FoxGuard Solutions provides OEM customers one-stop shop for custom configured computers.
CHRISTIANSBURG, Va. (September 20, 2017) – FoxGuard Solutions, Inc. and Lenovo today announced approval of FoxGuard Solutions, Inc. as a North American OEM reseller, further strengthening Lenovo’s support to OEM customers. “We are extremely pleased to include Lenovo products in our custom configured OEM solutions as part of Lenovo’s one-stop-shop approach to serving businesses,” said Patrick Patterson, V.P. of Industrial Computing at FoxGuard. “FoxGuard shares Lenovo’s customer-first approach, and this partnership enhances our ability to design and integrate custom computer solutions that meet our clients’ application, budget and preferences.”
Utilizing more than 35 years’ experience configuring computer solutions, integrating racks, developing images, securing licenses and ensuring hardware, software and OS compatibility, FoxGuard’s turnkey solutions enable customers to free up internal resources and focus on growth.
“OEM customers rely on Lenovo OEM partners to help manage their product from concept to launch to life cycle. We are pleased to add FoxGuard Solutions to the OEM reseller team,” said Nathan Blom, Director, North American OEM at Lenovo.
About FoxGuard Solutions:
FoxGuard Solutions, Inc. has been bridging the gap between IT and OT technology environments for over 35 years via integrated hardware, software and security solutions. Based in Southwest Virginia, FoxGuard serves customers in more than 60 countries from their secure, ISO-certified, ITAR-registered facility. Providing configuration, testing, certification, integration, kitting, regulatory/export compliance and life cycle management programs, FoxGuard’s solutions are “Built for Security.”
The Equifax security breach exposing sensitive information of approximately 143 million consumers is one that we now know could have been prevented with the installation of a security patch that was made available two months before the breach occurred.
Equifax has indicated, “We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Apache Struts is a framework for developing Java-based web applications, used on both front-end and back-end web servers. Many industries, including internet companies, banks, government agencies, and many large Fortune 500 companies, rely on Apache Struts.
It has been reported that Equifax failed to update its web applications despite proof that the bug gave cyber-thieves an easy way to take control of sensitive sites and consumer information. Patching the security hole would have been labor intensive and difficult because it involved downloading an updated version of Struts and rebuilding all associated applications. Some websites depended on dozens or even hundreds of such applications, likely stored on many servers scattered across multiple continents. And you don’t just release rebuilt applications into production without extensive testing to ensure that the updates don’t break key functions of the unit itself.
The bottom line is that cybersecurity, and more specifically patch management, isn’t always easy or convenient, but it is worth it. And we feel that our Patch Management program sets up companies like Equifax for success in preventing these and other types of attacks.
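Before any of that rebuilding can start, a defender has to know which deployed applications actually bundle an affected Struts build. The Python script below is an added example, not code from FoxGuard or from this newsletter: it scans a constructed inventory of application classpaths for struts2-core jars and compares versions numerically (so that 2.5.10.1 correctly sorts after 2.5.9) against the first fixed release of each branch. The fixed-version table is an assumption taken from Apache's S2-045 announcement rather than from this page; confirm it against the vendor advisory before relying on it.

```python
"""Find deployed applications that bundle a Struts 2 build older than the fix.

Added example (not FoxGuard's code). The inventory below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: first fixed releases for CVE-2017-5638 per Struts branch, per
# Apache's S2-045 announcement (not stated on this page). Verify before use.
FIXED_BY_BRANCH = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1), so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in text.split("."))


def struts_version(jar_name: str) -> Optional[str]:
    """Version string of a struts2-core jar, or None for any other jar."""
    m = JAR_RE.search(jar_name)
    return m.group(1) if m else None


def is_vulnerable(version: str, fixed_by_branch=FIXED_BY_BRANCH) -> bool:
    """True when the version is below the first fixed release of its branch."""
    parts = parse_version(version)
    branch = ".".join(str(p) for p in parts[:2])
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        # Branch not in the table (e.g. an unsupported 2.2.x): anything older
        # than the lowest fixed release is treated as affected; newer unknown
        # branches are reported as not affected and left for manual review.
        lowest = min(fixed_by_branch.values(), key=parse_version)
        return parts < parse_version(lowest)
    return parts < parse_version(fixed)


def scan(inventory: Dict[str, List[str]]) -> Dict[str, str]:
    """inventory: app name -> jar names on its classpath.

    Returns app name -> vulnerable struts2-core version for apps needing a rebuild.
    """
    findings: Dict[str, str] = {}
    for app, jars in inventory.items():
        for jar in jars:
            version = struts_version(jar)
            if version and is_vulnerable(version):
                findings[app] = version
    return findings


# Constructed sample inventory; application names are placeholders.
SAMPLE_INVENTORY = {
    "dispute-portal": ["commons-lang3-3.4.jar", "struts2-core-2.3.31.jar"],
    "account-api": ["struts2-core-2.5.10.1.jar"],
    "legacy-upload": ["struts2-core-2.5.9.jar", "ognl-3.1.12.jar"],
    "static-site": ["jackson-core-2.8.5.jar"],
}

if __name__ == "__main__":
    for app, version in scan(SAMPLE_INVENTORY).items():
        print(f"{app}: struts2-core {version} must be rebuilt against a fixed release")
```

In a real environment the inventory would come from a deployment scanner or configuration management database rather than a literal; the comparison logic is the part that is easy to get wrong, since a string compare would call 2.5.10.1 older than 2.5.9.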
WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.
If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.
FoxGuard continues to monitor Dragonfly and its effects on critical infrastructure. Dragonfly is a campaign by (possibly Russian) actors targeting US and European critical infrastructure. Dragonfly has been active since at least 2010 but, according to Symantec, has seen a resurgence in activity within the last year. This new campaign has been dubbed “Dragonfly 2.0” by security researchers at Symantec. Several different attack vectors are used in the Dragonfly campaign, including spear phishing emails, watering-hole attacks, and Trojanized software. Phishing emails are emails sent out masquerading as someone else to try to get you to divulge sensitive information or to click a link that downloads a malicious file. Spear phishing aims those emails at specific people to increase the likelihood of success. In the case of Dragonfly, emails including a New Year’s Eve party invitation were sent out. A watering hole is a website that the target visits frequently and that the attacker has compromised. Once the site is compromised, the attacker can load malicious code into it, possibly without the user ever noticing that anything has changed. Using these attacks, the actors were able to steal credentials from employees, which they then used to gain remote access to machines. Though no interruptions in service have been attributed to this campaign, the attackers appear to have had the ability to cause harm had they wanted to. Screenshots of the user interfaces of industrial control systems, such as circuit breaker controls, have been found. Access to these controls would allow attackers to open circuit breakers, cutting the flow of electricity to potentially millions of U.S. citizens. So why haven’t they used these capabilities to wreak havoc? Security researcher Eric Chien of Symantec believes the attackers are waiting for the most strategic time to use the access, for example as a deterrent against a threatened US attack.
Isn’t there a way to prevent this? Security is not an absolute: there are mitigation techniques, but nothing is certain. An important concept in the security industry is “defense in depth,” meaning that layers of security should be implemented rather than relying on any single measure. A hardware firewall is extremely important to have on a network, but assuming that no one will get through that firewall, and that you therefore need no additional protection, is a huge mistake. Instead, measures such as antivirus, least privilege, encryption, firewalls, intrusion detection, honeypots, and so on should all be used together for cyber defense. Think of these measures as fire doors: they may not hold off the problem indefinitely, but they can delay it, giving you time to react. The more of them you can practically use in your system, the harder it will be for an attacker to get through, leaving more time for security experts to mitigate the attack. If your intrusion detection system picks someone up at the firewall, they may still have several more layers to get through, which gives security professionals time to rewrite rules or shut down access to machines to stop the attack.
Another approach commonly used in industrial control systems is “air gapping.” Air gapping is the idea that a controls network should be completely separate from the business or corporate network: the business network has no control over the functions of the equipment, and the controls network has no remote or internet access. In theory this protects a machine on the controls network from a virus, since the control machines never talk to anything but each other. The problem is that operational demands mean a system is never completely isolated, so the idea that the air gap alone will keep you safe is a myth. Even if your systems are not networked together, you may need to pull configuration files down from your corporate network. Even when that network is not reachable from the control network, a flash drive may be used to carry the configuration file between a machine connected to the corporate network and one connected to the control network. This gives malicious code the opportunity to move from the corporate-network machine to the flash drive and ultimately to the control-network machine, thus “jumping” the air gap. If a 16 GB flash drive is carried just once per day from an infected machine to a machine on the controls network, that is roughly the same data bandwidth as a 24/7 1.5 Mbps network connection: the latency is high, but the throughput is there. This particular jump can be prevented by locking down which USB devices are allowed to connect to a machine, or even by physically disabling USB ports that are not needed. This is just one of many ways an air gap can be jumped.
One famous example of jumping an air gap is the Stuxnet virus. Stuxnet targeted Iran’s nuclear program by infecting its centrifuges and changing their operating frequencies. This stressed the machines, causing aluminum tubes to expand and forcing contact with other parts, which destroyed as many as 1,000 centrifuges. Natanz, the Iranian research site being used to enrich uranium, had its control systems air gapped, with no network connection to the outside world. So how did the virus make its way into the research center? A flash drive, possibly from an Iranian double agent or possibly by the mistake of one of the researchers in the facility, was plugged into the internal systems, and the virus made the jump onto the control network.
At this point it appears that no nuclear sites have been affected by Dragonfly, possibly because of the stricter requirements nuclear sites have for separating their internet-connected networks from their operational controls. Dragonfly has not been seen to jump a total air gap so far, but as you can see, air gapping alone should not be relied upon to prevent an attack. FoxGuard recommends a “Defense in Depth” strategy to help prevent infection. Making sure that only designated flash drives can connect to a machine is an important security step, or, if operationally feasible, allow no USB access at all. Control networks should ideally not be connected to any other network, and no client on the control network should also be connected to an external network. Patch management is also of great importance: even an offline machine can be infected, and having the most recent patches installed to close vulnerabilities can mitigate many potential attacks.
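Two practical pieces of the advice above can be checked with a short script: the sneakernet bandwidth estimate for a flash drive carried once a day, and detection of a USB storage device that is not one of the designated drives. The Python below is an added example (not FoxGuard's code) that parses constructed Linux kernel log lines of the kind written when a USB device is attached and flags any device whose vendor id, product id and serial number are not in an assumed allowlist. The log excerpt, serial numbers and allowlist are all constructed.

```python
"""USB allowlist check and sneakernet bandwidth estimate (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Assumed allowlist of designated drives: (idVendor, idProduct, SerialNumber).
ALLOWED_DRIVES: Set[Tuple[str, str, str]] = {
    ("0781", "5567", "4C530001111111111111"),
}

NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>\S+): New USB device found, idVendor=(?P<vendor>[0-9a-f]{4}), "
    r"idProduct=(?P<product>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)")


def parse_usb_events(lines) -> List[Dict[str, str]]:
    """Group kernel log lines into one record per attach event.

    A new record starts at each 'New USB device found' line; the SerialNumber
    line that follows on the same port is attached to that record.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, Dict[str, str]] = {}  # port -> record being filled
    for line in lines:
        m = NEW_DEVICE_RE.search(line)
        if m:
            rec = {"port": m["port"], "vendor": m["vendor"],
                   "product": m["product"], "serial": ""}
            records.append(rec)
            current[m["port"]] = rec
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in current:
            current[m["port"]]["serial"] = m["serial"]
    return records


def unauthorized_devices(records, allowed=ALLOWED_DRIVES) -> List[Dict[str, str]]:
    """Devices not matching an allowlisted (vendor, product, serial) triple.

    The serial is part of the key, so a second drive of the same model is still
    flagged, and a device that reports no serial can never match.
    """
    return [r for r in records
            if (r["vendor"], r["product"], r["serial"]) not in allowed]


def sneakernet_mbps(gigabytes_per_day: float) -> float:
    """Continuous bandwidth equivalent of carrying N GB once per day (decimal GB)."""
    return gigabytes_per_day * 8e9 / 86400 / 1e6


# Constructed log excerpt: one designated drive, one same-model drive with a
# different serial, and one device that reports no serial at all.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: SerialNumber: 4C530001111111111111
usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-2: SerialNumber: 4C530009999999999999
usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 2.00
""".splitlines()

if __name__ == "__main__":
    for dev in unauthorized_devices(parse_usb_events(SAMPLE_LOG)):
        print(f"unauthorized USB device on port {dev['port']}: "
              f"{dev['vendor']}:{dev['product']} serial={dev['serial'] or '<none>'}")
    print(f"16 GB/day by flash drive ~= {sneakernet_mbps(16):.2f} Mbps continuous")
```

Matching on vendor and product alone would let any drive of the same model through; including the serial is what makes the check enforce "designated flash drives" rather than "drives of an approved brand". A log check like this is a detective control; the preventive control is the USB device policy or disabled port the text recommends.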
Last month, Compliance & Risks published its quarterly regulatory growth charts for July 2017. The overall number of regulations in the past 15 years has climbed from just over 2,000 to just under 16,000. This constitutes a total increase of over 700%!
Regulatory Growth by Subject
The first chart depicts regulatory growth by subject, including Batteries, Climate Change, Packaging, Product Safety, Energy, Waste, and Substances. Results show the highest number of regulations in the area of Substances, at just over 6,000, with regulations concerning Batteries having the lowest count, at approximately 1,000.
Regulatory Growth by Region
The second chart depicts regulatory growth by region, including International Organizations; Latin America with the Caribbean; Asia Pacific; the United States and Canada; and Europe, the Middle East, and Africa, with Central Asia (EMEA). Results show the highest growth in Latin America with the Caribbean, and the EMEA regions, at approximately 500% each! Asia Pacific regulations have climbed approximately 300% over the past 15 years, and the United States and Canada have multiplied regulations by approximately 340%!
Recent RoHS regulatory additions that impact Information Technology are Taiwan RoHS (already in force for certain products), Singapore RoHS (already in force for certain products), and UAE (United Arab Emirates) RoHS, which has its first enforcement date on January 1, 2018, for certain products.
Over the past few years, we have seen additional legislative changes and new legislation in various regions, including the following:
- Mercury ban in Canada;
- China RoHS 2;
- The G mark in the Gulf Cooperation Council and Yemen;
- Changes from C-Tick and A-Tick in Australia to RCM;
- Change from GOST-R in the Russian Federation to EAC in the Eurasian Customs Union;
- K-Reach in Korea;
- Changes in the European Union’s directives and standards in the areas of Low Voltage and EMC;
- Numerous additions to the European Union’s Substances of Very High Concern list (REACH).
FoxGuard tracks pending new legislation, as well as upcoming changes to existing legislation, and works closely with our supplier network to ensure continued compliance of systems and components.
WANT TO LEARN MORE ABOUT FOXGUARD’S SIMULATION CAPABILITIES?
FoxGuard has 35+ years’ experience configuring computer solutions, integrating racks, developing images, securing licenses, and ensuring hardware, software and OS compatibility, freeing up your resources to pursue growth. We can configure and ship a turnkey solution to your designated location.
As military tensions rise between the US and North Korea, so too do tensions rise on the battlefield of the twenty-first century: the cyber realm. The FBI and Homeland Security are currently monitoring North Korean denial-of-service capabilities targeted at US businesses, including critical infrastructure. The malicious activity is referred to by the US government as “Hidden Cobra” and leverages malware known as “DeltaCharlie.” DeltaCharlie is a DDoS bot that the North Korean government uses to control its botnet. A botnet is a network of infected machines that can be used to flood a targeted system with requests, overloading it so that legitimate requests for resources on that system are denied. DeltaCharlie is capable of launching attacks using the Domain Name System (DNS), Network Time Protocol (NTP), and Character Generation Protocol (CHARGEN). The malware can update itself, update its configuration, download additional executables, terminate itself, and launch or stop a DDoS attack. Although no new DDoS attacks have been discovered that can be attributed to this malware, the US Computer Emergency Readiness Team has warned administrators to be on the lookout for suspicious network and computer behavior that may indicate an attack. If users or administrators detect anything that appears to be from Hidden Cobra, they are encouraged to report it immediately to the Department of Homeland Security Cybersecurity Communications and Integration Center or the FBI Cyber Watch, and to begin best practices for mitigation. In addition to using DeltaCharlie for the botnet, Hidden Cobra actors are also believed to use keyloggers, remote access Trojans, and wiper malware, including tools such as Destover, Wild Positron, and Hangman.
The DHS and FBI have identified IP addresses used in the botnet and are distributing them so that administrators can take the proper steps to mitigate the possibility of an attack.
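The DNS, NTP and CHARGEN attacks named above are reflection floods: the bot sends small requests with the victim's address as the source, and third-party servers answer the victim with much larger replies, so from the victim's side the traffic arrives from many source addresses with UDP source ports 53, 123 and 19. The Python below is an added example, not FoxGuard's or US-CERT's tooling, showing how an administrator might run both checks at once over flow records: match source and destination addresses against an indicator list (here a constructed placeholder set in documentation address space, not the real DHS/FBI list) and flag any destination receiving high-volume UDP traffic from several reflection-port sources. The flow line format, thresholds, timestamps and addresses are all assumptions.

```python
"""Flow-record triage for Hidden Cobra style DDoS indicators (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Placeholder indicator set (TEST-NET-1 addresses); substitute the list US-CERT publishes.
IOC_IPS: Set[str] = {"192.0.2.44", "192.0.2.45"}

# UDP services the bot is reported to abuse, keyed by the source port a victim sees.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN"}

# Assumed flow export format, e.g.
# "src=198.51.100.7:53 dst=203.0.113.10:40001 proto=udp bytes=3200"
FLOW_RE = re.compile(
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)"
)


def parse_flows(lines) -> List[dict]:
    """Parse flow records; lines that do not match the format are skipped."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        for key in ("sport", "dport", "bytes"):
            f[key] = int(f[key])
        flows.append(f)
    return flows


def analyze(flows, ioc_ips=IOC_IPS, min_sources=3, min_bytes=100_000) -> Dict[str, object]:
    """Return indicator matches and destinations that look like reflection targets."""
    indicator_hits = [f for f in flows if f["sip"] in ioc_ips or f["dip"] in ioc_ips]

    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] in REFLECTION_PORTS:
            agg = per_dst[f["dip"]]
            agg["sources"].add(f["sip"])
            agg["bytes"] += f["bytes"]
            agg["services"].add(REFLECTION_PORTS[f["sport"]])

    # One large DNS answer is normal; many distinct reflectors hitting a single
    # host with a large aggregate volume is the pattern worth alerting on.
    reflection_targets = {
        dst: {"sources": len(a["sources"]), "bytes": a["bytes"],
              "services": sorted(a["services"])}
        for dst, a in per_dst.items()
        if len(a["sources"]) >= min_sources and a["bytes"] >= min_bytes
    }
    return {"indicator_hits": indicator_hits, "reflection_targets": reflection_targets}


# Constructed flow records: four reflectors answering toward 203.0.113.10, one
# ordinary DNS reply to 203.0.113.20, and one TCP session to a placeholder
# indicator address.
SAMPLE_FLOWS = """\
2017-06-14T10:00:01Z src=198.51.100.7:53 dst=203.0.113.10:40001 proto=udp bytes=40000
2017-06-14T10:00:01Z src=198.51.100.8:123 dst=203.0.113.10:40001 proto=udp bytes=40000
2017-06-14T10:00:02Z src=198.51.100.9:19 dst=203.0.113.10:40001 proto=udp bytes=40000
2017-06-14T10:00:02Z src=198.51.100.10:53 dst=203.0.113.10:40001 proto=udp bytes=40000
2017-06-14T10:00:03Z src=198.51.100.7:53 dst=203.0.113.20:51515 proto=udp bytes=120
2017-06-14T10:00:04Z src=203.0.113.30:49152 dst=192.0.2.44:443 proto=tcp bytes=8800
""".splitlines()

if __name__ == "__main__":
    result = analyze(parse_flows(SAMPLE_FLOWS))
    for f in result["indicator_hits"]:
        print(f"indicator match: {f['sip']} -> {f['dip']}:{f['dport']}")
    for dst, info in result["reflection_targets"].items():
        print(f"possible reflection flood on {dst}: {info}")
```

The thresholds are deliberately parameters: what counts as "many sources" and "a lot of bytes" depends on the site's normal DNS and NTP volume, and should be set from a baseline rather than guessed. An indicator match on an outbound connection (the TCP session in the sample) is a different kind of finding from the inbound flood and should be triaged as a possible compromised host rather than as a DDoS victim.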
Additionally, known vulnerabilities exploited by Hidden Cobra include:
• CVE-2015-6585: Hangul Word Processor Vulnerability
• CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
• CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
• CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
• CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability
Hidden Cobra commonly targets systems running older operating systems and outdated software. As always, FoxGuard recommends keeping your systems up to date with the latest security patches to help eliminate vulnerabilities and prevent attacks.
More information, including the list of IPs associated with this warning, can be found on the us-cert.gov site.
THE DANGERS OF OVERLOOKING DEVICE DRIVERS IN PATCH MANAGEMENT
Drivers are software that can contain vulnerabilities. As such, it is just as important to monitor them in the same way and with the same diligence that we patch every other aspect of our systems.
FoxGuard Solutions, Inc. and partner TDi Technologies unveil joint solution for
U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems
CHRISTIANSBURG, Va. July 13, 2017 – FoxGuard Solutions, Inc. and partner TDi Technologies recently completed a multi-year project to create a safer national power grid by simplifying the process of patching and updating energy delivery control system devices. The solution is the result of a $4.3 million Cooperative Agreement awarded in 2013 from the U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems (CEDS) division.
“This is exactly why FoxGuard Solutions exists and this is where our team excels,” FoxGuard President & CEO, Marty Muscatello, said. “The solution developed comprises several elements that can each stand alone to improve security posture and, when integrated, provide a comprehensive solution to meet energy sector patch and update needs.”
Believing that the nation’s security, economic prosperity, and the well-being of its citizens depend on reliable energy infrastructure, the DOE solicited FoxGuard Solutions’ expertise to develop the patch and update management project for energy delivery systems. The energy sector places an emphasis on the availability and reliability of energy delivery operations. While best practice avoids connecting energy delivery system devices to external networks, their increasing interconnectivity exposes them to greater cyber risk, making proper and timely patches and updates critically important to maintaining system cybersecurity.
FoxGuard Solutions was tasked with researching, developing, and demonstrating technology and techniques to identify and verify the integrity of updates and patches for energy delivery systems software, hardware and firmware, while also facilitating the deployment of those updates. The resulting solution has four components:
• Patch & Update Data Aggregator & Web Portal
• Patch & Update Authentication
• Validation Techniques
• Query Engine
The Patch and Update Management Program simplifies the process of understanding what patches are available for energy delivery industrial control system devices, for both end users and equipment vendors, while also simplifying a utility’s adherence to NERC CIP v6 requirements involving patching, ultimately leading to a safer grid.
About FoxGuard Solutions, Inc.
FoxGuard Solutions develops custom cyber security, compliance and industrial computing solutions. FoxGuard provides reliable, secure and configurable patch management reporting services, which include availability reporting and applicability analysis for information technology (IT) and operational technology (OT) assets used in critical infrastructure environments. Visit foxguardsolutions.com to learn more.
About TDi Technologies
TDi Technologies, based in Plano, TX, is the first solution provider to offer a unified system for cybersecurity/operation. Their patented technology provides flexibility, automation, optimization, control and management capabilities that dramatically improve the ability to meet operation and security demands. Visit tditechnologies.com to learn more.
About U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems
In today’s highly interconnected world, reliable energy delivery requires cyber-resilient energy delivery systems. In fact, the nation’s security, economic prosperity, and the well-being of our citizens depends on reliable energy infrastructure. As such, a top priority for the Office of Electricity Delivery and Energy Reliability (OE) is to make the nation’s electric power grid and oil and natural gas infrastructure resilient to cyber threats. Visit energy.gov to learn more.
PATCH GAP ANALYSIS – SECURING CRITICAL INFRASTRUCTURE
There is a moment when even the most seasoned IT professional’s heart stops. After a new patch or a new update is installed on some critical piece of hardware he reaches out, flips the reset switch, and waits with bated breath. There is a moment of darkness and then, the lights come on, the disk spins up, and the spell is broken. Usually.
VALIDATION TECHNIQUES AND GUIDELINES FOR ICS
Validation is not an indefinite stamp of approval; it is “proof that something is based on truth or fact, or is acceptable.” A time limit is attached to any proclamation of validation, and that time limit expires when a change occurs. When something changes, such as software/firmware revisions, the operating system, the host hardware or peripherals, the validation life cycle must be re-entered.
TEN LESSONS LEARNED
FoxGuard Solutions has been providing patch management solutions for industrial control systems, via original equipment vendors (OEMs) as well as directly to energy utilities, for many years. This long history gives us a unique perspective and extensive knowledge of the patching burden, so we want to share our insight and some “lessons learned” along the way.