Showing posts with label critical infrastructure. Show all posts

Monday, November 8, 2021

Critical Infrastructure Ransomware Dataset V 11.6 Available For Download

 Aunshul Rege announced the latest Critical Infrastructure Ransomware Dataset (Friday Nov 05, 2021):

"Dear all,

I hope everyone is doing well.

My team and I have updated our dataset of critical infrastructure ransomware incidents (CIRW) that have been publicly disclosed in the media or security reports. CIRW dataset version 11.6 now has 1066 incidents, which are assembled from publicly disclosed incidents between November 2013 and the end of October 2021.

Also, community members can now submit a CIRW incident that you would like to see included in this dataset!

To download the dataset or submit a CIRW incident, please visit https://sites.temple.edu/care/ci-rw-attacks/. Please ensure that you enter your email address correctly, and note that we do not reply to personal email addresses (protonmail, gmail, etc.). And please give us a few days to respond to your request."

The report "IT-Security-Situation-in-Germany-2020" describes three German ransomware cases:
  1. Ransomware Attack on the Council Offices of a Mid-sized German City
  2. Ransomware in Hospitals
  3. Ransomware Attack on a University
Click HERE to access the report [PDF, 1.72 MB]; it is worth reading.

Monday, July 20, 2020

PhD Student Working On Cyber Security In Critical Infrastructures

Fredrik Heiding (PhD Student) wrote the other day:

Fredrik Heiding, PhD Student
Network and Systems Engineering
KTH, Royal Institute of Technology

I am doing a PhD on cyber security in critical infrastructure. Currently I study the security trends for critical infrastructures in Europe, analyzing where it is heading and how it is developing. To strengthen the study I have identified seven general questions; they are general in nature so they can be answered by people in critical positions without revealing sensitive information.
Here are the questions from Fredrik and the answers from a very senior expert:
See also: http://blog.nettedautomation.com/2020/06/scada-security-matters-should-matter.html
Vytautas Butrimas wrote in the introduction to his answers:
This is a particularly interesting time in CIP. I come from an IT background and have focused mostly on the cybersecurity of industrial control systems in the past 10 years. This has been a long learning curve, for I found that my IT knowledge did not provide enough to understand the engineering and laws of physics that are dominant in the monitoring and control of physical processes found in the pumps and compressors on fuel pipelines, treatment of drinking water, routing of trains, and the generation and distribution of electricity. One needs to know the implications and peculiarities between working in IT office time and in real time to work in this field.
I looked at your questions and will give brief answers. If you wish to further discuss them with me then we can do so offline.
---------------------------------
Question 1:
What concerns for the future do you have regarding cyber security in critical infrastructure?

Answer 1:
How the introduction of increased complexity of systems (systems of systems, adding more sensors, increased connectivity) will be managed without taking away from safety, reliability and performance.

Question 2:
Over the past decade, digital attacks have become more central to the security of critical infrastructure. Do you think the trend will continue to increase or culminate?

Answer 2:
There are some signs that things will get better but at the same time they will get more complicated. Security practitioners need to realize that much more attention is needed where the physical process is taking place and the devices closest to it that are monitoring and controlling it, not where they are being monitored by humans in a remote location or control room. ** One more thing: we should not just be focused on "ATTACKS". We also have to consider unintended actions or accidents. As the complexity of systems and connectivity of devices increases so will the unintended or "why did that happen?" incidents. ***

Question 3:
What relevant research or technological advances do you find most interesting for the future?

Answer 3:
Have to think about this one. It feels like we are all trying to keep afloat in a tsunami of technological advances. The ones that worry me the most are the new features which also come with vulnerabilities that need to be addressed before a malicious group decides to exploit them.

Question 4:
Do you see IIoT (Industrial Internet of Things) as an opportunity or a concern, if both, which part is greatest (positive or negative)?

Answer 4:
I see it mostly as a concern (see my earlier answers). I suggest watching a video available on YouTube called "Brave New Internet 4.0" by one of your famous countrymen, Ralph Langner. The questions and concerns he raised in that lecture IMHO have not been addressed.

Question 5:
Do you have plans to, or do you think that you will expand the cyber security department in the coming years?

Answer 5:
I am currently working my way out of "mandatory retirement" and am not in a position to expand anything (perhaps later this year I will change my answer). If I was in a position of influence at an operator of CI (energy sector for example) I would do my best to set up some support for the senior engineer of the plant. When he sees something unusual going on in the operation he should be able to assign this problem to a security operations center. It could be at least one person or a small team that understands cyber threats and how they could be applied to the engineering side of the operation. The senior plant engineer has to keep things running and does not have time to stop and investigate something. He needs someone to help him, and an ICS SOC could be a good solution if management is willing to spend the money for the positions and training.

Question 6:
Can you share anything about past attacks/intrusion attempts, both successful and unsuccessful attempts are interesting?

Answer 6:
Look at the freely available information online. Look up Ralph Langner to learn about STUXNET. It happened 10 years ago and this is probably the most analyzed and documented incident we have today that is publicly available. Much can still be learned, for the methods continue to be applied today. In 2014 in Germany your government (BSI) published its yearly report on cyber incidents. There is a section devoted to a cyber attack on a steel mill that had an uncontrolled shutdown and resulted in damage. Look at the Triton/Trisis/Hatman incident of 2017 where the safety systems of a petrochemical plant tripped not once but twice. Look for video lectures on this from Dale Peterson's S4 conferences in 2018/2019 (see the lectures by Julian Gutmanis and by Schneider Electric).

Question 7:
Has the attitude towards cyber security changed in the last 5 years, why and in which way?

Answer 7:
The attitude is changing and for the better. Much better in the engineering community, who have understood how threats from cyberspace can get into their operations. On the other hand, as far as government policy makers go, they still have a long way to go. Much technical expertise has left government for the private sector, leaving some governments blind to some issues. The Three Little Pigs problem is evident, where one thinks one has taken the appropriate measures and builds a house of straw or of sticks to protect from the wind and the rain, but the possibility of there being a wolf is somehow missed. You would be surprised at how many government policy makers do not know what SCADA is and yet think they are doing a great job at protecting critical infrastructure.
--------------------------------

Wednesday, July 15, 2020

Repository of Ransomware Incidents Against Critical Infrastructures

Aunshul Rege, Ph.D., Associate Professor
Trusted CI Open Science Cybersecurity Fellow 2019
Department of Criminal Justice | Temple University

wrote today:

"I'd like to share a potentially useful FREE resource that my team and I have created. In September 2019, we started a repository of ransomware incidents against critical infrastructures. These are based on publicly disclosed incidents in the media or security reports. This repository now has 642 records assembled from publicly disclosed incidents between 2013 and June 2020. So far, we have had download requests from industry, researchers, faculty, undergraduate and graduate students, so we hope that this repository might be of use to this community.

Please visit https://sites.temple.edu/care/downloads/ to request a download. Funded by my NSF CAREER Award #1453040. "

Version 9 of the repository (which I received today) lists the following numbers of ransomware incidents:

2 for 2013
6 for 2014
9 for 2015
82 for 2016
99 for 2017
68 for 2018
202 for 2019
173 for 2020 (until 20 June)

The total amount paid is unbelievably high, even though most amounts are undisclosed!

It is unbelievable!

Friday, May 18, 2018

Great Article on Internet Insecurity - a New Approach!?


Yes - the title is about "Internet Insecurity" ...

The paper suggests a radical new approach in dealing with security or insecurity.

The paper closes:
"Every organization that depends on digital technologies and the internet is vulnerable to a devastating cyberattack. Not even the best cyber hygiene will stop Russia, North Korea, and highly skilled, well-resourced criminal and terrorist groups. The only way to protect your business is to take, where you can, what may look like a technological step backward but in reality is a smart engineering step forward. The goal is to reduce, if not eliminate, the dependency of critical functions on digital technologies and their connections to the internet. The sometimes higher cost will be a bargain when compared with the potentially devastating price of business as usual."

Click HERE for the article.

Wednesday, August 23, 2017

Making ICS Security Feasible for Small Companies

Industrial automation and control systems (IACS) pervade many areas of critical infrastructure, such as supply systems for electricity, gas, water, wastewater, ...

Awareness is slowly growing that, for many reasons, many of these systems are only insufficiently protected (in the sense of information security). Reasons may be that those responsible do not yet see the need for stronger protection requirements, or that the installed systems are "decrepit" and can only be protected by replacing them, and so on ...

Water utilities, together with the BSI and RWTH Aachen, have supervised a master's thesis that could open the eyes of small utilities in particular to more security in information and automation technology:


Sarah Fluchs wrote the following master's thesis:


Creation of an IT-Grundschutz profile for a reference company (small/medium-sized enterprise, SME) with automated process control (Industrial Control System, ICS)
Or:
Making ICS security feasible for small companies

The thesis and an annex are publicly available:

Click HERE for the main part of the thesis.
Click HERE for the annex "IT-Grundschutz pilot profile / IT-Grundschutz profile for the water sector".

This master's thesis is absolutely worth reading and worth heeding!

The introduction begins with a statement by Ralph Langner:

For many complex IACS networks, there is no longer any single person who fully understands the system, […] and neither is there accurate documentation.

I preface this statement with a much older one by René Descartes (1596-1650):

"Hence we must believe that all the sciences [all the aspects of a distributed automation system; inserted by the author of this blog post] are so interconnected, that it is much easier to study them all together than to isolate one from all others. If, therefore, anyone wishes to search out the truth of things in serious earnest, he ought not to select one special science (aspect), for all the sciences (aspects) are conjoined with each other and interdependent."

The challenge for today's and future generations is to think and act holistically, and to take into account the many handed-down and therefore diverse experiences of our forebears, but especially of those people who have worked directly in practice and still do! [Statement supplemented by a good friend.]

Teamwork makes the dream work.

In this spirit, my thanks go to Ms. Fluchs, who has laid a foundation stone with her master's thesis. It is symptomatic that fundamental work is often done "only" by students. A pity! The topics addressed concern us ALL!

There is one statement in her conclusion and outlook that I would like to correct:

"The overarching topic of this thesis is ICS security. Compared with "ordinary" IT security, the topic has so far occupied a niche. Above all, manufacturing companies and operators of critical infrastructure have to deal with it; the average consumer would potentially feel the effects of a security incident, but has no direct influence on ICS networks and their security."

We as average consumers have a very large direct influence on the security of our infrastructures: by being prepared to pay more for our basic supply!!

Tuesday, July 11, 2017

When will Hackers Take Control Over Substations?

I guess most people believe that our power delivery infrastructure is very secure; yes, I agree that this is (still) the case. What's next? There are some publicly visible efforts to change this, obviously.
One of the attempts to approach the power delivery control systems was made public the other day under the headline:
Attack on Critical Infrastructure Leverages Template Injection
"Attackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code. In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer."
Click HERE to read the full report.
Click HERE for NYTimes report.
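The Talos report above describes a Word attachment that carries no macro but points at a template on a remote server. As an added example (not code from Talos or from this blog), the following Python check inspects the OOXML package of a .docx for exactly that: an attachedTemplate relationship with TargetMode="External" whose target is a network location. The sample packages, host names and function names are constructed for the demonstration.

```python
"""Flag Word documents whose settings reference a remote (external) template.

Word stores a remote template reference as a Relationship of type
.../attachedTemplate with TargetMode="External" in the package part
word/_rels/settings.xml.rels. A UNC or URL target there means the document
will reach out to another host when opened, so it is worth quarantining and
checking the opening host for an outbound SMB/HTTP connection attempt.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_PATH = "word/_rels/settings.xml.rels"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_template_targets(docx_bytes: bytes) -> list:
    """Return every external attachedTemplate target found in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if RELS_PATH not in pkg.namelist():
            return found          # no settings relationships at all
        root = ET.fromstring(pkg.read(RELS_PATH))
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        if rel.get("TargetMode", "Internal") != "External":
            continue
        found.append(rel.get("Target", ""))
    return found


def is_network_target(target: str) -> bool:
    """True when a template target points off the local machine (UNC or URL)."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True               # UNC share: fetched over SMB, credentials offered
    parts = urlparse(target)
    if parts.scheme.lower() in {"http", "https", "smb"}:
        return True
    # file:// is local unless it names a host (file://host/share/x.dotm)
    return parts.scheme.lower() == "file" and bool(parts.netloc)


def classify(docx_bytes: bytes) -> str:
    """'remote-template' if any external template lives on the network."""
    targets = external_template_targets(docx_bytes)
    return "remote-template" if any(map(is_network_target, targets)) else "clean"


def build_sample(rels_xml: str) -> bytes:
    """Constructed minimal .docx-like package carrying the given settings rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed samples: one remote UNC template, one ordinary local Normal.dotm.
REMOTE_RELS = ('<Relationships xmlns="' + REL_NS[1:-1] + '">'
               '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE + '" '
               'Target="\\\\template-host.invalid\\share\\normal.dotm" '
               'TargetMode="External"/></Relationships>')
LOCAL_RELS = ('<Relationships xmlns="' + REL_NS[1:-1] + '">'
              '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE + '" '
              'Target="file:///C:/Users/u/Templates/Normal.dotm" '
              'TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    print("remote sample:", classify(build_sample(REMOTE_RELS)))
    print("local sample: ", classify(build_sample(LOCAL_RELS)))
```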

Tuesday, January 17, 2017

Animal "Attacks" on Power Systems - Worry About Squirrels

BBC News has published an interesting report on "Squirrel 'threat' to critical infrastructure".

According to the report "The real threat to global critical infrastructure is not enemy states or organisations but squirrels, according to one security expert.
Cris Thomas has been tracking power cuts caused by animals since 2013.
Squirrels, birds, rats and snakes have been responsible for more than 1,700 power cuts affecting nearly 5 million people, he told a security conference."

Click HERE to read the report.

Thursday, July 14, 2016

How to Protect Electric Power Delivery Systems?

These days we see a lot of discussions on security in the domain of electric power delivery systems. One thing is for sure: The power delivery infrastructure is under heavy stress ... just to list a few issues:

  1. Aging equipment (primary and secondary).
  2. Increasing cyber attacks.
  3. Increasing physical attacks.
  4. Aging Workforce.
  5. Political objective to reduce the rate per kWh of electric power consumed.
  6. ...

A lot has been discussed recently regarding these and other issues.

Today I would like to have a brief look at the third bullet, "Physical Attack". The Wall Street Journal (WSJ) published the other day a report on physical attacks on substations in the US: "Grid Attack: How America Could Go Dark". After reading this news I decided not to post anything about that report. But when I got up this morning and read the (bad) news about the tragic attack on people in Nice (France) last night, with a death toll of 80, I said to myself: I have to talk about these physical attacks.

First of all, our prayers are for the French people in general and especially for those who have lost one of their loved ones, for those who are injured, and for those who have experienced this attack.

Second, please read the WSJ report to understand the situation of our (partly very unprotected) electric power delivery system:

Click HERE for the report.

More or less the same could be reported about many substations worldwide.

Next time we may see a truck driving into a major substation, power plant, or high voltage transmission tower, ... How can we protect ourselves and the technical systems that are needed every second in our life?

2. Timothy 3:1-5 says: "1 But understand this, that in the last days there will come times of difficulty. 2 For people will be lovers of self, lovers of money, proud, arrogant, abusive, disobedient to their parents, ungrateful, unholy, 3 heartless, unappeasable, slanderous, without self-control, brutal, not loving good, 4 treacherous, reckless, swollen with conceit, lovers of pleasure rather than lovers of God, 5 having the appearance of godliness, but denying its power."

It is unlikely that all humans will understand the importance of the electric power delivery system (and other critical infrastructures) and control themselves NOT TO TOUCH the system (AND of course other humans)! So we have to do our best to better physically protect the crucial stations, which is better than doing nothing. Attacks will continue to happen, but we have to spend more resources to increase the physical security.

We all have to accept the increase in our electric power bill if we want to continue using power whenever we need it, 24/7. I hope that we learn better what the real value of our electric power infrastructure is for our daily life!



Friday, June 5, 2015

Security: A Never Ending or a not Yet Started Story?

Everybody talks about security! Who is working on it? Some people are working on meeting compliance requirements like those defined in NERC CIP. Very few are dealing with measures to make and keep systems secure.

What's the difference between compliance and security? Does being compliant also mean being secure? NO – not at all. Being compliant may let you sleep better …

Two excellent publications touch on these issues:

1. NERC CIP v5 Suggests Compliance Does Not Equal Security

2. What effective legislation would you write for CI ICS

The first article closes:

“Compliance means you won't be fined. Security means you won't end up in the headlines. A friendly security suggestion would be to look beyond CIP compliance and use it as a baseline for your security policies.”

and the second:

“Hopefully, industry can get behind some sort of meaningful control system
security legislation before we end up with a catastrophic attack on a control
system.”

Since most people have likely not yet tried to implement security measures, the following sign (which I purchased the other day) wouldn't help either:

[image of the sign]

Try it again, or for the first time. But don't give up before you have a process for a higher level of security in operation. And never stop improving.

Friday, March 6, 2015

What about security for SCADA systems?

Since the early 80s we have had discussions on open systems. I remember well people saying in 1984: "If you want open systems, you must be crazy." True, if you don't shut the doors and let in only those who are allowed in.

There are measures to secure access, but they have to be implemented and used. There are a lot of concerns about embedded systems on the internet and their security.

Read this up-to-date story, and you may not sleep tonight:

Journalists warned system owners and Norwegian NSA of 2500 critical data flaws

How two journalists set out on a mission to test the data security in the whole of Norway

Excerpt:

“Thus far, they have found:
• 290 vulnerable control systems, in banks, schools, nursing homes - and a military camp
• 2048 surveillance cameras in private homes, night clubs, shops and restaurants
• 2500 control systems connected to the Internet with minimal or no security
• 500 of these control industrial or critical infrastructure
• Thousands of data bases and servers that give away content without passwords

These are all found in Norway. Guess if it is any better in your country?”

Click HERE for the report.

And YOU? Become more serious about security!!! For the good of you and all of us, all over.

And do not blame IEC 61850 for not providing security measures! It does: IEC 62351 shall be applied, but you have to do it! Do it!

http://blog.iec61850.com/2015/02/standard-iec-62351-3-communication.html

Tuesday, November 18, 2014

New Models for Condition Monitoring: IEC 61850-90-3

IEC TC 57 just published a very comprehensive document (draft technical report, 57/1522/DTR) of 150 pages that suggests a lot of new models:

IEC 61850-90-3 TR:
Communication networks and systems for power utility automation –
Part 90-3: Using IEC 61850 for condition monitoring diagnosis and analysis

CMD (Condition Monitoring Diagnosis), which diagnoses the health status of the power grid, has become one of the major means of improving the reliability of the power system by preventing potential failures in advance. Since too many different information modeling, information exchange, and configuration techniques for CMD, in various forms from many vendors, are currently in use, they need to be standardized in TC57.

The new document contains a lot of new Logical Nodes and Data Objects, for example for:

  • GIS (Gas Insulated Switchgear)
  • Transformer
  • Load Tap Changer (LTC)
  • Under Ground Cable (UGC)
  • Transmission Line (TL)
  • Auxiliary Power System

Example of an extension of the very common model for a tank (KTNK):

LevMaxSet - Maximum level reached setting
LevHlfSet - Half level reached setting
LevMinSet - Minimum level reached setting

LevMax - Maximum level reached
LevHlf - Half level reached
LevMin - Minimum level reached

Voting terminates on 2015-01-16.

More to come.