Gas stations and beyond: Why cybersecurity is a top priority for industrial infrastructure
December 19, 2021 1:55 p.m.
By Chris Connell, Managing Director for Asia Pacific at Kaspersky
Industrial Control Systems (ICS) demand specific approaches to cybersecurity due to their complex structure, connected devices with different capabilities, software and operating systems, and critical functions. And this isn’t just a theory.
Something as common as a gas station has all the attributes of an ICS, such as connected equipment including pumps and tanks, controllers, a management system, a payment system, as well as connection to the corporate network, third-party service systems, and the internet. Just like any industrial facility, it has cybersecurity issues that companies should consider, to avoid disruptions that may affect the business, its employees, and the general public. This happened recently when gas stations in Iran were shut down because of a targeted attack.
This look through an ICS infrastructure is based on our research carried out at the end of 2020. It included the analysis of a modern gas station’s automation software architecture, a typical infrastructure, and the communications inside it. This allowed us to classify potential attack vectors and their impact on the fuel station’s network.
At a gas station
Imagine you’re driving your car and you need to fill it. You stop at a gas station, put the dispenser in the tank, and go to the convenience store to pay for the fuel. Once inside, the fresh coffee smells nice, you take some snacks for the road, complete your purchase and return to your vehicle.
To deliver the fuel to your tank, several systems have to work together: the back-office system and point of sale handle payments and management functions. They are connected to the forecourt controller (FCC). The forecourt is the area with pumps outside the convenience store where customers park their cars to fill up; it is equipped with many systems such as pump control, an automatic tank gauge (ATG), payment systems, etc. The FCC is the main device that controls fuel distribution: when you pay through a cashier, the FCC commands the pump to supply fuel to your car so you can continue your journey.
Information about operations, the amount of fuel sold and available is transmitted to the management system locally and then to a head office that accumulates information from all stations.
Where are the problems?
Through our research, we managed to classify what could go wrong in this process. There are several potential operational technology (OT) and IT security issues that can affect the work of the station.
The first group of risks involves potential remote access from external networks. Just like many industrial systems today, the gas station employs solutions that are connected to public services through the internet; these include cloud banking systems and specialised fleet management systems. Remote access to the fuel station allows further malicious actions inside the network.
This was a real case described in one of Kaspersky’s studies. At the gas station, fuel management software was used to track the amount stored, set the price, and process payments. The system was connected to the internet and had vulnerabilities that allowed remote admin access with the ability to even change the fuel price.
There are also suppliers and service companies that have access to some parts of the infrastructure. Compromising these third parties may open doors to the target system for attackers. In fact, this type of threat is of great concern for companies of any size or profile: a third (32%) of large organizations suffered attacks involving data shared with suppliers. What’s more, the financial impact of such incidents on enterprises is the highest across all types of attacks in 2021.
Another set of risks involves network and device issues that may potentially lead to the disruption of fuel station services or direct financial impact. Attacks can come from remote networks or by connecting to wireless networks or wired network ports available onsite.
Then, if the network is not segmented, the attack can spread from entry points such as secondary equipment in a shop and office workstations to critical components such as fuel management controls. The use of unencrypted protocols (HTTP, CDP, FTP, Telnet, etc.) in the gas station network may allow adversaries to disclose sensitive information for further attack development.
Another critical but evergreen problem is vulnerabilities or security flaws in the fuel controller, POS terminals, and network equipment, as well as corporate endpoints and applications. In 2015, 5,800 automatic tank gauges (ATGs) were found to be exposed to unauthorized access from the internet because of a lack of password protection on a serial port. An ATG is an electronic component placed in the tank that monitors the level of fuel and checks whether the tank is leaking fluid. Through this serial port, the ATG can be programmed. If the signal it transfers is not correct, the operator won’t get an alert about any deviation. Figures from 2015 also suggested that at the time, most of these systems were in gas stations in the US and represented 3% of those used in the country. By compromising such critical systems as automatic tank gauges, criminals can unlock options for fraud or even physical damage.
It is also important to verify all workstations used on the forecourt such as points of sale, back-office systems, fuel controllers or payment terminals, as well as their configuration and even access to USB ports. For example, a lack of encryption or non-compliance with the PCI DSS standard in a payment system can contribute to the risk of an attack. For a fuel controller, it is also important to check industrial protocols. A lack of source authentication or integrity control may give adversaries performing a man-in-the-middle attack the opportunity to intercept data and manipulate station controllers.
Another point to manage is wireless gateways and reader units. A security assessment should be performed to identify insecure industrial protocols and the possibility of jamming and spoofing attacks.
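The two paragraphs above name the missing controls on the controller link: source authentication and integrity protection. The following Python script is an added example, not code from the article or from any forecourt protocol; the frame layout, the field names and the shared key are constructed for the demonstration. It shows a command frame carrying a sequence number and an HMAC-SHA256 tag, and a controller-side receiver that rejects a frame whose payload was altered in transit as well as a replayed copy of a legitimate frame.

```python
"""Added example (not from the article): message authentication for
controller commands.  Frame layout, field names and key are constructed
for this demonstration and do not correspond to any real forecourt protocol."""
import hashlib
import hmac
import json
import struct

# Constructed shared key; in practice provisioned per device, never hard-coded.
SHARED_KEY = b"example-shared-key-provisioned-per-device"
TAG_LEN = 32  # HMAC-SHA256 output length


def build_frame(key: bytes, seq: int, command: dict) -> bytes:
    """Serialise a command with a sequence number and append an HMAC tag.
    Layout: 4-byte big-endian sequence | JSON payload | 32-byte tag."""
    payload = json.dumps(command, sort_keys=True, separators=(",", ":")).encode()
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class CommandReceiver:
    """Controller-side verifier: rejects bad tags and stale sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (command, status). command is None when the frame is rejected."""
        if len(frame) < 4 + TAG_LEN:
            return None, "truncated frame"
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison so tag bytes do not leak through timing.
        if not hmac.compare_digest(tag, expected):
            return None, "integrity check failed"
        seq = struct.unpack(">I", header)[0]
        # A sequence number that does not advance is a replay (or reordering).
        if seq <= self.last_seq:
            return None, f"replayed or out-of-order sequence {seq}"
        self.last_seq = seq
        return json.loads(payload.decode()), "ok"


def demo() -> list:
    """Legitimate frame accepted; a modified copy and a replay are rejected."""
    rx = CommandReceiver(SHARED_KEY)
    frame = build_frame(SHARED_KEY, 1, {"pump": 3, "price_cents": 189})
    results = [rx.accept(frame)[1]]
    # Simulated on-path modification of the price field inside the payload.
    tampered = frame.replace(b'"price_cents":189', b'"price_cents":1')
    results.append(rx.accept(tampered)[1])
    # Simulated replay: the unmodified original frame delivered a second time.
    results.append(rx.accept(frame)[1])
    return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The sequence counter is what turns a bare integrity check into protection against replay; a symmetric key shared between POS and controller authenticates the sender only to the extent that the key stays confined to those two devices, which is why key provisioning per device matters in the deployment.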
How to improve
There are major security measures that should help increase the overall security level of operational technology infrastructure. They apply to fuel stations but are no less relevant to any industrial network.
Network security: Purpose-based network segmentation enhances overall security and minimizes the attack surface. The segment of the network that has access to untrusted parts of it, such as corporate IT, should also be separated and protected with appropriate enterprise-grade protection software.
Passive OT network monitoring is essential for asset and communication inventory and detection of intrusions before they affect the technological process. Monitoring data also helps IT security teams to analyze events and consider hardening measures.
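As an added example, not code from the article, the following Python script shows the kind of result passive monitoring is meant to deliver for the points raised above: an asset and communication inventory per network segment, plus findings for cleartext protocols and for flows that cross segment boundaries the segmentation plan does not permit, including connections initiated from external addresses. The segment addressing, the allowed-flow policy and the flow records (laid out like Zeek conn.log columns) are all constructed for the demonstration.

```python
"""Added example (not from the article): a small passive monitor that builds an
asset and communication inventory from flow records and flags cleartext
protocols and cross-segment traffic.  Segments, policy and records are
constructed for the demonstration."""
import ipaddress
from collections import defaultdict

# Constructed segment plan for a fuel station network (hypothetical addressing).
SEGMENTS = {
    "fuel-control": ipaddress.ip_network("10.10.1.0/24"),  # FCC, ATG, pump controllers
    "payment": ipaddress.ip_network("10.10.2.0/24"),       # POS and payment terminals
    "office": ipaddress.ip_network("10.10.3.0/24"),        # back office workstations
    "shop": ipaddress.ip_network("10.10.4.0/24"),          # convenience store devices
}

# Constructed policy: which segment may initiate connections into which.
ALLOWED = {
    ("payment", "fuel-control"),      # POS asks the FCC to authorise a pump
    ("office", "payment"),            # back office reads sales data from POS
    ("fuel-control", "fuel-control"), # controllers talk among themselves
    ("office", "external"), ("payment", "external"), ("shop", "external"),
}

CLEARTEXT_SERVICES = {"http", "ftp", "telnet"}

# Constructed flow records in a Zeek conn.log-like tab-separated layout:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
FLOWS = """\
1640000001.1\t10.10.2.10\t50123\t10.10.1.5\t8080\ttcp\thttp
1640000002.4\t10.10.4.20\t50201\t10.10.1.5\t23\ttcp\ttelnet
1640000003.7\t10.10.3.15\t50310\t10.10.2.10\t443\ttcp\tssl
1640000004.9\t10.10.1.5\t50400\t10.10.1.7\t10001\ttcp\t-
1640000005.2\t10.10.4.20\t50501\t203.0.113.9\t443\ttcp\tssl
1640000006.8\t203.0.113.50\t41000\t10.10.2.10\t3389\ttcp\t-
"""


def segment_of(ip: str) -> str:
    """Map an address to its segment name; anything outside the plan is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, service = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "proto": proto, "service": service})
    return rows


def inventory(flows: list) -> dict:
    """Hosts grouped by segment, each with the (port, service) pairs it responded on."""
    assets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        assets[segment_of(f["src"])].setdefault(f["src"], set())  # client-only hosts too
        assets[segment_of(f["dst"])][f["dst"]].add((f["dport"], f["service"]))
    return {seg: {host: sorted(svcs) for host, svcs in hosts.items()}
            for seg, hosts in assets.items()}


def findings(flows: list) -> list:
    """Cleartext services and flows not permitted by the segmentation policy."""
    out = []
    for f in flows:
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if f["service"] in CLEARTEXT_SERVICES:
            out.append(f"cleartext {f['service']} from {f['src']} to {f['dst']}:{f['dport']}")
        if (src_seg, dst_seg) not in ALLOWED:
            out.append(f"segmentation violation: {src_seg} -> {dst_seg} "
                       f"({f['src']} -> {f['dst']}:{f['dport']})")
    return out


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for seg, hosts in inventory(flows).items():
        print(seg, dict(hosts))
    for item in findings(flows):
        print(item)
```

Because the checks run on recorded flows rather than on the live path, they add no latency to the controller traffic; the same policy table doubles as a starting point for firewall rules once the inventory confirms what the legitimate communications are.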
Access control: This should include restricting physical and logical access to the automation and control system. Security measures for remote access control for service companies will help to avoid third-party incidents.
Endpoint protection: It is important to implement specialized industrial-grade security software for OT hosts and servers. Ensure that the software is approved by the automation vendor and compatible with its solutions. This should help to avoid a situation where the protection product affects operational functions.
Security management: A system for centralized security event collection and protection software policy management should be implemented. It is also important that the solution allows vulnerability and patch management. If the system can be integrated with Security Information and Event Management (SIEM), that is a ‘nice to have’ option for organizations that plan to upgrade their protection level. Real-time continuous monitoring and endpoint data collection with rules-based response and analysis capabilities will help to further improve protection from advanced attacks.
A more fundamental approach that involves long-term measures is also important to improve the overall cybersecurity posture. This means adhering to industry standards for information security controls such as IEC 62443, NIST, NERC CIP, and so on. The organization should also conduct penetration testing or security analysis regularly, to identify vulnerabilities and information security problems before they are exploited by someone. And then, of course, follow all recommended measures to fix them properly.
Going deeper, there are specific requirements for companies with different levels of protection. But the measures listed above are essential to fill most cybersecurity gaps. Be it a fuel station, refinery, or giant car manufacturer, the basic principles of OT and IT protection should allow the company to build a reliable cybersecurity system and develop it according to their needs. This will provide a great foundation for satisfied business owners and happy clients.
LG’s Inverter Direct Drive motor reaches milestone with 100M units produced
March 14, 2023 11:32 a.m.
A Key Component of Premium LG Washing Machines for More than Two Decades, Company’s Innovative Motor Technology Continues to Evolve for Excellence
LG Electronics (LG) announces that production of its Inverter Direct Drive™ (DD™) motor has exceeded 100 million units. The company’s differentiated motor technology is a major factor in the strong, reliable performance and continuing global popularity of LG’s industry-leading laundry solutions.
From 1998 to the end of 2022, the company produced, on average, over 12,000 Inverter DD motors per day. LG’s Inverter DD motor connects directly to the washing drum, an innovation that helps make LG washing machines more durable and dramatically reduces noise and energy consumption during operation.
LG has refined the Inverter DD motor over four generations, continuously improving the technology and its performance capabilities to deliver greater customer value. The company holds over 240 Inverter DD motor related technology patents in Korea and internationally. In 2019, the company applied Artificial Intelligence (AI) to the Inverter DD motor to further enhance its efficiency and effectiveness. Used in LG’s premium washing machines and dryers, the AI DD motor leverages deep learning technology to detect the weight of each load and the types of fabrics being washed. It then selects the optimal combination of drum movements from the company’s proprietary 6 Motion tech – which enables six discrete drum movements – to care for and clean users’ laundry.
Last year, LG brought its advanced Inverter DD motor to its dryers for the first time. Like the company’s washers, LG dryers also offer 6 Motion (Tumble, Swing, Rolling, Stepping, Scrubbing, and Filtration) technology to boost drying performance and minimize fabric damage. LG’s inverter motor technology – specifically, the AI DD – became the first home appliance technology to earn Deep Learning AI Verification from global safety science company Underwriters Laboratories (UL).
“The number of Inverter DD motors produced points to the excellence of the motor technology LG has developed for its premium laundry solutions,” said Kim Yang-sun, head of the Component Solution Business Unit at LG Electronics Home Appliance & Air Solution Company. “We will continue to create highly efficient core components that boost the performance and reliability of our products while also reducing carbon emissions during operation.”
Kaspersky study reveals basic cybersecurity terms unfamiliar to C-level executives in SEA
February 20, 2023 3:05 p.m.
Every fourth business executive in Southeast Asia (SEA) prefers not to flag lack of understanding when discussing cybersecurity issues. A recent Kaspersky study also reveals one in ten C-level managers have never heard of threats such as Botnet, APT and Zero-Day exploit.
The same proportion appeared to be unfamiliar with cybersecurity concepts like DevSecOps, Zero Trust, SOC and Pentesting.
According to a PwC study, while backing cybersecurity in every business decision has already become the norm in every other company, more than half of executives lack confidence that their cyber spending is being allocated to the most significant risks their organization is facing. Kaspersky conducted its own research to help IT and C-level executives find common ground and explore the root of their misunderstandings, surveying a total of 300 executives from the SEA region.
The Kaspersky poll indicates that the C-suite sometimes struggles to understand its IT security peers and is not always ready to show its confusion. Thus, 26% of non-IT executives here say they would not feel comfortable flagging that they don’t understand something during a meeting with IT and IT security.
Although most of them hide their confusion because they prefer to clarify everything after the meeting or choose to figure everything out by themselves, more than half (55%) don’t ask additional questions because they don’t believe their IT peers will be able to explain it in a clear way. Almost two in five also feel embarrassed revealing they don’t understand the topic, and 42% don’t want to look ignorant in front of their IT colleagues.
Also, even though all surveyed top managers from SEA regularly discuss security-related issues with IT security managers, more than one in ten respondents have never heard of threats such as Zero-Day exploit (11%), Botnet (9%), and APT (9%). At the same time, Spyware, Malware, Trojan and Phishing appeared to be more familiar to top managers.
More than one in ten top managers here admit they have never heard of cybersecurity terms like DevSecOps (10%), SOC (10%), Pentesting (10%), and Zero Trust (6%).
“Non-IT top management do not have to be experts in complex cybersecurity terminology and concepts and IT security executives should keep this in mind when communicating with the board,” comments Sergey Zhuykov, Solution Architect at Kaspersky.
“To establish efficient cooperation, CISOs should be able to focus C-level attention precisely on meaningful details and clearly explain what exactly the company is doing to minimize cybersecurity risks. In addition to communicating clear metrics to stakeholders, this approach requires offering solutions instead of problems,” says Zhuykov.
“On the other end of the communications spectrum, only 6% of IT security professionals in SEA admit facing difficulty in discussing aspects of their work to the C-level. This means the majority of our technical workforce deem that their updates are understood by the decision makers. To bridge this dangerous gap, security teams should also incorporate effective tools – real life examples and use of reports and numbers – to ensure that discussions are done effectively,” adds Chris Connell, Managing Director for Asia Pacific at Kaspersky.
To ease the communication between IT security and business functions within the company, Kaspersky recommends the following:
- IT security should be positioned as a driver for growth and innovation in the organization. To achieve this the IT security team should move away from prohibitive tactics and rather explain how the business can achieve its goals while mitigating cybersecurity risks.
- CISOs should actively engage in operational activities and build relationships with the company’s stakeholders. Since fewer than 20% of CISOs have established partnerships with key executives in sales, finance, and marketing, it is hard for them to stay abreast of the needs of the business.
- When communicating with the board, use arguments based on an overview of threats by experts, your company’s attack status and best practices.
- Explain to the board what the main responsibilities of the IT security team are. If possible, provide them with an opportunity to walk in a CISO’s shoes to get insights on the most relevant IT security challenges.
- Allocate cybersecurity investments to tools with proven efficacy and ROI. This means tools that lower the rate of false positives and reduce attack detection times, the time spent per case and other metrics that are important to any IT security team.
Kaspersky in Southeast Asia has also launched a Buy 1 Free 1 promo to help SMBs and midrange enterprises beef up their cybersecurity capabilities. Businesses can now enjoy two years of enterprise-grade endpoint protection for the price of one with Kaspersky Endpoint Security for Business or Cloud or Kaspersky Endpoint Detection and Response Optimum, with 24×7 phone support. Interested customers can reach out to email@example.com.
The full report and more insights on communications issues between C-level and IT security managers are available via the link.
Kaspersky Threat Intelligence enhances its threat data feeds, threat analysis, brand protection capabilities
February 4, 2023 9:41 a.m.
The latest release of Kaspersky Threat Intelligence service includes a range of improved feeds that contribute to a deeper understanding of cyberattackers’ behavior, tactics, techniques and procedures regardless of region or language.
It also contains new integrated elements allowing for the protection of companies’ brands on social networks and in marketplaces.
Cybercriminals can remain undetected in companies’ networks, obtaining sensitive information resulting in financial loss, reputational damage, and long-lasting system failures. According to statistics provided by Kaspersky Global Emergency Response Team, the average duration of a prolonged attack is 94.5 days before it is detected by an InfoSec specialist.
To protect businesses from hidden threats like these, companies should provide their security teams with reliable solutions that help them stay one step ahead of cybercriminals and eliminate cyber risks before they can do any harm.
To implement this goal, Kaspersky updated its Threat Intelligence with new Threat Hunting and Incident Investigation capabilities. Providing information in human- and machine-readable formats, the solution supports security teams with meaningful context throughout the incident management cycle, boosts incident investigations and informs strategic decision-making.
Advanced Threat Data Feeds for better protection
The latest release of Kaspersky Threat Intelligence contains new feeds on crimeware, cloud services and threats to open-source software. These feeds will help customers to detect or prevent confidential data leakage and mitigate risks of supply chain attacks and vulnerable or politically compromised software components.
It also introduces an Industrial Vulnerability data feed in OVAL format. It allows customers to find vulnerable ICS software easily on Windows hosts in their networks by using popular vulnerability scanners.
The existing feeds are enriched with additional valuable and actionable information such as new threat categories, attack tactics and techniques in MITRE ATT&CK classification, which will help customers identify their adversary, investigate and respond to the threats faster and more efficiently.
Integration with Security information and event management (SIEM) solutions via Kaspersky CyberTrace is also enhanced with the automated parsing of indicators of compromise (IoCs) directly from emails and PDFs.
Moreover, CyberTrace now supports flexible export format of IoCs, allowing seamless integration of filtered Threat Data Feeds into third-party security controls.
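The two paragraphs above describe pulling indicators of compromise out of e-mails and documents and exporting a filtered subset to other security controls. As an added example, not CyberTrace code and not from the press release, the Python script below does the basic version of that job: it refangs the `hxxp://` and `[.]` notation reports use, extracts URLs, IPv4 addresses, hashes and domains with regular expressions, deduplicates them, and exports a type-filtered list as CSV or JSON. The e-mail text is constructed; the addresses and hostnames in it are documentation and reserved values, and the two hashes are the well-known SHA-256 and MD5 digests of the empty string, so none of them is a real indicator.

```python
"""Added example (not CyberTrace code, not from the press release): extract
indicators of compromise from free text such as an e-mail body, refang them
and export a filtered list.  The sample e-mail is constructed."""
import csv
import io
import ipaddress
import json
import re

SAMPLE_EMAIL = """\
Subject: FW: suspicious activity report (constructed sample)
The loader was fetched from hxxp://malware-example[.]test/update.bin
and beaconed to 198[.]51[.]100[.]23 on port 443. Dropped file hash:
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5 d41d8cd98f00b204e9800998ecf8427e. Please block c2.example.test.
"""

# Ordered: URLs are extracted and blanked out first so that a URL's host and
# path are not reported a second time as a bare domain.
PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("sha256", re.compile(r"\b[a-fA-F0-9]{64}\b")),
    ("md5", re.compile(r"\b[a-fA-F0-9]{32}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]


def refang(text: str) -> str:
    """Undo the common defanging conventions used in reports and e-mails."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def _is_ipv4(value: str) -> bool:
    """Reject dotted quads with octets above 255 that the regex lets through."""
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def extract_iocs(text: str) -> list:
    """Return [{"type": ..., "value": ...}, ...] in order of first appearance per type."""
    working = refang(text)
    seen, iocs = set(), []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(working):
            value = match.group(0).rstrip(".")
            if kind == "ipv4" and not _is_ipv4(value):
                continue
            key = (kind, value.lower())
            if key not in seen:
                seen.add(key)
                iocs.append({"type": kind, "value": value})
        # Blank out matched spans (same length, so offsets stay valid) before
        # the next, more general pattern runs over the text.
        working = pattern.sub(lambda m: " " * len(m.group(0)), working)
    return iocs


def _select(iocs: list, types) -> list:
    return [i for i in iocs if types is None or i["type"] in types]


def export_csv(iocs: list, types=None) -> str:
    """CSV with a header row; types limits the export to the given kinds."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["type", "value"])
    for item in _select(iocs, types):
        writer.writerow([item["type"], item["value"]])
    return buf.getvalue()


def export_json(iocs: list, types=None) -> str:
    return json.dumps(_select(iocs, types), indent=2)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_EMAIL)
    print(export_csv(found))
    print(export_json(found, types={"sha256", "md5"}))
```

Blanking each matched span before the next pattern runs is what keeps the output clean: without it the domain pattern would also report the URL's hostname and the `update.bin` path segment as separate indicators. The type filter at export time is the hook for feeding, say, only hashes to an endpoint product and only domains and addresses to a firewall.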
Better visibility for in-depth investigation
Kaspersky Threat Intelligence extended its coverage to IP addresses and added new categories such as DDoS, Intrusion, Brute-force and Net scanners, as customers previously made many searches related to these types of threats.
The updated solution also supports filters that let users specify criteria such as sources, sections and periods for automated scheduled searches.
The Research Graph, a graphic visualization tool, was also updated to support two new nodes: actors and reports.
Users can apply them to find additional connections with IoCs. This option accelerates threat response and threat hunting activities by highlighting IoCs from high profile attacks described in APT, crimeware and industrial reports as well as in Actor profiles.
Reliable brand protection on social networks and marketplaces
The brand protection capability of Threat Intelligence was improved by adding new notifications to the Digital Footprint Intelligence service. It now supports real-time alerts for targeted phishing, fake social network accounts and applications in mobile marketplaces.
It helps to track the appearance of phishing websites targeting the customer’s brand, company name, online services or trademarks and provides relevant, accurate and detailed information about phishing activities. The updated solution also monitors and detects malicious mobile applications impersonating the customer’s brand and fake organization profiles on social networks.
Improved threat analysis tools
The updated Kaspersky Cloud Research Sandbox now supports Android OS and MITRE ATT&CK mapping; the related metrics are displayed on a dashboard of the Cloud Sandbox. It also provides all network activities across all protocols, including IP, UDP, TCP, DNS, HTTP(S), SSL, FTP, POP3 and IRC. The user can now specify command lines and file parameters to launch the emulation in a tailored way.
“We have been focusing on threat research at Kaspersky for over two decades. With petabytes of rich threat data, advanced machine learning technologies and a unique pool of global experts we work to support customers with the latest threat intelligence from all over the world, helping them to defend themselves even from previously unseen cyberattacks,” comments Anatoly Simonenko, Head of Technology Solutions Product Management at Kaspersky.
Learn more about Kaspersky Threat Intelligence.