Register Now at www.phoenixcontact.com/
Are your cities and buildings ready for IoT?
Join Phoenix Contact for a one-day thought leadership event designed to bring you up-to-date on the latest legislative and technological developments in today’s smart world.
Learn from renowned technical experts and civic leaders.
- Gather, organize, and analyze relevant data
- Secure your communication infrastructure
- Implement smart technologies and automation in your communities
Date: August 20, 2019
Time: 8:00 a.m. – 3:30 p.m.
IoTium's OT Access is your Remote Access Solution!
Operations Technology (OT) teams need to provide employees, trusted third parties, and technicians secure remote access to on-site systems for OT installations, monitoring, and maintenance.
Provision, authenticate, manage, and audit secure remote access for third-party vendors and technicians to all your assets across the globe through a single pane of glass using ioTium’s OT-Access. OT-Access is a remote access management infrastructure offered as-a-service that puts you in control to enable scalable agent-less secure third-party remote access to your mission-critical assets. This enables a uniform methodology for you to manage and monitor which technicians from which vendors are accessing which subsystems and touching which applications across all your assets globally in verticals including Building Automation, Oil & Gas, Power and Utilities, Manufacturing, Healthcare, and Smart Cities.
Uniform Global Secure Access
Streamlined secure third-party remote access to all your assets globally.
Plug & Go
Simply plug in the ioTium iNode and leave all the heavy lifting to ioTium’s OT-Net infrastructure. Use OT-Net to provision, authenticate, manage, and audit secure third-party remote access in minutes.
Requires no new software download or install by vendors and technicians to securely connect to industrial subsystems and assets across the globe.
Monitoring and Audit
Continuous centralized monitoring and audit of access, with reports on who accessed the network and when.
Ease of access management through centralized enforcement to grant or revoke technician/vendor access to assets.
Shields vulnerable devices from exposure to public internet by enabling secure remote access to vendors while the devices continue to remain in private networks.
Agenda (All times listed are in ET)
- 10:00-11:00 AM Expert Panel: How does cybersecurity affect safety, and what should you do about it?
- 11:30-12:00 PM Chat with the Expert: Mitigating Cyber Risk for Critical Infrastructure
- 12:00-1:00 PM Expert Webinar: Cybersecurity for Smart Building Control Systems
- 1:00-2:00 PM Expert Panel: Defending Against The 3 Biggest Cyber Threats
- 2:15-3:15 PM Expert Webinar: The Power of Connecting: Secure Connected Electrical Systems with EcoStruxure Power
- 3:30-4:30 PM Expert Webinar: Modernizing Your Operation For A Cyber Safe Environment
Niagara Framework — Your Head Start on the Journey to Cybersecurity. There are now more devices that connect to building control systems than the last generation of building engineers could have ever imagined — more consumer- and occupant-owned mobile devices, more enterprise software systems, and more IP-enabled edge devices.
Episode 255: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending Feb 18, 2018 features our interview and cyber security discussion with two of our industry’s most venerated experts from Intelligent Buildings, Darryl Benson and Fred Gordy. Darryl and Fred offer the ControlTrends Community some astute advice and pose an interesting question to system integrators: Do you want to maintain the cyber security risks …
By Josh Fruhlinger, CSO. The “dark web” is a phrase that strikes an ominous tone, conveying an impression of a marketplace where anything is for sale: hacking tools, weapons, drugs, child pornography, even freelance assassination services. And according to experts we spoke to, all of that’s still true. But something has changed in the way the dark web does business. If there was a time when venturing online to buy these illegal items was like taking your life in your hands in a dark alley, today the experience is quite different.
Take drugs, just as an example category. “The best analogy I can give for the expanse of dark web drug offerings is that it would be like walking into a major supermarket for the first time having only ever shopped at a corner store,” says Emily Wilson, director of analysis at Terbium Labs. “Almost anything you want is available from a huge host of vendors—all of whom are competing to assure buyers that their product is the freshest, purest, safest, most readily assured high available. People like to compare and contrast their experiences in detailed write-ups, and the vendors are incentivized to develop loyalty: ‘Check out this freebie of my new product,’ or ‘Hey, sorry about the slow shipping—I threw in a little extra for you.'”
And it’s not just drugs where the dark web has gone corporate. It’s happening across the board—and what most of the experts we spoke to wanted to talk about was especially the various hacking and shadowy technology services available. In hearing the details, it’s hard to avoid the realization that the various criminals on the dark web are taking their cues from the practices of corporate IT.
Products: Malicious code for sale, with instructions
Exploits and attack code can be devilishly complex to discover or build from scratch. The dark web provides a marketplace that connects programmers who have the needed skills with those who have the motivation to unleash them. Ido Wulkan, intelligence team lead at IntSights, points to several malware packages for sale on the dark web, including Dr0p1t-Framework, a trojan that downloads other malware, and the Silent Word exploit, which converts a malicious .EXE file into an innocent-seeming .DOC.
Buyers of these exploits don’t need to be master hackers themselves. “If you have relatively little technical knowledge,” says John Shier, senior security expert at Sophos, “there are guides on how to spread your malware, and also phishing and carding tutorials.”
Services: No need to do it yourself
But just as many enterprises no longer build or even deploy their own in-house tools, so too do many criminals outsource the deployment of their misdeeds. Even if you’re sick of the endless “-as-a-service” acronyms in IT (Software-, Infrastructure-, Platform-), you’ll need to add another one: RaaS, or ransomware-as-a-service.
“RaaS providers give their customers fully functional ransomware with a dashboard to track victims and support services should they need it,” says Shier. “In exchange, the authors of the RaaS portal ask for either a percentage of the ransom or a flat fee. The only thing left is for the customer to distribute the ransomware, possibly using the services of a spammer purchased separately or by doing it themselves using the knowledge they gained from the tutorials.” And if you need more evidence of this in the real world, experts are now beginning to see the Petya ransomware as a RaaS attack.
Evolving Towards a Homogenous Society: The Risk of the New Digital Economy
Understanding how information technologies, services, configurations, controls, and behaviors change over time is important to monitoring, anticipating, and preventing new exploits, malware, and botnets.
Ransomware is only one of a variety of attack options, of course. Nathan Wentzler, chief security strategist at AsTech, says that on the dark web you can pay for “more targeted arrangements that can cross the line from mischievous or ‘just another attack’ to illegal attacks to obtain specific intellectual property, national defense or military information, and other very sensitive (and valuable) data.”
Infrastructure: Why buy if you can rent
There are plenty of more mundane IT services that cybercriminals need, and naturally these are also available on the dark web. Email servers, for instance: “The ability to send and receive your mail in an anonymous way is crucial for many, for good and for bad,” says Chris Roberts, chief security architect at Acalvio. You can also buy computer time on other types of servers. “Think of them as AWS for the dark net,” says Roberts. “Some care what content you have and some don’t.”
And if you’re looking to set yourself up as the next Dread Pirate Roberts—well, you’re going to need infrastructure to sell things, and again, the dark web can provide. “A group calling itself ‘TeamZero’ is selling a black market framework, which allows ‘merchants’ to sell just about anything on the dark web,” says Wulkan. “They provide a turnkey infrastructure, just like eBay or Shopify—but for illegal goods and services.”
Blueprints, consulting, and more
If you’re looking to avoid work (and avoid getting your hands dirty), the dark web will connect you with hackers willing to consult on specific tasks for a specific price. Say you’re looking to breach a particular organization. “While you may not find organization-specific attack blueprints, like the stereotypical fraternity test file, you can find things like IP addresses, server locations, or device passwords as well as instructions for executing specific attack types on the deep web,” says Stu Bradley, VP of cybersecurity solutions at SAS. “These are enough for the skilled adversary to begin a successful campaign. Or, if you’re too busy or perhaps lack the skill to execute an attack yourself, why not subcontract it out to a hacker? You can easily find a hacker to conduct the attack with a guaranteed service level and money back if you’re not satisfied.”
Mike Viscuso, co-founder and CTO of Carbon Black, points to the Xdedic dark web marketplace, where you can connect with criminals who offer up already compromised servers on a platter. “Authorized sellers provide compromised systems and credentials for the systems in bulk to the marketplace,” says Viscuso. “The marketplace operators then validate access to the system and record details about it, such as the antivirus used, browsers available, whether the system is virtualized, and the physical characteristics of the system like the CPU model and speed, amount of RAM, and the OS installed.”
Service with a smile
Any wary IT pro who’s tangled with consultants and contractors knows that deals can go sour even when the business is above board. How can you be sure that you’ll get what you pay for when you’re dealing with, well, actual criminals? The dark web also provides plenty of ways to establish honor among thieves. Ross Lasley, chief geek at The Internet Educator, says that many web defacements are proofs of concept, perpetrated by hackers to show they have the skills and access for the real jobs.
Users also have access to Yelp-style reviews of products and services (this tutorial on buying from the AlphaBay market gives a glimpse). And then there are business incentives. “Sellers on these forums are incentivized to not engage in fraud or deceptive practices, because their reputation as legitimate sellers is at stake and therefore their ability to continue selling and making money would be jeopardized,” says Armond Caglar, principal with Liberty Advisor Group. “Some professional sellers request that any complaints or inquiries be first resolved directly with the seller over encrypted channels first, so that the seller would have time to redress a grievance prior to a buyer officially publishing a negative review.”
Caglar explains that there are even mechanisms for resolving disputes and fixing problems that any IT pro would recognize: “Some of the more professional marketplaces have a mechanism in place for buyers and sellers to submit trouble tickets, which could include complaints about a buyer or a seller. If there is a dispute with an unhappy customer, theoretically that person could submit a trouble ticket and complain, and the Bitcoin they used to purchase the good would not be released to the seller.”
Grown up, but not well-behaved
From one point of view, this is a fascinating transition, and it says volumes about how the practices of modern business have arisen to meet the real needs of buyers and sellers. But none of it mitigates the illegal and dangerous nature of what happens on the dark web. If anything, the message here is that criminals are getting more efficient. It may be that the only thing worse than hacking services for sale online is hacking services for sale online in a frictionless marketplace that lets those with ill intent harness the skills of advanced programmers with some Bitcoin and a single click.
On August 1, 2017, the U.S. Government took a significant “lead by example” step forward in the battle for Internet of Things (IoT) security. Chief among the vendor commitments that must be made to the U.S. Government: that their IoT devices are patchable; that the devices don’t contain known vulnerabilities; and that the devices don’t contain hard-coded passwords.
While ‘Internet of Things’ (IoT) devices and the data they transmit present enormous benefits to consumers, the relative insecurity of many devices presents enormous challenges.
Thus far, there has been a significant market failure in the security of these devices.
Sometimes shipped with factory-set, hard-coded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. Additionally, the sheer number of IoT devices – expected to exceed 20 billion devices by 2020 – has enabled bad actors to launch devastating Distributed Denial of Service (DDoS) attacks. This legislation is aimed at addressing the market failure by establishing minimum security requirements for federal procurements of connected devices. The legislation requires vendor commitments:
- That their IoT devices are patchable.
- That the devices don’t contain known vulnerabilities.
  - If a vendor identifies vulnerabilities, it must disclose them to an agency, with an explanation of why the device can be considered secure notwithstanding the vulnerability and a description of any compensating controls employed to limit the exploitability/impact of the vulnerability.
  - Based on this information, an agency CIO could issue a waiver to purchase the device.
- That the devices rely on standard protocols.
  - Outside experts emphasize the importance of having the vendor disclose what network protocols are in use, for instance to assist the Department of Homeland Security’s (DHS) Einstein program.
- That the devices don’t contain hard-coded passwords.
Recognizing that it may be infeasible for certain devices to meet those requirements, and in consideration of network-based technologies that can help manage risks from insecure devices:
- Agencies may ask the Office of Management and Budget (OMB) for permission to purchase non-compliant devices if they can demonstrate that certain compensating controls have been employed.
- The legislation empowers OMB, working with the National Institute of Standards and Technology (NIST) and industry, to specify particular measures (such as network segmentation, use of gateways, utilization of operating system containers and microservices) for agencies to employ.
While the legislation establishes modest new device security requirements, it offers flexibility to agencies to waive these requirements in the event that:
- Agencies employ their own equivalent, or more rigorous, device security requirements; or
- Industry develops third-party device certification standards that provide equivalent, or more rigorous, device security requirements (as determined by NIST).
The legislation directs the DHS National Protection and Programs Directorate (NPPD) to:
- Work with industry to develop coordinated disclosure guidelines for vendors selling IoT to the US government, which vendors would then adopt, allowing researchers to uncover vulnerabilities in those products and responsibly share them with the vendor, without fear of liability under the Digital Millennium Copyright Act (DMCA) or Computer Fraud and Abuse Act (CFAA).
  - Vulnerabilities found and reported to vendors must be patched (or devices must be replaced) in a timely manner.
The legislation requires that agencies maintain an inventory of IoT devices in use.
- It also requires OMB to submit a report to Congress after 5 years on the effectiveness of the guidelines and any recommendations for updates.
The legislation allows OMB to waive, in whole or in part, any of the requirements after 5 years.
Lynxspring’s Cyber Security expert, Marc Petock reminds us that October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about cyber security.
From Marc Petock: We live in a world that is more connected than ever before. The Internet touches all aspects of our business and personal life. From a business perspective, the negative consequences that cyber incidents can cause are disruptive and potentially catastrophic. The value of taking additional measures and procedures to increase the cyber security posture of your systems far outweighs the risk of not making them secure.
Here are a few questions to ask yourself this month:
Who has a specific plan in place in case of a cyber incident?
Are discussions around cyber security regular within your organization?
Are you secure?
How do you know you were not compromised today?
How would you know?
What would you do about it if you were?
What is your organization’s sensitive data, and where is it?
Are you prepared to face a threat(s)?
Do you have a cyber security statement for your organization?
How about the companies in your supply chain, are they secure?
When was the last time you did an audit of your building systems to find out “what’s in your closet?” Do you know how and what your smart building devices are connected to?
For your future BAS projects (new, upgrades, change-outs), is cyber security addressed? Is it part of the discussion and project?
Is the technology you purchase patchable?
Do you have a patch management process and procedure?
Who and what is involved?
When a vulnerability is discovered, have you made it clear to your providers what you expect?
When it comes to a discovered vulnerability, what is the manufacturer’s responsibility? What do you expect of them?
Is cyber security a board room discussion at your organization?
Cyber security can no longer be thought of as a “nice to have”. The operational, financial and reputational impact to a business is tremendous. Security must be considered a fundamental requirement. Take this month to get engaged or get re-engaged with good cyber security practices.
Vice President, Marketing
1210 NE Windsor Drive
Lee’s Summit, MO 64086
There are free tools readily available to anyone that can not only scan BACnet networks but also give the user the ability to make changes to individual control points, set schedules, review logs, view and acknowledge alarms, and turn your BACnet devices into “bricks”.
What Can The Tool Do?
The first thing I found was the ease of use of this program. In order to scan the network all I needed was one BBMD. First, use an IoT search engine to find a publicly exposed BBMD (there are literally thousands of exposed BBMDs worldwide). The image below shows the results of taking one of these IPs and entering it into the tool. As you can see from the one found using the IoT search engine, the scan revealed even more IPs that are not listed on the IoT search engine. In addition to finding other BACnet IP devices, it discovered MS/TP (serial communicating) BACnet devices as well. There can be hundreds of devices attached to the system and thousands of points underneath the devices that can be controlled with this tool.
All the devices and points can be accessed without using a user/password.
By clicking on a device in the top left window (image below), the device’s associated points will be displayed in the bottom left window. These points can be dragged into the middle window, and their value and status are displayed along with device ID, object ID, name, and update time.
Clicking on a point in the bottom left window will display its properties in the window on the far right.
You have full control of the properties to be able to write to it.
The point property window allows for editing of the point parameters. In the image below the call-outs show what is editable (in black) and parameters that could take the point offline (in red). Depending on the point type, command and control of these points/devices could lock operators out, change VFD speeds to an unsafe level, modify setpoints, etc.
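The exposure described above comes down to two facts about BACnet/IP: the protocol carries no authentication, and a BBMD that answers foreign-device registrations from the Internet hands an outsider the whole network behind it. The example below is added here from the defender's side and is not code from the original article or from the tool it describes. It parses BACnet/IP datagrams far enough to name the service being invoked and flags the two conditions a building operator should be watching for: a Register-Foreign-Device arriving from outside the building's address space, and write or control services (WriteProperty, WritePropertyMultiple, DeviceCommunicationControl, ReinitializeDevice) from any host outside an operator allowlist. The packets, the 10.1.1.5 workstation, the 198.51.100.7 outside address (a documentation range standing in for an Internet host) and the allowlist are all constructed for the example.

```python
"""Triage of BACnet/IP datagrams for unauthenticated write/control traffic.

Added example, not from the original article. BACnet/IP has no authentication,
so the practical controls are keeping BBMDs off the public Internet and
watching who issues write/control services. The parser decodes the BVLC, NPDU
and APDU headers just far enough to name the service invoked, then applies two
detection rules. Every packet and address below is constructed for the example.
"""
import ipaddress

BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x05: "Register-Foreign-Device",
                  0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
CONFIRMED_SERVICES = {0x0C: "ReadProperty", 0x0F: "WriteProperty",
                      0x10: "WritePropertyMultiple",
                      0x11: "DeviceCommunicationControl", 0x14: "ReinitializeDevice"}
UNCONFIRMED_SERVICES = {0x00: "I-Am", 0x08: "Who-Is"}
WRITE_SERVICES = {"WriteProperty", "WritePropertyMultiple",
                  "DeviceCommunicationControl", "ReinitializeDevice"}
# Address ranges treated as "inside the building network" for the exposure rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_bacnet_ip(data: bytes) -> dict:
    """Decode one BACnet/IP datagram into {'bvlc': ..., 'service': ...}.

    Raises ValueError for anything that is not a well-formed BVLC frame.
    """
    if len(data) < 4 or data[0] != 0x81:
        raise ValueError("not a BACnet/IP frame (BVLC type 0x81 expected)")
    function = data[1]
    if int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("BVLC length field does not match datagram size")
    info = {"bvlc": BVLC_FUNCTIONS.get(function, f"bvlc-0x{function:02X}"),
            "service": None}
    if function == 0x05:                  # Register-Foreign-Device: 2-byte TTL only
        info["ttl"] = int.from_bytes(data[4:6], "big")
        return info
    pos = 10 if function == 0x04 else 4   # Forwarded-NPDU prepends a 6-byte origin
    if data[pos] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = data[pos + 1]
    pos += 2
    if control & 0x20:                    # DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + data[pos + 2]
    if control & 0x08:                    # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + data[pos + 2]
    if control & 0x20:                    # hop count follows the addresses
        pos += 1
    if control & 0x80:                    # network-layer message, no APDU
        info["service"] = "network-layer-message"
        return info
    apdu = data[pos:]
    pdu_type = apdu[0] >> 4
    if pdu_type == 0:                     # Confirmed-Request
        idx = 5 if apdu[0] & 0x08 else 3  # segmented requests add seq + window
        code = apdu[idx]
        info["service"] = CONFIRMED_SERVICES.get(code, f"confirmed-0x{code:02X}")
        if code == 0x0F and apdu[idx + 1] == 0x0C:   # context tag 0: object id
            obj = int.from_bytes(apdu[idx + 2:idx + 6], "big")
            info["object"] = (obj >> 22, obj & 0x3FFFFF)   # (type, instance)
    elif pdu_type == 1:                   # Unconfirmed-Request
        info["service"] = UNCONFIRMED_SERVICES.get(apdu[1], f"unconfirmed-0x{apdu[1]:02X}")
    else:
        info["service"] = f"pdu-type-{pdu_type}"
    return info


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(src_ip: str, data: bytes, allowlist: set) -> list:
    """Apply the two defender rules to one datagram and return alert strings."""
    info = parse_bacnet_ip(data)
    alerts = []
    if info["bvlc"] == "Register-Foreign-Device" and not is_internal(src_ip):
        alerts.append(f"{src_ip}: foreign-device registration from outside the "
                      f"building network (BBMD reachable from the Internet)")
    if info["service"] in WRITE_SERVICES and src_ip not in allowlist:
        obj = info.get("object")
        target = f" to object type {obj[0]} instance {obj[1]}" if obj else ""
        alerts.append(f"{src_ip}: {info['service']}{target} from a host outside "
                      f"the operator allowlist")
    return alerts


# Constructed sample traffic: (source IP, raw UDP payload on port 47808).
WHO_IS = bytes.fromhex("810B000C0120FFFF00FF1008")            # Who-Is broadcast
WRITE_PV = bytes.fromhex(                                     # WriteProperty present-value
    "810A001A01040005010F0C0080000119553E44428200003F4908")   # = 65.0 on analog-value 1
REGISTER_FD = bytes.fromhex("81050006003C")                   # Register-Foreign-Device, TTL 60
SAMPLE_TRAFFIC = [("10.1.1.5", WHO_IS), ("10.1.1.5", WRITE_PV),
                  ("198.51.100.7", REGISTER_FD), ("198.51.100.7", WRITE_PV)]
OPERATOR_ALLOWLIST = {"10.1.1.5"}   # hypothetical operator workstation


def run_triage(traffic=SAMPLE_TRAFFIC, allowlist=OPERATOR_ALLOWLIST) -> list:
    return [a for src, pkt in traffic for a in triage(src, pkt, allowlist)]


if __name__ == "__main__":
    for alert in run_triage():
        print(alert)
```

Run as-is it raises two alerts: the foreign-device registration from 198.51.100.7 and the WriteProperty to analog-value 1 from the same host, while the identical write from the allowlisted workstation passes. In practice the same logic sits behind a span port or a UDP/47808 capture feed; the allowlist is the list of BMS workstations and the set of write services is where to start, not where to stop.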
There are many more things that this program can do, and below are a couple of examples.
Edit Notification Settings
View Trend Logs