Friday, July 31, 2020

Ten Years After Stuxnet Went Public - And Now?

One of the senior experts in cyber security wrote today:

"Recently many of us noted the 10th Anniversary of when Stuxnet went public. Some commentators think it was for cyberspace a “Hiroshima” type of event. Some have been saying that there have been no other events like it since and this puzzled me. So I wrote my thoughts down to share."

Another senior expert is wondering why so little information is disclosed, and why there is a lack of guidance, about control system cyber security incidents that can affect multiple facilities in multiple industries:

Both are worth reading!

Tuesday, July 28, 2020

IEDScout 5.00 Available - One of the Most Crucial Test Tools for IEC 61850

IEDScout is a well-known test tool that covers most of what is needed when communicating with IEC 61850 compliant devices.
Omicron has released version 5.00 ... providing crucial extensions compared to version 4.2:

IEDScout is a versatile software tool for working with IEC 61850 devices. With Version 5.0, IEDScout offers a new level of cyber security and powerful simulation utilizing the new MBX1/RBX1 hardware.
Additional improvements are:

  • IEDScout now supports function-related naming for logical devices
  • The icon set has been updated to provide a smooth user experience when used together with StationScout/StationGuard.
  • When writing data to an IED, IEDScout will now automatically update the “t” attribute of the data object.
  • Improved screen scaling for better readability on high resolution screens.
  • License information is now available in the configuration dialog.
  • OMICRON’s IEC 61850 library has been updated to include the latest developments in standardization and improve interoperability.
  • The usability of IEDScout is continuously improved based on expert reviews and customer feedback.
  • Several smaller tweaks and bug fixes improve overall performance and stability.

Click HERE for more information on IEDScout 5.0

Monday, July 20, 2020

PhD Student Working On Cyber Security In Critical Infrastructures

Fredrik Heiding (PhD Student) wrote the other day:

Fredrik Heiding, PhD Student, Network and Systems Engineering
KTH, Royal Institute of Technology

I am doing a PhD on cyber security in critical infrastructure. Currently I study the security trends for critical infrastructures in Europe, analyzing where it is heading and how it is developing. To strengthen the study I have identified seven general questions, they are general in nature so they can be answered by people in critical positions without revealing sensitive information.
Here are the Questions from Fredrik and Answers from a very senior expert:
Vytautas Butrimas wrote in the introduction to his answers:
This is a particularly interesting time in CIP. I come from an IT background and have focused mostly on the cybersecurity of industrial control systems in the past 10 years. This has been a long learning curve for I found that my IT knowledge did not provide enough to understand the engineering and laws of physics that are dominant in the monitor and control of physical processes found in the pumps and compressors on fuel pipelines, treatment of drinking water, routing of trains, and the generation and distribution of electricity. One needs to know the implications and peculiarities between working IT office time and real time to work in this field.
I looked at your questions and will give brief answers.  If you wish to further discuss them with me then we can do so offline.
Question 1:
What concerns for the future do you have regarding cyber security in critical infrastructure?

Answer 1:
How the introduction of increased complexity of systems (systems of systems, adding more sensors, increased connectivity) will be managed without taking away from safety, reliability and performance.

Question 2:
Over the past decade, digital attacks have become more central to the security of critical infrastructure. Do you think the trend will continue to increase or culminate?

Answer 2:
There are some signs that things will get better but at the same time they will get more complicated.  Security practitioners need to realize that much more attention is needed where the physical process is taking place and the devices closest to it that are monitoring and controlling it, not where they are being monitored by humans in a remote location or control room.  ** One more thing we should not just be focused  on „ATTACKS“.  We also have to consider unintended actions or accidents. As the complexity of systems and connectivity of devices increases so will the unintended or „why did that happen?“ incidents.***

Question 3:
What relevant research or technological advances do you find most interesting for the future?

Answer 3:
Have to think about this one.  It feels we are all trying to keep afloat in a tsunami of technological advances.  The ones that worry me the most are the new features which also come with vulnerabilities that need to be addressed before a malicious group decides to exploit them.

Question 4:
Do you see IIoT (Industrial Internet of Things) as an opportunity or a concern, if both, which part is greatest (positive or negative)?

Answer 4:
I see it mostly as a concern (see my earlier answers). I suggest watching a video available on youtube called "Brave New Internet 4.0 " by one of your famous countrymen, Ralph Langner.  The questions and concerns he raised in that lecture IMHO have not been addressed.

Question 5:
Do you have plans to, or do you think that you will expand the cyber security department in the coming years?

Answer 5:
I am currently working my way out of "mandatory retirement" and am not in a position to expand anything (perhaps later this year I will change my answer).  If I was in a position of influence at an operator of CI (energy sector for example) I would do my best to set up some support for the senior engineer of the plant.  When he sees something unusual going on in the operation he should be able to assign this problem to a security operation center. Could be at least one person or a small team that understands cyber threats and how they could be applied to the engineering side of the operation.  The senior plant engineer has to keep things running and does not have time to stop and investigate something.  He needs someone to help him and an ICS SOC could be a good solution if management is willing to spend the money for the positions and training.

Question 6:
Can you share anything about past attacks/intrusion attempts, both successful and unsuccessful attempts are interesting?

Answer 6:
Look at the freely available information online. Look up Ralph Langner to learn about STUXNET. It happened 10 years ago and this is probably the most analyzed and documented incident we have today that is publicly available.  Much can still be learned for the methods continue to be applied today. In 2014 in Germany your government (BSI) published its yearly report on cyber incidents.  There is a section devoted to a cyber attack on a steel mill that had an uncontrolled shutdown and resulted in damage. Look at Triton/Trisis/Hatman incident of 2017 where the safety systems of a petrochemical plant tripped not once but twice. Look for video lectures on this from Dale Peterson's S4 conferences in 2018/2019 (see lecture by Julian Gutmanis and by Schneider Electric)

Question 7:
Has the attitude towards cyber security changed in the last 5 years, why and in which way?

Answer 7:
The attitude is changing and for the better. Much better in the engineering community who have understood how threats from cyberspace can get into their operations. On the other hand as far as government policy makers go they still have a long way to go. Much technical expertise has left government for the private sector leaving some governments blind to some issues. The 3 Little Pigs problem is evident where one thinks one has taken the appropriate measures and built a house of straw or of sticks to protect from the wind and the rain but the possibility of there being a wolf is somehow missed.  You would be surprised at how many government policy makers do not know what SCADA is and yet think they are doing a great job at protecting critical infrastructure.

Improve the Quality of Your Standard With A Tissue Database

What is a Tissue Database? Tissue stands for Technical Issues - short Tissues.

One of the crucial challenges of maintaining and improving standard series like IEC 61850, IEC 62351, IEC 61400-25, ... is that the standardization processes of the Standard Setting Organizations usually use text files (Word, pdf, ...) for publishing drafts and final documents. When it comes to managing and documenting errors and other problems, Excel sheets are quite often used ... or even just a text file.

This was the case in the IEC TC 57 regarding IEC 61850 after the first parts had been published. We often had a discussion like: Who has the latest Word Document with the Tissue Lists? When was it updated ... grrrr.

NettedAutomation GmbH developed the first version of the so-called IEC 61850 Database in 2004. 16 years later IEC uses a license of the improved tissue database (Tissue DB v.

Click HERE for the parts overview.

For the current Edition 2.1 of part 7-2 there are eight tissues listed:

Click HERE for 7-2 Ed 2.1.

The IEC 61850 tissue database is a very helpful tool to improve the quality of the standard series IEC 61850, IEC 61400-25, and IEC 62351.

Contact NettedAutomation GmbH for an offer of a license of the NettedAutomation tissue database for your project.

Click HERE to contact NettedAutomation for a quote.

IEC Just Published IEC 61850-80-5 Guideline for Mapping Information Between IEC 61850 and IEC 61158-6 (Modbus)

IEC TC 57 Just Published IEC 61850-80-5 Guideline for Mapping Information Between IEC 61850 and IEC 61158-6 (Modbus)

(57/2250/CD, 166 pages) - closing date for comments: 2020-09-11

Excerpt from the introduction:

"This technical specification provides a guideline to exchanging information between IEC 61850 and IEC 61185-6 (Modbus TCP). Nowadays, industrial field such as distributed energy resource (wind and solar energy, etc.) and condition monitoring, has been exchanging the information from Modbus to IEC 61850 for an effective operation. Although many manufacturers already implemented the Modbus to IEC 61850 conversion device or system, these devices do not guarantee interoperability. Therefore, it requires the consistent and unified information exchange scheme between IEC 61850 and IEC 61158-6 (Modbus).
Modbus over serial line (Modbus RTU) is not part of IEC 61185-6, but is also considered in this technical specification."

IEC Just Published IEC TR 61850-7-5 ED1 - Modelling Concepts

IEC TC 57 just Published Draft IEC TR 61850-7-5 ED1 - IEC 61850 Modelling Concepts

(57/2253/DTR - 33 pages) - voting closes 2020-09-11

Excerpt from the introduction:

"The standard IEC 61850 provides a very broad range of data models covering as much as possible all application functions in the range of power utility automation. The modelling both in the domains and between the domains show differences which may impact the interoperability. Therefore, some informative guideline is helpful to reach a common approach in application function modelling. A lot of basic functionality is based on the concept of IEC 61850 and, therefore, the same for all application domains. As result, a basic cross-domain part as Technical Report is useful. Domain specific issues are addressed in the Technical Reports 7-5xx (e.g. IEC TR 61850-7-500 for substation automation)."

Wednesday, July 15, 2020

Repository of Ransomware Incidents Against Critical Infrastructures

Aunshul Rege, Ph.D., Associate Professor, Trusted CI Open Science Cybersecurity Fellow 2019, Department of Criminal Justice | Temple University

wrote today:

"I'd like to share a potentially useful FREE resource that my team and I have created. In September 2019, we started a repository of ransomware incidents against critical infrastructures. These are based on publicly disclosed incidents in the media or security reports. This repository now has 642 records assembled from publicly disclosed incidents between 2013 and June 2020. So far, we have had download requests from industry, researchers, faculty, undergraduate and graduate students, so we hope that this repository might be of use to this community.

Please visit to request a download. Funded by my NSF CAREER Award #1453040. "

Version 9 of the repository (which I received today) lists the following numbers of ransomware incidents:

2 for 2013
6 for 2014
9 for 2015
82 for 2016
99 for 2017
68 for 2018
202 for 2019
173 for 2020 (until 20 June)

The total amount paid is unbelievably high, even though most amounts are undisclosed!

It is unbelievable!

Friday, July 10, 2020

Fusion: Fundamentals and SystemCORP

Excerpt from the press release:

Fundamentals and SystemCORP Energy have each built businesses on a combination of know-how, innovation, engineering, products and services, in particular but overlapping areas of expertise. But coming together now as a single Fundamentals entity will create a fusion reaction, generating more energy for innovation than our two separate elements.

On a more immediate and practical level, SystemCORP and its employees in Perth are being incorporated into Fundamentals Australia Pty Ltd., adding to Fundamentals’ existing bases in Sydney, together with our headquarters in Swindon, UK,  and facilities in Bristol and Oldham. This will greatly enhance the mutual support we can provide for customers in both countries – and increasingly worldwide, as we continue to grow.

Click HERE for the complete press release.