Home » News » Archives for Sagacitymedia

Author: Sagacitymedia

European Rail Cyber Security Working Group announced

On September 12th the Cyber Senate will be hosting the European Rail Cyber Security Working Group in a roundtable format with discussion groups in the morning and outcomes presented in the afternoon. Capped at 70 participants, this face to face knowledge sharing exercise is specifically designed to assist all stakeholders in the rail ecosystem with an opportunity to assess their security posture, and collaborate with their industry counterparts.
Already confirmed table leaders include the Rail Delivery Group, Deutsche Bahn, and the ERTMS Users Group. More announcements will be made shortly.

ICS and the need for public and private information sharing

The cyber attacks from the last week have affected entities globally, from telecommunication infrastructure to medical facilities across the UK to European utilities as well as multiple other types of industries and consumers. The WannaCry ransomware will go down in history for setting an example of how malicious software can disrupt global networks, leaving systems crippled until demands are met.

This highlights so many issues we at the Cyber Senate have been working so hard to bring to our forums. We believe there is so much work to be done to fully understand how we can better develop a culture of awareness within our organisations, and how we address the skills gap in our industry. We Tneed to have a better understanding of the risks of 3rd party applications and the supply chain, as well as better educate procurement. There is still much work to do in developing synergies between IT and OT divisions wrestling with convergence, in understanding that compliance doesn’t equal security and that just because “you’re not connected to the internet” that you’re cyber secure. That is just a few areas we need better insight. On another note, how many ICS systems are still running a unpatched version of Windows XP?

Cyber attacks that impact critical national infrastructure can ultimately cost lives. That is why these discussions are so important. These events are built to facilitate public and private information sharing, to assist you and your team in understanding how your industry counterparts are meeting the challenge, what you are doing right, wrong, and to help define “what is best practice?”

We hear a lot about vendor accountability and disclosure which is another piece of this puzzle that needs to be addressed. We, however, believe people are the most important factor in the cyber kill chain. Technology will never tick all the boxes, it can and does fail and so do humans. It is how we get up, respond, move forward and learn from these lessons that count.

We hope to meet you in 2017. If we can help you bridge the gap, do not hesitate to reach out.

The DHS issue Statement on WannaCry

“DHS Statement on Ongoing Ransomware Attacks”
The DHS have issues a statement in relation to the latest ransomware attacks and advice on how to get help and deal with the cyber attack.

“We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally.  DHS has a cadre of cybersecurity professionals that can provide expertise and support to critical infrastructure entities.” 

The statement can be found here https://www.dhs.gov/news/2017/05/12/dhs-statement-ongoing-ransomware-attacks

Further guidance can be found here:

WANNACRY guidance from the NCSC

The NCSC issue guidance on Ransomware

‘The NCSC are aware of a ransomware campaign relating to version 2 of the “WannaCry” malware affecting a wide range of organisations globally.

NCSC are working with affected organisations and partners to investigate and coordinate the response in the UK. This guidance will be updated as new information becomes available.

From investigations and analysis performed to date, we know that the malware encrypts files, provides the user with a prompt which includes; a ransom demand, a countdown timer and bitcoin wallet to pay the ransom into.

The malware uses the vulnerability MS17-010 to propagate through a network using the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network.”

Visit https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance


“The National Cyber Security Strategy set out the Government’s overarching plan “to make Britain confident, capable and resilient in a fast-moving digital world.”2 This strategy specifically supports the Government in ensuring that the UK has a secure and resilient energy system, by ensuring that the civil nuclear sector is able to defend against, recover from, and is resilient to evolving cyber threats. This enables the sector to continue to produce secure, affordable and clean energy. The strategy will also support the safe, responsible and cost effective management of the UK’s energy legacy. This strategy sets out a path to keeping the UK civil nuclear sector ahead of rapidly evolving threats to, and vulnerabilities in, software and equipment in the next five years.”


The Cyber Senate 2nd Annual ICS Cyber Security Nuclear Summit will take place in Warrington on May 22-24th.


Civil Nuclear Strategy can be found here https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/591619/170213_-_Civil_Nuclear_Cyber_Security_Strategy.pdf

New wave of cyberattacks against Ukrainian power industry

“The cyberattacks against the Ukrainian electric power industry continue. Yesterday (January 19th) we discovered a new wave of these attacks, where a number of electricity distribution companies in Ukraine were targeted again following the power outages in December.” – See article by BY POSTED 20 JAN 2016 – 06:59PM http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/

“The attack on energy facilities on 19-20 January 2016. After the fact”

The attack on energy facilities on 19-20 January 2016. After the fact “”Department Incident Response CyS Centrum (CyS-CERT)”
Article https://cys-centrum.com/ru/news/attack_on_energy_facilities_jan_ps

The attack on energy facilities on 19-20 January 2016. After the factNo sooner had the country / industry oklematsya against cyber attacks, which had led to the outage for an impressive number of consumers as something similar and potentially dangerous happened again.Unidentified attackers on 19 and January 20, 2016 was carried out spot “viral distribution” for e-mail addresses (about 100 recipients), a large number of energy companies in Ukraine. Tactics used much like the one that was used before, during already described cyber attacks on critical information infrastructure of our country – emails, documents, bait, macros, droppers, etc.
In this review, designed to further sharpen the question of the need to improve awareness of information security, we propose to review the process of the attack, the technical details of its implementation, as well as measures taken to address the threat and minimize the negative effects.“Viral delivery” began at the end of the day January 19, 2016. Acting consistently, the second wave of malicious emails sent attackers at the start of day on January 20. When on such actions became known among energy companies, NEC “Ukrenergo” Concerned by the fact that the letters are sent, allegedly on her behalf, made ​​a public statement on the official web site (Fig. 1) [1].

The Cyber Senate announce ICS ISAC Alliance

ICS-ISAC Chair Chris Blask noted that Cyber Senate is an example of an information sharing organization which spans key demographics. “The mission of information sharing involves many stakeholders groups across the entire global community. Cyber Senate captures key thought leaders and works to share information among them and with critical communities. We see Cyber Senate as a highly valuable organization and are pleased to support the good work they are doing.”

Cyber security for the digital railway

Join the Cyber Senate on March 16th in London for an in-depth discussion on the current and future threat, how the industry is responding, the absolute importance of “Security by Design,” the challenges that bridging IT and OT bring in deploying enterprise facing architecture and how to further develop a culture of awareness. Cyber threats are growing in frequency and capability across every industry, but none carry more consequences than those carried out against critical national infrastructure. The global rail industry is where the Smart Grid industry was 10 years ago, now realising that through advanced connectivity and digitisation that greater levels of efficiency and optimisation can be achieved, reduction of carbon footprints and greater value can be provided to both asset owners and operators, passengers and shareholders. The rush to next generation infrastructure however is not with out its vulnerabilities. The proliferation of machine to machine sensors, the Internet of Things and the convergence of IT and OT – two very different disciplines, has extended the attack surface dramatically for an industry historically isolated from modern day cyber threats. Join the Cyber Senate on March 16th in Londonfor an in-depth discussion on the advancing threat, the reality of security of our future rail networks, the absolute importance of “Security by Design,” the challenges that bridging IT and OT bring in deploying enterprise facing architecture and more. This is a unique opportunity to address key cyber issues in the design stage within the rail industry, so let us begin. A strong cyber security strategy saves lives. All stakeholders have a responsibility in ensuring the safety, reliability and stability of our Critical National Infrastructure. Information sharing is paramount in educating ourselves and the industry




Anti-IS group’ claims BBC website attack

Reports state the BBC was subject to a DDoS attack by group calling itself “New World Hacking,” targeting IS affiliated web activity. They are reported to have stated “We are based in the US, but we strive to take down Isis [IS] affiliated websites, also Isis members. The reason we really targeted the BBC is because we wanted to see our actual server power. It was a test.”

Source: BBC news

Read more here 

“Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage”

This post was written by Michael J. Assante, SANS ICS Director

“There have been a small number of reports describing a power outage in Eastern Ukraine on the day before Christmas Eve. What makes these reports unique is the cited cause of the outage. A small number of sources in Russia and Ukraine indicate the electrical outage was caused by a cyber attack, specifically a virus from an outside source. I am skeptical as the referenced outage has been hard to substantiate and the cause surfaced relatively quickly (normally, determining root cause analysis of an incident takes time especially when it pertains to activity on the network).” Read more here

IAEA join the ICS Nuclear conference as Key Note speakers

The Cyber Senate are pleased to announce the IAEA will be joining us as Key Note presenters on the Industrial Control Cyber Security Nuclear conference we will be hosting in Warrington UK, May 24-25th 2016.

For further information see www.industrialcontrolsecuritynuclear.com

How does trust help improve the cyber resilience of the European energy grid?

JOHANInterview with Johan Rambi, Corporate Privacy & Security Advisor for the Dutch network operator Alliander
Johan will be speaking on Day 1 September 29th and also taking part in our Panel Session: Maturation, Incident Response and Recovery

The official interview can be found here

Johan Rambi is Corporate Privacy & Security Advisor for the Dutch network operator Alliander. In his role of (interim) chair of EE-ISAC, to be launched on 4 November 2015, his task is to lay the foundations of this partnership – namely, trust and commitment. Cyber resilience risks force the energy sector to start sharing sensitive information, both across national borders and between the public and the private sector. This will only happen if you create a safe environment of trust, says Rambi.

  • Alliander is already participating in the Dutch Energy ISAC. Can you explain why, as a regional network operator, you were also pushing for an Energy ISAC at European level?

Cyber security does not stop at national borders. Focusing on Dutch cases only would be unrealistic since the increased interconnectedness to the internet creates a reality in which our national “grid” is no longer independent from the outside world.

We need to address cyber resilience risks at an international (EU) level. Other international ISAC’s (e.g. the European FS-ISAC or United States ES-ISAC) have already proven the importance and benefits of international information sharing. In the end, different international ISACs should work together to realise global information and experience sharing. However, scaling up from national to European level is a good and necessary start.

“Cyber resilience risks force the energy sector to start sharing sensitive information,
both across national borders and between the public and the private sector.
This will only happen if you create a safe environment of trust.”

  • ISACs are based on trust; stakeholders are being asked to share (sometimes confidential) company information. What does an ISAC do to make utilities but also technology providers feel safe about sharing sensitive data?

The trust-based environment in which our members will share data, knowledge and experiences is legally defined by our Terms of Reference (ToR). Every individual member will commit itself to the ToR before participating. We will cooperate with each other under strict participation rules, including those regarding transparency and information sharing, and using the traffic light protocol (TLP) protocol in our meetings.

Topics such as vulnerabilities in ICS/SCADA systems or cyber security incidents in smart meters are classified as RED according to the TLP protocol. These topics will not be shared outside the meeting room.

  • But doesn’t it take more than just the legal boundaries of a trust-based environment that makes people talk about what is worrying them?

Yes, definetely. It is easier to trust those you know. The role of EE-ISAC is to build a good relationship between its members. This will facilitate information and experience sharing in the already legally defined trust-based environment.

Also, EE-ISAC will monitor the mutual benefit of the information shared. This is a very important factor since it creates a situation in which the interests of the different stakeholders are equal. If this situation is out of balance, the willingness to share will diminish.

I think you can put it like this, EE-ISAC brings together top experts dealing with cyber security issues from different perspectives. It creates an environment in which they start talking to each other without legal or social hesitations. This results in a broader view upon the solution to these issues for each indivdual member. In the end we believe that this will strengthen the cyber resilience of energy sector as a whole.

“EE-ISAC creates an environment in which cyber security experts
start talking to each other without legal or social hesitations.”


The 2012 cyber-attacks against Saudi Aramco and the Aramco family

Potentially the first ever presentation on the 2012 Saudi Aramco attacks? Quite possibly. Do not miss this presentation in London on September 29/30th at the 2nd Annual Industrial Control Cybersecurity Europe conference, or the 2nd Annual Industrial Control Cybersecurity USA conference in Sacramento California.
Register here:

Case Study: The 2012 cyber-attacks against Saudi Aramco and the Aramco family of affiliates was a major game changer in IT & ICS Security. The energy sector, relevant markets and governments worldwide shuddered. Although oil production wasn’t directly affected, business operations were greatly interrupted and remain so. This presentation is the story how I implemented the first IT Security unit for Aramco Overseas Company, a Saudi Aramco affiliate which provides all IT services for Saudi Aramco in South America and the EMEA region outside of Saudi Arabia.

  1. Cybergeddon 2012

Description of Shamoon and attack effects on the Aramco family

  1. Starting from Zero to Hero

An offer I couldn’t refuse after “The Incident”

Implementation of basic IT security

Recruitment of skilled in-house IT security staff

  1. Maturization -IT Security to the next level

Development of staff: hackers, lock pickers, geniuses and Harlem Shakers

Exercises and independent operational audits

Building the framework for a functional incident response team and CERT

  1. Lessons Learned

Twitter setbacks

Dealing with panic

What I would do different if I had a Time Machine

Detecting substation cyber-attacks presentation announced for US Cyber Senate conference

We are pleased to announce a new presentation for October’s conference “A Department of Energy-funded physics-based method for detecting substation cyber-attacks” presented by Alex McEachern, President, Power Standards Lab (USA), Fellow, IEEE, Convenor, IEC for the 2nd annual Industrial Control Cyber Security USA conference in Sacramento California held at the Hyatt Regency October 13/14th.
Visit the latest agenda here https://industrialcontrolsecurityusa.com/program/