CybatiWorks ICSsec Education Platform Released
Cybati has been hard at work building their CybatiWorks education platform. The platform’s first public release includes a virtual machine running a variety of systems, architected as a typical IT/OT network.
At the heart of CybatiWorks is CORE (the Navy Research Lab’s Common Open Research Emulator), which presents an easy way to draft up a network architecture of lightweight virtual machines (essentially sandboxed systems running the host operating system). Of course, with some fancy scripting CORE can swap out these lightweight virtual machines for ‘heavy’ machines (virtual or physical) running real ICS software.
Researchers and ops folks alike can take the virtual network and learn how protocols work, determine the best network architecture, and apply networking rules to separate systems. They can also set up virtual mirror ports, attach intrusion detection systems, and deploy other compensating controls. The effectiveness of the security controls can be tested by launching real attacks.
One of the nice things about launching attacks is that the default lightweight virtual machines are sandboxed clones of the host operating system, which is based on Kali. This means that Kali’s default toolset comes for free -- so you can run the usual-suspect exploits against specific target machines. The attacks will follow virtual routes through the network.
Setup and teardown of systems is a snap. The platform aims to teach a long list of skills in attacking control systems, including using existing exploits and developing your own custom tools to attack (and detect attacks against) insecure protocols. The sample control system can be expanded using a Raspberry Pi with PiFace board to give it physical IO for a much lower cost than using a PLC.
CybatiWorks promises to be a way to inexpensively introduce OT and ICS security to the masses.
A beta of the VM platform is available on the CybatiWorks-1 Google Group, as well as an image for use on Raspberry Pi devices for integration into the network.
Matthew Luallen will be holding a CybatiWorks overview telecon and webcast on June 11th, which includes some HOWTOs on setting up a network, attaching a Raspberry Pi, and other tricks. Register at the webcast url: https://attendee.gototraining.com/r/8568936485435068417
Hospira Infusion Pump Highlights Medical Device Problems
Billy Rios performed an assessment of Hospira’s LifeCare drug infusion pumps and found their security to be among the worst in the business, which is to say, typical of any industrial field device.
The pump, which features an Ethernet interface, contained backdoors that could allow drug dosages to be modified by an attacker. Performing forensics on such an attack would be difficult due to the system’s design.
While ICS-CERT has issued an advisory, it is notable that the Food and Drug Administration released a safety alert of their own. This marks the first time that the FDA has issued a security advisory targeting a specific product.
The FDA currently has published guidance for security in networked medical devices. While it provides a reasonable set of recommendations, they are just that -- recommendations. It is interesting that the medical field has no requirements in this area.
To hear more about this listen to Dale Peterson's interview with Billy Rios on the Unsolicited Response Podcast.
SSH Botnet Takedown: Reducing Attacks on the Critical Infrastructure
Threatpost reported that L3 and Cisco are working together to block SSH bruteforce attacks from a series of compromised networks. This SSH botnet is responsible for one third of all SSH bruteforce attacks on the internet, according to Threatpost.
When ICS-CERT announced massive SSH attacks against critical infrastructure control systems in 2012, we were curious: were these really targeted attacks, or were they simply detections of the background noise that is the modern Internet? Our conclusion was to be a bit critical of the assumption that the attacks were truly ‘targeting’ ICS.
We posted an initial analysis of one of our personal internet-facing servers at the time of the ICS-CERT alert. Indeed, when we look at our logs, we see a sizable (roughly 15%) reduction in SSH attacks since the L3/Cisco maneuver. Attack rates are consistently moving upwards again, as the attackers change ISPs and change tactics.
We recommend using tactics such as fail2ban to protect yourself from distributed intrusion attempts. As we noted in 2012, even distributed attacks tend to come primarily from a few compromised hosts. Blocking those hosts is an easy way to protect your remote access and prevent a curious attacker from discovering what is connected to the interior of your network.
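As an added illustration of the fail2ban-style tactic recommended above (example code written for this post, not the authors' own tooling or fail2ban itself), the Python below parses sshd "Failed password" log lines, applies a maxretry/findtime sliding window of the kind fail2ban uses, and measures how much of the noise a single source accounts for. The log lines, IP addresses, hostnames and thresholds are constructed sample values.

```python
import re
from datetime import datetime

# Constructed sample sshd log lines (not from any real server).
SAMPLE_LOG = """\
Jun  5 10:00:01 host sshd[100]: Failed password for root from 198.51.100.7 port 4001 ssh2
Jun  5 10:00:03 host sshd[101]: Failed password for root from 198.51.100.7 port 4002 ssh2
Jun  5 10:00:09 host sshd[102]: Failed password for root from 198.51.100.7 port 4003 ssh2
Jun  5 10:00:15 host sshd[103]: Failed password for invalid user oracle from 203.0.113.9 port 5101 ssh2
Jun  5 10:00:20 host sshd[104]: Failed password for root from 203.0.113.9 port 5102 ssh2
Jun  5 10:00:31 host sshd[105]: Failed password for root from 192.0.2.44 port 6101 ssh2
Jun  5 10:00:40 host sshd[106]: Accepted publickey for ops from 192.0.2.10 port 7000 ssh2
Jun  5 10:20:00 host sshd[107]: Failed password for root from 192.0.2.44 port 6102 ssh2
"""

# Matches the syslog timestamp and source IP of a failed password attempt.
FAILED_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
                       r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

def parse_failures(log_text, year=2015):
    """Return [(timestamp, source_ip)] for every failed password event (syslog lacks the year)."""
    events = []
    for m in filter(None, map(FAILED_RE.match, log_text.splitlines())):
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"]))
    return events

def ban_candidates(events, maxretry=3, findtime=600):
    """IPs with maxretry failures inside any findtime-second sliding window (fail2ban's rule shape)."""
    by_ip = {}
    for ts, ip in events:
        by_ip.setdefault(ip, []).append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1          # slide the window forward past stale failures
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned

def top_source_share(events):
    """Fraction of all failures that come from the single busiest source."""
    counts = {}
    for _, ip in events:
        counts[ip] = counts.get(ip, 0) + 1
    return max(counts.values()) / len(events) if events else 0.0
```

With the defaults, only the source hammering three times in a few seconds is banned; a slow source that spaces its attempts beyond findtime stays under the rule, which is why a larger findtime or a log-review pass over top_source_share is worth pairing with the automatic ban.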