Jumping the Air Gap in Industrial Control Systems

FoxGuard Solutions’ very own Hacker in Chief, Monta Elkins, was one of the presenters at the ICS SANS Security Summit in January, where he shared cyber security concepts needed to defend industrial control systems in critical infrastructure. Specifically, he shared his air gap presentation. According to Monta, “Want a real cyber security challenge? In Industrial Control System security you’ll face the newest, incredibly sophisticated, most well financed and executed nation state sponsored attacks on the planet.”

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions worldwide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online (https://www.sans.org/press/announcement/2018/01/24/1#addsearch=monta).

Monta shows how an air gap does not prevent communication out of and into an industrial control system.
He explored various ways to send data across an air gap in Industrial Control Systems and other environments, including a live demo which you can watch here.

Description:
SANS Summit & Training Event

Speaker:
Monta Elkins, CISSP, GICSP, Hacker-in-Chief, FoxGuard Solutions

Presentation Score:
Attendees at the show rated Monta based on two areas:
1) value of the content presented 
2) presentation skill.

Scores are on a scale of 1-5 where
1 = poor     2 = fair     3 = good      4 = very good     5 = excellent.

FoxGuard Solutions’ Monta Elkins scored:
Overall: 4.513     Content: 4.377     Skill: 4.649

Read more about the event here.

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

The solution often turns out more beautiful than the puzzle

Completing a jigsaw puzzle is certainly a satisfying feat. From thousands of individual pieces to a completed masterpiece, there is something so rewarding and gratifying in finishing a puzzle. So much so that oftentimes completed jigsaw puzzles get framed and hung on the wall to enjoy as a work of art. We liken a completed jigsaw puzzle to a FoxGuard Patch Management program: taking thousands of individual pieces and fitting them together into what can ultimately be looked at as a work of art. A FoxGuard patch management program offers our customers assurance in all of the following areas: knowing what needs to be patched (Asset ID), which patches are available for said assets (Patch Availability), which patches apply (Patch Applicability), and most importantly that when said patch is installed it has been thoroughly tested to work in their specific environment (Patch Validation). What’s most substantial in knowing that a FoxGuard Patching program has been implemented is the peace of mind it affords the utility in knowing that the patches and updates are validated before installation – avoiding catastrophic effects.

The box of a jigsaw puzzle gives us an idea of how the pieces are supposed to fit together, but we know in reality that there is certainly a great deal of trial and error as pieces are joined together to form a work of art. Seemingly indistinguishable pieces are one by one evaluated for where they fit in the overall picture. Not a single piece of the puzzle goes untouched. Hours are spent evaluating, testing and verifying that the puzzle pieces placed together on the table mirror what the box indicates our completed puzzle will ultimately look like. Piece by piece the puzzle takes shape until in the end it is a masterful work of art. Really, there isn’t a better way to describe patch validation to you. FoxGuard Patch Validation includes validating many aspects of a patch, including:

  • A file is, indeed, from the identified patch source
  • The applicability of a patch within the scope of our patch management program
  • The patch may be installed without error and we can discern that installation
  • And, above all else, the file does not adversely impact operations.

Validation is the quality assurance that the puzzle pieces have fit the way they were intended and we’re well on our way to a complete masterpiece.


NIST SP 800-171A and Supplements

Source: Barb Wert, Regulatory Compliance Specialist

Recently, NIST CSRC published an update to NIST SP 800-171 Rev. 1. On June 13, NIST CSRC also published the final version of NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information (CUI) – along with two very helpful supplements:

  • CUI System Security Plan (SSP) Template
  • CUI Plan of Action (PoAM) Template

The System Security Plan (SSP) is required under NIST SP 800-171 Rev. 1, to outline the applicable security requirements already implemented into the system, and/or describe how the organization plans to meet the requirements not yet implemented.  The template includes fields for system identification, system environment, an assessment of each requirement (whether it has been implemented, or is planned to be implemented, or is not applicable), and a Record of Changes.

The Plan of Action (also known as Plan of Action and Milestones, or PoAM) is also required, to describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented.

Organizations can provide the SSP and PoAM in any format; however, the templates provided by NIST provide an easy way to meet the requirements and document the system information.

More information about NIST SP 800-171A can be found at https://csrc.nist.gov/news/2018/nist-publishes-sp-800-171a

FoxGuard provides solutions that are “Built for Security” and built in a secure environment.  FoxGuard’s Information Security Management System (ISMS) includes ISO 27001:2013 certification and compliance with all applicable controls of NIST SP 800-171 Rev. 1.

 

FoxGuard Solutions Receives ISO 27001 Certification

CHRISTIANSBURG, Va., June 6, 2018 /PRNewswire/ — FoxGuard Solutions, Inc., a leading technology company developing customized cyber security, compliance and industrial computing solutions, has received the ISO Certification for Information Security Management Systems, ISO 27001:2013, a globally recognized risk-based standard that defines requirements for information security management systems (ISMS). An effective ISMS enables an organization to identify, prevent and defend against potential security vulnerabilities. Certification to this standard validates that FoxGuard has implemented comprehensive and effective information security practices that protect its products, customers and their information.

“We’re proud to be a recognized leader in information security practices. Security has always been a critical component of our operations,” said FoxGuard Solutions’ Director of IT and Security Operations, Korey Mercier. “Our journey toward ISO 27001 certification has merely provided us with the means to prove to our customers, many of whom are charged with the ongoing maintenance of critical infrastructure, that FoxGuard takes security as seriously as they do.”

FoxGuard’s ISMS was audited by an accredited registrar and certified to this standard.  Maintenance of the certification requires annual surveillance audits and a three-year re-certification, giving FoxGuard’s customers confidence that their information is continuously protected.  To continue their excellence in security and compliance, FoxGuard employs a security management team dedicated to the prevention and monitoring of security threats as well as managing strict policies around escalation and rapid response. Since its founding, security has been top priority and this ISO 27001 certification validates FoxGuard’s commitment to information security.  Other aspects of FoxGuard’s ISMS include compliance to applicable NIST SP 800-171 controls.

FoxGuard Solutions: ISO 9001:2015, ISO 27001:2013

About FoxGuard Solutions

Founded in 1981, FoxGuard Solutions’ team of engineers and developers design, manufacture and integrate innovative cyber security, computing, simulation, and regulatory compliance solutions used in critical infrastructure markets. FoxGuard offers a complete Patch and Update management system – keeping customers secure and compliant.

Media Contact:
Marcie Killen
Marketing Manager
p: 540.382.4234 x152

SOURCE FoxGuard Solutions


NIST CSRC Publishes SP 800-171 Rev. 1 with updated Errata

Source: Barb Wert, Regulatory Compliance Specialist

On June 7, 2018, NIST CSRC published an update to NIST SP 800-171 Rev. 1.  The update is to the Errata, and includes “minor editorial changes to selected CUI security requirements, some additional references and definitions, and a new appendix that contains an expanded discussion about each CUI requirement”, according to the CSRC’s release notice.

NIST SP 800-171 Rev. 1 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – is a requirement of DFARS 252.204.7012 for Federal contractors and subcontractors.  The publication sets out confidentiality-oriented controls required for all components of nonfederal information systems that process, store, or transmit CUI (Controlled Unclassified Information).

More information about NIST SP 800-171 Rev. 1, including the newly published version, can be found at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.

FoxGuard provides solutions that are “Built for Security” and built in a secure environment. FoxGuard’s Information Security Management System (ISMS) includes ISO 27001:2013 certification and compliance with all applicable controls of NIST SP 800-171 Rev. 1.

Vulnerability 101

Source: Trace Bellassai, Client Operations Engineer

As more and more devices are connected to the internet, the number of potential targets rises. With this increase, the number of vulnerabilities that can be exploited also grows. Vulnerability, Exploit and Payload are some of the most used words in the cyber security industry. We wanted to give a quick explanation on how these words are intended to be used. Welcome to our Vulnerability 101 Lesson.


VULNERABILITY – What isn’t working
A vulnerability is a weakness or flaw in a computer system that could allow an unauthorized person to gain access to a system. Common flaws that could be used include race conditions, buffer overflows, input validation errors, and user interface failures. Vulnerabilities come in many forms, including hardware, software, configuration, and even social engineering. This may best be illustrated with an analogy using your home. You have your home locked tight and dead bolted, but unknown to you, your lock can easily be picked. The fact that the lock can easily be picked is a vulnerability in your home security.

Example: In the case of WannaCrypt and ExPetr, which we saw emerge in mid-2017, both used a vulnerability in Microsoft’s SMB protocol to spread to more systems.

There can be more than one way to “get in” and do bad things!

EXPLOIT – How a vulnerability is used
An exploit takes place after a vulnerability is discovered. It utilizes the vulnerability to gain unauthorized access to a system. This generally comes in the form of a piece of software that has been developed to perform the exploit. The kind of control gained depends on the system as well as the seriousness of the vulnerability. For example, a database exploit would allow an attacker to gain access to the information in the database, change information, or delete information. In the example of your home, this would be someone crafting a tool to use against your lock’s vulnerability, such as a bump key or lock picks.

Example: WannaCrypt and ExPetr both used the EternalBlue exploit to take advantage of the Microsoft SMB vulnerability. This exploit allowed the attacker to execute remote code on the systems and spread the payloads. Though the two attacks used additional exploits to assist in spreading their infections, they have the EternalBlue exploit in common, so patching against one would have largely prevented the other from spreading.

PAYLOAD – What is done or taken as a result of an exploit
So now that we have recognized a vulnerability, and created an exploit to take advantage of that vulnerability, the next stage is to create a payload to perform some malicious act. The vulnerability and exploit allow an attacker to gain unauthorized access to a system, but the payload is what is done or taken once the attacker has access. Modern day attacks are very sophisticated and generally utilize any number of exploits and payloads to complete their task. This is where risk assessment comes into play. Total security is impossible; anyone who says that something is totally secure is naive to believe so, as security is a scale and is never absolute. Risk assessment allows you to determine how likely an attack is to occur on your system based on the vulnerabilities in the system, as well as how valuable a system is. Prioritizing these risks is paramount to security management. In the example of your home, the payload could be related to what someone might do once in your home, such as steal your jewelry and TV.

Example: In the case of WannaCrypt and other ransomware, the payload encrypts people’s data and demands payment for them to get their data back. While this is certainly a terrible thing to do, some attacks have even more malicious intent, such as ExPetr. ExPetr masqueraded as ransomware, but the payload’s intent was really just to cause destruction. The attackers in this case simply wanted to make sure the data on the drives was not recoverable. Going even one step further would be an attack like Stuxnet, which specifically targeted ICS equipment and caused centrifuges to literally spin out of control and tear themselves apart, which only goes to demonstrate the real-world effects these attacks can have.



Colors must fit together as pieces in a puzzle

Artists are meticulous in the level of attention and intentionality used when it comes to color(s) for their masterpiece. One does not haphazardly select from the color palette when creating a work of art, or in this case for all intents and purposes setting up a Patch Management program for an Industrial Control System. Each color choice (each patch) has a significant impact in the overall masterwork. FoxGuard takes pride in the art of patching and our ability to bring together the pieces of the patch management puzzle, so that for our utility customer and friend everything comes together seamlessly and they end up with a brilliantly patched work of art (aka Industrial Control System).

For the novice artists reading along, let me introduce you to the concept of Primary, Secondary and Tertiary colors. There are three primary colors – red, yellow, and blue. When you combine two primary colors you get what is called a secondary color – green, orange, and purple. Another six tertiary colors are created by mixing primary and secondary colors. Analogously, with patch management there are FOUR types of patches that in some way or other can and often do relate to one another, and one must ensure that they are installing the proper patches in the proper fashion. The type of patch is critical to understand and track in order to know which patches apply to each of your devices. The types of patches are: Primary, Dependent, Standalone, and Cumulative. A standalone patch, much like a primary color, has no dependencies and can be installed independently, just as with cumulative patches. A primary patch (like a secondary color) is dependent on another patch. The Dependent patch (like a tertiary color) has a primary patch that must be installed prior to installing the subsequent dependent patch. In other words, you can’t make cyan without first having blue and green!
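The ordering rule above (standalone and cumulative patches install on their own; a dependent patch needs its primary patch first, and a primary may itself depend on another patch) can be turned into an install plan with a dependency walk. This is an added example and not FoxGuard’s code; the field names and the KB-* patch IDs are constructed assumptions.

```python
"""Install ordering for the four patch types named above (added example, not
FoxGuard's code). Standalone and Cumulative patches have no prerequisites;
a Dependent patch names the patch that must already be installed, and the
text allows a Primary patch itself to depend on another patch, so chains
are supported. Field names and the KB-* IDs are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Patch:
    patch_id: str
    kind: str                                     # primary|dependent|standalone|cumulative
    requires: list = field(default_factory=list)  # IDs that must be installed first


def validate_catalog(catalog):
    """Report catalog errors: standalone/cumulative patches that declare
    prerequisites, or prerequisites that are not in the catalog."""
    problems = []
    for p in catalog.values():
        if p.kind in ("standalone", "cumulative") and p.requires:
            problems.append(f"{p.patch_id}: a {p.kind} patch cannot have prerequisites")
        for req in p.requires:
            if req not in catalog:
                problems.append(f"{p.patch_id}: prerequisite {req} is not in the catalog")
    return problems


def install_order(catalog, wanted, installed=frozenset()):
    """Depth-first topological order of `wanted` plus their transitive
    prerequisites, skipping anything already installed; raises on cycles."""
    order, done, visiting = [], set(installed), set()

    def visit(pid):
        if pid in done:
            return
        if pid in visiting:
            raise ValueError(f"dependency cycle through {pid}")
        if pid not in catalog:
            raise KeyError(f"unknown patch {pid}")
        visiting.add(pid)
        for req in catalog[pid].requires:
            visit(req)
        visiting.discard(pid)
        done.add(pid)
        order.append(pid)

    for pid in wanted:
        visit(pid)
    return order


def plan(catalog, wanted, installed=frozenset()):
    """Wrap install_order so a broken catalog yields a message, not a crash."""
    try:
        return {"order": install_order(catalog, wanted, installed), "error": None}
    except (ValueError, KeyError) as exc:
        return {"order": [], "error": str(exc)}


# Constructed sample catalog: a chain Dependent -> Dependent -> Primary,
# plus patches that stand on their own.
SAMPLE_CATALOG = {p.patch_id: p for p in [
    Patch("KB-STANDALONE-1", "standalone"),
    Patch("KB-CUMULATIVE-1", "cumulative"),
    Patch("KB-PRIMARY-1", "primary"),
    Patch("KB-DEPENDENT-1", "dependent", ["KB-PRIMARY-1"]),
    Patch("KB-DEPENDENT-2", "dependent", ["KB-DEPENDENT-1"]),
]}

if __name__ == "__main__":
    print("catalog problems:", validate_catalog(SAMPLE_CATALOG) or "none")
    print("fresh device:", plan(SAMPLE_CATALOG, ["KB-DEPENDENT-2", "KB-CUMULATIVE-1"]))
    print("primary already on:", plan(SAMPLE_CATALOG, ["KB-DEPENDENT-2"], {"KB-PRIMARY-1"}))
```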

To further “complicate” matters, they say that the total number of colors we can see is about 10,000,000 (1000 levels of light-dark, 100 levels of red-green, and 100 levels of yellow-blue for a single viewing condition). So although we can define and clearly articulate the primary, secondary, or tertiary colors, our brains see and interpret colors in unique ways, and the result is an overwhelming number of colors from which to select. Comparably, patch management for industrial control systems can yield a vast and seemingly impossible array of demands. As the complexity of industrial control systems evolves, so does the number of devices and applications that need to be patched for both security and compliance reasons. The beauty of the FoxGuard patch management solution is this: FoxGuard has proven excellence in not only meeting compliance requirements but also solving functional issues and security vulnerabilities. We can deliver an automated patch management solution, customized for your operation, providing you with a comprehensive and robust program including: Asset Identification & Baseline, Patch Availability Reporting, Patch Applicability Reporting, Patch Acquisition, Patch Validation, and finally Patch Deployment. Being the masterful artists we pride ourselves on being, we’ve taken meticulous care to provide a patch management program that is systematic, comprehensive, and provides our customers with both security and compliance – now isn’t that beautiful!


NIST UPDATES for the RMF

Source: Barbara Wert, Regulatory Compliance Specialist

NIST’s Risk Management Framework (the RMF) replaced DIACAP as the Department of Defense cybersecurity risk management program of choice in 2014, with transition periods ending in 2017. 

The RMF is comprised of a number of publications, with one of the key documents being NIST SP 800-37 – “Guide for Applying the Risk Management Framework to Federal Information Systems – A Security Life Cycle Approach”.

Earlier this month NIST released a draft of Revision 2 of SP 800-37 (formally titled “Draft NIST Special Publication (SP) 800-37 Revision 2”), which, among other things, integrates privacy risk management into the framework. 

The update (dubbed “RMF 2.0” by Dr. Ron Ross of NIST)(1) is part of the “next generation Risk Management Framework” being developed for information systems, organizations, and individuals, according to an update published by NIST’s Computer Security Resource Center. In a press release on May 9, NIST explained that, “Previous versions of the RMF were primarily concerned with cybersecurity protections from external threats. The updated version adds an overarching concern for individuals’ privacy, helping to ensure that organizations can better identify and respond to these risks, including those associated with using individuals’ personally identifiable information.”

Revision 2 introduces a new step to the RMF process – Prepare.  Tasks within the “prepare” step include assigning key roles and responsibilities, establishing a risk management strategy, identifying stakeholders, understanding threats, identifying the information life cycle for systems that process PII, and correlating each “system-of-interest” with appropriate business missions, functions, and processes. 

Other facets of Revision 2 concern enhancing communication between the risk management processes at the governance level of the organization and those at the operational level, aligning the RMF with NIST’s Cybersecurity Framework (CSF) by mapping RMF tasks with CSF requirements, integrating system life cycle processes from NIST SP 800-160, and the inclusion of supply chain risk management.

The draft publication, “Risk Management Framework for Information Systems and Organizations – A System Life Cycle Approach for Security and Privacy”, is open for public comment until June 22, 2018.

Other RMF-related publications in revision status include:

  • NIST SP 800-53, Revision 5 – Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-53A, Revision 5 – Assessment Procedures for Security and Privacy Controls
  • FIPS Publication 199, Revision 1 – Minimum Security Requirements

For a current publication schedule, please visit https://csrc.nist.gov/projects/risk-management/schedule.  Questions or comments regarding publications can be submitted to sec-cert@nist.gov.

Reference & Resources:

(1) https://csrc.nist.gov/presentations/2018/rmf-2-0-risk-management-framework

https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft

https://www.nist.gov/news-events/news/2018/05/nist-updates-risk-management-framework-incorporate-privacy-considerations

The Art of Simplicity

Douglas Horton once said, “The art of simplicity is a puzzle of complexity.”

At FoxGuard, we pride ourselves in the true art of patching. For you, our utility friend, we want you to look at our solution as a simple work of art when implemented in your control system environment; but what we all know should, in the end, look like a masterful art of simplicity is in fact a puzzle of complexity. For a Patch Management program to be successful in terms of both compliance and, most importantly, security, there are many pieces of a complex puzzle that must fit together. Lucky for you, we’ve got all the pieces of the puzzle and bring them together to create a simple work of art.

Let’s start with the first piece(s) of the puzzle (aka our patching masterpiece). The most important pieces of all for this program to take shape are the identification of all assets. It’s like when you start a puzzle. You lay out all the pieces on the table and start to search for your corner and border pieces. This process can be time consuming, and in many cases requires a certain level of intellect to identify and fit together the pieces with straight edges. Just as with the implementation of a robust patching program, time and technical talent are required to accurately identify critical assets and create a baseline from which to operate.

It is easy to assume this Asset Identification is as simple as gathering a list of assets like setting aside your straight-edged pieces from the rest of the puzzle. However, the list of assets alone may not be enough. Just like when working a puzzle you have to study and take note of the colors and distinctive attributes of each piece as it relates to the bigger picture.  In order to determine the correct patch for safe installation, it is important to understand the operating system, serial number or other unique characteristic of the device.

Now wouldn’t it be a shame to spread out all the pieces and start to fit together your puzzle, only to find out you were missing one or two pieces from the very beginning? Likewise, with patch management, understanding the nature of the equipment and/or the varying patch levels of each instance of the same piece of equipment means that each item must be inventoried (or counted) and managed independently. For example, some products have patches provided based on the serial number of the device, so even though the make and model number appear to be the same, the serial number may indicate that a different patch applies from one device to the next. Make sure all your pieces of the puzzle are accounted for at the start.

Taking this all-important first step of fitting together the outline of your puzzle provides you the bounds within which to continue to operate. Just as with patch management, having your assets identified and creating a baseline – knowing what you have and what you’re going to track – gives you the capability to move on and start to fit together the remaining center pieces of the puzzle, which we all anticipate will come together like a beautiful work of art in the end.
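The point that every device instance must be inventoried on its own, because patch applicability can hinge on serial number and firmware level rather than make and model alone, is easier to see in a small baseline check. This is an added example and not FoxGuard’s code; the vendor, model, serial and firmware values, and the rule fields, are constructed assumptions.

```python
"""Asset baseline with per-serial patch applicability (added example, not
FoxGuard's code). Each device instance is inventoried separately because,
as described above, two devices of the same make and model can need
different patches depending on serial number. Vendor, model, serial and
firmware values are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    model: str
    serial: str
    firmware: str


@dataclass(frozen=True)
class PatchRule:
    patch_id: str
    vendor: str
    model: str
    fixed_in: str                        # firmware at or above this already has the fix
    serial_prefix: Optional[str] = None  # None: every serial of the model is affected


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def applicable_patches(asset, rules):
    """Patch IDs this exact device still needs, by make/model, serial and firmware."""
    needed = []
    for r in rules:
        if (r.vendor, r.model) != (asset.vendor, asset.model):
            continue
        if r.serial_prefix is not None and not asset.serial.startswith(r.serial_prefix):
            continue
        if version_tuple(asset.firmware) < version_tuple(r.fixed_in):
            needed.append(r.patch_id)
    return needed


def baseline_report(assets, rules):
    """Per-asset applicable patches, plus an inventory sanity check: a serial
    listed twice means a device was counted twice, not that there are two."""
    seen, applicable, duplicate_serials = set(), {}, []
    for a in assets:
        if a.serial in seen:
            duplicate_serials.append(a.serial)
        seen.add(a.serial)
        applicable[a.asset_id] = applicable_patches(a, rules)
    return {"applicable": applicable, "duplicate_serials": duplicate_serials}


# Constructed inventory: three RTUs of the same make and model that differ
# only by serial series and firmware level, plus one row entered twice.
SAMPLE_ASSETS = [
    Asset("rtu-01", "ExampleVendor", "RTU-9000", "A1-000123", "2.0"),
    Asset("rtu-02", "ExampleVendor", "RTU-9000", "B2-000456", "2.0"),
    Asset("rtu-03", "ExampleVendor", "RTU-9000", "B2-000789", "2.1"),
    Asset("rtu-03-dup", "ExampleVendor", "RTU-9000", "B2-000789", "2.1"),
]
SAMPLE_RULES = [
    PatchRule("PATCH-A1-ONLY", "ExampleVendor", "RTU-9000", "2.1", serial_prefix="A1-"),
    PatchRule("PATCH-ALL-SERIALS", "ExampleVendor", "RTU-9000", "2.1"),
]

if __name__ == "__main__":
    report = baseline_report(SAMPLE_ASSETS, SAMPLE_RULES)
    for asset_id, patches in report["applicable"].items():
        print(asset_id, patches or "up to date")
    print("duplicate serials:", report["duplicate_serials"] or "none")
```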
