Explore common vulnerabilities in building automation systems (BAS), how these vulnerabilities could be exploited, and steps that organizations can take to improve the cybersecurity of their BAS.
Using a smart building as its case study, Forescout Research Labs investigated how IoT devices can be leveraged as an entry point to a building's network, where legacy OT assets, IT systems and IoT devices all intersect. Key areas covered include:
• How the IoT is impacting the organizational threat landscape
• The additional risks that IoT devices introduce
• How to evolve your cybersecurity strategy for the age of IoT
Commissioned by ForeScout, the IoT Enterprise Risk Report employed the skills of Samy Kamkar, one of the world's leading ethical hackers, to investigate the security risks posed by Internet of Things (IoT) devices in enterprise environments. Check out his findings.
For more information visit: http://resources.forescout.com/insecurity_of_things_lp_social.html.
1) The number of IoT devices is expected to grow dramatically from around 6 billion in 2015 to over 21 billion by 2020, with businesses accounting for 63% of spending on these devices.
2) As IoT devices proliferate, increased visibility into these devices through profiling, monitoring, and flexible enforcement is needed to secure networks from threats. Network Access Control (NAC) can provide this visibility and control to protect enterprises.
3) NAC provides essential context awareness and control capabilities to block, quarantine, or redirect compromised endpoints, and its integration abilities allow for improved network security orchestration across multiple environments including cloud and data centers.
Symantec and ForeScout Delivering a Unified Cyber Security Solution, by DLT Solutions
Tom Blauvelt from Symantec and Sean Telles and Chris Dullea from ForeScout share how both companies together can deliver a unified cyber security solution.
The document summarizes the results of a study on IT security managers' needs and realities:
- IT security managers want security systems to share information and automate threat mitigation, but very few current systems do this.
- While nearly all managers see the benefits of integrated security controls, less than half of organizations actually implement continuous monitoring and mitigation.
- The study found a huge gap between what managers need and want from their security systems, and the fragmented state of most organizations' current security postures.
Sponsored by ForeScout, Webtorials surveyed IT professionals worldwide who are responsible for enterprise communications networks regarding their view about the prevalence and security of the Internet of Things (IoT). Here are some of the findings. For the full report, visit: https://www.forescout.com/iot-security-survey-results/
Along with the burgeoning Internet of Things comes a new reality: billions of invisible devices connected to private networks. These “shadow devices” enlarge your attack surface and, if left in the dark, expose your organization to malware propagation and theft of critical resources. Learn more: https://www.forescout.com/shining-light-shadow-devices/
Solution: Block Armour Secure Remote Access for WFH, by Block Armour
The Covid-19 pandemic has compelled organizations to allow large sections of the workforce to work from home. A majority of enterprises have deployed a VPN to provide remote access and ensure business continuity. However, traditional VPNs were never designed for today's highly distributed and hybrid IT environments and could expose enterprise applications and sensitive data on the corporate network to malware, ransomware, and other cyberattacks. Learn how Block Armour's #ZeroTrust security solution with integrated 2-factor authentication mitigates the risk of unauthorized access, prevents malware propagation and enables secure and compliant remote access for employees working from home due to Covid-19.
The Frost & Sullivan report found that 72% of networks experienced five or more security incidents in the past 12 months. It questions whether traditional agent-based methods can adequately monitor all devices, including BYOD, IoT and conventional computers, and invoke predetermined security controls. The report suggests network access control as a way to address these challenges through continuous monitoring and threat mitigation.
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout), by Andris Soroka
Network Access Control is used to control access to enterprise networks. Mobile Device Management is used to manage and secure mobile devices. Put them together and your customers can set network access policies based on knowledge of the device: the Power of Two!
Forescout is a global leader in NAC. MobileIron is a global leader in MDM/MCM/MAM and Secure Mobile IT.
Next-generation Zero Trust Cybersecurity for the Space Age, by Block Armour
Space infrastructure has become an integral part of everyday life, with individuals, businesses and governments relying overwhelmingly on it. However, despite the space industry's technical sophistication, its cybersecurity efforts have lagged behind those of other high-tech sectors.
Block Armour has developed a next-gen Zero Trust Cybersecurity solution explicitly designed for connected devices, integrated IoT systems and related communication networks, and is extending the solution to deliver Zero Trust Cybersecurity for software-defined space-based systems.
Make physical presence in a building or area a condition of access to network resources by integrating physical access control and network access control through the Trusted Computing Group's IF-MAP communications standard.
CASE STUDY: How Block Armour enabled secure remote access to on-premise as ..., by Block Armour
Due to the #covid19 pandemic, organizations were faced with an unprecedented, novel challenge of ensuring business continuity without endangering employee health and safety. Presenting our latest case study about how we enabled secure remote access to on-premise as well as SaaS applications for the employees of a Fortune 500 Oil and Gas firm subsidiary with minimal changes in their existing IT environment.
This document discusses Internet of Things (IoT) security. It defines IoT as interconnecting physical devices via communication technologies. It categorizes IoT devices and lists common technology vendors. It then describes why IoT devices are vulnerable in terms of cost, processing power, history of neglecting security, proprietary technologies, and inability to update. Examples of IoT attacks are also provided such as using webcams for DDoS attacks and hacking home routers and cars. The document concludes with recommended countermeasures like leveraging existing frameworks, segmentation, not relying on users, and building in automatic updates.
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecurity, by Block Armour
This document discusses how IOT Armour uses blockchain technology and software defined perimeters to securely manage identity and access for IoT devices and critical infrastructure. It proposes using digital signatures on blockchain to authenticate devices, establish secure communication channels, and authorize access to core systems. This creates cryptographically secure device identities, encrypted access, microsegmentation of systems, and immutable logs of activity. The solution aims to protect smart cities by applying these techniques to digital IDs, infrastructure, control decentralization, and access monitoring.
The document discusses the formation of an IoT Security Task Force by the IoT Forum and CISO Platform to develop threat models, controls, and arrangements to improve IoT security. It proposes a "SECURENET" concept involving managed security network providers that would monitor IoT traffic and devices, block suspicious activity, and collaborate to identify security issues. The task force aims to provide fresh thinking around technical and legal approaches to attribute attacks and enable self-defense in IoT networks through a regulatory sandbox and cross-border response protocols. Critiques and improvements are invited.
The Nozomi Networks solution improves ICS cyber resiliency and provides real-time operational visibility. Major customers have improved reliability, cybersecurity and operational efficiency using our technology. Learn more about our solutions and technology here and how they can bring immediate benefit to your industrial control system (ICS)
Top 7 Security Measures for IoT Systems, by Zoe Gilbert
IoT systems are networks of interrelated computing devices and mechanical or digital machines that transfer data over a network without requiring human-to-human or human-to-computer interaction. This deck presents the seven security measures that are most effective at protecting such systems, with the aim of improving productivity and customer experience while minimizing operational costs.
Nozomi Networks is the leader of industrial cybersecurity, delivering real-time visibility to manage cyber risk & improve resilience for industrial operations. With one solution, customers gain advanced cybersecurity, improved operational reliability & easy IT/OT integration. Innovating the use of artificial intelligence, the company helps the largest industrial sites around the world See and Secure™ their critical industrial control networks. Today Nozomi Networks supports over a quarter of a million devices in the critical infrastructure, energy, manufacturing, mining, transportation & utility sectors, making it possible to tackle the escalating cyber risks to operational networks (OT).
The document discusses cyber attacks against operational technology (OT) environments and industrial control systems. It notes that attacks have already compromised safety critical systems, including Stuxnet in 2010 and Triton/HatMan in 2017. The Triton attack targeted a safety instrumented system controller and demonstrated the ability of attackers to gain control of industrial processes. The document advocates a combined safety and security approach for OT according to standards like IEC 61508 and 62443. Organizations are advised to conduct risk assessments and deploy defense-in-depth protections including technical, process, and physical controls to improve the security and safety of operational environments.
Block Armour Unified Secure Access Solution (based on Zero Trust principles), by Block Armour
The rapid adoption of cloud technology and employees working from home due to Covid-19 have resulted in highly distributed and hybrid IT ecosystems. Cyberattacks are on the rise, and legacy tools like VPNs are unable to deliver secure access for today's enterprise IT environments.
Block Armour offers a Unified Secure Access solution that provides secure and compliant access to enterprise IT systems for users working in the office or remotely. The integrated solution, based on Zero Trust principles, delivers secured access to on-prem and cloud / multi-cloud systems.
It replaces four traditional point products (VPN, NAC, cloud firewall and multi-factor authentication) while additionally delivering next-gen Zero Trust Network Access and server protection.
Presented at Internet of Things Stream Conference 2015 in San Francisco by Mark Benson on April 2nd, 2015.
ABSTRACT: The growth of IoT is occurring at an incredible rate, justly raising alarms about security and privacy issues as we become increasingly reliant on these intelligent, interconnected devices in our lives and businesses. How are we to protect billions of devices from attacks and intrusions that could compromise our personal privacy, public safety, or business viability? Building an IoT solution involves securing sensors, devices, networks, cloud platforms, web applications, and mobile applications for diverse industries. This presentation examines the landscape of emerging security challenges posed by connected devices and offers a catalog of security deployment patterns that have been successfully used by some of the world’s most well known OEMs to deploy connected product fleets.
SCADA Security: The Five Stages of Cyber Grief, by Lancope, Inc.
Every time a new information technology finds its way into production, it seems as though we end up repeating the same process – security vulnerabilities will be discovered and disclosed in that technology, and users and vendors will deny that the risks are significant. Only after major attacks occur do we really start to see efforts to address the inherent risks in a systematic way.
We’re falling into this exact same trap again with Industrial Control and SCADA systems, but in this case the problem is worse, because the inherent nature of control systems prevents us from applying many of the strategies that have been used to protect other kinds of computer networks.
Join Lancope’s Director of Security Research, Tom Cross, for a look at the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems.
Hear about:
The state of Control Systems security vulnerabilities
Attack activity that is prompting a change in perspective
The unique, long-term challenges associated with protecting SCADA networks
How anomaly detection can play a key role in protecting SCADA systems now
The document discusses the Mirai botnet attacks of 2016 and subsequent variants. It provides details on:
1) The 2016 Mirai attack, which took major websites offline by enlisting IoT devices such as IP cameras and routers that were still using factory-default credentials.
2) How Mirai and other botnets work by compromising internet-connected devices into a botnet that can be used to launch DDoS attacks.
3) Updates on the evolution of Mirai variants that target new devices and architectures, incorporating more sophisticated techniques.
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx, by farrahkur54
Part 3: Offline traffic monitoring. In this part you will use a PCAP file to examine network traffic (offline traffic monitoring) with three IDS tools: Snort, Suricata and Zeek. The PCAP file, named part3.pcap (attached with the project files), contains network traffic captured from a company that runs a web site and owns 256 addresses in the range 192.168.6.0 - 192.168.6.255. The IP address of the network gateway (edge router) is 192.168.6.1. The capture covers a period during which an attacker began an intrusion against the company network. The suspicious address is 192.168.5.55, which conducted a multi-stage attack starting with reconnaissance.
A kill chain is a model of the systematic process an attacker follows to target and engage a victim and carry out the intended attack. The following are the typical stages followed by a professional attacker:
1. Reconnaissance - Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
2. Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable.
3. Delivery - Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.
4. Exploitation - After the weapon is delivered to the victim host, exploitation triggers the intruders' code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
5. Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
6. Command and Control (C2) - Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware in particular usually requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders have "hands on the keyboard" access inside the target environment.
7. Actions on Objectives - Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may.
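As an added example (not part of the assignment or its project files), the script below shows the triage step that follows running the IDS tools offline: it parses a Zeek conn.log and a Suricata fast.log, flags the port sweep from 192.168.5.55, and orders the alerts involving that address into kill-chain stages. It assumes the logs were produced beforehand with `zeek -r part3.pcap` and `suricata -r part3.pcap`; the log excerpts embedded here, the local-rule SIDs (1000001 and up) and the classification-to-stage mapping are all constructed for the example, not real capture output or real ruleset content.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

SUSPECT = "192.168.5.55"   # attacker address named in the assignment

# Constructed Zeek conn.log excerpt standing in for `zeek -r part3.pcap` output.
# Only the columns this script needs are kept; the #fields line drives the parser.
ZEEK_CONN = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.10\tC1\t192.168.5.55\t40001\t192.168.6.10\t21\ttcp\tREJ
1700000000.11\tC2\t192.168.5.55\t40002\t192.168.6.10\t22\ttcp\tSF
1700000000.12\tC3\t192.168.5.55\t40003\t192.168.6.10\t23\ttcp\tREJ
1700000000.13\tC4\t192.168.5.55\t40004\t192.168.6.10\t25\ttcp\tS0
1700000000.14\tC5\t192.168.5.55\t40005\t192.168.6.10\t80\ttcp\tSF
1700000000.15\tC6\t192.168.5.55\t40006\t192.168.6.10\t110\ttcp\tREJ
1700000000.16\tC7\t192.168.5.55\t40007\t192.168.6.10\t135\ttcp\tREJ
1700000000.17\tC8\t192.168.5.55\t40008\t192.168.6.10\t139\ttcp\tS0
1700000000.18\tC9\t192.168.5.55\t40009\t192.168.6.10\t443\ttcp\tSF
1700000000.19\tC10\t192.168.5.55\t40010\t192.168.6.10\t445\ttcp\tREJ
1700000005.00\tC11\t192.168.6.20\t51000\t192.168.6.10\t80\ttcp\tSF
1700000006.00\tC12\t192.168.6.20\t51001\t192.168.6.10\t443\ttcp\tSF
"""

# Constructed Suricata fast.log lines (local-rule SIDs, not real ET signatures).
# Timestamps are treated as UTC; Suricata writes local time by default, so adjust
# the parser to your sensor's timezone in a real deployment.
SURICATA_FAST = """\
11/14/2023-22:15:01.000000  [**] [1:1000001:1] SCAN SSH version probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.5.55:40002 -> 192.168.6.10:22
11/14/2023-22:15:02.000000  [**] [1:1000002:1] SCAN inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.5.55:40012 -> 192.168.6.10:1433
11/14/2023-22:19:30.000000  [**] [1:1000003:1] WEB_SERVER UNION SELECT in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.5.55:41000 -> 192.168.6.10:80
11/14/2023-22:27:05.000000  [**] [1:1000004:1] MALWARE reverse-shell beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.6.10:50123 -> 192.168.5.55:4444
"""

# Classification names (as used in Snort/Suricata classification.config) -> kill-chain
# stage. This mapping is an assumption for the example; tune it to your ruleset.
STAGE_BY_CLASS = {
    "Attempted Information Leak": "Reconnaissance",
    "Detection of a Network Scan": "Reconnaissance",
    "Web Application Attack": "Exploitation",
    "Attempted Administrator Privilege Gain": "Exploitation",
    "Successful Administrator Privilege Gain": "Installation",
    "A Network Trojan was detected": "Command and Control",
    "Malware Command and Control Activity Detected": "Command and Control",
}

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_zeek_conn(text):
    """Parse conn.log rows into dicts keyed by the names in the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def detect_scans(conns, min_ports=8):
    """Return {(src, dst): distinct_ports} for pairs that look like a port sweep."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c["id.orig_h"], c["id.resp_h"])].add(int(c["id.resp_p"]))
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def parse_suricata_fast(text):
    """Parse fast.log alert lines; lines not in the expected format are skipped."""
    alerts = [m.groupdict() for m in map(FAST_RE.match, text.splitlines()) if m]
    for a in alerts:
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return alerts


def stage_of(alert):
    return STAGE_BY_CLASS.get(alert["cls"], "Unclassified")


def kill_chain_timeline(zeek_text, fast_text, suspect=SUSPECT):
    """Kill-chain stages involving `suspect` (as source or destination), earliest first."""
    conns = parse_zeek_conn(zeek_text)
    events = []  # (epoch seconds, stage)
    for (src, dst), _n in detect_scans(conns).items():
        if src == suspect:  # Zeek sweep evidence counts as Reconnaissance at its first flow
            events.append((min(float(c["ts"]) for c in conns if c["id.orig_h"] == src), "Reconnaissance"))
    for a in parse_suricata_fast(fast_text):
        if suspect in (a["src"], a["dst"]):  # C2 beacons run victim -> attacker
            events.append((a["ts"].timestamp(), stage_of(a)))
    stages = []
    for _ts, stage in sorted(events):
        if stage != "Unclassified" and stage not in stages:
            stages.append(stage)
    return stages


if __name__ == "__main__":
    for pair, n in detect_scans(parse_zeek_conn(ZEEK_CONN)).items():
        print(f"port sweep: {pair[0]} -> {pair[1]} ({n} distinct ports)")
    print(SUSPECT, "->", " > ".join(kill_chain_timeline(ZEEK_CONN, SURICATA_FAST)))
```

Two design points carry over to real triage. Alerts are bucketed by their classification rather than by message text, because classifications are a small stable vocabulary while rule messages change with every ruleset update. And the timeline matches the suspect as either endpoint: the Delivery, Exploitation and Reconnaissance stages show up as attacker-to-victim traffic, but the Command and Control stage shows up as the victim beaconing outbound to the attacker, so a filter on source address alone would miss it. Weaponization never appears on the wire at all, which is why a network-only view of the kill chain has a gap between Reconnaissance and Delivery.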
The document analyzes the cybersecurity of 5 building management system (BMS) components from 4 vendors. It finds that a significant number of BMS devices are directly accessible from the internet, and the components share common design flaws like default credentials, lack of input sanitization, and insecure firmware updates. The research uncovered over 100 vulnerabilities in total, demonstrating how an attacker could achieve unauthenticated remote code execution on the systems and potentially impact over 10 million people. It recommends vendors improve security standards for BMS products.
The document summarizes a cyber attack on a SCADA system in Ukraine in December 2015 that caused widespread power outages. Attackers first infiltrated the system 6 months prior using a phishing email with a malicious macro. They then spent time reconnoitering the network, stealing credentials, and testing their abilities to control system components. On the day of the attack, they deployed "kill disk" malware to disable workstations and took control of HMIs to open circuit breakers and shut down power stations, cutting power to 250,000 people. They also sabotaged backup systems to prevent restoration of service and launched a social engineering campaign to overload emergency responders. The sophisticated and coordinated attack exploited numerous security weaknesses in the outdated
This document discusses the creation of a backdoor to gain unauthorized access to a Windows computer. It begins with an abstract that outlines creating an advanced backdoor file that works like normal files but allows an attacker to retain access and make changes. The document then covers how backdoors work by bypassing authentication, different types of backdoors like Trojans and web shells, an overview of the proposed backdoor system using Python sockets and commands, and requirements for the system.
Cybersecurity concepts & Defense best practises (Wajahat Iqbal)
This presentation is an attempt to present the complex subject of cybersecurity in a concise format, with the main focus on presenting the core of cybersecurity and the best practises and standards to protect an enterprise network. Comments from readers are welcome. Thank you (Wajahat Iqbal)
Email: Wajahat_Iqbal@yahoo.com
This document discusses the development of a cross-platform penetration testing suite that compiles standard penetration testing tools into a single mobile application. The suite aims to provide easy access to penetration testing tools on any Android device, improving portability for ethical hackers. It does not require root access of the user's phone. The suite is designed to perform tasks like port scanning, vulnerability scanning, payload generation, and more. It consolidates typical tools used for information gathering, vulnerability assessment, exploitation, and covering tracks into a single interface. This allows ethical hackers to conduct basic penetration tests using only their mobile device.
CISA GOV - Seven Steps to Effectively Defend ICS (Muhammad Fahad)
INTRODUCTION
Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it’s not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems.
Seven recommendations for bolstering industrial control system cyber security (CTi Controltech)
Recommendations from ICS-CERT, the Industrial Control System Cyber Emergency Response Team, a division of Department of Homeland Security. Seven basic steps to follow that will substantially boost cyber security and generate awareness of the threat potential
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems (Miller Energy, Inc.)
This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems for industrial processes and operations.
Defending Industrial Control Systems From Cyberattack (CTi Controltech)
Industrial control systems of all types and vintages likely are exposed to some level of unauthorized intrusion. Individuals and organizations with nefarious intent will try to gain access to information or control elements, stealing data or causing a range of inappropriate operations.
This document outlines seven strategies that can be implemented to defend industrial control systems (ICSs) against cyber intrusions: 1) application whitelisting, 2) proper configuration/patch management, 3) reducing attack surface area, 4) building a defendable environment through network segmentation, 5) managing authentication securely, 6) implementing secure remote access, and 7) monitoring networks and having an incident response plan. The document estimates that implementing these strategies could have prevented 98% of incidents responded to by ICS-CERT in 2014-2015. It concludes that a layered defense approach is needed to protect internal systems and components.
This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems. Length is 6 pages.
The document summarizes a security solution called OTPS that is designed to protect utility control systems from vulnerabilities. It notes that control systems have become more vulnerable as they integrate with corporate networks and use commercial operating systems. The OTPS solution uses security event management, intrusion detection, and other tools to monitor systems for breaches, protect critical infrastructure, and detect and prevent security issues across networks, protocols, processes and system health. It is presented as a customizable, scalable solution to implement security best practices for utility control environments.
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies (mordechaiguri)
Information is the most critical asset of modern organizations, and accordingly coveted by adversaries. When highly sensitive data is involved, an organization may resort to air-gap isolation, in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years (e.g., Stuxnet), data exfiltration from an air-gapped network is still considered to be one of the most challenging phases of an advanced cyber-attack.
In this paper we present "AirHopper", a bifurcated malware that bridges the air-gap between an isolated network and nearby infected mobile phones using FM signals.
While it is known that software can intentionally create radio emissions from a video display unit, this is the first time that mobile phones are considered in an attack model as the intended receivers of maliciously crafted radio signals. We examine the attack model and its limitations, and discuss implementation considerations such as stealth and modulation methods. Finally, we evaluate AirHopper and demonstrate how textual and binary data can be exfiltrated from physically isolated computer to mobile phones at a distance of 1-7 meters, with effective bandwidth of 13-60 Bps (Bytes per second).
When your computer is connected to the Internet, you expose it to a variety of potential threats. The Internet is designed in such a way that if you have access to it, all other computers on the Internet can connect to your computer. This leaves you vulnerable to various common attacks. This is especially troubling because several popular programs open services on your computer that allow others to view files on it. While this functionality is expected, the difficulty is that security errors are regularly discovered that allow hackers to attack your computer with the ability to view or destroy sensitive information stored on it. To protect your computer from such attacks you need to "teach" it to ignore or resist external probing attempts. The common name for such a program is a firewall. A firewall is software that creates a secure environment whose function is to block or restrict incoming and outgoing information over a network. Such firewalls do not always work and are not suitable for business premises that need to maintain information security while supporting the free exchange of ideas. Firewalls are becoming more and more sophisticated by the day, and new features are being added all the time, so that, despite criticism and intimidating development methods, they are still a powerful defense. In this paper, we describe a network firewall that helps the corporate environment and other networks that want to exchange information over the network. The firewall protects the flow of traffic through the Internet, limits the amount of external and internal information, and provides the internal user with the illusion of anonymous FTP and WWW online communications.
The session will highlight Intel’s vision for IoT security and the fundamental building blocks and capabilities Intel and the ecosystem are providing to organizations to build security in from design through deployment and maintenance.
The document discusses cybersecurity issues related to critical infrastructure sectors. It notes that there are 16 critical infrastructure sectors designated by the US Department of Homeland Security that are vital to national security and safety. These sectors include chemical, communications, dams, emergency services, financial services, government facilities, information technology, transportation, and others. The document expresses concern about the lack of security for industrial control systems and SCADA systems that monitor and control critical infrastructure. It provides examples of past cyber attacks on these systems and notes that the majority of attacks in 2014 involved advanced persistent threats. The document concludes that as industrial systems increasingly connect to the internet and migrate to web-based interfaces, they represent a growing security risk due to their vulnerabilities.
This document provides an overview of SCADA (Supervisory Control and Data Acquisition) systems. It discusses what SCADA is, its architecture and components, functionality, and how it is used to control industrial processes. Security issues are also covered, along with the evolution of SCADA systems from early monolithic designs to modern distributed and networked architectures. The future of SCADA is described as incorporating more sophisticated capabilities through artificial intelligence and greater network integration.
Analysis of exposed ICS/SCADA/IoT systems in Europe (Francesco Faenzi)
The proliferation of remotely accessible applications and always-connected systems, including Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) networks, real-time remote control systems, IoT devices and other distributed management technologies, means that the risk of cyber attacks and potentially dangerous threats is increasing and can only increase in the coming years.
This report analyzes the distribution and exposure of these systems, found alive inside the European cyber perimeter, and their services, along with a deep analysis of evident misconfigurations, easily exploitable vulnerabilities, public and private indicators of compromise, and even real, known compromises that have already happened.
The “Lutech Operational Intelligence - Analysis of exposed ICS, SCADA and IoT systems in Europe” report presented here is based on information provided by the Lutech Threat Management Service for Cyber Threat Intelligence (L-TMS/CTI).
This document discusses advanced persistent threats (APTs) and analyzes recent APT attack techniques to propose effective countermeasures. It describes the lifecycle of a generic APT attack and analyzes several popular past APTs, including Stuxnet and Flame. The document also discusses steps for detecting APTs, mounting proper responses, and developing secure networks against APT attacks. Additionally, it briefly introduces advanced volatile threats (AVTs) and argues why enterprises should prepare for them.
How Secure Is Your Building Automation System?
KNOW YOUR SECURITY RISK
How Secure Is Your Building Automation System (BAS)?
The Forescout Building Automation Risk Report explores the common systems that make organizations vulnerable to cyberattacks and how these systems could be exploited.
Evolution of BAS (1/3)
[Timeline figure, 1980 to 2030: BMS, elevator, lighting and HVAC]
Yesterday’s BAS
Buildings offered very basic services, consisting of only a central building management system (BMS) and one or two subsystems, such as HVAC, elevators or lighting systems, that were isolated from each other and from outside networks.
Evolution of BAS (2/3)
[Diagram: a central BMS with remote control connected to the local BMS of each building; each local BMS connects to lighting, CCTV, HVAC, solar panel, elevator and access control subsystems]
Today’s BAS
Today’s buildings are smart buildings, with a central BMS that can integrate with the local BMS of multiple buildings within its network. Each local BMS connects to many different subsystems, including HVAC, surveillance, access control, and energy systems.
Evolution of BAS (3/3)
[Diagram: a local BMS connected to lighting, CCTV, HVAC, solar panel, elevator and access control subsystems, and to the surrounding infrastructure]
Tomorrow’s BAS
Smart cities are the inevitable next step in this evolution of BAS. Smart buildings’ local BMS will soon be able to integrate with any other building’s local BMS, as well as the industrial infrastructure around them.
BAS Explosion
The number of identified vulnerabilities in BAS has increased over 500% in the past three years. [2]
By 2026, there will be over 56 million new BAS devices. [1]
[1] ABI Research, 2019, BAS Wireless Field Equipment Shipments
[2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/07/07190426/KL_REPORT_ICS_Statistic_vulnerabilities.pdf
39.3% of publicly reachable BAS devices are vulnerable [1]
Total devices publicly reachable*: 22,902 devices
Devices publicly reachable and vulnerable to the 0-days discovered in our research: 9,103 devices (39.3%*)
* Of the models used in our research
Vulnerable devices include: HVAC PLCs, Access Control PLCs, Protocol Gateways
[1] Forescout, The Current State of Smart Building Cybersecurity, 2019: https://www.forescout.com/securing-building-automation-systems-bas/
Research Overview
Forescout BAS Risk Report
Industry attention has recognized the threat of commonly known Internet of Things (IoT) devices. What may go unnoticed is the potential safety and business risk to building automation systems (BAS).
Research into three key areas of BAS (surveillance, HVAC and access control) revealed that their core technologies, fundamental development methods and legacy implementations make implementing proper security an often overlooked, but critical, task.
Key Findings
• Discovered and responsibly disclosed previously unknown vulnerabilities in building automation devices, ranging from controllers to gateways.
• Debunked the myth that malware for cyber-physical systems must be created by actors that are sponsored by nation-states and have almost unlimited resources.
• Developed a proof-of-concept malware that persists on devices at the automation level, as opposed to persisting at the management level as most OT malware does.
• Concluded that improved device visibility into vulnerable BAS networks is one of the best ways to reduce risk.
Area 1: Surveillance
Total IP cameras publicly reachable*: 11,269 devices
IP cameras publicly reachable and vulnerable to exploits used in our research: 10,312 devices (91.5%)
* Of the models used in our research
Malicious actors can leverage this channel to move laterally and:
• Gain control of other subsystems at the automation level.
• Gain control of the management level to orchestrate a larger, coordinated attack.
[Attack path diagram: Attacker → IP Camera (Initial Access) → Workstation (Lateral Movement 1) → HVAC PLC, Protocol Gateway or Access Control PLC (Lateral Movement 2)]
Area 2: HVAC
Malicious actors can use HVAC systems to bypass “air gaps” via a covert thermal channel [1] and move laterally to:
• Raise the temperature setpoint in a data center to cause business disruption.
• Gain access to the management network to orchestrate a larger, coordinated attack.
[Diagram: the attacker and its command & control server on the Internet (public domain) reach the central A/C management unit; the A/C end unit sits in the air-gapped domain next to the targeted hosts]
[1] Y. Mirsky, M. Guri and Y. Elovici, “HVACKer: Bridging the Air-Gap by Attacking the Air Conditioning System,” 2017. [Online]. Available: https://arxiv.org/abs/1703.10454.
Area 3: Access Control
Malicious actors can use access control systems, comprised of access badges, badge readers, controllers, and databases that store user credentials, to:
• Control the doors and gain access to forbidden areas.
• Lock building occupants in and demand ransom.
• Gain access to the management network to orchestrate a larger, coordinated attack.
[Attack path diagram: Attacker → IP Camera (Initial Access) → Workstation (Lateral Movement 1) → HVAC PLC, Protocol Gateway or Access Control PLC (Lateral Movement 2)]
Methodology
Cyber Attack Lifecycle (Mandiant)
RECON: gather information on the target.
RESEARCH: research networks & technologies; find access means.
WEAPONIZE: procure existing exploits; find 0-days; plan a stealth attack; develop.
COMPROMISE: compromise; move laterally; execute.
PERSISTENCE: persist after reboots; clean traces.
Potential Attack Paths
[Diagram: the attacker on the Internet; inside the physical building, an IoT device, a management-level workstation, and Subsystem 1 through Subsystem n, each with a PLC, sensors and actuators]
1. Publicly reachable PLCs: Using this path, the malware can enter directly from the Internet and exploit the programmable logic controllers (PLCs) controlling the sensors and actuators at the field level, so there is no need to perform any lateral movement from other devices.
2. Publicly reachable workstations: Using this path, the malware can enter a workstation from the Internet at the management level and move laterally to the PLCs.
3. Publicly reachable IoT devices: Using this path, the malware can enter an IoT device, such as an IP camera or a WiFi router, from the Internet and use that entry point to gain access to the internal network, usually moving to the management level first and then to other subsystems.
4. Air gapped network: Using this path, the attacker must have physical access to the building network (which could be accomplished via the HVAC system) and move laterally to reach the PLCs.
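The first three paths above all show up on the wire as a connection initiated across a trust boundary: from the Internet into the building, from an IoT device into the management level, or from a building device out to the Internet. As an added example (not code from the Forescout report), the check below assigns each internal address to a zone and flags every cross-zone connection that is not on an explicit allow list. The zone prefixes, the allow list and the sample connection records are all constructed for the example; the report does not describe its lab network.

```python
import ipaddress
from collections import namedtuple

# One connection record: initiator, responder, responder port, protocol.
Flow = namedtuple("Flow", "src dst dport proto")

# Constructed zone map (assumption: the report gives no addressing for its lab).
ZONES = {
    "iot": ipaddress.ip_network("10.0.10.0/24"),         # IP cameras, WiFi routers
    "management": ipaddress.ip_network("10.0.20.0/24"),  # BMS workstations, NVR
    "automation": ipaddress.ip_network("10.0.30.0/24"),  # PLCs, protocol gateways
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Cross-zone connections that are legitimate in this constructed building:
# (initiator zone, responder zone, responder port).
ALLOWED = {
    ("management", "iot", 554),           # NVR workstation pulls RTSP from cameras
    ("management", "automation", 47808),  # workbench talks BACnet/IP to the PLCs
}


def zone_of(ip):
    """Map an address to a zone name, 'internal-unzoned' for other RFC1918 space,
    or 'internet' for anything else."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in RFC1918):
        return "internal-unzoned"
    return "internet"


def classify(flow):
    """Return a reason string if the flow matches one of the attack paths, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "internet" and dst_zone in ZONES:
        # Paths 1-3: a PLC, workstation or IoT device reachable from the Internet.
        return "inbound from Internet to %s zone (port %d)" % (dst_zone, flow.dport)
    if src_zone in ZONES and dst_zone == "internet":
        # Building devices rarely need to open outbound sessions; treat as possible C2.
        return "%s device initiating to Internet (port %d)" % (src_zone, flow.dport)
    if src_zone == dst_zone or (src_zone, dst_zone, flow.dport) in ALLOWED:
        return None
    # Any other zone crossing is the lateral movement the report describes,
    # e.g. an IP camera opening MS-SQL (1433) to a management workstation.
    return "lateral movement %s -> %s (port %d)" % (src_zone, dst_zone, flow.dport)


def detect(flows):
    """Return [(flow, reason)] for every suspicious flow, in input order."""
    hits = []
    for flow in flows:
        reason = classify(flow)
        if reason:
            hits.append((flow, reason))
    return hits


def sample_flows():
    """Constructed connection records mirroring the report's attack plan."""
    return [
        Flow("203.0.113.9", "10.0.10.5", 80, "tcp"),    # Internet -> camera web UI (path 3)
        Flow("10.0.20.7", "10.0.10.5", 554, "tcp"),     # NVR pulls video: allowed
        Flow("10.0.10.5", "10.0.20.7", 1433, "tcp"),    # camera -> MS-SQL on the workstation
        Flow("10.0.20.7", "10.0.30.3", 47808, "udp"),   # workbench -> PLC: allowed
        Flow("10.0.30.3", "198.51.100.4", 443, "tcp"),  # PLC beacons out
        Flow("10.0.10.5", "10.0.10.6", 80, "tcp"),      # camera to camera: same zone
    ]


if __name__ == "__main__":
    for flow, reason in detect(sample_flows()):
        print("%s -> %s:%d  %s" % (flow.src, flow.dst, flow.dport, reason))
```

The same logic can be expressed as firewall rules between the zones or as notices in a network monitor; the point is that the allowed cross-zone traffic is enumerated, so a camera talking to a database port or a PLC talking to the Internet is an exception rather than noise. Path 4 produces no network flow at all and is not covered by this check.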
Attack Path Goals
Possible steps of an attack on building automation networks:
# | Step | Goal | Possible Target
1 | Initial Access | Establish an initial foothold in the network | PLCs (path 1), Workstations (path 2), IoT devices (path 3)
2 | Lateral Movement 1 | Move to the management level | Workstations or networking equipment
3 | Lateral Movement 2 | Move to another subsystem in the BAS | PLCs or IoT devices
4 | Execution | Disrupt the normal functioning of the PLCs | PLCs
5 | Persistence | Persist in the infected automation level devices | PLCs
The Attack Plan
[Diagram: Attacker → IP Camera (1. Initial Access) → Workstation (2. Lateral Movement 1) → Access Control PLC (3. Lateral Movement 2, 4. Execution, 5. Persistence)]
Step 1 – Initial Access
The IP camera can be exploited using a combination of CVE-2018-10660 [1], CVE-2018-10661 [2], and CVE-2018-10662 [3]. The vulnerabilities and our exploit are based on the work of Or Peles [4] and the available Metasploit module [5].
Step 2 – Lateral Movement 1
Once on the camera, the malware cleans its tracks by editing the files /var/volatile/log/{auth,info}.log, calls netstat to find the workstation connected to it (used for network video recording) and moves from the camera to the workstation by exploiting the misconfigured MS-SQL server.
Step 3 – Lateral Movement 2
While running on the workstation, the malware looks for an instance of the Access Control PLC workbench and reads its configuration files to find the devices connected to and being managed by that workstation.
Step 4 – Execution
After being dropped on the target device, the first goal of the final payload is to disrupt the normal behavior of the PLC by adding a new user and a new badge to the database, giving access to an otherwise unauthorized person.
Step 5 – Persistence
After the final payload has been executed, the malware has to persist on the device after reboots.
[1] “CVE-2018-10660,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10660.
[2] “CVE-2018-10661,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10661.
[3] “CVE-2018-10662,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10662.
[4] O. Peles, “VDOO Discovers Significant Vulnerabilities in Axis Cameras,” 2018. [Online]. Available: https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/.
[5] Rapid7, “Axis Network Camera .srv to parhand RCE,” [Online]. Available: https://www.rapid7.com/db/modules/exploit/linux/http/axis_srv_parhand_rce.
18. 18
Vulnerabilities Discovered (1/2)
# | Product | Vulnerability Type | Notes
1 | Protocol Gateway | XSS | 0-day patched by the vendor and CVE assigned
2 | Protocol Gateway | Path traversal | 0-day patched by the vendor and CVE assigned
3 | Protocol Gateway | Arbitrary file deletion | 0-day patched by the vendor and CVE assigned
4 | HVAC PLC | XSS | 0-day patched by the vendor and CVE assigned
5 | HVAC PLC | Authentication bypass | 0-day patched by the vendor and CVE assigned
6 | Access Control PLC | XSS | 0-day patched by the vendor and CVE assigned
7 | Access Control PLC | Hardcoded secret | Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed.
8 | Access Control PLC | Buffer overflow | Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed.
19. 19
Vulnerabilities Discovered (2/2)
• XSS vulnerabilities allow an attacker to inject malicious scripts into trusted web interfaces running on the vulnerable devices, which may be executed by the browser of an unsuspecting user to access cookies, session tokens, or other sensitive information, as well as to perform malicious actions on behalf of the user.
• Path traversal and file deletion vulnerabilities allow an attacker to manipulate path references and access or delete files and directories (including critical system files) that are stored outside the root folder of the web application running on the device.
• The authentication bypass vulnerability allows an attacker to steal the credential information of application users, including plaintext passwords, by manipulating the session identifier sent in a request.
The most severe vulnerabilities are issues #7 and #8, which allow a remote attacker to execute arbitrary code on the target device and gain complete control of it.
• Hardcoded secret: The Java framework used on the Access Control PLC and on its control software stores system configurations in a file called daemon.properties and application configurations in a file called config.bog, which is a compressed XML file. These files contain usernames and passwords, among other information. The passwords are hashed or encrypted depending on the version of the framework.
• Buffer overflow: There is a binary daemon running on the Access Control PLC that exposes multiple HTTP endpoints that remote users can access to manage the device.
“A myriad of these affected BAS devices are available online and can still be exploited because they are unpatched.”
20. 20
How to Reduce Risk for BAS Networks
Implement security solutions that offer:
Complete Device Visibility
• Passively and automatically establishes asset inventory with full device fingerprinting
• Documents the network baseline of normal communications
• Automatically assesses common vulnerabilities & exposures (CVEs) for BAS devices
Real-Time Threat Detection
• Continuously monitors the network for changes in behavior
• Automatically checks device behavior against threat indicators and protocol compliance standards
• Alerts in real time with interactive visualizations of threats and risks
Converged IT-OT Security
• Monitors both IT and OT networks from a single screen
• Offers extensive, cross-functional automation capabilities
• Is agentless and infrastructure-agnostic
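As an added example (not code from the Forescout deck or its products), the Python below applies the "network baseline" and "changes in behavior" idea from this slide to the attack plan described earlier: it learns the normal flows of a small BAS segment, then reports the outside host reaching the camera (step 1) and the camera-initiated MS-SQL connection to the workstation (step 2). All addresses, ports and asset roles are constructed.

```python
from collections import namedtuple

# Added example, not Forescout code: baseline normal BAS flows, then report
# flows that break the baseline, using the deck's attack path as the scenario.
Flow = namedtuple("Flow", "src dst dport")

# Constructed baseline window: the NVR workstation pulls video from the camera
# and the Access Control workbench on the workstation manages the PLC.
BASELINE_FLOWS = [
    Flow("10.0.1.20", "10.0.1.10", 554),    # workstation -> IP camera (RTSP)
    Flow("10.0.1.20", "10.0.2.5", 80),      # workstation -> Access Control PLC
]

# Constructed observed traffic during the attack described on the slides.
OBSERVED_FLOWS = [
    Flow("10.0.1.20", "10.0.1.10", 554),    # normal video pull
    Flow("203.0.113.7", "10.0.1.10", 80),   # step 1: outside host -> camera web UI
    Flow("10.0.1.10", "10.0.1.20", 1433),   # step 2: camera -> workstation MS-SQL
    Flow("10.0.1.20", "10.0.2.5", 80),      # steps 3-4: legitimate channel reused
]

# Asset roles from the (constructed) inventory, used to rank deviations.
ROLES = {"10.0.1.10": "iot", "10.0.1.20": "workstation", "10.0.2.5": "plc"}


def build_baseline(flows):
    """Set of (src, dst, dport) triples seen during the baseline window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def find_deviations(flows, baseline, roles):
    """Return (flow, reason) for every flow absent from the baseline.

    An IoT device initiating a connection to a workstation or PLC matches the
    camera-to-workstation lateral movement; an unknown source is a host the
    inventory never saw. Flows inside the baseline stay silent, so the final
    workstation -> PLC step is NOT reported: that needs protocol inspection.
    """
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.dport) in baseline:
            continue
        src_role = roles.get(f.src, "unknown")
        dst_role = roles.get(f.dst, "unknown")
        if src_role == "iot" and dst_role in ("workstation", "plc"):
            reason = "iot-initiated flow to %s: lateral movement pattern" % dst_role
        elif src_role == "unknown":
            reason = "unbaselined external source reaching %s" % dst_role
        else:
            reason = "new flow outside baseline"
        alerts.append((f, reason))
    return alerts
```

The last observed flow reuses the workbench's normal channel to the PLC, so flow baselining alone does not see steps 3 and 4; that is where the slide's protocol compliance checks have to take over.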
21. 21
Conclusion
Building automation systems (BAS) may be as critical as industrial control systems (ICS) in terms of safety and security, yet receive much less attention from the security community.
Enhancing BAS cybersecurity programs with device visibility and network monitoring can give organizations a thorough understanding of the environment and its connections, making it easier to design effective security architectures, identify attack vectors, and locate blind spots.
22. 22
About the Researchers
Daniel dos Santos holds a PhD in Computer Science from the University of Trento and has experience in security consulting and research. He is a researcher at Forescout, focusing on vulnerability research and the development of innovative features for Forescout OT products.
Clément Speybrouck holds a post-master degree in Security in Computer Systems and Communication from EURECOM and worked as an intern at Forescout during the development of this research project.
Elisa Costante holds a PhD in Computer Science from the Eindhoven University of Technology. She is an expert in IT and OT security and privacy. As Head of Industrial and OT Research at Forescout, she manages the internal and external research activities. Her responsibilities include the management of national and international projects, the planning of research strategy and the supervision of prototype development activities for innovative features to be added to Forescout OT products.
Acknowledgement: the authors would like to thank Andrés Castellanos-Páez and Jos Wetzels for their help in discovering and exploiting the buffer overflow vulnerability.
23. 23
Download the full research report to learn more about the current state of smart building cybersecurity.
24. 24
About Forescout
Forescout Technologies is the leader in device visibility and control. Our unified security platform enables enterprises and government agencies to gain complete situational awareness of their extended enterprise environments and orchestrate actions to reduce cyber and operational risk. Forescout products deploy quickly with agentless, real-time discovery and classification, as well as continuous posture assessment.