Posted on Jan 16, 2019
Caston Thomas of InterWorks and Rob Goss of Tempered Networks had the opportunity to discuss “Zero Trust” and “Software Defined Parameter” with the Detroit-based podcast, ITintheD. ITintheD is a long-established weekly podcast with over 150K subscribers and over 300K weekly plays.
During the podcast, Rob introduced Tempered’s Identity Defined Networking and the benefits of Host Identity Protocol which was developed to address the vulnerabilities of TCP/IP. No other commercial solution leverages HIP, which lets network managers easily connect, segment, move, revoke, cloak, and manage any networked ‘thing’. HIP is the only protocol designed for zero trust segmentation by eliminating the pitfall of tying network communication to IP addresses.
They talked about how organizations are looking for ways to enhance their network security without a lot of complexity and hardware, thereby accelerating deployment. They also introduced HIPnet which lets users set up their own private, secure networks in minutes – at no cost. Skepticism turned into excitement during the episode, which has led to a follow-up episode for the week on January 14th – this is this week.
You can find the podcast here. Our segment begins at the 52 minute mark.
Posted on Jan 3, 2019
If you had told me a year ago that our Front Desk Receptionist would come back a year later as an Inside Sales Representative, I don’t think I would have believed you. Not that he’s incapable by any means, but just because that doesn’t usually happen.
Miguel (or Mickey) left Tempered last year to work in Sales for a different tech company. When we opened up an opportunity in Sales, we knew we wanted to get Mickey back. I was able to sit down with him to hear more about the journey from his perspective.
How did you get into Sales in the first place?
Mickey: Because of where I worked at Tempered, I had the opportunity to get to know everyone in the office. When I knew it was time to grow from my position, a VP in Sales asked what I was doing next. I had told her I was looking for sales positions and she really took the initiative to sit down with me and tell me everything I needed to know to get into the industry. She even set me up with other folks in Sales to learn more from their perspective. These acts really emphasized the small family vibe Tempered has. It was even through networking with people here that I got my job at the next place and was a shoe-in.
How do you feel like your previous job prepared you for the Inside Sales role here?
Mickey: It definitely helped that it was a firewall company, so I was able to learn a lot about the cybersecurity industry. That combined with the background knowledge I picked up from Tempered has really boosted me.
How are you doing in the role now?
Mickey: My new role at Tempered has a lot more responsibility, and I feel it more. There’s a lot more ownership. I’ve gotten a lot of leads, but I know I need to keep going because I want more!
Mickey is definitely an achiever. It sounds like he’s doing a lot of work already to me, but he’s the type of person that always wants to keep going and getting better.
How do you balance your career and personal life?
Mickey: It’s difficult. I like to work. I want to do the best I can, but I live with five guys so even if I wanted to work at home it would not happen. I try to stay to myself on weekends.
What do you do for fun?
Mickey: Food and eating out. I’m competitive, and I love soccer.
We are so happy to have Mickey back! He adds so much personality and gusto to our team.
Posted on Dec 13, 2018
This month a European water utility found its SCADA/ICS equipment had been compromised in a cryptojacking attack. The mining attack, which happened in an unspecified utility facility, was discovered after three weeks. The attack was discovered by a security firm and likely stemmed from an operator opening a phishing e-mail.
Cryptojacking is the process by which malicious actors install code, either through a website or phishing email, into the user’s computer. This code then uses compute cycles to perform the complex mathematical equations necessary to mine for cryptocurrency, degrading server speed. In this case, hackers were mining for Monero, a notably private and untraceable form of digital currency. This type of attack has gained popularity lately, owing partially to a higher success rate than ransomware payouts.
Tempered Networks can utilize zero trust protocols and microsegmentation to head off such attacks before they start. Within a flat network, such as the one above, bad actors can traverse networks once they gain access at any endpoint. Zero trust protocol requires mutual authentication before any communication can take place, leaving malware unable to operate. Microsegmentation further restricts communication to network segments that are specifically allowed between devices.
Want to see how we’ve applied our solution to other utilities networks? Check out our case study here.
Posted on Nov 30, 2018
Manufacturing has been aptly named a structure critical to our way of life by the Department of Homeland Security. This sector is integral to the foundation of our economic prosperity and access to goods needed for everyday life. At first glance, manufacturing may seem like an unlikely target for cyber security threats – but advancements in IoT connectivity have integrated networking and production in extraordinary ways.
This infrastructure increasingly relies on digitized Industrial Control Systems and IoT devices which, if compromised, can give direct access to invaluable intellectual property and physical operations controls. A perilous blend of remote, vendor-operated, and on-premises device connectivity have led to endpoints that are hard to define, let alone secure With manufacturing being a recently digitized industry, cybersecurity is increasingly falling upon the backs of IT workers who may or may not be trained. And the previous strategy of moving systems offline is no longer viable in this connected age. This combination of untrained staff and endless attack vectors is obviously worrying.
Cyberattacks in manufacturing cause costly downtime, threatens valuable intellectual properties, and can cause changes in the physical operations of production. Even a seemingly insignificant alteration in production can cause life-threatening changes to products vital to consumer safety, like car doors. These risks aren’t hypothetical – the examples are many. In 2017, HONDA had to shut down production after the infamous WannaCry worm brought one of their factories to a staggering halt, stalling the production of 1000 vehicles.
Identity Defined Networking is the solution this critical infrastructure requires. By overlaying cryptographic identities where spoofable IP addresses were once used, each device is authenticated before communication is allowed. These new identities can be added to on-premises devices or in the cloud, ensuring that remote and vendor endpoints are both functional and secure. The result is a versatile network that fundamentally combines security seamlessly with networking. This new way to network is simple, fast, secure, and already in practice.
For a deep dive into how we helped a manufacturing customer implement radical security in our point-and-click UI, you can view our in-depth case study here.
Posted on Nov 16, 2018
For many—including myself—November marks an important time of the calendar year; one where friends and family gather to honor what’s most important to our communities and way of life. It’s a time where we pay particular attention to protect all the things we hold near and dear. Of course, I’m talking about Critical Infrastructure Security and Resiliency Month. It’s truly the most wonderful time of the year!
What else did you think I was referring to?
The Department of Homeland Security (DHS) has officially decreed 16 industry sectors within the U.S. as critical infrastructure. These sectors are set aside as critical because they protect essential services that provide clean drinking water, power to our homes, reliable methods of communication, and much more.
At Tempered Networks, we think a lot about protecting these sectors from cyberattacks, espionage, human error, and other dangers that may threaten public safety and the lifestyle we’ve grown accustomed to living.
I wanted to take this opportunity to reaffirm our company’s commitment to keep our critical infrastructure and our communities safe and secure. The benefits of micro-segmentation and proper access control have already been established by industry experts and organizations like NIST, PCI, and the U.S. DoD, as best practices. With that in mind, here are useful tips as you do your due diligence for your organization.
- Micro-segment your network with a modern software solution – Technologies such as VLANs and ACLs certainly still have a place in networking, but hardened security isn’t one of them. There are far too many loopholes that could make your network vulnerable to a variety of common attacks such as Double Tagging and Switch Spoofing. Using VLANs, ACLs, firewalls, or even older software-defined solutions also adds an unacceptable level of complexity that will require increased expertise and an overall lag in systems operations and corporate productivity. If a solution requires continuous modification of existing infrastructure or is dependent upon that infrastructure for enforcement, management costs will be high and prone to error. Instead, start with a proven approach using zero trust segmentation and access.
- A comprehensive segmentation solution includes connectivity, cloaking, and encryption – Traditional segmentation solutions still use address-defined networking that is susceptible to attacks through a flawed use of the IP address to provide the identity of a network endpoint, as well as the location. Fortunately, there’s a solution to this decades-old security flaw by leveraging the host identity protocol (HIP), which abstracts the IP layer with verifiable machine identities. Our HIP-based solution that we warmly refer to as Identity Defined Networking (IDN), employs fully encrypted overlay networks that are simple to deploy and manage. Mere mortals can use it. Really. Any device or machine in an IDN overlay is effectively cloaked and invisible to all but trusted endpoints in the IDN overlay. To complete the trifecta required for effective and sustainable segmentation, you need the ability to seamlessly connect network endpoints, even if they’re deemed as “non-routable,” meaning they have private IP addresses. In fact, IDN can even establish failover connections without human intervention, which is particularly important to reduce cost and complexity.
- Understand the scope of your segmentation requirements – The emergence of IoT has left a wide spectrum of new devices that could be used as entry points for hackers to gain access to your network. All too often we see organizations approach an initiative with a very narrow scope. Yet, the biggest attack vectors are largely forgotten “things” on your network. Don’t overlook your IP cameras, HVAC systems, IoT sensors, vending machines, bio-medical devices, and other previously unthought of, but nonetheless vulnerable portions of your network. Instead of assuming you know all the ins and outs of your company’s computing environment, we recommend soliciting feedback from others to ensure total coverage. Ask members at all levels of your IT staff to provide information on the various aspects of their job, to gain insight on some potential blind spots in security on which you may need clarity.
- Account for the high probability of human error – Regardless of the extreme measures you take to diligently connect your network, human error is going to occur. Traditional solutions that involve an abundance of firewalls and nearly constant security patches still use the inherently vulnerable IP address as an identifier. Complex solutions with many dependencies will create too many opportunities for human error. IT and OT teams are frequently overworked and understaffed, especially when it comes to network security, but you cannot hire your way out of this problem. Most experts will agree that any segmentation strategy which requires significant human effort with too many dependencies on the underlying network and security infrastructure is a recipe for failure.
Look for a segmentation and access solution that can be easily implemented over your existing infrastructure and maintained by the least tech savvy members of your team. Not sure you have all the bases covered to protect your organization? That’s okay, because Tempered Networks can provide all the security and connectivity you need with a simple, cost-effective, and scalable solution. You can learn more by reading a common use case for segmenting critical infrastructure environments and downloading our micro-segmentation guide . Whether you’re protecting renewable energy, county buildings, or oil and gas resources, we can help. Contact us today for more information, a no obligation demo, or a free trial.
Oh yeah, it’s also the start of the holiday season. I suppose Thanksgiving and Christmas mark a wonderful time of the year too! Happy Holidays!
Posted on Sep 13, 2018
During my first visit to one of the largest cruise ships in the world, I was amazed not only with the enormity of the vessel but more so by the “logistical ballet” that occurs on each embarkment day. With the capacity to host over 6,000 passengers and 2,000 crew, it’s amazing these vessels can be re-stocked and back at sea for their next cruise in less than 12 hours!
As I’ve learned more about these ships and the marine system that control them, it’s fair to say that these ships are truly floating cities converging both IT and OT systems. There are more than a dozen complex systems, managed by multiple vendors, that are responsible for just controlling the ship: power generation, propulsion, navigation, and fuel management just to list a few. Another challenge with these systems is that they normally run on older operating systems and do not have security patches applied nor do they run any type of security software such as antivirus. This creates a huge risk for these systems. As one could imagine these systems are very sophisticated and require highly skilled individuals to develop, maintain and troubleshoot them. It’s unrealistic that any single ship, or any single cruise line for that matter, has all the in-house expertise to deal with every problem or issue that may arise. Because of this, it’s essential that vendors be able to access these systems when their expertise is needed to resolve an issue. Unfortunately, most of the traditional remote access solutions do a poor job of providing fine-grained access policies that can securely segment the vendors while also cloaking and isolating their systems from the underlying network. For this particular cruise line, lack of vendor segmentation was identified as a major risk which a 3rd party cybersecurity audit revealed.
The cruise line started looking for a solution to better segment, isolate and protect each of these critical systems while implementing fine-grained device level access policies to manage and control authorized access. One of the other requirements was that the solution had to be easy to deploy and non-disruptive to the current network. Taking a ship out of production was not an option as that would be a huge loss in revenue due to ship “down time.” This presented the perfect opportunity for Tempered’s IDN solution. During an onboard pilot earlier this year, we were able to showcase the Tempered Network solution had the ability to meet all their requirements with very little change to their existing architecture. The solution was also deemed the most cost effective from both a CapEx and OpEx standpoint. We were able to protect, segment and provide vendor-specific granular access without changing any IP address or network settings for any of the involved systems. Because of the flexibility the IDN fabric provides we can seamlessly install HIPservices between the critical systems and the existing network without making any changes to the systems. This allows for a transparent deployment as well as an easy back out should any issues arise. With the new architecture, the security perimeter/enforcement has been pushed down to the host level. Now only cryptographically verified and trusted devices can access or even see the critical systems and granular access policies are based on device level trust. Our solution also provides end to end encryption so that all the communications are protected within HIP encryption tunnels. This is truly device and network security hardening via micro-segmentation made easy.
Hoping your next cruise is aboard a Tempered-protected ship!
Posted on Aug 30, 2018
At DEF CON 26, there were many exciting hacks and exploits demonstrated against technologies ranging from self-driving cars to voting machines. Attendees competed to “pwn” (slang for exploit, or “own”) whatever tech they could get their hands on.
While voting machines and futuristic cars may make for an exciting news cycle, let’s talk about some vulnerabilities exposed on real infrastructure. Let’s talk about Industrial Control Systems (ICS), or more specifically, Programmable Logic Controllers (PLCs).
These devices control a lot of the world around us. Some of them aren’t that important – some just run shop-floor machinery – they aren’t networked, they don’t need updates for years, they just do what they need to do. However, many of these devices operate critical infrastructure like dams, power stations, gas pumps and oil rigs, and many more are connected to a network – sometimes even to the Internet – where they can be exploited by a bad actor. These high-profile PLCs are ticking time-bombs, as real catastrophes can result if they are compromised.
Thiago Alves, a Ph.D. Student at the University of Alabama in Huntsville and SCADA Cyber Security Researcher at the Center for Cybersecurity Research and Education (CCRE) demonstrated how one would go about doing exactly this.
In his presentation he offers a look at three attacks. The first is a DDoS attack against multiple PCLs, making them malfunction and become unmanageable. The second is a buffer overflow attack that crashes a PLC and corrupts its programming. The third exploits a badly-architected secret protocol that allows untrusted hosts to assume management rights to a PLC and exposes plaintext passwords.
His demonstration lab is simple. He has three PLCs (Open PLC, Allen-Bradley and Modicon/Schneider), and three glasses of water. The PLCs are programmed to keep the water in each glass at 40° C using a temperature probe and a heater. He also has a ScadaBR control panel that allows him to turn the heaters on and off manually or give automated control back to the PLCs for automatic temperature regulation.
All three PLCs are running the same ladder-logic program and use Modbus for communication.
Attack 1: Command Injection against OpenPLC, Allen-Bradley and Modicon (Schneider) PLCs – DDoSing a PLC with bad commands:
In the first Attack, Alves performs a DDoS attack against all three PLCs, forcing them into manual mode, and forcing the heaters on. In this state, the water in the glasses will continue to be heated until they boil. The ScadaBR interface does not respond to input while the PLC is under attack.
Alves runs his Injection attack against each PLC:
And he loses the ability to take control of each PLC he attacks:
Left running, the PLCs will eventually raise the water to boiling temperature. All he has to do is replay a previous Modbus packet sent from this ScadaBR panel from another host, and it will override the packets sent from legitimate hosts. While legitimate Modbus instructions may make it to the PLC, their effect will be fleeting so long as the device is under attack with illegitimate packets.
Attack 2: Micrologix 1400 Vulnerability - Lying about the size and contents of a Modbus packet to create a buffer overflow:
In the second attack, Alves sends specially-crafted Modbus packets to the PLC, lying about the size and contents of the packets, bringing the device offline. Every time the device receives a Modbus packet, there’s a chance that it will fail to deallocate memory related to that packet. By sending two malformed Modbus packets in sequence, the PLC crashes and reboots.
The magic Modbus packets look like this:
The first packet gives a length longer than the actual payload.
The second packet gives the length of the previous packet’s payload but comes with no payload of its own.
Not only does this crash the PLC, but it corrupts onboard storage forcing a technician to re-flash the PLC with its program to bring it back online.
If this attack were levied against a remote PLC, it would require human intervention to fix, which could be very costly and time-consuming.
Attack 3: Modicon (Schneider) M221 PLC “Unity” vulnerability.
In the third attack, Alves demonstrates how to use an undocumented Modbus protocol called “Unity” to take over a managed PLC and expose the password used to protect it. In the demonstration, Alves explains that he and his colleagues have reverse-engineered the Unity protocol and created a program that allows them to send specially crafted Unity packets.
Unity contains specific instruction that can control a PLC, turning it on and off, replace programs, and read the contents of memory.
The first Unity message he sends to the PLC is a basic acknowledgement packet, which tells the PLC that he wishes to establish communication with it, in which is responds with a confirmation:
The second message he sends asks the PLC to disconnect from any management servers it is connected to, in which is responds with another confirmation:
Next, he sends a message asking it to “Reserve Me”, in which it responds with a confirmation and session number (90):
Then he uses the session number to send command to the PLC telling it to stop executing its program:
The result is that the PLC shuts down and becomes unresponsive in ScadaBR (though it still returns sensor data):
Of course, it can be turned back on again using another Unity command:
This is only the tip of the iceberg – Unity is an even bigger security risk than this demonstration has proven so far. Alves next uses Schneider SoMachine Basic to demonstrate management of the PLC. The Modicon PLC he wants to access requires a password to manage:
So, he sends a Unity message to the PLC requesting the project headers for the currently installed program:
Which causes the PLC to return the Project name, “New project”, and the Unity password, “D3FC0N”. This password can be used inside of SoMachine Basic to manage the PLC:
Can HIP (Host Identity Protocol) help?
We followed up with Alves after seeing his presentation and asked him about the best ways to mitigate threats against PLCs. The obvious answer is to upgrade your PLC firmware often (and yes, these exploits have been patched in the most current software releases), and without delay when critical security patches are pushed – however this isn’t always possible given 24/7 operation and other technical concerns.
I asked what he would consider to be the best way to mitigate these kinds of threats to infrastructure, assuming that updates were not an option. “That is what every SCADA researcher is looking for”, he told us, “there is no solution I can find”. He did illustrate what his ideal mitigation would be. His suggestion is to isolate the PLC from the rest of the network or “build a wall around the PLC”. This would prevent a rogue network device from sending malicious Modbus/Unity/etc. packets to PLCs on the network, as only authorized devices would be able to communicate with it. Although, he warns that “the device is still vulnerable, and it will still talk to a node with an insecure protocol. If the protected host is compromised, the same kinds of attacks can be replicated.”
Tempered Networks HIPswitches represent half of Alves’ ideal “bump-in-the-wire” (BITW) security model for protecting PLCs. The rest, he says, is “side-channel defense”. He envisions the use of a Modbus preprocessor with learned behavior. As he explains it, “An attack might look a lot different [than normal traffic] and could trigger an alarm”.
What else does Alves recommend for KEEPING infrastructure secure?
Thiago Alves is also the lead programmer for OpenPLC, a project that aims to replace traditional industrial PLCs with commodity hardware like Raspberry Pis and Arduinos.
One of the biggest downsides to traditional PLCs is that they are closed-source, which makes security hard in the face of them ostensibly being a development platform. Combined with the use of proprietary, insecure legacy protocols these devices are being exposed as some of the most vulnerable devices connected to our core infrastructure.
OpenPLC is fully open-source and is compatible with the same ladder-logic code (All 5 IEC 61131-3 languages) that powers existing PLCs, in addition to modern programming languages. The hardware needed to run OpenPLC is a mere fraction of the cost of commercial equivalents. While Tempered Network’s HIPswitches are one half of BITW threat mediation, perhaps community-driven solutions like OpenPLC will represent the other half, providing security against attacks while also maintaining compatibility with existing industrial systems. The OpenPLC runtime is compatible with the PLCopen XML editor, and ScadaBR GUI builder.
- You can see Alves’ original DEF CON presentation materials here: https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Thiago%20Alves/
- You can download Alves’ PLC exploits here: https://github.com/thiagoralves/defcon26
- You can learn more about OpenPLC here: http://www.openplcproject.com/
All photos are courtesy of Thiago Alves / UAH / DEF CON