OT & IoT Security Blog

Learn More About OT & IoT Security and Visibility

Vulnerability in Dahua’s ONVIF Implementation Threatens IP Camera Security

We’re publishing the details of a new vulnerability (tracked under CVE-2022-30563) affecting the implementation of the Open Network Video Interface Forum (ONVIF) WS-UsernameToken authentication mechanism in some IP cameras developed by Dahua, a very popular manufacturer of IP-based surveillance solutions. This vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.

New Release: Industroyer2 Content Pack

Not long after our blog discussing detecting Log4Shell activity in your network with a content pack, Industroyer2 reared its ugly head. Nozomi Networks Labs dug deeply into the topic of Industroyer2 through various blogs sharing technical details of the exploit and an...

Finding the OT in ZerO Trust

Chances are, this isn’t the first article you’re reading about Zero Trust. Chances are also that articles you have seen vary greatly in what Zero Trust means and does. Zero Trust isn’t a clearly defined IEEE standard, nor was there ever an RFC written about it. Each...

Nozomi Networks Discovers Vulnerability in Siemens Building Automation Software

Recently, we had the opportunity to do a security analysis of the Siemens PXC4.E16, a Building Automation System (BAS) of the Desigo/APOGEE family for HVAC and building service plants. In this blog, we are publishing the details of a vulnerability that was caused by an improper implementation of the password-based key derivation mechanism for user accounts. It could also have been abused to perform a Denial-of-Service (DoS) attack against the controller.

Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk

Nozomi Networks Labs discovered a vulnerability (tracked under CVE-2022-05-02, ICS-VU-638779, VU#473698) affecting the Domain Name System (DNS) implementation of all versions of uClibc and uClibc-ng, a popular C standard library in IoT products. The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device.

Advances in Cyber Security for Electric Utilities: WG15 & Black Hat

As a passionate champion for secure-by-design power grid systems, I’ve been part of WG15, the group defining IEC 62351 standards to enable such systems, for years.

If you’d like to learn about the future of cyber security for electric utilities, I urge you to read this article. It also provides a sneak peek into our related (and groundbreaking!) talk about power system security at Black Hat USA 2019.

GreyEnergy Malware Targets Industrial Critical Infrastructure

Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.

Electric Grid Cyber Security: Ten Actions Utilities Can Do Now

Concerns about cyber attacks on the U.S. critical infrastructure have reached a new level with The Wall Street Journal reporting “an evolution in the U.S. government’s thinking about how to deter malicious cyberactors”.

Find out ten actions that can be done quickly to monitor and secure the electrical grid against determined threat actors.

Russian Cyber Attacks on Critical Infrastructure: The “New Normal”

Concerns about Russian cyber attacks on U.S. electric utilities have increased again this week. The Wall Street Journal is reporting that such attacks have impacted hundreds of victims, not just the dozens reported earlier.

This news brings a new wave of concern about cyber attacks across the U.S. and beyond. If you are involved in this discussion, following is a recap of what is known about the Russian cyber attacks and my thoughts on their significance and repercussions.

Thwarting a Power Grid Control Center Cyberattack

Based on recent reports of Russian involvement in a multistage intrusion of the US power grid, it’s no longer a question of “if” threat actors will gain access to critical infrastructure control systems – it’s when it will happen again, and for what purpose.

What can be done to thwart these potentially disruptive assaults?

Russian Cyberattacks on Critical Infrastructure – What You Need to Know

The U.S. government has just released an important cyber security alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors.

The cyber campaign described is not new, however; rather, it is likely an expanded version of the Dragonfly 2.0 playbook. The Nozomi Networks solution ships today with an analysis toolkit that identifies the presence of Dragonfly.

Advancing ICS Cyber Security for Low-Impact Electricity Carriers

Cyber security threats to the power grid are a continuous danger nowadays, and because of this, regulation in North America may expand from covering bulk electricity carriers to low-impact carriers. Last month FERC, the U.S. Federal Energy Regulatory Commission, proposed a new rule for low-impact carriers, covering transient electronic devices such as USBs and laptops, and incident response policies.
While the regulation is still in the review stage, some low-impact utilities are not waiting to improve their cyber security posture and get a head start on compliance. They are taking advantage of the latest innovation for cyber threat monitoring and detection systems. Vermont Electric Coop is one such entity, and they have realized multiple benefits from their proactive approach.

Securing Substations and Power Grids with ICS Anomaly Detection

One of the findings of the recent SANS report “Securing Industrial Control Systems – 2017” is that the number one technology industrial organizations are looking to implement over the next 18 months is intrusion detection.

Up until recently, detecting anomalies on ICS networks that might be caused by a cyberattack has been “mission impossible.” That’s because such networks typically include equipment from a wide assortment of vendors, run thousands of real-time processes and generate huge volumes of data. Analyzing and monitoring this data to detect anomalies was very difficult.

The good news is that a new generation of ICS cyber security tools is available for industrial intrusion detection. This article describes how our product, SCADAguardian, does it, and gives an example of how it would detect and counter a cyberattack on a regional control center of an electric power utility.

Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload

While Industroyer targets multiple IEC protocols, Industroyer2 is a standalone executable which exclusively targets IEC-104. Based on the analysis, it’s likely that the threat actor was in the network days before the attack and had a fairly complete understanding of security measures in the target environment, and that Industroyer2 was designed to be executed in a privileged environment with direct access to the target device.

New BotenaGo Variant Discovered by Nozomi Networks Labs

While the use of open-source programming languages has its benefits, attackers find it equally beneficial and have been using Go to write malware. Our research highlights a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, which we have named Lillin scanner.

Reverse Engineering Obfuscated Firmware for Vulnerability Analysis

With vendors leveraging increasingly advanced obfuscation and encryption techniques to protect the confidentiality of their code, finding vulnerabilities can be especially challenging. The firmware itself can also be a challenge to reverse if it was compiled for an obsolete architecture that commercial disassemblers can’t properly reconstruct. The firmware in the Schneider Electric APC PDU is an example of such code: it has been around for years and is compiled for an old and obsolete version of the Intel 80286, which prevents easy reading or inspection.

How to Analyze Malware for Technical Writing

In the ever-changing world of cybersecurity, new threats appear and evolve on a regular basis. To efficiently conduct an analysis and publish new findings on emerging malware, it’s important to be prepared. We share tips on how researchers can conduct the analysis, and a suggested workflow.

Improving Pipeline Operational Visibility Avoids Costly Downtime

Operators in the midstream oil and gas industry know their main priority is to keep product flowing through the pipeline. With that focus, it’s hard to notice subtle changes that may cause a costly problem in the future.

Find out how one operator experienced $1.9 million in lost revenue due to unscheduled downtime – and how real-time industrial network monitoring can help.

Black Hat: Understanding TRITON, The First SIS Cyber Attack

Today at Black Hat USA I am part of a team speaking about the landmark TRITON malware attack. We are presenting new research on TRITON, releasing two tools to help defend against it and publishing a white paper summarizing our findings.

The TRITON malware attack went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). Asset owners should act immediately to secure their SIS — and the information in our white paper will help.

SCADA Cyber Security for an Industry 4.0 Oil and Gas Application

If you’re boots-on-the-ground dealing with the daily oil and gas challenges of control and automation, you’ve likely heard lots about Industry 4.0, the fourth wave of industrial revolution. Given the interconnection between more and more devices and commercially marketed systems, the cyber security challenges of this phase of automation are daunting.

To overcome these hurdles, let’s examine how an application that’s been around for a long time, hosted SCADA, can be monitored for cyber security, data integrity and reliability.

Improving ICS Cyber Security for Pipeline Systems

In the last decade market and cost pressures have driven significant technological advances in automation and industrial connectivity across all aspects of petroleum extraction, pipeline transport and refining. While technological advances are delivering business benefits, systems are now exposed to more cyber risks than ever before.

Yet, according to a 2017 survey by the Ponemon Institute, the deployment of cyber security measures in the oil and gas industry isn’t keeping pace with the growth of digitalization in operations.

One way to overcome the ICS cyber security gap is to utilize next generation technology that leverages machine learning and artificial intelligence (AI) to deal with system complexity and deliver immediate benefits. Let’s take a look at two examples of how a passive ICS anomaly detection and monitoring solution secures pipeline networks.

Deep IBM Collaboration Delivers Unified IT and OT Cyber Security

Senior executives at industrial and OT organizations increasingly need to understand the full scope of their cyber risks. However, their confidence with current monitoring for OT/IoT systems is typically low.

To help tackle this challenge, IBM and Nozomi Networks are expanding the capabilities and solutions we offer together to deliver unified IT, IoT, and OT cyber security.

Speeding IT Visibility into OT: New Integrations with Fortinet

Fortinet and Nozomi Networks achieve another partnership milestone with two new integrations that help eliminate the gap between IT and OT. Nozomi Networks Guardian is now comprehensively integrated with FortiGate, FortiNAC, and FortiSIEM.

Learn how these integrations deliver full visibility across IT and OT environments, improve access control and speed incident response.

Nozomi Networks Cyber Security Solution Embedded in RUGGEDCOM

Nozomi Networks is bundling its real-time ICS cyber security and visibility solution on the new RUGGEDCOM RX15xx Multi-Service Platform from Siemens AG.

Read on to learn how this industrial networking platform with embedded security improves operational resiliency with minimal rackspace and streamlined deployment.

Nozomi Networks Helps Build ISA Global Cybersecurity Alliance

The International Society of Automation (ISA) announced that Nozomi Networks is a Founding Member of the new Global Cybersecurity Alliance (GCA).
See how GCA will advance cyber security education, readiness and knowledge-sharing in manufacturing and critical infrastructure facilities and processes, strengthening industrial cyber security worldwide.

Nozomi Networks Embeds SCADAguardian Advanced on RUGGEDCOM Platform

Nozomi Networks is proud to debut our flagship industrial security and visibility solution as part of the RUGGEDCOM Multi-Service Platforms from Siemens AG.

Our integrated offering delivers multiple advantages, including an industrially hardened, comprehensive cyber security solution with a low Total Cost of Ownership (TCO). Let’s take a closer look at this innovative and useful development.

Nozomi Networks, Schneider Electric Work Together to Secure Critical Infrastructure

I’m excited to let you know that Schneider Electric has teamed up with Nozomi Networks to help secure industrial facilities as they face escalating cyber threats and rapid digital transformation in the age of IIoT.

Our global partnership agreement provides Schneider Electric customers with easy access to our ICS cyber security and visibility solution, security-enhanced industrial internet of things solutions, and a global network of trained consultants.

Nozomi Networks, Accenture Secure Global Industrial Infrastructures

Oil & gas, energy and manufacturing operators around the world just got a big security boost thanks to the Nozomi Networks / Accenture partnership. Accenture Security Services will now bundle our deep network visibility and real-time OT cyber security products with their threat-hunting services to create a comprehensive security solution. And the collaboration doesn’t stop there.

Integration with Cisco Technologies Delivers IT / ICS Security

Nozomi Networks has integrated its ICS security solution with Cisco Security technologies to deliver comprehensive operational visibility and cyber security across IT/OT networks.

Together, we provide real-time monitoring and threat detection that streamlines security policy management & enforcement, and speeds incident response.

How ICS Data Analytics & Cyber Security Deliver True Business Value

Last month we launched our partnership with digital transformation heavyweight Atos. Combining Atos analytics on data from industrial devices, with our cyber security processes, takes operational visibility and OT security to new levels.

But the real value goes way beyond cyber security – to include lower total cost of ownership and business resilience. Read on to learn more.

Comprehensive OT Cyber Security from Nozomi Networks & Fortinet

At the RSA Conference in San Francisco, many CISOs and IT leaders shared that OT risk management, defense and resiliency topped their must-have list.

Nozomi Networks and Fortinet deliver one ‘knock-out’ IT/OT cyber security solution for network and operational visibility, risk assessment, and proactive defense. Read on to see how it tackles two of the most common OT use cases.
