Controlco’s Chip Cummings tells the ControlTrends Community about KODARO’s packaged analytics for contractors, which is coupled with TOSIBOX for an encrypted secure network, OPTIGO for high-speed data processing and integrity, and the Dell Edge Gateway running a ported Niagara 4. Visit KODARO for more information.
Introducing Cyber Power Systems Power Management Solutions from the Edge to the data center. REGISTER NOW!
• Introduction of CyberPower
• BAS34U24V Product Launch / market relevance/IT vs OT networks
• Learn about the importance of powering and protecting equipment and controls at the edge
• Partner Benefits / Product training
• Question & Answer
Dan Niewirowicz, Special Projects Group
Scott Koller, Vice President of Channel Sales
Who Should Attend? CGNA Customer Contractors are welcome!
Cyber Power Systems (USA), Inc., Shakopee, Minn. – Cyber Power Systems (USA), Inc., a leader in power protection and management products, today introduced an uninterruptible power supply (UPS) system designed to protect building and industrial controls and devices from power failure, interruptions, over-voltages and surges. The CyberPower BAS34U24V protects controller and server platforms, networking devices, data loggers, remote facility monitors, and other equipment from power disruptions to avoid loss of vital data and service failures. The UPS system is the first in a series of automation power-protection products to safeguard equipment within building automation systems (BAS), energy management systems (EMS) and other production-related systems which run smart buildings and factories.
CyberPower is launching the product at the 2018 ASHRAE Winter Conference and AHR Expo for the HVAC and controls industries, January 22-24, at McCormick Place in Chicago. During the AHR Expo, CyberPower will feature product briefings at booth #4058 in the Building Automation and Control Showcase at McCormick Place. The product is compliant to the Construction Specification Institute (CSI) Division 25 standard for integrated building automation regarding facility controller backup.
The CyberPower BAS34U24V serves the growing shift from siloed building systems to an interconnected system of Internet of Things (IoT) devices and sensors that collect and share data within and across portfolios. According to research by IHS Markit, there are more than 4.3 million IoT devices in use in the commercial and industrial electronics sector which includes smart buildings and factories, contributing to more than 27 billion connected IoT devices worldwide in 2017.
A UPS system engineered for control panels and edge networks
Designed for IoT technologies, the BAS34U24V is a UPS system featuring line-interactive topology to regulate voltage without having to switch to the battery.
“Today’s smart buildings and industrial systems rely on computing and analytics placed close to the network edge. The CyberPower BAS34U24V protects connected edge devices on the plant or building floor, such as controllers and sensors, from damaging power events like surges, spikes and black-outs. The unit provides a continuous flow of clean power to ensure efficient building and equipment operation that, in turn, will flow clean data and analytics to maintain accurate building management,” said Tim Derochie, director of product management at CyberPower.
The UPS system provides DC power supply, surge protection and an internal, space-saving backup battery for long-lasting protection. Features of the CyberPower BAS34U24V include:
* Compact form factor and DIN rail mount for secure installation inside controller cabinets.
* A high-density lithium-ion battery and an electronic design with DC output that yields an extended battery runtime of up to four hours at 80 percent of rated capacity.
* SNMP support that provides critical information and alerts, such as remaining battery runtime and power conditions.
* Regulatory and safety certifications including UL 60950-1 and FCC Class B.
About Cyber Power Systems (USA), Inc.
CyberPower designs and manufactures uninterruptible power supply systems, power distribution units, surge protectors, remote management hardware, power management software, mobile chargers and connectivity products. The company serves customers in enterprise, corporate, industrial, government, education, healthcare and small office/home office environments. CyberPower products are available through authorized distributors and sold by value-added resellers, system integrators, managed service providers, select retailers and online resellers.
For more information, visit: www.cyberpowersystems.com.
Cyber Power Systems (USA), Inc.
Tim Madsen, 952-403-9500
It’s not only smart buildings: any commercial building built or renovated in the past 30 years is what you should worry about.
Before the smart buildings concept, digital, Internet-connected control systems such as HVAC, lighting and elevators were installed and managed by non-IT people: architects, engineers, contractors and property managers. Without IT best practices, much less cybersecurity requirements, there is significant exposure to:
* Life Safety Risks
* Equipment Failure
* Productivity Loss
* Network Hopping
* Brand Damage
This webinar will address the cybersecurity condition that afflicts nearly all commercial building stock, what you can do about it and how to get started. We will cover:
* Legacy Building Controls Technology and Connectivity
* Risk Areas and Consequences
* Stakeholders Roles and Responsibilities
* Case Study Examples
* Step by Step Plan to Remediate
Episode 255: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending Feb 18, 2018 features our interview and cyber security discussion with two of our industry’s most venerated experts from Intelligent Buildings, Darryl Benson and Fred Gordy. Darryl and Fred offer the ControlTrends Community some astute advice and pose an interesting question to system integrators: Do you want to maintain the cyber security risks …
Mitigating Meltdown and Spectre Vulnerabilities
Dear valued partner,
On January 3, 2018, a group of researchers from Google Project Zero, Cyberus Technology and several universities revealed two major flaws in computer chips that could leave a huge number of computers and smartphones vulnerable to security concerns. Called “Meltdown” and “Spectre,” the flaws exist in processor families and could allow an attacker to read sensitive data stored in the memory, like passwords, or look at what tabs someone has open on their computer. Researchers indicate almost every computing system – desktops, laptops, smartphones, and cloud servers – is affected by these flaws.
Tridium takes the security of our customers and products seriously. Upon learning about this CPU issue, we began a company-wide product review to determine which of our devices are affected, and what corrective actions are necessary. Our findings to date are summarized below.
IMPACTED TRIDIUM PRODUCTS:
Niagara Supervisor running on Windows or Linux
If you have a Niagara Supervisor that runs on Windows or Linux, your machine may be affected.
Recommended Customer Actions:
* Update your operating systems with the latest patches, making sure that your organization has a patch management plan that is always executed.
* For Windows, follow Microsoft’s published guidance for patching your systems (linked in the original advisory).
* For Linux, follow Red Hat’s published guidance for patching your systems (linked in the original advisory); on other distributions, use your distribution vendor’s equivalent advisory.
* Ensure anti-virus software is up-to-date.
* Ensure that your Supervisor machine, which is a mission-critical system, is not used for email access or general web browsing. The Spectre/Meltdown threats require that malicious code be executed on the target machine, and such code typically arrives through malicious web links, malware-laden email attachments and infected USB disks.
* Control physical access to your mission critical systems to prevent attackers from using infected USB disks to infect your machines. Physical security is critical, and your systems must be protected.
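The advisory tells you to patch but not how to confirm that the patch took effect. As an added example, not part of Tridium’s advisory, the following Python script reads the per-issue status files that Linux kernels patched in January 2018 expose under /sys/devices/system/cpu/vulnerabilities/ and turns them into a pass/fail verdict for a Linux Supervisor host. On a kernel that predates those patches the files are absent, and the script deliberately reports UNKNOWN and treats it as unpatched. For a Windows Supervisor the equivalent check is Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings), which is not reproduced here. The SAMPLE dictionary is constructed to show a partially patched host, not captured from a real system.

```python
"""Report Meltdown/Spectre mitigation status on a Linux Niagara Supervisor host.

Added example (not Tridium's code). Each file under SYSFS_DIR contains one
line: "Not affected", "Mitigation: ..." or "Vulnerable..." (kernel 4.15+ and
vendor backports from January 2018).
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# The three issues the advisory covers (Meltdown, Spectre variant 1, Spectre variant 2).
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to NOT_AFFECTED / MITIGATED / VULNERABLE / UNKNOWN."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "NOT_AFFECTED"
    if s.startswith("Mitigation:"):
        return "MITIGATED"
    if s.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"


def assess(statuses: dict) -> dict:
    """Classify every issue. A missing entry means the kernel does not report
    mitigation status at all, which is treated as UNKNOWN (assume unpatched)."""
    return {issue: classify(statuses.get(issue, "")) for issue in ISSUES}


def needs_action(report: dict) -> bool:
    """True when any issue is vulnerable or cannot be confirmed mitigated."""
    return any(state in ("VULNERABLE", "UNKNOWN") for state in report.values())


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Collect the live status files; empty dict on non-Linux hosts or old kernels."""
    out = {}
    if directory.is_dir():
        for issue in ISSUES:
            f = directory / issue
            if f.is_file():
                out[issue] = f.read_text()
    return out


# Constructed sample of a partially patched host (not captured from a real system).
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    report = assess(live if live else SAMPLE)
    for issue, state in report.items():
        print(f"{issue:12} {state}")
    print("ACTION REQUIRED" if needs_action(report) else "OK")
```

Run it as root or any user (the sysfs files are world-readable); when the directory is missing it falls back to the constructed sample so the output format can be seen offline. Fold the "ACTION REQUIRED" verdict into the patch-management process the advisory asks for, so a Supervisor that silently missed a kernel update is caught.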
We are continuing to work with our vendors in our investigation, but at this point, we know the following:
* The JACE 2/3/6/7 families use a much older PPC architecture, and the processor vendor has determined that they are not susceptible to Spectre and Meltdown.
* The JACE-8000 is not affected by Meltdown.
* The JACE-8000 uses an ARM chip that is reportedly vulnerable to a Spectre variant. The vendor of the operating system of the JACE is doing further investigation into what patches could possibly apply. Tridium will be working closely with them to determine what OS changes, if any, should be made to mitigate any threat. In the meantime, Tridium has employed significant security measures that mitigate the threat of malware executing on a device.
A Spectre attack requires malware execution. The security controls that are employed by the JACE-8000 include (but are not limited to) the following:
* Niagara’s JACE-8000 employs a “secure boot” process that validates the integrity of the image at boot time, providing assurance that the root image was not tampered with.
* Niagara 4 employs integrity validation of the core framework at run-time, validating the digital signatures of all Niagara run-time components, ensuring that core Tridium Software has not been tampered with.
* Niagara 4’s Security Manager provides malware prevention by “sandboxing” third party modules, restricting installed software to a limited set of permissions, and terminating execution of any installed software that attempts unauthorized privileges.
* Niagara limits administrative controls and access to sensitive areas of Niagara to authenticated administrators with platform access.
It is important to understand that the security of your Niagara system also revolves around how your system is configured on your network. Please refer to the following documents to ensure that your systems are up-to-date with best practices:
* Niagara AX Hardening Guide (Step-by-Step Guidance for securing your AX systems)
* Niagara 4 Hardening Guide (Step-by-Step Guidance for securing your Niagara 4+ systems)
* TridiumTalk on Cybersecurity – “Defending Your Business Against Cyber Threats” (One hour webinar on Cybersecurity best practices in your organization)
* Q&A from TridiumTalk on Cybersecurity
* Tridium Cybersecurity White Paper
If you have any questions, please contact your Tridium account manager or contact Customer Support via firstname.lastname@example.org.
Homeland Security Advisory TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer. Original release date: November 14, 2017. Systems Affected: Network systems
Overview: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
For a downloadable copy of IOCs, see:
NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:
MAR IOCs (.stix)
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.
The U.S. Government has analyzed Volgmer’s infrastructure and has identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:
India (772 IPs) 25.4 percent
Iran (373 IPs) 12.3 percent
Pakistan (343 IPs) 11.3 percent
Saudi Arabia (182 IPs) 6 percent
Taiwan (169 IPs) 5.6 percent
Thailand (140 IPs) 4.6 percent
Sri Lanka (121 IPs) 4 percent
China (82 IPs, including Hong Kong (12)) 2.7 percent
Vietnam (80 IPs) 2.6 percent
Indonesia (68 IPs) 2.2 percent
Russia (68 IPs) 2.2 percent
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.
Malicious actors commonly maintain persistence on a victim’s system by installing the malware as a service. Volgmer queries the system and randomly selects an existing service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service’s registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.
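The persistence trick described above leaves a concrete artifact: a ServiceDll value that no longer points where a Windows service DLL should. As an added example, not from the DHS alert, the following Python hunt parses the text produced on the host by `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` and flags every service whose DLL lives outside the System32/SysWOW64 directories. The SAMPLE_REG_QUERY text is constructed; the re-pointed lanmanserver entry is a made-up illustration of the pattern, not an observed Volgmer indicator. It is a first pass only: an attacker can also drop the DLL inside System32, so follow up on every ServiceDll with a signature check of the file itself.

```python
"""Hunt for a service whose ServiceDll was re-pointed at a foreign DLL
(the Volgmer persistence pattern). Added example, not DHS/FBI code.

Input: text of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll`
copied from the Windows host. Sample below is constructed.
"""
import re

# `reg query /s` prints a key line, then indented "name  type  data" lines.
# ServiceDll normally sits under <service>\Parameters; a few services keep it
# on the service key itself, so the Parameters suffix is optional here.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\.*\\Services\\(?P<svc>[^\\]+)(?:\\Parameters)?\s*$"
)
VAL_RE = re.compile(
    r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(?P<path>\S.*?)\s*$", re.IGNORECASE
)

# Directories a legitimate svchost-hosted service DLL is expected to live in.
TRUSTED_PREFIXES = (
    "%systemroot%\\system32\\",
    "c:\\windows\\system32\\",
    "%systemroot%\\syswow64\\",
    "c:\\windows\\syswow64\\",
)


def parse_reg_query(text: str) -> dict:
    """Return {service_name: service_dll_path} from `reg query /s` output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("svc")
            continue
        m = VAL_RE.match(line)
        if m and current:
            result[current] = m.group("path")
    return result


def is_suspicious(path: str) -> bool:
    """Flag a DLL loaded from outside the Windows system directories."""
    p = path.strip().lower()
    return not any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def find_suspicious(text: str) -> dict:
    """Services whose ServiceDll warrants a closer look (signature, hash, timestamp)."""
    return {svc: dll for svc, dll in parse_reg_query(text).items() if is_suspicious(dll)}


# Constructed sample: two untouched services and one re-pointed at a DLL in Temp.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\Temp\srvsvc.dll
"""

if __name__ == "__main__":
    for svc, dll in find_suspicious(SAMPLE_REG_QUERY).items():
        print(f"SUSPICIOUS  {svc}: {dll}")
```

Point the script at a saved export from each host in scope; a service name that looks legitimate but loads from ProgramData, Temp or a user profile is exactly the re-pointing the alert describes.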
Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.
Network signature (Snort):

alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)

Host-based rule (YARA):

rule Malformed_UA
{
    meta:
        description = "Malformed User Agent"
    strings:
        $s = "Mozillar/"
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}
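To make the two signatures concrete, here is an added example (not part of TA17-318B) that applies the same logic in Python: the network check mirrors the Snort rule (the malformed `User-Agent: Mozillar/` header must fall entirely within the first 500 bytes of the TCP payload, which is what `depth:500` means), and the host check mirrors the YARA rule (a little-endian `MZ` at offset 0, `PE` at the offset stored at 0x3C, and the `Mozillar/` string anywhere in the file). The beacon and the fake PE bytes are constructed for the demonstration; the benign cases show why the PE header test matters, since a plain text file containing the string must not fire.

```python
"""Volgmer "Mozillar/" detection logic, network and host side.

Added example, not DHS/FBI code. All inputs below are constructed.
"""
import struct

UA_PATTERN = b"User-Agent: Mozillar/"   # Snort `content`
UA_DEPTH = 500                          # Snort `depth:500`
HOST_STRING = b"Mozillar/"              # YARA $s


def matches_network_rule(payload: bytes) -> bool:
    """Snort semantics: the whole pattern must lie within the first 500 bytes."""
    return UA_PATTERN in payload[:UA_DEPTH]


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D ('MZ') and uint16(uint32(0x3c)) == 0x4550 ('PE'),
    both little-endian, with bounds checks YARA performs implicitly."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550


def matches_host_rule(data: bytes) -> bool:
    """YARA condition: PE file AND $s present."""
    return is_pe(data) and HOST_STRING in data


def make_fake_pe(extra: bytes) -> bytes:
    """Minimal byte string that satisfies the PE checks (constructed, not a real binary)."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew -> offset 0x80
    return bytes(header) + b"PE\x00\x00" + extra


# Constructed samples: a beacon with the malformed UA, and a normal request.
BEACON = (b"POST /index.php HTTP/1.1\r\nHost: 203.0.113.10:8080\r\n"
          b"User-Agent: Mozillar/5.0 (Windows NT 6.1)\r\nContent-Length: 12\r\n\r\n")
BENIGN = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
          b"User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n")

if __name__ == "__main__":
    print("beacon:", matches_network_rule(BEACON), "benign:", matches_network_rule(BENIGN))
    print("fake PE with string:", matches_host_rule(make_fake_pe(b"\x00Mozillar/5.0\x00")))
    print("text file with string:", matches_host_rule(b"plain text with Mozillar/ inside"))
```

Treat a hit the way the alert says: a match is a lead for analysis, not attribution on its own, because nothing stops an unrelated program from typo-ing its User-Agent string.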
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include
temporary or permanent loss of sensitive or proprietary information,
disruption to regular operations,
financial losses incurred to restore systems and files, and
potential harm to an organization’s reputation.
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
The proposed Active Cyber Defense Certainty Act (ACDC) would amend the Computer Fraud and Abuse Act to make limited retaliatory action against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker.
A BILL To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ‘‘Active Cyber Defense Certainty Act’’.
Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.
This new webinar focuses on organizational best practices to mitigate risk.
There’s only one day left to register for our new TridiumTalk webinar focused on cybersecurity. Join us September 19 at 11:00 a.m. Eastern U.S. to learn how to develop a strategy to defend against cyber threats.
Tridium chief architect Kevin T. Smith, author of our new white paper Cybersecurity and the IoT—Threats, Best Practices and Lessons Learned, will be leading the TridiumTalk. Recognized industry expert James Johnson will be moderating and taking questions.
With the game-changing IoT, cybersecurity should be a concern for everyone.
Adding network connectivity to any “thing” adds tremendous value, but also brings potential risks to an organization.
Click here to download our new white paper. Kevin and James will cover this material and provide additional insight during the TridiumTalk.
We look forward to you joining us on September 19.
Though each of us, in our own way and at our own speed, has willingly or unwillingly become more acclimated to and accepting of the rapid proliferation of IoT devices connecting us to databases in the cloud, it is still a challenge to fully comprehend the impact this emerging reality will have on our personal lives and professional careers, and we probably should know a lot more. Among the many sources of valuable insight and guidance available to the ControlTrends Community, NIST’s Cybersecurity for the Internet of Things program is certainly one of the best. And for those of you already on top of this challenge, NIST wants to hear from you! The Cybersecurity for IoT program is looking for feedback and potential collaborators.
Summary: NIST’s Cybersecurity for the Internet of Things (IoT) program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and promote U.S. leadership in IoT.
IoT on the Rise: The rapid proliferation of internet-connected devices and rise of the IoT come with great anticipation. These newly connected devices bring the promise of enhanced business efficiencies and increased customer satisfaction. IoT devices could include wearable fitness trackers, “smart” televisions, wireless infusion pumps, and cars—among many others. Internet-connected devices generally sense, collect, process, and transmit a wide array of data, ranging from consumer personally identifiable information to proprietary company data to infrastructure data used to make critical real-time decisions or to effect a change in the physical world.
Just as there are a variety of new uses, the IoT ecosystem’s nature brings new security considerations. These considerations include—but are not limited to—constrained power and processing; the ability to manage, update, and patch devices at scale; and a diverse set of new applications across consumer and industrial sectors.
Source: Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent From 2015.
PC WORLD FROM IDG. Credit: Mark Hachman
This was tweeted to us by cyber security guru Fred Gordy, and was too interesting and too important not to pass on to the ControlTrends Community, especially those with smart thermostats.
What happens if a bad actor turns off your heat in the middle of winter, then demands $1,000 to turn it back on? Or even holds a small city’s power for ransom? Those kinds of attacks to personal, corporate, and infrastructure technology were among the top concerns for security experts from the SANS Institute, who spoke Wednesday during the RSA conference in San Francisco.
Some of these threats target consumers directly, but even the ones that target corporations could eventually “filter down” to consumers, though the effects might not be felt for some time.
Here are the seven most dangerous attack vectors, according to SANS, and what, if anything, you can do about them:
1. Ransomware: Ransomware surfaced more than 20 years ago, but it has since evolved into a seriously scary form of malware: crypto-ransomware, which encrypts your files and demands payment to unlock them. It’s an ideal way for bad guys to attack: Ransomware spreads like a virus, locks up your data independently, and forces you to contact the criminals for payment and recovery, according to Ed Skoudis, an instructor at the SANS Institute.
What you can do: Practice “network hygiene:” patching your system, using antimalware, and setting permissions and network-access controls to limit exposure—once a PC is infected, you don’t want the infection spreading to other PCs on the network. Remember that ransomware is being monitored by actual people, with whom you can negotiate: “Your best bet is to appear small and poor,” Skoudis said, to try to reduce the amount you’ll pay.
2. The Internet of Things. The next stage of the evolution in consumer products is connectedness: Everything from baby cameras to toothbrushes are using wireless protocols to connect to each other and the internet. That, in turn, has left them vulnerable to hacks. Worse still, IoT devices are now attack platforms, as the Mirai worm demonstrated.
What you can do: Change the default passwords. If your smart-home gadget doesn’t allow it, either return it or wait (or petition the manufacturer) for firmware that allows a custom password. You can also take further steps to insulate connected devices by disabling remote access, using a separate dedicated home LAN for IoT devices, as well as a dedicated cloud account for controlling them, Skoudis said.
3. The intersection of ransomware and IoT. Last year, an Austrian hotel was hacked, disrupting its keycard system. Such attacks could eventually migrate to your home, holding your smart thermostat hostage (and set at 40 degrees, say) until you pay up.
What you can do: Right now, this sort of attack is more theoretical than anything else. But it’s something to think about as you start building out your home: How much automation is too much? “You have to ask yourself, what is the right balance between man and machine?” said Michael Assante, director of industrials and infrastructure for SANS.
4. Attacks against the industrial Internet of Things. In 2015 and again in 2016, unknown hackers took down power distribution in Ukraine, leveraging the growing trend of automated, distributed systems against the power company. Fortunately, first responders were quickly able to manually flip the breakers and restore power. But there’s no guarantee that will always be the case, and what happens if Pacific Gas & Electric’s or Con Edison’s infrastructure is hacked?
What you can do: As consumers, not much. Infrastructure organizations are going to have to decide whether to operate with intelligent systems, or shut them down. Scaling up with increased automation can help lower your power costs—but the penalty may be increased vulnerability to outside attacks, Assante warned.
5. Weak random number generators. Truly random numbers are the basis of good encryption, securing Wi-Fi and a broad range of security algorithms, according to Johannes Ullrich, the director of the SANS Internet Storm Center. But many “random” number generators aren’t truly random, which makes the encryption built on them easier to crack. This gives an edge to criminals, who may exploit this to unlock “secure” encrypted connections.
What you can do: This is a problem for device manufacturers to solve. Just keep in mind that your “secure” network may in fact be weaker than you think.
6. An over-reliance on web services. More and more, apps and software are talking to and incorporating third-party services, such as Docker or Azure. But there’s no real certainty that those apps are connecting to the expected entity, or whether an attacker is stepping in, stealing data, and returning false information.
What you can do: Again, this is a problem for developers. But Ullrich warned that mobile apps are becoming increasingly vulnerable, so even if an app isn’t trying to steal your data, the “service” it thinks it’s connecting to may be.
7. NoSQL injection attacks against NoSQL databases. This is another developer problem, but it could affect data collected about you. For years, SQL injection, where attacker-supplied input is interpreted as part of a SQL query, was one of the scourges of the internet. Now, as developers move from SQL to NoSQL databases like MongoDB, they are finding that those databases are not as secure as they should be.