Keeping Infrastructure Strong and Secure

November is Critical Infrastructure Security and Resilience Month, a nationwide effort to raise awareness and reaffirm the commitment to keep our Nation’s critical infrastructure secure and resilient. FoxGuard Solutions has committed to building awareness of the importance of critical infrastructure.

Industrial control systems in critical infrastructure are high-risk targets for attack and exploitation. FoxGuard combines its engineering and software services talent to develop unique cyber security solutions that protect industrial control systems (ICS) in critical infrastructure markets, bridging the gap between information technology (IT) and operational technology (OT) environments. FoxGuard’s Patch & Update Management Services include asset analysis and monthly patch reporting. Consistently monitored patches and updates help resolve security vulnerabilities and functional issues and meet regulatory compliance requirements (NERC CIP).

During November, we focus on engaging and educating public and private sector partners to raise awareness about the systems and resources that support our daily lives, underpin our society, and sustain our way of life. Safeguarding both the physical and cyber aspects of critical infrastructure is a national priority that requires public-private partnerships at all levels of government and industry.

We know critical infrastructure as the power we use in our homes and businesses, the water we drink, the transportation systems that get us from place to place, the first responders and hospitals in our communities, the farms that grow and raise our food, the stores we shop in, and the Internet and communication systems we rely on to stay in touch with friends and family. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being.

Managing risks to critical infrastructure involves preparing for all hazards, reinforcing the resilience of our assets and networks, and staying ever-vigilant and informed.

This November, help promote Critical Infrastructure Security and Resilience Month by training your employees on cyber awareness, taking part in the Hometown Security effort, engaging with your community partners or supporting long-term investments in critical infrastructure. We all need to play a role in keeping infrastructure strong, secure, and resilient. We can do our part at home, at work, and in our community by being vigilant, incorporating basic safety practices and cybersecurity behaviors into our daily routines, and making sure that if we see something, we say something by reporting suspicious activities to local law enforcement.

For more information, visit www.dhs.gov/cisr-month

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

FoxGuard partners with BISim in new simulation facility

FoxGuard Solutions is proud to be a part of Bohemia Interactive Simulations’ (BISim) opening of a new, state-of-the-art simulation technology demonstration facility for its customers and partners. The facility will bring together the latest technology in the simulation industry from a group of leading simulation software and hardware providers. Take the opportunity to preview innovative simulation technologies that will be unveiled at I/ITSEC 2017.

The BISim Tech Dev and Demo facility, located at BISim’s Orlando headquarters, includes the following technologies:

  • High-end and high-performance computer hardware supplied by FoxGuard Solutions.
  • VBS Blue IG, BISim’s new 3D whole-earth rendering technology for Image Generation applications, and VBS3, BISim’s virtual learning environment and flagship of the U.S. Army’s Games for Training program.
  • Emerging Virtual and Augmented Reality solutions created using the VBS platform including an F-18 Trainer developed for the US Navy and an AC-130 check-list trainer developed in partnership with Vertex Solutions Group and SA Simulations for Air Force Special Operations Command.
  • A 4-meter dome from QuantaDyn Corp. The system incorporates powerful high-fidelity 4K projectors and an AudioCue directional sound system from Barco and uses VBS Blue IG for visuals, Battlespace Simulation’s MACE software as the simulation host, and QuantaDyn’s DIScover software for interoperability.
  • A D-BOX Motion Cueing System and an Ausimtech Motion Platform combined for flight simulation applications including an F/A-18 Hornet and attack helicopter simulation.
  • Demonstrations of TerraSim database creation technology for BISim’s whole-earth technology, VBS Blue.

Demonstrations will be offered hourly and attendees will have time to test out the technologies themselves or ask questions.

Event Information:

The event will be held at BISim’s Orlando Headquarters Nov. 1st through Nov. 3rd from 9 a.m. to 5 p.m. with demonstrations on the hour and opportunities to experience the latest in cutting-edge VBS technology for yourself.

If you are interested in attending please email Lucas Sumners, lsumners@foxguardsolutions.com or call him at 540-382-4234 Ext. 184.

WANT TO LEARN MORE ABOUT FOXGUARD’S SIMULATION CAPABILITIES?

FoxGuard has 35+ years’ experience configuring computer solutions, integrating racks, developing images, securing licenses, and ensuring hardware, software and OS compatibility, freeing up your resources to pursue growth. We can configure and ship a turnkey solution to your designated location.


Has your WI-FI been KRACKed?

WHAT IS KRACK
Key Reinstallation Attack (KRACK) is the newest attack on Wi-Fi, and one of the most serious to date. This attack allows malicious actors to infiltrate a wireless network and decrypt packets sent across that network. These vulnerabilities exist in the Wi-Fi Protected Access II (WPA2) security protocol itself, not in any individual implementation of it; therefore, any WPA2 implementation is likely affected. This hits hard because WPA2 is one of the most commonly used wireless security protocols, and the most secure of them.

Similar to previous WPA2 attacks, KRACK’s primary target is the WPA2 four-way handshake, which the protocol uses to authenticate the client with the wireless access point without actually disclosing the key. During the packet exchange of the four-way handshake, an attacker can use KRACK to trick a victim machine into re-installing a key that is already in use by replaying the handshake packets. These keys should only be used once, which promotes security, but this exploit has shown that the WPA2 protocol is not immune to forced key reuse. Once key reuse has been forced, an attacker can decrypt any network traffic encrypted by WPA2, which, in combination with other tools such as sslstrip, allows attackers to steal sensitive information such as usernames and passwords by performing a man-in-the-middle attack. The attack also allows them not only to view, but even to inject malicious code into unencrypted HTTP sites, opening the victim up to another range of attacks.

Android and Linux devices are especially vulnerable due to their implementation of the Wi-Fi standard, which suggests that the encryption key should be cleared from memory after it has been installed for the first time. This essentially forces these devices to install an all-zero encryption key, rather than reusing the previous key, making it even easier for an attacker to decrypt and inject malicious data. This extra vulnerability affects roughly half of the 2 billion Android devices currently in use, which shows the enormous scale this exploit could have. Additionally, when updates do start rolling out for this vulnerability, both the wireless access point and the wireless client need to be patched to protect against the exploit. One patched without the other still leaves equipment open to the KRACK exploit.
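A simplified model of the client-side behaviour described above, added here as an illustration (it is not code from the page, from the Wi-Fi standard, or from any real supplicant): a replayed handshake message 3 makes an unpatched client reinstall its key and reset its packet number, a key-clearing client ends up with the all-zero key, and a patched client ignores the retransmission. The key bytes are constructed and the state machine keeps only what matters for key reinstallation.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ZERO_KEY = bytes(16)  # what a key-clearing client ends up installing on a replay


@dataclass
class WpaClient:
    """Toy WPA2 supplicant: only message 3 of the 4-way handshake is modelled."""
    patched: bool               # True: never reinstall an already-installed PTK
    clears_key: bool = False    # True: wipe the negotiated PTK from memory once installed
    negotiated: Optional[bytes] = None  # PTK derived from the handshake, awaiting install
    installed: Optional[bytes] = None   # PTK currently in the driver
    packet_number: int = 0              # CCMP packet number (nonce), reset on key install
    log: List[Tuple[bytes, int]] = field(default_factory=list)  # (key, nonce) per frame

    def receive_msg3(self, ptk: bytes) -> str:
        """Handle message 3; the AP retransmits it when message 4 goes missing,
        and a key reinstallation attack replays exactly that retransmission."""
        if self.negotiated is None:
            self.negotiated = ptk           # first copy: remember the derived key
        if self.patched and self.installed is not None:
            return "ignored: key already installed"   # the fix
        self.installed = self.negotiated    # (re)install the key...
        self.packet_number = 0              # ...which resets the nonce counter
        if self.clears_key:
            self.negotiated = ZERO_KEY      # key wiped from memory after install
        return "installed"

    def send(self, payload: bytes) -> Tuple[bytes, int]:
        """Return the (key, nonce) pair that protects one data frame."""
        assert self.installed is not None, "no key installed yet"
        self.packet_number += 1
        pair = (self.installed, self.packet_number)
        self.log.append(pair)
        return pair


def simulate(patched: bool, clears_key: bool = False) -> WpaClient:
    """Client completes the handshake, sends two frames, then sees message 3
    replayed (the KRACK step) and sends two more frames."""
    client = WpaClient(patched=patched, clears_key=clears_key)
    ptk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    client.receive_msg3(ptk)
    client.send(b"frame 1")
    client.send(b"frame 2")
    client.receive_msg3(ptk)  # replayed message 3
    client.send(b"frame 3")
    client.send(b"frame 4")
    return client


def reused_pairs(client: WpaClient) -> List[Tuple[bytes, int]]:
    """(key, nonce) pairs that protected more than one frame; must be empty."""
    seen, reused = set(), []
    for pair in client.log:
        if pair in seen and pair not in reused:
            reused.append(pair)
        seen.add(pair)
    return reused


if __name__ == "__main__":
    for patched, clears in ((False, False), (False, True), (True, True)):
        c = simulate(patched, clears)
        print(f"patched={patched} clears_key={clears}: "
              f"reused pairs={len(reused_pairs(c))}, final key={c.installed.hex()}")
```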

WHAT YOU CAN DO
There are several steps FoxGuard recommends users and IT professionals take to help mitigate the vulnerability. First, a Virtual Private Network (VPN) should be used whenever possible. This encrypts all traffic from the wireless client, including the leg between it and the access point, out to a VPN server either at work or a public one, and provides a reasonable layer of security. Because this exploit does not actually give the attacker network access, but rather decrypts the wireless traffic, traffic sent over a hardwired Ethernet cable is not affected; therefore, wired connections should be used where feasible. Users should also make sure their login sites are using HTTPS. This exploit coupled with a tool such as sslstrip could allow an attacker to force the use of non-secure websites, which allows them to easily capture passwords and other sensitive data. A properly configured web server should prevent this from happening, but users should always check that they are on a secure HTTPS site before logging in. Lastly, as with any vulnerability, FoxGuard recommends remaining vigilant about released patches and updates that address the issue.

AVAILABLE PATCHES
Some vendors, such as Microsoft, have already released patches for the exploit. A list of vendors and their known responses to the exploit can be found here:
https://github.com/kristate/krackinfo#vendor-response-complete

MORE INFORMATION
Additional information on the attack can be found using the links below:
https://www.krackattacks.com/
https://www.wired.com/story/krack-wi-fi-wpa2-vulnerability/
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
https://www.us-cert.gov/ncas/current-activity/2017/10/16/CERTCC-Reports-WPA2-Vulnerabilities

 


Patching Lessons Learned – Part 4

“Private” Patches 

So far, we’ve learned that there is a difference in patching IT vs. OT equipment and that all patches are not created equal. Our next lesson learned is that not all patches are readily available on the Internet. In many cases, product vendors require a support contract in order to receive ongoing support and access to patches. As such, utilities need to know which vendors require this level of support in order to track and retrieve patches on an ongoing basis. For some vendors, this information may be provided on a customer-specific portal, through a newsletter or email, or perhaps even by a direct phone call. A variety of contact methods may be required for ongoing patch due diligence to confirm whether or not a patch was released during a designated time period.

 

Check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 


Patching Lessons Learned – Part 3

All Patches are not Created Equal 

In our last post we learned that there is a difference between IT and OT environments. Now it is important to know that, to ensure you are installing the proper patches in the proper fashion, you must understand that all patches are not created equal. It is critical to know the four different types of patches and to track which of the four types apply to each of your devices:

a. Primary – This is a patch that has dependent patches.
b. Dependent – A primary patch exists that must be installed prior to installing the subsequent dependent patch.
c. Standalone – These patches can be installed independently and have no other stipulations.
d. Cumulative – These patches are also sometimes referred to as “roll-up” patches. This means that the latest release of a patch includes the features and bug fixes from all previous releases.
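A worked example of tracking these four patch types, together with the “private” patches from Part 4 that can only be retrieved under a vendor support contract, added here as an illustration (it is not FoxGuard’s tooling): it drops superseded cumulative releases, flags patches that cannot be retrieved without a contract (and the dependent patches they block), and orders primaries before their dependents. The vendor and patch names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

KINDS = {"primary", "dependent", "standalone", "cumulative"}


@dataclass
class Patch:
    id: str
    vendor: str
    product: str
    kind: str                 # one of KINDS (the four types from Part 3)
    release: int = 1          # cumulative patches: the highest release supersedes the rest
    requires: List[str] = field(default_factory=list)  # primary patch ids needed first
    needs_contract: bool = False  # "private" patch: only downloadable under a support contract


def plan(patches: List[Patch], contracts: Set[str]) -> Dict[str, List[str]]:
    """Return {"install": ordered ids, "superseded": ids, "unavailable": ids}.

    `contracts` is the set of vendors with which a support contract is in place."""
    by_id = {p.id: p for p in patches}
    for p in patches:
        if p.kind not in KINDS:
            raise ValueError(f"{p.id}: unknown patch type {p.kind!r}")
        if p.kind == "dependent" and not p.requires:
            raise ValueError(f"{p.id}: dependent patch names no primary patch")
        if p.kind != "dependent" and p.requires:
            raise ValueError(f"{p.id}: only dependent patches may declare prerequisites")
        for r in p.requires:
            if r not in by_id or by_id[r].kind != "primary":
                raise ValueError(f"{p.id}: prerequisite {r} is not a known primary patch")

    # Cumulative ("roll-up") patches: only the latest release per product is needed.
    superseded: List[str] = []
    latest: Dict[str, Patch] = {}
    for p in patches:
        if p.kind != "cumulative":
            continue
        current = latest.get(p.product)
        if current is None or p.release > current.release:
            if current is not None:
                superseded.append(current.id)
            latest[p.product] = p
        else:
            superseded.append(p.id)

    # "Private" patches: without a contract the patch cannot be retrieved, and a
    # dependent patch whose primary cannot be retrieved is blocked as well.
    unavailable = [p.id for p in patches if p.needs_contract and p.vendor not in contracts]
    for p in patches:
        if p.id not in unavailable and any(r in unavailable for r in p.requires):
            unavailable.append(p.id)

    excluded = set(superseded) | set(unavailable)
    active = [p for p in patches if p.id not in excluded]
    # Primaries, standalones and the surviving cumulative patches carry no
    # prerequisites, so they go first; every dependent then follows its primary.
    order = sorted(p.id for p in active if p.kind != "dependent")
    order += sorted(p.id for p in active if p.kind == "dependent")
    return {"install": order, "superseded": superseded, "unavailable": unavailable}


def sample_patches() -> List[Patch]:
    """Constructed inventory for one HMI workstation and its RTU (not real vendor data)."""
    return [
        Patch("HMI-2017-01", "VendorA", "HMI Runtime", "primary"),
        Patch("HMI-2017-02", "VendorA", "HMI Runtime", "dependent", requires=["HMI-2017-01"]),
        Patch("OS-CU-08", "VendorB", "Embedded OS", "cumulative", release=8),
        Patch("OS-CU-10", "VendorB", "Embedded OS", "cumulative", release=10),
        Patch("AV-DEF-331", "VendorC", "Antivirus", "standalone"),
        Patch("RTU-FW-4.2", "VendorD", "RTU Firmware", "primary", needs_contract=True),
        Patch("RTU-FW-4.2a", "VendorD", "RTU Firmware", "dependent", requires=["RTU-FW-4.2"]),
    ]


if __name__ == "__main__":
    for vendors in ({"VendorA", "VendorB", "VendorC"},
                    {"VendorA", "VendorB", "VendorC", "VendorD"}):
        result = plan(sample_patches(), vendors)
        print(f"contracts={sorted(vendors)}")
        for key, ids in result.items():
            print(f"  {key}: {ids}")
```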

 

 

Check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 


Patching Lessons Learned – Part 2

Information Technology (IT) vs. Operational Technology (OT)

Our last post focused on the definition of a “patch” and why “patching” is important. Today, we are sharing some of our lessons learned with regard to building a healthy patch management program. For starters, all systems are not the same and should not be treated as such.

There IS a difference when it comes to patching in the Information Technology (IT) vs. Operational Technology (OT) environments.  With a common office desktop, if you have an issue with your computer, it may simply be rebooted after patch installation and, in many cases that will resolve the issue. However, with OT equipment, timing and validation are critical to patch installation on a critical asset. Additionally, many of these devices cannot be rebooted or turned off at will, as there could be grave consequences to doing so cavalierly. 

 

 

Check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 


What’s a “Patch” and Why is It Important?

This is the first post in a series that we’ll be sharing with regard to Patch Management “lessons learned”.

FoxGuard Solutions has been in business since 1981 and has been serving the energy industry for over 25 years. We have also been providing patch management solutions for industrial control systems, via original equipment manufacturers (OEMs) as well as directly to energy utilities, for many years. This long history gives us a unique perspective and extensive knowledge of the patching burden. As such, we want to share our insight and some “lessons learned” along the way.

It is important to level set on what a “patch” really is. According to Wikipedia (https://en.wikipedia.org/wiki/Patch_(computing)), a patch can be defined as follows:

A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes.

In the instance of industrial control systems, patches are applied to firmware, operating systems and software applications installed as part of the control system suite. It is important to understand the scope and depth of equipment which is susceptible to needing a software patch applied.

Scope is defined in NERC CIP based on the User’s ability to apply an update and may include: 

    –    Devices (network, field, and other single-purpose devices that run firmware)
    –    Appliances (usually an embedded or full OS with a controlled set of installed applications and services)
    –    Workstations
    –    Servers

Each of these items may have its own unique way of managing, validating, installing and monitoring for patches, making it difficult to run a healthy and comprehensive patch management program. When patching is so involved and difficult, it is worthwhile to talk through WHY it is so important. It may be obvious, but energy utilities are high-risk targets. Attacks such as Stuxnet and the one in Ukraine show that the “bad guys” (funded nation states, not just casual hackers) have their eyes on this industry. In addition, patches are crucial to protect against vulnerabilities.

According to Kaspersky Lab’s Industrial Control Systems Vulnerabilities Statistics, there were:

    –    4,189 known vulnerabilities in ICS in 2015
    –    426 had exploits available
    –    4,170 had patches available

If protecting critical assets from vulnerabilities is not motivation enough, regulatory standards such as NERC CIP-007-6, R2.1, 2.2, 2.3 and 2.4 have clear requirements surrounding patch management, with large fines threatened as a consequence for failure to comply. Now that we understand what needs to be patched and why, check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 


CUSTOM INDUSTRIAL COMPUTING LEADER ANNOUNCES OEM RESELLER AGREEMENT WITH LENOVO

FoxGuard Solutions provides OEM customers one-stop shop for custom configured computers.

CHRISTIANSBURG, Va. (September 20, 2017) – FoxGuard Solutions, Inc. and Lenovo today announced approval of FoxGuard Solutions, Inc. as a North American OEM reseller, further strengthening Lenovo’s support to OEM customers. “We are extremely pleased to include Lenovo products in our custom configured OEM solutions as part of Lenovo’s one-stop-shop approach to serving businesses,” said Patrick Patterson, V.P. of Industrial Computing at FoxGuard. “FoxGuard shares Lenovo’s customer-first approach, and this partnership enhances our ability to design and integrate custom computer solutions that meet our clients’ application, budget and preferences.”

Utilizing more than 35 years’ experience configuring computer solutions, integrating racks, developing images, securing licenses and ensuring hardware, software and OS compatibility, FoxGuard’s turnkey solutions enable customers to free up internal resources and focus on growth.

“OEM customers rely on Lenovo OEM partners to help manage their product from concept to launch to life cycle. We are pleased to add FoxGuard Solutions to the OEM reseller team,” said Nathan Blom, Director, North American OEM at Lenovo.

About FoxGuard Solutions:
FoxGuard Solutions, Inc. has been bridging the gap between IT and OT technology environments for over 35 years via integrated hardware, software and security solutions. Based in Southwest Virginia, FoxGuard serves customers in more than 60 countries from their secure, ISO-certified, ITAR-registered facility. Providing configuration, testing, certification, integration, kitting, regulatory/export compliance and life cycle management programs, FoxGuard’s solutions are “Built for Security.”

###

National Newswire Release: 
http://www.prnewswire.com/news-releases/custom-industrial-computing-leader-announces-oem-reseller-agreement-with-lenovo-300523361.html?tc=eml_cleartime

Media Contact: 
Patrick Patterson
p. 887.446.4732
e. ppatterson@foxguardsolutions.com

Security patch could have prevented breach

The Equifax security breach, exposing sensitive information of approximately 143 million consumers, is one that we now know could have been prevented with the installation of a security patch that was made available two months before the breach occurred.

Equifax has indicated, “We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Apache Struts is a framework for developing Java-based applications that run on both front-end and back-end web servers. Many industries, including internet companies, banks, government agencies, and many large Fortune 500 companies, rely on Apache Struts.

It has been reported that Equifax failed to update its web applications, despite proof that the bug gave cyber-thieves an easy way to take control of sensitive sites and consumer information. Patching the security hole would have been labor intensive and difficult because it involved downloading an updated version of Struts and rebuilding all associated applications. Some websites depended on dozens or even hundreds of such applications, which were likely stored on many servers scattered across multiple continents. Plus, you don’t just release rebuilt applications into production without extensive testing to ensure that the updates don’t break key functions of the unit itself.

The bottom line is that cybersecurity, and more specifically patch management, isn’t always easy or convenient, but it is worth it. And we feel that our Patch Management program sets up companies like Equifax for success in preventing these and other types of attacks.

For more information related to Apache Struts CVE-2017-5638:
https://nvd.nist.gov/vuln/detail/CVE-2017-5638

 


Dragonfly 2.0 targets Critical Infrastructure

FoxGuard continues to monitor Dragonfly and its effects on critical infrastructure. Dragonfly is a campaign by (possibly Russian) actors targeting US and European critical infrastructure. Dragonfly has been active since as early as 2010, but according to Symantec, it has seen a resurgence in activity within the last year. This new campaign has been dubbed “Dragonfly 2.0” by security researchers at Symantec.

Several different attack vectors are used in the Dragonfly campaign, including spear phishing emails, watering-hole attacks, and Trojanized software. Phishing emails are emails sent out masquerading as someone else to try to get you to divulge sensitive information or click a link that downloads a malicious file. Spear phishing targets those emails at specific people to increase the likelihood of success. In the case of Dragonfly, emails including a New Year’s Eve party invitation were sent out. A watering hole is a website that the target visits frequently and that the attacker compromises; once compromised, the attacker can load malicious code into the site, possibly without the user ever knowing anything has changed. Using these attacks, the actors were able to steal credentials from employees, which they used to gain remote access to machines.

Though no interruptions in service have been attributed to this campaign, the attackers appear to have had the ability to cause harm if they wanted. Screenshots of the user interface for industrial control systems, such as circuit breakers, have been found. Access to these types of controls would allow attackers to open circuit breakers, cutting the flow of electricity to potentially millions of U.S. citizens. So, why haven’t they used these capabilities to wreak havoc? Security researcher Eric Chien of Symantec believes that the attackers are waiting for the most strategic time to use the access, such as to deter a threatened attack from the US.

Isn’t there a way to prevent this? Well, security is not an absolute, and while there are mitigation techniques, nothing is certain. An important concept in the security industry is “defense in depth”, which means that layers of security should be implemented and no single measure should be relied on. A hardware firewall is extremely important to have on a network, but assuming no one will get through that firewall, and therefore that you need no additional protection, is a huge mistake. Instead, measures such as antivirus, least privilege, encryption, firewalls, intrusion detection, honeypots, etc., should all be used together for cyber defense. These measures should be thought of as a fire door. They may not hold off the problem indefinitely, but they can delay it, giving you time to react. The more of these you can practically use in your system, the harder it will be for an attacker to get through, leaving more time for security experts to mitigate the attack. If your intrusion detection system picks someone up at the firewall, they may still have several more layers to get through, which means security professionals have time to rewrite rules or shut down access to machines to stop the attack.

Another concept commonly applied in industrial control systems is “air gapping”. Air gapping is the idea that a control network should be completely separate from a business or corporate network. The business network has no control over the functions of the equipment, and the control network has no remote or internet access. In theory, this would protect against a virus reaching a machine on the control network, if those machines never talk to anything but themselves. The problem is that operational demands mean a system is never completely isolated, so the idea that the air gap alone will keep you safe is a myth. Even if your systems are not networked together, you may need to pull configuration files down from your corporate network. Even if that network is not reachable from the control network, a flash drive may be used to carry the configuration file between a machine connected to the corporate network and one connected to the control network. This gives malicious code the opportunity to jump from the machine connected to the corporate network, to the flash drive, and ultimately to the machine connected to the control network, thus “jumping” the air gap. If a 16 GB flash drive is carried just once per day from an infected machine to a machine on the control network, that is roughly the same data bandwidth as a 24/7 1.5 Mbps network connection. The latency may be high in this case, but the throughput is there. This particular jump can be prevented by locking down which USB devices are allowed to connect to a machine, or even by physically disabling USB ports on a machine if they are not needed. This is just one of many ways an air gap can be jumped.

One famous example of jumping an air gap is the Stuxnet virus. Stuxnet was an infection that targeted Iran’s nuclear program by infecting centrifuges and changing their operating frequencies. This stressed the machines, causing aluminum tubes to expand and forcing contact with other parts, which destroyed as many as 1,000 centrifuges. Natanz, the Iranian research site being used to enrich the uranium, had its control systems air gapped, with no network connection to the outside world. So, how did the virus make its way into the research center? A flash drive, possibly from an Iranian double agent, or possibly through the mistake of one of the researchers in the facility, was plugged into the internal systems, and the virus made the jump onto the control network.

At this point, it would appear that no nuclear sites have been affected by Dragonfly, which is possibly due to the stricter requirements nuclear sites have for the separation of their internet-connected networks and operational controls. Dragonfly has not been seen to jump total air gaps at this point, but as you can see, air gapping alone should not be relied upon to prevent any attack. FoxGuard recommends a “Defense in Depth” strategy to help protect against infection. Making sure only designated flash drives can connect to a machine is an important security step to take, or, if operationally feasible, allowing no USB access at all. Control networks should ideally not be connected to any other network, nor should any client on the control network also be connected to an external network. Patch management is also of great importance: even an offline machine can be infected, and having the most recent patches installed to close vulnerabilities can mitigate many potential attacks.

To find virus signatures, more examples and more details, take a look at the links below:
https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
http://thehackernews.com/2017/09/dragonfly-energy-hacking.html
https://www.cnet.com/news/stuxnet-delivered-to-iranian-nuclear-plant-on-thumb-drive/
https://hacked.press/2017/06/23/wikileaks-cias-malware-brutal-kangaroo-jumping-air-gap/