAHAD
Executive Summary
No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. Evaluating cyber risk in industrial control system (ICS) networks is difficult, considering their complex nature. For example, an evaluation can consider (explicitly or implicitly) up to hundreds of millions of branches of a complex attack tree modelling how cyberattacks interact with cyber, physical, safety and protection equipment and processes. This paper was written to assist cyber professionals in understanding and communicating the results of such risk assessments to non-technical business decision-makers.
This paper proposes that cyber risk be communicated as a Design Basis Threat (DBT) line drawn through a representative “Top 20” set of cyberattacks spread across a spectrum of attack sophistication. These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. Many industrial cyber risk practitioners will find the list useful as-is, while expert practitioners may choose to adapt the list to their more detailed understanding of their own sites’ circumstances.
This document provides an overview of cyber security challenges for industrial control systems (ICS) and introduces Darktrace's Industrial Immune System as an innovative solution. The key points are:
1) ICS networks face growing threats as they increasingly connect to corporate IT networks and the internet, but existing defenses like firewalls are inadequate. Attacks have caused damage at facilities like power plants and a German steel mill.
2) Darktrace's system implements a real-time "immune system" that analyzes network behavior to establish a baseline and detect anomalies, allowing threats to be identified early before they cause disruption.
3) Unlike rule-based systems, Darktrace adapts over time and can detect "unknown unknown"
Webinar - Reducing the Risk of a Cyber Attack on Utilities, by WPICPE
Jim Girouard, Sr. Product Development Manager at Worcester Polytechnic Institute, outlines the growing menace of cyber attacks on utility companies and how to educate yourself to reduce risk.
The document discusses the challenges of cyber defense given the complexity of modern computer networks and constantly evolving threats. Traditional prevention and reaction approaches are no longer effective at addressing sophisticated attacks. The document argues that companies need a continuous, self-learning approach to cyber security to detect threats hiding in networks and take appropriate action. This involves gaining situational awareness and investigating anomalies to identify potential threats before they cause harm.
This document summarizes a presentation on cyber security in real-time systems. It discusses threats to industrial control systems and SCADA systems, and the differences between traditional IT and industrial control system cultures. It provides examples of attacks on industrial control systems and poor monitoring of SCADA systems. It suggests that security operations centers may provide common ground between IT and ICS. Finally, it discusses recent media reports relating to hacking of rail signaling systems and aircraft systems.
Stuxnet was a sophisticated cyber attack targeting Iran's nuclear facilities that changed perceptions of threats to critical infrastructure systems like SCADA. It exploited vulnerabilities in both Windows and Siemens control software to sabotage centrifuges without detection for nearly a year. This highlighted that SCADA/ICS are vulnerable targets due to their use of outdated protocols and legacy systems not originally designed with security in mind. Common security issues with SCADA include lack of access controls, unpatched systems, integration with corporate networks, and human/contractor oversight. Best practices like the NERC standards and updates to protocols like DNP3 can help mitigate risks if properly implemented throughout the SCADA lifecycle.
TACTiCS_WP Security_Addressing Security in SDN Environment, by Saikat Chaudhuri
This document discusses addressing security concerns in SDN environments. It proposes an approach using an application on the SDN controller to monitor alerts from an IDS, analyze network traffic samples, and automate blocking of malicious flows. The application would function similarly to a security operations center (SOC) by correlating security events and taking action. The implementation is demonstrated using the OpenDaylight controller and Mininet virtual network, with SNORT for intrusion detection and sFlow for traffic sampling.
This document discusses the evolution of approaches to securing SCADA systems. Early advice based on IT security principles is subtly flawed, as it fails to prevent system compromise and physical damage cannot be undone with backups. More recent approaches focus on prevention over detection and response. The key shift is recognizing SCADA systems must remain uncompromised, as restoring operations from intrusions is impossible unlike with IT systems. Overall confidence in SCADA security remains low due to outdated approaches still in use.
Darktrace Antigena is an automated response capability that allows organizations to respond to cyber threats without disrupting normal business operations. As a "digital antibody", Antigena detects threats uniquely identified by Darktrace and automatically takes measured and targeted responses. This includes terminating abnormal connections while leaving normal activities unaffected. Antigena's dynamic boundary enforces each user and device's normal "pattern of life" to combat threats faster than any security team.
Darktrace enterprise immune system whitepaper_digital, by CMR WORLD TECH
- Darktrace takes a fresh approach to cyber defense using advanced machine learning and mathematics rather than traditional perimeter-based security.
- Traditional security models that try to distinguish insiders from outsiders no longer work in today's globally connected networks, as threats are already inside networks and boundaries are impossible to define.
- An "immune system" approach that monitors subtle internal changes and behaviors is needed to detect emerging threats, rather than defining "bad" and trying to keep threats out. This embraces probability and understands what is happening inside complex information systems.
Symantec and ForeScout Delivering a Unified Cyber Security Solution, by DLT Solutions
Tom Blauvelt from Symantec and Sean Telles and Chris Dullea from ForeScout share how both companies together can deliver a unified cyber security solution.
This document discusses 10 important reports for managing vulnerabilities. It begins by explaining the importance of vulnerability management and having an accurate inventory of IT assets. It then describes the top 10 reports:
1. The Network Perimeter Map report provides a graphical view of the network topology and discovered devices.
2. The Unknown Internal Devices report lists devices discovered on the network that have not been approved, to identify rogue devices.
3. The SANS Top 20 Vulnerabilities report identifies the most common and critical vulnerabilities based on the SANS list.
4. The 25 Most Vulnerable Hosts report prioritizes remediation of the most at-risk devices.
5. The High Sever
This dissertation investigates building an automated network reconnaissance device using off-the-shelf hardware that can remotely operate on battery power. The author aims to build a device using a microcomputer with wireless networking, an LCD screen, and battery pack that is capable of performing port scans and capturing Ethernet packets anonymously from inside a network. Testing is done to evaluate the battery life of the device during operation and utilization of hardware components. Results show the device was able to operate for over 24 hours performing tasks before battery depletion.
This document summarizes 10 cyber security trend reports for 2019. Common trends identified across the reports include rises in crypto mining, state-sponsored attacks, security skills shortages, Internet of Things risks, cloud provider attacks, supply chain attacks, phishing as the primary attack vector, and increased regulations. The reports also highlight the importance of user awareness, basic IT hygiene, incident response readiness, and having adequate security resources.
Intelligence-based computer network defence: Understanding the cyber kill cha..., by Huntsman Security
The document discusses improving computer network defense using intelligence-based approaches. It outlines three key components: leveraging threat intelligence, considering indicators of compromise, and optimizing and automating incident response. Threat intelligence can be gathered internally from security tools and externally from open sources. Monitoring systems and networks for indicators of compromise can help detect attacks earlier. Response processes can be made more efficient by automating data gathering and analysis to speed incident understanding and focus resources. The goal is more reliable and earlier detection of threats throughout the cyber attack lifecycle.
Despite the amazing technologies available today in cybersecurity, organizations still struggle with the most fundamental challenge that has been around for decades: understanding all the devices, users, and cloud services they’re responsible for, and whether those assets are secure.
These slides—based on the webinar hosted by leading IT research firm EMA and Axonius—explain why solving asset management for cybersecurity is becoming increasingly important, and why something so fundamental has quickly risen to the top of CISOs priority lists.
Why should you choose TONEX for your SCADA Security Training?
The SCADA Security Training course gives an advanced technical overview of SCADA, covering emerging trends, advanced applications, operations, management and security. We have been providing SCADA, automation and security training and consulting for more than 15 years, with 20+ man-years of development experience.
The SCADA Security Training course covers all aspects of Industrial Control System (ICS) security for several kinds of control systems, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other control system configurations, for example skid-mounted Programmable Logic Controllers (PLC).
#Some of the highlights of the SCADA Security Training:
Understand concepts behind Industrial Control Systems (ICS) and SCADA Security
Learn about DCS, SCADA and Industrial Control Systems technology, Infrastructure, instrumentation, HMI and Data Historians
SCADA and ICS Characteristics, Threats and Vulnerabilities
SCADA and ICS Security Program Development and Deployment
SCADA Network Architecture
SCADA Security Controls
Learn Passive and Active Techniques
Explore the impact of Wireless communications on SCADA System Security Testing
Explore SCADA System Security Testing with Active Techniques
Understand SCADA vulnerabilities and different techniques behind exploiting SCADA Systems
Understand how SCADA defense techniques and procedures work
Identify the weak links and challenges in SCADA cybersecurity
Review the available solutions and standards for secure SCADA architectures
Examine the state of policies on data privacy and Internet security and their impact on SCADA
Define a “To Do” list of action items to secure the SCADA systems
ICS/SCADA Security Essentials Essentials for NERC Critical Infrastructure Protection
ICS Active Defense and Incident Response
Assessing and Exploiting SCADA and Control Systems
Critical Infrastructure and Control System Cybersecurity
SCADA Security Management
#Learn more about the following aspects of SCADA, ICS and DCS Security:
Understanding Control System Vulnerabilities
Understanding and Identifying SCADA and ICS Vulnerabilities
SCADA, Industrial Control System (ICS) and Distributed Control Systems (DCS) Exploitation
Securing and Protecting Industrial Control Systems (ICS)
ICS, DCS and PLC Penetration Testing, Exploiting and Vulnerability Assessments
Hacking SCADA using Nmap, Nessus and Metasploit
Hacking Remote Web Servers
SCADA SQL Injection Attack
Learn more about SCADA security training
SCADA Security Training
https://www.tonex.com/training-courses/scada-security-training/
A military concept now applied to cybersecurity, the "cyber kill chain" was developed by Lockheed Martin in 2011. It describes the phases an adversary will follow to target an organization. There are 7 well-defined phases, and the attack is considered successful if/when all phases have been carried out.
(DOCUMENT IN ENGLISH)
Supervisory control and data acquisition (SCADA) systems are applications that collect data from a system in order to automate the monitoring and control of its activities. Several industrial fields, such as electric utilities, water supplies and building facilities, have already adopted SCADA systems to increase efficiency and reduce cost. However, the IT community is concerned about the level of security that any deployed SCADA system provides. This paper concentrates on the major security threats encountered in SCADA systems. In addition, it discusses a newly proposed methodology to increase system security with minimal impact on efficiency. The proposed scheme provides several security services: mutual authentication, confidentiality, data integrity and accountability.
The document discusses Darktrace's Enterprise Immune System technology, which takes inspiration from the human immune system to provide cyber defense. It uses unsupervised machine learning and advanced mathematics to learn what normal network behavior looks like and detect anomalies indicating threats. This self-learning approach can identify new threats that traditional signature-based tools miss. The system also automatically responds to threats with targeted digital responses. Darktrace's technology represents a new approach to cybersecurity that is better suited to today's sophisticated and unpredictable threat landscape.
Using a smart building as their case study, Forescout Research Labs investigated how IoT devices can be leveraged as an entry point to a building’s network, where legacy OT assets, IT systems and IoT devices all intersect. Key findings from our research include:
• How the IoT is impacting the organizational threat landscape
• The additional risks that IoT devices introduce
• How to evolve your cybersecurity strategy for the age of IoT
Explore common vulnerabilities in building automation systems (BAS), how these vulnerabilities could be exploited, and steps that organizations can take to improve the cybersecurity of their BAS.
A look at current cyberattacks in Ukraine, by Kaspersky
Kaspersky researchers have been monitoring the activity of APT actors, cybercriminals and hacktivists currently involved in the conflict in Ukraine. During this webinar, the Global Research and Analysis Team (GReAT) will share their findings on the most recent cyberattacks targeting Ukraine and present their observations, analysis and top findings.
- The types of attacks that have been targeting Ukraine for the past few months
- The results of analysis on destructive attacks and malware (HermeticWiper, etc...)
- How organizations can defend themselves against cyberattacks
GReAT, Kaspersky’s Global Research and Analysis Team, consists of 40 researchers based around the world that work on uncovering APTs, cyberespionage campaigns, major malware, ransomware and underground cybercriminal trends across the world.
The survey of 524 automotive software professionals found:
1) Security is not fully integrated into development processes and developers lack training on secure development practices.
2) Nearly half believe a major overhaul of automotive technology architecture is needed to improve security.
3) There is uncertainty around whether a hack-proof vehicle can be built, with pressures around costs, timelines, and prioritization of security.
Connected vehicles will communicate vast amounts of sensitive data over networks, but securing these systems faces unique challenges. Hackers could potentially cause accidents, track drivers, or disable safety features. The automotive industry lacks the security expertise of IT, and adding security slows development. However, vehicle-to-vehicle communication shows promise for accident prevention if privacy and security are prioritized through new protocols, like changing identifiers frequently while authenticating messages through a certificate management system. Governments are now mandating security standards for connected cars to address these risks.
Practical analysis of the cybersecurity of European smart grids, by Sergey Gordeychik
This paper summarizes the experience gained during a series of practical cybersecurity assessments of various components of Europe’s smart electrical grids.
Iaetsd identifying and preventing resource depletion attack in, by Iaetsd Iaetsd
This document discusses identifying and preventing resource depletion attacks in mobile sensor networks. It summarizes that ad-hoc wireless sensor networks are vulnerable to denial of service attacks that aim to drain nodes' battery power over time, disabling the entire network. Existing secure routing protocols do not protect against these "Vampire attacks" which use valid network paths and protocol-compliant messages to minimize energy usage. The document proposes modifying an existing sensor network routing protocol to provably bound the damage from Vampire attacks during packet forwarding.
TACTiCS_WP Security_Addressing Security in SDN EnvironmentSaikat Chaudhuri
This document discusses addressing security concerns in SDN environments. It proposes an approach using an application on the SDN controller to monitor alerts from an IDS, analyze network traffic samples, and automate blocking of malicious flows. The application would function similarly to a security operations center (SOC) by correlating security events and taking action. The implementation is demonstrated using the OpenDaylight controller and Mininet virtual network, with SNORT for intrusion detection and sFlow for traffic sampling.
This document discusses the evolution of approaches to securing SCADA systems. Early advice based on IT security principles is subtly flawed, as it fails to prevent system compromise and physical damage cannot be undone with backups. More recent approaches focus on prevention over detection and response. The key shift is recognizing SCADA systems must remain uncompromised, as restoring operations from intrusions is impossible unlike with IT systems. Overall confidence in SCADA security remains low due to outdated approaches still in use.
Darktrace Antigena is an automated response capability that allows organizations to respond to cyber threats without disrupting normal business operations. As a "digital antibody", Antigena detects threats uniquely identified by Darktrace and automatically takes measured and targeted responses. This includes terminating abnormal connections while leaving normal activities unaffected. Antigena's dynamic boundary enforces each user and device's normal "pattern of life" to combat threats faster than any security team.
Darktrace enterprise immune system whitepaper_digitalCMR WORLD TECH
- Darktrace takes a fresh approach to cyber defense using advanced machine learning and mathematics rather than traditional perimeter-based security.
- Traditional security models that try to distinguish insiders from outsiders no longer work in today's globally connected networks, as threats are already inside networks and boundaries are impossible to define.
- An "immune system" approach that monitors subtle internal changes and behaviors is needed to detect emerging threats, rather than defining "bad" and trying to keep threats out. This embraces probability and understands what is happening inside complex information systems.
Symantec and ForeScout Delivering a Unified Cyber Security SolutionDLT Solutions
Tom Blauvelt from Symantec and Sean Telles and Chris Dullea from ForeScout share how both companies together can deliver a unified cyber security solution.
This document discusses 10 important reports for managing vulnerabilities. It begins by explaining the importance of vulnerability management and having an accurate inventory of IT assets. It then describes the top 10 reports:
1. The Network Perimeter Map report provides a graphical view of the network topology and discovered devices.
2. The Unknown Internal Devices report lists devices discovered on the network that have not been approved, to identify rogue devices.
3. The SANS Top 20 Vulnerabilities report identifies the most common and critical vulnerabilities based on the SANS list.
4. The 25 Most Vulnerable Hosts report prioritizes remediation of the most at-risk devices.
5. The High Sever
This dissertation investigates building an automated network reconnaissance device using off-the-shelf hardware that can remotely operate on battery power. The author aims to build a device using a microcomputer with wireless networking, an LCD screen, and battery pack that is capable of performing port scans and capturing Ethernet packets anonymously from inside a network. Testing is done to evaluate the battery life of the device during operation and utilization of hardware components. Results show the device was able to operate for over 24 hours performing tasks before battery depletion.
This document summarizes 10 cyber security trend reports for 2019. Common trends identified across the reports include rises in crypto mining, state-sponsored attacks, security skills shortages, Internet of Things risks, cloud provider attacks, supply chain attacks, phishing as the primary attack vector, and increased regulations. The reports also highlight the importance of user awareness, basic IT hygiene, incident response readiness, and having adequate security resources.
Intelligence-based computer network defence: Understanding the cyber kill cha...Huntsman Security
The document discusses improving computer network defense using intelligence-based approaches. It outlines three key components: leveraging threat intelligence, considering indicators of compromise, and optimizing and automating incident response. Threat intelligence can be gathered internally from security tools and externally from open sources. Monitoring systems and networks for indicators of compromise can help detect attacks earlier. Response processes can be made more efficient by automating data gathering and analysis to speed incident understanding and focus resources. The goal is more reliable and earlier detection of threats throughout the cyber attack lifecycle.
Despite the amazing technologies available today in cybersecurity, organizations still struggle with the most fundamental challenge that has been around for decades: understanding all the devices, users, and cloud services they’re responsible for, and whether those assets are secure.
These slides—based on the webinar hosted by leading IT research firm EMA and Axonius—explain why solving asset management for cybersecurity is becoming increasingly important, and why something so fundamental has quickly risen to the top of CISOs priority lists.
For what reason would it be advisable for you to pick TONEX for your SCADA Security Training?
SCADA Security Training course gives progressed SCADA specialized outline of the developing patterns, propelled applications, activities, administration and security. We have Providing SCADA and Automation and Security Training and counseling for more than 15 years with 20+ man-long periods of improvement encounter.
SCADA Security Training course covers all parts of Industrial Control System (ICS) security for a few kinds of control frameworks including: Supervisory Control and Data Acquisition (SCADA) frameworks, Distributed Control Systems (DCS) and Other control framework arrangements, for example, slide mounted Programmable Logic Controllers (PLC).
#Some of the highlights of the SCADA Security Training:
Understand concepts behind Industrial Control Systems (ICS) and SCADA Security
Learn about DCS, SCADA and Industrial Control Systems technology, Infrastructure, instrumentation, HMI and Data Historians
SCADA and ICS Characteristics, Threats and Vulnerabilities
SCADA and ICS Security Program Development and Deployment
SCADA Network Architecture
SCADA Security Controls
Learn Passive and Active Techniques
Explore the impact of Wireless communications on SCADA System Security Testing
Explore SCADA System Security Testing with Active Techniques
Understand SCADA vulnerabilities and different techniques behind exploiting SCADA Systems
Understand how SCADA defense techniques and procedures work
Identify the weak links and challenges in SCADA cybersecurity
Review the available solutions and standards for secure SCADA architectures
Examine the state of policies on data privacy and Internet security and their impact on SCADA
Define a “To Do” list of action items to secure the SCADA systems
ICS/SCADA Security Essentials for NERC Critical Infrastructure Protection
ICS Active Defense and Incident Response
Assessing and Exploiting SCADA and Control Systems
Critical Infrastructure and Control System Cybersecurity
SCADA Security Management
#Learn more about the following aspects of SCADA, ICS and DCS Security:
Understanding Control System Vulnerabilities
Understanding and Identifying SCADA and ICS Vulnerabilities
SCADA, Industrial Control System (ICS) and Distributed Control Systems (DCS) Exploitation
Securing and Protecting Industrial Control Systems (ICS)
ICS, DCS and PLC Penetration Testing, Exploiting and Vulnerability Assessments
Hacking SCADA using Nmap, Nessus and Metasploit
Hacking Remote Web Servers
SCADA SQL Injection Attack
Learn more about SCADA security training
SCADA Security Training
https://www.tonex.com/training-courses/scada-security-training/
A military concept now applied to cybersecurity, the "cyber kill chain" was developed by Lockheed Martin in 2011. It describes the phases an adversary will follow to target an organization. There are 7 well-defined phases, and an attack is considered successful if/when all phases have been completed.
(DOCUMENT IN ENGLISH)
Supervisory control and data acquisition (SCADA) are applications that collect data from a system in order to automate the monitoring and controlling of its activities. Several industrial fields such as, electric utilities, water supplies and buildings' facilities have already adopted SCADA systems to increase the efficiency and reduce cost. However, the IT community is concerned about the level of security that any applied SCADA system provides. This paper concentrates on the major security threats encountered in SCADA systems. In addition, it discusses a new proposed methodology in order to increase the system security with minimal impact on efficiency. The proposed scheme provides several security services which are mutual authentication, confidentiality, data integrity and accountability.
The document discusses Darktrace's Enterprise Immune System technology, which takes inspiration from the human immune system to provide cyber defense. It uses unsupervised machine learning and advanced mathematics to learn what normal network behavior looks like and detect anomalies indicating threats. This self-learning approach can identify new threats that traditional signature-based tools miss. The system also automatically responds to threats with targeted digital responses. Darktrace's technology represents a new approach to cybersecurity that is better suited to today's sophisticated and unpredictable threat landscape.
Using a smart building as their case study, Forescout Research Labs investigated how IoT devices can be leveraged as an entry point to a building’s network, where legacy OT assets, IT systems and IoT devices all intersect. Key findings from our research include:
• How the IoT is impacting the organizational threat landscape
• The additional risks that IoT devices introduce
• How to evolve your cybersecurity strategy for the age of IoT
Explore common vulnerabilities in building automation systems (BAS), how these vulnerabilities could be exploited, and steps that organizations can take to improve the cybersecurity of their BAS.
A look at current cyberattacks in Ukraine - Kaspersky
Kaspersky researchers have been monitoring the activity of APT actors, cybercriminals and hacktivists currently involved in the conflict in Ukraine. During this webinar, the Global Research and Analysis Team (GReAT) will share their findings on the most recent cyberattacks targeting Ukraine and present their observations, analysis and top findings.
- The types of attacks that have been targeting Ukraine for the past few months
- The results of analysis on destructive attacks and malware (HermeticWiper, etc...)
- How organizations can defend themselves against cyberattacks
GReAT, Kaspersky’s Global Research and Analysis Team, consists of 40 researchers based around the world that work on uncovering APTs, cyberespionage campaigns, major malware, ransomware and underground cybercriminal trends across the world.
The survey of 524 automotive software professionals found:
1) Security is not fully integrated into development processes and developers lack training on secure development practices.
2) Nearly half believe a major overhaul of automotive technology architecture is needed to improve security.
3) There is uncertainty around whether a hack-proof vehicle can be built, with pressures around costs, timelines, and prioritization of security.
Connected vehicles will communicate vast amounts of sensitive data over networks, but securing these systems faces unique challenges. Hackers could potentially cause accidents, track drivers, or disable safety features. The automotive industry lacks the security expertise of IT, and adding security slows development. However, vehicle-to-vehicle communication shows promise for accident prevention if privacy and security are prioritized through new protocols, like changing identifiers frequently while authenticating messages through a certificate management system. Governments are now mandating security standards for connected cars to address these risks.
Practical analysis of the cybersecurity of European smart grids - Sergey Gordeychik
This paper summarizes the experience gained during a series of practical cybersecurity assessments of various components of Europe's smart electrical grids.
Iaetsd identifying and preventing resource depletion attack in - Iaetsd Iaetsd
This document discusses identifying and preventing resource depletion attacks in mobile sensor networks. It summarizes that ad-hoc wireless sensor networks are vulnerable to denial of service attacks that aim to drain nodes' battery power over time, disabling the entire network. Existing secure routing protocols do not protect against these "Vampire attacks" which use valid network paths and protocol-compliant messages to minimize energy usage. The document proposes modifying an existing sensor network routing protocol to provably bound the damage from Vampire attacks during packet forwarding.
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL - ijaia
As digital technology becomes more deeply embedded in power systems, protecting the communication networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3) represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities. Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network (CNN) and the Long-Short-Term Memory algorithms (LSTM). We employed a recent intrusion detection dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to train and test our model. The results of our experiments show that our CNN-LSTM method is much better at finding smart grid intrusions than other deep learning algorithms used for classification. In addition, our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection accuracy rate of 99.50%.
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL - gerogepatton
SCADA systems are used to monitor and control equipment and processes in industries like oil/gas, water treatment, and manufacturing. They gather data in real-time from remote locations and send control commands back. SCADA has evolved through 3 generations from standalone monolithic systems to distributed systems on local networks to today's networked systems using open standards and wide area networks. Security issues need to be addressed like encrypting communications, securing devices, auditing networks, and implementing threat protection. The future of SCADA involves more sophisticated systems that can handle huge data volumes and territories with some having artificial intelligence capabilities.
IEAACK-Secure Detection System For Packet-Dropping Attack In Manets - ijiert bestjournal
MANET is a collection of wireless independent nodes, each with a transmitter and receiver, that communicate with each other via bidirectional links. The self-configuring ability of nodes in a MANET has made it popular among critical mission applications like military use or emergency recovery. But due to the changing topology and open access, MANETs become vulnerable to problems such as receiver collision, limited transmission power, false misbehaviour reports and packet dropping. To solve these problems we use three approaches to Intrusion Detection Systems (IDS): Watchdog, TWOACK and AACK. We have proposed a new protocol design for MANET, the IDS-based EAACK, which consists of ACK, S-ACK and MRA, for solving all the problems of the Watchdog approach in IDS for MANET.
This document discusses security issues with SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems are used to control critical infrastructure like water treatment plants, oil pipelines, and nuclear power plants. However, SCADA systems often use outdated protocols and hardware with no security protections. They are vulnerable to attacks that could disrupt important systems or endanger public safety. The document outlines several past attacks on SCADA systems and control failures that highlight the security risks if these systems are not properly protected from cyber threats.
This document discusses security issues with SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems are used to control critical infrastructure like water treatment plants, oil and gas pipelines, electrical grids, and nuclear power plants. However, SCADA systems often have weak security protections due to using outdated protocols and hardware that cannot be easily upgraded. This makes SCADA networks vulnerable to attacks that could disrupt important systems and endanger public safety. The document outlines several past attacks on SCADA networks and control systems that demonstrate these risks. Improving SCADA security will require collaboration between different fields like control systems engineering and cybersecurity.
CYBER SECURITY TRENDS FOR FUTURE SMART GRID SYSTEMS - George Wainblat
SUMMARY - Current power grids are increasingly evolving into smart networked grids and are more accessible from the public internet, which poses new cyber threats to the grid. More computer-based systems are introduced into power networks in order to monitor and control the network. Future model smart grid and micro grid systems will be based on data flows for communication of system status, usage and control throughout the network infrastructure, in addition to the power flow. This creates new security threats to the power grid. Instead of relying mainly on power plants for power generation, there will be a combination of multiple generation sources and, at the same time, wider use of electrical computer-based equipment by consumers. Both increase the amount of data flows in the network and introduce additional vulnerable spots. The vulnerability of the power grid to cyber-attacks increases even more because of the wide use of SCADA networks. SCADA networks are more accessible from the internet and lack authentication and authorization mechanisms, and therefore expose the grid to threats such as DDOS, data interception, data alteration and additional hacking threats.
The transition from the present to the future model has already begun and is growing rapidly, while it already poses new security challenges which must be addressed immediately. It is essential to introduce immediately a single comprehensive security solution which will provide fast detection and prevention tools to cope with a variety of threats of different natures and from multiple sources. The solution should not be tightly coupled with each device in the network, so that it won't require upgrades of the devices inside the grid.
The cyber defense solution should be versatile, using a variety of cyber technologies such as firewalls, anomaly detection, Big Data analytics, machine learning and more in a network-wide combination.
OpenFlow Security Threat Detection and Defense Services - Eswar Publications
The emergence of OpenFlow-capable switches decouples the control plane from the data flow plane so that they support programmable networks and allow network administrators to have programmable central control of network traffic via a controller. The controller and its communication with switches and users become a malicious attack target. This paper explores major possible security threats and attacks on the controller of SDN and proposes a new approach to automatically and dynamically detect and monitor malicious behaviors in flow message passing and defend against such attacks to ensure the security of SDN. We have built a FlowEye prototype at service level on the Mininet API, and simulation tests are done on two feasible attacks on the OpenFlow Beacon platform. The paper provides a feasibility study of such attacks and defense protection strategies in SDN security research.
Smart Grid Systems Based Survey on Cyber Security Issues - journalBEEI
The future power system will be an innovative administration of existing power grids, which is called the smart grid. Above all, the application of advanced communication and computing tools is going to significantly improve the productivity and consistency of smart grid systems with renewable energy resources. Together with the topographies of the smart grid, cyber security appears as a serious concern, since a huge number of automatic devices are linked through communication networks. Cyber attacks on those devices have a direct influence on the reliability of the extensive infrastructure of the power system. In this survey, several published works related to smart grid system vulnerabilities, potential intentional attacks, and suggested countermeasures for these threats have been investigated.
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct... - Abhishek Goel
SCADA systems control some of the most vital infrastructure in industrial and energy sectors, from oil and gas pipelines to nuclear facilities to water treatment plants.
Critical infrastructure is defined as the physical and IT assets, networks and services that if disrupted or destroyed would have a serious impact on the health, security, or economic wellbeing of citizens and the efficient functioning of a country’s government.
This project is a subset of Project SHINE (SHodan Intelligence Extraction), providing one example of what would happen if a device were to be directly connected to the Internet.
At no point in time was this project intended to identify any shortcomings of the manufacturer’s efforts in remediating any of the known vulnerabilities, nor was it intended to place any blame or negligence towards the manufacturer in any manner whatsoever. The choosing of the specific device was to provide a simplified example which could be easily demonstrated as a form of substantiation of our position provided through Project SHINE. It should be noted that the device utilized has an out-of-date version of its firmware that is subject to one or more known vulnerabilities that currently exist. The manufacturer has taken steps previously to remediate those versions of firmware by providing updates; it is strongly suggested that any asset owners running this specific version of firmware update or upgrade to the latest version as a precautionary effort.
The objective of this project is to provide some form of substantiation that directly connecting an ICS device onto the Internet could have consequences. As such, the premise of this project was to:
(1) Obtain current ICS equipment through public sources (eBay), and deploy this equipment as actual cyber assets controlling perceived critical infrastructure environments;
(2) Ascertain any pertinent threat or attack vectors, as well as scope and magnitude of any attacks against the perceived critical infrastructure environments;
(3) Record network access attempts, and analyze captured network packets for any patterns; and,
(4) Report redacted findings for public awareness to governments and media outlets.
Performance Enhancement of Intrusion Detection System Using Advance Adaptive ... - ijceronline
Mobile Ad hoc networks (MANETs) consist of a set of mobile nodes which can move about freely and are very sensitive to security threats due to their nature of deployment, such as an open wireless system. MANETs have self-configuring nodes and an infrastructure-less nature, hence they are preferred in significant applications. This itself emphasizes the importance of security and the need for an efficient intrusion detection system in MANETs. Many IDS have been proposed for detecting malicious nodes. Among such different IDS, Enhanced Adaptive Acknowledgment (EAACK) has overcome the drawbacks of Watchdog, ACK and TWOACK. In our proposed work we have identified the inadequate nature of EAACK in scenarios of link breakage and source maliciousness. High mobility of MANET nodes contributes to frequent link breakages in the network, which leads to path failures and makes route discovery processes difficult. Route discovery is usually initialized through a broadcast mechanism. In this paper a new intrusion detection system named Advance EAACK, particularly designed for MANETs, is proposed. Compared to modern approaches, Advance EAACK demonstrates higher malicious behavior detection rates in certain conditions while not greatly affecting the network performance. Due to this mechanism, data transfer between mobile nodes is done with improved security. The parameters used to measure network performance are packet delivery ratio and delay.
The document proposes a new intrusion detection system called EAACK that is designed specifically for MANETs. Existing intrusion detection systems for MANETs like Watchdog and TWOACK have disadvantages like failing to detect malicious nodes that generate false reports or forged acknowledgments. EAACK aims to address these issues by using digital signatures to authenticate acknowledgment packets and thus make the system more secure. It is claimed that EAACK can detect malicious behaviors better than existing approaches in some cases without degrading network performance.
EAACK is an intrusion detection system designed specifically for MANETs that aims to address weaknesses in existing approaches. It adopts digital signatures to authenticate acknowledgment packets and help guarantee they are valid. This helps EAACK tackle issues like false misbehavior reports and forged acknowledgments that other systems fail to detect. Compared to contemporary methods, EAACK demonstrates higher detection rates of malicious behavior in some cases without significantly impacting network performance.
This document summarizes a research paper that proposes a design for a secure and sophisticated electricity meter called an Impregnable Device for Secured Metering (IDSM). The IDSM uses a microcontroller integrated with a smart meter to securely transmit power consumption data via a legacy Wi-Fi system. Random number addressing cryptography (RAC) is used for encryption due to its high speed, low power usage, and security. The IDSM system connects individual household meters to a centralized server that calculates billing amounts and sends updates back to the meters for display. The goal is to provide secure metering and billing that reduces human error and electricity theft while lowering costs.
System Administrators are often on the front lines of computer security. This guide aims to support System Administrators in finding indications of a system compromise.
CISA GOV - Seven Steps to Effectively Defend ICS - Muhammad FAHAD
INTRODUCTION
Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it's not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in "as-built" control systems.
Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication - Muhammad FAHAD
Modbus, an industrial protocol used for server to client communication, has been used for over 40 years and is still widely deployed in new ICS installations (Mostia, 2019). Modbus can be transported over serial mediums of RS232, RS485, or it can be wrapped in an IEEE 802.3 TCP segment. Within TCP, the typical implementation is Modbus Remote Terminal Unit (RTU) contained in the TCP/IP stack Application layer, which can be easily viewed in Wireshark (Sanchez, 2017). Modbus uses simple function calls combined with data range requests to read and write bits, called coils. Additionally, it can also read and write integers or floats, called registers. When engineers were encapsulating Modbus within TCP, cybersecurity concerns were nonexistent and, therefore, Modbus RTU does not have any built-in security mechanisms (Rinaldi, n.d.). From an ICS security perspective, Modbus is rife with many vulnerabilities and is subject to Probe, Scan, Flood, Authentication Bypass, Spoof, Eavesdrop, Misdirect, Read/Copy, Terminate, Execute, Modify, and Delete attacks (Draias, Serhrouchni, & Vogel, 2015).
This document provides guidelines for establishing effective computer security incident response capabilities. It assists organizations in creating incident response teams and processes for efficiently handling incidents. The guidelines can be applied independently of specific hardware, software, protocols or applications. The document recommends establishing planning, preparation, detection and analysis, containment, eradication and recovery as key phases in the incident response process.
Steps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy - Muhammad FAHAD
Supervisory control and data acquisition (SCADA) networks contain computers and applications that perform key functions in providing essential services and commodities (e.g., electricity, natural gas, gasoline, water, waste treatment, transportation) to all Americans. As such, they are part of the nation's critical infrastructure and require protection from a variety of threats that exist in cyber space today. By allowing the collection and analysis of data and control of equipment such as pumps and valves from remote locations, SCADA networks provide great efficiency and are widely used. However, they also present a security risk. SCADA networks were initially designed to maximize functionality, with little attention paid to security. As a result, performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, while the security of these systems is often weak. This makes some SCADA networks potentially vulnerable to disruption of service, process redirection, or manipulation of operational data that could result in public safety concerns and/or serious disruptions to the nation's critical infrastructure. Action is required by all organizations, government or commercial, to secure their SCADA networks as part of the effort to adequately protect the nation's critical infrastructure.
The President's Critical Infrastructure Protection Board, and the Department of Energy, have developed the steps outlined here to help any organization improve the security of its SCADA networks. These steps are not meant to be prescriptive or all-inclusive. However, they do address essential actions to be taken to improve the protection of SCADA networks. The steps are divided into two categories: specific actions to improve implementation, and actions to establish essential underlying management processes and policies.
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading - Muhammad FAHAD
The "cyber kill chain" is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker's path. Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen.
Common Malware Types Vulnerability Management - Muhammad FAHAD
The document discusses common types of malware including viruses, worms, Trojan horses, spyware, ransomware, rootkits, adware, bugs, and bots. It provides a brief definition of each type and explains how they spread and the harm they can cause. The document also discusses symptoms of malware infections and recommendations for prevention and removal, including using antivirus software, keeping systems updated, and being cautious of downloads.
Metadata Lakes for Next-Gen AI/ML - Datastrato - Zilliz
As data catalogs evolve to meet the growing and new demands of high-velocity, unstructured data, we see them taking a new shape as an emergent and flexible way to activate metadata for multiple uses. This talk discusses modern uses of metadata at the infrastructure level for AI-enablement in RAG pipelines in response to the new demands of the ecosystem. We will also discuss Apache (incubating) Gravitino and its open source-first approach to data cataloging across multi-cloud and geo-distributed architectures.
The presentation will delve into the ASIMOV project, a novel initiative that leverages Retrieval-Augmented Generation (RAG) to provide precise, domain-specific assistance to telecommunications engineers and technicians. The session will focus on the unique capabilities of Milvus, the chosen vector database for the project, and its advantages over other vector databases.
Attending this session will give you a deeper understanding of the potential of RAG and Milvus DB in telecommunications engineering. You will learn how to address common challenges in the field and enhance the efficiency of your operations. The session will equip you with the knowledge to make informed decisions about the choice of vector databases, and how best to use them for your use-cases.
GDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec - James Anderson
The lecture titled "Automating AppSec" delves into the critical challenges associated with manual application security (AppSec) processes and outlines strategic approaches for incorporating automation to enhance efficiency, accuracy, and scalability. The lecture is structured to highlight the inherent difficulties in traditional AppSec practices, emphasizing the labor-intensive triage of issues, the complexity of identifying responsible owners for security flaws, and the challenges of implementing security checks within CI/CD pipelines. Furthermore, it provides actionable insights on automating these processes to not only mitigate these pains but also to enable a more proactive and scalable security posture within development cycles.
The Pains of Manual AppSec:
This section will explore the time-consuming and error-prone nature of manually triaging security issues, including the difficulty of prioritizing vulnerabilities based on their actual risk to the organization. It will also discuss the challenges in determining ownership for remediation tasks, a process often complicated by cross-functional teams and microservices architectures. Additionally, the inefficiencies of manual checks within CI/CD gates will be examined, highlighting how they can delay deployments and introduce security risks.
Automating CI/CD Gates:
Here, the focus shifts to the automation of security within the CI/CD pipelines. The lecture will cover methods to seamlessly integrate security tools that automatically scan for vulnerabilities as part of the build process, thereby ensuring that security is a core component of the development lifecycle. Strategies for configuring automated gates that can block or flag builds based on the severity of detected issues will be discussed, ensuring that only secure code progresses through the pipeline.
Triaging Issues with Automation:
This segment addresses how automation can be leveraged to intelligently triage and prioritize security issues. It will cover technologies and methodologies for automatically assessing the context and potential impact of vulnerabilities, facilitating quicker and more accurate decision-making. The use of automated alerting and reporting mechanisms to ensure the right stakeholders are informed in a timely manner will also be discussed.
Identifying Ownership Automatically:
Automating the process of identifying who owns the responsibility for fixing specific security issues is critical for efficient remediation. This part of the lecture will explore tools and practices for mapping vulnerabilities to code owners, leveraging version control and project management tools.
Three Tips to Scale the Shift Left Program:
Finally, the lecture will offer three practical tips for organizations looking to scale their Shift Left security programs. These will include recommendations on fostering a security culture within development teams, employing DevSecOps principles to integrate security throughout the development
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
10:50 Document Understanding with my RPA Companion (45')
Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath
11:35 Power up your Robots: GenAI and GPT in REFramework (45')
Krzysztof Karaszewski, Global RPA Product Manager
12:20 🍕 Lunch Break (1hr)
13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30')
Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance
13:50 Communications Mining - focus on AI capabilities (30')
Thomasz Wierzbicki, Business Analyst @Office Samurai
14:20 Polish MVP panel: Insights on MVP award achievements and career profiling
Distributed System Performance Troubleshooting Like You’ve Been Doing it for ...ScyllaDB
Troubleshooting performance issues across distributed systems can be intimidating if you don’t know where to start, and it’s even harder when the system is running on hundreds or thousands of nodes. We’re well past the point of logging into random nodes and poking around hoping we spot the problem. It’s critical to have a methodology to follow as well as a deep understanding of the tools that are available to help you prove (or disprove) your mental model.
In this session, we’ll explore how to go about diagnosing performance problems you might run into, and teach you the tools and process for getting to the bottom of any issue, quickly -- even when it’s one of the biggest distributed database deployments on the planet.
How to Improve Your Ability to Solve Complex Performance ProblemsScyllaDB
This talk is really about problem solving. It’s about how we think about problems and how we resolve those problems in a deeply technical context. The main goal of the talk is the relay the lessons learned from a couple of decades working with and observing some of the best performance troubleshooters in the world.
The talk will be broken into 3 main parts.
1. Explain the basic process we must go through to solve a complex performance problem
2. Discuss some of the main factors that can inhibit our efforts
3. Discuss some of the techniques we can apply to improve our chances, including an almost fool proof method to reach a successful outcome
Specific technical examples from large enterprise customers using relational databases (Oracle primarily) will be used to illustrate the concepts.
Artificial Intelligence (AI), Robotics and Computational fluid dynamicsChintan Kalsariya
Dive into the intersection of Artificial Intelligence (AI), Robotics, and Computational Fluid Dynamics (CFD) in pharmaceutical sciences. This presentation provides a comprehensive overview, from the foundational principles to advanced applications in pharmaceutical automation. Explore the transformative impact of AI and robotics on drug discovery, manufacturing, and delivery, alongside CFD's role in optimizing processes. Delve into the advantages and disadvantages of integrating these technologies, uncover current challenges, and envision future directions shaping the future of pharmaceutical innovation.
This presentation will explore the intersection of artificial intelligence, robotics, and computational fluid dynamics in the context of pharmaceutical automation. We will provide an overview of these technologies, discuss their applications in the pharmaceutical industry, highlight the advantages and disadvantages of their use, and examine current challenges and future directions.
The integration of artificial intelligence, robotics, and computational fluid dynamics in pharmaceutical automation has the potential to revolutionize the industry, improving efficiency, safety, and quality control. However, challenges related to data management, standardization, workforce adaptation, and regulatory compliance must be addressed. The future of pharmaceutical automation lies in the continued development and integration of these technologies, leading to more efficient, reliable, and innovative drug manufacturing processes.
AI in Pharmaceutical Industry
Pharmaceutical Automation
Robotics in Pharma
Computational Fluid Dynamics (CFD)
Drug Discovery
Pharmaceutical Manufacturing
Pharmaceutical Applications
Advantages of AI and Robotics
Disadvantages of AI and Robotics
Challenges in Pharmaceutical Automation
Future of AI and Robotics in Pharma
Artificial Intelligence
Robotics
Computational Fluid Dynamics
Pharmaceutical Automation
Drug Discovery
Manufacturing Optimization
AI in Healthcare
Robotics in Pharmaceuticals
CFD Applications
Pharmaceutical Industry
Advantages of AI
Disadvantages of Robotics
Challenges in CFD
Future of AI in Pharma
Automation Trends
this resume for sadika shaikh bca studentSadikaShaikh7
I am a dedicated BCA student with a strong foundation in web technologies, including PHP and MySQL. I have hands-on experience in Java and Python, and a solid understanding of data structures. My technical skills are complemented by my ability to learn quickly and adapt to new challenges in the ever-evolving field of computer science.
Coordinate Systems in FME 101 - Webinar SlidesSafe Software
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/07/intels-approach-to-operationalizing-ai-in-the-manufacturing-sector-a-presentation-from-intel/
Tara Thimmanaik, AI Systems and Solutions Architect at Intel, presents the “Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” tutorial at the May 2024 Embedded Vision Summit.
AI at the edge is powering a revolution in industrial IoT, from real-time processing and analytics that drive greater efficiency and learning to predictive maintenance. Intel is focused on developing tools and assets to help domain experts operationalize AI-based solutions in their fields of expertise.
In this talk, Thimmanaik explains how Intel’s software platforms simplify labor-intensive data upload, labeling, training, model optimization and retraining tasks. She shows how domain experts can quickly build vision models for a wide range of processes—detecting defective parts on a production line, reducing downtime on the factory floor, automating inventory management and other digitization and automation projects. And she introduces Intel-provided edge computing assets that empower faster localized insights and decisions, improving labor productivity through easy-to-use AI tools that democratize AI.
Quality Patents: Patents That Stand the Test of TimeAurora Consulting
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
Chapter 3 of ISTQB Foundation 2018 syllabus with sample questions. Answers about what is static testing, what is review, types of review, informal review, walkthrough, technical review, inspection.
Dev Dives: Mining your data with AI-powered Continuous DiscoveryUiPathCommunity
Want to learn how AI and Continuous Discovery can uncover impactful automation opportunities? Watch this webinar to find out more about UiPath Discovery products!
Watch this session and:
👉 See the power of UiPath Discovery products, including Process Mining, Task Mining, Communications Mining, and Automation Hub
👉 Watch the demo of how to leverage system data, desktop data, or unstructured communications data to gain deeper understanding of existing processes
👉 Learn how you can benefit from each of the discovery products as an Automation Developer
🗣 Speakers:
Jyoti Raghav, Principal Technical Enablement Engineer @UiPath
Anja le Clercq, Principal Technical Enablement Engineer @UiPath
⏩ Register for our upcoming Dev Dives July session: Boosting Tester Productivity with Coded Automation and Autopilot™
👉 Link: https://bit.ly/Dev_Dives_July
This session was streamed live on June 27, 2024.
Check out all our upcoming Dev Dives 2024 sessions at:
🚩 https://bit.ly/Dev_Dives_2024
Test Case Design Techniques as chapter 4 of ISTQB Foundation. Topics included are Equivalence Partition, Boundary Value Analysis, State Transition Testing, Decision Table Testing, Use Case Testing, Statement Coverage, Decision Coverage, Error Guessing, Exploratory Testing, Checklist Based Testing
Database Management Myths for DevelopersJohn Sterrett
Myths, Mistakes, and Lessons learned about Managing SQL Server databases. We also focus on automating and validating your critical database management tasks.
CRASHOVERRIDE: Threat to the Electric Grid Operations
Contents
Executive Summary 3
Why Are We Publishing This 3
Key Takeaways 4
Background 5
Introduction to Electric Grid Operations 6
Evolution of Tradecraft 8
STUXNET 8
Dragonfly/HAVEX 9
BLACKENERGY 2 10
Ukraine Cyber Attack 2015 10
CRASHOVERRIDE 11
Capabilities 12
Capabilities Overview 12
Module Commonalities 13
Backdoor/RAT Module 13
Launcher Module 15
Data Wiper Module 16
IEC 104 Module 17
IEC 101 Module 21
61850 Module 21
OPC DA Module 21
SIPROTEC DoS Module 22
Capability Conclusions 22
Implications of capability 22
Attack Option: De-energize substation 22
Attack Option: Force an Islanding event 23
Adding Amplification Attacks 24
Using OPC to create a Denial of Visibility 24
Using CVE-2015-5374 to hamper protective relays 25
Defense Recommendations 26
CRASHOVERRIDE
Analyzing the Threat to
Electric Grid Operations
Why Are We Publishing This
Security firms must always balance a need to inform the public against empowering adversaries with feedback on how they are being detected and analyzed. This case is
-
bility described in this report takes advantage of the knowledge of electric grid systems. It is not an aspect of technical vulnerability and exploitation. It cannot just be patched or architected away, although the electric grid is entirely defensible. Human defenders leveraging an active defense such as hunting and responding internally to the industrial control system (ICS) networks can ensure that security is maintained.
Executive Summary
Dragos, Inc. was notified by the Slovak anti-virus firm ESET of an ICS tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion.
Key Takeaways
• The malware self-identifies as “crash” in multiple locations, thus leading to the naming convention “CRASHOVERRIDE” for the malware framework.
• CRASHOVERRIDE is the first ever malware framework designed and deployed to attack electric grids.
• CRASHOVERRIDE is the fourth ever piece of ICS-tailored malware (STUXNET, BLACKENERGY 2, and HAVEX were the first three) used against targets and the second ever to be designed and deployed for disrupting physical industrial processes (STUXNET was the first).
• CRASHOVERRIDE is not unique to any particular vendor or configuration and instead leverages knowledge of grid operations and network communications to cause impact; in that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia.
• CRASHOVERRIDE is extensible and with a small amount of tailoring such as the
-
can grid.
• CRASHOVERRIDE could be leveraged at multiple sites simultaneously, but the scenario is not cataclysmic and would result in hours, potentially a few days, of outages, not weeks or more.
• Dragos assesses with high confidence that the same malware was used in the cyber-attack to de-energize a transmission substation on December 17, 2016, resulting in outages for an unspecified number of customers.
• The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages.
• CRASHOVERRIDE could be extended to other industries with additional protocol modules, but the adversaries have not demonstrated the knowledge of other physical industrial processes to be able to make that assessment anything other than a hypothetical at this point and protocol changes alone would be
• Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.
Background
On June 8th, 2017 the Slovak anti-virus firm ESET shared a subset of digital hashes of the malware described below and a portion of their analysis with Dragos. The Dragos team was asked to validate ESET’s findings to news publications ESET had contacted about the story which would be published June 12th, 2017. Dragos would like to thank ESET for sharing the digital hashes which allowed the Dragos team to spawn its investigation. Without control of the timeline, it was Dragos’ desire to publish a report alongside ESET’s report to capture the nuance of electric grid operations. The report also contains new discoveries, indicators, and implications of the tradecraft. Also, because of the connection to the activity group Dragos tracks as ELECTRUM, it was our decision that an independent report was warranted. The Dragos team has been busy over the last 96 hours reproducing and verifying ESET’s analysis, hunting for new samples of the malware and potential additional infections, notifying appropriate companies, and informing our customers. Importantly, Dragos also updated ICS vendors that needed to be made aware of this capability, relevant government agencies, many national computer emergency response teams (CERTs), and key players in the electric energy community. Our many thanks to those involved.
If you are a Dragos, Inc. customer, you will have already received the more concise and technically in-depth intelligence report. It will be accompanied by follow-on reports, and the Dragos team will keep you up-to-date as things evolve. It is Dragos’ view that the following report contains significant assessments that deserve a wide audience in the electric sector. Avoiding hype and fear should always be paramount, but this case-study is of immediate significance, and this is not a singular contained event. The CRASHOVERRIDE capability is purpose built to impact electric grid operations and has been created as a framework to facilitate the impact of electric grids in other countries in the future, outside the attack that took place with it on December 17th, 2016 in Ukraine. However, as always, the defense is doable.
Introduction to Electric Grid Operations
As with most ICS specific incidents, the most interesting components of the attack are in how the adversary has demonstrated they understand the physical industrial process. Whereas vulnerabilities, exploits, and infection vectors can drive discussions in intrusion analysis of IT security threats, that is not the most important aspect of an ICS attack. To fully understand the CRASHOVERRIDE framework, its individual capabilities, and overall impact on ICS security it is important to understand certain fundamentals of electric grid operations.
Simplistically, the electric grid can be categorized into three functions: generation of electricity at power plants, transmission from the power plants across typically long distances at high voltage, and then stepping down to lower voltage for distribution networks to power customers. Along these long transmission and distribution systems are substations to transform voltage levels, serve as switching stations and feeders, and provide fault protection.
systems and communications. As an example, while a power plant feeds energy into the electric grid there is no one-size-fits-all approach to power plants. There
generation, wind farm, solar farm, gas turbine power, hydroelectric and more. This means that the electric grid must be a robust, almost living creature, which moves and balances electricity across large regions. Electric grids use a special type of industrial control system called a supervisory control and data acquisition (SCADA) system to manage this process across large geographical areas. Transmission and distribution owners have their substations in their particular geographical footprint, and control centers staffed 24/7 by human operators manage the cross-territory SCADA systems. These control centers regularly manage the continual demand and response of their customers, respond to faults, and plan and work with neighboring utilities.
This simplistic view of grid operations is similar around the world. There are of-
engineering, and the overall process is largely the same between nations. As an example, these systems use SCADA and leverage systems such as remote terminal units (RTUs) to control circuit breakers. As the breakers open and close, substations are energized or de-energized to balance power across the grid. Some network protocols, such as IEC 104, a TCP-based protocol, and its serial protocol companion IEC 101, are often region specific. Europe, some of Asia, and portions of the Middle East leverage these protocols to control RTUs from the SCADA human machine interfaces (HMIs).
Figure 1: Simplistic Mockup of Electric Grid Operations Systems and Communications Relevant for CRASHOVERRIDE
In North America, the protocol of choice for this is the Distributed Network Protocol 3 (DNP3). The various protocols’ purposes are largely the same though: control physical equipment through RTUs, programmable logic controllers (PLCs), and other final control elements via HMIs as a part of the larger SCADA system. Some protocols have been adopted cross-country, including IEC 61850, which is usually leveraged from an HMI to work with equipment such as digital relays and other types of intelligent electronic devices (IEDs). IEDs are purpose built microprocessor-based control devices and can often be found alongside power equipment such as circuit breakers. IEDs and RTUs operate in a master/slave capacity where the slave devices are polled and sent commands by master devices.
Substations manage the flow of power through transmission or distribution lines. Management of energizing and de-energizing these lines ultimately controls when and where the flow of power moves in and out of the substation. If you “open” a breaker you are removing the path where the electricity is flowing, or de-energizing it. If you “close” a breaker then you are energizing the line by closing the gap and allowing the power to “flow.” This concept is similar to anyone who may be confused on this terminology as it is opposite to how one would describe
The grid is a well-designed system, and while damage can be done, it is vital to understand that in nations around the world the electric community has designed the system to be reliable and safe, which has a natural byproduct of increased security. In the United States as an example, reliability is reinforced with regular training and events such as the North American grid’s GridEx, where grid operators train for events from hurricanes, to terrorist incidents, to cyber-attacks and how they will respond to such outages. There is constantly a balance that must be understood when referring to grid operations: yes, the systems are vulnerable and more must be done to understand complex and multi-stage attacks, but the grid is also in a great defensible position because of the work of so many over the years.
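As an added example that is not from the Dragos report, the Python below decodes IEC 104 I-frames, extracts the single and double commands an HMI uses to open and close breakers at an RTU (the control path described above), and raises alerts for commands from a host that is not an allowlisted master and for a burst of breaker-open executes from one source. The IP addresses, station address, IOAs and the ON = closed / OFF = open mapping are assumptions made for the illustration; every frame is constructed.

```python
"""Added example (not from the Dragos report): a minimal decoder for
IEC 60870-5-104 I-frames that pulls out breaker control commands and
flags the ones a grid operator would not expect on the SCADA network.
All frames, IPs, station addresses and IOAs below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

START_BYTE = 0x68
# ASDU type identifiers defined in IEC 60870-5-101 and reused by IEC 104
C_SC_NA_1 = 45      # single command (one ON/OFF bit)
C_DC_NA_1 = 46      # double command (ON/OFF with explicit invalid states)
COT_ACTIVATION = 6  # cause of transmission "activation": master -> RTU request


@dataclass
class ControlCommand:
    src: str          # sender address (the master / HMI side of the session)
    type_id: int
    common_addr: int  # common address of ASDU: which RTU or station
    ioa: int          # information object address: which breaker/point
    action: str       # "open" (OFF, de-energize) or "close" (ON, energize)
    select: bool      # True = select phase of select-before-operate, False = execute


def parse_control_command(src: str, apdu: bytes) -> Optional[ControlCommand]:
    """Return a ControlCommand if apdu is an I-frame carrying C_SC_NA_1 or
    C_DC_NA_1 with cause 'activation'; None for anything else (S/U-frames,
    monitoring data, interrogations, malformed input)."""
    if len(apdu) < 6 or apdu[0] != START_BYTE:
        return None                       # not an IEC 104 APDU
    if apdu[1] != len(apdu) - 2:
        return None                       # length byte must cover control + ASDU
    if apdu[2] & 0x01:
        return None                       # S- or U-format frame: carries no ASDU
    asdu = apdu[6:]
    if len(asdu) < 10:
        return None                       # header(6) + IOA(3) + qualifier(1)
    type_id = asdu[0]
    cot = asdu[2] & 0x3F                  # low 6 bits; bit 7 = test, bit 6 = P/N
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    qualifier = asdu[9]                   # SCO or DCO byte
    if cot != COT_ACTIVATION:
        return None
    if type_id == C_SC_NA_1:
        state_on = bool(qualifier & 0x01)
    elif type_id == C_DC_NA_1:
        dcs = qualifier & 0x03            # 1 = OFF, 2 = ON, 0 and 3 not permitted
        if dcs not in (1, 2):
            return None
        state_on = dcs == 2
    else:
        return None
    # Assumed convention (the usual one for breakers): ON = closed/energized,
    # OFF = open/de-energized, matching the report's open/close description.
    action = "close" if state_on else "open"
    return ControlCommand(src, type_id, common_addr, ioa, action, bool(qualifier & 0x80))


def audit_traffic(frames: List[Tuple[str, bytes]], allowed_masters,
                  open_burst: int = 3) -> List[str]:
    """Walk captured (src, apdu) pairs and return alert strings for
    (a) any control command from a source that is not an allowlisted master and
    (b) a source that executes open_burst or more breaker-open commands."""
    alerts: List[str] = []
    opens_by_src: Dict[str, int] = {}
    for src, apdu in frames:
        cmd = parse_control_command(src, apdu)
        if cmd is None:
            continue
        if src not in allowed_masters:
            alerts.append(f"{src}: {cmd.action} command to CA {cmd.common_addr} "
                          f"IOA {cmd.ioa} from non-allowlisted master")
        if cmd.action == "open" and not cmd.select:
            opens_by_src[src] = opens_by_src.get(src, 0) + 1
            if opens_by_src[src] == open_burst:
                alerts.append(f"{src}: {open_burst} breaker-open executes in one "
                              f"capture (possible mass de-energize)")
    return alerts


# Constructed capture: one legitimate HMI (10.0.0.10) and one unexpected host.
ALLOWED_MASTERS = {"10.0.0.10"}
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    # HMI: double command ON (close) to IOA 1, execute
    ("10.0.0.10", bytes.fromhex("680e000000002e010600010001000002")),
    # HMI: U-frame TESTFR act, carries no ASDU
    ("10.0.0.10", bytes.fromhex("680443000000")),
    # HMI: general interrogation (C_IC_NA_1 = 100), read-only, not a control
    ("10.0.0.10", bytes.fromhex("680e0200000064010600010000000014")),
    # HMI: select then execute OFF (open) on IOA 5, normal select-before-operate
    ("10.0.0.10", bytes.fromhex("680e040000002e010600010005000081")),
    ("10.0.0.10", bytes.fromhex("680e060000002e010600010005000001")),
    # Unexpected host: OFF (open) executes to IOA 1, 2 (double) and 3 (single)
    ("10.0.0.99", bytes.fromhex("680e000000002e010600010001000001")),
    ("10.0.0.99", bytes.fromhex("680e020000002e010600010002000001")),
    ("10.0.0.99", bytes.fromhex("680e040000002d010600010003000000")),
]

if __name__ == "__main__":
    for line in audit_traffic(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print(line)
```

Run against the constructed capture it reports three commands from the non-allowlisted host and one burst alert; the HMI's own select-before-operate sequence produces nothing.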
Evolution of Tradecraft
CRASHOVERRIDE represents an evolution in tradecraft and capabilities by adversaries who wish to do harm to industrial environments. To fully appreciate the malware it is valuable to compare it to its predecessors and the Ukraine 2015 cyber attack.
STUXNET
The STUXNET malware has been written about extensively and referenced, at times unfortunately, in comparison to most ICS related incidents and malware. It was the first confirmed example of ICS tailored malware leveraged against a target. The Windows portion of the code with its four zero-day exploits gained a lot of notoriety. However, it was the malware’s payload that was specific to ICS that was the most interesting component. The tradecraft exhibited by STUXNET was the detailed understanding of the industrial process. In IT networks, it is important for adversaries to identify vulnerabilities and exploit them to load malware and gain privileges on systems.
In ICS networks though, some of the most concerning issues are related to an adversary’s ability to learn the physical process, such as the engineering of the systems and their components and how they work together. STUXNET’s greatest strength was leveraging functionality in Siemens equipment to interact with nuclear enrichment centrifuges through abuses of intended functionality. The purpose of the Siemens equipment was to be able to control and change the speed of the centrifuges. Stuxnet did this as well but with pre-programmed knowledge from the attackers on the speeds that would cause the centrifuges to burst from their casings. ICS tailored malware leveraging knowledge of industrial processes was now a thing. However, it was specific to Siemens equipment and unique to the Natanz facility in Iran. While tradecraft and exploits can be replicated, it was not reasonable to re-purpose the Stuxnet capability.
Dragonfly/HAVEX
control system locations, estimates put it at over 2,000 sites, with a large emphasis on electric power and petrochemical asset owners. The Dragonfly campaign leveraged the HAVEX malware. There are often not many commonalities between
-
mentation, integration, and the physical processes required at each site. One of the few commonalities across numerous ICS industries though is the OPC protocol. It is designed to be the universal translator for many industrial components and is readily accessible in an HMI or dedicated OPC server. The HAVEX malware leveraged legitimate functionality in the OPC protocol to map out the industrial equipment and devices on an ICS network. It was a clever use of the protocol, and while the malware itself was not complex the tradecraft associated with the usage of OPC was sophisticated. However, the Dragonfly campaign was focused entirely on espionage. There was no physical disruption or destruction of the industrial process. Instead, it was the type of data you would want to leverage to design attacks in the future built for the specific targets impacted with the malware.
BLACKENERGY 2
The Sandworm team has targeted numerous industries ranging from western militaries, governments, research organizations, defense contractors, and industrial sites. It was their use of the BLACKENERGY 2 malware that caught the ICS industry’s attention. This ICS tailored malware contained exploits for specific types of HMI applications including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. BLACKENERGY 2 was a smart approach by the adversaries to target internet connected HMIs. Upon exploitation of the HMIs, the adversaries had access to a central location in the ICS to start to learn the industrial process and gain the graphical representation of that ICS through the HMI. The targeting of HMIs alone is often not enough to cause physical damage, but it is an ideal target for espionage and positioning in an ICS. Gaining a foothold in the network that had access to numerous components of the ICS while maintaining command and control to Internet locations positioned it well for espionage.
Ukraine Cyber Attack 2015
The cyber-attack on three power companies in Ukraine on December 23rd, 2015 marked a revolutionary event for electric grid operators. It was the first known instance where a cyber-attack had disrupted electric grid operations. The Sandworm team was attributed to the attack and their use of the BLACKENERGY 3 malware. BLACKENERGY 3 does not contain ICS components in the way that BLACKENERGY 2 did. Instead, the adversaries leveraged the BLACKENERGY 3 malware to gain access to the corporate networks of the power companies and then pivot into the SCADA networks. While in the environment the adversaries performed their reconnaissance and eventually leveraged the grid’s systems against themselves. They learned the operations and used the legitimate functionality of distribution management systems to disconnect substations from the grid, leaving 225,000+ customers without power for upwards of 6 hours until manual operations could restore power. However, due to the wiping of Windows systems through the KillDisk malware and destruction of serial-to-Ethernet devices through malicious firmware updates, the Ukrainian grid operators were without their SCADA environment, meaning they lost the ability for automated control, for upwards of a year in some locations. The most notable aspect of the attack was the adversary’s focus on learning how to leverage the systems against themselves. Malware enabled the attack, and malware
-
aging the ICS against itself that resulted in the electric power disruptions, not malware.
CRASHOVERRIDE
The CRASHOVERRIDE malware impacted a single transmission level substation in Ukraine on December 17th, 2016. Many elements of the attack appear to have been more of a proof of concept than what was fully capable in the malware. The most important thing to understand though from the evolution of tradecraft is the codification and scalability in the malware towards what has been learned through past attacks. The malware took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET did. It leveraged the OPC protocol to help it map the environment and select its targets similar to HAVEX. It targeted the libraries and configuration files of HMIs to understand the environment further and leveraged HMIs to connect to Internet-connected locations when possible as BLACKENERGY 2 had done. And it took the same type of approach to understanding grid operations and leveraging the systems against themselves displayed in the Ukraine 2015 attack. It did all of these things with added sophistication in each category, giving the adversaries a platform to conduct attacks against grid operations systems in various environments and not confined to work only on specific vendor platforms. It marks an advancement in capability by adversaries who intend to disrupt operations and poses a challenge for defenders who look to patching systems as a primary defense, using anti-malware tools to spot specific samples, and relying upon a strong perimeter or air-gapped network as a silver-bullet solution. Adversaries are getting smarter; they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt.
Capabilities
Capabilities Overview
The CRASHOVERRIDE malware is a modular framework consisting of an initial backdoor, a loader module, and several supporting and payload modules.
The most important items are the backdoor, which provides access to the infected
payload modules. Dragos focused our analysis on the previously mentioned items as they are most relevant for defending grid operations.
on the targeted industrial control system. One sample was the IEC 104 protocol module, and the other sample was the data wiper. Both samples shared common design characteristics indicative of being part of a broader ICS attack and manipulation framework. ESET was able to uncover an additional IEC 61850 and OPC module which they have analyzed and shared with Dragos.
The figure below gives an overview of program execution flow and dependency.
Figure 2. CRASHOVERRIDE Module Overview Including ESET’s Discoveries
Module Commonalities
Dragos analysts were able to determine the compile time for both modules obtained as being within 12 minutes of each other, just after 2:30 am on December 18th in an unknown time zone, although timestamps for both samples were zeroed out. These times fall in the same timeframe as the Ukraine events. Both module samples exported a function named Crash that served as the main function to begin execution. The common Crash function enables the ability to “plug and play” additional modules.
Backdoor/RAT Module
Key Features
• Authenticates with a local proxy via the internal network established before the backdoor installation
• After authentication, opens an HTTP channel to the external command and control server (C2) through the internal proxy
• Receives commands via the external command and control (C2) server
• Creates a file on the local system (contents not determined)
• Overwrites an existing service to point to the backdoor so the malware persists between reboots
Details
Access to the ICS network flows through a backdoor module. Dragos obtained four samples which all featured similar functionality. On execution, the malware attempts to contact a hard-coded proxy address located within the local network. ELECTRUM must establish the internal proxy before the installation of the backdoor.
The malware expects to communicate to an internal proxy listening on TCP 3128. This port is a default port associated with the Squid proxy. The beaconing continues without pause until it establishes a connection. The backdoor then sends a series of HTTP POST requests with the victim’s Windows GUID (a unique identifier set with every Windows installation) in the HTTP body. This information authenticates the targeted machine to the command and control (C2) server. If the C2 server does not respond, the backdoor will exit.
If the authentication is successful to the internal proxy, the malware attempts to perform an HTTP CONNECT to an external C2 server via the internal proxy. Across four
December 2016 attack on Ukraine:
195.16.88.6
93.115.27.57
5.39.218.152
A check of the TOR project’s ExoneraTOR service indicates that all of the listed IP addresses were listed as active TOR nodes during the events in Ukraine.
When performing the HTTP CONNECT, the malware attempts to identify the system default user agent. If this cannot be determined or does not exist, then a hard-coded default for the malware is used:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
The malware can be configured to beacon out periodically afterwards via a hard-coded configuration value. The implant is designed to retrieve commands from the C2 server:
• Create a new process as logged in user
• Create a new process as specified user via CreateProcessWithLogon
• Write a file
• Copy a file
• Execute a command as logged in user
• Execute a command as specified user
• Kill the backdoor
• Stop a service
• Specify a user (log in as user) and stop a service
• Specify a user (log in as user) and start a service
• Alter an existing service to point to specified process and change to start at boot
Execution results in several artifacts left on the host. During execution, the malware checks for the presence of a mutex value. Mutexes are program objects that name resources to enable sharing with multiple program threads. In this case, CRASHOVERRIDE checks the following:
Sessions1WindowsApiPortection
The backdoor may also create and check a blank mutex name. Reviewing memory during execution and analysis of other modules in the malware indicates that Sessions1Windows appears multiple times, indicating that a check may be performed.
The backdoor writes a file to either C:\Users\Public or C:\Users\<Executing User>. The contents of this file were not discovered during our analysis, and it did not appear to be vital to the malware functionality. However, this is a good indicator of the observed activity and may be leveraged to detect this specific sample through host-based indicator checking.
The service manipulation process is the only persistence mechanism for the malware. When used, the adversary can select an arbitrary system service, direct it to refer to CRASHOVERRIDE, and ensure it is loaded on system boot. If this fails, the malware, although present on disk, will not start when the machine reboots.
When evaluating the options provided to the adversary, an important piece of functionality associated with most remote access tools is absent: a command to exfiltrate data. While this functionality could be created via the command execution options, one would expect this option to be explicit, given the options to download and copy files on the host, if the adversary intended to use the tool as an all-encompassing backdoor and espionage framework. Instead, the functionality of this tool is explicitly designed for facilitating access to the machine and executing commands on the system and cannot reasonably be confused with an espionage platform, data stealer, or another such item.
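The proxy behaviour described above (beacons to a Squid-style proxy on TCP 3128, HTTP CONNECT to the listed external C2 servers, and the hard-coded fallback user agent) is something a defender can hunt for in the proxy's own logs. The script below is an added example, not code from the Dragos report; it assumes the proxy writes Squid's "combined" log format and runs over constructed sample log lines.

```python
"""Hunt for CRASHOVERRIDE backdoor C2 traffic in Squid proxy logs.

Added example, not code from the Dragos report. The backdoor described
above beacons to an internal Squid-style proxy (TCP 3128), then issues
HTTP CONNECT requests to the external C2 servers and falls back to a
hard-coded user agent when the system default cannot be read. This
script parses Squid "combined"-format access-log lines and reports, per
internal client, every request to a listed C2 address and every use of
the fallback user agent. SAMPLE_LOG is constructed input, not a capture.
"""
import re
from collections import defaultdict

# From the report: external C2 servers of the December 2016 samples
# (active TOR nodes at the time) and the backdoor's fallback user agent.
C2_ADDRESSES = {"195.16.88.6", "93.115.27.57", "5.39.218.152"}
FALLBACK_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"

# Squid "combined" logformat (assumed proxy configuration):
#   client ident user [time] "method url proto" status bytes "referer" "ua" squid-status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: 10.10.5.21 is a normal workstation; 10.10.5.44 shows
# the backdoor's POST and CONNECT to one C2 address with the fallback UA.
SAMPLE_LOG = """\
10.10.5.21 - - [17/Dec/2016:22:41:07 +0200] "GET http://intranet.example/status.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TCP_MISS:HIER_DIRECT
10.10.5.44 - - [17/Dec/2016:22:41:09 +0200] "POST http://5.39.218.152/ HTTP/1.1" 200 310 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)" TCP_MISS:HIER_DIRECT
10.10.5.44 - - [17/Dec/2016:22:41:10 +0200] "CONNECT 5.39.218.152:443 HTTP/1.1" 200 8841 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)" TCP_TUNNEL:HIER_DIRECT
10.10.5.21 - - [17/Dec/2016:22:41:12 +0200] "CONNECT update.example:443 HTTP/1.1" 200 20411 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TCP_TUNNEL:HIER_DIRECT
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def request_host(url):
    """Host part of a CONNECT target ("host:port") or of an absolute URL."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    host = host.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def analyse(lines):
    """Map each client IP to a sorted list of findings; clean clients are omitted."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = request_host(rec["url"])
        if host in C2_ADDRESSES:
            findings[rec["client"]].add(f"{rec['method']} to known C2 {host}")
        if rec["ua"] == FALLBACK_UA:
            findings[rec["client"]].add("hard-coded fallback user agent")
    return {client: sorted(hits) for client, hits in findings.items()}


if __name__ == "__main__":
    for client, hits in analyse(SAMPLE_LOG.splitlines()).items():
        print(client)
        for hit in hits:
            print("  -", hit)
```

The IP match is only as good as the indicator list, so the user-agent check and a baseline of which internal hosts ever issue CONNECT requests matter more over time than the three addresses themselves.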
Launcher Module
Key Features
• Loads payload modules which manipulate the ICS and cause destruction via the wiper
• Starts itself as a service, likely to hide better
• Loads the payload module(s) defined on the command line during execution
• Launches the payload and begins either a 1 or 2 hour countdown before launching the data wiper (variant dependent)
Details
Within the attack sequence, the ICS payload modules and data wiper module must be loaded by a separate loader EXE. Dragos obtained one sample of this file, called the Launcher.
The launcher takes three parameters on start:
On launch, the sample analyzed starts a service named defragsvc. It then loads the module DLL via an exported function named Crash. A new thread is created at the highest priority on the executing machine. Control then passes from the launcher to the loaded module while the launcher waits two hours before executing the data wiper.
Data Wiper Module
Key Features
• Clears all registry keys associated with system services
• Overwrites all ICS configuration files across the hard drives and all mapped network drives, specifically targeting ABB PCM600 configuration files in this sample
• Overwrites generic Windows files
• Renders the system unusable
Details
Once executed, the data wiper module clears registry keys, erases files, and kills processes running on the system. A unique characteristic of the wiper is that the main functionality was implemented within the Crash function.
The first task of the wiper writes zeros into all of the registry keys in:
SYSTEM\CurrentControlSet\Services
This registry tree contains initialization values for each service on the system. Removal of these values renders a system inoperable. The next wiper task targets ICS configuration files across the local hard drive and mapped network drives. The malware authors included functionality to target drives lettered C-Z.
The wiper also targets file types unique to ABB’s PCM600 product used in substation automation, in addition to more general Windows files. The table below outlines some of the unique file extensions used by industrial control systems.
File Extension | Usage
.pcmp | PCM600 Project (ABB)
.pcmi | PCM600 IEC File (ABB)
.pcmt | PCM600 Template IED File
.CIN | ABB MicroScada
.PL | Programmable Logic File
.paf | PLC Archive File
.SCL |
.cid |
.scd |
Table 1. File extensions targeted by the data wiper module
IEC 104 Module
Key Features
• Reads a configuration file defining the target (likely an RTU) and action to take
• ‘Kills’ the legitimate master process on the victim host
• Masquerades as the new master
• Enters one of four modes:
  • Sequence mode: continuously sets RTU IOAs to open
  • Range mode: (1) Interrogates each RTU for valid IOAs; (2) toggles each IOA between open and closed state
  • Shift mode: unknown at this time
  • Persist mode: unknown at this time/not fully implemented
Figure 4: Execution Flow of IEC 104 Module in CRASHOVERRIDE
Details
The CRASHOVERRIDE IEC 104 module is a complete implementation of IEC 104 to serve in a “MASTER” role. This raw functionality creates a Swiss army knife for substation automation manipulation yet also provides tailored functionality. The functions exposed to the malware operator are confined by the options of the configuration file. This report outlines the options analyzed today but notes that extending and enhancing functionality is straightforward with the robust protocol implementation.
-
ondary group of developers could have been involved. Instead of the exported Crash function containing the primary execution instructions, the function parses the config file then starts a thread containing the IEC 104 master. The configuration
Field | Value
target_ip | NONE
target_port | NONE
 | NONE
adsu | NONE
stop_comm_service | 1
change | 1
on |
silence | 0
uselog | 0
stop_comm_service_name | <blank>
timeout | 1 second
socket_timeout | 15 seconds
range | NONE
Table 2. IEC-104 module configuration file fields
-
ifications for the device must be provided by the operator in the configuration file for the module to function. There are no observed automated means of enumerating the network and then impacting RTUs.
Once the IEC 104 master thread begins, the first action is to try to kill the communications service process which acts as the master process. Once the module stops the communications service process, a socket opens with the target IP and destination port, sending data to slave devices and receiving the resulting responses.
Depending on the mode defined within the configuration file the module may:
• Set specific values
• Enumerate IOAs on the target devices
• Continuously set the IOA to open, or
• Continuously toggle the IOA between open and closed states.
This module contains no interactive capability.
RTUs and PLCs, in simplistic terms, act on input and output. Each discrete input and output is tied to a memory address. Depending on implementation these addresses are referred to as coils, registers, or for IEC 104: information object ad-
or Unsigned Integer values. The 104 module properly understands how to enumerate and discover IOAs to operate breakers.
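The two observable modes above leave a distinctive signature on the wire: the same IOA commanded to the same state over and over (sequence), or flipped on every command (range). The script below is an added example, not code from the report or from the malware; it parses the single and double command ASDUs of IEC 60870-5-104 and classifies each command stream, using frames it constructs itself rather than a real capture.

```python
"""Spot CRASHOVERRIDE-style IEC 104 breaker manipulation in captured APDUs.

Added example, not code from the Dragos report. The IEC 104 module above
poses as the master and either keeps commanding an information object
address (IOA) to the same state ("sequence" mode) or toggles it between
open and closed ("range" mode). This script parses just enough of an
IEC 60870-5-104 I-format APDU to read single (type 45) and double
(type 46) commands, then classifies each (common address, IOA) stream.
Frames come from sample_capture(), which constructs them inline.
"""
import struct
from collections import defaultdict

C_SC_NA_1 = 45       # single command: SCO bit 0 is the state (0 = off, 1 = on)
C_DC_NA_1 = 46       # double command: DCO bits 0-1 are the state (1 = off, 2 = on)
COT_ACTIVATION = 6   # cause of transmission for a command being issued


def build_command(type_id, ca, ioa, on, cot=COT_ACTIVATION):
    """Build one I-format APDU carrying a single/double command (constructed input)."""
    if type_id == C_SC_NA_1:
        qualifier = 0x01 if on else 0x00
    elif type_id == C_DC_NA_1:
        qualifier = 0x02 if on else 0x01
    else:
        raise ValueError("only C_SC_NA_1 and C_DC_NA_1 are built here")
    # ASDU: type id, VSQ (one object), COT (2 bytes), common address (2 bytes),
    # then the 3-byte IOA and the command qualifier byte.
    asdu = struct.pack("<BBHH", type_id, 0x01, cot, ca)
    asdu += ioa.to_bytes(3, "little") + bytes([qualifier])
    # APCI: start 0x68, length of everything after it, and a 4-byte I-format
    # control field (send/receive sequence numbers zeroed for the sample).
    return struct.pack("<BBHH", 0x68, 4 + len(asdu), 0, 0) + asdu


def parse_command(apdu):
    """Return (type_id, ca, ioa, state) for an activation command, else None."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] + 2 != len(apdu):
        return None
    if apdu[2] & 0x01:           # S- or U-format frames carry no ASDU
        return None
    asdu = apdu[6:]
    if len(asdu) < 10:
        return None
    type_id, _vsq, cot, ca = struct.unpack("<BBHH", asdu[:6])
    if type_id not in (C_SC_NA_1, C_DC_NA_1) or (cot & 0x3F) != COT_ACTIVATION:
        return None
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]
    if type_id == C_SC_NA_1:
        state = "on" if qualifier & 0x01 else "off"
    else:
        state = {1: "off", 2: "on"}.get(qualifier & 0x03, "invalid")
    return type_id, ca, ioa, state


def detect_manipulation(apdus, threshold=3):
    """Classify each (ca, ioa) command stream as 'sequence', 'range' or 'normal'.

    sequence: the same state commanded `threshold` or more times in a row
              (the module's loop that keeps re-opening a breaker)
    range:    the state alternates on every command, `threshold` or more times
              (the module's open/closed toggling loop)
    """
    streams = defaultdict(list)
    for apdu in apdus:
        parsed = parse_command(apdu)
        if parsed:
            _, ca, ioa, state = parsed
            streams[(ca, ioa)].append(state)
    verdicts = {}
    for key, states in streams.items():
        if len(states) < threshold:
            verdicts[key] = "normal"
        elif all(s == states[0] for s in states):
            verdicts[key] = "sequence"
        elif all(a != b for a, b in zip(states, states[1:])):
            verdicts[key] = "range"
        else:
            verdicts[key] = "normal"
    return verdicts


def sample_capture():
    """Constructed capture: one operator command, one hammered IOA, one toggled IOA."""
    frames = [build_command(C_SC_NA_1, 1, 100, True)]                           # legitimate
    frames += [build_command(C_SC_NA_1, 1, 201, False) for _ in range(5)]       # sequence mode
    frames += [build_command(C_DC_NA_1, 1, 305, i % 2 == 0) for i in range(6)]  # range mode
    frames.append(bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00]))                  # U-format STARTDT act
    return frames


if __name__ == "__main__":
    for (ca, ioa), verdict in sorted(detect_manipulation(sample_capture()).items()):
        print(f"CA {ca} IOA {ioa}: {verdict}")
```

In a real deployment the stream key should also include the TCP source of the commands, since the module kills the legitimate master and takes its place; a new master address is itself an alert.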
IEC 101 Module
This module was unavailable to Dragos at the time of publication. ESET’s analysis claims the functionality is equivalent to the IEC 104 module except with communications over serial. However, Dragos was able to confirm that the module exists.
IEC 61850 Module
This module was unavailable to Dragos at the time of publication. ESET’s analysis claims once executed the module leverages a configuration file to identify targets and, without a configuration file, it enumerates the local network to identify potential targets. It communicates with the targets to identify whether the device controls a circuit breaker switch. For certain variables (no further information available) it will change their state while also generating an action log. However, Dragos was able to confirm that this module does exist.
OPC DA Module
This module was unavailable to Dragos at the time of publication. ESET’s analysis claims the module does not require a configuration. It enumerates all OPC servers and their associated items looking for a subset related to ABB containing the string ctl. It then writes 0x01 twice into the item, overwriting the proper value and giving the device a “primary value out of limits” device status. However, Dragos was able to confirm that this module exists.
SIPROTEC DoS Module
This module was unavailable to Dragos at the time of publication. ESET’s analysis claims the module sends UDP packets to port 50000 exploiting CVE-2015-5374, causing the SIPROTEC digital relay to fall into an unresponsive state. Dragos could not validate that this module exists.
Capability Conclusions
ELECTRUM’s ability to adopt the development style described above has several implications: first, developers can integrate new protocols into the overall framework quickly. Second, ELECTRUM could easily leverage external development teams skilled at exploiting industrial control systems. Some adversaries would likely approach capability development through a ‘two-tier’ approach: a core development team skilled at writing the overall framework and a second team knowledgeable about a given control system. The platform team would take the control system modules and add logic to fit them within the platform. The IEC 104 module demonstrates this approach.
Given the execution described with secondary threads, the team authoring the Crash function likely did not author the IEC 104 master portion of the code. Both development teams probably worked together to decide on a log file format for consumption by the main Crash function and executed in each of the IEC 104 module threads.
Implications of capability
This section describes legitimate CRASHOVERRIDE attack and impact scenarios. Extensions of these and potential hypothetical scenarios were deemed indeterministic and will not be addressed.
Attack Option: De-energize substation
CRASHOVERRIDE, based on prior knowledge, must have a configuration file for targeting information of one or multiple RTUs. This configuration option allows for several types of activities. One operation the configuration option allows is ‘sequence.’
The command sequence polls the target device for the appropriate addresses. Once it is at the subset of known addresses, it can then toggle the value. The command then begins an infinite loop and continues to set addresses to this val-
command on their HMI the sequence loop will continue to re-open the breaker.
line(s) preventing system operators from managing the breakers and re-energizing the line(s).
dynamics, power flows, and other variables. In some circumstances, it may have no immediate impact while in others it could put customers into an outage. It is important to note that grid operations encompass failure modes and operations can normally compensate. That is, after all, why humans are ‘in the loop’ to monitor and maintain the system.
breakers and will be required to send crews to the substation. If the CRASHOVERRIDE loop continues unabated, then the crews will likely sever communications as both a troubleshooting and recovery action. Severing communications puts the substation in manual operation where a physical presence is now required. This could result in a few hours of outages
Attack Option: Force an Islanding event
Dragos is currently investigating a separate and more disruptive attack option in CRASHOVERRIDE as described by ESET. As before, the attacker must have a configuration file for targeting information of one or multiple RTUs. This configuration file now uses the range command to begin a loop that toggles the status of the breaker between open and close continuously. The changing breaker status will invoke automated protective operations to isolate (commonly referred to as ‘islanding’) the substation. This is an intentional self-protective capability of grid operations.
relay scheme’s automated operations causing perturbations of some degree on the grid as scientific principles define how the behavior interacts with frequencies and
-
ations. Grid operation contingencies become more critical if multiple substations were under attack, likely resulting in many small islanding events. This is assuming coordinated targeting of multiple electric sites and could result in a few days of outages.
Adding Amplification Attacks
Forcing an islanding of a substation through continual breaker manipulation is significant by itself. However, CRASHOVERRIDE has the potential to amplify this attack
Using OPC to create a Denial of Visibility
ESET’s analysis of the OPC module suggests it can brute force values. Module OPC.exe will send out a 0x01 status which for the target systems equates to a “Primary Variable Out of Limits”, misdirecting operators from understanding protective relay status.
Bit Mask | Definition
0x10 | More Status Available – More status information is available via Command 48, Read Additional Status Information.
0x08 | Loop Current Fixed – The Loop Current is being held at a fixed value and is not responding to process variations.
0x04 | Loop Current Saturated – The Loop Current has reached its upper (or lower) endpoint limit and cannot increase (or decrease) any further.
0x02 | Non-Primary Variable Out of Limits – A Device variable not mapped to the PV is beyond its operating limits.
0x01 | Primary Variable Out of Limits – The PV is beyond its operating limits.
The outcome of the action implies that various systems can either perform actions on wrong information or report incorrect information to system operators. This Denial of Visibility will amplify misunderstanding and confusion while system operators troubleshoot the problem, as their system view will show breakers closed when they are open.
Using CVE-2015-5374 to Hamper Protective Relays
A second, and more severe, amplifying attack would be to neutralize the automated protective system by creating a Denial of Service against some or all of the protective relays. This possibility exists in a tool ESET has claimed to have discovered that implements the known CVE-2015-5374 Denial of Service condition to the Siemens SIPROTEC relays. Siemens released a patch for this in July 2015 under Siemens advisory SCA-732541. At this time it is believed that CVE-2015-5374 causes a denial of service (DoS) of the complete relay functionality and not just the network communications module. Dragos has independent evidence that this module exists but it cannot be confirmed.
Hampering the protective scheme by disabling the protective relays can broaden the islanding event and, if done at scale, could trigger a larger event causing multiple substations and lines “islanding” from the electric grid. Siemens SIPROTEC was likely chosen in this attack only because that was the vendor device at the Ukraine Kiev site attacked in December 2016. This same tactic against digital relays, albeit not the same exploit, could have a similar impact on grid operations. However,
require a significant investment on behalf of the adversary.
Defense Recommendations
Doing the basics is always appropriate, and it significantly helps move ICS into a defensible position. However, the basics are not worth repeating here; instead, more tailored approaches specific to ICS security analysts trying to defend against CRASHOVERRIDE and similar capabilities are presented below:
• Electric utility security teams should have a clear understanding of where and how IEC 104 and IEC 61850 protocols are used. North American electric utilities should include DNP3 on this list in case the malware is extended to impact U.S. systems. Look specifically for increased usage of the protocols against baselines established in the environment. Also, look for systems leveraging these protocols if they have not before and specifically try to identify systems that are generating new network flows using these protocols.
• Similarly, understand OPC implementations and identify how the protocol is being used. It is a protocol that is pervasive across numerous sectors. Also, CRASHOVERRIDE is the second, out of four, ICS tailored malware suite with OPC capabilities. OPC will appear abnormal in the CRASHOVERRIDE usage as it is being used to scan all devices on the network which would generate
• Robust backups of engineering files such as project logic, IED configura-
help reduce the impact of the wiper functionality.
• Prepare incident response plans for this attack and perform table top exercises bringing in appropriate stakeholders and personnel across engineering, operations, IT, and security. The scenario should include substation outages with the requirement to do manual operations while recovering the SCADA environment and gathering appropriate forensics.
• The included YARA rules and other indicators of compromise (IOCs) can be leveraged to search for possible infections. The YARA rules will provide higher confidence towards discovering an infection than the other IOCs and should be searched for against Windows OT systems, especially noting HMIs. The behavioral analytics to identify the communications on the network would provide the highest capability to detect this and similar threats.
While some defenses and architecture changes may have value in other situations, the following are responses that are not appropriate for this attack:
• Transmission and distribution companies should not rely on the usage of other protocols such as DNP3 as a protection mechanism. The completeness of the CRASHOVERRIDE framework suggests there may be other undisclosed modules such as a DNP3 module. Also, adding this functionality into the existing framework would not require extensive work on the part of the adversary.
• Air gapped networks, unidirectional firewalls, anti-virus in the ICS, and other passive defenses and architecture changes are not appropriate solutions for this attack. No amount of security control will protect against a determined human adversary. Human defenders are required
Indicators
TYPE | SUBTYPE | IOC | Description | ICS Kill Chain | Impact
Host | Mutex Value | ApiPortection9d3 | Mutex value checked | Stage 2: Install | Recon
Host | Mutex Value | <Blank Value> | Mutex value created | Stage 2: Install | Recon
Host | File | C:\Users\<Public OR Executing User>\imapi | File dropped and deleted after program exit | Stage 2: Install | Recon
Host | Service Name | defragsvc | Name given to service start | Stage 2: C2 | Remote Access
Network | IP Address | 195.16.88.6 | External C2 server [DEC 2016] (likely TOR node at time of attack) | Stage 2: C2 | Remote Access
Network | IP Address | 93.115.27.57 | External C2 server [DEC 2016] (likely TOR node at time of attack) | Stage 2: C2 | Remote Access
Network | IP Address | 5.39.218.152 | External C2 server [DEC 2016] (likely TOR node at time of attack) | Stage 2: C2 | Remote Access
Network | User Agent String | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) | Default user agent string used in C2 if unable to get system default user agent string | Stage 2: C2 | Remote Access
Host | Command Line | <Drive>:\<name>.exe -ip=<IP_address> -ports=<ports> | Command line arguments used to launch custom port scanner observed with malware. Command line logging required to track. | Stage 2: Develop | Recon
Host | Registry Key | HKLM\SYSTEM\CurrentControlSet\Services\<target_service_name>\ImagePath = <path to malware> | Change in Service Image Path in the system registry to point to malware, allowing malware to restart on system reboot. | Stage 2: Installation | Persistence
Host | SHA1 File Hash | F6C21F8189CED6AE150F9EF2E82A3A57843B587D | CONNECT to 5.39.218.152:443. Backdoor/RAT. | Stage 2: C2 | Remote Access
Host | SHA1 File Hash | CCCCE62996D578B984984426A024D9B250237533 | CONNECT to 5.39.218.152:443. Backdoor/RAT. | Stage 2: C2 | Remote Access
Host | SHA1 File Hash | 8E39ECA1E48240C01EE570631AE8F0C9A9637187 | Backdoor/RAT Proxy + HTTP CONNECT to 93.115.27.57:443. | Stage 2: C2 | Remote Access
Host | SHA1 File Hash | 2CB8230281B86FA944D3043AE906016C8B5984D9 | Backdoor/RAT Proxy + HTTP CONNECT to 195.16.88.6:443 | Stage 2: C2 | Remote Access
Host | SHA1 File Hash | 79CA89711CDAEDB16B0CCCCFDCFBD6AA7E57120A | Launcher for payload DLL. Takes input as three command line parameters: working directory, module, and config file. | Stage 2: Attack | Loss of Control
Host | SHA1 File Hash | 94488F214B165512D2FC0438A581F5C9E3BD4D4C | which is invoked by launcher. Functionality requires config file. | Stage 2: Attack | Loss of Control
Host | SHA1 File Hash | 5A5FAFBC3FEC8D36FD57B075EBF34119BA3BFF04 | Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. | Stage 2: Attack | Destruction
Host | SHA1 File Hash | B92149F046F00BB69DE329B8457D32C24726EE00 | Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. | Stage 2: Attack | Destruction
Host | SHA1 File Hash | B335163E6EB854DF5E08E85026B2C3518891EDA8 | Custom-built port scanner. | Stage 2: Develop | Recon
Host | SHA1 File Hash | 7FAC2EDDF22FF692E1B4E7F99910E5DBB51295E6 | OPC Data Access protocol enumeration of servers and addresses | Stage 2: Attack | Loss of Control
Host | SHA1 File Hash | ECF6ADF20A7137A84A1B319CCAA97CB0809A8454 | IEC-61850 enumeration and address manipulation | Stage 2: Attack | Loss of Control
Host | Filename | opc.exe | OPC Data Access protocol enumeration of servers and addresses | Stage 2: Attack | Loss of Control
Host | Filename | 61850.exe | IEC-61850 enumeration and address manipulation | Stage 2: Attack | Loss of Control
Host | Filename | haslo.exe | Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. | Stage 2: Attack | Destruction
Host | Filename | 104.dll | IEC-104 module | Stage 2: Attack | Loss of Control
Host | Filename | haslo.dat | Wiper module | Stage 2: Attack | Destruction
OPC Server | OPC Group | Aabdul | OPC DA Module | Stage 2: Attack | Loss of Visibility
Yara Rules
Also found at https://github.com/dragosinc/CRASHOVERRIDE
import "pe"
import "hash"

rule dragos_crashoverride_exporting_dlls
{
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
    condition:
        // Any DLL exporting the framework's common "Crash" entry point.
        // The export check is boolean, so the DLL bit of the PE
        // characteristics is tested explicitly rather than combined with a bare "&".
        pe.exports("Crash") and (pe.characteristics & pe.DLL) != 0
}

rule dragos_crashoverride_suspcious
{
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
    strings:
        // SYS_BASCON.COM plus the PCM600 / MicroSCADA extensions the wiper targets
        $s0 = "SYS_BASCON.COM" fullword nocase wide
        $s1 = ".pcmp" fullword nocase wide
        $s2 = ".pcmi" fullword nocase wide
        $s3 = ".pcmt" fullword nocase wide
        $s4 = ".cin" fullword nocase wide
    condition:
        pe.exports("Crash") and any of ($s*)
}