The increased adoption of high-speed internet for private, commercial and industrial use delivers a wealth of benefits. But these new levels of interconnectivity bring risks and dangers. As connectivity is increasingly integrated at the core of our industrial complexes, the threats of malicious cyberattacks become more acute. And with more and more of our industrial infrastructure now connected to the internet, the repercussions of successful penetrations become a matter of life and death, on a massive scale.
As a leading OT cybersecurity provider, OTORIO is a strong believer in the power of the industrial cybersecurity community. Extensive experience protecting the industrial cybersecurity space has clearly demonstrated the value of combining our capabilities with that of others in the OT cybersecurity space. The recent release of the open-source tool, Chronos, exemplifies this commitment by extending a new, free resource to the community that simplifies indexing of artifacts and logs into the ElasticSearch DB.
To support the community, OTORIO operates on a variety of collaborative fronts. Specifically, our researchers develop open-source industrial cybersecurity tools, share their research results, contribute to threat intelligence knowledge bases and also join forces with other companies as part of a collaborative effort to share resources and knowledge for the greater good.
The best way to effectively combat the threats described above is a collaborative approach. Across the world, industrial cybersecurity companies and professionals are rising to the challenge, forming security communities that share resources and data sets. As the tactics that bad actors use evolve, so do the measures to thwart them. By openly sharing methods for threat detection, incident response, vulnerability analysis, and more, security professionals can eliminate silos and leverage lessons learned from others for the benefit of all.
We have a responsibility to share our experience and collaborate with the wider industrial cybersecurity community. Our intelligence groups freely contribute their findings, tools and collaborate with other cybersecurity as part of our commitment to developing cohesive, community-driven set of tools.
As part of our commitment to the industrial cybersecurity community, OTORIO takes pride in the release of open-source tools created for their free use.
As such, we recently launched our new open-source tool, Chronos. Chronos is a simple to use python-based framework that simplifies the investigative work of analysts within the context of incident response use cases.
Incident response has two main goals -- discovering the root cause of the incident and documenting the entire story of the incident. This is achieved by collecting logs and artifacts from the system’s data sources, saving and indexing them and investigating suspicious indicators -- from both before and after the event that led to the incident -- to better understand the tactics used to perpetrate the incident.
Chronos converts artifacts and logs into unified records and then indexes the results to Elasticsearch DB for more convenient analysis. This empowers faster, more efficient analysis by offering different visualizations and advanced analytics through different scripting capabilities.
Chronos is accessible on GitHub.
A great example of an open-source, community-driven tool is the MITRE ATT&CK framework. This feely accessible knowledge base aggregates adversary tactics and techniques using real-world observations. It is used as a foundation in the development of threat models and methodologies for private use, security vendors and different government departments. Their valuable framework provides data sources that outline vulnerable systems and detail the logs that should be collected to identify abusive techniques. Using MITRE ATT&CK framework, the detection of common patterns, authors and threat tracking is simplified.
MITRE CALDERA, which is based on MITRE ATT&CK is an open-source cybersecurity framework designed for autonomous breach-and-attack simulations. It’s also used to run manual red team engagements or automated incident response.
OTORIO has adapted CALDERA for the industrial cybersecurity space by developing the world’s first industrial adversary emulation platform for OT environments, OT CALDERA. Our research group developed dozens of attack scenarios dedicated to OT cyber security to enable our colleagues to test security systems in the ICS environment.
To ensure that it’s not used by malicious actors, OT CALDERA is not freely accessible. However, we encourage our colleagues and researchers to reach out to our team to learn more about OT Caldera and to share their knowledge.
CIMPLICITY is a well-known HMI/SCADA system developed by GE Digital. Highly scalable, this automation platform delivers visualization and control for industrial systems. It’s widely used across almost every industry and is a key component that controls and monitors manufacturing operations. Although GE Digital and its customers expend significant efforts, securing such a complex system is a challenge. Multiple connections and data flows at different levels of the manufacturing facility present a complicated cybersecurity environment.
OTORIO’s security hardening open-source tool for CIMPLICITY verifies the security setup of the different CIMPLICITY configurations. It provides 16 OT security insights derived from GE’s security recommendations. The hardening tool can also be used to confirm that the CIMPLICITY installation was executed in a secure environment and to ensure that the system remains secure over time.
A misconfigured security configuration on a target endpoint is relatively simple to exploit. As such, we believe that addressing configuration issues is just as important -- if not more -- than vulnerability scanning and mitigation.
OTORIO’s Siemens PCS 7 hardening tool was designed to verify that all the servers used in the PCS environment were installed securely. It provides 15 OT security insights based on Siemens's security recommendations that help ensure the integrity of the operations layer within the OT environment.
OTORIO’S PCS 7 hardening tool is available here.
As part of our efforts to join forces with other industrial cybersecurity companies and professionals, OTORIO shares its knowledge with the community.
The OTORIO Research group is dedicated to continuously investigating a variety of commercial, open-source and dark web sources to better understand the digital footprint of industrial companies. Our efforts have resulted in the creation of an unparalleled ICS threat knowledge base that leverages knowledge gained from active threat hunting on our customers’ premises.
This knowledge is openly shared on the ATT&CK for ICS knowledge base.
Remote access is increasingly becoming a critical need in the Industry 4.0 era. This demand has only intensified during COVID-19, as more and more organizations rely on remote workforces that connect from a distance to keep operations up and running. Among the more widely used remote access tools currently used in the industrial arena are B&R's SiteManager and GateManager, and mbConnect’s mbConnect24.
While performing penetration tests, OTORIO researchers discovered dozens of critical security flaws in the MBConnect and B&R solutions. By exploiting the detected vulnerabilities, OTORIO pen-testers were able to take over servers and gain access to sensitive customer information and even proprietary source code. This was only one of the numerous potential attack techniques discovered by our team.
OTORIO collaborates with other leading companies to generate valuable research critical to understanding cyber threats, and develop security measures to combat them.
OTORIO researchers, in collaboration with Check Point, successfully analyzed and researched a large-scale phishing campaign to better understand the overall infection chain, infrastructure and email distribution methodology.
The phishing campaign in question used emails posing as normal Xerox scan notifications bypassed Microsoft Office 365 Advanced Threat Protection filtering and tricked more than a thousand corporate employees into providing their credentials.
By working with researchers from CheckPoint, OTORIO was able to uncover significant details into how the phishing campaign worked, clearly outline the WordPress infrastructure that was used and draw conclusions about the Tactics Techniques and Procedures (TTP) leveraged. Additionally, the research discovered the identity of the victims across different industries and found correlations to previous phishing campaigns executed by the same authors by comparing their TTPs.
Read more about our discoveries here.
In a reality defined by increasingly frequent cyber attacks, risk prioritization and mitigation is essential to ensuring business continuity. Accenture Labs and OTORIO use their extensive knowledge in the OT Cyber Digital Twin and OT cybersecurity domains to develop tools that address this critical need.
The collaboration resulted in the creation of a number of tools that successfully analyzed potential attack paths and estimated their operational and business impact. The teams used an OT Cyber Digital Twin to develop a combined attack graph that demonstrates possible risks to an OT network. To support prioritization, the teams then measured the production impact of each vulnerability using a process-aware attack graph. This enabled clear business context visibility over the entire OT and IT network, so that mitigation actions are evaluated and prioritized according to their ability to reduce business impact.
Image provided by Accenture Labs
OTORIO’s belief in a collaborative, community-driven approach to OT cybersecurity has led to quite a few successful initiatives. These initiatives can be classified across three different categories, including contribution to open-source knowledge bases and development of open-source tools, and private research collaboration with other enterprises.
As we continue our groundbreaking work that is vital to the protection of our core industrial infrastructure, we are proud to share the fruits of our labor. Our hope is that other cybersecurity professionals, companies and communities will leverage our work to help make the world safer and more secure for the greater good of everyone.